Add support for cipher suite 17
cipher suite 17 uses RAKP_HMAC_SHA256 for authentication and
RAKP_HMAC_SHA256_128 for integrity. This adds those in and fixes up the
lookups so the stack knows about the new algorithms.
Change-Id: Icdc66563d08060fc0e541ceaf3bee9dd5f89fdb2
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
diff --git a/integrity_algo.hpp b/integrity_algo.hpp
index 3e003b6..81f7da7 100644
--- a/integrity_algo.hpp
+++ b/integrity_algo.hpp
@@ -90,7 +90,9 @@
*/
static bool isAlgorithmSupported(Algorithms algo)
{
- if (algo == Algorithms::NONE || algo == Algorithms::HMAC_SHA1_96)
+ if (algo == Algorithms::NONE ||
+ algo == Algorithms::HMAC_SHA1_96 ||
+ algo == Algorithms::HMAC_SHA256_128)
{
return true;
}
@@ -227,6 +229,91 @@
const size_t len) const;
};
+/**
+ * @class AlgoSHA256
+ *
+ * @brief Implementation of the HMAC-SHA256-128 Integrity algorithm
+ *
+ * HMAC-SHA256-128 take the Session Integrity Key and use it to generate K1. K1
+ * is then used as the key for use in HMAC to produce the AuthCode field. For
+ * “one-key” logins, the user’s key (password) is used in the creation of the
+ * Session Integrity Key. When the HMAC-SHA256-128 Integrity Algorithm is used
+ * the resulting AuthCode field is 16 bytes (128 bits).
+ */
+class AlgoSHA256 final : public Interface
+{
+ public:
+ static constexpr size_t SHA256_128_AUTHCODE_LENGTH = 16;
+
+ /**
+ * @brief Constructor for AlgoSHA256
+ *
+ * @param[in] - Session Integrity Key
+ */
+ explicit AlgoSHA256(const std::vector<uint8_t>& sik);
+
+ AlgoSHA256() = delete;
+ ~AlgoSHA256() = default;
+ AlgoSHA256(const AlgoSHA256&) = default;
+ AlgoSHA256& operator=(const AlgoSHA256&) = default;
+ AlgoSHA256(AlgoSHA256&&) = default;
+ AlgoSHA256& operator=(AlgoSHA256&&) = default;
+
+ /**
+ * @brief Verify the integrity data of the packet
+ *
+ * @param[in] packet - Incoming IPMI packet
+ * @param[in] length - Length of the data in the packet to calculate
+ * the integrity data
+ * @param[in] integrityData - Iterator to the authCode in the packet
+ *
+ * @return true if authcode in the packet is equal to one generated
+ * using integrity algorithm on the packet data, false otherwise
+ */
+ bool verifyIntegrityData(
+ const std::vector<uint8_t>& packet,
+ const size_t length,
+ std::vector<uint8_t>::const_iterator integrityData)
+ const override;
+
+ /**
+ * @brief Generate integrity data for the outgoing IPMI packet
+ *
+ * @param[in] packet - Outgoing IPMI packet
+ *
+ * @return on success return the integrity data for the outgoing IPMI
+ * packet
+ */
+ std::vector<uint8_t> generateIntegrityData(
+ const std::vector<uint8_t>& packet) const override;
+
+ /**
+ * @brief Generate additional keying material based on SIK
+ *
+ * @param[in] sik - session integrity key
+ * @param[in] data - 20-byte Const_n
+ *
+ * @return on success returns the Kn based on HMAC-SHA256
+ *
+ */
+ std::vector<uint8_t> generateKn(
+ const std::vector<uint8_t>& sik,
+ const rmcp::Const_n& const_n) const;
+
+ private:
+ /**
+ * @brief Generate HMAC based on HMAC-SHA256-128 algorithm
+ *
+ * @param[in] input - pointer to the message
+ * @param[in] len - length of the message
+ *
+ * @return on success returns the message authentication code
+ *
+ */
+ std::vector<uint8_t> generateHMAC(const uint8_t* input,
+ const size_t len) const;
+};
+
}// namespace integrity
}// namespace cipher