[Openswan Users] ANNOUNCE: x509-1.5.2a bug fix for freeswan-2.05 released

Andreas Steffen andreas.steffen at strongsec.net
Sun Feb 29 20:56:13 CET 2004


FreeS/WAN 2.05 introduced a new st_ph1_iv state variable which caused
the IV for the encryption of notification messages sent during
Main Mode to be computed incorrectly. Version 1.5.2a corrects this bug.

Regards

Andreas

=======================================================================
Andreas Steffen                   e-mail: andreas.steffen at strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
-------------- next part --------------
diff -urN freeswan-2.05-1.5.2/programs/ipsec/distro.txt freeswan-2.05-x509/programs/ipsec/distro.txt
--- freeswan-2.05-1.5.2/programs/ipsec/distro.txt	Sun Feb 29 16:25:29 2004
+++ freeswan-2.05-x509/programs/ipsec/distro.txt	Sun Feb 29 11:34:01 2004
@@ -1 +1 @@
-X.509-1.5.2 distributed by Andreas Steffen <andreas.steffen at strongsec.com>
+X.509-1.5.2a distributed by Andreas Steffen <andreas.steffen at strongsec.com>
diff -urN freeswan-2.05-1.5.2/programs/pluto/Makefile freeswan-2.05-x509/programs/pluto/Makefile
--- freeswan-2.05-1.5.2/programs/pluto/Makefile	Sun Feb 29 16:25:29 2004
+++ freeswan-2.05-x509/programs/pluto/Makefile	Sun Feb 29 11:34:34 2004
@@ -16,7 +16,7 @@
 
 # This is the X.509 version which is made available to Pluto via the
 # compile-time option -DX509
-X509_VERSION=\"X.509-1.5.2\"
+X509_VERSION=\"X.509-1.5.2a\"
 
 # Uncomment this line to enable OCSP and dynamic CRL fetching using HTTP or FTP
 #LIBCURL=1
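Review bot: The version string is now maintained by hand in two places, here in `X509_VERSION` and in programs/ipsec/distro.txt, so a future bump can update one and miss the other. Consider deriving one from the other at build time, or at least add a comment next to `X509_VERSION` naming distro.txt as the second location to edit.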
diff -urN freeswan-2.05-1.5.2/programs/pluto/ipsec_doi.c freeswan-2.05-x509/programs/pluto/ipsec_doi.c
--- freeswan-2.05-1.5.2/programs/pluto/ipsec_doi.c	Sun Feb 29 16:25:29 2004
+++ freeswan-2.05-x509/programs/pluto/ipsec_doi.c	Sun Feb 29 15:44:34 2004
@@ -428,13 +428,13 @@
 	if (old_iv_len > MAX_DIGEST_LEN)
 	    impossible();
 	memcpy(old_iv, encst->st_iv, old_iv_len);
-	
+
 	if (!IS_ISAKMP_SA_ESTABLISHED(encst->st_state))
 	{
 	    if (encst->st_new_iv_len > MAX_DIGEST_LEN)
 		impossible();
-	    memcpy(encst->st_iv, encst->st_new_iv, encst->st_new_iv_len);
-	    encst->st_iv_len = encst->st_new_iv_len;
+	    memcpy(encst->st_ph1_iv, encst->st_new_iv, encst->st_new_iv_len);
+	    encst->st_ph1_iv_len = encst->st_new_iv_len;
 	}
 	init_phase2_iv(encst, &msgid);
 	if (!encrypt_message(&r_hdr_pbs, encst))
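Review bot: The length guard before the changed memcpy still compares `encst->st_new_iv_len` against `MAX_DIGEST_LEN`, but the destination is now `st_ph1_iv`, whose declared size is not visible in this hunk. Checking against the destination itself, for example `passert(encst->st_new_iv_len <= sizeof(encst->st_ph1_iv));` in the style used further down in this file for `st_new_iv`, would keep the copy safe if the two buffers are ever sized differently. Also note that `st_iv` is saved into `old_iv` above while `st_ph1_iv` is overwritten without being saved; a one-line comment stating that updating the Phase 1 IV in place before `init_phase2_iv()` is intended for a not-yet-established ISAKMP SA would help the next reader. The trailing-tab removal on the blank line is unrelated whitespace churn and could be left out of a bug-fix patch.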
@@ -1923,9 +1923,6 @@
     st->st_new_iv_len = h->hash_digest_len;
     passert(st->st_new_iv_len <= sizeof(st->st_new_iv));
 
-    DBG_cond_dump(DBG_CRYPT, "last Phase 1 IV:"
-	, st->st_iv, st->st_iv_len);
-
     h->hash_init(&ctx);
     h->hash_update(&ctx, st->st_ph1_iv, st->st_ph1_iv_len);
     passert(*msgid != 0);
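Review bot: Dropping the `DBG_cond_dump(DBG_CRYPT, "last Phase 1 IV:" ...)` call removes the only trace of the value that feeds the hash below, which is exactly what one would want to see when diagnosing an IV mismatch like the one this release fixes. Since the hash input is `st->st_ph1_iv`, consider keeping the dump and pointing it at `st->st_ph1_iv, st->st_ph1_iv_len` instead of deleting it, so the DBG_CRYPT output matches what is actually hashed.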

