From Alex Badea via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8395
Support AES-GCM ipsec encryption using CTR (since libgcrypt doesn't support GCM). Using CTR instead gets us decryption, but does not verify authentication. svn path=/trunk/; revision=47886
This commit is contained in:
parent
2c7844cc69
commit
bdca315497
|
@ -130,6 +130,9 @@ static dissector_table_t ip_dissector_table;
|
||||||
/* Encryption algorithm defined in RFC 2144 */
|
/* Encryption algorithm defined in RFC 2144 */
|
||||||
#define IPSEC_ENCRYPT_CAST5_CBC 7
|
#define IPSEC_ENCRYPT_CAST5_CBC 7
|
||||||
|
|
||||||
|
/* Encryption algorithm defined in RFC 4106 */
|
||||||
|
#define IPSEC_ENCRYPT_AES_GCM 8
|
||||||
|
|
||||||
/* Authentication algorithms defined in RFC 4305 */
|
/* Authentication algorithms defined in RFC 4305 */
|
||||||
#define IPSEC_AUTH_NULL 0
|
#define IPSEC_AUTH_NULL 0
|
||||||
#define IPSEC_AUTH_HMAC_SHA1_96 1
|
#define IPSEC_AUTH_HMAC_SHA1_96 1
|
||||||
|
@ -1524,6 +1527,7 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case IPSEC_ENCRYPT_AES_CTR :
|
case IPSEC_ENCRYPT_AES_CTR :
|
||||||
|
case IPSEC_ENCRYPT_AES_GCM :
|
||||||
/* RFC 3686 says :
|
/* RFC 3686 says :
|
||||||
AES supports three key sizes: 128 bits, 192 bits,
|
AES supports three key sizes: 128 bits, 192 bits,
|
||||||
and 256 bits. The default key size is 128 bits,
|
and 256 bits. The default key size is 128 bits,
|
||||||
|
@ -1565,7 +1569,7 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
fprintf (stderr, "<ESP Preferences> Error in Encryption Algorithm AES-CTR : Bad Keylen (%i Bits)\n",
|
fprintf (stderr, "<ESP Preferences> Error in Encryption Algorithm AES-CTR / AES-GCM : Bad Keylen (%i Bits)\n",
|
||||||
esp_crypt_key_len * 8);
|
esp_crypt_key_len * 8);
|
||||||
decrypt_ok = FALSE;
|
decrypt_ok = FALSE;
|
||||||
}
|
}
|
||||||
|
@ -1715,6 +1719,8 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||||
memcpy(ctr_block, esp_crypt_key + esp_crypt_key_len - 4, 4);
|
memcpy(ctr_block, esp_crypt_key + esp_crypt_key_len - 4, 4);
|
||||||
memcpy(ctr_block + 4, encrypted_data, 8);
|
memcpy(ctr_block + 4, encrypted_data, 8);
|
||||||
ctr_block[15] = 1;
|
ctr_block[15] = 1;
|
||||||
|
if (esp_crypt_algo == IPSEC_ENCRYPT_AES_GCM)
|
||||||
|
ctr_block[15]++;
|
||||||
err = gcry_cipher_setctr (cypher_hd, ctr_block, 16);
|
err = gcry_cipher_setctr (cypher_hd, ctr_block, 16);
|
||||||
if (!err)
|
if (!err)
|
||||||
{
|
{
|
||||||
|
@ -2080,6 +2086,7 @@ proto_register_ipsec(void)
|
||||||
{ IPSEC_ENCRYPT_CAST5_CBC, "CAST5-CBC [RFC2144]" },
|
{ IPSEC_ENCRYPT_CAST5_CBC, "CAST5-CBC [RFC2144]" },
|
||||||
{ IPSEC_ENCRYPT_BLOWFISH_CBC, "BLOWFISH-CBC [RFC2451]" },
|
{ IPSEC_ENCRYPT_BLOWFISH_CBC, "BLOWFISH-CBC [RFC2451]" },
|
||||||
{ IPSEC_ENCRYPT_TWOFISH_CBC, "TWOFISH-CBC" },
|
{ IPSEC_ENCRYPT_TWOFISH_CBC, "TWOFISH-CBC" },
|
||||||
|
{ IPSEC_ENCRYPT_AES_GCM, "AES-GCM [RFC4106]" },
|
||||||
{ 0x00, NULL }
|
{ 0x00, NULL }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue