Re: [Freeipmi-devel] [bug #38790] Invalid "Confidentiality Pad Length" v
From: Rob Swindell
Subject: Re: [Freeipmi-devel] [bug #38790] Invalid "Confidentiality Pad Length" value in encrypted RMCP+ packets
Date: Thu, 25 Apr 2013 21:33:45 +0000
I can confirm your patch fixes the problem.
I was able to reproduce the original problem with *any* payload that happened
to be evenly divisible by 16 and was greater than 16 (the AES-128 block size).
This included sending specific lengths of SOL payload data, DCMI asset tag,
DCMI management controller ID string or any *sent* encrypted packet which
happened to result in these special payload sizes.
I was able to reproduce it with your example (DCMI asset tag of 5 characters)
as well as my example (DCMI asset tag of 21 characters) - both work now with
your patch.
Thanks,
-Rob
-----Original Message-----
From: Albert Chu [mailto:address@hidden
Sent: Thursday, April 25, 2013 11:27 AM
To: Albert Chu; Rob Swindell; address@hidden
Subject: [bug #38790] Invalid "Confidentiality Pad Length" value in encrypted
RMCP+ packets
Update of bug #38790 (project freeipmi):
Assigned to: None => chu11
_______________________________________________________
Follow-up Comment #2:
I was able to reproduce with --set-asset-tag=12313 (not sure why it did not
with your example). I'm surprised this bug lingered so long. I guess most
vendors do not check the pad.
I did a different patch though, and found another location in the code that
needed to be changed. Here's the patch I committed for 1.2.6. I've of course
given credit to you & Broadcom in the ChangeLog for finding the bug and the
fix location.
===================================================================
--- libfreeipmi/interface/ipmi-rmcpplus-interface.c (revision 9608)
+++ libfreeipmi/interface/ipmi-rmcpplus-interface.c (working copy)
@@ -739,7 +739,7 @@
uint8_t iv[IPMI_CRYPT_AES_CBC_128_IV_LENGTH];
int iv_len;
uint8_t payload_buf[IPMI_MAX_PAYLOAD_LENGTH];
- uint8_t pad_len;
+ uint8_t pad_len, pad_tmp;
int payload_len, cipher_keylen, cipher_blocklen, encrypt_len;
/* Note: Confidentiality Key for AES_CBS_128 is K2 */
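Review bot: The context comment under these declarations reads "AES_CBS_128", which looks like a typo for AES_CBC_128 and could be fixed while this function is being touched. pad_tmp is used only by the pad computation in the next hunk, so it could be declared in that block instead of at function scope; it only ever holds a remainder below the block length, so uint8_t is wide enough.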
@@ -808,7 +808,11 @@
/* Pad the data appropriately */
/* +1 is for the pad length field */
- pad_len = IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH - ((payload_len + 1) %
IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH);
+ pad_tmp = ((payload_len + 1) % IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH);
+ if (pad_tmp)
+ pad_len = IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH - pad_tmp;
+ else
+ pad_len = 0;
if ((payload_len + pad_len + 1) > IPMI_MAX_PAYLOAD_LENGTH)
{
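Review bot: The zero-pad case added by the `if (pad_tmp) ... else pad_len = 0;` branch is not documented; the comment above it still only says "Pad the data appropriately". Suggest a comment stating that when (payload_len + 1) is already a multiple of IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH no pad bytes are added and the pad length field is 0, whereas the removed expression produced a full block of padding in that case. The temporary could also be avoided by taking the result of the old expression modulo IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH once more, which yields the same values.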
@@ -821,8 +825,8 @@
unsigned int i;
for (i = 0; i < pad_len; i++)
payload_buf[payload_len + i] = i + 1;
- payload_buf[payload_len + pad_len] = pad_len;
}
+ payload_buf[payload_len + pad_len] = pad_len;
/* +1 for pad length field */
if ((encrypt_len = crypt_cipher_encrypt (IPMI_CRYPT_CIPHER_AES,
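Review bot: The moved `payload_buf[payload_len + pad_len] = pad_len;` now runs unconditionally, so it relies entirely on the `(payload_len + pad_len + 1) > IPMI_MAX_PAYLOAD_LENGTH` check from the previous hunk to keep the index inside payload_buf; a one-line comment saying the pad length byte is always written, including when pad_len is 0, would make that dependency explicit. The condition guarding the pad-byte loop lies outside the visible context, so please confirm it still reads correctly for a zero pad_len. A regression test that sends payloads where payload_len + 1 is a multiple of the block length would cover this path.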
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?38790>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
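The padding arithmetic changed by the patch above, as an added example that is not part of the original messages or of FreeIPMI's code: it compares the removed and the patched pad-length expressions and runs both through a hypothetical strict receiver. The names `BLOCK_LEN`, `pad_len_before`, `pad_len_after`, `append_pad` and `trailer_valid` are assumptions of this example, and so is the receiver's rule that a pad length of a full block is rejected.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_LEN 16 /* AES-128 block size, as stated in the thread */

/* Removed expression: never 0, so an already aligned payload gets 16. */
static uint8_t pad_len_before(int payload_len)
{
  return BLOCK_LEN - ((payload_len + 1) % BLOCK_LEN);
}

/* Patched expression: 0 when payload plus pad length byte is aligned. */
static uint8_t pad_len_after(int payload_len)
{
  int rem = (payload_len + 1) % BLOCK_LEN;
  return rem ? BLOCK_LEN - rem : 0;
}

/* Write pad bytes 1..pad_len, then the pad length byte (always written,
   as in the patched code). Returns the length to encrypt, -1 if no room. */
static int append_pad(uint8_t *buf, size_t buflen, int payload_len, uint8_t pad_len)
{
  if (payload_len < 0 || (size_t)payload_len + pad_len + 1 > buflen)
    return -1;
  for (unsigned int i = 0; i < pad_len; i++)
    buf[payload_len + i] = i + 1;
  buf[payload_len + pad_len] = pad_len;
  return payload_len + pad_len + 1;
}

/* Hypothetical strict receiver (assumption): block-aligned total, pad
   length below one block, pad bytes counting up from 1. */
static int trailer_valid(const uint8_t *buf, int total_len)
{
  if (total_len <= 0 || total_len % BLOCK_LEN)
    return 0;
  uint8_t pad = buf[total_len - 1];
  if (pad >= BLOCK_LEN || pad + 1 > total_len)
    return 0;
  for (unsigned int i = 0; i < pad; i++)
    if (buf[total_len - 1 - pad + i] != i + 1)
      return 0;
  return 1;
}

int main(void)
{
  uint8_t buf[64] = { 0 }; /* constructed payload of zero bytes */
  for (int len = 13; len <= 17; len++)
    printf("payload %2d: before=%2d valid=%d, after=%2d valid=%d\n", len,
           pad_len_before(len), trailer_valid(buf, append_pad(buf, sizeof buf, len, pad_len_before(len))),
           pad_len_after(len), trailer_valid(buf, append_pad(buf, sizeof buf, len, pad_len_after(len))));
  return 0;
}
```

Only the lengths where payload_len + 1 is a multiple of 16 differ between the two expressions; every other length produces identical padding.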