Patch-ID# 114435-05
Keywords: security hardware key storage ike ipv6
Synopsis: SunOS 5.9_x86: IKE Hardware - libike Patch
Date: Apr/28/2004

Install Requirements: Reconfigure immediately after patch is installed

Solaris Release: 9_x86

SunOS Release: 5.9_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 113451

Topic: SunOS 5.9_x86: IKE Hardware - libike Patch

Relevant Architectures: i386

BugId's fixed with this patch: 4666686 4667873 4671563 4673333 4673338 4687237 4704460 4731575 4739746 4742619 4745493 4745709 4752466 4762219 4804299 4823665 4832562 4840090 4842368 4890236 4919747 4919802 4927429 4930399 4941232

Changes incorporated in this version: 4762219 4941232

Patches accumulated and obsoleted by this patch: 115261-01

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/security/exec_attr
/usr/lib/abi/abi_libike.so.1
/usr/lib/inet/certdb
/usr/lib/inet/certlocal
/usr/lib/inet/certrldb
/usr/lib/inet/in.iked
/usr/lib/libike.so.1
/usr/sbin/ikeadm
/usr/sbin/ikecert

Problem Description:

4762219 ikeadm write preshared causes in.iked heartburn
4941232 Deleting P1 SAs by address should delete ALL matching P1 SAs

(from 114435-04)

4804299 Failed to change the default value of 28800 for Phase 2 SA's via p2_lifetime_sec
4919747 p2_lifetime default value is too high
4919802 Solaris IKE does not negotiate p2_lifetime_secs when creating an SA
4667873 in.iked door protocol handles some key lengths badly
4840090 Why is add_new_sa() called before a phase1_t is linked to a Phase 1 pm_info?
4890236 in.iked botches PF_KEY identity extensions
4927429 Some deleted Phase Is linger slightly too long.

(from 114435-03)

4930399 ASN.1 patches from SSH, Inc.

(from 114435-02)

This patch revision was generated to accumulate and obsolete the changes
introduced in Solaris Update s9u5 feature point patch 115261-01.

(from 114435-01)

4673333 IKE should support hardware assist for certs and Oakley groups
4666686 Patch libike with 4/8/2002 SSH patches
4687237 ssh_fatal() calls abort()
4704460 ikeadm: strcpy() should be replaced by strlcpy()
4739746 single-buffer memory leak in start_ike_servers()
4745493 More patches from SSH Inc.
4745709 SSH IKE code leaks hostent structures

(from 115261-01)

4671563 RFE: ikecert -lv should list algorithm signature
4673338 IKE should support HW storage of private keys and certificates
4731575 IKE should work with IPv6
4742619 HW-IKE should be more robust when choosing pkcs11 slots
4752466 Race in in.iked causes coredump in add_new_sa().
4823665 in.iked becomes confused about sender and receiver
4832562 *certdb* malformed cert causes core dump in p
4842368 Memory leak for rsa_encryption initiator

Patch Installation Instructions:
--------------------------------

For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.

For Solaris 7-9 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

    example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

    example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------

NOTE 1: To get the complete Hardware Acceleration for IKE feature,
        please install patch:

        114436-01 (or newer) config.sample

NOTE 2: To get the complete Hardware Key Storage for IKE and IKE for
        IPv6 feature, please install the following patches:

        114337-08 (or newer) kernel/drv/tcp kernel/drv/ip patch
        114978-01 (or newer) kernel/drv/ipsecah Patch

README -- Last modified date: Wednesday, April 28, 2004