#!/bin/sh
#------------------------------------------------------------------
#
# nssfipspost - Run NSS HW POST if in FIPS mode
#
# Oct 2016 Scott Boswell
#
# Copyright (c) 2016 by cisco Systems, Inc.
# All rights reserved.
#------------------------------------------------------------------
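# Reboot-reason codes; BOOT_REASON_NSS_HW_POST_RESET is used on POST failure.
# Loaded with the POSIX '.' rather than the bash-only 'source' because this
# script runs under /bin/sh, and guarded the same way as the helper files
# below so a missing file is not a hard error at this point.
if [ -f /etc/reboot_reason.sh ]; then
    . /etc/reboot_reason.sh
fi

# Platform / module helper functions (is_fips_enabled is expected from here).
if [ -f /usr/bin/platformfunc.sh ]; then
    . /usr/bin/platformfunc.sh
fi
if [ -f /usr/bin/modulefunc.sh ]; then
    . /usr/bin/modulefunc.sh
fi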

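config_nss_capwap() {
    # Enable the CAPWAP data path, load POST key file 1 into the NSS DTLS
    # engine and program dpapi port 2 as a CAPWAP port with fixed test
    # MACs/IPs/ports (the port_cw_*_set writes below).
    # Arguments: $1 - wired0 EMAC port number (written to port_cw_port_set)
    # Returns:   1 if the dpapi port sysfs directory cannot be entered,
    #            0 otherwise
    # Note: the cd below persists in the calling shell after return.
    echo 1 > /click/enable_capwap/run
    echo 1 > /click/chkcapwapvpnencap/chkcapwap/capwap_run
    cat /etc/mvl_nss_post_key_1.txt > /sys/devices/platform/dpapi/dtls/dtls_set

    # Every port_* write below uses a relative path: if the sysfs tree is
    # missing, stop here instead of creating stray files in the current dir.
    cd /sys/devices/platform/dpapi/port/ || return 1
    echo 2 3 > port_type_set
    echo 2 "$1" > port_cw_port_set
    echo 2 34 > port_id_set
    echo 2 0 > port_cw_proto_set
    echo 2 250 > port_cw_ttl_set
    echo 2 1 > port_cw_csum_set
    echo 2 0 > port_cw_flow_lbl_set
    echo 2 0x0C > port_cw_options_set
    echo 2 1 > port_state_set
    echo 2 0 > port_cw_uc_qos_set
    echo 2 0 > port_cw_mc_qos_set
    echo 2 0 > port_cw_vlan_id_set
    echo 2 0 > port_cw_l4_rx_bits_set
    echo 2 0 > port_cw_l4_tx_bits_set
    echo 2 0x0C > port_cw_l4_prt_hash_set
    echo 2 00:00:00:00:00:02 > port_cw_remote_mac_set
    echo 2 00:00:00:00:00:01 > port_cw_local_mac_set
    echo 2 4 10.0.0.5 > port_cw_remote_ip_set
    echo 2 4 10.0.0.15 > port_cw_local_ip_set
    echo 2 00:00:00:00:00:03 > port_cw_bssid_set
    echo 2 5247 > port_cw_remote_port_set
    echo 2 50000 > port_cw_local_port_set
    echo 2 1485 > port_cw_pmtu_set
    # Only stderr is discarded here. The earlier form
    # '> port_cw_dtls_index_set > /dev/null 2>&1' redirected stdout twice,
    # so the value went to /dev/null and the attribute was never written.
    echo 2 0 > port_cw_dtls_index_set 2>/dev/null
    echo 2 > port_commit

    # Hand the CAPWAP path to NSS and take the bypass elements out of the way.
    echo 1 > /click/nss_ker_drv/nss_capwap_state
    echo 0 > /click/chkcapwapvpnencap/bypass_nss_capwap/active
    echo 0 > /click/chkcapwapvpnencap/bypass_mvl_nss_keepalive/active
    echo 0 > /click/chkcapwapvpnencap/bypass_mvl_nss_mgmt/active
    echo 0 > /click/bypass_mvl_nss_encap_wired0/active
    # Settle time after the commit; the exact requirement is not documented.
    sleep 1
}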

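config_nss_temp_client() {
    # Allocate dpapi client 0 and bind it to the test MAC 00:00:00:00:00:01
    # on radio 3 / VLAN 0 with bridge, tunnel and policy set, then commit.
    # Returns: 1 if the dpapi client sysfs directory cannot be entered,
    #          0 otherwise
    # Note: the cd below persists in the calling shell after return.

    # All client_* writes are relative paths; do not continue if the
    # directory is absent, or the writes would land in the current dir.
    cd /sys/devices/platform/dpapi/client/ || return 1
    echo 1 > client_alloc
    echo 0 3 > client_radio_set
    echo 0 0 > client_vlan_set
    # The sleeps between steps are settle time; the exact requirement is
    # not documented here.
    sleep 1
    echo 0 00:00:00:00:00:01 > client_mac_set
    sleep 1
    echo 0 1 > client_bridge_set
    echo 0 1 > client_my_mac_set
    echo 0 2 > client_bssid_set
    echo 0 1 > client_tunnel_set
    echo 0 3 > client_policy_set
    echo 0 > client_commit
    sleep 1
}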

config_nss_aes256_sha1() {
    # Load POST key file 2 into the NSS DTLS engine and re-commit dpapi
    # port 2 so the new key material takes effect; the sleep is settle time.
    cat /etc/mvl_nss_post_key_2.txt > /sys/devices/platform/dpapi/dtls/dtls_set
    printf '%s\n' 2 > /sys/devices/platform/dpapi/port/port_commit
    sleep 1
}

config_nss_aes256_sha256() {
    # Load POST key file 3 into the NSS DTLS engine and re-commit dpapi
    # port 2 so the new key material takes effect; the sleep is settle time.
    cat /etc/mvl_nss_post_key_3.txt > /sys/devices/platform/dpapi/dtls/dtls_set
    printf '%s\n' 2 > /sys/devices/platform/dpapi/port/port_commit
    sleep 1
}

unconfig_nss_capwap() {
    # Tear down what config_nss_capwap / config_nss_temp_client set up:
    # delete the test client and port, clear port 2, then restore the
    # click bypass elements so traffic no longer goes through NSS CAPWAP.
    # Order mirrors the setup in reverse; keep it.
    printf '%s\n' 00:00:00:00:00:01 > /sys/devices/platform/dpapi/client/client_delete
    printf '%s\n' 34 > /sys/devices/platform/dpapi/port/port_delete
    printf '%s\n' 2 > /sys/devices/platform/dpapi/port/port_clear
    printf '%s\n' 0 > /click/nss_ker_drv/nss_capwap_state
    printf '%s\n' 0 > /click/enable_capwap/run
    printf '%s\n' 0 > /click/chkcapwapvpnencap/chkcapwap/capwap_run
    printf '%s\n' 1 > /click/chkcapwapvpnencap/bypass_nss_capwap/active
    printf '%s\n' 1 > /click/chkcapwapvpnencap/bypass_mvl_nss_keepalive/active
    printf '%s\n' 1 > /click/chkcapwapvpnencap/bypass_mvl_nss_mgmt/active
    printf '%s\n' 1 > /click/bypass_mvl_nss_encap_wired0/active
}

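enable_emac_loopback() {
    # Put the given EMAC port into loopback (writes "<port> 1").
    # Arguments: $1 - EMAC port number; quoted so it is passed as one word
    echo "$1" 1 > /sys/devices/platform/pp3/emac/loopback
}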

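disable_emac_loopback() {
    # Take the given EMAC port out of loopback (writes "<port> 0").
    # Arguments: $1 - EMAC port number; quoted so it is passed as one word
    echo "$1" 0 > /sys/devices/platform/pp3/emac/loopback
}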

enable_nss_post_loopback() {
    # Deactivate the mvl_test_bypass click element (0 = bypass off), which
    # routes the POST traffic through the NSS test path.
    printf '%s\n' 0 > /click/mvl_test_bypass/active
}

disable_nss_post_loopback() {
    # Reactivate the mvl_test_bypass click element (1 = bypass on), taking
    # the NSS test path back out of the traffic flow.
    printf '%s\n' 1 > /click/mvl_test_bypass/active
}

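nss_post_cleanup() {
    # Signal POST completion to the pp3 cmac driver and the mvl_post click
    # element, then undo the loopbacks and the CAPWAP test configuration.
    # Arguments: $1 - EMAC port number that was put into loopback
    echo 1 > /sys/devices/platform/pp3/cmac/post_complete
    echo 1 > /click/mvl_post/end_post
    sleep 1
    disable_nss_post_loopback
    disable_emac_loopback "$1"
    unconfig_nss_capwap
}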

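nss_post_fail_reboot() {
    # A POST vector failed: the unit must not keep running in FIPS mode,
    # so reboot with the NSS HW POST reset reason from /etc/reboot_reason.sh.
    # The trailing sleep keeps the caller from proceeding while the reboot
    # is pending.
    echo "Rebooting now!"
    if [ -n "$BOOT_REASON_NSS_HW_POST_RESET" ]; then
        reboot -r "$BOOT_REASON_NSS_HW_POST_RESET"
    else
        # Reason code not available (reboot_reason.sh not loaded); still
        # reboot, as the unquoted form did, but say why the reason is absent.
        echo "BOOT_REASON_NSS_HW_POST_RESET is unset; rebooting without a reason" >&2
        reboot -r
    fi
    sleep 5
}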

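# Run one NSS POST vector and reboot the unit if it does not pass.
# Arguments: $1 - label used in the log messages (e.g. AES128-CBC_SHA1)
#            $2 - /click/mvl_post trigger attribute (written with 1)
#            $3 - /click/mvl_post result attribute (must read "true")
# Outputs:   pass/fail line on stdout
run_nss_post() {
    echo 1 > "$2"
    # Settle time before the result is sampled; not documented further.
    sleep 1
    # A missing or unreadable result file yields an empty string, which is
    # treated as a failure (fail closed).
    post_passed=$(cat "$3")
    if [ "$post_passed" != "true" ]; then
        echo "NSS $1 POST Failed!"
        nss_post_fail_reboot
    else
        echo "NSS $1 POST Passed."
    fi
}

# Entry point: run the NSS hardware POST only when FIPS mode is enabled;
# otherwise just mark POST complete so boot can continue.
# is_fips_enabled comes from the helper files loaded above and this script
# treats exit status 1 as "FIPS enabled".
# NOTE(review): any other status, including 127 when the helper is not
# defined, takes the non-FIPS branch and marks POST complete without running
# it; confirm that fail-open behaviour is intended.
is_fips_enabled
if [ "$?" -eq 1 ]; then

    #echo 1 > /click/mvl_post/debug

    # NOTE(review): if this file is missing, emac_port is empty and the
    # port/loopback writes below get a bare argument; confirm handling.
    emac_port=$(cat /var/platform/wired0_port)

    config_nss_capwap "$emac_port"
    config_nss_temp_client
    enable_emac_loopback "$emac_port"
    enable_nss_post_loopback

    # Key file 1 is already loaded by config_nss_capwap.
    run_nss_post "AES128-CBC_SHA1" /click/mvl_post/run_aes128_sha1 \
        /click/mvl_post/aes128_sha1_post_passed

    config_nss_aes256_sha1
    run_nss_post "AES256-CBC_SHA1" /click/mvl_post/run_aes256_sha1 \
        /click/mvl_post/aes256_sha1_post_passed

    config_nss_aes256_sha256
    run_nss_post "AES256-CBC_SHA256" /click/mvl_post/run_aes256_sha256 \
        /click/mvl_post/aes256_sha256_post_passed

    nss_post_cleanup "$emac_port"

else

    # Not in FIPS mode: no POST required, but the cmac driver still waits
    # for the completion flag.
    echo 1 > /sys/devices/platform/pp3/cmac/post_complete

fi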

