Remove the support for insecure protocols in RMCP+
After this change, the only two cipher suites supported for RMCP+ are
cipher suites 3 and 17. Cipher suite 3 is the default choice of
ipmitool when no cipher suite is specified explicitly.
The supported algorithms are the following:
Authentication: a) RAKP-HMAC-SHA1, b) RAKP-HMAC-SHA256
Integrity: a) HMAC-SHA1-96, b) HMAC-SHA256-128
Confidentiality: a) AES-CBC-128
Change-Id: Ia2fbaae29235e4bd43c42b59a2295a2db28efce3
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
diff --git a/auth_algo.hpp b/auth_algo.hpp
index 6bd32d0..c9fb821 100644
--- a/auth_algo.hpp
+++ b/auth_algo.hpp
@@ -27,10 +27,10 @@
*/
enum class Algorithms : uint8_t
{
- RAKP_NONE = 0, // Mandatory
- RAKP_HMAC_SHA1, // Mandatory
- RAKP_HMAC_MD5, // Optional
- RAKP_HMAC_SHA256, // Optional
+ RAKP_NONE = 0, // Mandatory (implemented, not supported)
+ RAKP_HMAC_SHA1, // Mandatory (implemented, default choice in ipmitool)
+ RAKP_HMAC_MD5, // Optional (not implemented)
+ RAKP_HMAC_SHA256, // Optional (implemented, best available)
// Reserved used to indicate an invalid authentication algorithm
RAKP_HMAC_INVALID = 0xB0
};
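Review bot: The new comment on RAKP_NONE, "implemented, not supported", reads as a contradiction and does not say where the rejection is enforced. A wording that points at the gate is clearer, for example `RAKP_NONE = 0, // Mandatory in the spec; rejected by isAlgorithmSupported()`. The same phrase is used for NONE in the integrity_algo.hpp enum hunk, and crypt_algo.hpp uses a third variant ("mandatory , not supported", with a stray space before the comma), so the three files would read better with one phrasing.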
@@ -102,8 +102,7 @@
*/
static bool isAlgorithmSupported(Algorithms algo)
{
- if (algo == Algorithms::RAKP_NONE ||
- algo == Algorithms::RAKP_HMAC_SHA1 ||
+ if (algo == Algorithms::RAKP_HMAC_SHA1 ||
algo == Algorithms::RAKP_HMAC_SHA256)
{
return true;
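Review bot: Each of the three `isAlgorithmSupported` checks (this one and those in crypt_algo.hpp and integrity_algo.hpp) validates its own algorithm independently, so nothing in the visible lines restricts a session to cipher suite 3 or 17 as a whole. A request that pairs RAKP_HMAC_SHA1 with HMAC_SHA256_128 passes all three checks although it matches neither suite named in the commit message. If no caller validates the combination, consider one check over the triple, such as `(auth == RAKP_HMAC_SHA1 && integ == HMAC_SHA1_96) || (auth == RAKP_HMAC_SHA256 && integ == HMAC_SHA256_128)`, with confidentiality fixed to AES_CBC_128. The function body continues outside the hunk and the session-setup callers are not visible here, so this may already be handled elsewhere.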
diff --git a/crypt_algo.hpp b/crypt_algo.hpp
index ca4dbca..20f55b9 100644
--- a/crypt_algo.hpp
+++ b/crypt_algo.hpp
@@ -20,11 +20,12 @@
* When payload data is encrypted, there may be additional “Confidentiality
* Header” and/or “Confidentiality Trailer” fields that are included within the
* payload. The size and definition of those fields is specific to the
- * particular confidentiality algorithm.
+ * particular confidentiality algorithm. Based on security recommendations
+ * encrypting IPMI traffic is preferred, so NONE is not supported.
*/
enum class Algorithms : uint8_t
{
- NONE, /**< No encryption (mandatory option) */
+ NONE, /**< No encryption (mandatory , not supported) */
AES_CBC_128, /**< AES-CBC-128 Algorithm (mandatory option) */
xRC4_128, /**< xRC4-128 Algorithm (optional option) */
xRC4_40, /**< xRC4-40 Algorithm (optional option) */
@@ -86,7 +87,7 @@
*/
static bool isAlgorithmSupported(Algorithms algo)
{
- if (algo == Algorithms::NONE || algo == Algorithms::AES_CBC_128)
+ if (algo == Algorithms::AES_CBC_128)
{
return true;
}
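Review bot: With NONE removed, the condition in `isAlgorithmSupported` accepts a single value, so the `if`/`return true` block can collapse to `return algo == Algorithms::AES_CBC_128;`, assuming the rest of the body outside the hunk is only the fall-through `return false`. A short comment beside it, such as `// NONE is mandatory in the spec but deliberately rejected: payloads must be encrypted`, would keep a later maintainer from re-adding it for spec compliance.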
diff --git a/integrity_algo.hpp b/integrity_algo.hpp
index 81f7da7..3d56b82 100644
--- a/integrity_algo.hpp
+++ b/integrity_algo.hpp
@@ -17,15 +17,16 @@
* contents for the AuthCode “signature” field that accompanies authenticated
* IPMI v2.0/RMCP+ messages once the session has been established. If the
* Integrity Algorithm is none the AuthCode value is not calculated and the
- * AuthCode field in the message is not present.
+ * AuthCode field in the message is not present. Based on security
+ * recommendations NONE will not be supported.
*/
enum class Algorithms : uint8_t
{
- NONE, // Mandatory
- HMAC_SHA1_96, // Mandatory
- HMAC_MD5_128, // Optional
- MD5_128, // Optional
- HMAC_SHA256_128, // Optional
+ NONE, // Mandatory (implemented, not supported)
+ HMAC_SHA1_96, // Mandatory (implemented, default choice in ipmitool)
+ HMAC_MD5_128, // Optional (not implemented)
+ MD5_128, // Optional (not implemented)
+ HMAC_SHA256_128, // Optional (implemented, best available)
};
/**
@@ -90,8 +91,7 @@
*/
static bool isAlgorithmSupported(Algorithms algo)
{
- if (algo == Algorithms::NONE ||
- algo == Algorithms::HMAC_SHA1_96 ||
+ if (algo == Algorithms::HMAC_SHA1_96 ||
algo == Algorithms::HMAC_SHA256_128)
{
return true;