/* * Copyright (c) 2003 Sun Microsystems, Inc. All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * Redistribution of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistribution in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * Neither the name of Sun Microsystems, Inc. or the names of * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * This software is provided "AS IS," without a warranty of any kind. * ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, * INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A * PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. * SUN MICROSYSTEMS, INC. ("SUN") AND ITS LICENSORS SHALL NOT BE LIABLE * FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING * OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES. IN NO EVENT WILL * SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, * OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR * PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF * LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE, * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. */ #include <assert.h> #include <string.h> #if defined(HAVE_CONFIG_H) # include <config.h> #endif #include <ipmitool/bswap.h> #include <ipmitool/log.h> #include "lanplus.h" #include "lanplus_crypt.h" #include "lanplus_crypt_impl.h" /* * lanplus_rakp2_hmac_matches * * param session holds all the state data that we need to generate the hmac * param hmac is the HMAC sent by the BMC in the RAKP 2 message * * The HMAC was generated [per RFC2404] from : * * SIDm - Remote console session ID * SIDc - BMC session ID * Rm - Remote console random number * Rc - BMC random number * GUIDc - BMC guid * ROLEm - Requested privilege level (entire byte) * ULENGTHm - Username length * <UNAMEm> - Username (absent for null user names) * * generated by using Kuid. I am aware that the subscripts on the values * look backwards, but that's the way they are written in the specification. * * If the authentication algorithm is IPMI_AUTH_RAKP_NONE, we return success. * * return 0 on success (the authcode matches) * 1 on failure (the authcode does not match) */ int lanplus_rakp2_hmac_matches(const struct ipmi_session * session, const uint8_t * bmc_mac, struct ipmi_intf * intf) { uint8_t * buffer; int bufferLength, i; uint8_t mac[EVP_MAX_MD_SIZE]; uint32_t macLength; uint32_t SIDm_lsbf, SIDc_lsbf; if (session->v2_data.auth_alg == IPMI_AUTH_RAKP_NONE) return 1; /* We don't yet support other algorithms (was assert) */ if ((session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_SHA1) && (session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_MD5) && (session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_SHA256)) { printf("Error, unsupported rakp2 auth alg %d\n", session->v2_data.auth_alg); return 1; } bufferLength = 4 + /* SIDm */ 4 + /* SIDc */ 16 + /* Rm */ 16 + /* Rc */ 16 + /* GUIDc */ 1 + /* ROLEm */ 1 + /* ULENGTHm */ (int)strlen((const char *)session->username); /* optional */ buffer = malloc(bufferLength); if (buffer == NULL) { lprintf(LOG_ERR, "lanplus: malloc failure"); return 1; } /* * Fill the buffer. I'm assuming that we're using the LSBF representation of the * multibyte numbers in use. */ /* SIDm */ SIDm_lsbf = session->v2_data.console_id; #if WORDS_BIGENDIAN SIDm_lsbf = BSWAP_32(SIDm_lsbf); #endif memcpy(buffer, &SIDm_lsbf, 4); /* SIDc */ SIDc_lsbf = session->v2_data.bmc_id; #if WORDS_BIGENDIAN SIDc_lsbf = BSWAP_32(SIDc_lsbf); #endif memcpy(buffer + 4, &SIDc_lsbf, 4); /* Rm */ #if WORDS_BIGENDIAN for (i = 0; i < 16; ++i) buffer[8 + i] = session->v2_data.console_rand[16 - 1 - i]; #else for (i = 0; i < 16; ++i) buffer[8 + i] = session->v2_data.console_rand[i]; #endif /* Rc */ #if WORDS_BIGENDIAN for (i = 0; i < 16; ++i) buffer[24 + i] = session->v2_data.bmc_rand[16 - 1 - i]; #else for (i = 0; i < 16; ++i) buffer[24 + i] = session->v2_data.bmc_rand[i]; #endif /* GUIDc */ #if WORDS_BIGENDIAN for (i = 0; i < 16; ++i) buffer[40 + i] = session->v2_data.bmc_guid[16 - 1 - i]; #else for (i = 0; i < 16; ++i) buffer[40 + i] = session->v2_data.bmc_guid[i]; #endif /* ROLEm */ buffer[56] = session->v2_data.requested_role; /* ULENGTHm */ buffer[57] = (uint8_t)strlen((const char *)session->username); /* UserName [optional] */ for (i = 0; i < buffer[57]; ++i) buffer[58 + i] = session->username[i]; if (verbose > 2) { lprintf(LOG_DEBUG,"rakp2 mac input buffer (%d bytes)", bufferLength); } /* * The buffer is complete. Let's hash. */ lanplus_HMAC(session->v2_data.auth_alg, session->authcode, IPMI_AUTHCODE_BUFFER_SIZE, buffer, bufferLength, mac, &macLength); free(buffer); if (verbose > 2) { printbuf(mac, macLength, ">> rakp2 mac as computed by the remote console"); } return (memcmp(bmc_mac, mac, macLength) == 0); } /* * lanplus_rakp4_hmac_matches * * param session holds all the state data that we need to generate the hmac * param hmac is the HMAC sent by the BMC in the RAKP 4 message * * The HMAC was generated [per RFC2404] from : * * Rm - Remote console random number * SIDc - BMC session ID * GUIDc - BMC guid * * generated by using SIK (the session integrity key). I am aware that the * subscripts on the values look backwards, but that's the way they are * written in the specification. * * If the authentication algorithm is IPMI_AUTH_RAKP_NONE, we return success. * * return 1 on success (the authcode matches) * 0 on failure (the authcode does not match) * */ int lanplus_rakp4_hmac_matches(const struct ipmi_session * session, const uint8_t * bmc_mac, struct ipmi_intf * intf) { uint8_t * buffer; int bufferLength, i; uint8_t mac[EVP_MAX_MD_SIZE]; uint32_t macLength; uint32_t cmpLength; uint32_t SIDc_lsbf; int unsupported = 0; uint8_t alg; if (ipmi_oem_active(intf, "intelplus")){ /* Intel BMC responds with the integrity Algorithm in RAKP4 */ if (session->v2_data.integrity_alg == IPMI_INTEGRITY_NONE) return 1; /* (Old) Intel BMC doesn't support other algorithms */ if ((session->v2_data.integrity_alg != IPMI_INTEGRITY_HMAC_SHA1_96) && (session->v2_data.integrity_alg != IPMI_INTEGRITY_HMAC_MD5_128)) { printf("Error, unsupported rakp4 integrity_alg %d\n", session->v2_data.integrity_alg); return 1; } } else { if (session->v2_data.auth_alg == IPMI_AUTH_RAKP_NONE) return 1; /* We don't yet support other algorithms (was assert) */ if ((session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_SHA1) && (session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_MD5) && (session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_SHA256)) { printf("Error, unsupported rakp4 auth alg %d\n", session->v2_data.auth_alg); return 1; } } bufferLength = 16 + /* Rm */ 4 + /* SIDc */ 16; /* GUIDc */ buffer = (uint8_t *)malloc(bufferLength); if (buffer == NULL) { lprintf(LOG_ERR, "lanplus: malloc failure"); return 1; } /* * Fill the buffer. I'm assuming that we're using the LSBF * representation of the multibyte numbers in use. */ /* Rm */ #if WORDS_BIGENDIAN for (i = 0; i < 16; ++i) buffer[i] = session->v2_data.console_rand[16 - 1 - i]; #else for (i = 0; i < 16; ++i) buffer[i] = session->v2_data.console_rand[i]; #endif /* SIDc */ SIDc_lsbf = session->v2_data.bmc_id; #if WORDS_BIGENDIAN SIDc_lsbf = BSWAP_32(SIDc_lsbf); #endif memcpy(buffer + 16, &SIDc_lsbf, 4); /* GUIDc */ #if WORDS_BIGENDIAN for (i = 0; i < 16; ++i) buffer[i + 20] = session->v2_data.bmc_guid[16 - 1 - i]; #else for (i = 0; i < 16; ++i) buffer[i + 20] = session->v2_data.bmc_guid[i]; #endif if (verbose > 2) { printbuf((const uint8_t *)buffer, bufferLength, ">> rakp4 mac input buffer"); printbuf(session->v2_data.sik, session->v2_data.sik_len, ">> rakp4 mac key (sik)"); } /* * The buffer is complete. Let's hash. */ alg = ( (ipmi_oem_active(intf, "intelplus")) ? session->v2_data.integrity_alg : session->v2_data.auth_alg ); lanplus_HMAC(alg, session->v2_data.sik, session->v2_data.sik_len, buffer, bufferLength, mac, &macLength); if (verbose > 2) { printbuf(bmc_mac, macLength, ">> rakp4 mac as computed by the BMC"); printbuf(mac, macLength, ">> rakp4 mac as computed by the remote console"); } if (ipmi_oem_active(intf, "intelplus")){ /* Intel BMC responds with the integrity Algorithm in RAKP4 */ switch(session->v2_data.integrity_alg) { case IPMI_INTEGRITY_HMAC_SHA1_96: if (macLength != SHA_DIGEST_LENGTH) unsupported = 1; cmpLength = IPMI_SHA1_AUTHCODE_SIZE; break; case IPMI_INTEGRITY_HMAC_MD5_128: if (macLength != MD5_DIGEST_LENGTH) unsupported = 1; cmpLength = IPMI_HMAC_MD5_AUTHCODE_SIZE; break; default: unsupported = 1; break; } } else { /* We don't yet support other algorithms (was assert) */ switch(session->v2_data.auth_alg) { case IPMI_AUTH_RAKP_HMAC_SHA1: if (macLength != SHA_DIGEST_LENGTH) unsupported = 1; cmpLength = IPMI_SHA1_AUTHCODE_SIZE; break; case IPMI_AUTH_RAKP_HMAC_MD5 : if (macLength != MD5_DIGEST_LENGTH) unsupported = 1; cmpLength = IPMI_HMAC_MD5_AUTHCODE_SIZE; break; case IPMI_AUTH_RAKP_HMAC_SHA256: if (macLength != SHA256_DIGEST_LENGTH) unsupported = 1; cmpLength = IPMI_HMAC_SHA256_AUTHCODE_SIZE; break; default: unsupported = 1; break; } } if (unsupported) { printf("Unsupported rakp4 macLength %d for auth %d\n", macLength, session->v2_data.auth_alg); return 1; } free(buffer); return (memcmp(bmc_mac, mac, cmpLength) == 0); } /* * lanplus_generate_rakp3_auth_code * * This auth code is an HMAC generated with : * * Rc - BMC random number * SIDm - Console session ID * ROLEm - Requested privilege level (entire byte) * ULENGTHm - Username length * <USERNAME> - Usename (absent for null usernames) * * The key used to generated the MAC is Kuid * * I am aware that the subscripts look backwards, but that is the way they are * written in the spec. * * param output_buffer [out] will hold the generated MAC * param session [in] holds all the state data we need to generate the auth code * param mac_length [out] will be set to the length of the auth code * * returns 0 on success * 1 on failure */ int lanplus_generate_rakp3_authcode(uint8_t * output_buffer, const struct ipmi_session * session, uint32_t * mac_length, struct ipmi_intf * intf) { int ret = 0; int input_buffer_length, i; uint8_t * input_buffer; uint32_t SIDm_lsbf; if (session->v2_data.auth_alg == IPMI_AUTH_RAKP_NONE) { *mac_length = 0; return 0; } /* We don't yet support other algorithms (was assert) */ if ((session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_SHA1) && (session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_MD5) && (session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_SHA256)) { printf("Error, unsupported rakp3 auth alg %d\n", session->v2_data.auth_alg); return 1; } input_buffer_length = 16 + /* Rc */ 4 + /* SIDm */ 1 + /* ROLEm */ 1 + /* ULENGTHm */ (int)strlen((const char *)session->username); input_buffer = malloc(input_buffer_length); if (input_buffer == NULL) { lprintf(LOG_ERR, "lanplus: malloc failure"); return 1; } /* * Fill the buffer. I'm assuming that we're using the LSBF representation of the * multibyte numbers in use. */ /* Rc */ #if WORDS_BIGENDIAN for (i = 0; i < 16; ++i) input_buffer[i] = session->v2_data.bmc_rand[16 - 1 - i]; #else for (i = 0; i < 16; ++i) input_buffer[i] = session->v2_data.bmc_rand[i]; #endif /* SIDm */ SIDm_lsbf = session->v2_data.console_id; #if WORDS_BIGENDIAN SIDm_lsbf = BSWAP_32(SIDm_lsbf); #endif memcpy(input_buffer + 16, &SIDm_lsbf, 4); /* ROLEm */ if (ipmi_oem_active(intf, "intelplus")) input_buffer[20] = session->privlvl; else input_buffer[20] = session->v2_data.requested_role; /* ULENGTHm */ input_buffer[21] = (uint8_t)strlen((const char *)session->username); /* USERNAME */ for (i = 0; i < input_buffer[21]; ++i) input_buffer[22 + i] = session->username[i]; if (verbose > 2) { printbuf((const uint8_t *)input_buffer, input_buffer_length, ">> rakp3 mac input buffer"); printbuf((const uint8_t *)session->authcode, IPMI_AUTHCODE_BUFFER_SIZE, ">> rakp3 mac key"); } lanplus_HMAC(session->v2_data.auth_alg, session->authcode, IPMI_AUTHCODE_BUFFER_SIZE, input_buffer, input_buffer_length, output_buffer, mac_length); if (verbose > 2) printbuf((const uint8_t *)output_buffer, *mac_length, "generated rakp3 mac"); free(input_buffer); return ret; } /* * lanplus_generate_sik * * Generate the session integrity key (SIK) used for integrity checking * during the IPMI v2 / RMCP+ session * * This session integrity key is a HMAC generated with : * * Rm - Console generated random number * Rc - BMC generated random number * ROLEm - Requested privilege level (entire byte) * ULENGTHm - Username length * <USERNAME> - Usename (absent for null usernames) * * The key used to generated the SIK is Kg if Kg is not null (two-key logins are * enabled). Otherwise Kuid (the user authcode) is used as the key to genereate * the SIK. * * I am aware that the subscripts look backwards, but that is the way they are * written in the spec. * * param session [in/out] contains our input and output fields. * * returns 0 on success * 1 on failure */ int lanplus_generate_sik(struct ipmi_session * session) { uint8_t * input_buffer; int input_buffer_length, i; uint8_t * input_key; uint32_t mac_length; int unsupported = 0; memset(session->v2_data.sik, 0, sizeof(session->v2_data.sik)); session->v2_data.sik_len = 0; if (session->v2_data.auth_alg == IPMI_AUTH_RAKP_NONE) return 0; /* We don't yet support other algorithms (was assert) */ if ((session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_SHA1) && (session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_MD5) && (session->v2_data.auth_alg != IPMI_AUTH_RAKP_HMAC_SHA256)) { printf("Error, unsupported sik auth alg %d\n", session->v2_data.auth_alg); return 1; } input_buffer_length = 16 + /* Rm */ 16 + /* Rc */ 1 + /* ROLEm */ 1 + /* ULENGTHm */ (int)strlen((const char *)session->username); input_buffer = malloc(input_buffer_length); if (input_buffer == NULL) { lprintf(LOG_ERR, "lanplus: malloc failure"); return 1; } /* * Fill the buffer. I'm assuming that we're using the LSBF representation of the * multibyte numbers in use. */ /* Rm */ #if WORDS_BIGENDIAN for (i = 0; i < 16; ++i) input_buffer[i] = session->v2_data.console_rand[16 - 1 - i]; #else for (i = 0; i < 16; ++i) input_buffer[i] = session->v2_data.console_rand[i]; #endif /* Rc */ #if WORDS_BIGENDIAN for (i = 0; i < 16; ++i) input_buffer[16 + i] = session->v2_data.bmc_rand[16 - 1 - i]; #else for (i = 0; i < 16; ++i) input_buffer[16 + i] = session->v2_data.bmc_rand[i]; #endif /* ROLEm */ input_buffer[32] = session->v2_data.requested_role; /* ULENGTHm */ input_buffer[33] = (uint8_t)strlen((const char *)session->username); /* USERNAME */ for (i = 0; i < input_buffer[33]; ++i) input_buffer[34 + i] = session->username[i]; if (session->v2_data.kg[0]) { /* We will be hashing with Kg */ /* * Section 13.31 of the IPMI v2 spec describes the SIK creation * using Kg. It specifies that Kg should not be truncated. * Kg is set in ipmi_intf. */ input_key = session->v2_data.kg; } else { /* We will be hashing with Kuid */ input_key = session->authcode; } if (verbose >= 2) printbuf((const uint8_t *)input_buffer, input_buffer_length, "session integrity key input"); lanplus_HMAC(session->v2_data.auth_alg, input_key, IPMI_AUTHCODE_BUFFER_SIZE, input_buffer, input_buffer_length, session->v2_data.sik, &mac_length); free(input_buffer); switch(session->v2_data.auth_alg) { case IPMI_AUTH_RAKP_HMAC_SHA1 : if (mac_length != SHA_DIGEST_LENGTH) unsupported = 1; break; case IPMI_AUTH_RAKP_HMAC_MD5 : if (mac_length != MD5_DIGEST_LENGTH) unsupported = 1; break; case IPMI_AUTH_RAKP_HMAC_SHA256: if (mac_length != SHA256_DIGEST_LENGTH) unsupported = 1; break; default : unsupported = 1; break; } if (unsupported) { /*was assert*/ printf("Unsupported sik macLength %d for auth %d\n", mac_length, session->v2_data.auth_alg); return 1; } session->v2_data.sik_len = (uint8_t)mac_length; /* * The key MAC generated is 20 bytes, but we will only be using the first * 12 for SHA1 96 */ if (verbose >= 2) printbuf(session->v2_data.sik, session->v2_data.sik_len, "Generated session integrity key"); return 0; } /* * lanplus_generate_k1 * * Generate K1, the key presumably used to generate integrity authcodes * * We use the authentication algorithm to generated the HMAC, using * the session integrity key (SIK) as our key. * * param session [in/out]. * * returns 0 on success * 1 on failure */ int lanplus_generate_k1(struct ipmi_session * session) { uint32_t mac_length; int unsupported = 0; uint8_t CONST_1[36] = /*EVP_MAX_MD_SIZE = 36*/ {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}; if (session->v2_data.auth_alg == IPMI_AUTH_RAKP_NONE) memcpy(session->v2_data.k1, CONST_1, 20); else { lanplus_HMAC(session->v2_data.auth_alg, session->v2_data.sik, session->v2_data.sik_len,/* SIK length */ CONST_1, IPMI_AUTHCODE_BUFFER_SIZE, /*=20*/ session->v2_data.k1, &mac_length); switch(session->v2_data.auth_alg) { case IPMI_AUTH_RAKP_HMAC_SHA1 : if (mac_length != SHA_DIGEST_LENGTH) unsupported = 1; break; case IPMI_AUTH_RAKP_HMAC_MD5 : if (mac_length != MD5_DIGEST_LENGTH) unsupported = 1; break; case IPMI_AUTH_RAKP_HMAC_SHA256: if (mac_length != SHA256_DIGEST_LENGTH) unsupported = 1; break; default : unsupported = 1; break; } if (unsupported) { /*was assert*/ printf("Unsupported k1 macLength %d for auth %d\n", mac_length, session->v2_data.auth_alg); return 1; } session->v2_data.k1_len = (uint8_t)mac_length; } if (verbose >= 2) printbuf(session->v2_data.k1, session->v2_data.k1_len, "Generated K1"); return 0; } /* * lanplus_generate_k2 * * Generate K2, the key used for RMCP+ AES encryption. * * We use the authentication algorithm to generated the HMAC, using * the session integrity key (SIK) as our key. * * param session [in/out]. * * returns 0 on success * 1 on failure */ int lanplus_generate_k2(struct ipmi_session * session) { uint32_t mac_length; int unsupported = 0; uint8_t CONST_2[36] = /*EVP_MAX_MD_SIZE = 36*/ {0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02}; if (session->v2_data.auth_alg == IPMI_AUTH_RAKP_NONE) memcpy(session->v2_data.k2, CONST_2, 20); else { lanplus_HMAC(session->v2_data.auth_alg, session->v2_data.sik, session->v2_data.sik_len,/* SIK length */ CONST_2, IPMI_AUTHCODE_BUFFER_SIZE, /*=20*/ session->v2_data.k2, &mac_length); switch(session->v2_data.auth_alg) { case IPMI_AUTH_RAKP_HMAC_SHA1 : if (mac_length != SHA_DIGEST_LENGTH) unsupported = 1; break; case IPMI_AUTH_RAKP_HMAC_MD5 : if (mac_length != MD5_DIGEST_LENGTH) unsupported = 1; break; case IPMI_AUTH_RAKP_HMAC_SHA256: if (mac_length != SHA256_DIGEST_LENGTH) unsupported = 1; break; default : unsupported = 1; break; } if (unsupported) { /*was assert*/ printf("Unsupported k2 macLength %d for auth %d\n", mac_length, session->v2_data.auth_alg); return 1; } session->v2_data.k2_len = (uint8_t)mac_length; } if (verbose >= 2) printbuf(session->v2_data.k2, session->v2_data.k2_len, "Generated K2"); return 0; } /* * lanplus_encrypt_payload * * Perform the appropriate encryption on the input data. Output the encrypted * data to output, including the required confidentiality header and trailer. * If the crypt_alg is IPMI_CRYPT_NONE, simply copy the input to the output and * set bytes_written to input_length. * * param crypt_alg specifies the encryption algorithm (from table 13-19 of the * IPMI v2 spec) * param key is the used as input to the encryption algorithmf * param input is the input data to be encrypted * param input_length is the length of the input data to be encrypted * param output is the cipher text generated by the encryption process * param bytes_written is the number of bytes written during the encryption * process * * returns 0 on success * 1 on failure */ int lanplus_encrypt_payload(uint8_t crypt_alg, const uint8_t * key, const uint8_t * input, uint32_t input_length, uint8_t * output, uint16_t * bytes_written) { uint8_t * padded_input; uint32_t mod, i, bytes_encrypted; uint8_t pad_length = 0; if (crypt_alg == IPMI_CRYPT_NONE) { /* Just copy the input to the output */ *bytes_written = (uint16_t)input_length; return 0; } /* Currently, we only support AES (was assert) */ if ((crypt_alg != IPMI_CRYPT_AES_CBC_128) || (input_length > IPMI_MAX_PAYLOAD_SIZE)) { lprintf(LOG_ERR,"lanplus crypt: unsupported alg %d or len %d\n", crypt_alg,input_length); return 1; } /* * The input to the AES encryption algorithm has to be a multiple of the * block size (16 bytes). The extra byte we are adding is the pad length * byte. */ mod = (input_length + 1) % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE; if (mod) pad_length = IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE - mod; padded_input = (uint8_t*)malloc(input_length + pad_length + 1); if (padded_input == NULL) { lprintf(LOG_ERR, "lanplus: malloc failure"); return 1; } memcpy(padded_input, input, input_length); /* add the pad */ for (i = 0; i < pad_length; ++i) padded_input[input_length + i] = i + 1; /* add the pad length */ padded_input[input_length + pad_length] = pad_length; /* Generate an initialization vector, IV, for the encryption process */ if (lanplus_rand(output, IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE)) { lprintf(LOG_ERR, "lanplus_encrypt_payload: Error generating IV"); free(padded_input); return 1; } if (verbose > 2) printbuf(output, IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE, ">> Initialization vector"); lanplus_encrypt_aes_cbc_128(output, /* IV */ key, /* K2 */ padded_input, /* Data to encrypt */ input_length + pad_length + 1, /* Input length */ output + IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE, /* output */ &bytes_encrypted); /* bytes written */ *bytes_written = IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE + /* IV */ bytes_encrypted; free(padded_input); return 0; } /* * lanplus_has_valid_auth_code * * Determine whether the packets authcode field is valid for packet. * * We always return success if any of the following are true. * - this is not an IPMIv2 packet * - the session is not yet active * - the packet specifies that it is not authenticated * - the integrity algorithm agreed upon during session creation is "none" * * The authcode is computed using the specified integrity algorithm starting * with the AuthType / Format field, and ending with the field immediately * preceeding the authcode itself. * * The key key used to generate the authcode MAC is K1. * * param rs holds the response structure. * param session holds our session state, including our chosen algorithm, key, etc. * * returns 1 on success (authcode is valid) * 0 on failure (autchode integrity check failed) */ int lanplus_has_valid_auth_code(struct ipmi_rs * rs, struct ipmi_session * session) { uint8_t * bmc_authcode; uint8_t generated_authcode[EVP_MAX_MD_SIZE]; uint32_t generated_authcode_length; uint32_t authcode_length; if ((rs->session.authtype != IPMI_SESSION_AUTHTYPE_RMCP_PLUS) || (session->v2_data.session_state != LANPLUS_STATE_ACTIVE) || (! rs->session.bAuthenticated) || (session->v2_data.integrity_alg == IPMI_INTEGRITY_NONE)) return 1; switch(session->v2_data.integrity_alg) { case IPMI_INTEGRITY_HMAC_SHA1_96 : authcode_length = IPMI_SHA1_AUTHCODE_SIZE; break; case IPMI_INTEGRITY_HMAC_MD5_128 : authcode_length = IPMI_HMAC_MD5_AUTHCODE_SIZE; break; case IPMI_INTEGRITY_HMAC_SHA256_128: authcode_length = IPMI_HMAC_SHA256_AUTHCODE_SIZE; break; /* Unsupported */ default: printf("Unsupported lanplus auth_code %d\n", session->v2_data.auth_alg); return 1; break; } /* * For SHA1-96, the authcode will be the last 12 bytes in the packet */ bmc_authcode = rs->data + (rs->data_len - authcode_length); lanplus_HMAC(session->v2_data.integrity_alg, session->v2_data.k1, session->v2_data.k1_len, rs->data + IPMI_LANPLUS_OFFSET_AUTHTYPE, rs->data_len - IPMI_LANPLUS_OFFSET_AUTHTYPE - authcode_length, generated_authcode, &generated_authcode_length); if (verbose > 3) { lprintf(LOG_DEBUG+2, "Validating authcode"); printbuf(session->v2_data.k1, session->v2_data.k1_len, "K1"); printbuf(rs->data + IPMI_LANPLUS_OFFSET_AUTHTYPE, rs->data_len - IPMI_LANPLUS_OFFSET_AUTHTYPE - authcode_length, "Authcode Input Data"); printbuf(generated_authcode, authcode_length, "Generated authcode"); printbuf(bmc_authcode, authcode_length, "Expected authcode"); } // assert(generated_authcode_length == 20); return (memcmp(bmc_authcode, generated_authcode, authcode_length) == 0); } /* * lanplus_decrypt_payload * * * param input points to the beginning of the payload (which will be the IV if * we are using AES) * param payload_size [out] will be set to the size of the payload EXCLUDING * padding * * returns 0 on success (we were able to successfully decrypt the packet) * 1 on failure (we were unable to successfully decrypt the packet) */ int lanplus_decrypt_payload(uint8_t crypt_alg, const uint8_t * key, const uint8_t * input, uint32_t input_length, uint8_t * output, uint16_t * payload_size) { uint8_t * decrypted_payload; uint32_t bytes_decrypted; if (crypt_alg == IPMI_CRYPT_NONE) { /* We are not encrypted. The paylaod size is is everything. */ *payload_size = (uint16_t)input_length; memmove(output, input, input_length); return 0; } /* We only support AES (was assert) */ if (crypt_alg != IPMI_CRYPT_AES_CBC_128) { lprintf(LOG_ERR,"lanplus decrypt: unsupported alg %d\n", crypt_alg); return 1; } decrypted_payload = (uint8_t*)malloc(input_length); if (decrypted_payload == NULL) { lprintf(LOG_ERR, "lanplus: malloc failure"); return 1; } lanplus_decrypt_aes_cbc_128(input, /* IV */ key, /* Key */ input + /* Data to decrypt */ IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE, input_length - /* Input length */ IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE, decrypted_payload, /* output */ &bytes_decrypted); /* bytes written */ if (bytes_decrypted != 0) { /* Success */ uint8_t conf_pad_length; int i; memmove(output, decrypted_payload, bytes_decrypted); /* * We have to determine the payload size, by substracting the padding, etc. * The last byte of the decrypted payload is the confidentiality pad length. */ conf_pad_length = decrypted_payload[bytes_decrypted - 1]; *payload_size = bytes_decrypted - conf_pad_length - 1; /* * Extra test to make sure that the padding looks like it should (should start * with 0x01, 0x02, 0x03, etc... */ for (i = 0; i < conf_pad_length; ++i) { if (decrypted_payload[*payload_size + i] == i) { lprintf(LOG_ERR, "Malformed payload padding"); return 1; /* assert(0); */ } } } else { lprintf(LOG_ERR, "ERROR: lanplus_decrypt_aes_cbc_128 decryptd 0 bytes"); return 1; /* assert(0); */ } free(decrypted_payload); return (bytes_decrypted == 0); }