author | Peter Wu <peter@lekensteyn.nl> | 2017-06-02 22:05:10 +0200 |
---|---|---|
committer | Peter Wu <peter@lekensteyn.nl> | 2017-06-02 22:04:21 +0000 |
commit | 57b0527821b69dc8aa0786a3b5a425192795aff2 (patch) | |
tree | 4f01e3f4ac81d19d8ca3afa9a85a96f99c7c73bd | |
parent | a86f6603fc8b66a46ce21d18990f2058110acf27 (diff) | |
Add ChaCha20-Poly1305 decryption support for TLS 1.2 and 1.3
Implements all seven AEAD_CHACHA20_POLY1305 cipher suites from RFC 7905
(for TLS 1.2) and the final missing one for TLS 1.3 (draft -20).
New test captures (created using OpenSSL_1_1_0-pre6-2528-g042597b0a)
also serve as tests for TLS 1.3 decryption support.
Change-Id: Ice6d639c9c7b7bc23a6ff5fb4832d02694abd8c4
Ping-Bug: 12779
Reviewed-on: https://code.wireshark.org/review/21902
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
-rw-r--r-- | epan/dissectors/packet-ssl-utils.c | 62 | ||||
-rw-r--r-- | epan/dissectors/packet-ssl-utils.h | 7 | ||||
-rw-r--r-- | test/captures/tls12-chacha20poly1305.pcap | bin | 0 -> 43693 bytes | |||
-rw-r--r-- | test/captures/tls13-20-chacha20poly1305.pcap | bin | 0 -> 10336 bytes | |||
-rwxr-xr-x | test/config.sh | 18 | ||||
-rw-r--r-- | test/keys/tls12-chacha20poly1305.keys | 9 | ||||
-rw-r--r-- | test/keys/tls13-20-chacha20poly1305.keys | 9 | ||||
-rwxr-xr-x | test/suite-decryption.sh | 61 |
8 files changed, 149 insertions, 17 deletions
diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 91b2f86648..c800263da6 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -63,6 +63,10 @@
 /* Whether to provide support for authentication in addition to decryption. */
 #define HAVE_LIBGCRYPT_AEAD
 #endif
+#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */
+/* Whether AEAD_CHACHA20_POLY1305 can be supported. */
+#define HAVE_LIBGCRYPT_CHACHA20_POLY1305
+#endif
 /* Lookup tables {{{ */
 const value_string ssl_version_short_names[] = {
@@ -1500,6 +1504,7 @@ gint ssl_get_keyex_alg(gint cipher)
 case 0xc0a7:
 case 0xc0aa:
 case 0xc0ab:
+ case 0xccad:
 case 0xe41c:
 case 0xe41d:
 return KEX_DHE_PSK;
@@ -1523,6 +1528,7 @@ gint ssl_get_keyex_alg(gint cipher)
 case 0xc09f:
 case 0xc0a2:
 case 0xc0a3:
+ case 0xccaa:
 case 0xe41e:
 case 0xe41f:
 return KEX_DHE_RSA;
@@ -1577,6 +1583,7 @@ gint ssl_get_keyex_alg(gint cipher)
 case 0xc0ad:
 case 0xc0ae:
 case 0xc0af:
+ case 0xcca9:
 case 0xe414:
 case 0xe415:
 return KEX_ECDHE_ECDSA;
@@ -1591,6 +1598,7 @@ gint ssl_get_keyex_alg(gint cipher)
 case 0xc03b:
 case 0xc09a:
 case 0xc09b:
+ case 0xccac:
 case 0xe418:
 case 0xe419:
 return KEX_ECDHE_PSK;
@@ -1607,6 +1615,7 @@ gint ssl_get_keyex_alg(gint cipher)
 case 0xc077:
 case 0xc08a:
 case 0xc08b:
+ case 0xcca8:
 case 0xe412:
 case 0xe413:
 return KEX_ECDHE_RSA;
@@ -1646,6 +1655,7 @@ gint ssl_get_keyex_alg(gint cipher)
 case 0xc0a5:
 case 0xc0a8:
 case 0xc0a9:
+ case 0xccab:
 case 0xe416:
 case 0xe417:
 return KEX_PSK;
@@ -1703,6 +1713,7 @@ gint ssl_get_keyex_alg(gint cipher)
 case 0xc093:
 case 0xc098:
 case 0xc099:
+ case 0xccae:
 case 0xe41a:
 case 0xe41b:
 return KEX_RSA_PSK;
@@ -1977,12 +1988,17 @@ ssl_cipher_init(gcry_cipher_hd_t *cipher, gint algo, guchar* sk, #ifdef HAVE_LIBGCRYPT_AEAD GCRY_CIPHER_MODE_GCM, GCRY_CIPHER_MODE_CCM, - GCRY_CIPHER_MODE_CCM + GCRY_CIPHER_MODE_CCM, #else GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_MODE_CTR, GCRY_CIPHER_MODE_CTR, #endif +#ifdef HAVE_LIBGCRYPT_CHACHA20_POLY1305 + GCRY_CIPHER_MODE_POLY1305, +#else + -1, /* AEAD_CHACHA20_POLY1305 is unsupported. */ +#endif }; gint err; if (algo == -1) { @@ -2160,6 +2176,7 @@ static const gchar *ciphers[]={ "CAMELLIA128", "CAMELLIA256", "SEED", + "CHACHA20", /* since Libgcrypt 1.7.0 */ "*UNKNOWN*" }; @@ -2302,7 +2319,7 @@ static const SslCipherSuite cipher_suites[]={ /* NOTE: TLS 1.3 cipher suites are incompatible with TLS 1.2. */ {0x1301,KEX_TLS13, ENC_AES, DIG_SHA256, MODE_GCM }, /* TLS_AES_128_GCM_SHA256 */ {0x1302,KEX_TLS13, ENC_AES256, DIG_SHA384, MODE_GCM }, /* TLS_AES_256_GCM_SHA384 */ - /* TODO TLS_CHACHA20_POLY1305_SHA256 */ + {0x1303,KEX_TLS13, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_CHACHA20_POLY1305_SHA256 */ {0x1304,KEX_TLS13, ENC_AES, DIG_SHA256, MODE_CCM }, /* TLS_AES_128_CCM_SHA256 */ {0x1305,KEX_TLS13, ENC_AES, DIG_SHA256, MODE_CCM_8 }, /* TLS_AES_128_CCM_8_SHA256 */ 
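Review bot: The `-1` entry that stands in for MODE_POLY1305 when HAVE_LIBGCRYPT_CHACHA20_POLY1305 is undefined is not visibly rejected before use: the only guard shown after the table is `if (algo == -1)`, which tests the algorithm, not the looked-up mode. The ChaCha20 rows are added to `cipher_suites` unconditionally, so a capture that negotiates one of them on a build with an older Libgcrypt can reach this table. If nothing later in ssl_cipher_init() filters the value (its body continues outside the hunk), add an explicit check that fails with a debug message when the table yields `-1` instead of handing it to Libgcrypt. Whether the "CHACHA20" name lookup already fails first on such builds should be confirmed.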
@@ -2418,6 +2435,13 @@ static const SslCipherSuite cipher_suites[]={ {0xC0AD,KEX_ECDHE_ECDSA, ENC_AES256, DIG_NA, MODE_CCM }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM */ {0xC0AE,KEX_ECDHE_ECDSA, ENC_AES, DIG_NA, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 */ {0xC0AF,KEX_ECDHE_ECDSA, ENC_AES256, DIG_NA, MODE_CCM_8 }, /* TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 */ + {0xCCA8,KEX_ECDHE_RSA, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */ + {0xCCA9,KEX_ECDHE_ECDSA, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 */ + {0xCCAA,KEX_DHE_RSA, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 */ + {0xCCAB,KEX_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 */ + {0xCCAC,KEX_ECDHE_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */ + {0xCCAD,KEX_DHE_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 */ + {0xCCAE,KEX_RSA_PSK, ENC_CHACHA20, DIG_SHA256, MODE_POLY1305 }, /* TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 */ {-1, 0, 0, 0, MODE_STREAM} }; @@ -2998,7 +3022,7 @@ ssl_create_decoder(const SslCipherSuite *cipher_suite, gint cipher_algo, // decoders since "decryption" is easy for such ciphers. dec->mac_key.data = dec->_mac_key_or_write_iv; ssl_data_set(&dec->mac_key, mk, ssl_cipher_suite_dig(cipher_suite)->len); - } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8) { + } else if (mode == MODE_GCM || mode == MODE_CCM || mode == MODE_CCM_8 || mode == MODE_POLY1305) { // Input for the nonce, to be used with AEAD ciphers. DISSECTOR_ASSERT(iv_length <= sizeof(dec->_mac_key_or_write_iv)); dec->write_iv.data = dec->_mac_key_or_write_iv; 
@@ -3321,6 +3345,9 @@ ssl_generate_keyring_material(SslDecryptSession*ssl_session) /* account for a four-byte salt for client and server side (from * client_write_IV and server_write_IV), see GCMNonce (RFC 5288) */ write_iv_len = 4; + } else if (cipher_suite->mode == MODE_POLY1305) { + /* RFC 7905: SecurityParameters.fixed_iv_length is twelve bytes */ + write_iv_len = 12; } /* Compute the key block. First figure out how much data we need */ @@ -3831,6 +3858,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder, const guchar *explicit_nonce = NULL, *ciphertext; guint ciphertext_len, auth_tag_len; guchar nonce[12]; + const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode; #ifdef HAVE_LIBGCRYPT_AEAD const guchar *auth_tag_wire; guchar auth_tag_calc[16]; @@ -3838,9 +3866,10 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder, guchar nonce_with_counter[16] = { 0 }; #endif - switch (decoder->cipher_suite->mode) { + switch (cipher_mode) { case MODE_GCM: case MODE_CCM: + case MODE_POLY1305: auth_tag_len = 16; break; case MODE_CCM_8: @@ -3852,7 +3881,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder, } /* Parse input into explicit nonce (TLS 1.2 only), ciphertext and tag. */ - if (is_v12) { + if (is_v12 && cipher_mode != MODE_POLY1305) { if (inl < EXPLICIT_NONCE_LEN + auth_tag_len) { ssl_debug_printf("%s input %d is too small for explicit nonce %d and auth tag %d\n", G_STRFUNC, inl, EXPLICIT_NONCE_LEN, auth_tag_len); @@ -3861,7 +3890,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder, explicit_nonce = in; ciphertext = explicit_nonce + EXPLICIT_NONCE_LEN; ciphertext_len = inl - EXPLICIT_NONCE_LEN - auth_tag_len; - } else if (version == TLSV1DOT3_VERSION) { + } else if (version == TLSV1DOT3_VERSION || cipher_mode == MODE_POLY1305) { if (inl < auth_tag_len) { ssl_debug_printf("%s input %d has no space for auth tag %d\n", G_STRFUNC, inl, auth_tag_len); return FALSE; 
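Review bot: The new `cipher_mode == MODE_POLY1305` alternative in the parse step (`else if (version == TLSV1DOT3_VERSION || cipher_mode == MODE_POLY1305)`) accepts any record version, so a capture that pairs a ChaCha20-Poly1305 suite with a version that is neither TLS 1.2 nor TLS 1.3 no longer falls through to whatever ends this chain. The same condition is repeated in the nonce-construction hunk further down, where `if (!is_v12)` then advances `decoder->seq` as for TLS 1.3. Both the version and the suite come from the capture, so consider spelling the RFC 7905 case as `(is_v12 && cipher_mode == MODE_POLY1305)` in both places. The end of the chain and the definition of `is_v12` are outside the hunk, so this should be confirmed against the full function.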
@@ -3876,20 +3905,23 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder, auth_tag_wire = ciphertext + ciphertext_len; #endif - /* Nonce construction is version-specific. */ - if (is_v12) { + /* + * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305 + * (RFC 7905) uses a nonce construction similar to TLS 1.3. + */ + if (is_v12 && cipher_mode != MODE_POLY1305) { DISSECTOR_ASSERT(decoder->write_iv.data_len == IMPLICIT_NONCE_LEN); /* Implicit (4) and explicit (8) part of nonce. */ memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN); memcpy(nonce + IMPLICIT_NONCE_LEN, explicit_nonce, EXPLICIT_NONCE_LEN); #ifndef HAVE_LIBGCRYPT_AEAD - if (decoder->cipher_suite->mode == MODE_GCM) { + if (cipher_mode == MODE_GCM) { /* NIST SP 800-38D, sect. 7.2 says that the 32-bit counter part starts * at 1, and gets incremented before passing to the block cipher. */ memcpy(nonce_with_counter, nonce, IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN); nonce_with_counter[IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN + 3] = 2; - } else { /* MODE_CCM and MODE_CCM_8 */ + } else if (cipher_mode == MODE_CCM || cipher_mode == MODE_CCM_8) { /* The nonce for CCM and GCM are the same, but the nonce is used as input * in the CCM algorithm described in RFC 3610. The nonce generated here is * the one from RFC 3610 sect 2.3. Encryption. */ @@ -3898,9 +3930,11 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder, memcpy(nonce_with_counter + 1, nonce, IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN); /* struct { opaque salt[4]; opaque nonce_explicit[8] } CCMNonce (RFC 6655) */ nonce_with_counter[IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN + 3] = 1; + } else { + g_assert_not_reached(); } #endif - } else if (version == TLSV1DOT3_VERSION) { + } else if (version == TLSV1DOT3_VERSION || cipher_mode == MODE_POLY1305) { /* * Technically the nonce length must be at least 8 bytes, but for * AES-GCM, AES-CCM and Poly1305-ChaCha20 the nonce length is exact 12. 
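Review bot: The added `g_assert_not_reached()` in the `#ifndef HAVE_LIBGCRYPT_AEAD` branch aborts the whole process if it is ever hit, while the line just above in the same branch uses `DISSECTOR_ASSERT`, which reports a dissector bug for the packet and lets the capture continue. The cipher mode derives from the suite negotiated in the capture, so a failure here should stay confined to the packet; use `DISSECTOR_ASSERT_NOT_REACHED();` instead. Given the earlier `switch (cipher_mode)` the branch looks unreachable today, which makes the change one of convention, but it keeps a later added mode from turning into a crash on crafted input.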
@@ -3911,7 +3945,10 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder, /* Sequence number is left-padded with zeroes and XORed with write_iv */ phton64(nonce + nonce_len - 8, pntoh64(nonce + nonce_len - 8) ^ decoder->seq); ssl_debug_printf("%s seq %" G_GUINT64_FORMAT "\n", G_STRFUNC, decoder->seq); - decoder->seq++; /* Implicit sequence number for TLS 1.3. */ + /* sequence number for TLS 1.2 is incremented when calculating AAD. */ + if (!is_v12) { + decoder->seq++; /* Implicit sequence number for TLS 1.3. */ + } } /* Set nonce and additional authentication data */ @@ -4023,6 +4060,7 @@ ssl_decrypt_record(SslDecryptSession *ssl, SslDecoder *decoder, guint8 ct, guint if (decoder->cipher_suite->mode == MODE_GCM || decoder->cipher_suite->mode == MODE_CCM || decoder->cipher_suite->mode == MODE_CCM_8 || + decoder->cipher_suite->mode == MODE_POLY1305 || ssl->session.version == TLSV1DOT3_VERSION) { if (!tls_decrypt_aead_record(ssl, decoder, ct, record_version, in, inl, out_str, &worklen)) { diff --git a/epan/dissectors/packet-ssl-utils.h b/epan/dissectors/packet-ssl-utils.h index 269618dee8..17e539d7f9 100644 --- a/epan/dissectors/packet-ssl-utils.h +++ b/epan/dissectors/packet-ssl-utils.h @@ -286,7 +286,8 @@ typedef enum { MODE_CBC, /* GenericBlockCipher */ MODE_GCM, /* GenericAEADCipher */ MODE_CCM, /* AEAD_AES_{128,256}_CCM with 16 byte auth tag */ - MODE_CCM_8 /* AEAD_AES_{128,256}_CCM with 8 byte auth tag */ + MODE_CCM_8, /* AEAD_AES_{128,256}_CCM with 8 byte auth tag */ + MODE_POLY1305, /* AEAD_CHACHA20_POLY1305 with 16 byte auth tag (RFC 7905) */ } ssl_cipher_mode_t; /* Explicit and implicit nonce length (RFC 5116 - Section 3.2.1) */ @@ -359,6 +360,7 @@ typedef struct _SslDecoder { #define KEX_IS_DH(n) ((n) >= KEX_DHE_DSS && (n) <= KEX_ECDH_RSA) #define KEX_TLS13 0x23 +/* Order is significant, must match "ciphers" array in packet-ssl-utils.c */ #define ENC_DES 0x30 #define ENC_3DES 0x31 #define ENC_RC4 0x32 
@@ -369,7 +371,8 @@ typedef struct _SslDecoder {
 #define ENC_CAMELLIA128 0x37
 #define ENC_CAMELLIA256 0x38
 #define ENC_SEED 0x39
-#define ENC_NULL 0x3A
+#define ENC_CHACHA20 0x3A
+#define ENC_NULL 0x3B
 #define DIG_MD5 0x40
 #define DIG_SHA 0x41
diff --git a/test/captures/tls12-chacha20poly1305.pcap b/test/captures/tls12-chacha20poly1305.pcap
Binary files differ
new file mode 100644
index 0000000000..1eaa85427f
--- /dev/null
+++ b/test/captures/tls12-chacha20poly1305.pcap
diff --git a/test/captures/tls13-20-chacha20poly1305.pcap b/test/captures/tls13-20-chacha20poly1305.pcap
Binary files differ
new file mode 100644
index 0000000000..da2246d69d
--- /dev/null
+++ b/test/captures/tls13-20-chacha20poly1305.pcap
diff --git a/test/config.sh b/test/config.sh
index 7a59ecdeec..6b9d8f339d 100755
--- a/test/config.sh
+++ b/test/config.sh
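Review bot: Renumbering `ENC_NULL` to make room for `ENC_CHACHA20` depends on the `ciphers` name array in packet-ssl-utils.c being extended at the same position, and nothing enforces that at build time. The commit updates both sides and adds a comment in the header, but a later insertion that misses one side would select the wrong name or index past the array. A compile-time check next to the array, for example `G_STATIC_ASSERT(G_N_ELEMENTS(ciphers) == ENC_NULL - ENC_DES + 1);`, would catch that. The exact bound assumes one array entry per ENC_ value with "*UNKNOWN*" standing for ENC_NULL, which should be confirmed against the full array.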
@@ -106,20 +106,32 @@ export WIRESHARK_QUIT_AFTER_CAPTURE="True" CAPTURE_DIR="$TESTS_DIR/captures/" +TSHARK_VERSION=$($TSHARK -v | tr '\n' ' ') + # Figure out if we were built with lua or not so we can skip the lua tests if we # don't have it. -$TSHARK -v | grep -q "with Lua" +echo "$TSHARK_VERSION" | grep -q "with Lua" HAVE_LUA=$? # Check whether we need to skip the HTTP2/HPACK decryption test. -$TSHARK -v | tr '\n' ' '| grep -q "with nghttp2" +echo "$TSHARK_VERSION" | grep -q "with nghttp2" HAVE_NGHTTP2=$? # Check whether we need to skip a certain decryption test. # XXX What do we print for Nettle? -$TSHARK -v | tr '\n' ' '| egrep -q "with MIT Kerberos|with Heimdal Kerberos" +echo "$TSHARK_VERSION" | egrep -q "with MIT Kerberos|with Heimdal Kerberos" HAVE_KERBEROS=$? +# first version is "compiled with", second is "running on" version. +GCRY_VERSION=$(echo "$TSHARK_VERSION" | grep -oE 'Gcrypt [1-9]+(\.[1-9]+)?' | sed -n '1s/Gcrypt //p') +if [ -n "$GCRY_VERSION" ] && ! echo "$GCRY_VERSION" | grep -q '1\.[456]'; then + # Current minimum Gcrypt version is 1.4.2, + # assume 1.7 or newer if not 1,4, 1.5 or 1.6. + HAVE_LIBGCRYPT17=true +else + HAVE_LIBGCRYPT17=false +fi + HAVE_ICONV="False" hash iconv 2>/dev/null && HAVE_ICONV="True" diff --git a/test/keys/tls12-chacha20poly1305.keys b/test/keys/tls12-chacha20poly1305.keys new file mode 100644 index 0000000000..cbdbcad7de --- /dev/null +++ b/test/keys/tls12-chacha20poly1305.keys 
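Review bot: The version probe `grep -oE 'Gcrypt [1-9]+(\.[1-9]+)?'` cannot match a `0` digit and the follow-up `grep -q '1\.[456]'` is unanchored, so the result depends on how the version string happens to be truncated (a constructed example: a 1.10 release would be read as `1.1`). Using `[0-9]+(\.[0-9]+)?` for extraction and `grep -qE '^1\.[456]$'` for the comparison states the intent exactly. When no version is found, the else branch sets `HAVE_LIBGCRYPT17=false`, which silently skips both new decryption tests; a comment saying that this is intended would help. The comment's `1,4` should read `1.4`.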
@@ -0,0 +1,9 @@
+# SSL/TLS secrets log file, generated by OpenSSL
+CLIENT_RANDOM ab85fc5f6db67c9cf825cd8a1f34cf6c5e89ec09656a4944ec5536a36aed5728 aee53fb112659bc2b3801db7d230c25100dfb79ffb00f086256885dfc1f8fc545e526fc92fe884348a84964bb7b4bbc0
+CLIENT_RANDOM 59ee68728af906f3fb825bf306f7f40ae1fb68fc13d769a00843d3f2ba5dac45 7b126413d8876316b67a35fc3d530bca6574070a5a4b829868b3f94c36b0b1f673ab0a18f213ee7a5fb47ba50676acb3
+CLIENT_RANDOM 1c73db9d11c0c4fb8acf3f62ec0a50a1559eeaded9a9a54e829f9f291d592069 f38dbcf8c3eb3c30514fbcfe2208efab88b3593468b8695e8c1f55662ffe5ab4151ed4ead5fb207c8707ea073e8aaaba
+RSA 3e2ffbd86d10f694 0303f4d5b30f42e5df09d7d3fe363b4ff104b469bcade9e4506bf6cc621441d577cc5fbe448979fdd9be53556881058a
+CLIENT_RANDOM 121cdd2ae0f9f089b48897272e37c89cf41f4eb8262ac1272cc02a73fd23fa0b 2a169a4a71b6b988d525546ca3f56d185f16490eecc19659963f796bf8c6b4cf10f8739aeb0f2162451c1e46718c137d
+CLIENT_RANDOM db9350951d7ace9c91422b44b526a549fa3ca97b9e0d5c421c08ee3223b3d74a bd0c489a9d428510d937ae09038a0cc84bc3ed72dfe136712d94fcc001d46f54b33992dd3f2f897625cad07f7f9caeb2
+CLIENT_RANDOM 55a097b1bf4bf3c0f7161a81f15be86a78f2ca05f9784b07e0af761c1f9f1d65 bdf97a381c55c50421757a63227717b6a5c840ef8fc61975e0c495cff55f4dde41080b63c896f94639351697810bfcd9
+CLIENT_RANDOM f6fb54f9367adab3128073734d14e7230e6fe3c5c494caa15e130b5a955dbcb6 8409faa69c4c6ebf56cbad7b9ace4f41815de444410c2c595f409b54a80014e0acf944b8ee6f62eb0ef873714514a19f
diff --git a/test/keys/tls13-20-chacha20poly1305.keys b/test/keys/tls13-20-chacha20poly1305.keys
new file mode 100644
index 0000000000..e858b9a56b
--- /dev/null
+++ b/test/keys/tls13-20-chacha20poly1305.keys
@@ -0,0 +1,9 @@
+# SSL/TLS secrets log file, generated by OpenSSL
+SERVER_HANDSHAKE_TRAFFIC_SECRET 3d89529eeebe176375ef29bd146a49e02c375771628244948f6e9408457fdbc1 4e1fbe0594634161e1af3f8b6e940561ba3fc2174b6cefb5b0da3e040cfb23e4
+SERVER_TRAFFIC_SECRET_0 3d89529eeebe176375ef29bd146a49e02c375771628244948f6e9408457fdbc1 1e519f7e8d3e8d45d7cf13038f50a50e1a2f6f0a9f918b9ae856f3269068ef8f
+CLIENT_HANDSHAKE_TRAFFIC_SECRET 3d89529eeebe176375ef29bd146a49e02c375771628244948f6e9408457fdbc1 69c6f71caf5031fc55671bf88c70a77acac0d81de20d3cf5e6b4dd7fac4ffe4d
+CLIENT_TRAFFIC_SECRET_0 3d89529eeebe176375ef29bd146a49e02c375771628244948f6e9408457fdbc1 292497c163345eaa5b16b0b7907faa31dbb7ce76ac9a1c35ca99ba9dafeae72c
+SERVER_HANDSHAKE_TRAFFIC_SECRET 4cfd639e633b0ccdedab543dd333639d2bacd023b2f12a94724eb1c20f5b8e11 976e0b13800a6c2335ed9bb124f38fb2f654c6585dfc14db72eb09cd30148a1c
+SERVER_TRAFFIC_SECRET_0 4cfd639e633b0ccdedab543dd333639d2bacd023b2f12a94724eb1c20f5b8e11 f7e0e34d554b2431353dadb226d9fbf248dd15e76944234bfb13b1102af43aaf
+CLIENT_HANDSHAKE_TRAFFIC_SECRET 4cfd639e633b0ccdedab543dd333639d2bacd023b2f12a94724eb1c20f5b8e11 d46820a69b572a15d2ef8778d32f1e00300725ab42bc9f3e8f6ede598a1ab532
+CLIENT_TRAFFIC_SECRET_0 4cfd639e633b0ccdedab543dd333639d2bacd023b2f12a94724eb1c20f5b8e11 69bf451e01db2af6924af9b78759a9f3e84affab23300238dbf94c54709cdda1
diff --git a/test/suite-decryption.sh b/test/suite-decryption.sh
index 7545b47ed0..a5774708a8 100755
--- a/test/suite-decryption.sh
+++ b/test/suite-decryption.sh
@@ -302,6 +302,65 @@ decryption_step_tls_psk_aes256gcm() {
 test_step_ok
 }
+# TLS 1.2 with ChaCha20-Poly1305
+decryption_step_tls12_chacha20poly1305() {
+ if ! $HAVE_LIBGCRYPT17; then
+ test_step_skipped
+ return
+ fi
+ TEST_KEYS_FILE="$TESTS_DIR/keys/tls12-chacha20poly1305.keys"
+ if [ "$WS_SYSTEM" == "Windows" ] ; then
+ TEST_KEYS_FILE="`cygpath -w $TEST_KEYS_FILE`"
+ fi
+ ciphers='
+ ECDHE-ECDSA-CHACHA20-POLY1305
+ ECDHE-RSA-CHACHA20-POLY1305
+ DHE-RSA-CHACHA20-POLY1305
+ RSA-PSK-CHACHA20-POLY1305
+ DHE-PSK-CHACHA20-POLY1305
+ ECDHE-PSK-CHACHA20-POLY1305
+ PSK-CHACHA20-POLY1305
+ '
+ local stream=0
+ for cipher in $ciphers; do
+ $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -q \
+ -r "$CAPTURE_DIR/tls12-chacha20poly1305.pcap" \
+ -o "ssl.keylog_file: $TEST_KEYS_FILE" \
+ -z follow,ssl,ascii,$stream \
+ | grep -q "$cipher"
+ RETURNVALUE=$?
+ if [ ! $RETURNVALUE -eq $EXIT_OK ]; then
+ test_step_failed "Failed to decrypt TLS 1.2 ($cipher)"
+ return
+ fi
+ ((stream++))
+ done
+ test_step_ok
+}
+
+# TLS 1.3 with ChaCha20-Poly1305
+decryption_step_tls13_chacha20poly1305() {
+ if ! $HAVE_LIBGCRYPT17; then
+ test_step_skipped
+ return
+ fi
+ TEST_KEYS_FILE="$TESTS_DIR/keys/tls13-20-chacha20poly1305.keys"
+ if [ "$WS_SYSTEM" == "Windows" ] ; then
+ TEST_KEYS_FILE="`cygpath -w $TEST_KEYS_FILE`"
+ fi
+ $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -q \
+ -r "$CAPTURE_DIR/tls13-20-chacha20poly1305.pcap" \
+ -o "ssl.keylog_file: $TEST_KEYS_FILE" \
+ -z follow,ssl,ascii,0 \
+ | grep -q TLS13-CHACHA20-POLY1305-SHA256
+ RETURNVALUE=$?
+ if [ ! $RETURNVALUE -eq $EXIT_OK ]; then
+ test_step_failed "Failed to decrypt TLS 1.3 (ChaCha20-Poly1305)"
+ return
+ fi
+ test_step_ok
+}
+
 # ZigBee
 # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7022
 decryption_step_zigbee() {
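Review bot: `RETURNVALUE=$?` after the `run_and_catch_crashes … | grep -q "$cipher"` pipeline holds only grep's exit status, so unless `pipefail` is set elsewhere (not visible here) a tshark run that fails or crashes after printing the cipher name still passes; the TLS 1.3 step has the same shape. Capturing the output in a variable, checking the wrapper's status, and then grepping the variable avoids both that and the early-exit SIGPIPE that `grep -q` can cause upstream. Separately, `stream` is declared `local` but `ciphers`, `cipher` and `TEST_KEYS_FILE` are not, and `$TEST_KEYS_FILE` is unquoted inside the `cygpath -w` call, which breaks on paths containing spaces.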
@@ -582,6 +641,8 @@ tshark_decryption_suite() {
 test_step_add "SSL Decryption (renegotiation)" decryption_step_ssl_renegotiation
 test_step_add "TLS 1.2 Decryption (PSK AES-128-CCM)" decryption_step_tls_psk_aes128ccm
 test_step_add "TLS 1.2 Decryption (PSK AES-256-GCM)" decryption_step_tls_psk_aes256gcm
+ test_step_add "TLS 1.2 Decryption (ChaCha20-Poly1305)" decryption_step_tls12_chacha20poly1305
+ test_step_add "TLS 1.3 Decryption (ChaCha20-Poly1305)" decryption_step_tls13_chacha20poly1305
 test_step_add "ZigBee Decryption" decryption_step_zigbee
 test_step_add "ANSI C12.22 Decryption" decryption_step_c1222
 test_step_add "DVB-CI Decryption" decryption_step_dvb_ci |