ipsec: add encryption types for AES-GCM with 8,12,16 octet ICV
The current "AES-GCM" encryption type in the `esp_sa` uat file does not specify an ICV length, contrary to the `ikev2_decryption_table`. The ICV does not get stripped from the encrypted data before decrypting and dissecting it, so the protocol type of the decrypted frame is looked up at the wrong location. In most cases, an invalid protocol number is found and the dissection stops; in other cases the wrong protocol is dissected, showing garbage.

This commit adds the following new encryption types:

- IPSEC_ENCRYPT_AES_GCM_8: "AES-GCM with 8 octet ICV [RFC4106]"
- IPSEC_ENCRYPT_AES_GCM_12: "AES-GCM with 12 octet ICV [RFC4106]"
- IPSEC_ENCRYPT_AES_GCM_16: "AES-GCM with 16 octet ICV [RFC4106]"

which are currently mapped to IPSEC_ENCRYPT_AES_GCM. In other words, the new entries load without errors but the ICV is ignored. The rationale is to have an unchanged reference implementation for testing which does not bail out on the new uat encryption types.
parent
18f6c8b058
commit
23ef47336c
|
@ -130,8 +130,11 @@ static dissector_table_t ip_dissector_table;
|
|||
/* Encryption algorithm defined in RFC 2144 */
|
||||
#define IPSEC_ENCRYPT_CAST5_CBC 7
|
||||
|
||||
/* Encryption algorithm defined in RFC 4106 */
|
||||
#define IPSEC_ENCRYPT_AES_GCM 8
|
||||
/* Encryption algorithms defined in RFC 4106 */
|
||||
#define IPSEC_ENCRYPT_AES_GCM 8
|
||||
#define IPSEC_ENCRYPT_AES_GCM_8 9
|
||||
#define IPSEC_ENCRYPT_AES_GCM_12 10
|
||||
#define IPSEC_ENCRYPT_AES_GCM_16 11
|
||||
|
||||
/* Authentication algorithms defined in RFC 4305 */
|
||||
#define IPSEC_AUTH_NULL 0
|
||||
|
@ -1794,6 +1797,12 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
|
|||
}
|
||||
break;
|
||||
|
||||
case IPSEC_ENCRYPT_AES_GCM_8 :
|
||||
case IPSEC_ENCRYPT_AES_GCM_12:
|
||||
case IPSEC_ENCRYPT_AES_GCM_16 :
|
||||
esp_crypt_algo = IPSEC_ENCRYPT_AES_GCM;
|
||||
/* falls through */
|
||||
|
||||
case IPSEC_ENCRYPT_AES_CTR :
|
||||
case IPSEC_ENCRYPT_AES_GCM :
|
||||
/* RFC 3686 says :
|
||||
|
@ -2368,7 +2377,10 @@ proto_register_ipsec(void)
|
|||
{ IPSEC_ENCRYPT_CAST5_CBC, "CAST5-CBC [RFC2144]" },
|
||||
{ IPSEC_ENCRYPT_BLOWFISH_CBC, "BLOWFISH-CBC [RFC2451]" },
|
||||
{ IPSEC_ENCRYPT_TWOFISH_CBC, "TWOFISH-CBC" },
|
||||
{ IPSEC_ENCRYPT_AES_GCM, "AES-GCM [RFC4106]" },
|
||||
{ IPSEC_ENCRYPT_AES_GCM, "AES-GCM [RFC4106]" }, /* unspecified ICV length */
|
||||
{ IPSEC_ENCRYPT_AES_GCM_8, "AES-GCM with 8 octet ICV [RFC4106]" },
|
||||
{ IPSEC_ENCRYPT_AES_GCM_12, "AES-GCM with 12 octet ICV [RFC4106]" },
|
||||
{ IPSEC_ENCRYPT_AES_GCM_16, "AES-GCM with 16 octet ICV [RFC4106]" },
|
||||
{ 0x00, NULL }
|
||||
};
|
||||
|
||||
|
|
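Review bot: In the new `IPSEC_ENCRYPT_AES_GCM_8`/`_12`/`_16` case labels of dissect_esp, `esp_crypt_algo = IPSEC_ENCRYPT_AES_GCM;` overwrites the selected variant with no comment, so the code itself gives no sign that the ICV length is deliberately ignored; only the commit message says so. I would add a comment above the assignment such as `/* ICV length not honoured yet: handled as plain AES-GCM, the ICV is not stripped before dissection */`, and consider keeping the chosen ICV length in a separate local instead of discarding it, since the later stripping logic will presumably need it. Until that follow-up lands, a user who selects "AES-GCM with 16 octet ICV" still gets the protocol type looked up at the wrong location, so the new value_string entries in proto_register_ipsec promise more than the dissector delivers. The label spacing is also inconsistent (`IPSEC_ENCRYPT_AES_GCM_12:` versus ` :` on its neighbours). The body of dissect_esp starts and ends outside the hunk, so other uses of esp_crypt_algo could not be checked against the new values.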