WireGuard: implement initiation message decryption with static keys
[metze/wireshark/wip.git] / test / suite_decryption.py
1 #
2 # -*- coding: utf-8 -*-
3 # Wireshark tests
4 # By Gerald Combs <gerald@wireshark.org>
5 #
6 # Ported from a set of Bash scripts which were copyright 2005 Ulf Lamping
7 #
8 # SPDX-License-Identifier: GPL-2.0-or-later
9 #
10 '''Decryption tests'''
11
12 import config
13 import os.path
14 import subprocesstest
15 import unittest
16
17 class case_decrypt_80211(subprocesstest.SubprocessTestCase):
18     def test_80211_wpa_psk(self):
19         '''IEEE 802.11 WPA PSK'''
20         # https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=wpa-Induction.pcap
21         capture_file = os.path.join(config.capture_dir, 'wpa-Induction.pcap.gz')
22         self.runProcess((config.cmd_tshark,
23                 '-o', 'wlan.enable_decryption: TRUE',
24                 '-Tfields',
25                 '-e', 'http.request.uri',
26                 '-r', capture_file,
27                 '-Y', 'http',
28             ),
29             env=config.test_env)
30         self.assertTrue(self.grepOutput('favicon.ico'))
31
32     def test_80211_wpa_eap(self):
33         '''IEEE 802.11 WPA EAP (EAPOL Rekey)'''
34         # Included in git sources test/captures/wpa-eap-tls.pcap.gz
35         capture_file = os.path.join(config.capture_dir, 'wpa-eap-tls.pcap.gz')
36         self.runProcess((config.cmd_tshark,
37                 '-o', 'wlan.enable_decryption: TRUE',
38                 '-r', capture_file,
39                 '-Y', 'wlan.analysis.tk==7d9987daf5876249b6c773bf454a0da7',
40                 ),
41             env=config.test_env)
42         self.assertTrue(self.grepOutput('Group Message'))
43
44     def test_80211_wpa_eapol_incomplete_rekeys(self):
45         '''WPA decode with message1+2 only and secure bit set on message 2'''
46         # Included in git sources test/captures/wpa-test-decode.pcap.gz
47         capture_file = os.path.join(config.capture_dir, 'wpa-test-decode.pcap.gz')
48         self.runProcess((config.cmd_tshark,
49                 '-o', 'wlan.enable_decryption: TRUE',
50                 '-r', capture_file,
51                 '-Y', 'icmp.resp_to == 4263',
52                 ),
53             env=config.test_env)
54         self.assertTrue(self.grepOutput('Echo'))
55
56     def test_80211_wpa_psk_mfp(self):
57         '''WPA decode management frames with MFP enabled (802.11w)'''
58         # Included in git sources test/captures/wpa-test-decode-mgmt.pcap.gz
59         capture_file = os.path.join(config.capture_dir, 'wpa-test-decode-mgmt.pcap.gz')
60         self.runProcess((config.cmd_tshark,
61                 '-o', 'wlan.enable_decryption: TRUE',
62                 '-r', capture_file,
63                 '-Y', 'wlan.fixed.reason_code == 2 || wlan.fixed.category_code == 3',
64                 ),
65             env=config.test_env)
66         self.assertEqual(self.countOutput('802.11.*SN=.*FN=.*Flags='), 3)
67
68
69     def test_80211_wpa_tdls(self):
70         '''WPA decode traffic in a TDLS (Tunneled Direct-Link Setup) session (802.11z)'''
71         if not config.have_libgcrypt16:
72             self.skipTest('Requires GCrypt 1.6 or later.')
73         # Included in git sources test/captures/wpa-test-decode-tdls.pcap.gz
74         capture_file = os.path.join(config.capture_dir, 'wpa-test-decode-tdls.pcap.gz')
75         self.runProcess((config.cmd_tshark,
76                 #'-ouat:80211_keys:"wpa-pwd","12345678"',
77                 '-o', 'wlan.enable_decryption: TRUE',
78                 '-r', capture_file,
79                 '-Y', 'icmp',
80                 ),
81             env=config.test_env)
82         self.assertEqual(self.countOutput('ICMP.*Echo .ping'), 2)
83
84 class case_decrypt_dtls(subprocesstest.SubprocessTestCase):
85     def test_dtls(self):
86         '''DTLS'''
87         # https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil.tgz
88         capture_file = os.path.join(config.capture_dir, 'snakeoil-dtls.pcap')
89         self.runProcess((config.cmd_tshark,
90                 '-r', capture_file,
91                 '-Tfields',
92                 '-e', 'data.data',
93                 '-Y', 'data',
94             ),
95             env=config.test_env)
96         self.assertTrue(self.grepOutput('69:74:20:77:6f:72:6b:20:21:0a'))
97
98     def test_dtls_psk_aes128ccm8(self):
99         '''DTLS 1.2 with PSK, AES-128-CCM-8'''
100         capture_file = os.path.join(config.capture_dir, 'dtls12-aes128ccm8.pcap')
101         self.runProcess((config.cmd_tshark,
102                 '-r', capture_file,
103                 '-o', 'dtls.psk:ca19e028a8a372ad2d325f950fcaceed',
104                 '-x'
105             ),
106             env=config.test_env)
107         dt_count = self.countOutput('Decrypted DTLS')
108         wfm_count = self.countOutput('Works for me!.')
109         self.assertTrue(dt_count == 7 and wfm_count == 2)
110
111     def test_dtls_udt(self):
112         '''UDT over DTLS 1.2 with RSA key'''
113         capture_file = os.path.join(config.capture_dir, 'udt-dtls.pcapng.gz')
114         key_file = os.path.join(config.key_dir, 'udt-dtls.key')
115         self.runProcess((config.cmd_tshark,
116                 '-r', capture_file,
117                 '-o', 'dtls.keys_list:0.0.0.0,0,data,{}'.format(key_file),
118                 '-Y', 'dtls && udt.type==ack',
119             ),
120             env=config.test_env)
121         self.assertTrue(self.grepOutput('UDT'))
122
123 class case_decrypt_tls(subprocesstest.SubprocessTestCase):
124     def test_ssl(self):
125         '''SSL using the server's private key'''
126         # https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=view&target=snakeoil2_070531.tgz
127         capture_file = os.path.join(config.capture_dir, 'rsasnakeoil2.pcap')
128         self.runProcess((config.cmd_tshark,
129                 '-r', capture_file,
130                 '-Tfields',
131                 '-e', 'http.request.uri',
132                 '-Y', 'http',
133             ),
134             env=config.test_env)
135         self.assertTrue(self.grepOutput('favicon.ico'))
136
137     def test_ssl_rsa_pq(self):
138         '''SSL using the server's private key with p < q
139         (test whether libgcrypt is correctly called)'''
140         capture_file = os.path.join(config.capture_dir, 'rsa-p-lt-q.pcap')
141         key_file = os.path.join(config.key_dir, 'rsa-p-lt-q.key')
142         self.runProcess((config.cmd_tshark,
143                 '-r', capture_file,
144                 '-o', 'ssl.keys_list:0.0.0.0,443,http,{}'.format(key_file),
145                 '-Tfields',
146                 '-e', 'http.request.uri',
147                 '-Y', 'http',
148             ),
149             env=config.test_env)
150         self.assertTrue(self.grepOutput('/'))
151
152     def test_ssl_with_password(self):
153         '''SSL using the server's private key with password'''
154         capture_file = os.path.join(config.capture_dir, 'dmgr.pcapng')
155         self.runProcess((config.cmd_tshark,
156                 '-r', capture_file,
157                 '-Tfields',
158                 '-e', 'http.request.uri',
159                 '-Y', 'http',
160             ),
161             env=config.test_env)
162         self.assertTrue(self.grepOutput('unsecureLogon.jsp'))
163
164     def test_ssl_master_secret(self):
165         '''SSL using the master secret'''
166         capture_file = os.path.join(config.capture_dir, 'dhe1.pcapng.gz')
167         key_file = os.path.join(config.key_dir, 'dhe1_keylog.dat')
168         self.runProcess((config.cmd_tshark,
169                 '-r', capture_file,
170                 '-o', 'ssl.keylog_file: {}'.format(key_file),
171                 '-o', 'ssl.desegment_ssl_application_data: FALSE',
172                 '-o', 'http.ssl.port: 443',
173                 '-Tfields',
174                 '-e', 'http.request.uri',
175                 '-Y', 'http',
176             ),
177             env=config.test_env)
178         self.assertTrue(self.grepOutput('test'))
179
180     def test_tls12_renegotiation(self):
181         '''TLS 1.2 with renegotiation'''
182         capture_file = os.path.join(config.capture_dir, 'tls-renegotiation.pcap')
183         key_file = os.path.join(config.key_dir, 'rsasnakeoil2.key')
184         self.runProcess((config.cmd_tshark,
185                 '-r', capture_file,
186                 '-o', 'ssl.keys_list:0.0.0.0,4433,http,{}'.format(key_file),
187                 '-Tfields',
188                 '-e', 'http.content_length',
189                 '-Y', 'http',
190             ),
191             env=config.test_env)
192         count_0 = self.countOutput('^0$')
193         count_2151 = self.countOutput('^2151$')
194         self.assertTrue(count_0 == 1 and count_2151 == 1)
195
196     def test_tls12_psk_aes128ccm(self):
197         '''TLS 1.2 with PSK, AES-128-CCM'''
198         capture_file = os.path.join(config.capture_dir, 'tls12-aes128ccm.pcap')
199         self.runProcess((config.cmd_tshark,
200                 '-r', capture_file,
201                 '-o', 'ssl.psk:ca19e028a8a372ad2d325f950fcaceed',
202                 '-q',
203                 '-z', 'follow,ssl,ascii,0',
204             ),
205             env=config.test_env)
206         self.assertTrue(self.grepOutput('http://www.gnu.org/software/gnutls'))
207
208     def test_tls12_psk_aes256gcm(self):
209         '''TLS 1.2 with PSK, AES-256-GCM'''
210         capture_file = os.path.join(config.capture_dir, 'tls12-aes256gcm.pcap')
211         self.runProcess((config.cmd_tshark,
212                 '-r', capture_file,
213                 '-o', 'ssl.psk:ca19e028a8a372ad2d325f950fcaceed',
214                 '-q',
215                 '-z', 'follow,ssl,ascii,0',
216             ),
217             env=config.test_env)
218         self.assertTrue(self.grepOutput('http://www.gnu.org/software/gnutls'))
219
220     def test_tls12_chacha20poly1305(self):
221         '''TLS 1.2 with ChaCha20-Poly1305'''
222         if not config.have_libgcrypt17:
223             self.skipTest('Requires GCrypt 1.7 or later.')
224         capture_file = os.path.join(config.capture_dir, 'tls12-chacha20poly1305.pcap')
225         key_file = os.path.join(config.key_dir, 'tls12-chacha20poly1305.keys')
226         ciphers=[
227             'ECDHE-ECDSA-CHACHA20-POLY1305',
228             'ECDHE-RSA-CHACHA20-POLY1305',
229             'DHE-RSA-CHACHA20-POLY1305',
230             'RSA-PSK-CHACHA20-POLY1305',
231             'DHE-PSK-CHACHA20-POLY1305',
232             'ECDHE-PSK-CHACHA20-POLY1305',
233             'PSK-CHACHA20-POLY1305',
234         ]
235         stream = 0
236         for cipher in ciphers:
237             self.runProcess((config.cmd_tshark,
238                     '-r', capture_file,
239                     '-o', 'ssl.keylog_file: {}'.format(key_file),
240                     '-q',
241                     '-z', 'follow,ssl,ascii,{}'.format(stream),
242                 ),
243                 env=config.test_env)
244             stream += 1
245             self.assertTrue(self.grepOutput('Cipher is {}'.format(cipher)))
246
247     def test_tls13_chacha20poly1305(self):
248         '''TLS 1.3 with ChaCha20-Poly1305'''
249         if not config.have_libgcrypt17:
250             self.skipTest('Requires GCrypt 1.7 or later.')
251         capture_file = os.path.join(config.capture_dir, 'tls13-20-chacha20poly1305.pcap')
252         key_file = os.path.join(config.key_dir, 'tls13-20-chacha20poly1305.keys')
253         self.runProcess((config.cmd_tshark,
254                 '-r', capture_file,
255                 '-o', 'ssl.keylog_file: {}'.format(key_file),
256                 '-q',
257                 '-z', 'follow,ssl,ascii,0',
258             ),
259             env=config.test_env)
260         self.assertTrue(self.grepOutput('TLS13-CHACHA20-POLY1305-SHA256'))
261
262 class case_decrypt_zigbee(subprocesstest.SubprocessTestCase):
263     def test_zigbee(self):
264         '''ZigBee'''
265         # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7022
266         capture_file = os.path.join(config.capture_dir, 'sample_control4_2012-03-24.pcap')
267         self.runProcess((config.cmd_tshark,
268                 '-r', capture_file,
269                 '-Tfields',
270                 '-e', 'data.data',
271                 '-Y', 'zbee_aps',
272             ),
273             env=config.test_env)
274         self.assertTrue(self.grepOutput('30:67:63:63:38:65:20:63:34:2e:64:6d:2e:74:76:20'))
275
276 class case_decrypt_ansi_c1222(subprocesstest.SubprocessTestCase):
277     def test_ansi_c1222(self):
278         '''ANSI C12.22'''
279         # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9196
280         capture_file = os.path.join(config.capture_dir, 'c1222_std_example8.pcap')
281         self.runProcess((config.cmd_tshark,
282                 '-r', capture_file,
283                 '-o', 'c1222.decrypt: TRUE',
284                 '-o', 'c1222.baseoid: 2.16.124.113620.1.22.0',
285                 '-Tfields',
286                 '-e', 'c1222.data',
287             ),
288             env=config.test_env)
289         self.assertTrue(self.grepOutput('00:10:4d:41:4e:55:46:41:43:54:55:52:45:52:20:53:4e:20:92'))
290
291 class case_decrypt_dvb_ci(subprocesstest.SubprocessTestCase):
292     def test_dvb_ci(self):
293         '''DVB-CI'''
294         # simplified version of the sample capture in
295         # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6700
296         capture_file = os.path.join(config.capture_dir, 'dvb-ci_UV1_0000.pcap')
297         self.runProcess((config.cmd_tshark,
298                 '-r', capture_file,
299                 '-o', 'dvb-ci.sek: 00000000000000000000000000000000',
300                 '-o', 'dvb-ci.siv: 00000000000000000000000000000000',
301                 '-Tfields',
302                 '-e', 'dvb-ci.cc.sac.padding',
303             ),
304             env=config.test_env)
305         self.assertTrue(self.grepOutput('80:00:00:00:00:00:00:00:00:00:00:00'))
306
307 class case_decrypt_ipsec(subprocesstest.SubprocessTestCase):
308     def test_ipsec_esp(self):
309         '''IPsec ESP'''
310         # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12671
311         capture_file = os.path.join(config.capture_dir, 'esp-bug-12671.pcapng.gz')
312         self.runProcess((config.cmd_tshark,
313                 '-r', capture_file,
314                 '-o', 'esp.enable_encryption_decode: TRUE',
315                 '-Tfields',
316                 '-e', 'data.data',
317             ),
318             env=config.test_env)
319         self.assertTrue(self.grepOutput('08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17'))
320
321 class case_decrypt_ike_isakmp(subprocesstest.SubprocessTestCase):
322     def test_ikev1_certs(self):
323         '''IKEv1 (ISAKMP) with certificates'''
324         # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7951
325         capture_file = os.path.join(config.capture_dir, 'ikev1-certs.pcap')
326         self.runProcess((config.cmd_tshark,
327                 '-r', capture_file,
328                 '-Tfields',
329                 '-e', 'x509sat.printableString',
330             ),
331             env=config.test_env)
332         self.assertTrue(self.grepOutput('OpenSwan'))
333
334     def test_ikev1_simultaneous(self):
335         '''IKEv1 (ISAKMP) simultaneous exchanges'''
336         # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12610
337         capture_file = os.path.join(config.capture_dir, 'ikev1-bug-12610.pcapng.gz')
338         self.runProcess((config.cmd_tshark,
339                 '-r', capture_file,
340                 '-Tfields',
341                 '-e', 'isakmp.hash',
342             ),
343             env=config.test_env)
344         self.assertTrue(self.grepOutput('b5:25:21:f7:74:96:74:02:c9:f6:ce:e9:5f:d1:7e:5b'))
345
346     def test_ikev1_unencrypted(self):
347         '''IKEv1 (ISAKMP) unencrypted phase 1'''
348         # https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12620
349         capture_file = os.path.join(config.capture_dir, 'ikev1-bug-12620.pcapng.gz')
350         self.runProcess((config.cmd_tshark,
351                 '-r', capture_file,
352                 '-Tfields',
353                 '-e', 'isakmp.hash',
354             ),
355             env=config.test_env)
356         self.assertTrue(self.grepOutput('40:04:3b:64:0f:43:73:25:0d:5a:c3:a1:fb:63:15:3c'))
357
358     def test_ikev2_3des_sha160(self):
359         '''IKEv2 decryption test (3DES-CBC/SHA1_160)'''
360         capture_file = os.path.join(config.capture_dir, 'ikev2-decrypt-3des-sha1_160.pcap')
361         self.runProcess((config.cmd_tshark,
362                 '-r', capture_file,
363                 '-Tfields',
364                 '-e', 'isakmp.auth.data',
365             ),
366             env=config.test_env)
367         self.assertTrue(self.grepOutput('02:f7:a0:d5:f1:fd:c8:ea:81:03:98:18:c6:5b:b9:bd:09:af:9b:89:17:31:9b:88:7f:f9:ba:30:46:c3:44:c7'))
368
369     def test_ikev2_aes128_ccm12(self):
370         '''IKEv2 decryption test (AES-128-CCM-12) - with CBC-MAC verification'''
371         capture_file = os.path.join(config.capture_dir, 'ikev2-decrypt-aes128ccm12.pcap')
372         self.runProcess((config.cmd_tshark,
373                 '-r', capture_file,
374                 '-Tfields',
375                 '-e', 'isakmp.auth.data',
376             ),
377             env=config.test_env)
378         self.assertTrue(self.grepOutput('c2:10:43:94:29:9e:1f:fe:79:08:ea:72:0a:d5:d1:37:17:a0:d4:54:e4:fa:0a:21:28:ea:68:94:11:f4:79:c4'))
379
380     def test_ikev2_aes128_ccm12_2(self):
381         '''IKEv2 decryption test (AES-128-CCM-12 using CTR mode, without checksum)'''
382         capture_file = os.path.join(config.capture_dir, 'ikev2-decrypt-aes128ccm12-2.pcap')
383         self.runProcess((config.cmd_tshark,
384                 '-r', capture_file,
385                 '-Tfields',
386                 '-e', 'isakmp.auth.data',
387             ),
388             env=config.test_env)
389         self.assertTrue(self.grepOutput('aa:a2:81:c8:7b:4a:19:04:6c:57:27:1d:55:74:88:ca:41:3b:57:22:8c:b9:51:f5:fa:96:40:99:2a:02:85:b9'))
390
391     def test_ikev2_aes192ctr_sha512(self):
392         '''IKEv2 decryption test (AES-192-CTR/SHA2-512)'''
393         capture_file = os.path.join(config.capture_dir, 'ikev2-decrypt-aes192ctr.pcap')
394         self.runProcess((config.cmd_tshark,
395                 '-r', capture_file,
396                 '-Tfields',
397                 '-e', 'isakmp.auth.data',
398             ),
399             env=config.test_env)
400         self.assertTrue(self.grepOutput('3e:c2:3d:cf:93:48:48:56:38:40:7c:75:45:47:ae:b3:08:52:90:08:2c:49:f5:83:fd:ba:e5:92:63:a2:0b:4a'))
401
402     def test_ikev2_aes256cbc_sha256(self):
403         '''IKEv2 decryption test (AES-256-CBC/SHA2-256)'''
404         capture_file = os.path.join(config.capture_dir, 'ikev2-decrypt-aes256cbc.pcapng')
405         self.runProcess((config.cmd_tshark,
406                 '-r', capture_file,
407                 '-Tfields',
408                 '-e', 'isakmp.auth.data',
409             ),
410             env=config.test_env)
411         self.assertTrue(self.grepOutput('e1:a8:d5:50:06:42:01:a7:ec:02:4a:85:75:8d:06:73:c6:1c:5c:51:0a:c1:3b:cd:22:5d:63:27:f5:0d:a3:d3'))
412
413     def test_ikev2_aes256ccm16(self):
414         '''IKEv2 decryption test (AES-256-CCM-16)'''
415         capture_file = os.path.join(config.capture_dir, 'ikev2-decrypt-aes256ccm16.pcapng')
416         self.runProcess((config.cmd_tshark,
417                 '-r', capture_file,
418                 '-Tfields',
419                 '-e', 'isakmp.auth.data',
420             ),
421             env=config.test_env)
422         self.assertTrue(self.grepOutput('fa:2e:74:bd:c0:1e:30:fb:0b:3d:dc:97:23:c9:44:90:95:96:9d:a5:1f:69:e5:60:20:9d:2c:2b:79:40:21:0a'))
423
424     def test_ikev2_aes256gcm16(self):
425         '''IKEv2 decryption test (AES-256-GCM-16)'''
426         capture_file = os.path.join(config.capture_dir, 'ikev2-decrypt-aes256gcm16.pcap')
427         self.runProcess((config.cmd_tshark,
428                 '-r', capture_file,
429                 '-Tfields',
430                 '-e', 'isakmp.auth.data',
431             ),
432             env=config.test_env)
433         self.assertTrue(self.grepOutput('9a:b7:1f:14:ab:55:3c:ad:87:3a:1a:a7:0b:99:df:15:5d:ee:77:cd:cf:36:94:b3:b7:52:7a:cb:b9:71:2d:ed'))
434
435     def test_ikev2_aes256gcm8(self):
436         '''IKEv2 decryption test (AES-256-GCM-8)'''
437         capture_file = os.path.join(config.capture_dir, 'ikev2-decrypt-aes256gcm8.pcap')
438         self.runProcess((config.cmd_tshark,
439                 '-r', capture_file,
440                 '-Tfields',
441                 '-e', 'isakmp.auth.data',
442             ),
443             env=config.test_env)
444         self.assertTrue(self.grepOutput('4a:66:d8:22:d0:af:bc:22:ad:9a:92:a2:cf:42:87:c9:20:ad:8a:c3:b0:69:a4:a7:e7:5f:e0:a5:d4:99:f9:14'))
445
446 class case_decrypt_http2(subprocesstest.SubprocessTestCase):
447     def test_http2(self):
448         '''HTTP2 (HPACK)'''
449         if not config.have_nghttp2:
450             self.skipTest('Requires nghttp2.')
451         capture_file = os.path.join(config.capture_dir, 'packet-h2-14_headers.pcapng')
452         self.runProcess((config.cmd_tshark,
453                 '-r', capture_file,
454                 '-Tfields',
455                 '-e', 'http2.header.value',
456                 '-d', 'tcp.port==3000,http2',
457             ),
458             env=config.test_env)
459         test_passed = self.grepOutput('nghttp2')
460         if not test_passed:
461             self.log_fd.write(u'\n\n-- Verbose output --\n\n')
462             self.runProcess((config.cmd_tshark,
463                     '-r', capture_file,
464                     '-V',
465                     '-d', 'tcp.port==3000,http2',
466                 ),
467                 env=config.test_env)
468         self.assertTrue(test_passed)
469
470 class case_decrypt_kerberos(subprocesstest.SubprocessTestCase):
471     def test_kerberos(self):
472         '''Kerberos'''
473         # Files are from krb-816.zip on the SampleCaptures page.
474         if not config.have_kerberos:
475             self.skipTest('Requires nghttp2.')
476         capture_file = os.path.join(config.capture_dir, 'krb-816.pcap.gz')
477         keytab_file = os.path.join(config.key_dir, 'krb-816.keytab')
478         self.runProcess((config.cmd_tshark,
479                 '-r', capture_file,
480                 '-o', 'kerberos.decrypt: TRUE',
481                 '-o', 'kerberos.file: {}'.format(keytab_file),
482                 '-Tfields',
483                 '-e', 'kerberos.keyvalue',
484             ),
485             env=config.test_env)
486         # keyvalue: ccda7d48219f73c3b28311c4ba7242b3
487         self.assertTrue(self.grepOutput('cc:da:7d:48:21:9f:73:c3:b2:83:11:c4:ba:72:42:b3'))
488
489 class case_decrypt_wireguard(subprocesstest.SubprocessTestCase):
490     key_Spriv_i = 'AKeZaHwBxjiKLFnkY2unvEdOTtg4AL+M9dQXfopFVFk='
491     key_Spub_i = 'Igge9KzRytKNwrgkzDE/8hrLu6Ly0OqVdvOPWhA5KR4='
492     key_Spriv_r = 'cFIxTUyBs1Qil414hBwEgvasEax8CKJ5IS5ZougplWs='
493     key_Spub_r = 'YDCttCs9e1J52/g9vEnwJJa+2x6RqaayAYMpSVQfGEY='
494     key_Epriv_i0 = 'sLGLJSOQfyz7JNJ5ZDzFf3Uz1rkiCMMjbWerNYcPFFU='
495     key_Epriv_r0 = 'QC4/FZKhFf0b/eXEcCecmZNt6V6PXmRa4EWG1PIYTU4='
496     key_Epriv_i1 = 'ULv83D+y3vA0t2mgmTmWz++lpVsrP7i4wNaUEK2oX0E='
497     key_Epriv_r1 = 'sBv1dhsm63cbvWMv/XML+bvynBp9PTdY9Vvptu3HQlg='
498
499     def runOne(self, args, pcap_file='wireguard-ping-tcp.pcap'):
500         if not config.have_libgcrypt17:
501             self.skipTest('Requires Gcrypt 1.7 or later')
502         capture_file = os.path.join(config.capture_dir, pcap_file)
503         proc = self.runProcess([config.cmd_tshark, '-r', capture_file] + args,
504                                env=config.test_env)
505         lines = proc.stdout_str.splitlines()
506         return lines
507
508     def test_mac1_public(self):
509         """Check that MAC1 identification using public keys work."""
510         lines = self.runOne([
511             '-ouat:wg_keys:"Public","%s"' % self.key_Spub_i,
512             '-ouat:wg_keys:"Public","%s"' % self.key_Spub_r,
513             '-Y', 'wg.receiver_pubkey',
514             '-Tfields',
515             '-e', 'frame.number',
516             '-e', 'wg.receiver_pubkey',
517             '-e', 'wg.receiver_pubkey.known_privkey',
518         ])
519         self.assertEqual(4, len(lines))
520         self.assertIn('1\t%s\t0' % self.key_Spub_r, lines)
521         self.assertIn('2\t%s\t0' % self.key_Spub_i, lines)
522         self.assertIn('13\t%s\t0' % self.key_Spub_r, lines)
523         self.assertIn('14\t%s\t0' % self.key_Spub_i, lines)
524
525     def test_mac1_private(self):
526         """Check that MAC1 identification using private keys work."""
527         lines = self.runOne([
528             '-ouat:wg_keys:"Private","%s"' % self.key_Spriv_i,
529             '-ouat:wg_keys:"Private","%s"' % self.key_Spriv_r,
530             '-Y', 'wg.receiver_pubkey',
531             '-Tfields',
532             '-e', 'frame.number',
533             '-e', 'wg.receiver_pubkey',
534             '-e', 'wg.receiver_pubkey.known_privkey',
535         ])
536         self.assertEqual(4, len(lines))
537         self.assertIn('1\t%s\t1' % self.key_Spub_r, lines)
538         self.assertIn('2\t%s\t1' % self.key_Spub_i, lines)
539         self.assertIn('13\t%s\t1' % self.key_Spub_r, lines)
540         self.assertIn('14\t%s\t1' % self.key_Spub_i, lines)
541
542     def test_decrypt_initiation_sprivr(self):
543         """Check for partial decryption using Spriv_r."""
544         lines = self.runOne([
545             '-ouat:wg_keys:"Private","%s"' % self.key_Spriv_r,
546             '-Y', 'wg.type==1',
547             '-Tfields',
548             '-e', 'frame.number',
549             '-e', 'wg.static',
550             '-e', 'wg.static.known_pubkey',
551             '-e', 'wg.static.known_privkey',
552             '-e', 'wg.timestamp.nanoseconds',
553         ])
554         # static pubkey is unknown because Spub_i is not added to wg_keys.
555         self.assertIn('1\t%s\t0\t0\t%s' % (self.key_Spub_i, '356537872'), lines)
556         self.assertIn('13\t%s\t0\t0\t%s' % (self.key_Spub_i, '490514356'), lines)