[ipmitool] fix FIPS mode crash

aledvink aledvink at fedoraproject.org
Fri Aug 9 12:00:13 UTC 2013


commit feaa76d6f2aefd9d3b0c2238f6dcbbe277ef4b74
Author: Ales Ledvinka <aledvink at redhat.com>
Date:   Fri Aug 9 12:50:48 2013 +0200

    fix FIPS mode crash

 ipmitool-1.8.12-fips.patch |  148 ++++++++++++++++++++++++++++++++++++++++++++
 ipmitool.spec              |    8 ++-
 2 files changed, 155 insertions(+), 1 deletions(-)
---
diff --git a/ipmitool-1.8.12-fips.patch b/ipmitool-1.8.12-fips.patch
new file mode 100644
index 0000000..f9e2c04
--- /dev/null
+++ b/ipmitool-1.8.12-fips.patch
@@ -0,0 +1,148 @@
+diff -up ./src/plugins/lan/lan.c.fips ./src/plugins/lan/lan.c
+--- ./src/plugins/lan/lan.c.fips	2013-08-09 12:17:31.336127511 +0200
++++ ./src/plugins/lan/lan.c	2013-08-09 12:48:35.624639106 +0200
+@@ -67,6 +67,10 @@
+ #define IPMI_LAN_PORT		0x26f
+ #define IPMI_LAN_CHANNEL_E	0x0e
+ 
++#if defined(HAVE_CRYPTO_MD2) || defined(HAVE_CRYPTO_MD5)
++#include <openssl/fips.h>
++#endif
++
+ extern const struct valstr ipmi_privlvl_vals[];
+ extern const struct valstr ipmi_authtype_session_vals[];
+ extern int verbose;
+@@ -861,10 +865,18 @@ ipmi_lan_build_cmd(struct ipmi_intf * in
+ 		 */
+ 		switch (s->authtype) {
+ 		case IPMI_SESSION_AUTHTYPE_MD5:
++		        if (FIPS_mode() && verbose > 1) {
++				printf("MD5 not supported in FIPS mode. Try -I lanplus\n");
++				return NULL;
++			}
+ 			temp = ipmi_auth_md5(s, msg+mp, msg[mp-1]);
+ 			memcpy(msg+ap, temp, 16);
+ 			break;
+ 		case IPMI_SESSION_AUTHTYPE_MD2:
++			if (FIPS_mode() && verbose > 1) {
++				printf("MD2 not supported in FIPS mode. Try -I lanplus\n");
++				return NULL;
++			}
+ 			temp = ipmi_auth_md2(s, msg+mp, msg[mp-1]);
+ 			memcpy(msg+ap, temp, 16);
+ 			break;
+diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c
+--- ./src/plugins/lanplus/lanplus.c.fips	2013-07-16 06:17:39.000000000 +0200
++++ ./src/plugins/lanplus/lanplus.c	2013-08-09 12:17:31.338127516 +0200
+@@ -65,6 +65,10 @@
+ #include "rmcp.h"
+ #include "asf.h"
+ 
++#if defined(HAVE_CRYPTO_MD2) || defined(HAVE_CRYPTO_MD5)
++#include <openssl/fips.h>
++#endif
++
+ extern const struct valstr ipmi_rakp_return_codes[];
+ extern const struct valstr ipmi_priv_levels[];
+ extern const struct valstr ipmi_auth_algorithms[];
+@@ -183,56 +187,100 @@ int lanplus_get_requested_ciphers(int
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_SHA1;
+ 		*integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
+ 		*crypt_alg     = IPMI_CRYPT_XRC4_128;
++                if (FIPS_mode() && verbose > 1) {
++                        printf("RC4 not supported in FIPS mode. Try -C 3\n");
++                        return 1;
++                }
+ 		break;
+ 	case 5:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_SHA1;
+ 		*integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
+ 		*crypt_alg     = IPMI_CRYPT_XRC4_40;
++                if (FIPS_mode() && verbose > 1) {
++                        printf("RC4 not supported in FIPS mode. Try -C 3\n");
++                        return 1;
++                }
+ 		break;
+ 	case 6:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_MD5;
+ 		*integrity_alg = IPMI_INTEGRITY_NONE;
+ 		*crypt_alg     = IPMI_CRYPT_NONE;
++		if (FIPS_mode() && verbose > 1) {
++			printf("MD5 not supported in FIPS mode. Try -C 1\n");
++			return 1;
++		}
+ 		break;
+ 	case 7:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_MD5;
+ 		*integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ 		*crypt_alg     = IPMI_CRYPT_NONE;
++                if (FIPS_mode() && verbose > 1) {
++                        printf("MD5 not supported in FIPS mode. Try -C 2\n");
++                        return 1;
++                }
+ 		break;
+ 	case 8:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_MD5;
+ 		*integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ 		*crypt_alg     = IPMI_CRYPT_AES_CBC_128;
++		if (FIPS_mode() && verbose > 1) {
++			printf("MD5 not supported in FIPS mode. Try -C 3\n");
++			return 1;
++		}
+ 		break;
+ 	case 9:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_MD5;
+ 		*integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ 		*crypt_alg     = IPMI_CRYPT_XRC4_128;
++		if (FIPS_mode() && verbose > 1) {
++			printf("MD5 not supported in FIPS mode. Try -C 3\n");
++			return 1;
++		}
+ 		break;
+ 	case 10:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_MD5;
+ 		*integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ 		*crypt_alg     = IPMI_CRYPT_XRC4_40;
++		if (FIPS_mode() && verbose > 1) {
++			printf("MD5 not supported in FIPS mode. Try -C 3\n");
++			return 1;
++		}
+ 		break;
+ 	case 11:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_MD5;
+ 		*integrity_alg = IPMI_INTEGRITY_MD5_128;
+ 		*crypt_alg     = IPMI_CRYPT_NONE;
++		if (FIPS_mode() && verbose > 1) {
++			printf("MD5 not supported in FIPS mode. Try -C 3\n");
++			return 1;
++		}
+ 		break;
+ 	case 12:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_MD5;
+ 		*integrity_alg = IPMI_INTEGRITY_MD5_128;
+ 		*crypt_alg     = IPMI_CRYPT_AES_CBC_128;
++		if (FIPS_mode() && verbose > 1) {
++			printf("MD5 not supported in FIPS mode. Try -C 3\n");
++			return 1;
++		}
+ 		break;
+ 	case 13:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_MD5;
+ 		*integrity_alg = IPMI_INTEGRITY_MD5_128;
+ 		*crypt_alg     = IPMI_CRYPT_XRC4_128;
++		if (FIPS_mode() && verbose > 1) {
++			printf("MD5 not supported in FIPS mode. Try -C 3\n");
++			return 1;
++		}
+ 		break;
+ 	case 14:
+ 		*auth_alg      = IPMI_AUTH_RAKP_HMAC_MD5;
+ 		*integrity_alg = IPMI_INTEGRITY_MD5_128;
+ 		*crypt_alg     = IPMI_CRYPT_XRC4_40;
++		if (FIPS_mode() && verbose > 1) {
++			printf("MD5 not supported in FIPS mode. Try -C 3\n");
++			return 1;
++		}
+ 		break;
+ 	}
+ 
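Review bot: The new FIPS guards in the embedded patch only take effect when `verbose > 1`, so at default verbosity in FIPS mode `ipmi_lan_build_cmd` still calls `ipmi_auth_md5`/`ipmi_auth_md2` and `lanplus_get_requested_ciphers` still accepts the RC4 and MD5 suites, which is presumably the path that crashes. The refusal should depend on `FIPS_mode()` alone, with the message printed regardless of verbosity, e.g. `if (FIPS_mode()) { printf("MD5 not supported in FIPS mode. Try -I lanplus\n"); return NULL; }`; the same applies to every `FIPS_mode() && verbose > 1` test in the lanplus cipher cases. Separately, `<openssl/fips.h>` is included only under `HAVE_CRYPTO_MD2 || HAVE_CRYPTO_MD5` while the `FIPS_mode()` calls are unconditional, so a build without those macros would call an undeclared function. Both functions start and end outside the hunks shown.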
diff --git a/ipmitool.spec b/ipmitool.spec
index 2e0d16f..73041b9 100644
--- a/ipmitool.spec
+++ b/ipmitool.spec
@@ -1,7 +1,7 @@
 Name:         ipmitool
 Summary:      Utility for IPMI control
 Version:      1.8.12
-Release:      13073101%{?dist}
+Release:      13073102%{?dist}
 License:      BSD
 Group:        System Environment/Base
 URL:          http://ipmitool.sourceforge.net/
@@ -29,6 +29,8 @@ Patch2: ipmitool-1.8.10-ipmievd-condrestart.patch
 Patch3: ipmitool-1.8.11-remove-umask0.patch
 # various threads. still pending.
 Patch4: cxoem-jb-cx6.patch
+# pending
+Patch5: ipmitool-1.8.12-fips.patch
 
 %description
 This package contains a utility for interfacing with devices that support
@@ -69,6 +71,7 @@ for the host OS to use.
 %patch2 -p0 -b .condrestart
 %patch3 -p1 -b .umask
 %patch4 -p1 -b .cxoem
+%patch5 -p0 -b .fips
 
 for f in AUTHORS ChangeLog; do
     iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8
@@ -143,6 +146,9 @@ install -Dm 755 %{SOURCE6} %{buildroot}%{_libexecdir}/exchange-bmc-os-info
 
 
 %changelog
+* Fri Jul 09 2013 Ales Ledvinka <aledvink at redhat.com> 1.8.12-13073102
+-  Avoid FIPS mode crashes if possible.
+
 * Wed Jul  31 2013 Ales Ledvinka <aledvink at redhat.com> 1.8.12-13073101
 - Include current upstream bugfixes.
 

