freeipmi-devel

Re: [Freeipmi-devel] [bug #38790] Invalid "Confidentiality Pad Length" v


From: Rob Swindell
Subject: Re: [Freeipmi-devel] [bug #38790] Invalid "Confidentiality Pad Length" value in encrypted RMCP+ packets
Date: Thu, 25 Apr 2013 21:33:45 +0000

I can confirm your patch fixes the problem.

I was able to reproduce the original problem with *any* payload that happened 
to be evenly divisible by 16 and was greater than 16 (the AES-128 block size). 
This included sending specific lengths of SOL payload data, DCMI asset tag, 
DCMI management controller ID string or any *sent* encrypted packet which 
happened to result in these special payload sizes.

I was able to reproduce it with your example (DCMI asset tag of 5 characters) 
as well as my example (DCMI asset tag of 21 characters) - both work now with 
your patch.

Thanks,

-Rob

-----Original Message-----
From: Albert Chu [mailto:address@hidden 
Sent: Thursday, April 25, 2013 11:27 AM
To: Albert Chu; Rob Swindell; address@hidden
Subject: [bug #38790] Invalid "Confidentiality Pad Length" value in encrypted 
RMCP+ packets

Update of bug #38790 (project freeipmi):

             Assigned to:                    None => chu11                  

    _______________________________________________________

Follow-up Comment #2:

I was able to reproduce with --set-asset-tag=12313 (not sure why it did not
with your example).  I'm surprised this bug lingered so long.  I guess most
vendors do not check the pad.

I did a different patch though, and found another location in the code that
needed to be changed.  Here's the patch I committed for 1.2.6.  I've of course
given credit to you & Broadcom in the ChangeLog for finding the bug and the
fix location.

===================================================================
--- libfreeipmi/interface/ipmi-rmcpplus-interface.c     (revision 9608)
+++ libfreeipmi/interface/ipmi-rmcpplus-interface.c     (working copy)
@@ -739,7 +739,7 @@
   uint8_t iv[IPMI_CRYPT_AES_CBC_128_IV_LENGTH];
   int iv_len;
   uint8_t payload_buf[IPMI_MAX_PAYLOAD_LENGTH];
-  uint8_t pad_len;
+  uint8_t pad_len, pad_tmp;
   int payload_len, cipher_keylen, cipher_blocklen, encrypt_len;
 
   /* Note: Confidentiality Key for AES_CBS_128 is K2 */
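
Review bot: pad_tmp is declared at function scope beside pad_len, but going by the later hunk it only holds a remainder for one computation; a name such as pad_remainder, or a declaration in the block where the pad is computed, would make that clearer. While this area is being touched, the context comment reads AES_CBS_128 where the constants spell it AES_CBC_128.
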
@@ -808,7 +808,11 @@
   /* Pad the data appropriately */
 
   /* +1 is for the pad length field */
-  pad_len = IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH - ((payload_len + 1) %
IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH);
+  pad_tmp = ((payload_len + 1) % IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH);
+  if (pad_tmp)
+    pad_len = IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH - pad_tmp;
+  else
+    pad_len = 0;
 
   if ((payload_len + pad_len + 1) > IPMI_MAX_PAYLOAD_LENGTH)
     {
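
Review bot: the comment above the new pad_tmp computation still only explains the +1; it should also say why the aligned case gets pad_len = 0, since the removed expression returned a full IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH there and that is the whole bug. The if/else can also collapse to one line, pad_len = pad_tmp ? IPMI_CRYPT_AES_CBC_128_BLOCK_LENGTH - pad_tmp : 0; and a regression test over payload lengths where (payload_len + 1) is a multiple of the block length would keep this from coming back.
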
@@ -821,8 +825,8 @@
       unsigned int i;
       for (i = 0; i < pad_len; i++)
         payload_buf[payload_len + i] = i + 1;
-      payload_buf[payload_len + pad_len] = pad_len;
     }
+  payload_buf[payload_len + pad_len] = pad_len;
 
   /* +1 for pad length field */
   if ((encrypt_len = crypt_cipher_encrypt (IPMI_CRYPT_CIPHER_AES,
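
Review bot: the pad length store after the closing brace now runs on every path, including pad_len == 0 where it writes payload_buf[payload_len]; that depends on the (payload_len + pad_len + 1) > IPMI_MAX_PAYLOAD_LENGTH check in the previous hunk leaving the function on failure, which is not visible in this diff and is worth confirming. A short comment saying the pad length byte is always emitted, even with no pad bytes, would explain why the line moved out of the block.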



    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?38790>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
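
Added example (not part of the original messages and not FreeIPMI code): the pad computation before and after the patch, run through a hypothetical strict receiver check that rejects a pad length of a full block. `BLOCK_LEN`, all function names and the payload lengths are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCK_LEN 16 /* AES-128 block size, as stated in the thread */
/* Pre-patch expression: 16 when payload_len + 1 is already block aligned. */
static uint8_t pad_len_old(int payload_len)
{
    return BLOCK_LEN - ((payload_len + 1) % BLOCK_LEN);
}

/* Patched expression: 0 in the aligned case, so the result is 0..15. */
static uint8_t pad_len_fixed(int payload_len)
{
    uint8_t pad_tmp = (payload_len + 1) % BLOCK_LEN;
    return pad_tmp ? BLOCK_LEN - pad_tmp : 0;
}

/* Write pad bytes 1..pad_len, then the pad length byte. Returns bytes to encrypt, or -1. */
static int add_trailer(uint8_t *buf, size_t buflen, int payload_len, uint8_t pad_len)
{
    if (payload_len < 0 || (size_t)payload_len + pad_len + 1 > buflen)
        return -1;
    for (unsigned int i = 0; i < pad_len; i++)
        buf[payload_len + i] = i + 1;
    buf[payload_len + pad_len] = pad_len;
    return payload_len + pad_len + 1;
}

/* Hypothetical strict receiver: whole blocks, pad length < one block, pad bytes 1,2,3... */
static int check_trailer(const uint8_t *buf, int len)
{
    if (len <= 0 || len % BLOCK_LEN != 0)
        return -1;
    uint8_t pad_len = buf[len - 1];
    if (pad_len >= BLOCK_LEN)
        return -1;
    for (unsigned int i = 0; i < pad_len; i++)
        if (buf[len - 1 - pad_len + i] != i + 1)
            return -1;
    return len - 1 - pad_len; /* recovered payload length */
}

int main(void)
{
    uint8_t b[64] = {0};
    for (int n = 14; n <= 16; n++) /* constructed lengths around the boundary */
        printf("payload=%d old_pad=%d fixed_pad=%d fixed_ok=%d\n", n, pad_len_old(n), pad_len_fixed(n), check_trailer(b, add_trailer(b, sizeof b, n, pad_len_fixed(n))));
    return 0;
}
```

With the pre-patch expression a 15-byte payload gains a whole extra block and a pad length of 16, which the strict check rejects; the patched expression keeps it to one block with a pad length of 0.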


