|
 |
e9ef0e |
diff -urNp old/doc/ipmitool.1 new/doc/ipmitool.1
|
|
|
e9ef0e |
--- old/doc/ipmitool.1 2017-02-06 10:20:02.254362909 +0100
|
|
|
e9ef0e |
+++ new/doc/ipmitool.1 2017-02-06 10:33:41.729294474 +0100
|
|
|
e9ef0e |
@@ -372,6 +372,20 @@ Configure user access information on the
|
|
|
e9ef0e |
|
|
|
e9ef0e |
Displays the list of cipher suites supported for the given
|
|
|
e9ef0e |
application (ipmi or sol) on the given channel.
|
|
|
e9ef0e |
+.TP
|
|
|
e9ef0e |
+\fIsetkg\fP <\fIhex\fP|\fIplain\fP> <\fBkey\fP> [<\fBchannel\fR>]
|
|
|
e9ef0e |
+.br
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+Sets K_g key to given value. Use \fIplain\fP to specify \fBkey\fR as simple ASCII string.
|
|
|
e9ef0e |
+Use \fIhex\fP to specify \fBkey\fR as sequence of hexadecimal codes of ASCII charactes.
|
|
|
e9ef0e |
+I.e. following two examples are equivalent:
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+.RS
|
|
|
e9ef0e |
+ipmitool channel setkg plain PASSWORD
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ipmitool channel setkg hex 50415353574F5244
|
|
|
e9ef0e |
+.RE
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
.RE
|
|
|
e9ef0e |
.RE
|
|
|
e9ef0e |
.TP
|
|
|
e9ef0e |
diff -urNp old/include/ipmitool/helper.h new/include/ipmitool/helper.h
|
|
|
e9ef0e |
--- old/include/ipmitool/helper.h 2017-02-06 10:20:02.254362909 +0100
|
|
|
e9ef0e |
+++ new/include/ipmitool/helper.h 2017-02-06 10:40:07.336136844 +0100
|
|
|
e9ef0e |
@@ -58,6 +58,8 @@
|
|
|
e9ef0e |
# define IPMI_UID_MAX 63
|
|
|
e9ef0e |
#endif
|
|
|
e9ef0e |
|
|
|
e9ef0e |
+#define IPMI_KG_BUFFER_SIZE 21 /* key plus null byte */
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
struct ipmi_intf;
|
|
|
e9ef0e |
|
|
|
e9ef0e |
struct valstr {
|
|
|
e9ef0e |
diff -urNp old/include/ipmitool/ipmi_channel.h new/include/ipmitool/ipmi_channel.h
|
|
|
e9ef0e |
--- old/include/ipmitool/ipmi_channel.h 2017-02-06 10:20:02.253316684 +0100
|
|
|
e9ef0e |
+++ new/include/ipmitool/ipmi_channel.h 2017-02-06 10:58:15.291287621 +0100
|
|
|
e9ef0e |
@@ -49,6 +49,10 @@
|
|
|
e9ef0e |
#define IPMI_GET_USER_NAME 0x46
|
|
|
e9ef0e |
#define IPMI_SET_USER_PASSWORD 0x47
|
|
|
e9ef0e |
#define IPMI_GET_CHANNEL_CIPHER_SUITES 0x54
|
|
|
e9ef0e |
+#define IPMI_SET_CHANNEL_SECURITY_KEYS 0x56
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+#define IPMI_KG_KEY_ID 1
|
|
|
e9ef0e |
+#define IPMI_SET_CHANNEL_SECURITY_KEYS_OP_SET 1
|
|
|
e9ef0e |
|
|
|
e9ef0e |
/* These are for channel_info_t.session_support */
|
|
|
e9ef0e |
#define IPMI_CHANNEL_SESSION_LESS 0x00
|
|
|
e9ef0e |
@@ -137,6 +141,40 @@ int _ipmi_set_channel_access(struct ipmi
|
|
|
e9ef0e |
struct channel_access_t channel_access, uint8_t access_option,
|
|
|
e9ef0e |
uint8_t privilege_option);
|
|
|
e9ef0e |
|
|
|
e9ef0e |
+struct set_channel_security_keys_req {
|
|
|
e9ef0e |
+#if WORDS_BIGENDIAN
|
|
|
e9ef0e |
+ uint8_t __reserved1 :4;
|
|
|
e9ef0e |
+ uint8_t channel :4;
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ uint8_t __reserved2 :6;
|
|
|
e9ef0e |
+ uint8_t operation :2;
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ uint8_t key_id;
|
|
|
e9ef0e |
+ unsigned char key_value[IPMI_KG_BUFFER_SIZE-1]; /* we don't want space for '\0' at the end */
|
|
|
e9ef0e |
+#else
|
|
|
e9ef0e |
+ uint8_t channel :4;
|
|
|
e9ef0e |
+ uint8_t __reserved1 :4;
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ uint8_t operation :2;
|
|
|
e9ef0e |
+ uint8_t __reserved2 :6;
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ uint8_t key_id;
|
|
|
e9ef0e |
+ unsigned char key_value[IPMI_KG_BUFFER_SIZE-1]; /* we don't want space for '\0' at the end */
|
|
|
e9ef0e |
+#endif
|
|
|
e9ef0e |
+} __attribute__ ((packed));
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+struct set_channel_security_keys_rsp {
|
|
|
e9ef0e |
+#if WORDS_BIGENDIAN
|
|
|
e9ef0e |
+ uint8_t __reserved1 :6;
|
|
|
e9ef0e |
+ uint8_t lock_status :2;
|
|
|
e9ef0e |
+ unsigned char key_value; /* just the first character, use &key_value to explore the rest */
|
|
|
e9ef0e |
+#else
|
|
|
e9ef0e |
+ uint8_t lock_status :2;
|
|
|
e9ef0e |
+ uint8_t __reserved1 :6;
|
|
|
e9ef0e |
+ unsigned char key_value; /* just the first character, use &key_value to explore the rest */
|
|
|
e9ef0e |
+#endif
|
|
|
e9ef0e |
+} __attribute__ ((packed));
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
uint8_t ipmi_get_channel_medium(struct ipmi_intf * intf, uint8_t channel);
|
|
|
e9ef0e |
uint8_t ipmi_current_channel_medium(struct ipmi_intf * intf);
|
|
|
e9ef0e |
int ipmi_channel_main(struct ipmi_intf * intf, int argc, char ** argv);
|
|
|
e9ef0e |
diff -urNp old/include/ipmitool/ipmi_intf.h new/include/ipmitool/ipmi_intf.h
|
|
|
e9ef0e |
--- old/include/ipmitool/ipmi_intf.h 2017-02-06 10:20:02.254362909 +0100
|
|
|
e9ef0e |
+++ new/include/ipmitool/ipmi_intf.h 2017-02-06 10:40:40.264577602 +0100
|
|
|
e9ef0e |
@@ -60,7 +60,6 @@ enum LANPLUS_SESSION_STATE {
|
|
|
e9ef0e |
|
|
|
e9ef0e |
#define IPMI_AUTHCODE_BUFFER_SIZE 20
|
|
|
e9ef0e |
#define IPMI_SIK_BUFFER_SIZE IPMI_MAX_MD_SIZE
|
|
|
e9ef0e |
-#define IPMI_KG_BUFFER_SIZE 21 /* key plus null byte */
|
|
|
e9ef0e |
|
|
|
e9ef0e |
struct ipmi_session_params {
|
|
|
e9ef0e |
char * hostname;
|
|
|
e9ef0e |
diff -urNp old/lib/ipmi_channel.c new/lib/ipmi_channel.c
|
|
|
e9ef0e |
--- old/lib/ipmi_channel.c 2017-02-06 10:20:02.255409134 +0100
|
|
|
e9ef0e |
+++ new/lib/ipmi_channel.c 2017-02-06 12:32:14.222282317 +0100
|
|
|
e9ef0e |
@@ -821,6 +821,92 @@ ipmi_set_user_access(struct ipmi_intf *i
|
|
|
e9ef0e |
return 0;
|
|
|
e9ef0e |
}
|
|
|
e9ef0e |
|
|
|
e9ef0e |
+int
|
|
|
e9ef0e |
+ipmi_set_channel_security_keys (struct ipmi_intf *intf, uint8_t channel, const char *method, const char *key)
|
|
|
e9ef0e |
+{
|
|
|
e9ef0e |
+ uint8_t kgkey[IPMI_KG_BUFFER_SIZE];
|
|
|
e9ef0e |
+ struct ipmi_rs *rsp;
|
|
|
e9ef0e |
+ struct ipmi_rq req;
|
|
|
e9ef0e |
+ struct set_channel_security_keys_req req_data;
|
|
|
e9ef0e |
+ int rc = -1;
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ /* convert provided key to array of bytes */
|
|
|
e9ef0e |
+ if (strcmp(method, "hex") == 0) {
|
|
|
e9ef0e |
+ if (strlen(key) > (IPMI_KG_BUFFER_SIZE-1)*2) {
|
|
|
e9ef0e |
+ lprintf(LOG_ERR, "Provided key is too long, max. length is %d bytes", (IPMI_KG_BUFFER_SIZE-1));
|
|
|
e9ef0e |
+ printf_channel_usage();
|
|
|
e9ef0e |
+ return -1;
|
|
|
e9ef0e |
+ }
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ rc = ipmi_parse_hex(key, kgkey, sizeof(kgkey)-1);
|
|
|
e9ef0e |
+ if (rc == -1) {
|
|
|
e9ef0e |
+ lprintf(LOG_ERR, "Number of Kg key characters is not even");
|
|
|
e9ef0e |
+ return rc;
|
|
|
e9ef0e |
+ } else if (rc == -3) {
|
|
|
e9ef0e |
+ lprintf(LOG_ERR, "Kg key is not hexadecimal number");
|
|
|
e9ef0e |
+ return rc;
|
|
|
e9ef0e |
+ } else if (rc > (IPMI_KG_BUFFER_SIZE-1)) {
|
|
|
e9ef0e |
+ lprintf(LOG_ERR, "Kg key is too long");
|
|
|
e9ef0e |
+ return rc;
|
|
|
e9ef0e |
+ }
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ } else if (strcmp(method, "plain") == 0) {
|
|
|
e9ef0e |
+ if (strlen(key) > IPMI_KG_BUFFER_SIZE-1) {
|
|
|
e9ef0e |
+ lprintf(LOG_ERR, "Provided key is too long, max. length is %d bytes", (IPMI_KG_BUFFER_SIZE -1));
|
|
|
e9ef0e |
+ printf_channel_usage();
|
|
|
e9ef0e |
+ return rc;
|
|
|
e9ef0e |
+ }
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ strncpy(kgkey, key, IPMI_KG_BUFFER_SIZE-1);
|
|
|
e9ef0e |
+ } else {
|
|
|
e9ef0e |
+ printf_channel_usage();
|
|
|
e9ef0e |
+ return rc;
|
|
|
e9ef0e |
+ }
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ /* assemble and send request to set kg key */
|
|
|
e9ef0e |
+ memset(&req_data, 0, sizeof(req_data));
|
|
|
e9ef0e |
+ req_data.channel = channel;
|
|
|
e9ef0e |
+ req_data.operation = IPMI_SET_CHANNEL_SECURITY_KEYS_OP_SET;
|
|
|
e9ef0e |
+ req_data.key_id = IPMI_KG_KEY_ID;
|
|
|
e9ef0e |
+ memcpy(req_data.key_value, kgkey, IPMI_KG_BUFFER_SIZE-1);
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ memset(&req, 0, sizeof(req));
|
|
|
e9ef0e |
+ req.msg.netfn = IPMI_NETFN_APP;
|
|
|
e9ef0e |
+ req.msg.cmd = IPMI_SET_CHANNEL_SECURITY_KEYS;
|
|
|
e9ef0e |
+ req.msg.data = (uint8_t*) &req_data;
|
|
|
e9ef0e |
+ req.msg.data_len = sizeof(req_data);
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ rsp = intf->sendrecv(intf, &req;;
|
|
|
e9ef0e |
+ if (rsp == NULL) {
|
|
|
e9ef0e |
+ lprintf(LOG_ERR, "Set Channel Security Keys command failed");
|
|
|
e9ef0e |
+ return rc;
|
|
|
e9ef0e |
+ }
|
|
|
e9ef0e |
+ if (rsp->ccode > 0) {
|
|
|
e9ef0e |
+ const char *error = NULL;
|
|
|
e9ef0e |
+ switch (rsp->ccode) {
|
|
|
e9ef0e |
+ case 0x80:
|
|
|
e9ef0e |
+ error = "Key is locked";
|
|
|
e9ef0e |
+ break;
|
|
|
e9ef0e |
+ case 0x81:
|
|
|
e9ef0e |
+ error = "Insufficient key bytes";
|
|
|
e9ef0e |
+ break;
|
|
|
e9ef0e |
+ case 0x82:
|
|
|
e9ef0e |
+ error = "Too many key bytes";
|
|
|
e9ef0e |
+ break;
|
|
|
e9ef0e |
+ case 0x83:
|
|
|
e9ef0e |
+ error = "Key value does not meet criteria for K_g key";
|
|
|
e9ef0e |
+ break;
|
|
|
e9ef0e |
+ default:
|
|
|
e9ef0e |
+ error = val2str(rsp->ccode, completion_code_vals);
|
|
|
e9ef0e |
+ }
|
|
|
e9ef0e |
+ lprintf(LOG_ERR, "Error setting security key: %X (%s)", rsp->ccode, error);
|
|
|
e9ef0e |
+ return rc;
|
|
|
e9ef0e |
+ }
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ lprintf(LOG_NOTICE, "Set Channel Security Keys command succeeded");
|
|
|
e9ef0e |
+ return 0;
|
|
|
e9ef0e |
+}
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
int
|
|
|
e9ef0e |
ipmi_channel_main(struct ipmi_intf *intf, int argc, char **argv)
|
|
|
e9ef0e |
{
|
|
|
e9ef0e |
@@ -890,6 +976,19 @@ ipmi_channel_main(struct ipmi_intf *intf
|
|
|
e9ef0e |
retval = ipmi_get_channel_cipher_suites(intf,
|
|
|
e9ef0e |
argv[1], /* ipmi | sol */
|
|
|
e9ef0e |
channel);
|
|
|
e9ef0e |
+ } else if (strncmp(argv[0], "setkg", 5) == 0) {
|
|
|
e9ef0e |
+ if (argc < 3 || argc > 4)
|
|
|
e9ef0e |
+ printf_channel_usage();
|
|
|
e9ef0e |
+ else {
|
|
|
e9ef0e |
+ uint8_t ch = 0xe;
|
|
|
e9ef0e |
+ char *method = argv[1];
|
|
|
e9ef0e |
+ char *key = argv[2];
|
|
|
e9ef0e |
+ if (argc == 4) {
|
|
|
e9ef0e |
+ ch = (uint8_t)strtol(argv[3], NULL, 0);
|
|
|
e9ef0e |
+ }
|
|
|
e9ef0e |
+
|
|
|
e9ef0e |
+ retval = ipmi_set_channel_security_keys(intf, ch, method, key);
|
|
|
e9ef0e |
+ }
|
|
|
e9ef0e |
} else {
|
|
|
e9ef0e |
lprintf(LOG_ERR, "Invalid CHANNEL command: %s\n", argv[0]);
|
|
|
e9ef0e |
printf_channel_usage();
|
|
|
e9ef0e |
@@ -916,6 +1015,10 @@ printf_channel_usage()
|
|
|
e9ef0e |
lprintf(LOG_NOTICE,
|
|
|
e9ef0e |
"");
|
|
|
e9ef0e |
lprintf(LOG_NOTICE,
|
|
|
e9ef0e |
+" setkg hex|plain <key> [channel]");
|
|
|
e9ef0e |
+ lprintf(LOG_NOTICE,
|
|
|
e9ef0e |
+"");
|
|
|
e9ef0e |
+ lprintf(LOG_NOTICE,
|
|
|
e9ef0e |
"Possible privilege levels are:");
|
|
|
e9ef0e |
lprintf(LOG_NOTICE,
|
|
|
e9ef0e |
" 1 Callback level");
|
|
|
e9ef0e |
diff -urNp old/src/plugins/ipmi_intf.c new/src/plugins/ipmi_intf.c
|
|
|
e9ef0e |
--- old/src/plugins/ipmi_intf.c 2017-02-06 10:20:02.257501584 +0100
|
|
|
e9ef0e |
+++ new/src/plugins/ipmi_intf.c 2017-02-06 10:42:12.585257810 +0100
|
|
|
e9ef0e |
@@ -55,6 +55,7 @@
|
|
|
e9ef0e |
#include <ipmitool/ipmi.h>
|
|
|
e9ef0e |
#include <ipmitool/ipmi_sdr.h>
|
|
|
e9ef0e |
#include <ipmitool/log.h>
|
|
|
e9ef0e |
+#include <ipmitool/helper.h>
|
|
|
e9ef0e |
|
|
|
e9ef0e |
#define IPMI_DEFAULT_PAYLOAD_SIZE 25
|
|
|
e9ef0e |
|