#!/bin/sh # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # while read src dest do if [ ! -f $dest ] ; then # # new install or upgrade from much older OS revision # just copy in the new base ipsecalgs file # cp $src $dest else # # upgrade from a previous version of the ipsecalgs file # There might be third party algorithms in this file and # changes that need to be preserved, so we just substitute # in the protocols and algorithms that we know we need to # either update or revert from past mistakes. # # # We construct the sed command like this to avoid # lines greater than 80 characters # sedcmd="-e 's/CKM_BF_CBC/CKM_BLOWFISH_CBC/'" sedcmd="${sedcmd} -e 's/CKM_BLOWFISH_CBC|128\/32-128,8/" sedcmd="${sedcmd}CKM_BLOWFISH_CBC|128\/32-448,8/'" sedcmd="${sedcmd} -e 's/CKM_BLOWFISH_CBC|128\/32-448,8/" sedcmd="${sedcmd}CKM_BLOWFISH_CBC|128/'" sedcmd="${sedcmd} -e 's/AES_CBC|128|/AES_CBC|128\/128-256,64|/'" eval sed $sedcmd $dest > $dest.$$ # # Add in SHA-2 support if not already there # nawk -F\| '\ BEGIN {sha256 = 0; sha384 = 0; sha512 = 0; ccm8 = 0; ccm12 = 0; ccm16 = 0; gcm8 = 0; gcm12 = 0; gcm16 = 0; default = 1} function add_sha(flag, doi, shasize) { if (flag) return flag; printf("ALG|2|%d|", doi); printf("hmac-sha%d,", shasize) printf("sha%d,", shasize) printf("sha-%d,", shasize) printf("hmac-sha-%d|", shasize) printf("CKM_SHA%d_HMAC_GENERAL|", shasize) printf("%d|%d\n", shasize, shasize / 16); return 1; } function add_combined(doi, block, ivlen, mac, salt, flgs, mechanism, default, label ) { printf("ALG|3|%d|", doi) if (default) printf("%s,", label) printf("%s%d|%s|", label, mac, mechanism) printf("128/128-256,64|%d|", block) printf("%d,%d,%d|%d\n", ivlen, mac, salt, flgs) } function add_aes_ccm(flag, doi, block, ivlen, mac, salt, flgs, default) { if (flag) return; mechanism = "CKM_AES_CCM" label = "aes-ccm" add_combined(doi, block, ivlen, mac, salt, flgs, mechanism, default, label) } function add_aes_gcm(flag, doi, block, ivlen, mac, salt, flgs, default) { if (flag) return; mechanism = "CKM_AES_GCM" label = "aes-gcm" add_combined(doi, block, ivlen, mac, salt, flgs, mechanism, default, label) } /^#/ || /^$/ || /^PROTO/ {print; next}; { if ($2 == 2) { if ($3 == 5) { if (sha256) { next; } sha256 = 1; } if ($3 == 6) { if (sha384) next; sha384 = 1; } if ($3 == 7) { if (sha512) next; sha512 = 1; } print; next; } if ($2 == 3) { if($3 == 0) { # Time to add in missing Auth algs # before the Encr algs. sha256 = add_sha(sha256, 5, 256); sha384 = add_sha(sha384 ,6, 384); sha512 = add_sha(sha512, 7, 512); print; } else { if ($3 == 14) ccm8 = 1; if ($3 == 15) ccm12 = 1; if ($3 == 16) ccm16 = 1; if ($3 == 18) gcm8 = 1; if ($3 == 19) gcm12 = 1; if ($3 == 20) gcm16 = 1; print; } } } # Add in ccm/gcm if missing. END { add_aes_ccm(ccm8, 14, 16, 8, 8, 3, 15, 0) add_aes_ccm(ccm12, 15, 16, 8, 12, 3, 15, 0) add_aes_ccm(ccm16, 16, 16, 8, 16, 3, 15, default) add_aes_gcm(gcm8, 18, 16, 8, 8, 4, 23, 0) add_aes_gcm(gcm12, 19, 16, 8, 12, 4, 23, 0) add_aes_gcm(gcm16, 20, 16, 8, 16, 4, 23, default) }' $dest.$$ > $dest.2.$$ mv $dest.2.$$ $dest rm $dest.$$ # Set correct permissions chmod 0644 $dest fi done exit 0