Wireshark and TShark throw packet-wireguard-WARNING when running on systems with FIPS enabled
Summary
Wireshark uses the GCRY_MD_BLAKE2S_128, GCRY_MD_BLAKE2S_256 and GCRY_CIPHER_CHACHA20 algorithms for decryption, but these algorithms are not FIPS certified. https://lore.kernel.org/all/YG4gO15Q2CzTwlO7@quark.localdomain/T/
Therefore, we should avoid defining WG_DECRYPTION_SUPPORTED in "epan/dissectors/packet-wireguard.c" if FIPS is enabled.
tshark warning: packet-wireguard-WARNING **: 13:08:15.105: proto_register_wg: decryption will not be possible due to lack of algorithms support
Steps to reproduce
- Install Wireshark version 3.4.9 on Oracle Linux 7.9 running a RHEL 7.9 kernel with FIPS enabled
- Run the "./tshark -v" command
System requirement:
- Oracle Linux 7.9 running a RHEL 7.9 kernel
What is the current bug behavior?
• tshark throws packet-wireguard-WARNING before showing the actual output of the command.
Example:
./tshark -v
(process:321): packet-wireguard-WARNING **: 16:10:40.872: proto_register_wg: decryption will not be possible due to lack of algorithms support
TShark (Wireshark) 3.4.9 (Git commit 365e236f)
Copyright 1998-2021 Gerald Combs gerald@wireshark.org and contributors.
License GPLv2+: GNU GPL version 2 or later https://www.gnu.org/licenses/gpl-2.0.html
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, without POSIX capabilities, without libnl, with GLib 2.66.8, with zlib 1.2.11, without SMI, with c-ares 1.17.2, with Lua 5.1.5, with GnuTLS 3.6.15 and PKCS #11 (closed) support, with Gcrypt 1.8.8, without Kerberos, without MaxMind DB resolver, with nghttp2 1.43.0, without brotli, without LZ4, without Zstandard, without Snappy, without libxml2.
Running on Linux 3.10.0-1160.59.1.el7.x86_64, with Intel(R) Xeon(R) Gold 6230 CPU @ 2.10GHz (with SSE4.2), with 128419 MB of physical memory, with locale en_US.UTF-8, with libpcap version 1.10.1 (with TPACKET_V3), with GnuTLS 3.6.16, with Gcrypt 1.8.8, with zlib 1.2.11, binary plugins supported (0 loaded).
Built using gcc 10.3.1 20210422 (Red Hat 10.3.1-1).
What is the expected correct behavior?
• tshark should show the actual output of the command without emitting packet-wireguard-WARNING
Build information
./tshark -v
(process:321): packet-wireguard-WARNING **: 16:10:40.872: proto_register_wg: decryption will not be possible due to lack of algorithms support
TShark (Wireshark) 3.4.9 (Git commit 365e236f)
Copyright 1998-2021 Gerald Combs gerald@wireshark.org and contributors.
License GPLv2+: GNU GPL version 2 or later https://www.gnu.org/licenses/gpl-2.0.html
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, without POSIX capabilities, without libnl, with GLib 2.66.8, with zlib 1.2.11, without SMI, with c-ares 1.17.2, with Lua 5.1.5, with GnuTLS 3.6.15 and PKCS #11 (closed) support, with Gcrypt 1.8.8, without Kerberos, without MaxMind DB resolver, with nghttp2 1.43.0, without brotli, without LZ4, without Zstandard, without Snappy, without libxml2.
Running on Linux 3.10.0-1160.59.1.el7.x86_64, with Intel(R) Xeon(R) Gold 6230 CPU @ 2.10GHz (with SSE4.2), with 128419 MB of physical memory, with locale en_US.UTF-8, with libpcap version 1.10.1 (with TPACKET_V3), with GnuTLS 3.6.16, with Gcrypt 1.8.8, with zlib 1.2.11, binary plugins supported (0 loaded).
Built using gcc 10.3.1 20210422 (Red Hat 10.3.1-1).
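
A triage sketch for the situation reported above, added here and not part of the original report or of Wireshark: it checks the kernel FIPS flag against captured "tshark -v" output and can strip the warning line before other tooling parses that output. The function names and verdict strings are assumptions made up for this example, and the sample data in demo is constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example (not Wireshark code): triage the packet-wireguard warning.
# Function names and verdict strings are made up for this sketch.
WG_WARNING='packet-wireguard-WARNING .*proto_register_wg: decryption will not be possible'

# Succeed if the kernel FIPS flag file (default: the /proc path) contains 1.
fips_enabled() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$flag_file" ] && [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Succeed if the captured tshark output in file $1 contains the warning.
has_wg_warning() { grep -Eq "$WG_WARNING" "$1"; }

# Print the captured output in file $1 with the warning line(s) removed.
strip_wg_warning() { sed -E "/$WG_WARNING/d" "$1"; }

# classify FLAG_FILE OUTPUT_FILE: print one verdict word.
classify() {
    if ! has_wg_warning "$2"; then
        echo "no-warning"
    elif fips_enabled "$1"; then
        echo "wg-decryption-off-fips"     # warning coincides with FIPS mode
    else
        echo "wg-decryption-off-other"    # warning present, FIPS flag not set
    fi
}

# demo: run the classifier on constructed sample data (no tshark needed).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '1\n' > "$tmp/fips"            # constructed: FIPS flag set
    printf '%s\n' \
        '(process:321): packet-wireguard-WARNING **: 16:10:40.872: proto_register_wg: decryption will not be possible due to lack of algorithms support' \
        'TShark (Wireshark) 3.4.9 (Git commit 365e236f)' > "$tmp/out"
    classify "$tmp/fips" "$tmp/out"
    strip_wg_warning "$tmp/out"
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo) demo ;;
    --live) out=$(mktemp) && tshark -v > "$out" 2>&1   # warning goes to stderr
            classify /proc/sys/crypto/fips_enabled "$out"; rm -f "$out" ;;
esac
```

Run it with --demo for the constructed sample, or with --live on a host where tshark is on the PATH.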