diff --git a/ipmitool/0001-CVE-2011-4339-OpenIPMI.patch b/ipmitool/0001-CVE-2011-4339-OpenIPMI.patch new file mode 100644 index 0000000..437c9ad --- /dev/null +++ b/ipmitool/0001-CVE-2011-4339-OpenIPMI.patch @@ -0,0 +1,25 @@ +From 152efd46931a70ab4e3d81e99d312df7dcd666e6 Mon Sep 17 00:00:00 2001 +From: Boris Ranto +Date: Tue, 10 May 2016 19:12:08 +0200 +Subject: [PATCH] CVE-2011-4339 OpenIPMI + +IPMI event daemon creates PID file with world writeable permissions +--- + lib/helper.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/helper.c b/lib/helper.c +index de91438..c3a1c80 100644 +--- a/lib/helper.c ++++ b/lib/helper.c +@@ -829,7 +829,6 @@ ipmi_start_daemon(struct ipmi_intf *intf) + #endif + + chdir("/"); +- umask(0); + + for (fd=0; fd<64; fd++) { + if (fd != intf->fd) +-- +2.7.4 + diff --git a/ipmitool/0002-openssl.patch b/ipmitool/0002-openssl.patch new file mode 100644 index 0000000..ff5e705 --- /dev/null +++ b/ipmitool/0002-openssl.patch @@ -0,0 +1,89 @@ +diff -urNp old/src/plugins/lanplus/lanplus_crypt_impl.c new/src/plugins/lanplus/lanplus_crypt_impl.c +--- old/src/plugins/lanplus/lanplus_crypt_impl.c 2016-05-28 10:20:20.000000000 +0200 ++++ new/src/plugins/lanplus/lanplus_crypt_impl.c 2017-02-21 10:50:21.634873466 +0100 +@@ -164,10 +164,10 @@ lanplus_encrypt_aes_cbc_128(const uint8_ + uint8_t * output, + uint32_t * bytes_written) + { +- EVP_CIPHER_CTX ctx; +- EVP_CIPHER_CTX_init(&ctx); +- EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv); +- EVP_CIPHER_CTX_set_padding(&ctx, 0); ++ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); ++ EVP_CIPHER_CTX_init(ctx); ++ EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); ++ EVP_CIPHER_CTX_set_padding(ctx, 0); + + + *bytes_written = 0; +@@ -191,7 +191,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_ + assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0); + + +- if(!EVP_EncryptUpdate(&ctx, output, (int *)bytes_written, input, input_length)) ++ if(!EVP_EncryptUpdate(ctx, output, (int *)bytes_written, input, input_length)) + { + /* Error */ + *bytes_written = 0; +@@ -201,7 +201,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_ + { + uint32_t tmplen; + +- if(!EVP_EncryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen)) ++ if(!EVP_EncryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) + { + *bytes_written = 0; + return; /* Error */ +@@ -210,7 +210,8 @@ lanplus_encrypt_aes_cbc_128(const uint8_ + { + /* Success */ + *bytes_written += tmplen; +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_cleanup(ctx); ++ EVP_CIPHER_CTX_free(ctx); + } + } + } +@@ -239,10 +240,10 @@ lanplus_decrypt_aes_cbc_128(const uint8_ + uint8_t * output, + uint32_t * bytes_written) + { +- EVP_CIPHER_CTX ctx; +- EVP_CIPHER_CTX_init(&ctx); +- EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key, iv); +- EVP_CIPHER_CTX_set_padding(&ctx, 0); ++ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); ++ EVP_CIPHER_CTX_init(ctx); ++ EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv); ++ EVP_CIPHER_CTX_set_padding(ctx, 0); + + + if (verbose >= 5) +@@ -266,7 +267,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_ + assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0); + + +- if (!EVP_DecryptUpdate(&ctx, output, (int *)bytes_written, input, input_length)) ++ if (!EVP_DecryptUpdate(ctx, output, (int *)bytes_written, input, input_length)) + { + /* Error */ + lprintf(LOG_DEBUG, "ERROR: decrypt update failed"); +@@ -277,7 +278,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_ + { + uint32_t tmplen; + +- if (!EVP_DecryptFinal_ex(&ctx, output + *bytes_written, (int *)&tmplen)) ++ if (!EVP_DecryptFinal_ex(ctx, output + *bytes_written, (int *)&tmplen)) + { + char buffer[1000]; + ERR_error_string(ERR_get_error(), buffer); +@@ -290,7 +291,8 @@ lanplus_decrypt_aes_cbc_128(const uint8_ + { + /* Success */ + *bytes_written += tmplen; +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_cleanup(ctx); ++ EVP_CIPHER_CTX_free(ctx); + } + } + diff --git a/ipmitool/0003-ipmitool-1.8.11-set-kg-key.patch b/ipmitool/0003-ipmitool-1.8.11-set-kg-key.patch new file mode 100644 index 0000000..00a396e --- /dev/null +++ b/ipmitool/0003-ipmitool-1.8.11-set-kg-key.patch @@ -0,0 +1,240 @@ +diff -urNp old/doc/ipmitool.1 new/doc/ipmitool.1 +--- old/doc/ipmitool.1 2017-02-06 10:20:02.254362909 +0100 ++++ new/doc/ipmitool.1 2017-02-06 10:33:41.729294474 +0100 +@@ -372,6 +372,20 @@ Configure user access information on the + + Displays the list of cipher suites supported for the given + application (ipmi or sol) on the given channel. ++.TP ++\fIsetkg\fP <\fIhex\fP|\fIplain\fP> <\fBkey\fP> [<\fBchannel\fR>] ++.br ++ ++Sets K_g key to given value. Use \fIplain\fP to specify \fBkey\fR as simple ASCII string. ++Use \fIhex\fP to specify \fBkey\fR as sequence of hexadecimal codes of ASCII charactes. ++I.e. following two examples are equivalent: ++ ++.RS ++ipmitool channel setkg plain PASSWORD ++ ++ipmitool channel setkg hex 50415353574F5244 ++.RE ++ + .RE + .RE + .TP +diff -urNp old/include/ipmitool/helper.h new/include/ipmitool/helper.h +--- old/include/ipmitool/helper.h 2017-02-06 10:20:02.254362909 +0100 ++++ new/include/ipmitool/helper.h 2017-02-06 10:40:07.336136844 +0100 +@@ -58,6 +58,8 @@ + # define IPMI_UID_MAX 63 + #endif + ++#define IPMI_KG_BUFFER_SIZE 21 /* key plus null byte */ ++ + struct ipmi_intf; + + struct valstr { +diff -urNp old/include/ipmitool/ipmi_channel.h new/include/ipmitool/ipmi_channel.h +--- old/include/ipmitool/ipmi_channel.h 2017-02-06 10:20:02.253316684 +0100 ++++ new/include/ipmitool/ipmi_channel.h 2017-02-06 10:58:15.291287621 +0100 +@@ -49,6 +49,10 @@ + #define IPMI_GET_USER_NAME 0x46 + #define IPMI_SET_USER_PASSWORD 0x47 + #define IPMI_GET_CHANNEL_CIPHER_SUITES 0x54 ++#define IPMI_SET_CHANNEL_SECURITY_KEYS 0x56 ++ ++#define IPMI_KG_KEY_ID 1 ++#define IPMI_SET_CHANNEL_SECURITY_KEYS_OP_SET 1 + + /* These are for channel_info_t.session_support */ + #define IPMI_CHANNEL_SESSION_LESS 0x00 +@@ -137,6 +141,40 @@ int _ipmi_set_channel_access(struct ipmi + struct channel_access_t channel_access, uint8_t access_option, + uint8_t privilege_option); + ++struct set_channel_security_keys_req { ++#if WORDS_BIGENDIAN ++ uint8_t __reserved1 :4; ++ uint8_t channel :4; ++ ++ uint8_t __reserved2 :6; ++ uint8_t operation :2; ++ ++ uint8_t key_id; ++ unsigned char key_value[IPMI_KG_BUFFER_SIZE-1]; /* we don't want space for '\0' at the end */ ++#else ++ uint8_t channel :4; ++ uint8_t __reserved1 :4; ++ ++ uint8_t operation :2; ++ uint8_t __reserved2 :6; ++ ++ uint8_t key_id; ++ unsigned char key_value[IPMI_KG_BUFFER_SIZE-1]; /* we don't want space for '\0' at the end */ ++#endif ++} __attribute__ ((packed)); ++ ++struct set_channel_security_keys_rsp { ++#if WORDS_BIGENDIAN ++ uint8_t __reserved1 :6; ++ uint8_t lock_status :2; ++ unsigned char key_value; /* just the first character, use &key_value to explore the rest */ ++#else ++ uint8_t lock_status :2; ++ uint8_t __reserved1 :6; ++ unsigned char key_value; /* just the first character, use &key_value to explore the rest */ ++#endif ++} __attribute__ ((packed)); ++ + uint8_t ipmi_get_channel_medium(struct ipmi_intf * intf, uint8_t channel); + uint8_t ipmi_current_channel_medium(struct ipmi_intf * intf); + int ipmi_channel_main(struct ipmi_intf * intf, int argc, char ** argv); +diff -urNp old/include/ipmitool/ipmi_intf.h new/include/ipmitool/ipmi_intf.h +--- old/include/ipmitool/ipmi_intf.h 2017-02-06 10:20:02.254362909 +0100 ++++ new/include/ipmitool/ipmi_intf.h 2017-02-06 10:40:40.264577602 +0100 +@@ -60,7 +60,6 @@ enum LANPLUS_SESSION_STATE { + + #define IPMI_AUTHCODE_BUFFER_SIZE 20 + #define IPMI_SIK_BUFFER_SIZE IPMI_MAX_MD_SIZE +-#define IPMI_KG_BUFFER_SIZE 21 /* key plus null byte */ + + struct ipmi_session_params { + char * hostname; +diff -urNp old/lib/ipmi_channel.c new/lib/ipmi_channel.c +--- old/lib/ipmi_channel.c 2017-02-06 10:20:02.255409134 +0100 ++++ new/lib/ipmi_channel.c 2017-02-06 12:32:14.222282317 +0100 +@@ -821,6 +821,92 @@ ipmi_set_user_access(struct ipmi_intf *i + return 0; + } + ++int ++ipmi_set_channel_security_keys (struct ipmi_intf *intf, uint8_t channel, const char *method, const char *key) ++{ ++ uint8_t kgkey[IPMI_KG_BUFFER_SIZE]; ++ struct ipmi_rs *rsp; ++ struct ipmi_rq req; ++ struct set_channel_security_keys_req req_data; ++ int rc = -1; ++ ++ /* convert provided key to array of bytes */ ++ if (strcmp(method, "hex") == 0) { ++ if (strlen(key) > (IPMI_KG_BUFFER_SIZE-1)*2) { ++ lprintf(LOG_ERR, "Provided key is too long, max. length is %d bytes", (IPMI_KG_BUFFER_SIZE-1)); ++ printf_channel_usage(); ++ return -1; ++ } ++ ++ rc = ipmi_parse_hex(key, kgkey, sizeof(kgkey)-1); ++ if (rc == -1) { ++ lprintf(LOG_ERR, "Number of Kg key characters is not even"); ++ return rc; ++ } else if (rc == -3) { ++ lprintf(LOG_ERR, "Kg key is not hexadecimal number"); ++ return rc; ++ } else if (rc > (IPMI_KG_BUFFER_SIZE-1)) { ++ lprintf(LOG_ERR, "Kg key is too long"); ++ return rc; ++ } ++ ++ } else if (strcmp(method, "plain") == 0) { ++ if (strlen(key) > IPMI_KG_BUFFER_SIZE-1) { ++ lprintf(LOG_ERR, "Provided key is too long, max. length is %d bytes", (IPMI_KG_BUFFER_SIZE -1)); ++ printf_channel_usage(); ++ return rc; ++ } ++ ++ strncpy(kgkey, key, IPMI_KG_BUFFER_SIZE-1); ++ } else { ++ printf_channel_usage(); ++ return rc; ++ } ++ ++ /* assemble and send request to set kg key */ ++ memset(&req_data, 0, sizeof(req_data)); ++ req_data.channel = channel; ++ req_data.operation = IPMI_SET_CHANNEL_SECURITY_KEYS_OP_SET; ++ req_data.key_id = IPMI_KG_KEY_ID; ++ memcpy(req_data.key_value, kgkey, IPMI_KG_BUFFER_SIZE-1); ++ ++ memset(&req, 0, sizeof(req)); ++ req.msg.netfn = IPMI_NETFN_APP; ++ req.msg.cmd = IPMI_SET_CHANNEL_SECURITY_KEYS; ++ req.msg.data = (uint8_t*) &req_data; ++ req.msg.data_len = sizeof(req_data); ++ ++ rsp = intf->sendrecv(intf, &req); ++ if (rsp == NULL) { ++ lprintf(LOG_ERR, "Set Channel Security Keys command failed"); ++ return rc; ++ } ++ if (rsp->ccode > 0) { ++ const char *error = NULL; ++ switch (rsp->ccode) { ++ case 0x80: ++ error = "Key is locked"; ++ break; ++ case 0x81: ++ error = "Insufficient key bytes"; ++ break; ++ case 0x82: ++ error = "Too many key bytes"; ++ break; ++ case 0x83: ++ error = "Key value does not meet criteria for K_g key"; ++ break; ++ default: ++ error = val2str(rsp->ccode, completion_code_vals); ++ } ++ lprintf(LOG_ERR, "Error setting security key: %X (%s)", rsp->ccode, error); ++ return rc; ++ } ++ ++ lprintf(LOG_NOTICE, "Set Channel Security Keys command succeeded"); ++ return 0; ++} ++ + int + ipmi_channel_main(struct ipmi_intf *intf, int argc, char **argv) + { +@@ -890,6 +976,19 @@ ipmi_channel_main(struct ipmi_intf *intf + retval = ipmi_get_channel_cipher_suites(intf, + argv[1], /* ipmi | sol */ + channel); ++ } else if (strncmp(argv[0], "setkg", 5) == 0) { ++ if (argc < 3 || argc > 4) ++ printf_channel_usage(); ++ else { ++ uint8_t ch = 0xe; ++ char *method = argv[1]; ++ char *key = argv[2]; ++ if (argc == 4) { ++ ch = (uint8_t)strtol(argv[3], NULL, 0); ++ } ++ ++ retval = ipmi_set_channel_security_keys(intf, ch, method, key); ++ } + } else { + lprintf(LOG_ERR, "Invalid CHANNEL command: %s\n", argv[0]); + printf_channel_usage(); +@@ -916,6 +1015,10 @@ printf_channel_usage() + lprintf(LOG_NOTICE, + ""); + lprintf(LOG_NOTICE, ++" setkg hex|plain [channel]"); ++ lprintf(LOG_NOTICE, ++""); ++ lprintf(LOG_NOTICE, + "Possible privilege levels are:"); + lprintf(LOG_NOTICE, + " 1 Callback level"); +diff -urNp old/src/plugins/ipmi_intf.c new/src/plugins/ipmi_intf.c +--- old/src/plugins/ipmi_intf.c 2017-02-06 10:20:02.257501584 +0100 ++++ new/src/plugins/ipmi_intf.c 2017-02-06 10:42:12.585257810 +0100 +@@ -55,6 +55,7 @@ + #include + #include + #include ++#include + + #define IPMI_DEFAULT_PAYLOAD_SIZE 25 + diff --git a/ipmitool/0004-slowswid.patch b/ipmitool/0004-slowswid.patch new file mode 100644 index 0000000..c5f91b7 --- /dev/null +++ b/ipmitool/0004-slowswid.patch @@ -0,0 +1,16 @@ +diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c +index fa7b082..9bc5ac2 100644 +--- a/lib/ipmi_sdr.c ++++ b/lib/ipmi_sdr.c +@@ -572,6 +572,8 @@ ipmi_sdr_get_sensor_reading_ipmb(struct ipmi_intf *intf, uint8_t sensor, + uint32_t save_addr; + uint32_t save_channel; + ++ if (target == (uint8_t) 0xb1) ++ return ipmi_sdr_get_sensor_reading(intf, sensor); + if ( BRIDGE_TO_SENSOR(intf, target, channel) ) { + lprintf(LOG_DEBUG, + "Bridge to Sensor " +-- +2.1.0 + diff --git a/ipmitool/0005-sensor-id-length.patch b/ipmitool/0005-sensor-id-length.patch new file mode 100644 index 0000000..0cb8313 --- /dev/null +++ b/ipmitool/0005-sensor-id-length.patch @@ -0,0 +1,16 @@ +diff --git a/include/ipmitool/ipmi_sdr.h b/include/ipmitool/ipmi_sdr.h +index ccf0cf0..47d3949 100644 +--- a/include/ipmitool/ipmi_sdr.h ++++ b/include/ipmitool/ipmi_sdr.h +@@ -819,7 +819,7 @@ static const char *sensor_type_desc[] __attribute__ ((unused)) = { + "Version Change", "FRU State" }; + + struct sensor_reading { +- char s_id[17]; /* name of the sensor */ ++ char s_id[33]; /* name of the sensor */ + struct sdr_record_full_sensor *full; + struct sdr_record_compact_sensor *compact; + uint8_t s_reading_valid; /* read value valididity */ +-- +2.1.0 + diff --git a/ipmitool/0006-enable-usb.patch b/ipmitool/0006-enable-usb.patch new file mode 100644 index 0000000..d3bfba5 --- /dev/null +++ b/ipmitool/0006-enable-usb.patch @@ -0,0 +1,21 @@ +diff -urNp old/configure.ac new/configure.ac +--- old/configure.ac 2017-02-02 14:20:33.230784269 +0100 ++++ new/configure.ac 2017-02-02 14:22:53.528510336 +0100 +@@ -63,7 +63,7 @@ xenable_intf_imb=yes + xenable_intf_lipmi=yes + xenable_intf_open=yes + #xenable_intf_serial=yes +-xenable_intf_usb=no ++xenable_intf_usb=yes + xenable_ipmishell=yes + + dnl set some things so we build with GNU tools on Solaris +@@ -209,7 +209,7 @@ fi + dnl enable IPMI USB interface + AC_ARG_ENABLE([intf-usb], + [AC_HELP_STRING([--enable-intf-usb], +- [enable IPMI USB interface [default=auto]])], ++ [enable IPMI USB interface [default=yes]])], + [xenable_intf_usb=$enableval], + [xenable_intf_usb=$xenable_intf_usb]) + if test "x$xenable_intf_usb" = "xstatic" || test "x$xenable_intf_usb" = "xplugin"; then diff --git a/ipmitool/0007-check-input.patch b/ipmitool/0007-check-input.patch new file mode 100644 index 0000000..030fd2a --- /dev/null +++ b/ipmitool/0007-check-input.patch @@ -0,0 +1,41 @@ +diff -urNp old/doc/ipmitool.1 new/doc/ipmitool.1 +--- old/doc/ipmitool.1 2017-10-03 16:10:50.446539988 +0200 ++++ new/doc/ipmitool.1 2017-10-03 16:16:37.039673239 +0200 +@@ -3170,13 +3170,14 @@ SOL configuration data for the currently + + Enable, disable or show status of SOL payload for the user on the specified channel. + .TP +-\fIset\fP <\fBparameter\fR> <\fBvalue\fR> [<\fBchannel\fR>] ++\fIset\fP <\fBparameter\fR> <\fBvalue\fR> [<\fBchannel\fR>] [\fBnoguard\fR] + .br + + Configure parameters for Serial Over Lan. If no channel is given, + it will display SOL configuration data for the currently used + channel. Configuration parameter updates are automatically guarded +-with the updates to the set\-in\-progress parameter. ++with the updates to the set\-in\-progress parameter, unless \fInoguard\fR ++parameter is present. + .RS + .TP + Valid parameters and values are: +diff -urNp old/lib/ipmi_sol.c new/lib/ipmi_sol.c +--- old/lib/ipmi_sol.c 2017-10-03 16:10:50.447539996 +0200 ++++ new/lib/ipmi_sol.c 2017-10-03 16:18:37.079006949 +0200 +@@ -1875,7 +1875,7 @@ static void + print_sol_usage(void) + { + lprintf(LOG_NOTICE, "SOL Commands: info []"); +- lprintf(LOG_NOTICE, " set [channel]"); ++ lprintf(LOG_NOTICE, " set [channel] [noguard]"); + lprintf(LOG_NOTICE, " payload [channel] [userid]"); + lprintf(LOG_NOTICE, " activate [] [instance=]"); + lprintf(LOG_NOTICE, " deactivate [instance=]"); +@@ -1890,6 +1890,8 @@ print_sol_usage(void) + static void + print_sol_set_usage(void) + { ++ lprintf(LOG_NOTICE, "\nSOL set usage: \n"); ++ lprintf(LOG_NOTICE, " sol set [channel] [noguard]\n"); + lprintf(LOG_NOTICE, "\nSOL set parameters and values: \n"); + lprintf(LOG_NOTICE, " set-in-progress set-complete | " + "set-in-progress | commit-write");