Patch-ID# 114435-07
Keywords: security hardware key storage ike ipv6
Synopsis: SunOS 5.9_x86: IKE Hardware - libike Patch
Date: Sep/29/2004

Install Requirements: Reconfigure immediately after patch is installed

Solaris Release: 9_x86

SunOS Release: 5.9_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 113451

Topic: SunOS 5.9_x86: IKE Hardware - libike Patch

Relevant Architectures: i386

BugId's fixed with this patch: 4666686 4667873 4671563 4673333 4673338 4687237 4704460 4731575 4739746 4742619 4745493 4745709 4752466 4762219 4804299 4823665 4832562 4840090 4842368 4890236 4919747 4919802 4927429 4930399 4941232 4974853 4976759 4977335 4982429 5016628

Changes incorporated in this version: 4974853 4976759 4977335 5016628

Patches accumulated and obsoleted by this patch: 115261-01

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/etc/security/exec_attr
/usr/lib/abi/abi_libike.so.1
/usr/lib/inet/certdb
/usr/lib/inet/certlocal
/usr/lib/inet/certrldb
/usr/lib/inet/in.iked
/usr/lib/libike.so.1
/usr/sbin/ikeadm
/usr/sbin/ikecert

Problem Description:

5016628 ikecert certrldb -e "certspec" does not work
4976759 Callers of ssh_x509_crl_decode() should check for SSH_X509_OK/FAILURE
4977335 ssh_x509_crl_decode() can fail but return SSH_X509_OK
4974853 certrldb will dump core if pem_to_ber() returns NULL

(from 114435-06)

4982429 patch 113451-06 adds certlocal entry to exec_attr redundantly

(from 114435-05)

4762219 ikeadm write preshared causes in.iked heartburn
4941232 Deleting P1 SAs by address should delete ALL matching P1 SAs

(from 114435-04)

4804299 Failed to change the default value of 28800 for Phase 2 SA's via p2_lifetime_sec
4919747 p2_lifetime default value is too high
4919802 Solaris IKE does not negotiate p2_lifetime_secs when creating an SA
4667873 in.iked door protocol handles some key lengths badly
4840090 Why is add_new_sa() called before a phase1_t is linked to a Phase 1 pm_info?
4890236 in.iked botches PF_KEY identity extensions
4927429 Some deleted Phase Is linger slightly too long.

(from 114435-03)

4930399 ASN.1 patches from SSH, Inc.

(from 114435-02)

This patch revision was generated to accumulate and obsolete the
changes introduced in Solaris Update s9u5 feature point patch 115261-01.

(from 114435-01)

4673333 IKE should support hardware assist for certs and Oakley groups
4666686 Patch libike with 4/8/2002 SSH patches
4687237 ssh_fatal() calls abort()
4704460 ikeadm: strcpy() should be replaced by strlcpy()
4739746 single-buffer memory leak in start_ike_servers()
4745493 More patches from SSH Inc.
4745709 SSH IKE code leaks hostent structures

(from 115261-01)

4671563 RFE: ikecert -lv should list algorithm signature
4673338 IKE should support HW storage of private keys and certificates
4731575 IKE should work with IPv6
4742619 HW-IKE should be more robust when choosing pkcs11 slots
4752466 Race in in.iked causes coredump in add_new_sa().
4823665 in.iked becomes confused about sender and receiver
4832562 *certdb* malformed cert causes core dump in p
4842368 Memory leak for rsa_encryption initiator

Patch Installation Instructions:
--------------------------------

For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.

For Solaris 7-9 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.

The following example installs a patch to a standalone machine:

    example# patchadd /var/spool/patch/104945-02

The following example removes a patch from a standalone system:

    example# patchrm 104945-02

For additional examples please see the appropriate man pages.

Special Install Instructions:
-----------------------------

NOTE 1: To get the complete Hardware Acceleration for IKE feature,
        please install patch:

        114436-01 (or newer) config.sample

NOTE 2: To get the complete Hardware Key Storage for IKE and Ike for
        IPV6 feature, please install the following patches:

        114337-08 (or newer) kernel/drv/tcp kernel/drv/ip
        patch 114978-01 (or newer) kernel/drv/ipsecah

Patch README -- Last modified date: Wednesday, September 29, 2004