Wireshark-dev: Re: [Wireshark-dev] Are AEAD cyphers accepted for IKEv2 decryption table?

From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Sat, 6 Aug 2016 11:51:27 +0200
Hi Codrut,

On Tue, Aug 02, 2016 at 07:51:47AM +0000, Codrut Grosu wrote:
> Hi,
> 
> I'm working on a strongSwan plugin that will generate an IKEv2
> decryption table for wireshark.
> 
> In IKEv2 decryption table(wireshark) at encryption algorithm field
> there are only the following algorithms: "3DES[RFC2451]",
> "AES-CBC-128[RFC3602]", "AES-CBC-192[RFC3602]", "AES-CBC-256[RFC3602]"
> and "NULL[RFC2410]".
> 
> But strongSwan accepts AEAD cyphers like: AES_CCM_ICV8, AES_CCM_ICV12,
> AES_CCM_ICV16, AES_GCM_ICV8, AES_GCM_ICV12, AES_GCM_ICV16,
> NULL_AUTH_AES_GMAC, CAMELLIA_CCM_ICV8, CAMELLIA_CCM_ICV12,
> CAMELLIA_CCM_ICV16 and CHACHA20_POLY1305.
> 
> So, wireshark can decrypt packets that are encrypted with AEAD cyphers?

The available ciphers are listed in epan/dissectors/packet-isakmp.c,
around line 1632 (ikev2_encr_algs). Supported ciphers are the ones you
mentioned, but it should be relatively easy to add support for the other
ciphers since gcrypt supports it (there are also some examples for this
in the SSL dissector). If you start adding support for this, please try
to make a packet capture available containing the various ciphers.

The libgcrypt docs are at
https://gnupg.org/documentation/manuals/gcrypt/Working-with-cipher-handles.html

If you want to start working on it, note that there is some related work
in this dissector (if it shows empty, then it is already closed):
https://code.wireshark.org/review/#/q/status:open+file:epan/dissectors/packet-isakmp.c
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
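
Added example (not code from Wireshark, strongSwan, or this thread): the framing a dissector has to handle for AEAD transforms, where the nonce is a salt taken from the key material joined to the 8-byte IV in the Encrypted payload and the ICV length depends on the transform. The struct and function names are hypothetical; the parameters follow RFC 5282 and RFC 7634, and only the AES-CCM, AES-GCM and ChaCha20-Poly1305 transforms are covered.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Framing parameters per IKEv2 encryption transform ID (RFC 5282, RFC 7634). */
struct aead_params { uint16_t id; size_t salt_len, iv_len, icv_len; };
static const struct aead_params aead_table[] = {
    {14, 3, 8, 8}, {15, 3, 8, 12}, {16, 3, 8, 16},   /* AES_CCM_ICV8/12/16 */
    {18, 4, 8, 8}, {19, 4, 8, 12}, {20, 4, 8, 16},   /* AES_GCM_ICV8/12/16 */
    {28, 4, 8, 16},                                  /* CHACHA20_POLY1305 */
};

struct aead_view {                          /* pointers into the captured message */
    uint8_t nonce[12]; size_t nonce_len;    /* salt || explicit IV */
    const uint8_t *aad; size_t aad_len;     /* IKE header .. Encrypted payload header */
    const uint8_t *ct;  size_t ct_len;      /* encrypted payloads, padding, pad length */
    const uint8_t *icv; size_t icv_len;     /* authentication tag */
};

const struct aead_params *aead_lookup(uint16_t id)
{
    for (size_t i = 0; i < sizeof aead_table / sizeof aead_table[0]; i++)
        if (aead_table[i].id == id) return &aead_table[i];
    return NULL;                            /* not an AEAD transform known here */
}

/* enc_off: offset of the Encrypted payload's 4-byte generic header in msg.
 * Returns 0 on success, -1 if the lengths do not fit the message. */
int ikev2_aead_split(const struct aead_params *p, const uint8_t *salt,
    const uint8_t *msg, size_t msg_len, size_t enc_off, struct aead_view *out)
{
    if (!p || !salt || !msg || !out || enc_off > msg_len || msg_len - enc_off < 4)
        return -1;
    size_t pl_len = ((size_t)msg[enc_off + 2] << 8) | msg[enc_off + 3];
    /* The length field includes the header; it must fit in the capture and
     * leave room for the IV, at least the Pad Length octet, and the ICV. */
    if (pl_len > msg_len - enc_off || pl_len < 4 + p->iv_len + 1 + p->icv_len)
        return -1;
    memcpy(out->nonce, salt, p->salt_len);
    memcpy(out->nonce + p->salt_len, msg + enc_off + 4, p->iv_len);
    out->nonce_len = p->salt_len + p->iv_len;
    out->aad = msg; out->aad_len = enc_off + 4;
    out->ct = msg + enc_off + 4 + p->iv_len;
    out->ct_len = pl_len - 4 - p->iv_len - p->icv_len;
    out->icv = out->ct + out->ct_len; out->icv_len = p->icv_len;
    return 0;
}
```

With libgcrypt, the four resulting fields correspond to the inputs of `gcry_cipher_setiv`, `gcry_cipher_authenticate`, `gcry_cipher_decrypt` and `gcry_cipher_checktag` respectively.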