Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-net-ipmid / 9b307be647ff786f05c03fa742b982d99dd341ae^! / . / command
commit9b307be647ff786f05c03fa742b982d99dd341ae[log] [tgz]
authorVernon Mauery <vernon.mauery@linux.intel.com>Wed Nov 22 09:28:16 2017 -0800
committerVernon Mauery <vernon.mauery@linux.intel.com>Thu Dec 07 12:54:43 2017 -0800
tree0b19e4d830a1ee6c7e882539c7e5b1549fbdc111
parent70fd29cf487ceefd21af58bab988a7ff9ec07efb [diff]
Prepare for adding RMCP+ cipher suite 17

In many places, there are baked-in assumptions about algorithms that tie
the session initiation to cipher suite 3. This commit teases out those
assumptions and prepares for the next patch that actually adds in the
new authentication and integrity algorithms to support cipher suite 17.

Change-Id: I2ee3672a7c503b89c5ff0aba30cf7a4601e24d04
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>

diff --git a/command/open_session.cpp b/command/open_session.cpp
index d29cbf1..f33de3c 100644
--- a/command/open_session.cpp
+++ b/command/open_session.cpp

@@ -19,8 +19,8 @@
     auto response = reinterpret_cast<OpenSessionResponse*>(outPayload.data());
 
     // Check for valid Authentication Algorithms
-    if (request->authAlgo != static_cast<uint8_t>
-        (cipher::rakp_auth::Algorithms::RAKP_HMAC_SHA1))
+    if (!cipher::rakp_auth::Interface::isAlgorithmSupported(
+                static_cast<cipher::rakp_auth::Algorithms>(request->authAlgo)))
     {
         response->status_code =
             static_cast<uint8_t>(RAKP_ReturnCode::INVALID_AUTH_ALGO);
@@ -28,8 +28,8 @@
     }
 
     // Check for valid Integrity Algorithms
-    if(!cipher::integrity::Interface::isAlgorithmSupported(static_cast
-                    <cipher::integrity::Algorithms>(request->intAlgo)))
+    if (!cipher::integrity::Interface::isAlgorithmSupported(
+                static_cast<cipher::integrity::Algorithms>(request->intAlgo)))
     {
         response->status_code =
             static_cast<uint8_t>(RAKP_ReturnCode::INVALID_INTEGRITY_ALGO);

diff --git a/command/rakp34.cpp b/command/rakp34.cpp
index 8c95e95..5ba9aa1 100644
--- a/command/rakp34.cpp
+++ b/command/rakp34.cpp

@@ -8,6 +8,7 @@
 #include "endian.hpp"
 #include "guid.hpp"
 #include "main.hpp"
+#include "rmcp.hpp"
 
 namespace command
 {
@@ -44,8 +45,11 @@
     {
         case cipher::crypt::Algorithms::AES_CBC_128:
         {
-            session->setCryptAlgo(std::make_unique<cipher::crypt::AlgoAES128>(
-                                 authAlgo->sessionIntegrityKey));
+            auto intAlgo = session->getIntegrityAlgo();
+            auto k2 = intAlgo->generateKn(
+                    authAlgo->sessionIntegrityKey, rmcp::const_2);
+            session->setCryptAlgo(
+                    std::make_unique<cipher::crypt::AlgoAES128>(k2));
             break;
         }
         default:
@@ -63,7 +67,7 @@
     auto response = reinterpret_cast<RAKP4response*>(outPayload.data());
 
     // Check if the RAKP3 Payload Length is as expected
-    if(inPayload.size() != sizeof(RAKP3request))
+    if (inPayload.size() < sizeof(RAKP3request))
     {
         std::cerr << "RAKP34: Invalid RAKP3 request\n";
         response->rmcpStatusCode =
@@ -145,8 +149,8 @@
     // Generate Key Exchange Authentication Code - RAKP2
     auto output = authAlgo->generateHMAC(input);
 
-    if (std::memcmp(output.data(), request->keyExchangeAuthCode,
-                    output.size()))
+    if (inPayload.size() != (sizeof(RAKP3request) + output.size()) ||
+            std::memcmp(output.data(), request+1, output.size()))
     {
         std::cerr << "Mismatch in HMAC sent by remote console\n";
 

diff --git a/command/rakp34.hpp b/command/rakp34.hpp
index deaf2e9..2f00823 100644
--- a/command/rakp34.hpp
+++ b/command/rakp34.hpp

@@ -19,7 +19,6 @@
     uint8_t rmcpStatusCode;
     uint16_t reserved;
     uint32_t managedSystemSessionID;
-    uint8_t keyExchangeAuthCode[20];
 } __attribute__((packed));
 
 /**