OpenSolaris

FLAG DAY: 4797442 & friends cause expose ipsecalgs(1m) problems

Date: Mon, 28 Nov 2005 23:27:05 -0500
From: Dan McDonald <danmcd at sun dot com>
To: onnv-gate-notify at onnv dot eng dot sun dot com, on-all at eng dot sun dot com,
Subject: FLAG DAY: 4797442 & friends cause expose ipsecalgs(1m) problems

ONNV folks:  This is a standard flag-day announcement.  Read on if you're
             an IPsec user.

Punchin folks:	There is an interoperability exposure if you're using a stock
		(no-strong-crypto) on10 or pre-putback Nevada machine with a
		peer that has this IKE putback.


The putback for these bugs in particular:

4797442 Enable AES encryption for the IKE exchange
5080843 IKE rule processing inconsistent
6332338 Send more than one proposal for variable-sized IPsec ciphers in QM.

will cause a post-putback machine to propose 256-bit AES if it's available.

This bug:

6343251 default /etc/inet/ipsecalgs file thinks 256-bit AES & 448-bit
	Blowfish is available

may cause a responder without a properly synchronized ipsecalgs(1m) setup to
think it has 256-bit AES, when in fact it doesn't.

The punchin servers are immune from this problem - they definitely have
256-bit AES.  Punchin clients, however, may not be.  ITops punchin clients
will not have this problem until ITops punchin servers advance to S10 update
2 or later.  OPG punchin clients already have this problem if they use .east,
and will with .sfbay soon.

Basically, if you're running between S10 FCS up to Nevada before this
putback, you may be in danger of having an IKE daemon die if it is proposed
to have 256-bit AES or 448-bit Blowfish.

I've attached a shell script (that you need to run as root) that fixes the
problem - and fixes it again if you happen to install strong crypto from a
SUNWcryr package that does not have this fix:

6343253 SUNWcryr install script needs to update /etc/inet/ipsecalgs

in place.

As usual, BFU does the right thing.

Sorry for the convolutions.

Dan



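#!/bin/sh
# Run as root.  Re-registers the AES and Blowfish ESP entries in
# /etc/inet/ipsecalgs to match the crypto strength the kernel reports.

# Kernel AES provider line(s) as reported by cryptoadm.
aes=`cryptoadm list | grep aes`

# Pick the Blowfish mechanism name that this system's kcf.conf uses.
if /usr/xpg4/bin/grep -q _BLOWFISH_ /etc/crypto/kcf.conf; then
        bfprov=CKM_BLOWFISH_CBC
else
        bfprov=CKM_BF_CBC
fi

# "echo $aes" trims surrounding whitespace; the quotes keep test from
# erroring out when grep matched nothing or more than one line.
# In the ipsecalgs calls: -P 3 is ESP, -N 12 is AES-CBC, -N 7 is
# Blowfish-CBC, and -f forces replacement of an existing entry.
if [ "`echo $aes`" = "aes256" ]; then
    echo "Looks like you have full-strength crypto."
    ipsecalgs -a -P 3 -k 128-256 -i 64 -K 128 -b 16 -n aes-cbc,aes -N 12 -m CKM_AES_CBC -f
    ipsecalgs -a -P 3 -k 32-448 -i 8 -K 128 -b 8 -n blowfish-cbc,blowfish -N 7 -m $bfprov -f
else
    echo "Looks like you have 128-bit only crypto."
    ipsecalgs -a -P 3 -k 128 -b 16 -n aes-cbc,aes -N 12 -m CKM_AES_CBC -f
    ipsecalgs -a -P 3 -k 32-128 -i 8 -K 128 -b 8 -n blowfish-cbc,blowfish -N 7 -m $bfprov -f
fi

# Push the updated /etc/inet/ipsecalgs contents into the running kernel.
echo "Syncing up the kernel."
ipsecalgs -s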