Patch Name: PHNE_25508

Patch Description: s700_800 11.X IPSec 168 bit 3DES cumulative patch

Creation Date: 01/11/30

Post Date: 01/12/11

Hardware Platforms - OS Releases:
    s700: 11.00 11.04
    s800: 11.00 11.04

Products: IPSEC A.01.04

Filesets:
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.00_32,v=HP
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.04_32,v=HP
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.00_64,v=HP
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.04_64,v=HP
    IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP
    IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.04_32/64,v=HP
    IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP
    IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.04_32/64,v=HP
    IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP
    IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical: Yes
    PHNE_25508:
        HANG OTHER
        This patch fixes a critical autoboot problem.

Category Tags: defect_repair enhancement general_release critical halts_system

Path Name: /hp-ux_patches/s700_800/11.X/PHNE_25508

Symptoms:
    PHNE_25508:
    1. JAGad92116
       The IKE daemon cannot negotiate SAs if IPSec is started at system
       boot time using the autoboot option. IPSec negotiations will fail
       and IPSec will not be able to encrypt or authenticate any packets.
       Network traffic that should be encrypted or authenticated will time
       out. ipsec_report -status will show that the IKE daemon is running,
       but netstat -an will not show any sockets listening on UDP port 500.

    2. JAGad90820
       The IKE daemon may hang after processing a certificate ID that is a
       Distinguished Name.

    3. JAGad91605
       IPSec (Quick Mode) SA negotiations fail for the following topology:
       IPSec/9000 initiator to a gateway (tunnel endpoint) to subnetwork
       destination. The IPSec policy passes traffic between the end nodes;
       the destination is a subnetwork. IPSec negotiations will fail and
       IPSec will not be able to encrypt or authenticate any packets.
       Network traffic that should be encrypted or authenticated will time
       out.

    4. JAGad93252
       IKE (or IPSec) Main Mode negotiations will fail when
       certificate-based authentication is used and the remote system
       sends an ID that is a Distinguished Name longer than 128 bytes.
       IPSec negotiations will fail and IPSec will not be able to encrypt
       or authenticate any packets. Network traffic that should be
       encrypted or authenticated will time out.

    5. JAGad94481
       All IPSec Main Mode SA negotiations using Entrust certificates for
       authentication will fail if IPSec/9000 is not able to connect to
       the Entrust PKI at IPSec startup or autoboot time. IPSec
       negotiations will fail and IPSec will not be able to encrypt or
       authenticate any packets. Network traffic that should be encrypted
       or authenticated will time out. The error message indicating
       Entrust registration failure is
       "init_Entrust() failed -> preshared key only".

    6. JAGad96331
       When a user changes an IPSec admin password (with the -newpasswd or
       -np option), IPSec/9000 tries to reset its internal structures for
       preshared keys or certificates, as it does at startup time. The
       IPSec/9000 service may not be affected, but the entries in the
       audit file are confusing.

Defect Description:
    PHNE_25508:
    1. At system boot time, IPSec is started by ipsec_admin in the
       S011ipsec script before any network interface has been assigned an
       IP address. In previous releases, the ikmpd daemon would bind an
       AF_INET socket with ANYADDR to listen for ISAKMP (port 500)
       messages at startup time. In the AR1201 release, the ikmpd daemon
       needs to bind the AF_INET and/or AF_INET6 socket with an IP
       address.
       Resolution: secpolicyd adds a thread to watch for logical
       interface changes and to notify ikmpd with interface information.
       The ikmpd daemon will then bind to the IP address.

    2. The IKE daemon (ikmpd) improperly frees dynamically allocated
       memory, causing it to corrupt some of its internal data structures.
       This is caused by address calculation errors when processing
       Distinguished Names in certificates.
       Resolution: Code changes in the IPSec IKE daemon in processing the
       Distinguished Name comparison. Free the buffer only after verifying
       that the pointer actually points to the start of a malloc'ed
       buffer.

    3. The Quick Mode src/dst ID information was set incorrectly when IKE
       processed the PFKey ACQUIRE message. IPSec/9000 sent out 0X0 as
       the subnet mask.
       Resolution: Fix made in pitcher() of the daemon.c file. The src/dst
       ID information given by the PFKey ACQUIRE message is properly
       copied to the qm_id_src and qm_id_dst of the SA structure.

    4. The A.01.04 product limits the length of Distinguished Names used
       for certificate IDs to 128 bytes.
       Resolution: Code changes in both the IKE and policy daemons and
       their interface on the OAKLEY rule, to expand the identity
       structure so that it can hold Distinguished Names that are 256
       bytes long.

    5. If for any reason IPSec/9000 failed to register with the Entrust
       PKI during initialization, the system will not be able to use an
       Entrust certificate for authentication. (Note that preshared key
       authentication would still be available.) The problem would
       continue until the administrator restarted IPSec/9000.
       Resolution: Modify ikmpd to retry Entrust registration when there
       are no relevant activities to handle for a defined period of time.
       The IPSec admin should ensure that the PKI is accessible to the
       end system that needs it. Note that if ikmpd is continuously busy,
       the retry could be delayed indefinitely.

    6. IPSec/9000 set up the internal preshared key or certificate
       structures when the IPSec admin password was changed as well as at
       startup time.
       Resolution: Modify ikmpd so that it only sets up the internal
       preshared key or certificate structure during the startup of
       IPSec.
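Items 2 and 4 above share a root in how Distinguished Names are handled: freeing through a pointer that no longer marks the start of a malloc'ed buffer, and a fixed identity buffer whose 128-byte limit the patch raises to 256. The C program below is an added example written for this page, not HP's ikmpd source; the ike_identity structure, the ID_MAX_LEN constant (set to the patched 256 bytes) and the function names are assumptions. It copies each DN into a heap buffer, walks it with a separate cursor, frees only the base pointer, and rejects an identity that does not fit instead of truncating it or writing past the end.

```c
/* Added example, not HP's ikmpd source: ike_identity, ID_MAX_LEN and the
 * function names are assumptions made for this illustration. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ID_MAX_LEN 256            /* patched limit; the A.01.04 limit was 128 */

typedef struct {
    size_t len;
    char   data[ID_MAX_LEN + 1];  /* +1 for the terminating NUL */
} ike_identity;

/* Store a DN in the fixed-size identity: 1 if it fit, 0 if rejected.
 * The length is checked before anything is written. */
int identity_set(ike_identity *id, const char *dn)
{
    size_t n = strlen(dn);
    if (n > ID_MAX_LEN) { id->len = 0; id->data[0] = '\0'; return 0; }
    memcpy(id->data, dn, n + 1);
    id->len = n;
    return 1;
}

/* Does a DN of n bytes fit? Uses a constructed DN of n 'X' characters. */
int identity_accepts_length(size_t n)
{
    ike_identity id;
    char *dn = malloc(n + 1);
    int ok;
    if (dn == NULL) return -1;
    memset(dn, 'X', n);
    dn[n] = '\0';
    ok = identity_set(&id, dn);
    free(dn);                     /* dn is still the malloc() base pointer */
    return ok;
}

/* Next comma-separated RDN from *cursor, NUL-terminated in place with
 * surrounding spaces trimmed; NULL when the DN is used up. The result
 * points inside the caller's buffer and must never be passed to free():
 * freeing such an interior pointer is the pre-patch defect. */
static char *next_rdn(char **cursor)
{
    char *start = *cursor, *end;
    if (start == NULL || *start == '\0') return NULL;
    end = strchr(start, ',');
    if (end != NULL) { *end = '\0'; *cursor = end + 1; }
    else             { *cursor = start + strlen(start); }
    while (*start == ' ' || *start == '\t')
        start++;
    for (end = start + strlen(start); end > start && end[-1] == ' '; end--)
        end[-1] = '\0';
    return start;
}

/* Case-insensitive comparison of a single RDN such as "CN=host1". */
static int rdn_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static char *dup_string(const char *s)   /* malloc() copy that we own */
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* Compare two DNs RDN by RDN: 1 equal, 0 different, -1 out of memory. */
int dn_equal(const char *dn1, const char *dn2)
{
    char *base1 = dup_string(dn1), *base2 = dup_string(dn2); /* owned */
    char *cur1 = base1, *cur2 = base2;    /* cursors advance, never freed */
    int equal = 1;
    if (base1 == NULL || base2 == NULL) { free(base1); free(base2); return -1; }
    for (;;) {
        char *tok1 = next_rdn(&cur1), *tok2 = next_rdn(&cur2);
        if (tok1 == NULL && tok2 == NULL) break;
        if (tok1 == NULL || tok2 == NULL || !rdn_equal(tok1, tok2)) { equal = 0; break; }
    }
    free(base1);                  /* release through the base pointers only */
    free(base2);
    return equal;
}

int main(void)
{
    printf("equal: %d\n", dn_equal("CN=host1, O=Example", "cn=host1,o=example"));
    printf("257-byte DN accepted: %d\n", identity_accepts_length(257));
    return 0;
}
```

Compile with any C compiler (for example cc example.c); main shows a matching pair of DNs and the rejection of a 257-byte identity. The habit worth taking from it is keeping the owned pointer and the parsing cursor in different variables, so that free() can only ever receive the former, and checking a length against the structure's capacity before the copy rather than after.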
SR: 0000000000

Patch Files:
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.00_32,v=HP:
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.04_32,v=HP:
        /usr/conf/lib/libipsec.a
        /usr/conf/lib/libauth.a
        /usr/conf/lib/libencint.a
        /usr/conf/lib/libencdom.a
        /usr/conf/lib/libvvipsec.a
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.00_64,v=HP:
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.04_64,v=HP:
        /usr/conf/lib/libipsec.a
        /usr/conf/lib/libauth.a
        /usr/conf/lib/libencint.a
        /usr/conf/lib/libencdom.a
        /usr/conf/lib/libvvipsec.a
    IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP:
    IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.04_32/64,v=HP:
        /usr/sbin/ikmpd
        /usr/sbin/ipsec_admin
        /usr/sbin/ipsec_policy
        /usr/sbin/ipsec_report
        /usr/sbin/secauditd
        /usr/sbin/secpolicyd
    IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP:
    IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.04_32/64,v=HP:
        /usr/sbin/ipsec_mgr
        /var/adm/ipsec_gui/lib/IPSecManager.jar
        /var/adm/ipsec_gui/lib/libverisign.sl
    IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP:
    IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.04_32/64,v=HP:
        /usr/man/man1m.Z/ipsec_admin.1m
        /usr/man/man1m.Z/ipsec_report.1m
        /usr/man/man1m.Z/ipsec_policy.1m

what(1) Output:
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.00_32,v=HP:
    /usr/conf/lib/libipsec.a:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 12 2001 19:01:41 $
        NET: libipsec: Version: B.11.00
    /usr/conf/lib/libauth.a:
        None
    /usr/conf/lib/libencint.a:
        None
    /usr/conf/lib/libencdom.a:
        None
    /usr/conf/lib/libvvipsec.a:
        None
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.00_64,v=HP:
    /usr/conf/lib/libipsec.a:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 12 2001 19:02:32 $
        NET: libipsec: Version: B.11.00
    /usr/conf/lib/libauth.a:
        None
    /usr/conf/lib/libencint.a:
        None
    /usr/conf/lib/libencdom.a:
        None
    /usr/conf/lib/libvvipsec.a:
        None
    IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP:
    /usr/sbin/ikmpd:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 19 2001 16:27:49 $
    /usr/sbin/ipsec_admin:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 19 2001 16:26:48 $
    /usr/sbin/ipsec_policy:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 19 2001 16:27:07 $
    /usr/sbin/ipsec_report:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 19 2001 16:27:20 $
    /usr/sbin/secauditd:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 19 2001 16:29:08 $
    /usr/sbin/secpolicyd:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 19 2001 16:28:37 $
    IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP:
    /usr/sbin/ipsec_mgr:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 19 2001 16:30:10 $
    /var/adm/ipsec_gui/lib/IPSecManager.jar:
        None
    /var/adm/ipsec_gui/lib/libverisign.sl:
        $ IPSec/9000 Patch PHNE_25507/PHNE_25508 Revision A.
        01.04.01 Nov 19 2001 16:29:24 $
    IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP:
    /usr/man/man1m.Z/ipsec_admin.1m:
        None
    /usr/man/man1m.Z/ipsec_report.1m:
        None
    /usr/man/man1m.Z/ipsec_policy.1m:
        None

cksum(1) Output:
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.00_32,v=HP:
    2252510053 89816 /usr/conf/lib/libipsec.a
    2325099944 16600 /usr/conf/lib/libauth.a
    1225687978 20484 /usr/conf/lib/libencint.a
    3997547207 34036 /usr/conf/lib/libencdom.a
    330601385 1584 /usr/conf/lib/libvvipsec.a
    IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.00_64,v=HP:
    3564061713 173130 /usr/conf/lib/libipsec.a
    2174387393 20472 /usr/conf/lib/libauth.a
    3072054653 267032 /usr/conf/lib/libencint.a
    3982248025 303968 /usr/conf/lib/libencdom.a
    3792410091 2316 /usr/conf/lib/libvvipsec.a
    IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP:
    505381456 503808 /usr/sbin/ikmpd
    3977594157 114688 /usr/sbin/ipsec_admin
    2823769948 81920 /usr/sbin/ipsec_policy
    2258979882 94208 /usr/sbin/ipsec_report
    548603935 28672 /usr/sbin/secauditd
    3964254143 90112 /usr/sbin/secpolicyd
    IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP:
    780332767 294912 /usr/sbin/ipsec_mgr
    1473763218 312552 /var/adm/ipsec_gui/lib/IPSecManager.jar
    1728556525 176128 /var/adm/ipsec_gui/lib/libverisign.sl
    IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.00_32/64,v=HP:
    3110422404 4139 /usr/man/man1m.Z/ipsec_admin.1m
    3198535675 9921 /usr/man/man1m.Z/ipsec_report.1m
    259757475 3493 /usr/man/man1m.Z/ipsec_policy.1m

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes: None

Equivalent Patches:
    PHNE_25530:
        s700: 11.11
        s800: 11.11

Patch Package Size: 2640 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard SupportLine
    User Guide or your Hewlett-Packard support terms and conditions for
    precautions, scope of license, restrictions, and limitation of
    liability and warranties, before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHNE_25508

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHNE_25508.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHNE_25508. If you do not wish to retain a copy of
    the original software, include the patch_save_files option in the
    swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is installed, the
    patch cannot be deinstalled. Please be careful when using this
    feature.

    For future reference, the contents of the PHNE_25508.text file are
    available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHNE_25508.depot

    To put this patch on a magnetic tape and install from the tape
    drive, use the command:

        dd if=/tmp/PHNE_25508.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None