[Users] SHA1 and 2.00/01/02 - problems and a fix.
- To: [EMAIL PROTECTED]
- Subject: [Users] SHA1 and 2.00/01/02 - problems and a fix.
- From: Sam Sgro <[EMAIL PROTECTED]>
- Date: Wed, 17 Sep 2003 03:01:39 -0400
- Sender: [EMAIL PROTECTED]
-----BEGIN PGP SIGNED MESSAGE-----
Are you running Linux FreeS/WAN 2.00, 2.01, or 2.02, and interoperating
with other IPsec implementations? If so, this fix may be relevant to you.
The SHA1 implementation in those releases is flawed; while negotiations for
ESP_3DES_HMAC_SHA1 will succeed, actually receiving SHA1 hashed packets will
fail. "klipsdebug=all" will log errors like so:
klips_debug:ipsec_rcv: auth failed on incoming packet from 11.22.33.44:
hash=653gxdfadkj98akjdfaldkja auth=12aht3flk1jf4ewiafoq212e, dropped
SHA1 support is not critical for many FreeS/WAN deployments. FreeS/WAN to
FreeS/WAN tunnels have always used MD5 thanks to the nature of the IKE
proposals, the W2k/XP native clients propose MD5, etc.
The fault lies in the kernel code, and the fix is simple: apply the following
patch to your FreeS/WAN source and/or kernel, and recompile as needed.
- --- linux/net/ipsec/ipsec_rcv.c 2003-09-16 17:17:35.000000000 -0400
+++ linux/net/ipsec/ipsec_rcv.c.fix 2003-09-16 17:13:50.000000000 -0400
@@ -376,7 +376,7 @@
memcpy(&tctx, irs->octx, irs->octx_len);
- - (*aa->update)((void *)&tctx, irs->hash, AHMD596_ALEN);
+ (*aa->update)((void *)&tctx, irs->hash, aa->hashlen);
(*aa->final)(irs->hash, (void *)&tctx);
return IPSEC_RCV_OK;
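Review bot: the one-line change makes the (*aa->update) call feed aa->hashlen bytes of the inner digest into the outer HMAC context instead of the hard-coded MD5 length AHMD596_ALEN, so for SHA1 the outer hash now covers all 20 bytes rather than a truncated 16, which matches the failure the report describes (MD5 unaffected, SHA1 auth failing on receive). Two things to confirm before merging: that irs->hash is dimensioned for the largest hashlen of any registered algorithm, since the same buffer is the input here and the output of (*aa->final) on the next line; and that no other use of AHMD596_ALEN in the receive or transmit paths is likewise standing in for an algorithm-dependent length.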
The patch will be posted on xs4all, and updated module RPMs should follow.
--
Sam Sgro
[EMAIL PROTECTED]
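To see why the bug breaks SHA1 but leaves MD5 working, here is an added Python model of the KLIPS inbound check described above (example code, not FreeS/WAN's own): HMAC built from precomputed inner/outer contexts, with the inner digest fed to the outer context either at the hard-coded 16-byte MD5 length or at the algorithm's real digest length. The key, payload and the 96-bit ESP truncation (RFC 2403/2404) are my assumptions, not values from the post.

```python
import hashlib
import hmac

AHMD596_ALEN = 16  # MD5 digest length the flawed ipsec_rcv.c hard-coded


def _hmac_with_inner_len(algo, key, data, inner_len):
    """HMAC (RFC 2104) with ictx/octx precomputed like KLIPS does, then
    only `inner_len` bytes of the inner digest fed into the outer context."""
    block = hashlib.new(algo).block_size
    if len(key) > block:
        key = hashlib.new(algo, key).digest()
    key = key.ljust(block, b"\x00")
    ictx = hashlib.new(algo, bytes(k ^ 0x36 for k in key))  # inner context
    octx = hashlib.new(algo, bytes(k ^ 0x5C for k in key))  # outer context
    ictx.update(data)
    inner = ictx.digest()
    tctx = octx.copy()               # memcpy(&tctx, irs->octx, irs->octx_len)
    tctx.update(inner[:inner_len])   # (*aa->update)(&tctx, irs->hash, <len>)
    return tctx.digest()             # (*aa->final)(irs->hash, &tctx)


def correct_tag(algo, key, data):
    """Fixed code: update with aa->hashlen, the algorithm's own digest size."""
    return _hmac_with_inner_len(algo, key, data, hashlib.new(algo).digest_size)


def buggy_tag(algo, key, data):
    """2.00-2.02 code: update with AHMD596_ALEN regardless of algorithm."""
    return _hmac_with_inner_len(algo, key, data, AHMD596_ALEN)


def receiver_accepts(algo, key, data, icv, fixed):
    """Model of ipsec_rcv's auth check: ESP carries the first 96 bits of the
    HMAC (assumed, per RFC 2403/2404); compare in constant time."""
    computed = (correct_tag if fixed else buggy_tag)(algo, key, data)
    return hmac.compare_digest(computed[:12], icv[:12])


# Constructed sample: a conforming peer computes the ICV with the real HMAC.
KEY = b"constructed-20-byte-k"
DATA = b"constructed ESP payload"
PEER_SHA1_ICV = hmac.new(KEY, DATA, "sha1").digest()
PEER_MD5_ICV = hmac.new(KEY, DATA, "md5").digest()

if __name__ == "__main__":
    for algo, icv in (("md5", PEER_MD5_ICV), ("sha1", PEER_SHA1_ICV)):
        print(algo, "buggy:", receiver_accepts(algo, KEY, DATA, icv, False),
              "fixed:", receiver_accepts(algo, KEY, DATA, icv, True))
```

Running it shows MD5 accepted by both builds (16 happens to equal its digest size) while SHA1 is rejected by the buggy build and accepted by the fixed one.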
_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr