1 #!/bin/bash
2 #
3 # Test decryption capabilities of the Wireshark tools
4 #
5 # Wireshark - Network traffic analyzer
6 # By Gerald Combs <gerald@wireshark.org>
7 # Copyright 2005 Ulf Lamping
8 #
9 # This program is free software; you can redistribute it and/or
10 # modify it under the terms of the GNU General Public License
11 # as published by the Free Software Foundation; either version 2
12 # of the License, or (at your option) any later version.
13 #
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17 # GNU General Public License for more details.
18 #
19 # You should have received a copy of the GNU General Public License
20 # along with this program; if not, write to the Free Software
21 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #
23
24 # To do:
25 #   IEEE 802.15.4
26 #   ISAKMP / IKEv2
27 #   PKCS#12
28 #   SNMP
29 #   DCERPC NETLOGON
30 #   KINK
31 #   LDAP
32 #   NTLMSSP
33 #   SPNEGO
34
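# common exit status values
EXIT_OK=0
EXIT_COMMAND_LINE=1
EXIT_ERROR=2

# User Accessible Table (UAT) files; decryption_prep_step generates each one
# from "$TESTS_DIR/config/<name>.tmpl". The list is whitespace-separated and
# is word-split on purpose when iterated.
UAT_FILES="
        80211_keys
        dtlsdecrypttablefile
        esp_sa
        ssl_keys
        c1222_decryption_table
        ikev1_decryption_table
        ikev2_decryption_table
"

# Directory holding the test key material referenced by the UAT templates.
TEST_KEYS_DIR="$TESTS_DIR/keys/"
if [ "$WS_SYSTEM" == "Windows" ] ; then
	# Quote the argument so a path containing spaces or glob characters
	# reaches cygpath as a single word.
	TEST_KEYS_DIR="$(cygpath -w "$TEST_KEYS_DIR")"
fi

#TS_ARGS="-Tfields -e frame.number -e frame.time_epoch -e frame.time_delta"
TS_DC_ARGS=""

DIFF_OUT=./diff-output.txt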
59
60 # WPA PSK
61 # https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=wpa-Induction.pcap
decryption_step_80211_wpa_psk() {
	# Passes when the decrypted capture yields an HTTP request URI that
	# matches "favicon.ico". RETURNVALUE is the status of grep, the last
	# pipeline stage; the tshark exit status itself is not inspected here.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "wlan.enable_decryption: TRUE" \
		-Tfields -e http.request.uri \
		-r "$CAPTURE_DIR/wpa-Induction.pcap.gz" \
		-Y http \
		| grep favicon.ico > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt IEEE 802.11 WPA PSK"
	else
		test_step_ok
	fi
}
76
77 # WPA EAP (EAPOL Rekey)
78 # Included in git sources test/captures/wpa-eap-tls.pcap.gz
decryption_step_80211_wpa_eap() {
	# Filters on the expected temporal key (wlan.analysis.tk) and passes
	# when the output contains "Group Message". Only grep's status is
	# checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "wlan.enable_decryption: TRUE" \
		-r "$CAPTURE_DIR/wpa-eap-tls.pcap.gz" \
		-Y "wlan.analysis.tk==7d9987daf5876249b6c773bf454a0da7" \
		| grep "Group Message" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt IEEE 802.11 WPA EAP"
	else
		test_step_ok
	fi
}
92 # WPA decode with message1+2 only and secure bit set on message 2
93 # Included in git sources test/captures/wpa-test-decode.pcap.gz
decryption_step_80211_wpa_eapol_incomplete_rekeys() {
	# Passes when the frame selected by "icmp.resp_to == 4263" is shown as
	# an ICMP "Echo" line, i.e. the payload was decrypted although only
	# EAPOL messages 1 and 2 are present in the capture.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "wlan.enable_decryption: TRUE" \
		-r "$CAPTURE_DIR/wpa-test-decode.pcap.gz" \
		-Y "icmp.resp_to == 4263" \
		| grep "Echo"  > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Not able to follow rekey with missing eapol frames"
	else
		test_step_ok
	fi
}
107
108 # WPA decode management frames with MFP enabled (802.11w)
109 # Included in git sources test/captures/wpa-test-decode-mgmt.pcap.gz
decryption_step_80211_wpa_psk_mfp() {
	# Expects exactly three output lines for the protected management
	# frames matched by the display filter. stderr is merged into the
	# captured text, so any diagnostic line also counts towards the total.
	local captured line_count
	captured=$($TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "wlan.enable_decryption: TRUE" \
		-r "$CAPTURE_DIR/wpa-test-decode-mgmt.pcap.gz" \
		-Y "wlan.fixed.reason_code == 2 || wlan.fixed.category_code == 3" \
		2>&1)
	# Here $? is the status of the command substitution, i.e. of the
	# wrapped tshark run, not of a grep.
	RETURNVALUE=$?
	line_count=$(echo "$captured" | wc -l)
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Error during test execution: $captured"
	elif [ $line_count -ne 3 ]; then
		test_step_failed "Not able to decode All Management frames ($line_count/3)"
	else
		test_step_ok
	fi
}
128
129 # WPA decode traffic in a TDLS (Tunneled Direct-Link Setup) session (802.11z)
130 # Included in git sources test/captures/wpa-test-decode-tdls.pcap.gz
decryption_step_80211_wpa_tdls() {
	# Expects exactly two output lines for the ICMP frames carried inside
	# the TDLS session. stderr is merged into the captured text, so any
	# diagnostic line also counts towards the total.
	local captured line_count
	captured=$($TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "wlan.enable_decryption: TRUE" \
		-r "$CAPTURE_DIR/wpa-test-decode-tdls.pcap.gz" \
		-Y "icmp" \
		2>&1)
	RETURNVALUE=$?
	line_count=$(echo "$captured" | wc -l)
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Error during test execution: $captured"
	elif [ $line_count -ne 2 ]; then
		test_step_failed "Not able to decode all TDLS traffic ($line_count/2)"
	else
		test_step_ok
	fi
}
149
150 # DTLS
151 # https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil.tgz
decryption_step_dtls() {
	# Passes when the decrypted application data contains the expected
	# byte sequence. Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e data.data \
		-r "$CAPTURE_DIR/snakeoil-dtls.pcap" -Y data \
		| grep "69:74:20:77:6f:72:6b:20:21:0a" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt DTLS"
	else
		test_step_ok
	fi
}
164
165 # DTLS 1.2 with PSK, AES-128-CCM-8
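decryption_step_dtls_psk_aes128ccm8() {
	# Decrypts a DTLS 1.2 capture with a pre-shared key and checks the
	# hex dump (-x) for the two expected plaintext messages, each seen
	# twice and in order.
	#
	# The PSK is a fixture value. Preferences given with -o are part of
	# the process arguments, so real key material should not be supplied
	# this way on a shared host.
	#
	# output/one/two are kept local so they do not leak into the harness,
	# matching the other steps that declare their scratch variables.
	local output one two
	output=$("$TESTS_DIR/run_and_catch_crashes" env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-odtls.psk:ca19e028a8a372ad2d325f950fcaceed \
		-r "$CAPTURE_DIR/dtls12-aes128ccm8.pcap" -x)
	# The "*" inside "usi*ng" is a glob wildcard; presumably the dump
	# wraps to a new row at that position.
	one='DTLS1.2 test usi*ng GnuTLS 3.5.8.'
	two='Works for me!.'
	# The expansions are left unquoted on purpose so they act as patterns.
	if [[ "$output" != *${one}*${one}*${two}*${two}* ]]; then
		test_step_failed "Failed to decrypt DTLS 1.2 (PSK AES-128-CCM-8)"
		return
	fi
	test_step_ok
}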
178
179 # IPsec ESP
180 # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12671
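decryption_step_ipsec_esp() {
	# Passes when the ESP payload decodes to the expected byte sequence.
	# RETURNVALUE is grep's status; the tshark exit status is not
	# inspected in this pipeline.
	"$TESTS_DIR/run_and_catch_crashes" env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "esp.enable_encryption_decode: TRUE" \
		-Tfields -e data.data \
		-r "$CAPTURE_DIR/esp-bug-12671.pcapng.gz" -Y data \
		| grep "08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		# The message used to say "DTLS" (copied from the DTLS step),
		# which pointed at the wrong dissector when this step failed.
		test_step_failed "Failed to decrypt IPsec ESP"
		return
	fi
	test_step_ok
}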
194
195 # SSL, using the server's private key
196 # https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil2_070531.tgz
decryption_step_ssl() {
	# Passes when a decrypted HTTP request URI matches "favicon.ico".
	# No key is given on the command line; presumably it comes from the
	# ssl_keys UAT written by decryption_prep_step.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -Tfields -e http.request.uri \
		-r "$CAPTURE_DIR/rsasnakeoil2.pcap" -Y http \
		| grep favicon.ico > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt SSL using the server's private key"
	else
		test_step_ok
	fi
}
208
209 # SSL, using the server's private key with p < q
210 # (test whether libgcrypt is correctly called)
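decryption_step_ssl_rsa_pq() {
	# Decrypts with an RSA key whose prime p is smaller than q and passes
	# when any HTTP request URI containing "/" is produced. The match is
	# deliberately loose; it only shows that some request was decoded.
	TEST_KEYS_FILE="$TESTS_DIR/keys/rsa-p-lt-q.key"
	if [ "$WS_SYSTEM" == "Windows" ] ; then
		# Quoted so a checkout path with spaces stays one argument.
		TEST_KEYS_FILE="$(cygpath -w "$TEST_KEYS_FILE")"
	fi
	"$TESTS_DIR/run_and_catch_crashes" env $TS_DC_ENV $TSHARK $TS_DC_ARGS -Tfields -e http.request.uri \
		-o ssl.keys_list:"0.0.0.0,443,http,$TEST_KEYS_FILE" \
		-r "$CAPTURE_DIR/rsa-p-lt-q.pcap" -Y http \
		| grep / > /dev/null 2>&1
	RETURNVALUE=$?
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt SSL using the server's RSA private key"
		return
	fi
	test_step_ok
}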
227
228 # SSL, using the server's private key with password
decryption_step_ssl_with_password() {
	# Passes when a decrypted HTTP request URI matches
	# "unsecureLogon.jsp". The key and its password are not given here;
	# presumably they come from the ssl_keys UAT.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -Tfields -e http.request.uri \
		-r "$CAPTURE_DIR/dmgr.pcapng" -Y http \
		| grep unsecureLogon.jsp > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt SSL using the server's private key with password"
	else
		test_step_ok
	fi
}
240
241 # SSL, using the master secret
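decryption_step_ssl_master_secret() {
	# Decrypts using a key log file (ssl.keylog_file) instead of a private
	# key and passes when a decrypted HTTP request URI matches "test".
	TEST_KEYS_FILE="$TESTS_DIR/keys/dhe1_keylog.dat"
	if [ "$WS_SYSTEM" == "Windows" ] ; then
		# Quoted so a checkout path with spaces stays one argument.
		TEST_KEYS_FILE="$(cygpath -w "$TEST_KEYS_FILE")"
	fi
	"$TESTS_DIR/run_and_catch_crashes" env $TS_DC_ENV $TSHARK $TS_DC_ARGS -Tfields -e http.request.uri \
		-o "ssl.keylog_file: $TEST_KEYS_FILE" \
		-o "ssl.desegment_ssl_application_data: FALSE" \
		-o "http.ssl.port: 443" \
		-r "$CAPTURE_DIR/dhe1.pcapng.gz" -Y http \
		| grep test > /dev/null 2>&1
	RETURNVALUE=$?
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		test_step_failed "Failed to decrypt SSL using the master secret"
		return
	fi
	test_step_ok
}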
260
261 # TLS 1.2 with renegotiation
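decryption_step_ssl_renegotiation() {
	# Decrypts a TLS 1.2 session that renegotiates and passes when the
	# http.content_length values start with 0 and later contain 2151.
	# The tshark output is held in a local so it does not leak into the
	# harness, matching the steps that declare their scratch variables.
	local output
	TEST_KEYS_FILE="$TESTS_DIR/keys/rsasnakeoil2.key"
	if [ "$WS_SYSTEM" == "Windows" ] ; then
		# Quoted so a checkout path with spaces stays one argument.
		TEST_KEYS_FILE="$(cygpath -w "$TEST_KEYS_FILE")"
	fi
	output=$("$TESTS_DIR/run_and_catch_crashes" env $TS_DC_ENV $TSHARK $TS_DC_ARGS -Tfields -e http.content_length \
		-o ssl.keys_list:"0.0.0.0,4433,http,$TEST_KEYS_FILE" \
		-r "$CAPTURE_DIR/tls-renegotiation.pcap" -Y http)
	if [[ "$output" != 0*2151* ]]; then
		test_step_failed "Failed to decrypt SSL with renegotiation"
		return
	fi
	test_step_ok
}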
276
277 # TLS 1.2 with PSK, AES-128-CCM
decryption_step_tls_psk_aes128ccm() {
	# Follows TLS stream 0 as ASCII and passes when the decrypted text
	# contains the GnuTLS URL. The PSK is a fixture value; a preference
	# given with -o is part of the process arguments, so real keys should
	# not be passed this way on a shared host.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -q \
		-ossl.psk:ca19e028a8a372ad2d325f950fcaceed \
		-r "$CAPTURE_DIR/tls12-aes128ccm.pcap" -z follow,ssl,ascii,0 \
		| grep -q http://www.gnu.org/software/gnutls
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt TLS 1.2 (PSK AES-128-CCM)"
	else
		test_step_ok
	fi
}
290
291 # TLS 1.2 with PSK, AES-256-GCM
decryption_step_tls_psk_aes256gcm() {
	# Same check as the AES-128-CCM step, against the AES-256-GCM
	# capture: follow TLS stream 0 and look for the GnuTLS URL in the
	# decrypted text. The PSK is a fixture value passed via -o.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS -q \
		-ossl.psk:ca19e028a8a372ad2d325f950fcaceed \
		-r "$CAPTURE_DIR/tls12-aes256gcm.pcap" -z follow,ssl,ascii,0 \
		| grep -q http://www.gnu.org/software/gnutls
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt TLS 1.2 (PSK AES-256-GCM)"
	else
		test_step_ok
	fi
}
304
305 # ZigBee
306 # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7022
decryption_step_zigbee() {
	# Passes when the decrypted ZigBee APS payload (data.data) contains
	# the expected byte sequence. Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-r "$CAPTURE_DIR/sample_control4_2012-03-24.pcap" \
		-Tfields -e data.data \
		-Y zbee_aps \
		| grep "30:67:63:63:38:65:20:63:34:2e:64:6d:2e:74:76:20" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt ZigBee"
	else
		test_step_ok
	fi
}
320
321 # ANSI C12.22
322 # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9196
decryption_step_c1222() {
	# Passes when c1222.data contains the expected plaintext bytes. The
	# failure message includes grep's status for diagnosis.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "c1222.decrypt: TRUE" \
		-o "c1222.baseoid:2.16.124.113620.1.22.0" \
		-r "$CAPTURE_DIR/c1222_std_example8.pcap" \
		-Tfields -e c1222.data \
		| grep "00:10:4d:41:4e:55:46:41:43:54:55:52:45:52:20:53:4e:20:92" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt C12.22 $RETURNVALUE"
	else
		test_step_ok
	fi
}
337
338 # DVB-CI
339 # simplified version of the sample capture in
340 # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6700
decryption_step_dvb_ci() {
	# Passes when the decrypted SAC padding field has the expected value.
	# The all-zero SEK and SIV are fixture values for this capture.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-o "dvb-ci.sek: 00000000000000000000000000000000" \
		-o "dvb-ci.siv: 00000000000000000000000000000000" \
		-Tfields -e dvb-ci.cc.sac.padding \
		-r "$CAPTURE_DIR/dvb-ci_UV1_0000.pcap" \
		| grep "80:00:00:00:00:00:00:00:00:00:00:00" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt DVB_CI"
	else
		test_step_ok
	fi
}
355
356 # IKEv1 (ISAKMP) with certificates
357 # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7951
decryption_step_ikev1_certs() {
	# Passes when a certificate string (x509sat.printableString)
	# containing "OpenSwan" is visible in the decoded exchange.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e x509sat.printableString \
		-r "$CAPTURE_DIR/ikev1-certs.pcap" \
		| grep "OpenSwan" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt IKEv1"
	else
		test_step_ok
	fi
}
370
371 # IKEv1 (ISAKMP) simultaneous exchanges
372 # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12610
decryption_step_ikev1_simultaneous() {
	# Passes when the expected isakmp.hash value appears in the output.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.hash \
		-r "$CAPTURE_DIR/ikev1-bug-12610.pcapng.gz" \
		| grep "b5:25:21:f7:74:96:74:02:c9:f6:ce:e9:5f:d1:7e:5b" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt simultaneous IKEv1 exchanges"
	else
		test_step_ok
	fi
}
385
386 # IKEv1 (ISAKMP) unencrypted phase 1
387 # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12620
decryption_step_ikev1_unencrypted() {
	# Passes when the expected isakmp.hash value appears in the output.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.hash \
		-r "$CAPTURE_DIR/ikev1-bug-12620.pcapng.gz" \
		| grep "40:04:3b:64:0f:43:73:25:0d:5a:c3:a1:fb:63:15:3c" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt the first packet of a post-phase1 IKEv1 exchange"
	else
		test_step_ok
	fi
}
400
401 # IKEv2 decryption test (3DES-CBC/SHA1_160)
decryption_step_ikev2_3des_sha160() {
	# Passes when the expected isakmp.auth.data value is printed.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.auth.data \
		-r "$CAPTURE_DIR/ikev2-decrypt-3des-sha1_160.pcap" \
		| grep "02:f7:a0:d5:f1:fd:c8:ea:81:03:98:18:c6:5b:b9:bd:09:af:9b:89:17:31:9b:88:7f:f9:ba:30:46:c3:44:c7" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt encrypted with 3_DES_CBC/SHA1_160 packet of IKEv2 exchange"
	else
		test_step_ok
	fi
}
414
415 # IKEv2 decryption test (AES-128-CCM-12) - with CBC-MAC verification
decryption_step_ikev2_aes128_ccm12() {
	# Passes when the expected isakmp.auth.data value is printed.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.auth.data \
		-r "$CAPTURE_DIR/ikev2-decrypt-aes128ccm12.pcap" \
		| grep "c2:10:43:94:29:9e:1f:fe:79:08:ea:72:0a:d5:d1:37:17:a0:d4:54:e4:fa:0a:21:28:ea:68:94:11:f4:79:c4" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt encrypted with AES_128_CCM_12 packet of IKEv2 exchange"
	else
		test_step_ok
	fi
}
428
429 # IKEv2 decryption test (AES-128-CCM-12 using CTR mode, without checksum)
decryption_step_ikev2_aes128_ccm12_2() {
	# Passes when the expected isakmp.auth.data value is printed.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.auth.data \
		-r "$CAPTURE_DIR/ikev2-decrypt-aes128ccm12-2.pcap" \
		| grep "aa:a2:81:c8:7b:4a:19:04:6c:57:27:1d:55:74:88:ca:41:3b:57:22:8c:b9:51:f5:fa:96:40:99:2a:02:85:b9" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt (using CTR mode) encrypted with AES_128_CCM_12  packet of IKEv2 exchange"
	else
		test_step_ok
	fi
}
442
443 # IKEv2 decryption test (AES-192-CTR/SHA2-512)
decryption_step_ikev2_aes192ctr_sha512() {
	# Passes when the expected isakmp.auth.data value is printed.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.auth.data \
		-r "$CAPTURE_DIR/ikev2-decrypt-aes192ctr.pcap" \
		| grep "3e:c2:3d:cf:93:48:48:56:38:40:7c:75:45:47:ae:b3:08:52:90:08:2c:49:f5:83:fd:ba:e5:92:63:a2:0b:4a" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt encrypted with AES-192-CTR/SHA2_512 packet of IKEv2 exchange"
	else
		test_step_ok
	fi
}
456
457 # IKEv2 decryption test (AES-256-CBC/SHA2-256)
decryption_step_ikev2_aes256cbc_sha256() {
	# Passes when the expected isakmp.auth.data value is printed.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.auth.data \
		-r "$CAPTURE_DIR/ikev2-decrypt-aes256cbc.pcapng" \
		| grep "e1:a8:d5:50:06:42:01:a7:ec:02:4a:85:75:8d:06:73:c6:1c:5c:51:0a:c1:3b:cd:22:5d:63:27:f5:0d:a3:d3" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt encrypted with AES-256-CBC/SHA2-256 packet of IKEv2 exchange"
	else
		test_step_ok
	fi
}
470
471 # IKEv2 decryption test (AES-256-CCM-16)
decryption_step_ikev2_aes256ccm16() {
	# Passes when the expected isakmp.auth.data value is printed.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.auth.data \
		-r "$CAPTURE_DIR/ikev2-decrypt-aes256ccm16.pcapng" \
		| grep "fa:2e:74:bd:c0:1e:30:fb:0b:3d:dc:97:23:c9:44:90:95:96:9d:a5:1f:69:e5:60:20:9d:2c:2b:79:40:21:0a" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt encrypted with AES-256-CCM-16 packet of IKEv2 exchange"
	else
		test_step_ok
	fi
}
484
485 # IKEv2 decryption test (AES-256-GCM-16)
decryption_step_ikev2_aes256gcm16() {
	# Passes when the expected isakmp.auth.data value is printed.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.auth.data \
		-r "$CAPTURE_DIR/ikev2-decrypt-aes256gcm16.pcap" \
		| grep "9a:b7:1f:14:ab:55:3c:ad:87:3a:1a:a7:0b:99:df:15:5d:ee:77:cd:cf:36:94:b3:b7:52:7a:cb:b9:71:2d:ed" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt encrypted with AES-256-GCM-16 packet of IKEv2 exchange"
	else
		test_step_ok
	fi
}
498
499 # IKEv2 decryption test (AES-256-GCM-8)
decryption_step_ikev2_aes256gcm8() {
	# Passes when the expected isakmp.auth.data value is printed.
	# Only grep's status is checked.
	$TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e isakmp.auth.data \
		-r "$CAPTURE_DIR/ikev2-decrypt-aes256gcm8.pcap" \
		| grep "4a:66:d8:22:d0:af:bc:22:ad:9a:92:a2:cf:42:87:c9:20:ad:8a:c3:b0:69:a4:a7:e7:5f:e0:a5:d4:99:f9:14" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		test_step_failed "Failed to decrypt encrypted with AES-256-GCM-8 packet of IKEv2 exchange"
	else
		test_step_ok
	fi
}
512
513 # HTTP2 (HPACK)
decryption_step_http2() {
	# Skipped when HAVE_NGHTTP2 is non-zero. Otherwise decodes TCP port
	# 3000 as HTTP/2 and passes when a header value matches "nghttp2".
	# Unlike the other steps this one runs tshark directly rather than
	# through run_and_catch_crashes, and it leaves ./testout.txt (plus
	# ./testout2.txt on failure) in the current directory.
	if [ $HAVE_NGHTTP2 -ne 0 ]; then
		test_step_skipped
		return
	fi
	env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e http2.header.value \
		-d tcp.port==3000,http2 \
		-r "$CAPTURE_DIR/packet-h2-14_headers.pcapng" \
		> ./testout.txt
	grep "nghttp2" ./testout.txt > /dev/null 2>&1
	RETURNVALUE=$?
	if [ $RETURNVALUE -ne $EXIT_OK ]; then
		# Re-run verbosely so the failure report shows the full
		# dissection next to the field output.
		env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
			-V \
			-d tcp.port==3000,http2 \
			-r "$CAPTURE_DIR/packet-h2-14_headers.pcapng" \
			> ./testout2.txt
		echo
		echo "Test output:"
		cat ./testout.txt
		echo "Verbose output:"
		cat ./testout2.txt
		test_step_failed "Failed to decode HTTP2 HPACK"
	else
		test_step_ok
	fi
}
542
543 # Kerberos
544 # Files are from krb-816.zip on the SampleCaptures page.
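# Keytab holding the keys used by decryption_step_kerberos.
KEYTAB_FILE="$TESTS_DIR/keys/krb-816.keytab"
if [ "$WS_SYSTEM" == "Windows" ] ; then
	# Quoted so a checkout path with spaces stays one argument.
	KEYTAB_FILE="$(cygpath -w "$KEYTAB_FILE")"
fi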
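decryption_step_kerberos() {
	# Skipped when HAVE_KERBEROS is non-zero. Otherwise decrypts with the
	# keytab in KEYTAB_FILE and passes when the expected
	# kerberos.keyvalue is printed. Only grep's status is checked.
	if [ "$HAVE_KERBEROS" -ne 0 ]; then
		test_step_skipped
		return
	fi
	# keyvalue: ccda7d48219f73c3b28311c4ba7242b3
	"$TESTS_DIR/run_and_catch_crashes" env $TS_DC_ENV $TSHARK $TS_DC_ARGS \
		-Tfields -e kerberos.keyvalue \
		-o "kerberos.decrypt: TRUE" \
		-o "kerberos.file: $KEYTAB_FILE" \
		-r "$CAPTURE_DIR/krb-816.pcap.gz" \
		| grep "cc:da:7d:48:21:9f:73:c3:b2:83:11:c4:ba:72:42:b3" > /dev/null 2>&1
	RETURNVALUE=$?
	if [ "$RETURNVALUE" -ne "$EXIT_OK" ]; then
		# The message used to be the IKEv2 AES-256-GCM-8 text (copied
		# from that step), which misreported what had failed.
		test_step_failed "Failed to decrypt Kerberos"
		return
	fi
	test_step_ok
}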
568
tshark_decryption_suite() {
	# Registers every decryption step with the harness, in order, as
	# (title, step function) pairs.
	local -a _dc_steps=(
		"IEEE 802.11 WPA PSK Decryption" decryption_step_80211_wpa_psk
		"IEEE 802.11 WPA PSK Decryption2 (EAPOL frames missing with a Win 10 client)" decryption_step_80211_wpa_eapol_incomplete_rekeys
		"IEEE 802.11 WPA PSK Decryption of Management frames (802.11w)" decryption_step_80211_wpa_psk_mfp
		"IEEE 802.11 WPA EAP Decryption" decryption_step_80211_wpa_eap
		"IEEE 802.11 WPA TDLS Decryption" decryption_step_80211_wpa_tdls
		"DTLS Decryption" decryption_step_dtls
		"DTLS 1.2 Decryption (PSK AES-128-CCM-8)" decryption_step_dtls_psk_aes128ccm8
		"IPsec ESP Decryption" decryption_step_ipsec_esp
		"SSL Decryption (private key)" decryption_step_ssl
		"SSL Decryption (RSA private key with p smaller than q)" decryption_step_ssl_rsa_pq
		"SSL Decryption (private key with password)" decryption_step_ssl_with_password
		"SSL Decryption (master secret)" decryption_step_ssl_master_secret
		"SSL Decryption (renegotiation)" decryption_step_ssl_renegotiation
		"TLS 1.2 Decryption (PSK AES-128-CCM)" decryption_step_tls_psk_aes128ccm
		"TLS 1.2 Decryption (PSK AES-256-GCM)" decryption_step_tls_psk_aes256gcm
		"ZigBee Decryption" decryption_step_zigbee
		"ANSI C12.22 Decryption" decryption_step_c1222
		"DVB-CI Decryption" decryption_step_dvb_ci

		"IKEv1 Decryption (certificates)" decryption_step_ikev1_certs
		"IKEv1 Decryption (simultaneous exchanges)" decryption_step_ikev1_simultaneous
		"IKEv1 Decryption (unencrypted phase 1)" decryption_step_ikev1_unencrypted

		"IKEv2 Decryption (3DES-CBC/SHA1_160)" decryption_step_ikev2_3des_sha160
		"IKEv2 Decryption (AES-128-CCM-12)" decryption_step_ikev2_aes128_ccm12
		"IKEv2 Decryption (AES-128-CCM-12 using CTR mode)" decryption_step_ikev2_aes128_ccm12_2
		"IKEv2 Decryption (AES-192-CTR/SHA2-512)" decryption_step_ikev2_aes192ctr_sha512
		"IKEv2 Decryption (AES-256-CBC/SHA2-256)" decryption_step_ikev2_aes256cbc_sha256
		"IKEv2 Decryption (AES-256-CCM-16)" decryption_step_ikev2_aes256ccm16
		"IKEv2 Decryption (AES-256-GCM-16)" decryption_step_ikev2_aes256gcm16
		"IKEv2 Decryption (AES-256-GCM-8)" decryption_step_ikev2_aes256gcm8

		"HTTP2 (HPACK)" decryption_step_http2

		"Kerberos" decryption_step_kerberos
	)
	local _dc_idx
	for (( _dc_idx = 0; _dc_idx < ${#_dc_steps[@]}; _dc_idx += 2 )); do
		test_step_add "${_dc_steps[_dc_idx]}" "${_dc_steps[_dc_idx + 1]}"
	done
}
606
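decryption_cleanup_step() {
	# Removes the per-suite home directory named by TEST_HOME.
	# Returns 0 without deleting anything when TEST_HOME is empty, and
	# refuses to act on "/". Otherwise returns rm's status.
	case "$TEST_HOME" in
		'')
			# Nothing to remove.
			return 0
			;;
		/)
			echo "decryption_cleanup_step: refusing to remove '/'" >&2
			return 1
			;;
	esac
	# "--" keeps a value that begins with "-" from being parsed as an
	# option to a recursive delete.
	rm -rf -- "$TEST_HOME"
}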
610
decryption_prep_step() {
	# Starts from a clean home directory, sets the environment assignment
	# handed to `env` by every step, and writes each UAT file from its
	# template with the TEST_KEYS_DIR placeholder filled in.
	local keys_dir_escaped

	decryption_cleanup_step

	TS_DC_ENV="${HOME_ENV}=${HOME_PATH}"

	# Each backslash in the keys directory is emitted as the text "\x5c"
	# in the generated file. Any "|" or "&" in the path would still be
	# interpreted by sed, since the replacement is not otherwise escaped.
	keys_dir_escaped="${TEST_KEYS_DIR//\\/\\\\x5c}"

	# UAT_FILES is a whitespace-separated list; word splitting is intended.
	for UAT in $UAT_FILES ; do
		sed -e "s|TEST_KEYS_DIR|${keys_dir_escaped}|" \
			< "$TESTS_DIR/config/$UAT.tmpl" \
			> "$CONF_PATH/$UAT"
	done
}
622
decryption_suite() {
	# Suite entry point: registers the prepare and cleanup hooks, then
	# adds the TShark decryption suite to the harness.
	test_step_set_pre decryption_prep_step
	test_step_set_post decryption_cleanup_step
	test_suite_add "TShark decryption" tshark_decryption_suite
}
628
629 #
630 # Editor modelines  -  https://www.wireshark.org/tools/modelines.html
631 #
632 # Local variables:
633 # sh-basic-offset: 8
634 # tab-width: 8
635 # indent-tabs-mode: t
636 # End:
637 #
638 # vi: set shiftwidth=8 tabstop=8 noexpandtab:
639 # :indentSize=8:tabSize=8:noTabs=false:
640 #
641