Feature #1557

An option to save IKE_SA and CHILD_SA keys for wireshark

Added by Codrut Grosu over 3 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
-
Start date:
06.07.2016
Due date:
14.09.2016
Estimated time:
Resolution:
Fixed

Description

Hi all,

This summer I'm working at Ixia (https://www.ixiacom.com/) as an intern.

My summer project is to create a new plug-in for strongSwan that saves all the keys and information that are needed by Wireshark in order to decrypt ESP packets and ISAKMP packets.

This feature is intended for debugging and development. It will be optional and disabled by default.

For implementing this new feature, when the IKE_SA and CHILD_SA are created I want to save all the necessary information that is needed by Wireshark.

When you run the test suites with this feature, besides the usual results you'll have the encryption keys and a sample with the packets captured using tcpdump.

Suggestions and advice on the architecture or specific implementation requirements are welcome.

We want this feature to be useful for as many strongswan users as possible.

Cheers,
Codrut.

History

#1 Updated by Tobias Brunner over 3 years ago

  • Status changed from New to Feedback

My summer project is to create a new plug-in for strongSwan that saves all the keys and information that are needed by Wireshark in order to decrypt ESP packets and ISAKMP packets.

These keys can already be logged by setting the log level for the ike and chd subsystems to 4. And IKE message details can also be printed when increasing the log level for the enc subsystem and the ESP keys can be retrieved via XFRM (e.g. ip xfrm state). And using NULL encryption is also an option (for ESP, and even for IKE via openssl plugin). This is documented at CorrectTrafficDump.

When you run the test suites with this feature, besides the usual results you'll have the encryption keys and a sample with the packets captured using tcpdump.

What would be the benefit of that exactly in these scenarios?

Suggestions and advice on the architecture or specific implementation requirements are welcome.

Read DeveloperDocumentation, in particular Contributions. And then have a look at the ike_keys and child_keys hooks in the listener_t interface (source:src/libcharon/bus/listeners/listener.h#L81) if you intend to write a plugin. You won't get the derived keys via these hooks, though. Writing a logger (implementing vlog) registered on level 4 might also be an option, then skip all messages except those that log the keys which could be intercepted and written/stored somewhere (they are passed as chunk_t* in the va_list).
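The ESP route mentioned above (reading the kernel SAs with ip xfrm state) still leaves the keys in a format Wireshark does not accept directly. The script below is an added example, not code from this issue or from strongSwan: it parses constructed output modelled on ip xfrm state and emits lines in the layout of Wireshark's ESP SA table (the esp_sa preferences file: address family, src, dst, SPI, encryption algorithm, key, integrity algorithm, key). The algorithm display names are the ones Wireshark's ESP dissector uses as far as I know them; newer Wireshark releases name the GCM entries by ICV length, so check the names against the version in use. The sample addresses, SPIs and keys are constructed.

```python
"""Convert `ip xfrm state` output into lines for Wireshark's ESP SA table.

Added example; the sample below is constructed to look like `ip xfrm state`
output for one tunnel (one AES-CBC/HMAC SA and one AES-GCM SA).
"""
import re

SAMPLE_XFRM_STATE = """\
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0xc0a8b1f2 reqid 1 mode tunnel
\treplay-window 0 flag af-unspec
\tauth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 128
\tenc cbc(aes) 0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
src 10.0.0.2 dst 10.0.0.1
\tproto esp spi 0xc9d1e2f3 reqid 1 mode tunnel
\treplay-window 0 flag af-unspec
\taead rfc4106(gcm(aes)) 0x0123456789abcdef0123456789abcdef01020304 128
"""

# Kernel algorithm names -> Wireshark ESP preference names (assumed for the
# Wireshark version at hand; unknown names raise instead of being guessed).
ENC_ALGOS = {
    "cbc(aes)": "AES-CBC [RFC3602]",
    "cbc(des3_ede)": "TripleDES-CBC [RFC2451]",
    "ecb(cipher_null)": "NULL",
}
# AEAD keys from xfrm already carry the 4-byte salt appended, which is the
# form Wireshark expects for AES-GCM.
AEAD_ALGOS = {("rfc4106(gcm(aes))", 128): "AES-GCM [RFC4106]"}
AUTH_ALGOS = {
    ("hmac(md5)", 96): "HMAC-MD5-96 [RFC2403]",
    ("hmac(sha1)", 96): "HMAC-SHA-1-96 [RFC2404]",
    ("hmac(sha256)", 128): "HMAC-SHA-256-128 [RFC4868]",
}


def _lookup(table, key, kind):
    try:
        return table[key]
    except KeyError:
        raise ValueError("no Wireshark name known for %s algorithm %r" % (kind, key))


def parse_xfrm_state(text):
    """Return one dict per ESP SA found in `ip xfrm state` style text."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:  # a new SA record starts with its src/dst line
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"proto (\S+) spi (0x[0-9a-fA-F]+)", line)
        if m:
            cur["proto"], cur["spi"] = m.group(1), m.group(2)
            continue
        m = re.match(r"enc (\S+) (0x[0-9a-fA-F]+)$", line)
        if m:
            cur["enc"] = (m.group(1), m.group(2))
            continue
        m = re.match(r"aead (\S+) (0x[0-9a-fA-F]+) (\d+)$", line)
        if m:
            cur["aead"] = (m.group(1), m.group(2), int(m.group(3)))
            continue
        m = re.match(r"auth-trunc (\S+) (0x[0-9a-fA-F]+) (\d+)$", line)
        if m:
            cur["auth"] = (m.group(1), m.group(2), int(m.group(3)))
    return [sa for sa in sas if sa.get("proto") == "esp"]


def to_esp_sa_line(sa):
    """Format one parsed SA as a quoted, comma-separated esp_sa table row."""
    family = "IPv6" if ":" in sa["src"] else "IPv4"
    if "aead" in sa:
        name, key, icv_bits = sa["aead"]
        enc_name, enc_key = _lookup(AEAD_ALGOS, (name, icv_bits), "AEAD"), key
        auth_name, auth_key = "NULL", ""  # integrity is part of the AEAD
    else:
        name, enc_key = sa["enc"]
        enc_name = _lookup(ENC_ALGOS, name, "encryption")
        if "auth" in sa:
            aname, auth_key, trunc = sa["auth"]
            auth_name = _lookup(AUTH_ALGOS, (aname, trunc), "integrity")
        else:
            auth_name, auth_key = "NULL", ""
    fields = (family, sa["src"], sa["dst"], sa["spi"], enc_name, enc_key, auth_name, auth_key)
    return ",".join('"%s"' % f for f in fields)


def xfrm_to_esp_sa(text):
    """Convert a whole `ip xfrm state` dump into esp_sa table lines."""
    return [to_esp_sa_line(sa) for sa in parse_xfrm_state(text)]


if __name__ == "__main__":
    for line in xfrm_to_esp_sa(SAMPLE_XFRM_STATE):
        print(line)
```

On a real host the input would come from `ip xfrm state` run as root; the resulting file contains live session keys, so it belongs with the capture it decrypts and nowhere else.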

#2 Updated by Tobias Brunner over 1 year ago

  • Status changed from Feedback to Closed
  • Assignee changed from Codrut Grosu to Tobias Brunner
  • Resolution set to Fixed

Since 5.6.2 the save-keys plugin is shipped, it's disabled by default and saving the keys has to be enabled for IKE and ESP separately too. When saving keys is enabled, a message is logged to the daemon log (level 0) when the plugin is loaded.
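To make the "enabled separately for IKE and ESP" point concrete, the strongswan.conf fragment below is an added example, not taken from this issue or from the plugin's documentation. The option names (charon.plugins.save-keys.esp, .ike and .path) are as I understand them from the strongswan.conf reference; the directory path is a placeholder.

```conf
# Added example: strongswan.conf fragment for the save-keys plugin.
# With both esp and ike left at their default of "no" the plugin loads but
# writes nothing; each has to be switched on explicitly.
charon {
    plugins {
        save-keys {
            # write ESP SA keys (esp_sa table) for Wireshark
            esp = yes
            # write IKE_SA keys (ikev2_decryption_table) for Wireshark
            ike = yes
            # placeholder directory; must exist and be private to the charon user
            path = /var/lib/strongswan/keys-debug
        }
    }
}
```

Reverting esp and ike to no (or removing the block) returns the daemon to the shipped default, and the level 0 log line mentioned above is the quick way to confirm from the log whether key saving is active on a given host.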