Bug ID: 12620
Summary: IKEv1 decryption fails after unencrypted phase 1 of Aggressive Mode
Product: Wireshark
Version: Git
Hardware: x86-64
OS: Debian
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]
Created attachment 14730
IKEv1 traffic captured between Android 6.0.1 (CM13) and Strongswan 5.4.0
Build Information:
Version 2.1.1-git (v2.1.1rc0-501-g6223327 from master)
Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GTK+ 3.14.5, with Cairo 1.14.0, with Pango 1.36.8, with
libpcap, with POSIX capabilities (Linux), without libnl, with GLib 2.42.1, with
zlib 1.2.8, without SMI, with c-ares 1.10.0, without Lua, with GnuTLS 3.3.8,
with Gcrypt 1.6.3, with MIT Kerberos, without GeoIP, with PortAudio V19-devel
(built Feb 15 2014 23:28:00), without AirPcap.
Running on Linux 4.5.0-0.bpo.2-amd64, with locale de_DE.utf8, with libpcap
version 1.6.2, with GnuTLS 3.3.8, with Gcrypt 1.6.3, with zlib 1.2.8.
Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz (with SSE4.2)
Built using gcc 4.9.2.
--
Wireshark fails to decrypt the first message of each encrypted exchange,
reporting it as a Malformed Packet.
This seems to be caused by wrong CBC initialization vectors.
The error is triggered by a phase 1 where all messages are unencrypted,
which is allowed according to RFC 2409.
In the error situation, Wireshark generates IVs as follows:
During phase 1, decrypt_payload() is never called, since no message
has the Encryption flag set.
For the first post-phase1 exchange with encrypted messages (Informational,
frame #4):
iv2 = hash(g^xi | g^xr) /* wrong */
iv2 = last_cbc(ciphertext)
...
When Wireshark handles the second post-phase1 exchange (Config Mode, frame #5),
the last CBC block of frame #4 is wrongly stored as if it were the latest IV of
phase 1 and then used for generating further IVs:
iv1 = iv2
iv[n] = hash(iv1 | message_id[n])
However, in the absence of encryption in phase 1, the IVs for
all post-phase1 exchanges should be generated as follows:
iv1 = hash(g^xi | g^xr)
/* no ciphertext blocks to update iv1, it keeps this value */
iv[n] = hash(iv1 | message_id[n])
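The two IV derivations above, side by side, as an added example that is not part of this report or of Wireshark's dissector code: a small model of the per-SA IV state, once following RFC 2409 and once following the misbehaviour described in the report, fed an aggressive-mode phase 1 with no encrypted message. SHA-1 as the negotiated hash, AES (16-byte blocks), the DH values and the message IDs are all constructed assumptions.

```python
import hashlib

# Constructed sample values; none of them come from the capture attached to this report.
BLOCK_LEN = 16                      # AES-CBC block size
G_XI = bytes(range(32))             # stand-in for the initiator's DH public value g^xi
G_XR = bytes(range(32, 64))         # stand-in for the responder's DH public value g^xr
MSG_ID_INFO = b"\x00\x00\x00\x04"   # constructed message ID of the Informational exchange
MSG_ID_CFG = b"\x00\x00\x00\x05"    # constructed message ID of the Config Mode exchange

def prf(*parts):
    """Negotiated hash used for IV derivation; SHA-1 is assumed for this example."""
    return hashlib.sha1(b"".join(parts)).digest()

class IkeV1IvState:
    """Model of the per-SA IV state a dissector keeps (not Wireshark's own code):
    iv1 starts as hash(g^xi | g^xr) and is replaced by the last CBC block of each
    encrypted phase 1 message; a later exchange starts from hash(iv1 | message_id)
    and each decrypted message leaves its own last CBC block as the next IV."""

    def __init__(self, gxi, gxr, buggy=False):
        self.iv1 = prf(gxi, gxr)[:BLOCK_LEN]
        self.exchange_ivs = {}
        self.buggy = buggy
        self.seen_encrypted = False

    def phase1_message(self, ciphertext=None):
        """Feed one phase 1 message; ciphertext is None when it is unencrypted."""
        if ciphertext is not None:
            self.seen_encrypted = True
            self.iv1 = ciphertext[-BLOCK_LEN:]

    def post_phase1_iv(self, message_id, ciphertext):
        """Return the IV for a post-phase 1 message and roll the state forward."""
        if self.buggy and not self.seen_encrypted:
            # Report's misbehaviour: no encrypted phase 1 message was seen, so this first
            # encrypted message is handled like phase 1 (IV without message ID, last block -> iv1).
            iv, self.iv1 = self.iv1, ciphertext[-BLOCK_LEN:]
            self.seen_encrypted = True
            return iv
        if message_id not in self.exchange_ivs:
            self.exchange_ivs[message_id] = prf(self.iv1, message_id)[:BLOCK_LEN]
        iv = self.exchange_ivs[message_id]
        self.exchange_ivs[message_id] = ciphertext[-BLOCK_LEN:]
        return iv

def first_ivs(frame4, frame5):
    good, bad = IkeV1IvState(G_XI, G_XR), IkeV1IvState(G_XI, G_XR, buggy=True)
    good.phase1_message(); bad.phase1_message()   # aggressive mode: nothing encrypted
    return (good.post_phase1_iv(MSG_ID_INFO, frame4), bad.post_phase1_iv(MSG_ID_INFO, frame4),
            good.post_phase1_iv(MSG_ID_CFG, frame5), bad.post_phase1_iv(MSG_ID_CFG, frame5))
```

`first_ivs` returns the correct and the buggy IV for frame #4 and for frame #5; with an encrypted phase 1 message fed through `phase1_message` both models agree, which is why the defect only shows up after an all-unencrypted phase 1.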