diff --git a/ipmitool-1.8.12-fips.patch b/ipmitool-1.8.12-fips.patch
new file mode 100644
index 0000000..f9e2c04
--- /dev/null
+++ b/ipmitool-1.8.12-fips.patch
@@ -0,0 +1,148 @@
+diff -up ./src/plugins/lan/lan.c.fips ./src/plugins/lan/lan.c
+--- ./src/plugins/lan/lan.c.fips 2013-08-09 12:17:31.336127511 +0200
++++ ./src/plugins/lan/lan.c 2013-08-09 12:48:35.624639106 +0200
+@@ -67,6 +67,10 @@
+ #define IPMI_LAN_PORT 0x26f
+ #define IPMI_LAN_CHANNEL_E 0x0e
+ 
++#if defined(HAVE_CRYPTO_MD2) || defined(HAVE_CRYPTO_MD5)
++#include
++#endif
++
+ extern const struct valstr ipmi_privlvl_vals[];
+ extern const struct valstr ipmi_authtype_session_vals[];
+ extern int verbose;
+@@ -861,10 +865,18 @@ ipmi_lan_build_cmd(struct ipmi_intf * in
+ */
+ switch (s->authtype) {
+ case IPMI_SESSION_AUTHTYPE_MD5:
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -I lanplus\n");
++ return NULL;
++ }
+ temp = ipmi_auth_md5(s, msg+mp, msg[mp-1]);
+ memcpy(msg+ap, temp, 16);
+ break;
+ case IPMI_SESSION_AUTHTYPE_MD2:
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD2 not supported in FIPS mode. Try -I lanplus\n");
++ return NULL;
++ }
+ temp = ipmi_auth_md2(s, msg+mp, msg[mp-1]);
+ memcpy(msg+ap, temp, 16);
+ break;
+diff -up ./src/plugins/lanplus/lanplus.c.fips ./src/plugins/lanplus/lanplus.c
+--- ./src/plugins/lanplus/lanplus.c.fips 2013-07-16 06:17:39.000000000 +0200
++++ ./src/plugins/lanplus/lanplus.c 2013-08-09 12:17:31.338127516 +0200
+@@ -65,6 +65,10 @@
+ #include "rmcp.h"
+ #include "asf.h"
+ 
++#if defined(HAVE_CRYPTO_MD2) || defined(HAVE_CRYPTO_MD5)
++#include
++#endif
++
+ extern const struct valstr ipmi_rakp_return_codes[];
+ extern const struct valstr ipmi_priv_levels[];
+ extern const struct valstr ipmi_auth_algorithms[];
+@@ -183,56 +187,100 @@ int lanplus_get_requested_ciphers(int
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
+ *crypt_alg = IPMI_CRYPT_XRC4_128;
++ if (FIPS_mode() && verbose > 1) {
++ printf("RC4 not supported in FIPS mode. Try -C 3\n");
++ return 1;
++ }
+ break;
+ case 5:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
+ *crypt_alg = IPMI_CRYPT_XRC4_40;
++ if (FIPS_mode() && verbose > 1) {
++ printf("RC4 not supported in FIPS mode. Try -C 3\n");
++ return 1;
++ }
+ break;
+ case 6:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_NONE;
+ *crypt_alg = IPMI_CRYPT_NONE;
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -C 1\n");
++ return 1;
++ }
+ break;
+ case 7:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ *crypt_alg = IPMI_CRYPT_NONE;
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -C 2\n");
++ return 1;
++ }
+ break;
+ case 8:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ *crypt_alg = IPMI_CRYPT_AES_CBC_128;
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -C 3\n");
++ return 1;
++ }
+ break;
+ case 9:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ *crypt_alg = IPMI_CRYPT_XRC4_128;
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -C 3\n");
++ return 1;
++ }
+ break;
+ case 10:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ *crypt_alg = IPMI_CRYPT_XRC4_40;
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -C 3\n");
++ return 1;
++ }
+ break;
+ case 11:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_MD5_128;
+ *crypt_alg = IPMI_CRYPT_NONE;
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -C 3\n");
++ return 1;
++ }
+ break;
+ case 12:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_MD5_128;
+ *crypt_alg = IPMI_CRYPT_AES_CBC_128;
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -C 3\n");
++ return 1;
++ }
+ break;
+ case 13:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_MD5_128;
+ *crypt_alg = IPMI_CRYPT_XRC4_128;
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -C 3\n");
++ return 1;
++ }
+ break;
+ case 14:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_MD5_128;
+ *crypt_alg = IPMI_CRYPT_XRC4_40;
++ if (FIPS_mode() && verbose > 1) {
++ printf("MD5 not supported in FIPS mode. Try -C 3\n");
++ return 1;
++ }
+ break;
+ }
+ 
diff --git a/ipmitool.spec b/ipmitool.spec
index 2e0d16f..73041b9 100644
--- a/ipmitool.spec
+++ b/ipmitool.spec
@@ -1,7 +1,7 @@
 Name: ipmitool
 Summary: Utility for IPMI control
 Version: 1.8.12
-Release: 13073101%{?dist}
+Release: 13073102%{?dist}
 License: BSD
 Group: System Environment/Base
 URL: http://ipmitool.sourceforge.net/
@@ -29,6 +29,8 @@ Patch2: ipmitool-1.8.10-ipmievd-condrestart.patch
 Patch3: ipmitool-1.8.11-remove-umask0.patch
 # various threads. still pending.
 Patch4: cxoem-jb-cx6.patch
+# pending
+Patch5: ipmitool-1.8.12-fips.patch
 
 %description
 This package contains a utility for interfacing with devices that support
@@ -69,6 +71,7 @@ for the host OS to use.
 %patch2 -p0 -b .condrestart
 %patch3 -p1 -b .umask
 %patch4 -p1 -b .cxoem
+%patch5 -p0 -b .fips
 
 for f in AUTHORS ChangeLog; do
 iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8
@@ -143,6 +146,9 @@ install -Dm 755 %{SOURCE6} %{buildroot}%{_libexecdir}/exchange-bmc-os-info
 
 
 %changelog
+* Fri Jul 09 2013 Ales Ledvinka 1.8.12-13073102
+- Avoid FIPS mode crashes if possible.
+
 * Wed Jul 31 2013 Ales Ledvinka 1.8.12-13073101
 - Include current upstream bugfixes.
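Review bot: Every added guard in the new ipmitool-1.8.12-fips.patch reads `if (FIPS_mode() && verbose > 1)`, so the refusal itself depends on the verbosity level: in FIPS mode with `verbose` at 0 or 1 the code still falls through to `ipmi_auth_md5`/`ipmi_auth_md2` in lan.c and `lanplus_get_requested_ciphers` still hands back the MD5 and RC4 suites, which is the path the changelog entry says should be avoided. The condition should be `if (FIPS_mode()) {` with only the message gated, `if (verbose > 1) printf(...);`, or the message sent unconditionally to stderr since it explains why the session cannot be set up. This applies to both cases in lan.c and to cipher suites 4–14 in lanplus.c. `FIPS_mode()` is also called outside the `HAVE_CRYPTO_MD2 || HAVE_CRYPTO_MD5` guard that wraps the new `#include` (its header name does not survive on this page), so a build without those macros would presumably call it undeclared; the calls need the same guard. Both functions begin and end outside the hunks, so whether the early `return NULL` in `ipmi_lan_build_cmd` leaves an already allocated `msg` behind cannot be checked from here.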