Wireshark-bugs: [Wireshark-bugs] [Bug 12610] New: IKEv1 decryption fails with simultaneous post-

Date: Tue, 12 Jul 2016 11:38:12 +0000
Bug ID 12610
Summary IKEv1 decryption fails with simultaneous post-phase1 exchanges
Product Wireshark
Version Git
Hardware x86-64
OS Debian
Status UNCONFIRMED
Severity Normal
Priority Low
Component Dissection engine (libwireshark)
Assignee [email protected]
Reporter [email protected]

Created attachment 14714 [details]
IKEv1 capture, decryption fails

Build Information:
Version 2.1.1-git (v2.1.1rc0-414-g5cc5ba6 from master)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 4.8.6, with libpcap, with POSIX capabilities (Linux),
without libnl, with GLib 2.42.1, with zlib 1.2.8, without SMI, with c-ares
1.10.0, without Lua, with GnuTLS 3.3.8, with Gcrypt 1.6.3, without Kerberos,
without GeoIP, without QtMultimedia, without AirPcap.

Running on Linux 4.5.0-0.bpo.2-amd64, with locale de_DE.utf8, with libpcap
version 1.6.2, with GnuTLS 3.3.8, with Gcrypt 1.6.3, with zlib 1.2.8.
Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz (with SSE4.2)

Built using gcc 4.9.2.

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
The attached file android-ikev1.pcapng contains IKEv1 traffic captured
between Android 6 and Strongswan 5.3.3, the decryption keys are also provided.

Wireshark fails to decrypt frame #11 ("Malformed Packet"),
but the error disappears if frames #9 and #10 are swapped,
see the attachment android-ikev1-serialized.pcapng.

Through some experiments, I found that frame #11 has a wrong
CBC initialization vector caused by insufficient message ID tracking.

When Wireshark sees a frame with a message ID different from the previous,
it assumes the start of a new exchange, and generates a new IV.

In my capture file, an Informational exchange is sent during an
ongoing Config Mode exchange. I believe the standard does allow simultaneous
exchanges, as RFC 2409 says:
> Each post- phase 1 exchange (Quick Modes and Informational Exchanges)
> generates IVs independantly to prevent IVs from getting out of sync when
> two different exchanges are started simultaneously.

This causes Wireshark to create a new IV for frame #11 since
its message ID is different from #10.

However, the IV for #11 should be derived from #9, since they
share the same message ID and follow each other within an exchange.

To this end, Wireshark should keep track of the current IV for each
message ID, not only of two (phase 1, post- phase 1) as it is now.


You are receiving this mail because:
  • You are watching all bug changes.