From e7549372515dbef74f4764a36a6b1a408087cf59 Mon Sep 17 00:00:00 2001
From: Peter Wu <peter@lekensteyn.nl>
Date: Wed, 1 Aug 2018 02:10:40 +0200
Subject: WireGuard: implement decryption with PSKs

This imposes an additional requirement on the key log file, PSKs are
only linked to the most recently seen ephemeral key. This means that the
key log might contain duplicate PSK lines, but at least the dissector
won't have to try all keys and thereby save CPU time.

Bug: 15011
Change-Id: I368fa16269c96c4a1ff3bcb4e376c21f38fa2689
Reviewed-on: https://code.wireshark.org/review/28993
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
---
 test/suite_decryption.py | 68 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

(limited to 'test/suite_decryption.py')

diff --git a/test/suite_decryption.py b/test/suite_decryption.py
index db179bcaf9..33a3eb197f 100644
--- a/test/suite_decryption.py
+++ b/test/suite_decryption.py
@@ -500,6 +500,15 @@ class case_decrypt_wireguard(subprocesstest.SubprocessTestCase):
     key_Epriv_r0 = 'QC4/FZKhFf0b/eXEcCecmZNt6V6PXmRa4EWG1PIYTU4='
     key_Epriv_i1 = 'ULv83D+y3vA0t2mgmTmWz++lpVsrP7i4wNaUEK2oX0E='
     key_Epriv_r1 = 'sBv1dhsm63cbvWMv/XML+bvynBp9PTdY9Vvptu3HQlg='
+    # Ephemeral keys and PSK for wireguard-psk.pcap
+    key_Epriv_i2 = 'iCv2VTi/BC/q0egU931KXrrQ4TSwXaezMgrhh7uCbXs='
+    key_Epriv_r2 = '8G1N3LnEqYC7+NW/b6mqceVUIGBMAZSm+IpwG1U0j0w='
+    key_psk2 = '//////////////////////////////////////////8='
+    key_Epriv_i3 = '+MHo9sfkjPsjCx7lbVhRLDvMxYvTirOQFDSdzAW6kUQ='
+    key_Epriv_r3 = '0G6t5j1B/We65MXVEBIGuRGYadwB2ITdvJovtAuATmc='
+    key_psk3 = 'iIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIg='
+    # dummy key that should not work with anything.
+    key_dummy = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
 
     def runOne(self, args, keylog=None, pcap_file='wireguard-ping-tcp.pcap'):
         if not config.have_libgcrypt17:
@@ -638,3 +647,62 @@ class case_decrypt_wireguard(subprocesstest.SubprocessTestCase):
         self.assertIn('14\t1\t\t\t1\t\t', lines)
         self.assertIn('17\t\t\t\t\t\t443', lines)
         self.assertIn('18\t\t\t\t\t\t49472', lines)
+
+    def test_decrypt_psk_initiator(self):
+        """Check whether PSKs enable decryption for initiation keys."""
+        lines = self.runOne([
+            '-Tfields',
+            '-e', 'frame.number',
+            '-e', 'wg.handshake_ok',
+        ], keylog=[
+            'REMOTE_STATIC_PUBLIC_KEY = %s' % self.key_Spub_r,
+            'LOCAL_STATIC_PRIVATE_KEY = %s' % self.key_Spriv_i,
+            'LOCAL_EPHEMERAL_PRIVATE_KEY=%s' % self.key_Epriv_i2,
+            'PRESHARED_KEY=%s' % self.key_psk2,
+            'LOCAL_EPHEMERAL_PRIVATE_KEY=%s' % self.key_Epriv_r3,
+            'PRESHARED_KEY=%s' % self.key_psk3,
+        ], pcap_file='wireguard-psk.pcap')
+        self.assertIn('2\t1', lines)
+        self.assertIn('4\t1', lines)
+
+    def test_decrypt_psk_responder(self):
+        """Check whether PSKs enable decryption for responder keys."""
+        lines = self.runOne([
+            '-Tfields',
+            '-e', 'frame.number',
+            '-e', 'wg.handshake_ok',
+        ], keylog=[
+            'REMOTE_STATIC_PUBLIC_KEY=%s' % self.key_Spub_i,
+            'LOCAL_STATIC_PRIVATE_KEY=%s' % self.key_Spriv_r,
+            # Epriv_r2 needs psk2. This tests handling of duplicate ephemeral
+            # keys with multiple PSKs. It should not have adverse effects.
+            'LOCAL_EPHEMERAL_PRIVATE_KEY=%s' % self.key_Epriv_r2,
+            'PRESHARED_KEY=%s' % self.key_dummy,
+            'LOCAL_EPHEMERAL_PRIVATE_KEY=%s' % self.key_Epriv_r2,
+            'PRESHARED_KEY=%s' % self.key_psk2,
+            'LOCAL_EPHEMERAL_PRIVATE_KEY=%s' % self.key_Epriv_i3,
+            'PRESHARED_KEY=%s' % self.key_psk3,
+            # Epriv_i3 needs psk3, this tests that additional keys again have no
+            # bad side-effects.
+            'LOCAL_EPHEMERAL_PRIVATE_KEY=%s' % self.key_Epriv_i3,
+            'PRESHARED_KEY=%s' % self.key_dummy,
+        ], pcap_file='wireguard-psk.pcap')
+        self.assertIn('2\t1', lines)
+        self.assertIn('4\t1', lines)
+
+    def test_decrypt_psk_wrong_orderl(self):
+        """Check that the wrong order of lines indeed fail decryption."""
+        lines = self.runOne([
+            '-Tfields',
+            '-e', 'frame.number',
+            '-e', 'wg.handshake_ok',
+        ], keylog=[
+            'REMOTE_STATIC_PUBLIC_KEY=%s' % self.key_Spub_i,
+            'LOCAL_STATIC_PRIVATE_KEY=%s' % self.key_Spriv_r,
+            'LOCAL_EPHEMERAL_PRIVATE_KEY=%s' % self.key_Epriv_r2,
+            'LOCAL_EPHEMERAL_PRIVATE_KEY=%s' % self.key_Epriv_i3,
+            'PRESHARED_KEY=%s' % self.key_psk2, # note: swapped with previous line
+            'PRESHARED_KEY=%s' % self.key_psk3,
+        ], pcap_file='wireguard-psk.pcap')
+        self.assertIn('2\t0', lines)
+        self.assertIn('4\t0', lines)
-- 
cgit v1.2.3