ipmitool/ipmitool-1.8.12-fips.patch
2013-08-09 12:50:48 +02:00

149 lines
4.7 KiB
Diff

diff -up ./src/plugins/lan/lan.c.fips ./src/plugins/lan/lan.c
--- ./src/plugins/lan/lan.c.fips 2013-08-09 12:17:31.336127511 +0200
+++ ./src/plugins/lan/lan.c 2013-08-09 12:48:35.624639106 +0200
@@ -67,6 +67,10 @@
#define IPMI_LAN_PORT 0x26f
#define IPMI_LAN_CHANNEL_E 0x0e
+#if defined(HAVE_CRYPTO_MD2) || defined(HAVE_CRYPTO_MD5)
+#include <openssl/fips.h>
+#endif
+
extern const struct valstr ipmi_privlvl_vals[];
extern const struct valstr ipmi_authtype_session_vals[];
extern int verbose;
@@ -861,10 +865,18 @@ ipmi_lan_build_cmd(struct ipmi_intf * in
*/
switch (s->authtype) {
case IPMI_SESSION_AUTHTYPE_MD5:
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -I lanplus\n");
+ return NULL;
+ }
temp = ipmi_auth_md5(s, msg+mp, msg[mp-1]);
memcpy(msg+ap, temp, 16);
break;
case IPMI_SESSION_AUTHTYPE_MD2:
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD2 not supported in FIPS mode. Try -I lanplus\n");
+ return NULL;
+ }
temp = ipmi_auth_md2(s, msg+mp, msg[mp-1]);
memcpy(msg+ap, temp, 16);
break;
diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c
--- ./src/plugins/lanplus/lanplus.c.fips 2013-07-16 06:17:39.000000000 +0200
+++ ./src/plugins/lanplus/lanplus.c 2013-08-09 12:17:31.338127516 +0200
@@ -65,6 +65,10 @@
#include "rmcp.h"
#include "asf.h"
+#if defined(HAVE_CRYPTO_MD2) || defined(HAVE_CRYPTO_MD5)
+#include <openssl/fips.h>
+#endif
+
extern const struct valstr ipmi_rakp_return_codes[];
extern const struct valstr ipmi_priv_levels[];
extern const struct valstr ipmi_auth_algorithms[];
@@ -183,56 +187,100 @@ int lanplus_get_requested_ciphers(int
*auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1;
*integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
*crypt_alg = IPMI_CRYPT_XRC4_128;
+ if (FIPS_mode() && verbose > 1) {
+ printf("RC4 not supported in FIPS mode. Try -C 3\n");
+ return 1;
+ }
break;
case 5:
*auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1;
*integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
*crypt_alg = IPMI_CRYPT_XRC4_40;
+ if (FIPS_mode() && verbose > 1) {
+ printf("RC4 not supported in FIPS mode. Try -C 3\n");
+ return 1;
+ }
break;
case 6:
*auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
*integrity_alg = IPMI_INTEGRITY_NONE;
*crypt_alg = IPMI_CRYPT_NONE;
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -C 1\n");
+ return 1;
+ }
break;
case 7:
*auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
*integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
*crypt_alg = IPMI_CRYPT_NONE;
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -C 2\n");
+ return 1;
+ }
break;
case 8:
*auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
*integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
*crypt_alg = IPMI_CRYPT_AES_CBC_128;
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -C 3\n");
+ return 1;
+ }
break;
case 9:
*auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
*integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
*crypt_alg = IPMI_CRYPT_XRC4_128;
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -C 3\n");
+ return 1;
+ }
break;
case 10:
*auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
*integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
*crypt_alg = IPMI_CRYPT_XRC4_40;
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -C 3\n");
+ return 1;
+ }
break;
case 11:
*auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
*integrity_alg = IPMI_INTEGRITY_MD5_128;
*crypt_alg = IPMI_CRYPT_NONE;
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -C 3\n");
+ return 1;
+ }
break;
case 12:
*auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
*integrity_alg = IPMI_INTEGRITY_MD5_128;
*crypt_alg = IPMI_CRYPT_AES_CBC_128;
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -C 3\n");
+ return 1;
+ }
break;
case 13:
*auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
*integrity_alg = IPMI_INTEGRITY_MD5_128;
*crypt_alg = IPMI_CRYPT_XRC4_128;
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -C 3\n");
+ return 1;
+ }
break;
case 14:
*auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
*integrity_alg = IPMI_INTEGRITY_MD5_128;
*crypt_alg = IPMI_CRYPT_XRC4_40;
+ if (FIPS_mode() && verbose > 1) {
+ printf("MD5 not supported in FIPS mode. Try -C 3\n");
+ return 1;
+ }
break;
}