authorAurelien Aptel <aaptel@suse.com>2020-02-19 22:35:50 +0100
committerAlexis La Goutte <alexis.lagoutte@gmail.com>2020-02-23 06:14:06 +0000
commit1702e59b5536d0dd4e44605cbc62ec1be41dd74a (patch)
tree9e5617c5346739e7e9e43996bbc52e40e5cac907 /test
parentb8f9448c7887729ce82efeb097da01b9f8d246de (diff)
test/suite_decryption.py: update SMB3+ decryption tests
Update existing tests to the new smb2_seskey_list syntax and add new tests for decrypting using different combinations of provided keys. Change-Id: I86fda351ff736cae6029ec2321c45a02c1917226 Reviewed-on: https://code.wireshark.org/review/36137 Reviewed-by: Peter Wu <peter@lekensteyn.nl> Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Diffstat (limited to 'test')
-rw-r--r--test/suite_decryption.py215
1 files changed, 166 insertions, 49 deletions
diff --git a/test/suite_decryption.py b/test/suite_decryption.py
index 6decdb1b2b..519faf9d87 100644
--- a/test/suite_decryption.py
+++ b/test/suite_decryption.py
@@ -1106,65 +1106,182 @@ class case_decrypt_pkcs11(subprocesstest.SubprocessTestCase):
@fixtures.mark_usefixtures('test_env')
@fixtures.uses_fixtures
class case_decrypt_smb2(subprocesstest.SubprocessTestCase):
- def test_smb300_bad_key(self, cmd_tshark, capture_file):
- '''Check that a bad session key doesn't crash'''
- seskey = 'ffffffffffffffffffffffffffffffff'
- sesid = '1900009c003c0000'
- proc = self.assertRun((cmd_tshark,
- '-r', capture_file('smb300-aes-128-ccm.pcap.gz'),
- '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey),
- '-Y', 'frame.number == 7',
- ))
- self.assertIn('Encrypted', proc.stdout_str)
+ BAD_KEY = 'ffffffffffffffffffffffffffffffff'
- def test_smb311_bad_key(self, cmd_tshark, capture_file):
- seskey = 'ffffffffffffffffffffffffffffffff'
- sesid = '2900009c003c0000'
+ def check_bad_key(self, cmd_tshark, cap, disp_filter, sesid, seskey, s2ckey, c2skey):
proc = self.assertRun((cmd_tshark,
- '-r', capture_file('smb311-aes-128-ccm.pcap.gz'),
- '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey),
- '-Y', 'frame.number == 7'
+ '-r', cap,
+ '-o', 'uat:smb2_seskey_list:{},{},{},{}'.format(sesid, seskey, s2ckey, c2skey),
+ '-Y', disp_filter,
))
- self.assertIn('Encrypted', proc.stdout_str)
+ self.assertIn('Encrypted SMB', proc.stdout_str)
- def test_smb300_aes128ccm(self, cmd_tshark, capture_file):
- '''Check SMB 3.0 AES128CCM decryption.'''
- sesid = '1900009c003c0000'
- seskey = '9a9ea16a0cdbeb6064772318073f172f'
- tree = r'\\dfsroot1.foo.test\IPC$'
- proc = self.assertRun((cmd_tshark,
- '-r', capture_file('smb300-aes-128-ccm.pcap.gz'),
- '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey),
- '-Tfields',
- '-e', 'smb2.tree',
- '-Y', 'smb2.tree == "{}"'.format(tree.replace('\\', '\\\\')),
- ))
- self.assertEqual(tree, proc.stdout_str.strip())
+ #
+ # SMB3.0 CCM bad keys tests
+ #
+ def test_smb300_bad_seskey(self, features, cmd_tshark, capture_file):
+ '''Check that a bad session key doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb300-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '1900009c003c0000', self.BAD_KEY, '""', '""')
+
+ def test_smb300_bad_s2ckey(self, features, cmd_tshark, capture_file):
+ '''Check that a bad s2c key doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb300-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '1900009c003c0000', '""', self.BAD_KEY, '""')
+
+ def test_smb300_bad_c2skey(self, features, cmd_tshark, capture_file):
+ '''Check that a bad c2s key doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb300-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '1900009c003c0000', '""', '""', self.BAD_KEY)
+
+ def test_smb300_bad_deckey(self, features, cmd_tshark, capture_file):
+ '''Check that bad decryption keys doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb300-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '1900009c003c0000', '""', self.BAD_KEY, self.BAD_KEY)
+
+ def test_smb300_bad_allkey(self, features, cmd_tshark, capture_file):
+ '''Check that all bad keys doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb300-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '1900009c003c0000', self.BAD_KEY, self.BAD_KEY, self.BAD_KEY)
+
+ #
+ # SMB3.1.1 CCM bad key tests
+ #
+ def test_smb311_bad_seskey(self, features, cmd_tshark, capture_file):
+ '''Check that a bad session key doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb311-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '2900009c003c0000', self.BAD_KEY, '""', '""')
+
+ def test_smb311_bad_s2ckey(self, features, cmd_tshark, capture_file):
+ '''Check that a bad s2c key doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb311-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '2900009c003c0000', '""', self.BAD_KEY, '""')
+
+ def test_smb311_bad_c2skey(self, features, cmd_tshark, capture_file):
+ '''Check that a bad c2s key doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb311-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '2900009c003c0000', '""', '""', self.BAD_KEY)
+
+ def test_smb311_bad_deckey(self, features, cmd_tshark, capture_file):
+ '''Check that bad decryption keys doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb311-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '2900009c003c0000', '""', self.BAD_KEY, self.BAD_KEY)
+
+ def test_smb311_bad_allkey(self, features, cmd_tshark, capture_file):
+ '''Check that all bad keys doesn't crash'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_bad_key(cmd_tshark, capture_file('smb311-aes-128-ccm.pcap.gz'),
+ 'frame.number == 7', '2900009c003c0000', self.BAD_KEY, self.BAD_KEY, self.BAD_KEY)
+
+ #
+ # Decryption tests
+ #
- def test_smb311_aes128ccm(self, cmd_tshark, capture_file):
- '''Check SMB 3.1.1 AES128CCM decryption.'''
- sesid = '2900009c003c0000'
- seskey = 'f1fa528d3cd182cca67bd4596dabd885'
- tree = r'\\dfsroot1.foo.test\IPC$'
+ def check_tree(self, cmd_tshark, cap, tree, sesid, seskey, s2ckey, c2skey):
proc = self.assertRun((cmd_tshark,
- '-r', capture_file('smb311-aes-128-ccm.pcap.gz'),
- '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey),
+ '-r', cap,
+ '-o', 'uat:smb2_seskey_list:{},{},{},{}'.format(sesid, seskey, s2ckey, c2skey),
'-Tfields',
'-e', 'smb2.tree',
'-Y', 'smb2.tree == "{}"'.format(tree.replace('\\', '\\\\')),
))
self.assertEqual(tree, proc.stdout_str.strip())
- def test_smb311_aes128gcm(self, cmd_tshark, capture_file):
- '''Check SMB 3.1.1 AES128GCM decryption.'''
- sesid = '3900000000400000'
- seskey = 'e79161ded03bda1449b2c8e58f753953'
- tree = r'\\dfsroot1.foo.test\IPC$'
- proc = self.assertRun((cmd_tshark,
- '-r', capture_file('smb311-aes-128-gcm.pcap.gz'),
- '-o', 'uat:smb2_seskey_list:{},{},"",""'.format(sesid, seskey),
- '-Tfields',
- '-e', 'smb2.tree',
- '-Y', 'smb2.tree == "{}"'.format(tree.replace('\\', '\\\\')),
+ # SMB3.0 CCM
+ def test_smb300_aes128ccm_seskey(self, features, cmd_tshark, capture_file):
+ '''Check SMB 3.0 AES128CCM decryption with session key.'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_tree(cmd_tshark, capture_file('smb300-aes-128-ccm.pcap.gz'),
+ r'\\dfsroot1.foo.test\IPC$', '1900009c003c0000',
+ '9a9ea16a0cdbeb6064772318073f172f', '""', '""')
+
+ def test_smb300_aes128ccm_deckey(self, features, cmd_tshark, capture_file):
+ '''Check SMB 3.0 AES128CCM decryption with decryption keys.'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_tree(cmd_tshark, capture_file('smb300-aes-128-ccm.pcap.gz'),
+ r'\\dfsroot1.foo.test\IPC$', '1900009c003c0000',
+ '""', '8be6cc53d4beba29387e69aef035d497','bff985870e81784d533fdc09497b8eab')
+
+
+ # SMB3.1.1 CCM
+ def test_smb311_aes128ccm_seskey(self, features, cmd_tshark, capture_file):
+ '''Check SMB 3.1.1 AES128CCM decryption with session key.'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_tree(cmd_tshark, capture_file('smb311-aes-128-ccm.pcap.gz'),
+ r'\\dfsroot1.foo.test\IPC$', '2900009c003c0000',
+ 'f1fa528d3cd182cca67bd4596dabd885', '""', '""')
+
+ def test_smb311_aes128ccm_deckey(self, features, cmd_tshark, capture_file):
+ '''Check SMB 3.1.1 AES128CCM decryption with decryption keys.'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_tree(cmd_tshark, capture_file('smb311-aes-128-ccm.pcap.gz'),
+ r'\\dfsroot1.foo.test\IPC$', '2900009c003c0000',
+ '""', '763d5552dbc9650b700869467a5857e4', '35e69833c6578e438c8701cb40bf483e')
+
+ # SMB3.1.1 GCM
+ def test_smb311_aes128gcm_seskey(self, features, cmd_tshark, capture_file):
+ '''Check SMB 3.1.1 AES128GCM decryption with session key.'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_tree(cmd_tshark, capture_file('smb311-aes-128-gcm.pcap.gz'),
+ r'\\dfsroot1.foo.test\IPC$', '3900000000400000',
+ 'e79161ded03bda1449b2c8e58f753953', '""', '""')
+
+ def test_smb311_aes128gcm_deckey(self, features, cmd_tshark, capture_file):
+ '''Check SMB 3.1.1 AES128GCM decryption with decryption keys.'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_tree(cmd_tshark, capture_file('smb311-aes-128-gcm.pcap.gz'),
+ r'\\dfsroot1.foo.test\IPC$', '3900000000400000',
+ '""', 'b02f5de25e0562075c3dc329fa2aa396', '7201623a31754e6581864581209dd3d2')
+
+ def check_partial(self, home_path, cmd_tshark, full_cap, pkt_skip, tree, sesid, s2ckey, c2skey):
+ # generate a trace without NegProt and SessionSetup
+ partial_cap = os.path.join(home_path, 'short.pcap')
+ self.assertRun((cmd_tshark,
+ '-r', full_cap,
+ '-Y', 'frame.number >= %d'%pkt_skip,
+ '-w', partial_cap,
))
- self.assertEqual(tree, proc.stdout_str.strip())
+ self.check_tree(cmd_tshark, partial_cap, tree, sesid, '""', s2ckey, c2skey)
+
+ def test_smb311_aes128gcm_partial(self, features, home_path, cmd_tshark, capture_file):
+ '''Check SMB 3.1.1 AES128GCM decryption in capture missing session setup'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_partial(home_path, cmd_tshark,
+ capture_file('smb311-aes-128-gcm.pcap.gz'), 7,
+ r'\\dfsroot1.foo.test\IPC$', '3900000000400000',
+ 'b02f5de25e0562075c3dc329fa2aa396', '7201623a31754e6581864581209dd3d2')
+
+ def test_smb311_aes128gcm_partial_keyswap(self, features, home_path, cmd_tshark, capture_file):
+ '''Check SMB 3.1.1 AES128GCM decryption in capture missing session setup with keys in wrong order'''
+ if not features.have_libgcrypt16:
+ self.skipTest('Requires GCrypt 1.6 or later.')
+ self.check_partial(home_path, cmd_tshark,
+ capture_file('smb311-aes-128-gcm.pcap.gz'), 7,
+ r'\\dfsroot1.foo.test\IPC$', '3900000000400000',
+ '7201623a31754e6581864581209dd3d2', 'b02f5de25e0562075c3dc329fa2aa396')
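Review bot: The bad-key tests only exercise the two CCM captures, so nothing in this hunk checks that a wrong key leaves AES-128-GCM traffic undecrypted, either for the full `smb311-aes-128-gcm.pcap.gz` capture or for the `check_partial` path. That path matters most, because `test_smb311_aes128gcm_partial_keyswap` expects swapped s2c/c2s keys to still decrypt, which suggests the dissector tries more than one key assignment and presumably relies on the authentication tag to reject the wrong one. I would add a GCM negative case next to the CCM ones, e.g. `self.check_bad_key(cmd_tshark, capture_file('smb311-aes-128-gcm.pcap.gz'), <filter for an encrypted frame>, '3900000000400000', '""', self.BAD_KEY, self.BAD_KEY)`, with the frame filter chosen from the capture, since it is not visible here. A one-line comment on the keyswap test such as `# keys are accepted in either order; decryption must still succeed` would also record that this is intended behaviour. The end of `case_decrypt_smb2` lies outside the hunk.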