Patch Name: PHNE_25530 Patch Description: s700_800 11.11 IPSec 168 bit 3DES cumulative patch Creation Date: 01/12/06 Post Date: 01/12/18 Hardware Platforms - OS Releases: s700: 11.11 s800: 11.11 Products: IPSEC A.01.04 Filesets: IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.11_32,v=HP IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.11_64,v=HP IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP Automatic Reboot?: Yes Status: General Release Critical: Yes PHNE_25530: HANG OTHER This patch fixes critical autoboot problem. Category Tags: defect_repair enhancement general_release critical halts_system Path Name: /hp-ux_patches/s700_800/11.X/PHNE_25530 Symptoms: PHNE_25530: 1. JAGad92116 The IKE daemon cannot negotiate SAs if IPSec is started at system boot time using the autoboot option. IPSec negotiations will fail and IPSec will not be able to encrypt or authenticate any packets. Network traffic that should be encrypted or authenticated will time out. ipsec_report -status will show that the IKE daemon is running, but netstat -an will not show any sockets listening on UDP port 500. 2. JAGad90857 The ipsec_admin deletesa option does not work for SAs established between IPv6 addresses. 3. JAGad90820 The IKE daemon may hang after processing a certificate ID that is a Distinguished Name. 4. JAGad92083 Receiver systems occasionally drop IPv6 packets sent by IPSec/9000 with bad checksums. An "Integrity Check Value failure" is logged by the receiver. 5. JAGad91605 IPSec (Quick Mode) SA negotiations fail for the following topology: IPSec/9000 initiator to a gateway (tunnel endpoint) to subnetwork destination. The IPSec policy passes traffic between the end nodes; the destination is a subnetwork. IPSec negotiations will fail and IPSec will not be able to encrypt or authenticate any packets. Network traffic that should be encrypted or authenticated will time out. 6. JAGad93252 IKE (or IPSec) Main Mode negotiations will fail when certificate-based authentication is used and the remote system sends an ID that is a Distinguished Name longer than 128 bytes. IPSec negotiations will fail and IPSec will not be able to encrypt or authenticate any packets. Network traffic that should be encrypted or authenticated will time out. 7. JAGad94481 All IPSec Main Mode SA negotiations using Entrust certificates for authentication will fail if IPSec/9000 is not able to connect to Entrust PKI during IPSec startup or autoboot time. IPSec negotiations will fail and IPSec will not be able to encrypt or authenticate any packets. Network traffic that should be encrypted or authenticated will time out. The error message indicating Entrust registration failure is "init_Entrust() failed -> preshared key only". 8. JAGad96331 When a user changes an IPSec admin password (with -newpasswd or -np option), IPSec/9000 tries to reset its internal structures for preshared keys or certificates, as at startup time. IPSec/9000 service may not be affected, but the entries in the audit file are confusing. Defect Description: PHNE_25530: 1. At system boot time, IPSec is started by ipsec_admin in S011ipsec script before any network interface is assigned with an IP address. In previous releases, the ikmpd daemon would bind an AF_INET socket with ANYADDR to listen to the ISAKMP (port 500) messages at startup time. In the AR1201 release, the ikmpd daemon needs to bind the AF_INET and/or AF_INET6 socket with an IP address. Resolution: secpolicyd adds a thread to watch for logical interface change and to notify ikmpd with interface information. The ikmpd daemon will then bind to the IP address. 2. After establishing an IPSec connection between two nodes using IPv6 addresses, an IPSec SA was established. This SA will be removed either when it expires or by an administrator. The administrator can issue the "ipsec_admin -deletesa " command to delete the cached SA. The ipsec_admin -deletsa operation did not remove all 128 bits of the IPv6 address, and no delete operation was completed. Resolution: Code changes in the ipsec_admin command to delete the full IPv6 address and to request that the kernel delete the SA. 3. The IKE daemon (ikmpd) improperly frees dynamically allocated memory, causing it to corrupt some of its internal data structures. This was caused by address calculation errors when processing Distinguished Names in certificates. Resolution: Code changes in the IPSec IKE daemon in processing the Distinguished Name comparison. Free the buffer only after verifying that the pointer actually points to the start of a malloc'ed buffer. 4. Checksum error occurs on any IPv6 outbound UDP, TCP, or ICMP packet that is reinjected downstream after having been queued for an IPsec policy. Resolution: Code changes in IPSec kernel and ARPA transport kernel for IPv6 checksum calculation. 5. The Quick Mode src/dst id information was set incorrectly when IKE processed the PFKey ACQUIRE message. IPSec/9000 sent out 0X0 as the subnet mask. Resolution: Fix made in pitcher() of daemon.c file. The src/dst id information given by PFKey ACQUIRE message is properly copied to the qm_id_src and qm_id_dst of the SA structure. 6. The A.01.04 product limits the length of Disguished Names used for certificate IDs to 128 bytes. Resolution: Code changes in both IKE and policy daemon and their interface on the OAKLEY rule, to expand the identity structure to be able to hold Distinguished Names that are 256 bytes long. 7. If for any reasons IPSec/9000 failed to register with the Entrust PKI during initialization, the system will not be able to use an Entrust certificate for authentication. (Note that preshared key authentication would still be available.) The problem would continue until the administrator restarted IPSec/9000. Resolution: Modify ikmpd to retry Entrust registration when there are no relevant activities it must handle for a defined period of time. The IPSec admin should ensure that the PKI is accessible to the end system that needs it. Note that if ikmpd is continuously busy, the retry could be delayed indefinitely. 8. IPSec/9000 sets up the internal preshared key or certificate structures when the IPSec admin password is changed as well as at startup time. Resolution: Modify ikmpd so that it only sets up the internal preshared key or certificate structure during the startup of IPSec. SR: 0000000000 Patch Files: IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.11_32,v=HP: /usr/conf/lib/libipsec.a /usr/conf/lib/libauth.a /usr/conf/lib/libencdom.a /usr/conf/lib/libencint.a /usr/conf/lib/libvvipsec.a IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.11_64,v=HP: /usr/conf/lib/libipsec.a /usr/conf/lib/libauth.a /usr/conf/lib/libencdom.a /usr/conf/lib/libencint.a /usr/conf/lib/libvvipsec.a /usr/conf/lib/libencdom-pdk.a /usr/conf/lib/libencint-pdk.a IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP: /usr/sbin/ikmpd /usr/sbin/ikmpdv6 /usr/sbin/ipsec_admin /usr/sbin/ipsec_policy /usr/sbin/ipsec_report /usr/sbin/secauditd /usr/sbin/secpolicyd IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP: /usr/sbin/ipsec_mgr /var/adm/ipsec_gui/lib/IPSecManager.jar /var/adm/ipsec_gui/lib/libverisign.sl IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP: /usr/man/man1m.Z/ipsec_admin.1m /usr/man/man1m.Z/ipsec_report.1m /usr/man/man1m.Z/ipsec_policy.1m what(1) Output: IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.11_32,v=HP: /usr/conf/lib/libipsec.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:46:02 $ NET: libipsec: Version: B.11.11 $Revision: libipsec.a: CUP_IPSEC_A.01.04.01 Mon N ov 12 13:46:18 PST 2001 $ /usr/conf/lib/libauth.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:46:47 $ NET: libauth: Version: B.11.11 $Revision: libauth.a: CUP_IPSEC_A.01.04.01 Mon No v 12 13:46:59 PST 2001 $ /usr/conf/lib/libencdom.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:46:27 $ NET: libencdom: Version: B.11.11 $Revision: libencdom.a: CUP_IPSEC_A.01.04.01 Mon Nov 12 13:46:44 PST 2001 $ /usr/conf/lib/libencint.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:46:22 $ NET: libencint: Version: B.11.11 $Revision: libencint.a: CUP_IPSEC_A.01.04.01 Mon Nov 12 13:46:24 PST 2001 $ /usr/conf/lib/libvvipsec.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:45:38 $ NET: libvvipsec: Version: B.11.11 $Revision: libvvipsec.a: CUP_IPSEC_A.01.04.01 Mon Nov 12 13:45:58 PST 2001 $ IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.11_64,v=HP: /usr/conf/lib/libipsec.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:46:02 $ NET: libipsec: Version: B.11.11 $Revision: libipsec.a: CUP_IPSEC_A.01.04.01 Mon N ov 12 13:46:18 PST 2001 $ /usr/conf/lib/libauth.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:46:47 $ NET: libauth: Version: B.11.11 $Revision: libauth.a: CUP_IPSEC_A.01.04.01 Mon No v 12 13:46:59 PST 2001 $ /usr/conf/lib/libencdom.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:46:26 $ NET: libencdom: Version: B.11.11 $Revision: libencdom.a: CUP_IPSEC_A.01.04.01 Mon Nov 12 13:46:44 PST 2001 $ /usr/conf/lib/libencint.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:46:22 $ NET: libencint: Version: B.11.11 $Revision: libencint.a: CUP_IPSEC_A.01.04.01 Mon Nov 12 13:46:24 PST 2001 $ /usr/conf/lib/libvvipsec.a: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 12 2001 13:45:39 $ NET: libvvipsec: Version: B.11.11 $Revision: libvvipsec.a: CUP_IPSEC_A.01.04.01 Mon Nov 12 13:45:58 PST 2001 $ /usr/conf/lib/libencdom-pdk.a: $Revision: libencdom-pdk.a: CUP_IPSEC_A.01.04.01 Sat Nov 3 19:31:26 PST 2001 $ /usr/conf/lib/libencint-pdk.a: $Revision: libencint-pdk.a: CUP_IPSEC_A.01.04.01 Sat Nov 3 19:31:23 PST 2001 $ IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP: /usr/sbin/ikmpd: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 19 2001 10:48:44 $ /usr/sbin/ikmpdv6: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 19 2001 10:44:10 $ /usr/sbin/ipsec_admin: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 13 2001 15:38:25 $ /usr/sbin/ipsec_policy: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 13 2001 15:38:44 $ /usr/sbin/ipsec_report: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 13 2001 15:38:55 $ /usr/sbin/secauditd: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 13 2001 15:40:57 $ /usr/sbin/secpolicyd: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 13 2001 15:40:35 $ IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP: /usr/sbin/ipsec_mgr: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 19 2001 10:51:36 $ /var/adm/ipsec_gui/lib/IPSecManager.jar: None /var/adm/ipsec_gui/lib/libverisign.sl: $ IPSec/9000 Patch PHNE_25529/PHNE_25530 Revision A. 01.04.01 Nov 19 2001 10:50:57 $ IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP: /usr/man/man1m.Z/ipsec_admin.1m: None /usr/man/man1m.Z/ipsec_report.1m: None /usr/man/man1m.Z/ipsec_policy.1m: None cksum(1) Output: IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.11_32,v=HP: 1259947730 154602 /usr/conf/lib/libipsec.a 1163275984 23244 /usr/conf/lib/libauth.a 2412754513 41782 /usr/conf/lib/libencdom.a 4040621574 28122 /usr/conf/lib/libencint.a 3972829428 7320 /usr/conf/lib/libvvipsec.a IPSec.IPSEC2-KRN,fr=A.01.04,fa=HP-UX_B.11.11_64,v=HP: 317453723 267470 /usr/conf/lib/libipsec.a 3303501689 25966 /usr/conf/lib/libauth.a 264605513 31652 /usr/conf/lib/libencdom.a 74120162 28172 /usr/conf/lib/libencint.a 1463877433 5428 /usr/conf/lib/libvvipsec.a 2890185323 285186 /usr/conf/lib/libencdom-pdk.a 753420524 251286 /usr/conf/lib/libencint-pdk.a IPSec.IPSEC2-RUN,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP: 1393116625 524288 /usr/sbin/ikmpd 548995892 536576 /usr/sbin/ikmpdv6 3133726353 118784 /usr/sbin/ipsec_admin 2218272498 86016 /usr/sbin/ipsec_policy 381596140 98304 /usr/sbin/ipsec_report 74922089 20480 /usr/sbin/secauditd 4156332243 98304 /usr/sbin/secpolicyd IPSec.IPSEC2-GUI,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP: 842502732 294912 /usr/sbin/ipsec_mgr 1473763218 312552 /var/adm/ipsec_gui/lib/IPSecManager.jar 522930791 176128 /var/adm/ipsec_gui/lib/libverisign.sl IPSec.IPSEC-MAN,fr=A.01.04,fa=HP-UX_B.11.11_32/64,v=HP: 3110422404 4139 /usr/man/man1m.Z/ipsec_admin.1m 3198535675 9921 /usr/man/man1m.Z/ipsec_report.1m 259757475 3493 /usr/man/man1m.Z/ipsec_policy.1m Patch Conflicts: None Patch Dependencies: s700: 11.11: PHNE_25642 s800: 11.11: PHNE_25642 Hardware Dependencies: None Other Dependencies: None Supersedes: None Equivalent Patches: PHNE_25508: s700: 11.00 s800: 11.00 Patch Package Size: 3420 KBytes Installation Instructions: Please review all instructions and the Hewlett-Packard SupportLine User Guide or your Hewlett-Packard support terms and conditions for precautions, scope of license, restrictions, and, limitation of liability and warranties, before installing this patch. ------------------------------------------------------------ 1. Back up your system before installing a patch. 2. Login as root. 3. Copy the patch to the /tmp directory. 4. Move to the /tmp directory and unshar the patch: cd /tmp sh PHNE_25530 5. Run swinstall to install the patch: swinstall -x autoreboot=true -x patch_match_target=true \ -s /tmp/PHNE_25530.depot By default swinstall will archive the original software in /var/adm/sw/save/PHNE_25530. If you do not wish to retain a copy of the original software, include the patch_save_files option in the swinstall command above: -x patch_save_files=false WARNING: If patch_save_files is false when a patch is installed, the patch cannot be deinstalled. Please be careful when using this feature. For future reference, the contents of the PHNE_25530.text file is available in the product readme: swlist -l product -a readme -d @ /tmp/PHNE_25530.depot To put this patch on a magnetic tape and install from the tape drive, use the command: dd if=/tmp/PHNE_25530.depot of=/dev/rmt/0m bs=2k Special Installation Instructions: None