Hosting Provided By

[Users] ANNOUNCE: x509-1.5.2a bug fix for freeswan-2.05 released

From: Andreas Steffen <andreas.steffen(at)strongsec.net>
Date: Sun Feb 29 2004 - 14:56:13 EST

FreeS/WAN 2.05 introduced a new st_ph1_iv state variable which caused the IV for the encryption of notification messages sent during Main Mode to be computed incorrectly. Version 1.5.2a corrects this bug.

Regards

Andreas

Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   
http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64

CH-8952 Schlieren (Switzerland) fax: +41 1 730 80 65

==========================================[strong internet security]===

diff -urN freeswan-2.05-1.5.2/programs/ipsec/distro.txt freeswan-2.05-x509/programs/ipsec/distro.txt --- freeswan-2.05-1.5.2/programs/ipsec/distro.txt Sun Feb 29 16:25:29 2004 +++ freeswan-2.05-x509/programs/ipsec/distro.txt Sun Feb 29 11:34:01 2004
@@ -1 +1 @@

-X.509-1.5.2 distributed by Andreas Steffen <andreas.steffen@strongsec.com> +X.509-1.5.2a distributed by Andreas Steffen <andreas.steffen@strongsec.com> diff -urN freeswan-2.05-1.5.2/programs/pluto/Makefile freeswan-2.05-x509/programs/pluto/Makefile

--- freeswan-2.05-1.5.2/programs/pluto/Makefile	Sun Feb 29 16:25:29 2004
+++ freeswan-2.05-x509/programs/pluto/Makefile	Sun Feb 29 11:34:34 2004

@@ -16,7 +16,7 @@

# This is the X.509 version which is made available to Pluto via the # compile-time option -DX509
-X509_VERSION=\"X.509-1.5.2\"
+X509_VERSION=\"X.509-1.5.2a\"

# Uncomment this line to enable OCSP and dynamic CRL fetching using HTTP or FTP #LIBCURL=1
diff -urN freeswan-2.05-1.5.2/programs/pluto/ipsec_doi.c freeswan-2.05-x509/programs/pluto/ipsec_doi.c

--- freeswan-2.05-1.5.2/programs/pluto/ipsec_doi.c	Sun Feb 29 16:25:29 2004
+++ freeswan-2.05-x509/programs/pluto/ipsec_doi.c	Sun Feb 29 15:44:34 2004


@@ -428,13 +428,13 @@


 	if (old_iv_len > MAX_DIGEST_LEN)
 	    impossible();
 	memcpy(old_iv, encst->st_iv, old_iv_len);

-
+

 	if (!IS_ISAKMP_SA_ESTABLISHED(encst->st_state))
 	{
 	    if (encst->st_new_iv_len > MAX_DIGEST_LEN)
 		impossible();
-	    memcpy(encst->st_iv, encst->st_new_iv, encst->st_new_iv_len);
-	    encst->st_iv_len = encst->st_new_iv_len;
+	    memcpy(encst->st_ph1_iv, encst->st_new_iv, encst->st_new_iv_len);
+	    encst->st_ph1_iv_len = encst->st_new_iv_len;
 	}
 	init_phase2_iv(encst, &msgid);
 	if (!encrypt_message(&r_hdr_pbs, encst))


@@ -1923,9 +1923,6 @@


     st->st_new_iv_len = h->hash_digest_len;
     passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
 
-    DBG_cond_dump(DBG_CRYPT, "last Phase 1 IV:"
-	, st->st_iv, st->st_iv_len);
-
     h->hash_init(&ctx);
     h->hash_update(&ctx, st->st_ph1_iv, st->st_ph1_iv_len);
     passert(*msgid != 0);

_______________________________________________ FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr Received on Sun Feb 29 15:00:27 2004

Do you need help?

This message: [ Message body ]
Next message: Philipp Snizek: "Re: [Users] Nat-t, winxp, certs and PSK ---> getting OT."
Previous message: swlstp(at)sunrisecal.com: "[Users] let it!"
In reply to: Andreas Steffen: "[Users] ANNOUNCE: x509-1.5.2 for freeswan-2.05 released"
Next in thread: David Santinoli: "Re: [Users] ANNOUNCE: x509-1.5.2a bug fix for freeswan-2.05 released"
Reply: David Santinoli: "Re: [Users] ANNOUNCE: x509-1.5.2a bug fix for freeswan-2.05 released"
Reply: Andreas Steffen: "[Users] ANNOUNCE: x509 patch with port wildcard interoperates now with Mac OS X Panther"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:06 EDT