Wireshark-bugs: [Wireshark-bugs] [Bug 12620] New: IKEv1 decryption fails after unencrypted phase

Date: Thu, 14 Jul 2016 15:30:14 +0000
Bug ID: 12620
Summary: IKEv1 decryption fails after unencrypted phase 1 of Aggressive Mode
Product: Wireshark
Version: Git
Hardware: x86-64
OS: Debian
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: [email protected]
Reporter: [email protected]

Created attachment 14730
IKEv1 traffic captured between Android 6.0.1 (CM13) and Strongswan 5.4.0

Build Information:
Version 2.1.1-git (v2.1.1rc0-501-g6223327 from master)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 3.14.5, with Cairo 1.14.0, with Pango 1.36.8, with
libpcap, with POSIX capabilities (Linux), without libnl, with GLib 2.42.1, with
zlib 1.2.8, without SMI, with c-ares 1.10.0, without Lua, with GnuTLS 3.3.8,
with Gcrypt 1.6.3, with MIT Kerberos, without GeoIP, with PortAudio V19-devel
(built Feb 15 2014 23:28:00), without AirPcap.

Running on Linux 4.5.0-0.bpo.2-amd64, with locale de_DE.utf8, with libpcap
version 1.6.2, with GnuTLS 3.3.8, with Gcrypt 1.6.3, with zlib 1.2.8.
Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz (with SSE4.2)

Built using gcc 4.9.2.

--
Wireshark fails to decrypt the first message of each encrypted exchange,
reporting it as a Malformed Packet.

This seems to be caused by wrong CBC initialization vectors.
The error is triggered by a phase 1 where all messages are unencrypted,
which is allowed according to RFC 2409.

In the error situation, Wireshark generates IVs as follows:

During phase 1, decrypt_payload() is never called, since no message
has the Encryption flag set.

For the first post-phase1 exchange with encrypted messages (Informational, 
frame #4):
  iv2 = hash(g^xi | g^xr)  /* wrong */
  iv2 = last_cbc(ciphertext)
  ...

When Wireshark handles the second post-phase1 exchange (Config Mode, frame #5),
the last CBC block of frame #4 is wrongly stored as if it was the latest IV of 
phase 1 and then used for generating further IVs:
  iv1 = iv2
  iv[n] = hash(iv1, message_id[n])

However, in the absence of encryption in phase 1, the IVs for
all post-phase1 exchanges should be generated as follows:
  iv1 = hash(g^xi | g^xr)
  /* no ciphertext blocks to update iv1, it keeps this value */
  iv[n] = hash(iv1 | message_id[n])

