Remove the support for insecure protocols in RMCP+
After this change, the two supported cipher suites for RMCP+ are cipher
suites 3 and 17. Cipher suite 3 is the default choice for ipmitool when
no cipher suite is explicitly specified.
The supported algorithms are the following:
Authentication: a) RAKP-HMAC-SHA1, b) RAKP-HMAC-SHA256
Integrity: a) HMAC-SHA1-96, b) HMAC-SHA256-128
Confidentiality: a) AES-CBC-128
Change-Id: Ia2fbaae29235e4bd43c42b59a2295a2db28efce3
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
diff --git a/integrity_algo.hpp b/integrity_algo.hpp
index 81f7da7..3d56b82 100644
--- a/integrity_algo.hpp
+++ b/integrity_algo.hpp
@@ -17,15 +17,16 @@
* contents for the AuthCode “signature” field that accompanies authenticated
* IPMI v2.0/RMCP+ messages once the session has been established. If the
* Integrity Algorithm is none the AuthCode value is not calculated and the
- * AuthCode field in the message is not present.
+ * AuthCode field in the message is not present. Based on security
+ * recommendations NONE will not be supported.
*/
enum class Algorithms : uint8_t
{
- NONE, // Mandatory
- HMAC_SHA1_96, // Mandatory
- HMAC_MD5_128, // Optional
- MD5_128, // Optional
- HMAC_SHA256_128, // Optional
+ NONE, // Mandatory (implemented, not supported)
+ HMAC_SHA1_96, // Mandatory (implemented, default choice in ipmitool)
+ HMAC_MD5_128, // Optional (not implemented)
+ MD5_128, // Optional (not implemented)
+ HMAC_SHA256_128, // Optional (implemented, best available)
};
/**
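Review bot: The new enumerator comment `NONE, // Mandatory (implemented, not supported)` is ambiguous, because a reader cannot tell whether "not supported" means the code path is gone or that the value is refused when a session asks for it. I would name the place that refuses it, e.g. `NONE, // Mandatory in the spec; rejected by isAlgorithmSupported()`, and word the block comment the same way: `Based on security recommendations NONE is rejected by isAlgorithmSupported().` For HMAC_MD5_128 and MD5_128, `// Optional (not implemented, rejected)` would make clear that these values stay in the enum but are never accepted.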
@@ -90,8 +91,7 @@
*/
static bool isAlgorithmSupported(Algorithms algo)
{
- if (algo == Algorithms::NONE ||
- algo == Algorithms::HMAC_SHA1_96 ||
+ if (algo == Algorithms::HMAC_SHA1_96 ||
algo == Algorithms::HMAC_SHA256_128)
{
return true;
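Review bot: With `Algorithms::NONE` dropped from this condition, isAlgorithmSupported is presumably the allow-list that keeps sessions without an integrity AuthCode from being accepted, but nothing in the lines shown pins that behaviour. I would add a unit test asserting that `isAlgorithmSupported(Algorithms::NONE)` returns false, and likewise for `HMAC_MD5_128` and `MD5_128`, so that a later edit to the condition cannot quietly re-enable them. The function's doc comment starts above the hunk and its body ends below it, so I cannot see whether that comment still lists NONE as supported; if it does, it should read along the lines of `Only HMAC_SHA1_96 and HMAC_SHA256_128 are accepted.`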