diff options
| author | MichaĆ Skalski <mskalski13@gmail.com> | 2016-08-21 22:00:44 +0200 |
|---|---|---|
| committer | Pascal Quantin <pascal.quantin@gmail.com> | 2016-08-23 10:07:38 +0000 |
| commit | c7ca0e88df468989647fc272a798bcd038084d99 (patch) | |
| tree | e2eba352a9cc0a8bfd1f7836d13a0fd31a56737a /test | |
| parent | 8d7aba1060ef1823223e52c06d613fa3fe3828b0 (diff) | |
| download | wireshark-c7ca0e88df468989647fc272a798bcd038084d99.tar.gz | |
dissector ISAKMP IKEv2: fixed bug with libgcrypt-1.6.x and AEAD ciphers
IKEv2:
Fixed bug with AEAD ciphers with 8- and 12-byte length ICVs and
libgcrypt 1.6.x - gcry_cipher_checktag() returned INVALID_LENGTH.
Fixed for merged changeset https://code.wireshark.org/review/17078
Added support for verification of encrypted data with HMAC_MD5_128
[RFC4595] and HMAC_SHA1_160 [RFC4595] integrity algorithms
Added IKEv2 decryption suite for few combinations of encryption and
integrity algorithms: 3DES-CBC/SHA1_160, AES-128-CCM-12, AES-128-CCM-12
(using CTR mode), AES-192-CTR/SHA2-512, AES-256-CBC/SHA2-256,
AES-256-CCM-16, AES-256-GCM-16, AES-256-GCM-8
Change-Id: Ic564b25f1fd41e913c605322b7b8aa030cf90ddf
Reviewed-on: https://code.wireshark.org/review/17213
Petri-Dish: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Diffstat (limited to 'test')
| -rw-r--r-- | test/captures/ikev2-decrypt-3des-sha1_160.pcap | bin | 0 -> 1860 bytes | |||
| -rw-r--r-- | test/captures/ikev2-decrypt-aes128ccm12-2.pcap | bin | 0 -> 1416 bytes | |||
| -rw-r--r-- | test/captures/ikev2-decrypt-aes128ccm12.pcap | bin | 0 -> 1432 bytes | |||
| -rw-r--r-- | test/captures/ikev2-decrypt-aes192ctr.pcap | bin | 0 -> 1512 bytes | |||
| -rw-r--r-- | test/captures/ikev2-decrypt-aes256cbc.pcapng | bin | 0 -> 1792 bytes | |||
| -rw-r--r-- | test/captures/ikev2-decrypt-aes256ccm16.pcapng | bin | 0 -> 1728 bytes | |||
| -rw-r--r-- | test/captures/ikev2-decrypt-aes256gcm16.pcap | bin | 0 -> 1448 bytes | |||
| -rw-r--r-- | test/captures/ikev2-decrypt-aes256gcm8.pcap | bin | 0 -> 1400 bytes | |||
| -rw-r--r-- | test/config/ikev2_decryption_table.tmpl | 10 | ||||
| -rwxr-xr-x | test/suite-decryption.sh | 124 |
10 files changed, 134 insertions, 0 deletions
diff --git a/test/captures/ikev2-decrypt-3des-sha1_160.pcap b/test/captures/ikev2-decrypt-3des-sha1_160.pcap Binary files differnew file mode 100644 index 0000000000..ffdc7b517c --- /dev/null +++ b/test/captures/ikev2-decrypt-3des-sha1_160.pcap diff --git a/test/captures/ikev2-decrypt-aes128ccm12-2.pcap b/test/captures/ikev2-decrypt-aes128ccm12-2.pcap Binary files differnew file mode 100644 index 0000000000..5ffecbee4d --- /dev/null +++ b/test/captures/ikev2-decrypt-aes128ccm12-2.pcap diff --git a/test/captures/ikev2-decrypt-aes128ccm12.pcap b/test/captures/ikev2-decrypt-aes128ccm12.pcap Binary files differnew file mode 100644 index 0000000000..66dabfe699 --- /dev/null +++ b/test/captures/ikev2-decrypt-aes128ccm12.pcap diff --git a/test/captures/ikev2-decrypt-aes192ctr.pcap b/test/captures/ikev2-decrypt-aes192ctr.pcap Binary files differnew file mode 100644 index 0000000000..31f16cb97a --- /dev/null +++ b/test/captures/ikev2-decrypt-aes192ctr.pcap diff --git a/test/captures/ikev2-decrypt-aes256cbc.pcapng b/test/captures/ikev2-decrypt-aes256cbc.pcapng Binary files differnew file mode 100644 index 0000000000..ce3d247c8c --- /dev/null +++ b/test/captures/ikev2-decrypt-aes256cbc.pcapng diff --git a/test/captures/ikev2-decrypt-aes256ccm16.pcapng b/test/captures/ikev2-decrypt-aes256ccm16.pcapng Binary files differnew file mode 100644 index 0000000000..78874618e4 --- /dev/null +++ b/test/captures/ikev2-decrypt-aes256ccm16.pcapng diff --git a/test/captures/ikev2-decrypt-aes256gcm16.pcap b/test/captures/ikev2-decrypt-aes256gcm16.pcap Binary files differnew file mode 100644 index 0000000000..1e77424eab --- /dev/null +++ b/test/captures/ikev2-decrypt-aes256gcm16.pcap diff --git a/test/captures/ikev2-decrypt-aes256gcm8.pcap b/test/captures/ikev2-decrypt-aes256gcm8.pcap Binary files differnew file mode 100644 index 0000000000..a0d74de8ad --- /dev/null +++ b/test/captures/ikev2-decrypt-aes256gcm8.pcap diff --git a/test/config/ikev2_decryption_table.tmpl b/test/config/ikev2_decryption_table.tmpl new file mode 100644 index 0000000000..674564e6d3 --- /dev/null +++ b/test/config/ikev2_decryption_table.tmpl @@ -0,0 +1,10 @@ +# This file is automatically generated, DO NOT MODIFY. +1234567890123456,0987654321098765,,,"NULL [RFC2410]",,,"NONE [RFC4306]" +19ab98963486359f,78f13157ccd3b3d8,2e0e194070fc658c2bfbfdbf8b956be4b2eaa33d02a43cca,219f3080e631774b8d5836d3a675b099b1e271c9bdcf6e15,"3DES [RFC2451]",c96f5bad08aebbff60509c7495f11c183818b916,e742ac415cdfdd709c9de92769a169e0a5224f79,"HMAC_SHA1_160 [RFC4595]" +ea684d21597afd36,d9fe2ab22dac23ac,be83fe15f6a9976941870830fe26c014b863b3,79e0f4476861a76e64329e787b1c4ff38d732f,"AES-CCM-128 with 12 octet ICV [RFC5282]",,,"NONE [RFC4306]" +a2926ae833c6f138,5464c57d0dc5e272,5daf82e6fd7e57d5fbf76cd5af73fd46035db0bc,68848f4a7602b20c7d033cc998b0c097032ac38a,"AES-CTR-128 [RFC5930]",,,"ANY 96-bits of Authentication [No Checking]" +81f24c0acd8fa55c,192383172724c706,aaa06839eaf0959d486eeecda7a48b23080963b5fd7217928e8fbf58,92dc96ec87076caa84e26b3621c7c469427e2e4bcc1b962362a3dde3,"AES-CTR-192 [RFC5930]",65777be31ee2137f31cf23fa0ee834dfede11cc0adc9a84541026642c09df2bf96056a2036e97a67ce7d3c5b6f37e17e8fe64f4ef23e14f5997fb7671df3adaf,42abd4709f1b94fd8c2270c74aae3fbe61c0b9c109c55f3e3b9ed7e480bc75c3985c15234caa623c8ca0606c303921d7cfd44861df1e798370b2ee95fe712e52,"HMAC_SHA2_512_256 [RFC4868]" +191ccd371a7a1f7b,bc123d15e4af593f,9096ddd2933620e8f48122c53a3f562cb0222c1cf97ce41fcc874ea2582a89ac,6718c6b2bbef2f234eac4c13832f885d87b574afd2af0111161e99b5dc61b4d4,"AES-CBC-256 [RFC3602]",12d532c3e83c757906af548dfe1ccf223ca5507af77898454e2d55c8ace57a17,30c4ead18c93024b58a86c1e3db60f550221801026853170b4cb0248d3a95329,"HMAC_SHA2_256_128 [RFC4868]" +cd7ae76304b277e2,74f6080ed799d463,daa0a85a81e6adda7b8c568f1c4cfaa6e9f9edb242e9895f012caaa642eacf4d004903,e02281ba4bb8ed20321faff956b95ce7f841b3039984dad4ed4625e77743fce4a04f32,"AES-CCM-256 with 16 octet ICV [RFC5282]",,,"NONE [RFC4306]" +5d48bfeeb7d574da,bbb73016c0503640,91b817d036d97db3ace64475cd8d1cbeab186295020211a9cf0c16cec10b92b453ecd24e,d04516586721974d970627d85f7d031433b6558c0ec6faecf9217e5445e17e7eeee6bc68,"AES-GCM-256 with 8 octet ICV [RFC5282]",,,"NONE [RFC4306]" +0158b8fb90b7623d,13514610cea16160,647075bf167447a1c8683e8dbe4794b4cfe73799cc6bec34905441159ce13705c8dfb3a9,15c9eae6f94631d63068bf44bb69999abc07b3d15e915fd8f0ed99ad481efd75deb02a5e,"AES-GCM-256 with 16 octet ICV [RFC5282]",,,"NONE [RFC4306]" diff --git a/test/suite-decryption.sh b/test/suite-decryption.sh index 14a15736cf..975fdab8d3 100755 --- a/test/suite-decryption.sh +++ b/test/suite-decryption.sh @@ -45,6 +45,7 @@ UAT_FILES=" ssl_keys c1222_decryption_table ikev1_decryption_table + ikev2_decryption_table " TEST_KEYS_DIR="$TESTS_DIR/keys/" @@ -340,6 +341,118 @@ decryption_step_ikev1_unencrypted() { test_step_ok } +# IKEv2 decryption test (3DES-CBC/SHA1_160) +decryption_step_ikev2_3des_sha160() { + $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \ + -Tfields -e isakmp.auth.data \ + -r "$CAPTURE_DIR/ikev2-decrypt-3des-sha1_160.pcap" \ + | grep "02:f7:a0:d5:f1:fd:c8:ea:81:03:98:18:c6:5b:b9:bd:09:af:9b:89:17:31:9b:88:7f:f9:ba:30:46:c3:44:c7" > /dev/null 2>&1 + RETURNVALUE=$? + if [ ! $RETURNVALUE -eq $EXIT_OK ]; then + test_step_failed "Failed to decrypt encrypted with 3_DES_CBC/SHA1_160 packet of IKEv2 exchange" + return + fi + test_step_ok +} + +# IKEv2 decryption test (AES-128-CCM-12) - with CBC-MAC verification +decryption_step_ikev2_aes128_ccm12() { + $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \ + -Tfields -e isakmp.auth.data \ + -r "$CAPTURE_DIR/ikev2-decrypt-aes128ccm12.pcap" \ + | grep "c2:10:43:94:29:9e:1f:fe:79:08:ea:72:0a:d5:d1:37:17:a0:d4:54:e4:fa:0a:21:28:ea:68:94:11:f4:79:c4" > /dev/null 2>&1 + RETURNVALUE=$? + if [ ! $RETURNVALUE -eq $EXIT_OK ]; then + test_step_failed "Failed to decrypt encrypted with AES_128_CCM_12 packet of IKEv2 exchange" + return + fi + test_step_ok +} + +# IKEv2 decryption test (AES-128-CCM-12 using CTR mode, without checksum) +decryption_step_ikev2_aes128_ccm12_2() { + $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \ + -Tfields -e isakmp.auth.data \ + -r "$CAPTURE_DIR/ikev2-decrypt-aes128ccm12-2.pcap" \ + | grep "aa:a2:81:c8:7b:4a:19:04:6c:57:27:1d:55:74:88:ca:41:3b:57:22:8c:b9:51:f5:fa:96:40:99:2a:02:85:b9" > /dev/null 2>&1 + RETURNVALUE=$? + if [ ! $RETURNVALUE -eq $EXIT_OK ]; then + test_step_failed "Failed to decrypt (using CTR mode) encrypted with AES_128_CCM_12 packet of IKEv2 exchange" + return + fi + test_step_ok +} + +# IKEv2 decryption test (AES-192-CTR/SHA2-512) +decryption_step_ikev2_aes192ctr_sha512() { + $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \ + -Tfields -e isakmp.auth.data \ + -r "$CAPTURE_DIR/ikev2-decrypt-aes192ctr.pcap" \ + | grep "3e:c2:3d:cf:93:48:48:56:38:40:7c:75:45:47:ae:b3:08:52:90:08:2c:49:f5:83:fd:ba:e5:92:63:a2:0b:4a" > /dev/null 2>&1 + RETURNVALUE=$? + if [ ! $RETURNVALUE -eq $EXIT_OK ]; then + test_step_failed "Failed to decrypt encrypted with AES-192-CTR/SHA2_512 packet of IKEv2 exchange" + return + fi + test_step_ok +} + +# IKEv2 decryption test (AES-256-CBC/SHA2-256) +decryption_step_ikev2_aes256cbc_sha256() { + $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \ + -Tfields -e isakmp.auth.data \ + -r "$CAPTURE_DIR/ikev2-decrypt-aes256cbc.pcapng" \ + | grep "e1:a8:d5:50:06:42:01:a7:ec:02:4a:85:75:8d:06:73:c6:1c:5c:51:0a:c1:3b:cd:22:5d:63:27:f5:0d:a3:d3" > /dev/null 2>&1 + RETURNVALUE=$? + if [ ! $RETURNVALUE -eq $EXIT_OK ]; then + test_step_failed "Failed to decrypt encrypted with AES-256-CBC/SHA2-256 packet of IKEv2 exchange" + return + fi + test_step_ok +} + +# IKEv2 decryption test (AES-256-CCM-16) +decryption_step_ikev2_aes256ccm16() { + $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \ + -Tfields -e isakmp.auth.data \ + -r "$CAPTURE_DIR/ikev2-decrypt-aes256ccm16.pcapng" \ + | grep "fa:2e:74:bd:c0:1e:30:fb:0b:3d:dc:97:23:c9:44:90:95:96:9d:a5:1f:69:e5:60:20:9d:2c:2b:79:40:21:0a" > /dev/null 2>&1 + RETURNVALUE=$? + if [ ! $RETURNVALUE -eq $EXIT_OK ]; then + test_step_failed "Failed to decrypt encrypted with AES-256-CCM-16 packet of IKEv2 exchange" + return + fi + test_step_ok +} + +# IKEv2 decryption test (AES-256-GCM-16) +decryption_step_ikev2_aes256gcm16() { + $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \ + -Tfields -e isakmp.auth.data \ + -r "$CAPTURE_DIR/ikev2-decrypt-aes256gcm16.pcap" \ + | grep "9a:b7:1f:14:ab:55:3c:ad:87:3a:1a:a7:0b:99:df:15:5d:ee:77:cd:cf:36:94:b3:b7:52:7a:cb:b9:71:2d:ed" > /dev/null 2>&1 + RETURNVALUE=$? + if [ ! $RETURNVALUE -eq $EXIT_OK ]; then + test_step_failed "Failed to decrypt encrypted with AES-256-GCM-16 packet of IKEv2 exchange" + return + fi + test_step_ok +} + +# IKEv2 decryption test (AES-256-GCM-8) +decryption_step_ikev2_aes256gcm8() { + $TESTS_DIR/run_and_catch_crashes env $TS_DC_ENV $TSHARK $TS_DC_ARGS \ + -Tfields -e isakmp.auth.data \ + -r "$CAPTURE_DIR/ikev2-decrypt-aes256gcm8.pcap" \ + | grep "4a:66:d8:22:d0:af:bc:22:ad:9a:92:a2:cf:42:87:c9:20:ad:8a:c3:b0:69:a4:a7:e7:5f:e0:a5:d4:99:f9:14" > /dev/null 2>&1 + RETURNVALUE=$? + if [ ! $RETURNVALUE -eq $EXIT_OK ]; then + test_step_failed "Failed to decrypt encrypted with AES-256-GCM-8 packet of IKEv2 exchange" + return + fi + test_step_ok +} + # HTTP2 (HPACK) decryption_step_http2() { env $TS_DC_ENV $TSHARK $TS_DC_ARGS \ @@ -382,9 +495,20 @@ tshark_decryption_suite() { test_step_add "ZigBee Decryption" decryption_step_zigbee test_step_add "ANSI C12.22 Decryption" decryption_step_c1222 test_step_add "DVB-CI Decryption" decryption_step_dvb_ci + test_step_add "IKEv1 Decryption (certificates)" decryption_step_ikev1_certs test_step_add "IKEv1 Decryption (simultaneous exchanges)" decryption_step_ikev1_simultaneous test_step_add "IKEv1 Decryption (unencrypted phase 1)" decryption_step_ikev1_unencrypted + + test_step_add "IKEv2 Decryption (3DES-CBC/SHA1_160)" decryption_step_ikev2_3des_sha160 + test_step_add "IKEv2 Decryption (AES-128-CCM-12)" decryption_step_ikev2_aes128_ccm12 + test_step_add "IKEv2 Decryption (AES-128-CCM-12 using CTR mode)" decryption_step_ikev2_aes128_ccm12_2 + test_step_add "IKEv2 Decryption (AES-192-CTR/SHA2-512)" decryption_step_ikev2_aes192ctr_sha512 + test_step_add "IKEv2 Decryption (AES-256-CBC/SHA2-256)" decryption_step_ikev2_aes256cbc_sha256 + test_step_add "IKEv2 Decryption (AES-256-CCM-16)" decryption_step_ikev2_aes256ccm16 + test_step_add "IKEv2 Decryption (AES-256-GCM-16)" decryption_step_ikev2_aes256gcm16 + test_step_add "IKEv2 Decryption (AES-256-GCM-8)" decryption_step_ikev2_aes256gcm8 + test_step_add "HTTP2 (HPACK)" decryption_step_http2 } |