diff --git a/SOURCES/0008-CVE-2020-5208.patch b/SOURCES/0008-CVE-2020-5208.patch deleted file mode 100644 index 2317f21..0000000 --- a/SOURCES/0008-CVE-2020-5208.patch +++ /dev/null @@ -1,365 +0,0 @@ -From 0e8ff944e776ba50cafeb4270ab439f689beed94 Mon Sep 17 00:00:00 2001 -From: Chrostoper Ertl -Date: Thu, 28 Nov 2019 16:33:59 +0000 -Subject: [PATCH] Fixes for CVE-2020-5208 - -see https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp - -This patch is combination of following commits: - -pick e824c23316ae50beb7f7488f2055ac65e8b341f2 fru: Fix buffer overflow vulnerabilities -pick 840fb1cbb4fb365cb9797300e3374d4faefcdb10 fru: Fix buffer overflow in ipmi_spd_print_fru -pick 41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 session: Fix buffer overflow in ipmi_get_session_info -pick d45572d71e70840e0d4c50bf48218492b79c1a10 lanp: Fix buffer overflows in get_lan_param_select -pick 7ccea283dd62a05a320c1921e3d8d71a87772637 fru, sdr: Fix id_string buffer overflows - -[vdolezal@redhat.com]: fixed memleak of `spd_data` in - lib/dimm_spd.c:ipmi_spd_print_fru() ---- - lib/dimm_spd.c | 11 ++++++++++- - lib/ipmi_fru.c | 35 ++++++++++++++++++++++++++++++++--- - lib/ipmi_lanp.c | 14 +++++++------- - lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++---------------- - lib/ipmi_session.c | 12 ++++++++---- - 5 files changed, 81 insertions(+), 31 deletions(-) - -diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c -index 41e30db..ebcc94c 100644 ---- a/lib/dimm_spd.c -+++ b/lib/dimm_spd.c -@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) - struct ipmi_rq req; - struct fru_info fru; - uint8_t *spd_data, msg_data[4]; -- int len, offset; -+ uint32_t len, offset; - - msg_data[0] = id; - -@@ -1697,6 +1697,15 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) - } - - len = rsp->data[0]; -+ if(rsp->data_len < 1 -+ || len > rsp->data_len - 1 -+ || len > fru.size - offset) -+ { -+ printf(" Not enough buffer size"); -+ free(spd_data); -+ spd_data = NULL; -+ return -1; -+ } - memcpy(&spd_data[offset], rsp->data + 1, len); - offset += len; - } while (offset < fru.size); -diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c -index cf00eff..98bc984 100644 ---- a/lib/ipmi_fru.c -+++ b/lib/ipmi_fru.c -@@ -615,7 +615,10 @@ int - read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - uint32_t offset, uint32_t length, uint8_t *frubuf) - { -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp; -+ uint32_t finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - } - } - -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } -+ - memcpy(frubuf, rsp->data + 1, tmp); - off += tmp; - frubuf += tmp; -+ size_left_in_buffer -= tmp; - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function - * still attempts to parse what was returned */ -@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - uint32_t offset, uint32_t length, uint8_t *frubuf) - { - static uint32_t fru_data_rqst_size = 20; -- uint32_t off = offset, tmp, finish; -+ uint32_t off = offset; -+ uint32_t tmp, finish; -+ uint32_t size_left_in_buffer; - struct ipmi_rs * rsp; - struct ipmi_rq req; - uint8_t msg_data[4]; -@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - - finish = offset + length; - if (finish > fru->size) { -+ memset(frubuf + fru->size, 0, length - fru->size); - finish = fru->size; - lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " - "Adjusting to %d", - offset + length, finish - offset); -+ length = finish - offset; - } - - memset(&req, 0, sizeof(req)); -@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - if (fru->access && fru_data_rqst_size > 16) - #endif - fru_data_rqst_size = 16; -+ -+ size_left_in_buffer = length; - do { - tmp = fru->access ? off >> 1 : off; - msg_data[0] = id; -@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, - } - - tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; -+ if(rsp->data_len < 1 -+ || tmp > rsp->data_len - 1 -+ || tmp > size_left_in_buffer) -+ { -+ printf(" Not enough buffer size"); -+ return -1; -+ } - memcpy((frubuf + off)-offset, rsp->data + 1, tmp); - off += tmp; -+ size_left_in_buffer -= tmp; - - /* sometimes the size returned in the Info command - * is too large. return 0 so higher level function -@@ -3033,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru) - return 0; - - memset(desc, 0, sizeof(desc)); -- memcpy(desc, fru->id_string, fru->id_code & 0x01f); -+ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); - desc[fru->id_code & 0x01f] = 0; - printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); - -diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c -index 65d881b..022c7f1 100644 ---- a/lib/ipmi_lanp.c -+++ b/lib/ipmi_lanp.c -@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - /* set new ipaddr */ - memcpy(data+3, temp, 4); - printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert, -@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - /* set new macaddr */ - memcpy(data+7, temp, 6); - printf("Setting LAN Alert %d MAC Address to " -@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (strncasecmp(argv[1], "def", 3) == 0 || - strncasecmp(argv[1], "default", 7) == 0) { -@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (strncasecmp(argv[1], "on", 2) == 0 || - strncasecmp(argv[1], "yes", 3) == 0) { -@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (strncasecmp(argv[1], "pet", 3) == 0) { - printf("Setting LAN Alert %d destination to PET Trap\n", alert); -@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (str2uchar(argv[1], &data[2]) != 0) { - lprintf(LOG_ERR, "Invalid time: %s", argv[1]); -@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, - if (p == NULL) { - return (-1); - } -- memcpy(data, p->data, p->data_len); -+ memcpy(data, p->data, __min(p->data_len, sizeof(data))); - - if (str2uchar(argv[1], &data[3]) != 0) { - lprintf(LOG_ERR, "Invalid retry: %s", argv[1]); -diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c -index fd2c02d..01d81f7 100644 ---- a/lib/ipmi_sdr.c -+++ b/lib/ipmi_sdr.c -@@ -2086,7 +2086,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf, - return -1; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); - - if (verbose) { - printf("Sensor ID : %s (0x%x)\n", -@@ -2137,7 +2137,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf, - return -1; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); - - if (verbose == 0) { - if (csv_output) -@@ -2230,7 +2230,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf, - char desc[17]; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); - - if (!verbose) { - if (csv_output) -@@ -2287,7 +2287,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf, - char desc[17]; - - memset(desc, 0, sizeof (desc)); -- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); -+ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); - - if (!verbose) { - if (csv_output) -@@ -2491,35 +2491,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf, uint16_t id, - - int rc =0; - char desc[17]; -+ const char *id_string; -+ uint8_t id_code; - memset(desc, ' ', sizeof (desc)); - - switch ( type) { - case SDR_RECORD_TYPE_FULL_SENSOR: - record.full = (struct sdr_record_full_sensor *) raw; -- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", -- (const char *)record.full->id_string); -+ id_code = record.full->id_code; -+ id_string = record.full->id_string; - break; -+ - case SDR_RECORD_TYPE_COMPACT_SENSOR: - record.compact = (struct sdr_record_compact_sensor *) raw ; -- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", -- (const char *)record.compact->id_string); -+ id_code = record.compact->id_code; -+ id_string = record.compact->id_string; - break; -+ - case SDR_RECORD_TYPE_EVENTONLY_SENSOR: - record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; -- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", -- (const char *)record.eventonly->id_string); -- break; -+ id_code = record.eventonly->id_code; -+ id_string = record.eventonly->id_string; -+ break; -+ - case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: - record.mcloc = (struct sdr_record_mc_locator *) raw ; -- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", -- (const char *)record.mcloc->id_string); -+ id_code = record.mcloc->id_code; -+ id_string = record.mcloc->id_string; - break; -+ - default: - rc = -1; -- break; -- } -+ } -+ if (!rc) { -+ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); -+ } - -- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); -+ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); - return rc; - } - -diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c -index 141f0f4..b9af1fd 100644 ---- a/lib/ipmi_session.c -+++ b/lib/ipmi_session.c -@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, - } - else - { -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); - } - break; - -@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, - break; - } - -- memcpy(&session_info, rsp->data, rsp->data_len); -- print_session_info(&session_info, rsp->data_len); -+ memcpy(&session_info, rsp->data, -+ __min(rsp->data_len, sizeof(session_info))); -+ print_session_info(&session_info, -+ __min(rsp->data_len, sizeof(session_info))); - - } while (i <= session_info.session_slot_count); - break; --- -2.20.1 - diff --git a/SOURCES/0008-use-best-cipher.patch b/SOURCES/0008-use-best-cipher.patch new file mode 100644 index 0000000..e122e58 --- /dev/null +++ b/SOURCES/0008-use-best-cipher.patch @@ -0,0 +1,864 @@ +From 260293c0ee5a268bc7fc1483e5304546745122a6 Mon Sep 17 00:00:00 2001 +From: Vernon Mauery +Date: Mon, 9 Apr 2018 12:28:57 -0700 +Subject: [PATCH] lanplus: Auto-select 'best' cipher suite available + +Current cipher suites could be ranked as this: + 17 > 3 >> all the rest + +Cherry-picked-from: 7772254b62826b894ca629df8c597030a98f4f72 +Cherry-picked-from: f9c699c712f884c82fc1a62f1f61a8d597ac0cfd + +Also fetched some functions/macros for helper.h + +Equals to getting include/ipmitool/helper.h changes from commits: +(oldest first) + + 6c00d44 mc: watchdog get: Update to match IPMI 2.0 spec + e8e94d8 mc: watchdog set: Refactor to reduce complexity + 0310208 mc: Code refactor to reduce copy-paste ratio + 249e092 general: Make byteswapping arch-independent + 5491b12 refix 249e0929: Fix byteswapping helpers + bb1a4cc Refactoring. Improve code reuse ratio. +--- + include/ipmitool/helper.h | 58 ++++++++ + include/ipmitool/ipmi_channel.h | 47 +++++++ + include/ipmitool/ipmi_intf.h | 39 ++++- + lib/ipmi_channel.c | 242 +++++++++++++++----------------- + lib/ipmi_main.c | 23 +-- + src/plugins/ipmi_intf.c | 5 +- + src/plugins/lanplus/lanplus.c | 114 +++++++++++---- + 7 files changed, 360 insertions(+), 168 deletions(-) + +diff --git a/include/ipmitool/helper.h b/include/ipmitool/helper.h +index c53736f..6a2e5f4 100644 +--- a/include/ipmitool/helper.h ++++ b/include/ipmitool/helper.h +@@ -38,6 +38,8 @@ + #include + #include + ++#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0])) ++ + #ifndef TRUE + #define TRUE 1 + #endif +@@ -111,6 +113,62 @@ FILE * ipmi_open_file(const char * file, int rw); + void ipmi_start_daemon(struct ipmi_intf *intf); + uint16_t ipmi_get_oem_id(struct ipmi_intf *intf); + ++#define IS_SET(v, b) ((v) & (1 << (b))) ++ ++/* le16toh(), hto16le(), et. al. don't exist for Windows or Apple */ ++/* For portability, let's simply define our own versions here */ ++ ++/* IPMI is always little-endian */ ++static inline uint16_t ipmi16toh(void *ipmi16) ++{ ++ uint8_t *ipmi = (uint8_t *)ipmi16; ++ uint16_t h; ++ ++ h = ipmi[1] << 8; /* MSB */ ++ h |= ipmi[0]; /* LSB */ ++ ++ return h; ++} ++ ++static inline void htoipmi16(uint16_t h, uint8_t *ipmi) ++{ ++ ipmi[0] = h & 0xFF; /* LSB */ ++ ipmi[1] = h >> 8; /* MSB */ ++} ++ ++static inline uint32_t ipmi24toh(void *ipmi24) ++{ ++ uint8_t *ipmi = (uint8_t *)ipmi24; ++ uint32_t h = 0; ++ ++ h = ipmi[2] << 16; /* MSB */ ++ h |= ipmi[1] << 8; ++ h |= ipmi[0]; /* LSB */ ++ ++ return h; ++} ++ ++static inline uint32_t ipmi32toh(void *ipmi32) ++{ ++ uint8_t *ipmi = ipmi32; ++ uint32_t h; ++ ++ h = ipmi[3] << 24; /* MSB */ ++ h |= ipmi[2] << 16; ++ h |= ipmi[1] << 8; ++ h |= ipmi[0]; /* LSB */ ++ ++ return h; ++} ++ ++static inline void htoipmi32(uint32_t h, uint8_t *ipmi) ++{ ++ ipmi[0] = h & 0xFF; /* LSB */ ++ ipmi[1] = (h >> 8) & 0xFF; ++ ipmi[2] = (h >> 16) & 0xFF; ++ ipmi[3] = (h >> 24) & 0xFF; /* MSB */ ++} ++ + #define ipmi_open_file_read(file) ipmi_open_file(file, 0) + #define ipmi_open_file_write(file) ipmi_open_file(file, 1) + +diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h +index 3ade2d5..324c0bb 100644 +--- a/include/ipmitool/ipmi_channel.h ++++ b/include/ipmitool/ipmi_channel.h +@@ -37,6 +37,7 @@ + # include + #endif + #include ++#include + + + #define IPMI_GET_CHANNEL_AUTH_CAP 0x38 +@@ -81,6 +82,50 @@ struct channel_access_t { + uint8_t user_level_auth; + }; + ++/* ++ * The Cipher Suite Record Format from table 22-18 of the IPMI v2.0 spec ++ */ ++enum cipher_suite_format_tag { ++ STANDARD_CIPHER_SUITE = 0xc0, ++ OEM_CIPHER_SUITE = 0xc1, ++}; ++#ifdef HAVE_PRAGMA_PACK ++#pragma pack(1) ++#endif ++struct std_cipher_suite_record_t { ++ uint8_t start_of_record; ++ uint8_t cipher_suite_id; ++ uint8_t auth_alg; ++ uint8_t integrity_alg; ++ uint8_t crypt_alg; ++} ATTRIBUTE_PACKING; ++struct oem_cipher_suite_record_t { ++ uint8_t start_of_record; ++ uint8_t cipher_suite_id; ++ uint8_t iana[3]; ++ uint8_t auth_alg; ++ uint8_t integrity_alg; ++ uint8_t crypt_alg; ++} ATTRIBUTE_PACKING; ++#ifdef HAVE_PRAGMA_PACK ++#pragma pack(0) ++#endif ++#define CIPHER_ALG_MASK 0x3f ++#define MAX_CIPHER_SUITE_RECORD_OFFSET 0x40 ++#define MAX_CIPHER_SUITE_DATA_LEN 0x10 ++#define LIST_ALGORITHMS_BY_CIPHER_SUITE 0x80 ++ ++/* Below is the theoretical maximum number of cipher suites that could be ++ * reported by a BMC. That is with the Get Channel Cipher Suites Command, at 16 ++ * bytes at a time and 0x40 requests, it can report 1024 bytes, which is about ++ * 204 standard records or 128 OEM records. Really, we probably don't need more ++ * than about 20, which is the full set of standard records plus a few OEM ++ * records. ++ */ ++#define MAX_CIPHER_SUITE_COUNT (MAX_CIPHER_SUITE_RECORD_OFFSET * \ ++ MAX_CIPHER_SUITE_DATA_LEN / \ ++ sizeof(struct std_cipher_suite_record_t)) ++ + /* + * The Get Authentication Capabilities response structure + * From table 22-15 of the IPMI v2.0 spec +@@ -135,6 +180,8 @@ struct get_channel_auth_cap_rsp { + int _ipmi_get_channel_access(struct ipmi_intf *intf, + struct channel_access_t *channel_access, + uint8_t get_volatile_settings); ++int ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, ++ uint8_t channel, struct cipher_suite_info *suites, size_t *count); + int _ipmi_get_channel_info(struct ipmi_intf *intf, + struct channel_info_t *channel_info); + int _ipmi_set_channel_access(struct ipmi_intf *intf, +diff --git a/include/ipmitool/ipmi_intf.h b/include/ipmitool/ipmi_intf.h +index 0b8c64b..7a07d66 100644 +--- a/include/ipmitool/ipmi_intf.h ++++ b/include/ipmitool/ipmi_intf.h +@@ -61,13 +61,45 @@ enum LANPLUS_SESSION_STATE { + #define IPMI_AUTHCODE_BUFFER_SIZE 20 + #define IPMI_SIK_BUFFER_SIZE IPMI_MAX_MD_SIZE + ++enum cipher_suite_ids { ++ IPMI_LANPLUS_CIPHER_SUITE_0 = 0, ++ IPMI_LANPLUS_CIPHER_SUITE_1 = 1, ++ IPMI_LANPLUS_CIPHER_SUITE_2 = 2, ++ IPMI_LANPLUS_CIPHER_SUITE_3 = 3, ++ IPMI_LANPLUS_CIPHER_SUITE_4 = 4, ++ IPMI_LANPLUS_CIPHER_SUITE_5 = 5, ++ IPMI_LANPLUS_CIPHER_SUITE_6 = 6, ++ IPMI_LANPLUS_CIPHER_SUITE_7 = 7, ++ IPMI_LANPLUS_CIPHER_SUITE_8 = 8, ++ IPMI_LANPLUS_CIPHER_SUITE_9 = 9, ++ IPMI_LANPLUS_CIPHER_SUITE_10 = 10, ++ IPMI_LANPLUS_CIPHER_SUITE_11 = 11, ++ IPMI_LANPLUS_CIPHER_SUITE_12 = 12, ++ IPMI_LANPLUS_CIPHER_SUITE_13 = 13, ++ IPMI_LANPLUS_CIPHER_SUITE_14 = 14, ++#ifdef HAVE_CRYPTO_SHA256 ++ IPMI_LANPLUS_CIPHER_SUITE_15 = 15, ++ IPMI_LANPLUS_CIPHER_SUITE_16 = 16, ++ IPMI_LANPLUS_CIPHER_SUITE_17 = 17, ++#endif /* HAVE_CRYPTO_SHA256 */ ++ IPMI_LANPLUS_CIPHER_SUITE_RESERVED = 0xff, ++}; ++ ++struct cipher_suite_info { ++ enum cipher_suite_ids cipher_suite_id; ++ uint8_t auth_alg; ++ uint8_t integrity_alg; ++ uint8_t crypt_alg; ++ uint32_t iana; ++}; ++ + struct ipmi_session_params { + char * hostname; + uint8_t username[17]; + uint8_t authcode_set[IPMI_AUTHCODE_BUFFER_SIZE + 1]; + uint8_t authtype_set; + uint8_t privlvl; +- uint8_t cipher_suite_id; ++ enum cipher_suite_ids cipher_suite_id; + char sol_escape_char; + int password; + int port; +@@ -217,7 +249,10 @@ void ipmi_intf_session_set_username(struct ipmi_intf * intf, char * username); + void ipmi_intf_session_set_password(struct ipmi_intf * intf, char * password); + void ipmi_intf_session_set_privlvl(struct ipmi_intf * intf, uint8_t privlvl); + void ipmi_intf_session_set_lookupbit(struct ipmi_intf * intf, uint8_t lookupbit); +-void ipmi_intf_session_set_cipher_suite_id(struct ipmi_intf * intf, uint8_t cipher_suite_id); ++#ifdef IPMI_INTF_LANPLUS ++void ipmi_intf_session_set_cipher_suite_id(struct ipmi_intf * intf, ++ enum cipher_suite_ids cipher_suite_id); ++#endif /* IPMI_INTF_LANPLUS */ + void ipmi_intf_session_set_sol_escape_char(struct ipmi_intf * intf, char sol_escape_char); + void ipmi_intf_session_set_kgkey(struct ipmi_intf *intf, const uint8_t *kgkey); + void ipmi_intf_session_set_port(struct ipmi_intf * intf, int port); +diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c +index e1fc75f..3ae3104 100644 +--- a/lib/ipmi_channel.c ++++ b/lib/ipmi_channel.c +@@ -342,86 +342,116 @@ ipmi_get_channel_auth_cap(struct ipmi_intf *intf, uint8_t channel, uint8_t priv) + return 0; + } + +-static int ++static size_t ++parse_channel_cipher_suite_data(uint8_t *cipher_suite_data, size_t data_len, ++ struct cipher_suite_info* suites, size_t nr_suites) ++{ ++ size_t count = 0; ++ size_t offset = 0; ++ uint32_t iana; ++ uint8_t auth_alg, integrity_alg, crypt_alg; ++ uint8_t cipher_suite_id; ++ ++ memset(suites, 0, sizeof(*suites) * nr_suites); ++ ++ while (offset < data_len && count < nr_suites) { ++ auth_alg = IPMI_AUTH_RAKP_NONE; ++ integrity_alg = IPMI_INTEGRITY_NONE; ++ crypt_alg = IPMI_CRYPT_NONE; ++ if (cipher_suite_data[offset] == STANDARD_CIPHER_SUITE) { ++ struct std_cipher_suite_record_t *record = ++ (struct std_cipher_suite_record_t*)(&cipher_suite_data[offset]); ++ /* standard type */ ++ iana = 0; ++ ++ /* Verify that we have at least a full record left; id + 3 algs */ ++ if ((data_len - offset) < sizeof(*record)) { ++ lprintf(LOG_INFO, "Incomplete data record in cipher suite data"); ++ break; ++ } ++ cipher_suite_id = record->cipher_suite_id; ++ auth_alg = CIPHER_ALG_MASK & record->auth_alg; ++ integrity_alg = CIPHER_ALG_MASK & record->integrity_alg; ++ crypt_alg = CIPHER_ALG_MASK & record->crypt_alg; ++ offset += sizeof(*record); ++ } else if (cipher_suite_data[offset] == OEM_CIPHER_SUITE) { ++ /* OEM record type */ ++ struct oem_cipher_suite_record_t *record = ++ (struct oem_cipher_suite_record_t*)(&cipher_suite_data[offset]); ++ /* Verify that we have at least a full record left ++ * id + iana + 3 algs ++ */ ++ if ((data_len - offset) < sizeof(*record)) { ++ lprintf(LOG_INFO, "Incomplete data record in cipher suite data"); ++ break; ++ } ++ ++ cipher_suite_id = record->cipher_suite_id; ++ ++ /* Grab the IANA */ ++ iana = ipmi24toh(record->iana); ++ auth_alg = CIPHER_ALG_MASK & record->auth_alg; ++ integrity_alg = CIPHER_ALG_MASK & record->integrity_alg; ++ crypt_alg = CIPHER_ALG_MASK & record->crypt_alg; ++ offset += sizeof(*record); ++ } else { ++ lprintf(LOG_INFO, "Bad start of record byte in cipher suite data (offset %d, value %x)", offset, cipher_suite_data[offset]); ++ break; ++ } ++ suites[count].cipher_suite_id = cipher_suite_id; ++ suites[count].iana = iana; ++ suites[count].auth_alg = auth_alg; ++ suites[count].integrity_alg = integrity_alg; ++ suites[count].crypt_alg = crypt_alg; ++ count++; ++ } ++ return count; ++} ++ ++int + ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, +- uint8_t channel) ++ uint8_t channel, struct cipher_suite_info *suites, size_t *count) + { + struct ipmi_rs *rsp; + struct ipmi_rq req; + + uint8_t rqdata[3]; +- uint32_t iana; +- uint8_t auth_alg, integrity_alg, crypt_alg; +- uint8_t cipher_suite_id; + uint8_t list_index = 0; + /* 0x40 sets * 16 bytes per set */ +- uint8_t cipher_suite_data[1024]; +- uint16_t offset = 0; +- /* how much was returned, total */ +- uint16_t cipher_suite_data_length = 0; ++ uint8_t cipher_suite_data[MAX_CIPHER_SUITE_RECORD_OFFSET * ++ MAX_CIPHER_SUITE_DATA_LEN]; ++ size_t offset = 0; ++ size_t nr_suites = 0; + ++ if (!suites || !count || !*count) ++ return -1; ++ ++ nr_suites = *count; ++ *count = 0; + memset(cipher_suite_data, 0, sizeof(cipher_suite_data)); +- ++ + memset(&req, 0, sizeof(req)); + req.msg.netfn = IPMI_NETFN_APP; + req.msg.cmd = IPMI_GET_CHANNEL_CIPHER_SUITES; + req.msg.data = rqdata; +- req.msg.data_len = 3; ++ req.msg.data_len = sizeof(rqdata); + + rqdata[0] = channel; + rqdata[1] = ((strncmp(payload_type, "ipmi", 4) == 0)? 0: 1); +- /* Always ask for cipher suite format */ +- rqdata[2] = 0x80; +- +- rsp = intf->sendrecv(intf, &req); +- if (rsp == NULL) { +- lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); +- return -1; +- } +- if (rsp->ccode > 0) { +- lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", +- val2str(rsp->ccode, completion_code_vals)); +- return -1; +- } +- +- +- /* +- * Grab the returned channel number once. We assume it's the same +- * in future calls. +- */ +- if (rsp->data_len >= 1) { +- channel = rsp->data[0]; +- } +- +- while ((rsp->data_len > 1) && (rsp->data_len == 17) && (list_index < 0x3F)) { +- /* +- * We got back cipher suite data -- store it. +- * printf("copying data to offset %d\n", offset); +- * printbuf(rsp->data + 1, rsp->data_len - 1, "this is the data"); +- */ +- memcpy(cipher_suite_data + offset, rsp->data + 1, rsp->data_len - 1); +- offset += rsp->data_len - 1; +- +- /* +- * Increment our list for the next call +- */ +- ++list_index; +- rqdata[2] = (rqdata[2] & 0x80) + list_index; + ++ do { ++ /* Always ask for cipher suite format */ ++ rqdata[2] = LIST_ALGORITHMS_BY_CIPHER_SUITE | list_index; + rsp = intf->sendrecv(intf, &req); + if (rsp == NULL) { + lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); + return -1; + } +- if (rsp->ccode > 0) { ++ if (rsp->ccode || rsp->data_len < 1) { + lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", + val2str(rsp->ccode, completion_code_vals)); + return -1; + } +- } +- +- /* Copy last chunk */ +- if(rsp->data_len > 1) { + /* + * We got back cipher suite data -- store it. + * printf("copying data to offset %d\n", offset); +@@ -429,88 +459,46 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, + */ + memcpy(cipher_suite_data + offset, rsp->data + 1, rsp->data_len - 1); + offset += rsp->data_len - 1; +- } + +- /* We can chomp on all our data now. */ +- cipher_suite_data_length = offset; +- offset = 0; ++ /* ++ * Increment our list for the next call ++ */ ++ ++list_index; ++ } while ((rsp->data_len == (sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)) && ++ (list_index < MAX_CIPHER_SUITE_RECORD_OFFSET)); + +- if (! csv_output) { +- printf("ID IANA Auth Alg Integrity Alg Confidentiality Alg\n"); +- } +- while (offset < cipher_suite_data_length) { +- if (cipher_suite_data[offset++] == 0xC0) { +- /* standard type */ +- iana = 0; ++ *count = parse_channel_cipher_suite_data(cipher_suite_data, offset, suites, ++ nr_suites); ++ return 0; ++} + +- /* Verify that we have at least a full record left; id + 3 algs */ +- if ((cipher_suite_data_length - offset) < 4) { +- lprintf(LOG_ERR, "Incomplete data record in cipher suite data"); +- return -1; +- } +- cipher_suite_id = cipher_suite_data[offset++]; +- } else if (cipher_suite_data[offset++] == 0xC1) { +- /* OEM record type */ +- /* Verify that we have at least a full record left +- * id + iana + 3 algs +- */ +- if ((cipher_suite_data_length - offset) < 4) { +- lprintf(LOG_ERR, "Incomplete data record in cipher suite data"); +- return -1; +- } ++static int ++ipmi_print_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, ++ uint8_t channel) ++{ ++ int rc; ++ size_t i = 0; ++ struct cipher_suite_info suites[MAX_CIPHER_SUITE_COUNT]; ++ size_t nr_suites = sizeof(*suites); + +- cipher_suite_id = cipher_suite_data[offset++]; ++ rc = ipmi_get_channel_cipher_suites(intf, payload_type, channel, ++ suites, &nr_suites); + +- /* Grab the IANA */ +- iana = +- cipher_suite_data[offset] | +- (cipher_suite_data[offset + 1] << 8) | +- (cipher_suite_data[offset + 2] << 16); +- offset += 3; +- } else { +- lprintf(LOG_ERR, "Bad start of record byte in cipher suite data"); +- return -1; +- } ++ if (rc < 0) ++ return rc; + +- /* +- * Grab the algorithms for this cipher suite. I guess we can't be +- * sure of what order they'll come in. Also, I suppose we default +- * to the NONE algorithm if one were absent. This part of the spec is +- * poorly written -- I have read the errata document. For now, I'm only +- * allowing one algorithm per type (auth, integrity, crypt) because I +- * don't I understand how it could be otherwise. +- */ +- auth_alg = IPMI_AUTH_RAKP_NONE; +- integrity_alg = IPMI_INTEGRITY_NONE; +- crypt_alg = IPMI_CRYPT_NONE; +- +- while (((cipher_suite_data[offset] & 0xC0) != 0xC0) && +- ((cipher_suite_data_length - offset) > 0)) +- { +- switch (cipher_suite_data[offset] & 0xC0) +- { +- case 0x00: +- /* Authentication algorithm specifier */ +- auth_alg = cipher_suite_data[offset++] & 0x3F; +- break; +- case 0x40: +- /* Interity algorithm specifier */ +- integrity_alg = cipher_suite_data[offset++] & 0x3F; +- break; +- case 0x80: +- /* Confidentiality algorithm specifier */ +- crypt_alg = cipher_suite_data[offset++] & 0x3F; +- break; +- } +- } ++ if (! csv_output) { ++ printf("ID IANA Auth Alg Integrity Alg Confidentiality Alg\n"); ++ } ++ for (i = 0; i < nr_suites; i++) { + /* We have everything we need to spit out a cipher suite record */ + printf((csv_output? "%d,%s,%s,%s,%s\n" : + "%-4d %-7s %-15s %-15s %-15s\n"), +- cipher_suite_id, +- iana_string(iana), +- val2str(auth_alg, ipmi_auth_algorithms), +- val2str(integrity_alg, ipmi_integrity_algorithms), +- val2str(crypt_alg, ipmi_encryption_algorithms)); ++ suites[i].cipher_suite_id, ++ iana_string(suites[i].iana), ++ val2str(suites[i].auth_alg, ipmi_auth_algorithms), ++ val2str(suites[i].integrity_alg, ipmi_integrity_algorithms), ++ val2str(suites[i].crypt_alg, ipmi_encryption_algorithms)); + } + return 0; + } +@@ -973,7 +961,7 @@ ipmi_channel_main(struct ipmi_intf *intf, int argc, char **argv) + return (-1); + } + } +- retval = ipmi_get_channel_cipher_suites(intf, ++ retval = ipmi_print_channel_cipher_suites(intf, + argv[1], /* ipmi | sol */ + channel); + } else if (strncmp(argv[0], "setkg", 5) == 0) { +diff --git a/lib/ipmi_main.c b/lib/ipmi_main.c +index 811c80b..6aee102 100644 +--- a/lib/ipmi_main.c ++++ b/lib/ipmi_main.c +@@ -323,6 +323,7 @@ ipmi_main(int argc, char ** argv, + uint8_t target_addr = 0; + uint8_t target_channel = 0; + ++ uint8_t u8tmp = 0; + uint8_t transit_addr = 0; + uint8_t transit_channel = 0; + uint8_t target_lun = 0; +@@ -347,7 +348,10 @@ ipmi_main(int argc, char ** argv, + char * seloem = NULL; + int port = 0; + int devnum = 0; +- int cipher_suite_id = 3; /* See table 22-19 of the IPMIv2 spec */ ++#ifdef IPMI_INTF_LANPLUS ++ /* lookup best cipher suite available */ ++ enum cipher_suite_ids cipher_suite_id = IPMI_LANPLUS_CIPHER_SUITE_RESERVED; ++#endif /* IPMI_INTF_LANPLUS */ + int argflag, i, found; + int rc = -1; + int ai_family = AF_UNSPEC; +@@ -425,19 +429,18 @@ ipmi_main(int argc, char ** argv, + goto out_free; + } + break; ++#ifdef IPMI_INTF_LANPLUS + case 'C': +- if (str2int(optarg, &cipher_suite_id) != 0) { +- lprintf(LOG_ERR, "Invalid parameter given or out of range for '-C'."); +- rc = -1; +- goto out_free; +- } +- /* add check Cipher is -gt 0 */ +- if (cipher_suite_id < 0) { +- lprintf(LOG_ERR, "Cipher suite ID %i is invalid.", cipher_suite_id); ++ /* Cipher Suite ID is a byte as per IPMI specification */ ++ if (str2uchar(optarg, &u8tmp) != 0) { ++ lprintf(LOG_ERR, "Invalid parameter given or out of " ++ "range [0-255] for '-C'."); + rc = -1; + goto out_free; + } ++ cipher_suite_id = u8tmp; + break; ++#endif /* IPMI_INTF_LANPLUS */ + case 'v': + verbose++; + break; +@@ -870,7 +873,9 @@ ipmi_main(int argc, char ** argv, + + ipmi_intf_session_set_lookupbit(ipmi_main_intf, lookupbit); + ipmi_intf_session_set_sol_escape_char(ipmi_main_intf, sol_escape_char); ++#ifdef IPMI_INTF_LANPLUS + ipmi_intf_session_set_cipher_suite_id(ipmi_main_intf, cipher_suite_id); ++#endif /* IPMI_INTF_LANPLUS */ + + ipmi_main_intf->devnum = devnum; + +diff --git a/src/plugins/ipmi_intf.c b/src/plugins/ipmi_intf.c +index 1d9e87b..00b0918 100644 +--- a/src/plugins/ipmi_intf.c ++++ b/src/plugins/ipmi_intf.c +@@ -252,11 +252,14 @@ ipmi_intf_session_set_lookupbit(struct ipmi_intf * intf, uint8_t lookupbit) + intf->ssn_params.lookupbit = lookupbit; + } + ++#ifdef IPMI_INTF_LANPLUS + void +-ipmi_intf_session_set_cipher_suite_id(struct ipmi_intf * intf, uint8_t cipher_suite_id) ++ipmi_intf_session_set_cipher_suite_id(struct ipmi_intf * intf, ++ enum cipher_suite_ids cipher_suite_id) + { + intf->ssn_params.cipher_suite_id = cipher_suite_id; + } ++#endif /* IPMI_INTF_LANPLUS */ + + void + ipmi_intf_session_set_sol_escape_char(struct ipmi_intf * intf, char sol_escape_char) +diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c +index a0e388c..3087348 100644 +--- a/src/plugins/lanplus/lanplus.c ++++ b/src/plugins/lanplus/lanplus.c +@@ -164,114 +164,109 @@ extern int verbose; + * returns 0 on success + * 1 on failure + */ +-int lanplus_get_requested_ciphers(int cipher_suite_id, ++int lanplus_get_requested_ciphers(enum cipher_suite_ids cipher_suite_id, + uint8_t * auth_alg, + uint8_t * integrity_alg, + uint8_t * crypt_alg) + { +-#ifdef HAVE_CRYPTO_SHA256 +- if ((cipher_suite_id < 0) || (cipher_suite_id > 17)) { +- return 1; +- } +-#else +- if ((cipher_suite_id < 0) || (cipher_suite_id > 14)) +- return 1; +-#endif /* HAVE_CRYPTO_SHA256 */ + /* See table 22-19 for the source of the statement */ + switch (cipher_suite_id) + { +- case 0: ++ case IPMI_LANPLUS_CIPHER_SUITE_0: + *auth_alg = IPMI_AUTH_RAKP_NONE; + *integrity_alg = IPMI_INTEGRITY_NONE; + *crypt_alg = IPMI_CRYPT_NONE; + break; +- case 1: ++ case IPMI_LANPLUS_CIPHER_SUITE_1: + *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1; + *integrity_alg = IPMI_INTEGRITY_NONE; + *crypt_alg = IPMI_CRYPT_NONE; + break; +- case 2: ++ case IPMI_LANPLUS_CIPHER_SUITE_2: + *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1; + *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96; + *crypt_alg = IPMI_CRYPT_NONE; + break; +- case 3: ++ case IPMI_LANPLUS_CIPHER_SUITE_3: + *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1; + *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96; + *crypt_alg = IPMI_CRYPT_AES_CBC_128; + break; +- case 4: ++ case IPMI_LANPLUS_CIPHER_SUITE_4: + *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1; + *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96; + *crypt_alg = IPMI_CRYPT_XRC4_128; + break; +- case 5: ++ case IPMI_LANPLUS_CIPHER_SUITE_5: + *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1; + *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96; + *crypt_alg = IPMI_CRYPT_XRC4_40; + break; +- case 6: ++ case IPMI_LANPLUS_CIPHER_SUITE_6: + *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; + *integrity_alg = IPMI_INTEGRITY_NONE; + *crypt_alg = IPMI_CRYPT_NONE; + break; +- case 7: ++ case IPMI_LANPLUS_CIPHER_SUITE_7: + *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; + *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128; + *crypt_alg = IPMI_CRYPT_NONE; + break; +- case 8: ++ case IPMI_LANPLUS_CIPHER_SUITE_8: + *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; + *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128; + *crypt_alg = IPMI_CRYPT_AES_CBC_128; + break; +- case 9: ++ case IPMI_LANPLUS_CIPHER_SUITE_9: + *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; + *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128; + *crypt_alg = IPMI_CRYPT_XRC4_128; + break; +- case 10: ++ case IPMI_LANPLUS_CIPHER_SUITE_10: + *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; + *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128; + *crypt_alg = IPMI_CRYPT_XRC4_40; + break; +- case 11: ++ case IPMI_LANPLUS_CIPHER_SUITE_11: + *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; + *integrity_alg = IPMI_INTEGRITY_MD5_128; + *crypt_alg = IPMI_CRYPT_NONE; + break; +- case 12: ++ case IPMI_LANPLUS_CIPHER_SUITE_12: + *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; + *integrity_alg = IPMI_INTEGRITY_MD5_128; + *crypt_alg = IPMI_CRYPT_AES_CBC_128; + break; +- case 13: ++ case IPMI_LANPLUS_CIPHER_SUITE_13: + *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; + *integrity_alg = IPMI_INTEGRITY_MD5_128; + *crypt_alg = IPMI_CRYPT_XRC4_128; + break; +- case 14: ++ case IPMI_LANPLUS_CIPHER_SUITE_14: + *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5; + *integrity_alg = IPMI_INTEGRITY_MD5_128; + *crypt_alg = IPMI_CRYPT_XRC4_40; + break; + #ifdef HAVE_CRYPTO_SHA256 +- case 15: ++ case IPMI_LANPLUS_CIPHER_SUITE_15: + *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA256; + *integrity_alg = IPMI_INTEGRITY_NONE; + *crypt_alg = IPMI_CRYPT_NONE; + break; +- case 16: ++ case IPMI_LANPLUS_CIPHER_SUITE_16: + *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA256; + *integrity_alg = IPMI_INTEGRITY_HMAC_SHA256_128; + *crypt_alg = IPMI_CRYPT_NONE; + break; +- case 17: ++ case IPMI_LANPLUS_CIPHER_SUITE_17: + *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA256; + *integrity_alg = IPMI_INTEGRITY_HMAC_SHA256_128; + *crypt_alg = IPMI_CRYPT_AES_CBC_128; + break; + #endif /* HAVE_CRYPTO_SHA256 */ ++ case IPMI_LANPLUS_CIPHER_SUITE_RESERVED: ++ default: ++ return 1; + } + + return 0; +@@ -3441,6 +3436,57 @@ ipmi_set_session_privlvl_cmd(struct ipmi_intf * intf) + return 0; + } + ++static uint8_t ++ipmi_find_best_cipher_suite(struct ipmi_intf *intf) ++{ ++ enum cipher_suite_ids best_suite = IPMI_LANPLUS_CIPHER_SUITE_RESERVED; ++#ifdef HAVE_CRYPTO_SHA256 ++ struct cipher_suite_info suites[MAX_CIPHER_SUITE_COUNT]; ++ size_t nr_suites = ARRAY_SIZE(suites); ++ /* cipher suite best order is chosen with this criteria: ++ * HMAC-MD5 and MD5 are BAD; xRC4 is bad; AES128 is required ++ * HMAC-SHA256 > HMAC-SHA1 ++ * secure authentication > encrypted content ++ * ++ * With xRC4 out, all cipher suites with MD5 out, and cipher suite 3 being ++ * required by the spec, the only better defined standard cipher suite is ++ * 17. So if SHA256 is available, we should try to use that, otherwise, ++ * fall back to 3. ++ */ ++ const enum cipher_suite_ids cipher_order_preferred[] = { ++ IPMI_LANPLUS_CIPHER_SUITE_17, ++ IPMI_LANPLUS_CIPHER_SUITE_3, ++ }; ++ const size_t nr_preferred = ARRAY_SIZE(cipher_order_preferred); ++ size_t ipref, i; ++ ++ if (ipmi_get_channel_cipher_suites(intf, "ipmi", IPMI_LAN_CHANNEL_E, ++ suites, &nr_suites) < 0) ++ { ++ /* default legacy behavior - cipher suite 3 if none is requested */ ++ return IPMI_LANPLUS_CIPHER_SUITE_3; ++ } ++ for (ipref = 0; ipref < nr_preferred && ++ IPMI_LANPLUS_CIPHER_SUITE_RESERVED == best_suite; ipref++) ++ { ++ for (i = 0; i < nr_suites; i++) { ++ if (cipher_order_preferred[ipref] == suites[i].cipher_suite_id) { ++ best_suite = cipher_order_preferred[ipref]; ++ break; ++ } ++ } ++ } ++#endif /* HAVE_CRYPTO_SHA256 */ ++ if (IPMI_LANPLUS_CIPHER_SUITE_RESERVED == best_suite) { ++ /* IPMI 2.0 spec requires that cipher suite 3 is implemented ++ * so we should always be able to fall back to that if better ++ * options are not available. */ ++ best_suite = IPMI_LANPLUS_CIPHER_SUITE_3; ++ } ++ lprintf(LOG_INFO, "Using best available cipher suite %d\n", best_suite); ++ return best_suite; ++} ++ + /** + * ipmi_lanplus_open + */ +@@ -3514,6 +3560,16 @@ ipmi_lanplus_open(struct ipmi_intf * intf) + lprintf(LOG_INFO, "This BMC does not support IPMI v2 / RMCP+"); + goto fail; + } ++ /* ++ * If no cipher suite was provided, query the channel cipher suite list and ++ * pick the best one available ++ */ ++ if (IPMI_LANPLUS_CIPHER_SUITE_RESERVED == ++ intf->ssn_params.cipher_suite_id) ++ { ++ ipmi_intf_session_set_cipher_suite_id(intf, ++ ipmi_find_best_cipher_suite(intf)); ++ } + + /* + * If the open/rakp1/rakp3 sequence encounters a timeout, the whole sequence +@@ -3728,7 +3784,7 @@ static int ipmi_lanplus_setup(struct ipmi_intf * intf) + + static void ipmi_lanp_set_max_rq_data_size(struct ipmi_intf * intf, uint16_t size) + { +- if (intf->ssn_params.cipher_suite_id == 3) { ++ if (intf->ssn_params.cipher_suite_id == IPMI_LANPLUS_CIPHER_SUITE_3) { + /* + * encrypted payload can only be multiple of 16 bytes + */ +@@ -3746,7 +3802,7 @@ static void ipmi_lanp_set_max_rq_data_size(struct ipmi_intf * intf, uint16_t siz + + static void ipmi_lanp_set_max_rp_data_size(struct ipmi_intf * intf, uint16_t size) + { +- if (intf->ssn_params.cipher_suite_id == 3) { ++ if (intf->ssn_params.cipher_suite_id == IPMI_LANPLUS_CIPHER_SUITE_3) { + /* + * encrypted payload can only be multiple of 16 bytes + */ +-- +2.20.1 + diff --git a/SOURCES/0009-CVE-2020-5208.patch b/SOURCES/0009-CVE-2020-5208.patch new file mode 100644 index 0000000..ab92493 --- /dev/null +++ b/SOURCES/0009-CVE-2020-5208.patch @@ -0,0 +1,383 @@ +From a1732e68bce148255785e67eb035520729274d86 Mon Sep 17 00:00:00 2001 +From: Chrostoper Ertl +Date: Thu, 28 Nov 2019 16:33:59 +0000 +Subject: [PATCH] Fixes for CVE-2020-5208 + +see https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp + +This patch is combination of following commits: + +pick e824c23316ae50beb7f7488f2055ac65e8b341f2 fru: Fix buffer overflow vulnerabilities +pick 840fb1cbb4fb365cb9797300e3374d4faefcdb10 fru: Fix buffer overflow in ipmi_spd_print_fru +pick 41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 session: Fix buffer overflow in ipmi_get_session_info +pick 9452be87181a6e83cfcc768b3ed8321763db50e4 channel: Fix buffer overflow +pick d45572d71e70840e0d4c50bf48218492b79c1a10 lanp: Fix buffer overflows in get_lan_param_select +pick 7ccea283dd62a05a320c1921e3d8d71a87772637 fru, sdr: Fix id_string buffer overflows + +[vdolezal@redhat.com]: fixed memleak of `spd_data` in + lib/dimm_spd.c:ipmi_spd_print_fru() +--- + lib/dimm_spd.c | 11 ++++++++++- + lib/ipmi_channel.c | 5 ++++- + lib/ipmi_fru.c | 35 ++++++++++++++++++++++++++++++++--- + lib/ipmi_lanp.c | 14 +++++++------- + lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++---------------- + lib/ipmi_session.c | 12 ++++++++---- + 6 files changed, 85 insertions(+), 32 deletions(-) + +diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c +index 41e30db..ebcc94c 100644 +--- a/lib/dimm_spd.c ++++ b/lib/dimm_spd.c +@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + struct ipmi_rq req; + struct fru_info fru; + uint8_t *spd_data, msg_data[4]; +- int len, offset; ++ uint32_t len, offset; + + msg_data[0] = id; + +@@ -1697,6 +1697,15 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id) + } + + len = rsp->data[0]; ++ if(rsp->data_len < 1 ++ || len > rsp->data_len - 1 ++ || len > fru.size - offset) ++ { ++ printf(" Not enough buffer size"); ++ free(spd_data); ++ spd_data = NULL; ++ return -1; ++ } + memcpy(&spd_data[offset], rsp->data + 1, len); + offset += len; + } while (offset < fru.size); +diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c +index 3ae3104..80ba522 100644 +--- a/lib/ipmi_channel.c ++++ b/lib/ipmi_channel.c +@@ -447,7 +447,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, + lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites"); + return -1; + } +- if (rsp->ccode || rsp->data_len < 1) { ++ if (rsp->ccode ++ || rsp->data_len < 1 ++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN) ++ { + lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s", + val2str(rsp->ccode, completion_code_vals)); + return -1; +diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c +index cf00eff..98bc984 100644 +--- a/lib/ipmi_fru.c ++++ b/lib/ipmi_fru.c +@@ -615,7 +615,10 @@ int + read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp; ++ uint32_t finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + } + ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } ++ + memcpy(frubuf, rsp->data + 1, tmp); + off += tmp; + frubuf += tmp; ++ size_left_in_buffer -= tmp; + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function + * still attempts to parse what was returned */ +@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + uint32_t offset, uint32_t length, uint8_t *frubuf) + { + static uint32_t fru_data_rqst_size = 20; +- uint32_t off = offset, tmp, finish; ++ uint32_t off = offset; ++ uint32_t tmp, finish; ++ uint32_t size_left_in_buffer; + struct ipmi_rs * rsp; + struct ipmi_rq req; + uint8_t msg_data[4]; +@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + + finish = offset + length; + if (finish > fru->size) { ++ memset(frubuf + fru->size, 0, length - fru->size); + finish = fru->size; + lprintf(LOG_NOTICE, "Read FRU Area length %d too large, " + "Adjusting to %d", + offset + length, finish - offset); ++ length = finish - offset; + } + + memset(&req, 0, sizeof(req)); +@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + if (fru->access && fru_data_rqst_size > 16) + #endif + fru_data_rqst_size = 16; ++ ++ size_left_in_buffer = length; + do { + tmp = fru->access ? off >> 1 : off; + msg_data[0] = id; +@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id, + } + + tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0]; ++ if(rsp->data_len < 1 ++ || tmp > rsp->data_len - 1 ++ || tmp > size_left_in_buffer) ++ { ++ printf(" Not enough buffer size"); ++ return -1; ++ } + memcpy((frubuf + off)-offset, rsp->data + 1, tmp); + off += tmp; ++ size_left_in_buffer -= tmp; + + /* sometimes the size returned in the Info command + * is too large. return 0 so higher level function +@@ -3033,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru) + return 0; + + memset(desc, 0, sizeof(desc)); +- memcpy(desc, fru->id_string, fru->id_code & 0x01f); ++ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc))); + desc[fru->id_code & 0x01f] = 0; + printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id); + +diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c +index 65d881b..022c7f1 100644 +--- a/lib/ipmi_lanp.c ++++ b/lib/ipmi_lanp.c +@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + /* set new ipaddr */ + memcpy(data+3, temp, 4); + printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert, +@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + /* set new macaddr */ + memcpy(data+7, temp, 6); + printf("Setting LAN Alert %d MAC Address to " +@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "def", 3) == 0 || + strncasecmp(argv[1], "default", 7) == 0) { +@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "on", 2) == 0 || + strncasecmp(argv[1], "yes", 3) == 0) { +@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (strncasecmp(argv[1], "pet", 3) == 0) { + printf("Setting LAN Alert %d destination to PET Trap\n", alert); +@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (str2uchar(argv[1], &data[2]) != 0) { + lprintf(LOG_ERR, "Invalid time: %s", argv[1]); +@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert, + if (p == NULL) { + return (-1); + } +- memcpy(data, p->data, p->data_len); ++ memcpy(data, p->data, __min(p->data_len, sizeof(data))); + + if (str2uchar(argv[1], &data[3]) != 0) { + lprintf(LOG_ERR, "Invalid retry: %s", argv[1]); +diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c +index fd2c02d..01d81f7 100644 +--- a/lib/ipmi_sdr.c ++++ b/lib/ipmi_sdr.c +@@ -2086,7 +2086,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf, + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string); + + if (verbose) { + printf("Sensor ID : %s (0x%x)\n", +@@ -2137,7 +2137,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf, + return -1; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string); + + if (verbose == 0) { + if (csv_output) +@@ -2230,7 +2230,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf, + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string); + + if (!verbose) { + if (csv_output) +@@ -2287,7 +2287,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf, + char desc[17]; + + memset(desc, 0, sizeof (desc)); +- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string); ++ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string); + + if (!verbose) { + if (csv_output) +@@ -2491,35 +2491,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf, uint16_t id, + + int rc =0; + char desc[17]; ++ const char *id_string; ++ uint8_t id_code; + memset(desc, ' ', sizeof (desc)); + + switch ( type) { + case SDR_RECORD_TYPE_FULL_SENSOR: + record.full = (struct sdr_record_full_sensor *) raw; +- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s", +- (const char *)record.full->id_string); ++ id_code = record.full->id_code; ++ id_string = record.full->id_string; + break; ++ + case SDR_RECORD_TYPE_COMPACT_SENSOR: + record.compact = (struct sdr_record_compact_sensor *) raw ; +- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s", +- (const char *)record.compact->id_string); ++ id_code = record.compact->id_code; ++ id_string = record.compact->id_string; + break; ++ + case SDR_RECORD_TYPE_EVENTONLY_SENSOR: + record.eventonly = (struct sdr_record_eventonly_sensor *) raw ; +- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s", +- (const char *)record.eventonly->id_string); +- break; ++ id_code = record.eventonly->id_code; ++ id_string = record.eventonly->id_string; ++ break; ++ + case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR: + record.mcloc = (struct sdr_record_mc_locator *) raw ; +- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s", +- (const char *)record.mcloc->id_string); ++ id_code = record.mcloc->id_code; ++ id_string = record.mcloc->id_string; + break; ++ + default: + rc = -1; +- break; +- } ++ } ++ if (!rc) { ++ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string); ++ } + +- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); ++ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc); + return rc; + } + +diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c +index 141f0f4..b9af1fd 100644 +--- a/lib/ipmi_session.c ++++ b/lib/ipmi_session.c +@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, + } + else + { +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + } + break; + +@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf, + break; + } + +- memcpy(&session_info, rsp->data, rsp->data_len); +- print_session_info(&session_info, rsp->data_len); ++ memcpy(&session_info, rsp->data, ++ __min(rsp->data_len, sizeof(session_info))); ++ print_session_info(&session_info, ++ __min(rsp->data_len, sizeof(session_info))); + + } while (i <= session_info.session_slot_count); + break; +-- +2.20.1 + diff --git a/SOURCES/0009-CVE-2020-5208_2.patch b/SOURCES/0009-CVE-2020-5208_2.patch deleted file mode 100644 index 12e8d2e..0000000 --- a/SOURCES/0009-CVE-2020-5208_2.patch +++ /dev/null @@ -1,44 +0,0 @@ -From f87d8c7721dd6ca2e1e94342fa5688e58fb0af15 Mon Sep 17 00:00:00 2001 -From: Vaclav Dolezal -Date: Wed, 12 Feb 2020 15:20:32 +0100 -Subject: [PATCH] Partial fix for CVE-2020-5208 - -replacement for patch: -9452be8 channel: Fix buffer overflow - -Signed-off-by: Vaclav Dolezal ---- - lib/ipmi_channel.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c -index e1fc75f..81ae82e 100644 ---- a/lib/ipmi_channel.c -+++ b/lib/ipmi_channel.c -@@ -383,6 +383,11 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, - val2str(rsp->ccode, completion_code_vals)); - return -1; - } -+ if (rsp->data_len > 17) { -+ lprintf(LOG_ERR, "Get Channel Cipher Suites failed - " -+ "received invalid data"); -+ return -1; -+ } - - - /* -@@ -418,6 +423,11 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type, - val2str(rsp->ccode, completion_code_vals)); - return -1; - } -+ if (rsp->data_len > 17) { -+ lprintf(LOG_ERR, "Get Channel Cipher Suites failed - " -+ "received invalid data"); -+ return -1; -+ } - } - - /* Copy last chunk */ --- -2.20.1 - diff --git a/SPECS/ipmitool.spec b/SPECS/ipmitool.spec index 90c075b..4407c82 100644 --- a/SPECS/ipmitool.spec +++ b/SPECS/ipmitool.spec @@ -1,7 +1,7 @@ Name: ipmitool Summary: Utility for IPMI control Version: 1.8.18 -Release: 12%{?dist} +Release: 14%{?dist} License: BSD URL: http://ipmitool.sourceforge.net/ Source0: http://downloads.sourceforge.net/project/%{name}/%{name}/%{version}/%{name}-%{version}.tar.bz2 @@ -20,8 +20,8 @@ Patch4: 0004-slowswid.patch Patch5: 0005-sensor-id-length.patch Patch6: 0006-enable-usb.patch Patch7: 0007-check-input.patch -Patch8: 0008-CVE-2020-5208.patch -Patch9: 0009-CVE-2020-5208_2.patch +Patch8: 0008-use-best-cipher.patch +Patch9: 0009-CVE-2020-5208.patch BuildRequires: openssl-devel readline-devel ncurses-devel %{?systemd_requires} @@ -181,11 +181,17 @@ install -Dm 755 contrib/bmc-snmp-proxy %{buildroot}%{_libexecdir}/bmc-sn %{_libexecdir}/bmc-snmp-proxy %changelog -* Wed Mar 04 2020 Václav Doležal - 1.8.18-12 +* Fri Feb 07 2020 Václav Doležal - 1.8.18-14 +- Fix memory leak (found by covscan) + +* Fri Feb 07 2020 Václav Doležal - 1.8.18-13 +- Backport fix for CVE-2020-5208 (#1799039) + +* Fri Nov 15 2019 Václav Doležal - 1.8.18-12 - Disable -fstrict-aliasing (RPMDiff issue) -* Tue Mar 03 2020 Václav Doležal - 1.8.18-11 -- Backport fix for CVE-2020-5208 +* Tue Oct 15 2019 Václav Doležal - 1.8.18-11 +- Choose the best cipher suite available when connecting over LAN (#1749360) * Thu Feb 22 2018 Josef Ridky - 1.8.18-10 - Spec clean up