From 0a0447cf5855fa5718a29e7bc71575d33099ec82 Mon Sep 17 00:00:00 2001 From: Ales Ledvinka Date: Fri, 9 Aug 2013 13:59:47 +0200 Subject: [PATCH] FIPS FIPS FIPS FIPS FIPS --- ipmitool-1.8.12-fips.patch | 100 +++++++++++++++++++++++-------------- ipmitool.spec | 10 ++-- 2 files changed, 70 insertions(+), 40 deletions(-) diff --git a/ipmitool-1.8.12-fips.patch b/ipmitool-1.8.12-fips.patch index f9e2c04..13f08d9 100644 --- a/ipmitool-1.8.12-fips.patch +++ b/ipmitool-1.8.12-fips.patch @@ -1,6 +1,6 @@ diff -up ./src/plugins/lan/lan.c.fips ./src/plugins/lan/lan.c ---- ./src/plugins/lan/lan.c.fips 2013-08-09 12:17:31.336127511 +0200 -+++ ./src/plugins/lan/lan.c 2013-08-09 12:48:35.624639106 +0200 +--- ./src/plugins/lan/lan.c.fips 2013-08-09 13:49:30.014768330 +0200 ++++ ./src/plugins/lan/lan.c 2013-08-09 13:55:02.425532024 +0200 @@ -67,6 +67,10 @@ #define IPMI_LAN_PORT 0x26f #define IPMI_LAN_CHANNEL_E 0x0e @@ -12,20 +12,24 @@ diff -up ./src/plugins/lan/lan.c.fips ./src/plugins/lan/lan.c extern const struct valstr ipmi_privlvl_vals[]; extern const struct valstr ipmi_authtype_session_vals[]; extern int verbose; -@@ -861,10 +865,18 @@ ipmi_lan_build_cmd(struct ipmi_intf * in +@@ -861,10 +865,22 @@ ipmi_lan_build_cmd(struct ipmi_intf * in */ switch (s->authtype) { case IPMI_SESSION_AUTHTYPE_MD5: -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -I lanplus\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -I lanplus\n"); ++ } + return NULL; + } temp = ipmi_auth_md5(s, msg+mp, msg[mp-1]); memcpy(msg+ap, temp, 16); break; case IPMI_SESSION_AUTHTYPE_MD2: -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD2 not supported in FIPS mode. Try -I lanplus\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD2 not supported in FIPS mode. Try -I lanplus\n"); ++ } + return NULL; + } temp = ipmi_auth_md2(s, msg+mp, msg[mp-1]); 
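Review bot: In the MD5 and MD2 branches of the authtype switch, the new `return NULL` exits ipmi_lan_build_cmd at a point where `msg` is already in use (`memcpy(msg+ap, temp, 16)` follows directly). If `msg` was heap-allocated or a request entry was queued earlier in the function, which starts outside this hunk, each refused request leaks it, so that state should be released before returning. The refusal is also printed only at `verbose > 1` and to stdout, so a default run fails without saying that FIPS policy is the cause. A policy rejection should be reported unconditionally on stderr, for example `lprintf(LOG_ERR, "MD5 not supported in FIPS mode. Try -I lanplus");`, assuming the project's logger is in scope in lan.c. It is also worth confirming that every caller treats a NULL return as an error.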
@@ -33,7 +37,7 @@ diff -up ./src/plugins/lan/lan.c.fips ./src/plugins/lan/lan.c break; diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c --- ./src/plugins/lanplus/lanplus.c.fips 2013-07-16 06:17:39.000000000 +0200 -+++ ./src/plugins/lanplus/lanplus.c 2013-08-09 12:17:31.338127516 +0200 ++++ ./src/plugins/lanplus/lanplus.c 2013-08-09 13:54:27.720451992 +0200 @@ -65,6 +65,10 @@ #include "rmcp.h" #include "asf.h" @@ -45,30 +49,36 @@ diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c extern const struct valstr ipmi_rakp_return_codes[]; extern const struct valstr ipmi_priv_levels[]; extern const struct valstr ipmi_auth_algorithms[]; -@@ -183,56 +187,100 @@ int lanplus_get_requested_ciphers(int +@@ -183,56 +187,122 @@ int lanplus_get_requested_ciphers(int *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1; *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96; *crypt_alg = IPMI_CRYPT_XRC4_128; -+ if (FIPS_mode() && verbose > 1) { -+ printf("RC4 not supported in FIPS mode. Try -C 3\n"); -+ return 1; -+ } ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("RC4 not supported in FIPS mode. Try -C 3\n"); ++ } ++ return 1; ++ } break; case 5: *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1; *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96; *crypt_alg = IPMI_CRYPT_XRC4_40; -+ if (FIPS_mode() && verbose > 1) { -+ printf("RC4 not supported in FIPS mode. Try -C 3\n"); -+ return 1; -+ } ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("RC4 not supported in FIPS mode. Try -C 3\n"); ++ } ++ return 1; ++ } break; case 6: *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; *integrity_alg = IPMI_INTEGRITY_NONE; *crypt_alg = IPMI_CRYPT_NONE; -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -C 1\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -C 1\n"); ++ } + return 1; + } break; 
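Review bot: Every rejected case in lanplus_get_requested_ciphers stores the MD5- or RC4-based values into `*auth_alg`, `*integrity_alg` and `*crypt_alg` before the FIPS check returns 1, so a caller that does not test the return value goes on with exactly the suite that was refused; the guard belongs ahead of the assignments. The same block is repeated in the later hunks of this file (the remaining `IPMI_AUTH_RAKP_HMAC_MD5` suites), and the explanation is still printed only at `verbose > 1` and to stdout, so a default run fails without saying why. A small helper that does the check and reports on stderr unconditionally removes the copies and keeps the hint text in one place; the sketch below assumes the project's `lprintf` logger is available in lanplus.c. The function begins and ends outside this hunk, so how its callers handle the non-zero return should be confirmed.

```c
/* Returns 1 (after reporting on stderr, at any verbosity) when FIPS mode
 * forbids the named algorithm, 0 when the suite may be used. */
static int
lanplus_fips_reject(const char *alg, const char *hint)
{
	if (!FIPS_mode())
		return 0;
	lprintf(LOG_ERR, "%s not supported in FIPS mode. Try %s", alg, hint);
	return 1;
}

	/* … unchanged: preceding cases … */
	case 5:
		/* Refuse before the out-parameters are touched. */
		if (lanplus_fips_reject("RC4", "-C 3"))
			return 1;
		/* … unchanged: the three assignments for this suite … */
		break;
	case 6:
		if (lanplus_fips_reject("MD5", "-C 1"))
			return 1;
		/* … unchanged: the three assignments for this suite … */
		break;
	/* … unchanged: remaining MD5/RC4 cases, same pattern … */
```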
@@ -76,17 +86,21 @@ diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128; *crypt_alg = IPMI_CRYPT_NONE; -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -C 2\n"); -+ return 1; -+ } ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -C 2\n"); ++ } ++ return 1; ++ } break; case 8: *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128; *crypt_alg = IPMI_CRYPT_AES_CBC_128; -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ } + return 1; + } break; @@ -94,8 +108,10 @@ diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128; *crypt_alg = IPMI_CRYPT_XRC4_128; -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ } + return 1; + } break; @@ -103,8 +119,10 @@ diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128; *crypt_alg = IPMI_CRYPT_XRC4_40; -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ } + return 1; + } break; 
@@ -112,8 +130,10 @@ diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; *integrity_alg = IPMI_INTEGRITY_MD5_128; *crypt_alg = IPMI_CRYPT_NONE; -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ } + return 1; + } break; @@ -121,8 +141,10 @@ diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; *integrity_alg = IPMI_INTEGRITY_MD5_128; *crypt_alg = IPMI_CRYPT_AES_CBC_128; -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ } + return 1; + } break; @@ -130,8 +152,10 @@ diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; *integrity_alg = IPMI_INTEGRITY_MD5_128; *crypt_alg = IPMI_CRYPT_XRC4_128; -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ } + return 1; + } break; @@ -139,8 +163,10 @@ diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; *integrity_alg = IPMI_INTEGRITY_MD5_128; *crypt_alg = IPMI_CRYPT_XRC4_40; -+ if (FIPS_mode() && verbose > 1) { -+ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ if (FIPS_mode()) { ++ if (verbose > 1) { ++ printf("MD5 not supported in FIPS mode. Try -C 3\n"); ++ } + return 1; + } break; diff --git a/ipmitool.spec b/ipmitool.spec index 644a44b..c7821f9 100644 --- a/ipmitool.spec +++ b/ipmitool.spec 
@@ -1,7 +1,7 @@ Name: ipmitool Summary: Utility for IPMI control Version: 1.8.12 -Release: 13073102%{?dist} +Release: 13073103%{?dist} License: BSD Group: System Environment/Base URL: http://ipmitool.sourceforge.net/ @@ -31,6 +31,8 @@ Patch3: ipmitool-1.8.11-remove-umask0.patch Patch4: cxoem-jb-cx6.patch # pending Patch5: ipmitool-1.8.12-fips.patch +# pending +Patch6: ipmitool-1.8.12-fipsman.patch %description This package contains a utility for interfacing with devices that support @@ -72,6 +74,7 @@ for the host OS to use. %patch3 -p1 -b .umask %patch4 -p1 -b .cxoem %patch5 -p0 -b .fips +%patch6 -p0 -b .fipsman for f in AUTHORS ChangeLog; do iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8 @@ -146,8 +149,9 @@ install -Dm 755 %{SOURCE6} %{buildroot}%{_libexecdir}/exchange-bmc-os-info %changelog -* Fri Aug 09 2013 Ales Ledvinka 1.8.12-13073102 -- Avoid FIPS mode crashes if possible. +* Fri Aug 09 2013 Ales Ledvinka 1.8.12-13073103 +- Avoid FIPS mode crashes if possible. +- Document FIPS limitations. * Wed Jul 31 2013 Ales Ledvinka 1.8.12-13073101 - Include current upstream bugfixes.