Patch Name: PHNE_21031

Patch Description: s700_800 11.00 IPSec 168 bit 3DES cumulative patch

Creation Date: 00/03/03

Post Date: 00/04/04

Repost: 02/03/29
    The patch documentation was modified to remove comments about
    the patch being restricted by the cryptographic export controls
    of the U.S. Commerce Department. The IPSec/9000 product is no
    longer under restriction, so these comments were removed from
    the documentation. The patch is now available on the HP IT
    Resource Center and can be freely exported outside of the U.S.
    and Canada.

Hardware Platforms - OS Releases:
    s700: 11.00
    s800: 11.00

Products:
    IPSEC A.01.01

Filesets:
    IPSEC.IPSEC-KRN,fr=A.01.01,fa=HP-UX_B.11.00_32,v=HP
    IPSEC.IPSEC-KRN,fr=A.01.01,fa=HP-UX_B.11.00_64,v=HP
    IPSEC.IPSEC-RUN,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP
    IPSEC.IPSEC-MAN,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP
    IPSEC.IPSEC-GUI,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical: Yes
    PHNE_21031: PANIC
    PHNE_20375: OTHER
        This patch fixes critical interoperability problems

Category Tags:
    defect_repair general_release critical panic

Path Name: /hp-ux_patches/s700_800/11.X/PHNE_21031

Symptoms:
    PHNE_21031:
    1.  IPSec crashes under a system exhaustion condition.
    2.  IPSec crashes under a stressful port scan.
    3.  ipsec_mgr core dumps intermittently when enrolling with the
        VeriSign Certificate Authority.
    4.  Establishing a Tunnel between the HP external host and
        Nortel's Connectivity gateway box fails.
    5.  When changing the configuration of one of two machines with
        identical IPSec Policies to a different Tunnel ISAKMP
        Policy, the user is alerted with the message:
        "Changing the tunnel ISAKMP policy will affect all IPSec
        policies that refer to the same tunnel Endpoint IP address.
        Do you really want to do this?"
        Despite a "No" response, the change takes place.
    6.  The ipsec_mgr GUI accepts an invalid IP address and does not
        report an error. The invalid IP address causes problems
        when the policy file is used.
    7.  Main Mode re-negotiation using VeriSign certificates fails
        due to slow or no DNS response.
    8.  ipsec_mgr core dumps when the Certificate Issuer Name is
        greater than 100 characters.
    9.  IPSEC/9000 fails to build a secure connection using VeriSign
        certificates on multi-homed systems.
    10. Returns the error message "ALERT-Incorrect caller 10 or bad
        status of 7" for "ipsec_admin -al debug".
    11. The "Exclusive" check box on the "Create IPSec Policy"
        screen has the following problems:
        a) It does not reflect what is in the policy flat file
           (policies.txt).
        b) For transport configurations, it has to be checked if
           the remote IP address is not an explicit address and the
           IPSec transform is AH and/or ESP.
        c) For tunnel configurations, it cannot be checked if the
           transform is PASS.

    PHNE_20375:
    1.  Applications, such as SNMP Traps, that open a socket, send a
        small amount of UDP data, and close the socket will
        sometimes see the UDP data not reach the remote system.
    2.  IPSec is unable to successfully start up during system
        boot-up.
    3.  The IKE Main Mode negotiation failed if the initiator uses
        an FQDN or ASN.1 ID-type and uses a Verisign certificate
        for RSA authentication.
    4.  Connections will hang between two IPSec end nodes which use
        transport mode to each other as well as tunnel mode to an
        intervening IPSec gateway.

    PHNE_18948:
    1.  The user can't refresh the VeriSign Certificate list from
        ipsec_mgr.
    2.  On the VeriSign Certificate Details screen, non-applicable
        domain certificate fields are displayed, but contain no
        data.
    3.  The label, Tunnel Transform List (authenticate, encrypt,
        pass, discard), in the "Create/Edit IPSec Policy screen" is
        incorrect.
    4.  Once an Entrust profile is created, the user cannot create a
        new one.
    5.  ipsec_mgr may coredump at startup.
    6.  In a topology where two end nodes, Node A and Node B, are
        connected through a secure gateway in tunnel mode, only the
        traffic initiated by Node A can go through.
    7.  When using RSA signature to authenticate a non-HP node,
        ISAKMP authentication fails.
    8.  When the user uses RSA signature to authenticate a non-HP
        node, the Certificate Request is rejected.
    9.  When a non-HP peer sends a Certificate payload or a
        Certificate Request payload with a type other than X.509
        signature, such as CRL, the negotiation fails.
    10. When the proposed SA lifetime is less than the minimum
        lifetime set by IPSec/9000, the negotiation fails.
    11. It takes several seconds to establish a connection to a peer
        node.
    12. IPSec/9000 cannot establish connections using hash rules
        that contain subnet masks and a one-way direction policy.
    13. Excessive IPSec SAs are created for a connection request.
    14. If there are IPSec SAs established with a peer node and the
        peer node is rebooted, the existing connection to the peer
        node cannot be reestablished.
    15. To save ipsec_report output to a file, the user needs to
        redirect the output. However, the user cannot see the
        password prompt to accomplish this.
    16. If one of the concurrent IPSec negotiations times out, the
        network connection of the rest of the IPSec negotiations
        will hang.
    17. IKE daemon hangs after running extensive negotiations for a
        period of time.
    18. When stopping IPSec, IKE reports "Process Construct error
        0xffffff" to the audit file.
    19. Establishing a connection in the reverse direction to
        existing established SAs may hang.
    20. Occasionally log messages are not recorded in the audit
        file.
    21. The Policy daemon logs an alert message to the audit file:
        "No SPI for received packet".
    22. IPSec/9000 domestic product, J4256AA, now supports 3DES-CBC
        for IKE Main Mode authentication.

Defect Description:
    PHNE_21031:
    1.  The IPSec SAs counter in the Security Association database
        was not initialized to zero. Secondly, the system crashed
        because the IPSec kernel did not detect a system exhaustion
        condition. When IPSec/9000 was not brought down properly,
        it left an inconsistent Security Association database. When
        IPSec/9000 was restarted, the system would consume all
        system memory and crash.
        Resolution:
        Fixed to detect the system memory exhaustion condition,
        initialize the IPSec SA counter to zero and flush the
        Security Association database whenever IPSec/9000 is
        launched.
    2.  When several port scans were run, the IPSec/9000 systems
        would generate thousands of kernel Policy Cache records,
        thereby consuming all system memory and crashing the system.
        Resolution:
        Modified to detect the exhaustion of system memory to avoid
        a panic. Secondly, limited the number of kernel Policy Cache
        records to 50,000. Once 25,000 Cache records are created,
        the Administrator is alerted of a possible Denial of Service
        attack with "Alert" messages in the IPSec Audit file. The
        user may get the number of kernel Cache records and SAs that
        have been created by running
        "ndd -get /dev/ip ip_ipsec_status".
    3.  A buffer used to build the command to enroll to the VeriSign
        CA was being overrun.
        Resolution:
        Increased the buffer size and checked for buffer overrun.
    4.  IKE did not process the SADB_EXT_IDENTITY_SRC and
        SADB_EXT_IDENTITY_DST extensions set by the PFKey ACQUIRE
        message and only sent out an ID_IPV4_ADDR type ID payload.
        Resolution:
        Changed IKE to process identity extensions and send the
        ID_IPV4_ADDR or ID_IPV4_ADDR_SUBNET type ID payload as
        required.
    5.  The wrong table index was used to process the "No" response
        to the dialog box.
        Resolution:
        Modified code to use the correct table index.
    6.  The logic used to detect invalid addresses did not cover all
        invalid cases.
        Resolution:
        Added new logic to detect the invalid IP addresses.
    7.  When the DNS service was slow or unavailable, the VeriSign
        Main Mode re-negotiation failed.
        Resolution:
        Replaced all gethostbyname calls for the local system with
        IO calls and the loopback address with simple address
        conversion.
    8.  The buffer for an issuer's name was overrun by a name
        greater than 100 characters in length, thus causing a core
        dump.
        Resolution:
        Increased the maximum buffer length to 1024 characters. In
        addition, added checks to prevent overrun.
    9.  The VeriSign certificate storage/retrieval mechanism was
        inconsistent. The certificate was stored based on network
        address and retrieved using ID.
        Resolution:
        Changed the storage/retrieval mechanism to use the network
        address consistently.
    10. The Audit Daemon, secauditd, did not recognize the new
        internal debug level and reported an error.
        Resolution:
        Removed the checking for the audit level in secauditd.
    11. The code was inadequate in handling the "Exclusive" check
        box.
        Resolution:
        Modified the code to fix this.

    PHNE_20375:
    1.  IPSec is dropping UDP packets on applications that do a
        quick open socket, send UDP data, and close socket sequence.
        Resolution:
        IPSec will pend UDP traffic to get Policy completion when
        IPSec is enabled. Resolution requires a Transport GR patch
        which is also needed to fix this problem.
    2.  IPSec cannot be started during system boot-up; the IPSec
        kernel is in a "Down" state.
        Resolution:
        One of the IPSec control files was being reset by
        ipsec_admin, causing IPSec to not start up successfully
        during boot-up.
    3.  IPSec/9000 is unable to interoperate with Cisco IOS, which
        only uses an FQDN ID-type when using Verisign certificates.
        Resolution:
        The peer's source IP address is used in the peer's Main Mode
        ID until Secure DNS is available and the FQDN or ASN.1 DN
        can be resolved. Note that HP-UX IPSec/9000 always uses an
        IPv4 ID-type in its Main Mode messages.
    4.  The Policy daemon was not waiting for all the SAs to be
        built (tunnel and transport) on the receiving side. This
        caused the receiving side to initiate another SA pair for
        the transport SA, causing confusion on creating the SA on
        the sending side.
        Resolution:
        The Policy daemon now waits for the tunnel SA to be complete
        before processing the transport SA.

    PHNE_18948:
    1.  IPSec/9000 ipsec_mgr does not provide a "Refresh" function.
        Resolution:
        Add a "Refresh" feature on the ipsec_mgr "Certificates"
        screen.
    2.  For a domain certificate, the non-applicable fields are
        displayed in error.
        Resolution:
        Don't display non-applicable fields for a domain
        certificate.
    3.  The tunnel transform cannot be pass or discard.
        Resolution:
        Change the label to "Tunnel Transform List (authenticate,
        encrypt)".
    4.  Once an Entrust profile is created, the user is only allowed
        to "Recover epf File".
        Resolution:
        Change the GUI to add two separate buttons: "Create
        profile" and "Recover profile".
    5.  At start-up, an error occurs when ipsec_mgr attempts to
        decrypt a file with an outdated ipsec password.
        Resolution:
        Removed this unnecessary code.
    6.  When Node B sets up a tunnel through a secure gateway to
        Node A, the source and proxy addresses of the IPSec inbound
        SA generated by Node A to the secure gateway are incorrect.
        Resolution:
        Corrected the source and proxy addresses of the IPSec
        inbound SA.
    7.  There is misalignment in the Certificate Request payload.
        Resolution:
        Modified the code.
    8.  IPSec/9000 passes the Certificate Subject name rather than
        the Certificate Issuer name in the Certificate Request.
        Resolution:
        Modified code to pass the certificate issuer name.
    9.  When IPSec/9000 received a Certificate payload or a
        Certificate Request payload with a type other than X.509
        signature, such as CRL, IPSec/9000 fails to handle it
        correctly.
        Resolution:
        Modified IKE to handle a Certificate payload type or
        Certificate Request payload type other than X.509
        Signature.
    10. If a proposed ISAKMP SA lifetime is less than 3600 seconds
        or a proposed IPSec SA lifetime is less than 600 seconds,
        IPSec/9000 does not accept the ISAKMP or the IPSec SA
        proposal.
        Resolution:
        The minimum lifetime for an ISAKMP SA is reduced to 600
        seconds and the minimum lifetime for an IPSec SA is reduced
        to 300 seconds.
    11. IPSec/9000 drops the first packet sent by the peer node.
        Resolution:
        Corrected the Policy daemon on the responder system to have
        the kernel wait for the first Main Mode IKE message while
        resolving its clear-text IKE message.
    12. The Policy daemon does not create a hash policy rule for
        subnet masks and a one-way direction policy in memory.
        Resolution:
        Corrected the Policy daemon to create a hash policy rule for
        subnet masks and a one-way direction policy in memory.
    13. The Policy daemon on the responder system does not wait for
        the negotiation to finish and this causes the responder
        system to initiate a second new negotiation.
        Resolution:
        Change the Policy daemon on the responder system to wait for
        IKE to finish its QM negotiation in all cases.
    14. To correct this situation, the system administrator must
        delete the existing ISAKMP and IPSec SAs to this peer node.
        Resolution:
        A new "-deletesa remote_ip_address" option has been added to
        ipsec_admin. The remote_ip_address is the IP address of the
        rebooted node.
    15. The password prompt was not displayed for file redirection.
        Resolution:
        A new "-file report_file" option has been added to
        ipsec_report.
    16. When one of the Quick Mode negotiations times out, IKE marks
        the ISAKMP SA as unusable but IKE did not notify the Policy
        daemon of the negotiation failure for all the other network
        connections.
        Resolution:
        Modified IKE to notify the policy daemon of the negotiation
        failure for all other network connections.
    17. After running extensive negotiations for a period of time,
        an internal array of the IKE daemon overflows.
        Resolution:
        Fixed the IKE daemon internal array problem.
    18. In an attempt to flush all the IPSec SAs, IKE incorrectly
        anticipates that both the AH and ESP protocols have IPSec
        SAs established. IKE reports the "Process Construct error
        0xffffff" error message to the audit file if no SAs exist
        for a protocol.
        Resolution:
        Corrected the code so it does not expect both AH and ESP
        Protocols.
    19. The Policy daemon on the initiator system was not updating
        the state of the policy rule in its memory cache to
        "Ready"; this caused connections initiated from the
        responder system to hang.
        Resolution:
        Changed the Policy daemon on the initiator system to update
        the state of the policy rule in its memory cache to "Ready".
    20. The buffer for logging was too small and there was no flow
        control.
        Resolution:
        Increased the buffer size and added flow control.
    21. There was a window where the initiator system receives a
        packet from the responder system before the inbound SA was
        loaded into the kernel.
        Resolution:
        Corrected the timing problem.
    22. IPSec/9000 domestic product, J4256AA, does not support
        3DES-CBC for IKE Main Mode authentication.
        Resolution:
        Add a new function: 3DES-CBC for IKE Main Mode
        authentication for J4256AA.

SR:
    0000000000

Patch Files:
    IPSEC.IPSEC-KRN,fr=A.01.01,fa=HP-UX_B.11.00_32,v=HP:
        /usr/conf/lib/libipsec.a

    IPSEC.IPSEC-KRN,fr=A.01.01,fa=HP-UX_B.11.00_64,v=HP:
        /usr/conf/lib/libipsec.a

    IPSEC.IPSEC-RUN,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:
        /usr/sbin/ikmpd
        /usr/sbin/ipsec_admin
        /usr/sbin/ipsec_policy
        /usr/sbin/ipsec_report
        /usr/sbin/secauditd
        /usr/sbin/secpolicyd

    IPSEC.IPSEC-MAN,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:
        /usr/share/doc/PHNE_18948.ReadMe
        /usr/man/man1m.Z/ipsec_admin.1m
        /usr/man/man1m.Z/ipsec_report.1m

    IPSEC.IPSEC-GUI,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:
        /usr/sbin/ipsec_mgr
        /var/adm/ipsec_gui/help/cert_main_all.html
        /var/adm/ipsec_gui/help/cert_main_create.html
        /var/adm/ipsec_gui/help/cert_main_ent_all.html
        /var/adm/ipsec_gui/help/cert_db_details.html
        /var/adm/ipsec_gui/help/cert_db_ent_create.html
        /var/adm/ipsec_gui/help/oakley_db_encryp.html
        /var/adm/ipsec_gui/help/oakley_db_lifetime.html
        /var/adm/ipsec_gui/help/ippolicy_f_lifesec.html
        /var/adm/ipsec_gui/help/cert_main_refr.html
        /var/adm/ipsec_gui/lib/IPSecManager.jar
        /var/adm/ipsec_gui/lib/labelString.properties
        /var/adm/ipsec_gui/lib/messageString.properties
        /var/adm/ipsec_gui/lib/libverisign.sl
        /var/adm/ipsec_gui/lib/swing.jar

what(1) Output:
    IPSEC.IPSEC-KRN,fr=A.01.01,fa=HP-UX_B.11.00_32,v=HP:
        /usr/conf/lib/libipsec.a:
            $ IPSec/9000 Patch PHNE_21030/PHNE_21031 Feb 10 2000 13:30:01 $
            NET: libipsec: Version: B.11.00

    IPSEC.IPSEC-KRN,fr=A.01.01,fa=HP-UX_B.11.00_64,v=HP:
        /usr/conf/lib/libipsec.a:
            $ IPSec/9000 Patch PHNE_21030/PHNE_21031 Feb 10 2000 17:13:34 $
            NET: libipsec: Version: B.11.00

    IPSEC.IPSEC-RUN,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:
        /usr/sbin/ikmpd:
            $ IPSec/9000 Patch PHNE_21030/PHNE_21031 Mar 3 2000 12:05:36 $
            IPSEC: Version: B.11.00 $Revision: 1.1 $ $Date: 98/09/14 15:30:00$
        /usr/sbin/ipsec_admin:
            $ IPSec/9000 Patch PHNE_21030/PHNE_21031 Feb 25 2000 17:28:23 $
            IPSEC: Version: B.11.00 $Revision: 1.1 $ $Date: 98/09/14 15:30:00$
        /usr/sbin/ipsec_policy:
            $ IPSec/9000 Patch PHNE_18947/PHNE_18948 Sep 24 1999 14:13:35 $
            IPSEC: Version: B.11.00 $Revision: 1.1 $ $Date: 98/09/14 15:30:00$
        /usr/sbin/ipsec_report:
            $ IPSec/9000 Patch PHNE_20374/PHNE_20375 Nov 8 1999 11:52:04 $
            IPSEC: Version: B.11.00 $Revision: 1.1 $ $Date: 98/09/14 15:30:00$
        /usr/sbin/secauditd:
            $ IPSec/9000 Patch PHNE_21030/PHNE_21031 Feb 25 2000 17:35:24 $
            secauditd.c $Revision: $
            IPSEC: Version: B.11.00 $Revision: 1.1 $ $Date: 98/09/14 15:30:00$
        /usr/sbin/secpolicyd:
            $ IPSec/9000 Patch PHNE_21030/PHNE_21031 Feb 25 2000 17:34:41 $
            IPSEC: Version: B.11.00 $Revision: 1.1 $ $Date: 98/09/14 15:30:00$

    IPSEC.IPSEC-MAN,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:
        /usr/share/doc/PHNE_18948.ReadMe:
            None
        /usr/man/man1m.Z/ipsec_admin.1m:
            None
        /usr/man/man1m.Z/ipsec_report.1m:
            None

    IPSEC.IPSEC-GUI,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:
        /usr/sbin/ipsec_mgr:
            $ IPSec/9000 Patch PHNE_18947/PHNE_18948 Sep 24 1999 14:19:37 $
            IPSEC: Version: B.11.00 $Revision: 1.1 $ $Date: 98/09/14 15:30:00$
        /var/adm/ipsec_gui/help/cert_main_all.html:
            None
        /var/adm/ipsec_gui/help/cert_main_create.html:
            None
        /var/adm/ipsec_gui/help/cert_main_ent_all.html:
            None
        /var/adm/ipsec_gui/help/cert_db_details.html:
            None
        /var/adm/ipsec_gui/help/cert_db_ent_create.html:
            None
        /var/adm/ipsec_gui/help/oakley_db_encryp.html:
            None
        /var/adm/ipsec_gui/help/oakley_db_lifetime.html:
            None
        /var/adm/ipsec_gui/help/ippolicy_f_lifesec.html:
            None
        /var/adm/ipsec_gui/help/cert_main_refr.html:
            None
        /var/adm/ipsec_gui/lib/IPSecManager.jar:
            None
        /var/adm/ipsec_gui/lib/labelString.properties:
            None
        /var/adm/ipsec_gui/lib/messageString.properties:
            None
        /var/adm/ipsec_gui/lib/libverisign.sl:
            $ IPSec/9000 Patch PHNE_21030/PHNE_21031 Feb 25 2000 17:35:51 $
            IPSEC: Version: B.11.00 $Revision: 1.1 $ $Date: 98/09/14 15:30:00$
        /var/adm/ipsec_gui/lib/swing.jar:
            None

cksum(1) Output:
    IPSEC.IPSEC-KRN,fr=A.01.01,fa=HP-UX_B.11.00_32,v=HP:
        547382454 83688 /usr/conf/lib/libipsec.a

    IPSEC.IPSEC-KRN,fr=A.01.01,fa=HP-UX_B.11.00_64,v=HP:
        197469134 159922 /usr/conf/lib/libipsec.a

    IPSEC.IPSEC-RUN,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:
        3151002608 495616 /usr/sbin/ikmpd
        1546351430 114688 /usr/sbin/ipsec_admin
        868394560 81920 /usr/sbin/ipsec_policy
        1457489295 94208 /usr/sbin/ipsec_report
        1080576495 28672 /usr/sbin/secauditd
        2913275960 77824 /usr/sbin/secpolicyd

    IPSEC.IPSEC-MAN,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:
        2764990399 3212 /usr/share/doc/PHNE_18948.ReadMe
        1574098544 4001 /usr/man/man1m.Z/ipsec_admin.1m
        1592177469 9705 /usr/man/man1m.Z/ipsec_report.1m

    IPSEC.IPSEC-GUI,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:
        2791839409 73728 /usr/sbin/ipsec_mgr
        3048164802 2707 /var/adm/ipsec_gui/help/cert_main_all.html
        332317317 1265 /var/adm/ipsec_gui/help/cert_main_create.html
        3832204250 1495 /var/adm/ipsec_gui/help/cert_main_ent_all.html
        1193753424 1187 /var/adm/ipsec_gui/help/cert_db_details.html
        2192492928 1251 /var/adm/ipsec_gui/help/cert_db_ent_create.html
        2774206110 677 /var/adm/ipsec_gui/help/oakley_db_encryp.html
        2677016764 1611 /var/adm/ipsec_gui/help/oakley_db_lifetime.html
        1576222854 887 /var/adm/ipsec_gui/help/ippolicy_f_lifesec.html
        4097750579 425 /var/adm/ipsec_gui/help/cert_main_refr.html
        3605887723 253538 /var/adm/ipsec_gui/lib/IPSecManager.jar
        3488665694 9818 /var/adm/ipsec_gui/lib/labelString.properties
        1933149242 5856 /var/adm/ipsec_gui/lib/messageString.properties
        1101648857 716800 /var/adm/ipsec_gui/lib/libverisign.sl
        2609227314 1868003 /var/adm/ipsec_gui/lib/swing.jar

Patch Conflicts: None

Patch Dependencies:
    s700: 11.00: PHNE_18972 PHNE_20436
    s800: 11.00: PHNE_18972 PHNE_20436

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHNE_18948 PHNE_20375

Equivalent Patches: None

Patch Package Size: 4070 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

           cd /tmp
           sh PHNE_21031

    5. Run swinstall to install the patch:

           swinstall -x autoreboot=true -x patch_match_target=true \
               -s /tmp/PHNE_21031.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHNE_21031. If you do not wish to retain a
    copy of the original software, use the patch_save_files option:

           swinstall -x autoreboot=true -x patch_match_target=true \
               -x patch_save_files=false -s /tmp/PHNE_21031.depot

    WARNING: If patch_save_files is false when a patch is installed,
             the patch cannot be deinstalled. Please be careful
             when using this feature.

    For future reference, the contents of the PHNE_21031.text file
    are available in the product readme:

           swlist -l product -a readme -d @ /tmp/PHNE_21031.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

           dd if=/tmp/PHNE_21031.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:
    After installation of this patch the file PHNE_18948.ReadMe
    will outline changes to the user manual. Please print out:

           /usr/share/doc/PHNE_18948.ReadMe
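
To confirm after installation that the files on disk match the "cksum(1) Output" listing, the following added example (not part of HP's patch text) parses that layout, skipping fileset headers and accepting a path wrapped onto the following line, and compares each file's CRC and size. The function names, the optional ROOT prefix and the scratch-tree sample are assumptions of this example; the sample checksums are computed at run time, not taken from the patch.

```shell
#!/bin/sh
# verify_cksum_listing LISTING [ROOT]
#   LISTING  the "cksum(1) Output" section saved to a text file
#   ROOT     optional path prefix (an assumption of this example) for
#            checking an unpacked copy instead of the live system
# Prints one status line per file; returns 0 only if all files match.
verify_cksum_listing() {
    listing=$1 root=${2:-} bad=0 seen=0
    # Normalise to "CRC SIZE PATH": skip fileset headers (lines ending in
    # ':') and join a path that was wrapped onto the following line.
    records=$(awk '
        /:[ \t]*$/ { next }
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            if (have) print crc, size, path
            crc = $1; size = $2; path = $3; have = 1; next
        }
        have && NF == 1 { path = path $1 }
        END { if (have) print crc, size, path }
    ' "$listing")
    while read -r crc size path; do
        [ -n "$path" ] || continue
        seen=$((seen + 1))
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        set -- $(cksum < "$root$path")   # $1 = CRC, $2 = size in bytes
        if [ "$1" = "$crc" ] && [ "$2" = "$size" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (listed $crc $size, found $1 $2)"
            bad=$((bad + 1))
        fi
    done <<EOF
$records
EOF
    # An empty or unparsable listing is a failure, not a pass.
    [ "$bad" -eq 0 ] && [ "$seen" -gt 0 ]
}

# Constructed sample: a scratch tree and a listing in the page's layout
# (fileset headers, one wrapped path). CRCs are computed here, not taken
# from the patch text.
build_sample() {
    dir=$1 help=$1/var/adm/ipsec_gui/help
    mkdir -p "$dir/usr/sbin" "$help"
    printf 'constructed daemon image\n' > "$dir/usr/sbin/ikmpd"
    printf 'constructed help page\n' > "$help/cert_main_refr.html"
    {
        echo 'IPSEC.IPSEC-RUN,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:'
        echo "    $(cksum < "$dir/usr/sbin/ikmpd") /usr/sbin/ikmpd"
        echo 'IPSEC.IPSEC-GUI,fr=A.01.01,fa=HP-UX_B.11.00_32/64,v=HP:'
        echo "    $(cksum < "$help/cert_main_refr.html") /var/adm/ipsec_gui/help/"
        echo '        cert_main_refr.html'
    } > "$dir/listing.txt"
}

# With arguments: check a real listing. Without: run the constructed sample.
if [ "$#" -ge 1 ]; then
    verify_cksum_listing "$@"
else
    demo=$(mktemp -d) && build_sample "$demo" &&
        verify_cksum_listing "$demo/listing.txt" "$demo"
    rm -rf "$demo"
fi
```

A MISMATCH on a file that a later patch also delivers is expected once that later patch is installed; compare against the listing of the newest patch that owns the file.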