[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wireshark-dev
Subject:    [Wireshark-dev] Question regarding decryption of ikev1 ISAKMP messages
From:       Susanne Goldammer <Susanne.Goldammer () gmx ! de>
Date:       2012-06-28 15:51:05
Message-ID: 4FEC7D69.6050808 () gmx ! de
[Download RAW message or body]

Hi all,

today i was trying to use this feature to decrypt IKEv1 messages
exchanged during Main Mode. Herefor i added the Initiator Cookie and the
Encryption Key to the IKEv1 Decryption Table. Unfortunately this did not
help. I used Wireshark version 1.8.0.

A source code analysis then showed up, that the code is checking whether
the connection is using Authentication-Method: PSK. In my case it does
not use a PSK but RSA-SIG method. So i changed the code

epan/dissectors/packet-isakmp.c:1728

if (!decr ||
    decr->is_psk == FALSE ||          <-- removed this line
    decr->gi_len == 0 ||
    decr->gr_len == 0)
  return NULL;  

and deactivated the line checking for is_psk.
Then it was possible to decode the ISAKMP payload (Encrypted data). So
the code seems to work for non PSK connections, too.

Now i was wondering about the reason for this check. Is it possible to
remove this for future versions to make the IKEv1 decryption work for
non PSK connections?

Thanks a lot for your replies.
Susanne
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe
[prev in list] [next in list] [prev in thread] [next in thread]