aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--system/ipmitool/ipmitool.SlackBuild29
-rw-r--r--system/ipmitool/patches/0001-CVE-2011-4339-OpenIPMI.patch25
-rw-r--r--system/ipmitool/patches/0002-openssl.patch (renamed from system/ipmitool/ipmitool-openssl-1.1.patch)21
-rw-r--r--system/ipmitool/patches/0003-ipmitool-1.8.11-set-kg-key.patch240
-rw-r--r--system/ipmitool/patches/0004-slowswid.patch16
-rw-r--r--system/ipmitool/patches/0005-sensor-id-length.patch16
-rw-r--r--system/ipmitool/patches/0006-enable-usb.patch21
-rw-r--r--system/ipmitool/patches/0007-check-input.patch41
-rw-r--r--system/ipmitool/patches/0008-add-extern.patch40
-rw-r--r--system/ipmitool/patches/0009-best-cipher.patch864
-rw-r--r--system/ipmitool/patches/0010-pef-missing-newline.patch33
-rw-r--r--system/ipmitool/patches/0011-expand-sensor-name-column.patch57
-rw-r--r--system/ipmitool/patches/0012-CVE-2020-5208.patch378
13 files changed, 1760 insertions, 21 deletions
diff --git a/system/ipmitool/ipmitool.SlackBuild b/system/ipmitool/ipmitool.SlackBuild
index e0e11b85ab8ce..44b9d6702d31f 100644
--- a/system/ipmitool/ipmitool.SlackBuild
+++ b/system/ipmitool/ipmitool.SlackBuild
@@ -21,7 +21,7 @@ PKGTYPE=${PKGTYPE:-tgz}
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
- i?86) ARCH=i486 ;;
+ i?86) ARCH=i586 ;;
arm*) ARCH=arm ;;
*) ARCH=$( uname -m ) ;;
esac
@@ -39,8 +39,8 @@ TMP=${TMP:-/tmp/SBo}
PKG=$TMP/package-$PRGNAM
OUTPUT=${OUTPUT:-/tmp}
-if [ "$ARCH" = "i486" ]; then
- SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
LIBDIRSUFFIX=""
elif [ "$ARCH" = "i686" ]; then
SLKCFLAGS="-O2 -march=i686 -mtune=i686"
@@ -63,13 +63,20 @@ tar xvf $CWD/$PRGNAM-$VERSION.tar.bz2
cd $PRGNAM-$VERSION
chown -R root:root .
find -L . \
- \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 -o -perm 511 \) \
- -exec chmod 755 {} \; -o \
- \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
- -exec chmod 644 {} \;
-
-# Fix compilation with openssl-1.1
-[ "`openssl version | grep 1.1`" ] && patch -p0 < $CWD/ipmitool-openssl-1.1.patch
+ \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
+ -o -perm 511 \) -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
+ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+
+# Apply a lot of patches (thanks, fedora!)
+for i in $CWD/patches/* ; do patch -p1 < $i ; done
+aclocal
+libtoolize --automake --copy
+autoheader
+automake --foreign --add-missing --copy
+aclocal
+autoconf
+automake --foreign
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
@@ -85,7 +92,7 @@ CXXFLAGS="$SLKCFLAGS" \
make DOCDIR=/usr/doc/$PRGNAM-$VERSION
make DOCDIR=/usr/doc/$PRGNAM-$VERSION install DESTDIR=$PKG
-find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
find $PKG/usr/man -type f -exec gzip -9 {} \;
diff --git a/system/ipmitool/patches/0001-CVE-2011-4339-OpenIPMI.patch b/system/ipmitool/patches/0001-CVE-2011-4339-OpenIPMI.patch
new file mode 100644
index 0000000000000..437c9adaf9c84
--- /dev/null
+++ b/system/ipmitool/patches/0001-CVE-2011-4339-OpenIPMI.patch
@@ -0,0 +1,25 @@
+From 152efd46931a70ab4e3d81e99d312df7dcd666e6 Mon Sep 17 00:00:00 2001
+From: Boris Ranto <branto@redhat.com>
+Date: Tue, 10 May 2016 19:12:08 +0200
+Subject: [PATCH] CVE-2011-4339 OpenIPMI
+
+IPMI event daemon creates PID file with world writeable permissions
+---
+ lib/helper.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/helper.c b/lib/helper.c
+index de91438..c3a1c80 100644
+--- a/lib/helper.c
++++ b/lib/helper.c
+@@ -829,7 +829,6 @@ ipmi_start_daemon(struct ipmi_intf *intf)
+ #endif
+
+ chdir("/");
+- umask(0);
+
+ for (fd=0; fd<64; fd++) {
+ if (fd != intf->fd)
+--
+2.7.4
+
diff --git a/system/ipmitool/ipmitool-openssl-1.1.patch b/system/ipmitool/patches/0002-openssl.patch
index 39b311f6e9154..ff5e7051bf5f7 100644
--- a/system/ipmitool/ipmitool-openssl-1.1.patch
+++ b/system/ipmitool/patches/0002-openssl.patch
@@ -1,6 +1,7 @@
---- src/plugins/lanplus/lanplus_crypt_impl.c.orig 2020-01-05 20:05:14.536039135 +0100
-+++ src/plugins/lanplus/lanplus_crypt_impl.c 2020-01-05 20:09:48.808613128 +0100
-@@ -164,10 +164,10 @@
+diff -urNp old/src/plugins/lanplus/lanplus_crypt_impl.c new/src/plugins/lanplus/lanplus_crypt_impl.c
+--- old/src/plugins/lanplus/lanplus_crypt_impl.c 2016-05-28 10:20:20.000000000 +0200
++++ new/src/plugins/lanplus/lanplus_crypt_impl.c 2017-02-21 10:50:21.634873466 +0100
+@@ -164,10 +164,10 @@ lanplus_encrypt_aes_cbc_128(const uint8_
uint8_t * output,
uint32_t * bytes_written)
{
@@ -15,7 +16,7 @@
*bytes_written = 0;
-@@ -191,7 +191,7 @@
+@@ -191,7 +191,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_
assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0);
@@ -24,7 +25,7 @@
{
/* Error */
*bytes_written = 0;
-@@ -201,7 +201,7 @@
+@@ -201,7 +201,7 @@ lanplus_encrypt_aes_cbc_128(const uint8_
{
uint32_t tmplen;
@@ -33,7 +34,7 @@
{
*bytes_written = 0;
return; /* Error */
-@@ -210,7 +210,8 @@
+@@ -210,7 +210,8 @@ lanplus_encrypt_aes_cbc_128(const uint8_
{
/* Success */
*bytes_written += tmplen;
@@ -43,7 +44,7 @@
}
}
}
-@@ -239,10 +240,10 @@
+@@ -239,10 +240,10 @@ lanplus_decrypt_aes_cbc_128(const uint8_
uint8_t * output,
uint32_t * bytes_written)
{
@@ -58,7 +59,7 @@
if (verbose >= 5)
-@@ -266,7 +267,7 @@
+@@ -266,7 +267,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_
assert((input_length % IPMI_CRYPT_AES_CBC_128_BLOCK_SIZE) == 0);
@@ -67,7 +68,7 @@
{
/* Error */
lprintf(LOG_DEBUG, "ERROR: decrypt update failed");
-@@ -277,7 +278,7 @@
+@@ -277,7 +278,7 @@ lanplus_decrypt_aes_cbc_128(const uint8_
{
uint32_t tmplen;
@@ -76,7 +77,7 @@
{
char buffer[1000];
ERR_error_string(ERR_get_error(), buffer);
-@@ -290,7 +291,8 @@
+@@ -290,7 +291,8 @@ lanplus_decrypt_aes_cbc_128(const uint8_
{
/* Success */
*bytes_written += tmplen;
diff --git a/system/ipmitool/patches/0003-ipmitool-1.8.11-set-kg-key.patch b/system/ipmitool/patches/0003-ipmitool-1.8.11-set-kg-key.patch
new file mode 100644
index 0000000000000..00a396e230877
--- /dev/null
+++ b/system/ipmitool/patches/0003-ipmitool-1.8.11-set-kg-key.patch
@@ -0,0 +1,240 @@
+diff -urNp old/doc/ipmitool.1 new/doc/ipmitool.1
+--- old/doc/ipmitool.1 2017-02-06 10:20:02.254362909 +0100
++++ new/doc/ipmitool.1 2017-02-06 10:33:41.729294474 +0100
+@@ -372,6 +372,20 @@ Configure user access information on the
+
+ Displays the list of cipher suites supported for the given
+ application (ipmi or sol) on the given channel.
++.TP
++\fIsetkg\fP <\fIhex\fP|\fIplain\fP> <\fBkey\fP> [<\fBchannel\fR>]
++.br
++
++Sets K_g key to given value. Use \fIplain\fP to specify \fBkey\fR as simple ASCII string.
++Use \fIhex\fP to specify \fBkey\fR as sequence of hexadecimal codes of ASCII charactes.
++I.e. following two examples are equivalent:
++
++.RS
++ipmitool channel setkg plain PASSWORD
++
++ipmitool channel setkg hex 50415353574F5244
++.RE
++
+ .RE
+ .RE
+ .TP
+diff -urNp old/include/ipmitool/helper.h new/include/ipmitool/helper.h
+--- old/include/ipmitool/helper.h 2017-02-06 10:20:02.254362909 +0100
++++ new/include/ipmitool/helper.h 2017-02-06 10:40:07.336136844 +0100
+@@ -58,6 +58,8 @@
+ # define IPMI_UID_MAX 63
+ #endif
+
++#define IPMI_KG_BUFFER_SIZE 21 /* key plus null byte */
++
+ struct ipmi_intf;
+
+ struct valstr {
+diff -urNp old/include/ipmitool/ipmi_channel.h new/include/ipmitool/ipmi_channel.h
+--- old/include/ipmitool/ipmi_channel.h 2017-02-06 10:20:02.253316684 +0100
++++ new/include/ipmitool/ipmi_channel.h 2017-02-06 10:58:15.291287621 +0100
+@@ -49,6 +49,10 @@
+ #define IPMI_GET_USER_NAME 0x46
+ #define IPMI_SET_USER_PASSWORD 0x47
+ #define IPMI_GET_CHANNEL_CIPHER_SUITES 0x54
++#define IPMI_SET_CHANNEL_SECURITY_KEYS 0x56
++
++#define IPMI_KG_KEY_ID 1
++#define IPMI_SET_CHANNEL_SECURITY_KEYS_OP_SET 1
+
+ /* These are for channel_info_t.session_support */
+ #define IPMI_CHANNEL_SESSION_LESS 0x00
+@@ -137,6 +141,40 @@ int _ipmi_set_channel_access(struct ipmi
+ struct channel_access_t channel_access, uint8_t access_option,
+ uint8_t privilege_option);
+
++struct set_channel_security_keys_req {
++#if WORDS_BIGENDIAN
++ uint8_t __reserved1 :4;
++ uint8_t channel :4;
++
++ uint8_t __reserved2 :6;
++ uint8_t operation :2;
++
++ uint8_t key_id;
++ unsigned char key_value[IPMI_KG_BUFFER_SIZE-1]; /* we don't want space for '\0' at the end */
++#else
++ uint8_t channel :4;
++ uint8_t __reserved1 :4;
++
++ uint8_t operation :2;
++ uint8_t __reserved2 :6;
++
++ uint8_t key_id;
++ unsigned char key_value[IPMI_KG_BUFFER_SIZE-1]; /* we don't want space for '\0' at the end */
++#endif
++} __attribute__ ((packed));
++
++struct set_channel_security_keys_rsp {
++#if WORDS_BIGENDIAN
++ uint8_t __reserved1 :6;
++ uint8_t lock_status :2;
++ unsigned char key_value; /* just the first character, use &key_value to explore the rest */
++#else
++ uint8_t lock_status :2;
++ uint8_t __reserved1 :6;
++ unsigned char key_value; /* just the first character, use &key_value to explore the rest */
++#endif
++} __attribute__ ((packed));
++
+ uint8_t ipmi_get_channel_medium(struct ipmi_intf * intf, uint8_t channel);
+ uint8_t ipmi_current_channel_medium(struct ipmi_intf * intf);
+ int ipmi_channel_main(struct ipmi_intf * intf, int argc, char ** argv);
+diff -urNp old/include/ipmitool/ipmi_intf.h new/include/ipmitool/ipmi_intf.h
+--- old/include/ipmitool/ipmi_intf.h 2017-02-06 10:20:02.254362909 +0100
++++ new/include/ipmitool/ipmi_intf.h 2017-02-06 10:40:40.264577602 +0100
+@@ -60,7 +60,6 @@ enum LANPLUS_SESSION_STATE {
+
+ #define IPMI_AUTHCODE_BUFFER_SIZE 20
+ #define IPMI_SIK_BUFFER_SIZE IPMI_MAX_MD_SIZE
+-#define IPMI_KG_BUFFER_SIZE 21 /* key plus null byte */
+
+ struct ipmi_session_params {
+ char * hostname;
+diff -urNp old/lib/ipmi_channel.c new/lib/ipmi_channel.c
+--- old/lib/ipmi_channel.c 2017-02-06 10:20:02.255409134 +0100
++++ new/lib/ipmi_channel.c 2017-02-06 12:32:14.222282317 +0100
+@@ -821,6 +821,92 @@ ipmi_set_user_access(struct ipmi_intf *i
+ return 0;
+ }
+
++int
++ipmi_set_channel_security_keys (struct ipmi_intf *intf, uint8_t channel, const char *method, const char *key)
++{
++ uint8_t kgkey[IPMI_KG_BUFFER_SIZE];
++ struct ipmi_rs *rsp;
++ struct ipmi_rq req;
++ struct set_channel_security_keys_req req_data;
++ int rc = -1;
++
++ /* convert provided key to array of bytes */
++ if (strcmp(method, "hex") == 0) {
++ if (strlen(key) > (IPMI_KG_BUFFER_SIZE-1)*2) {
++ lprintf(LOG_ERR, "Provided key is too long, max. length is %d bytes", (IPMI_KG_BUFFER_SIZE-1));
++ printf_channel_usage();
++ return -1;
++ }
++
++ rc = ipmi_parse_hex(key, kgkey, sizeof(kgkey)-1);
++ if (rc == -1) {
++ lprintf(LOG_ERR, "Number of Kg key characters is not even");
++ return rc;
++ } else if (rc == -3) {
++ lprintf(LOG_ERR, "Kg key is not hexadecimal number");
++ return rc;
++ } else if (rc > (IPMI_KG_BUFFER_SIZE-1)) {
++ lprintf(LOG_ERR, "Kg key is too long");
++ return rc;
++ }
++
++ } else if (strcmp(method, "plain") == 0) {
++ if (strlen(key) > IPMI_KG_BUFFER_SIZE-1) {
++ lprintf(LOG_ERR, "Provided key is too long, max. length is %d bytes", (IPMI_KG_BUFFER_SIZE -1));
++ printf_channel_usage();
++ return rc;
++ }
++
++ strncpy(kgkey, key, IPMI_KG_BUFFER_SIZE-1);
++ } else {
++ printf_channel_usage();
++ return rc;
++ }
++
++ /* assemble and send request to set kg key */
++ memset(&req_data, 0, sizeof(req_data));
++ req_data.channel = channel;
++ req_data.operation = IPMI_SET_CHANNEL_SECURITY_KEYS_OP_SET;
++ req_data.key_id = IPMI_KG_KEY_ID;
++ memcpy(req_data.key_value, kgkey, IPMI_KG_BUFFER_SIZE-1);
++
++ memset(&req, 0, sizeof(req));
++ req.msg.netfn = IPMI_NETFN_APP;
++ req.msg.cmd = IPMI_SET_CHANNEL_SECURITY_KEYS;
++ req.msg.data = (uint8_t*) &req_data;
++ req.msg.data_len = sizeof(req_data);
++
++ rsp = intf->sendrecv(intf, &req);
++ if (rsp == NULL) {
++ lprintf(LOG_ERR, "Set Channel Security Keys command failed");
++ return rc;
++ }
++ if (rsp->ccode > 0) {
++ const char *error = NULL;
++ switch (rsp->ccode) {
++ case 0x80:
++ error = "Key is locked";
++ break;
++ case 0x81:
++ error = "Insufficient key bytes";
++ break;
++ case 0x82:
++ error = "Too many key bytes";
++ break;
++ case 0x83:
++ error = "Key value does not meet criteria for K_g key";
++ break;
++ default:
++ error = val2str(rsp->ccode, completion_code_vals);
++ }
++ lprintf(LOG_ERR, "Error setting security key: %X (%s)", rsp->ccode, error);
++ return rc;
++ }
++
++ lprintf(LOG_NOTICE, "Set Channel Security Keys command succeeded");
++ return 0;
++}
++
+ int
+ ipmi_channel_main(struct ipmi_intf *intf, int argc, char **argv)
+ {
+@@ -890,6 +976,19 @@ ipmi_channel_main(struct ipmi_intf *intf
+ retval = ipmi_get_channel_cipher_suites(intf,
+ argv[1], /* ipmi | sol */
+ channel);
++ } else if (strncmp(argv[0], "setkg", 5) == 0) {
++ if (argc < 3 || argc > 4)
++ printf_channel_usage();
++ else {
++ uint8_t ch = 0xe;
++ char *method = argv[1];
++ char *key = argv[2];
++ if (argc == 4) {
++ ch = (uint8_t)strtol(argv[3], NULL, 0);
++ }
++
++ retval = ipmi_set_channel_security_keys(intf, ch, method, key);
++ }
+ } else {
+ lprintf(LOG_ERR, "Invalid CHANNEL command: %s\n", argv[0]);
+ printf_channel_usage();
+@@ -916,6 +1015,10 @@ printf_channel_usage()
+ lprintf(LOG_NOTICE,
+ "");
+ lprintf(LOG_NOTICE,
++" setkg hex|plain <key> [channel]");
++ lprintf(LOG_NOTICE,
++"");
++ lprintf(LOG_NOTICE,
+ "Possible privilege levels are:");
+ lprintf(LOG_NOTICE,
+ " 1 Callback level");
+diff -urNp old/src/plugins/ipmi_intf.c new/src/plugins/ipmi_intf.c
+--- old/src/plugins/ipmi_intf.c 2017-02-06 10:20:02.257501584 +0100
++++ new/src/plugins/ipmi_intf.c 2017-02-06 10:42:12.585257810 +0100
+@@ -55,6 +55,7 @@
+ #include <ipmitool/ipmi.h>
+ #include <ipmitool/ipmi_sdr.h>
+ #include <ipmitool/log.h>
++#include <ipmitool/helper.h>
+
+ #define IPMI_DEFAULT_PAYLOAD_SIZE 25
+
diff --git a/system/ipmitool/patches/0004-slowswid.patch b/system/ipmitool/patches/0004-slowswid.patch
new file mode 100644
index 0000000000000..c5f91b7efa607
--- /dev/null
+++ b/system/ipmitool/patches/0004-slowswid.patch
@@ -0,0 +1,16 @@
+diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c
+index fa7b082..9bc5ac2 100644
+--- a/lib/ipmi_sdr.c
++++ b/lib/ipmi_sdr.c
+@@ -572,6 +572,8 @@ ipmi_sdr_get_sensor_reading_ipmb(struct ipmi_intf *intf, uint8_t sensor,
+ uint32_t save_addr;
+ uint32_t save_channel;
+
++ if (target == (uint8_t) 0xb1)
++ return ipmi_sdr_get_sensor_reading(intf, sensor);
+ if ( BRIDGE_TO_SENSOR(intf, target, channel) ) {
+ lprintf(LOG_DEBUG,
+ "Bridge to Sensor "
+--
+2.1.0
+
diff --git a/system/ipmitool/patches/0005-sensor-id-length.patch b/system/ipmitool/patches/0005-sensor-id-length.patch
new file mode 100644
index 0000000000000..0cb8313d6c5e5
--- /dev/null
+++ b/system/ipmitool/patches/0005-sensor-id-length.patch
@@ -0,0 +1,16 @@
+diff --git a/include/ipmitool/ipmi_sdr.h b/include/ipmitool/ipmi_sdr.h
+index ccf0cf0..47d3949 100644
+--- a/include/ipmitool/ipmi_sdr.h
++++ b/include/ipmitool/ipmi_sdr.h
+@@ -819,7 +819,7 @@ static const char *sensor_type_desc[] __attribute__ ((unused)) = {
+ "Version Change", "FRU State" };
+
+ struct sensor_reading {
+- char s_id[17]; /* name of the sensor */
++ char s_id[33]; /* name of the sensor */
+ struct sdr_record_full_sensor *full;
+ struct sdr_record_compact_sensor *compact;
+ uint8_t s_reading_valid; /* read value valididity */
+--
+2.1.0
+
diff --git a/system/ipmitool/patches/0006-enable-usb.patch b/system/ipmitool/patches/0006-enable-usb.patch
new file mode 100644
index 0000000000000..d3bfba5a4d647
--- /dev/null
+++ b/system/ipmitool/patches/0006-enable-usb.patch
@@ -0,0 +1,21 @@
+diff -urNp old/configure.ac new/configure.ac
+--- old/configure.ac 2017-02-02 14:20:33.230784269 +0100
++++ new/configure.ac 2017-02-02 14:22:53.528510336 +0100
+@@ -63,7 +63,7 @@ xenable_intf_imb=yes
+ xenable_intf_lipmi=yes
+ xenable_intf_open=yes
+ #xenable_intf_serial=yes
+-xenable_intf_usb=no
++xenable_intf_usb=yes
+ xenable_ipmishell=yes
+
+ dnl set some things so we build with GNU tools on Solaris
+@@ -209,7 +209,7 @@ fi
+ dnl enable IPMI USB interface
+ AC_ARG_ENABLE([intf-usb],
+ [AC_HELP_STRING([--enable-intf-usb],
+- [enable IPMI USB interface [default=auto]])],
++ [enable IPMI USB interface [default=yes]])],
+ [xenable_intf_usb=$enableval],
+ [xenable_intf_usb=$xenable_intf_usb])
+ if test "x$xenable_intf_usb" = "xstatic" || test "x$xenable_intf_usb" = "xplugin"; then
diff --git a/system/ipmitool/patches/0007-check-input.patch b/system/ipmitool/patches/0007-check-input.patch
new file mode 100644
index 0000000000000..030fd2a40c8fb
--- /dev/null
+++ b/system/ipmitool/patches/0007-check-input.patch
@@ -0,0 +1,41 @@
+diff -urNp old/doc/ipmitool.1 new/doc/ipmitool.1
+--- old/doc/ipmitool.1 2017-10-03 16:10:50.446539988 +0200
++++ new/doc/ipmitool.1 2017-10-03 16:16:37.039673239 +0200
+@@ -3170,13 +3170,14 @@ SOL configuration data for the currently
+
+ Enable, disable or show status of SOL payload for the user on the specified channel.
+ .TP
+-\fIset\fP <\fBparameter\fR> <\fBvalue\fR> [<\fBchannel\fR>]
++\fIset\fP <\fBparameter\fR> <\fBvalue\fR> [<\fBchannel\fR>] [\fBnoguard\fR]
+ .br
+
+ Configure parameters for Serial Over Lan. If no channel is given,
+ it will display SOL configuration data for the currently used
+ channel. Configuration parameter updates are automatically guarded
+-with the updates to the set\-in\-progress parameter.
++with the updates to the set\-in\-progress parameter, unless \fInoguard\fR
++parameter is present.
+ .RS
+ .TP
+ Valid parameters and values are:
+diff -urNp old/lib/ipmi_sol.c new/lib/ipmi_sol.c
+--- old/lib/ipmi_sol.c 2017-10-03 16:10:50.447539996 +0200
++++ new/lib/ipmi_sol.c 2017-10-03 16:18:37.079006949 +0200
+@@ -1875,7 +1875,7 @@ static void
+ print_sol_usage(void)
+ {
+ lprintf(LOG_NOTICE, "SOL Commands: info [<channel number>]");
+- lprintf(LOG_NOTICE, " set <parameter> <value> [channel]");
++ lprintf(LOG_NOTICE, " set <parameter> <value> [channel] [noguard]");
+ lprintf(LOG_NOTICE, " payload <enable|disable|status> [channel] [userid]");
+ lprintf(LOG_NOTICE, " activate [<usesolkeepalive|nokeepalive>] [instance=<number>]");
+ lprintf(LOG_NOTICE, " deactivate [instance=<number>]");
+@@ -1890,6 +1890,8 @@ print_sol_usage(void)
+ static void
+ print_sol_set_usage(void)
+ {
++ lprintf(LOG_NOTICE, "\nSOL set usage: \n");
++ lprintf(LOG_NOTICE, " sol set <parameter> <value> [channel] [noguard]\n");
+ lprintf(LOG_NOTICE, "\nSOL set parameters and values: \n");
+ lprintf(LOG_NOTICE, " set-in-progress set-complete | "
+ "set-in-progress | commit-write");
diff --git a/system/ipmitool/patches/0008-add-extern.patch b/system/ipmitool/patches/0008-add-extern.patch
new file mode 100644
index 0000000000000..53f4ca2482f97
--- /dev/null
+++ b/system/ipmitool/patches/0008-add-extern.patch
@@ -0,0 +1,40 @@
+From 95f666fa10c32233ee202d8b99d05b5e13528a25 Mon Sep 17 00:00:00 2001
+From: Vaclav Dolezal <vdolezal@redhat.com>
+Date: Thu, 23 Jan 2020 11:26:32 +0100
+Subject: [PATCH] hpmfwupg: move variable definition to .c file
+
+Signed-off-by: Vaclav Dolezal <vdolezal@redhat.com>
+---
+ include/ipmitool/ipmi_hpmfwupg.h | 2 +-
+ lib/ipmi_hpmfwupg.c | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/include/ipmitool/ipmi_hpmfwupg.h b/include/ipmitool/ipmi_hpmfwupg.h
+index de65292..07f597b 100644
+--- a/include/ipmitool/ipmi_hpmfwupg.h
++++ b/include/ipmitool/ipmi_hpmfwupg.h
+@@ -800,7 +800,7 @@ typedef struct _VERSIONINFO {
+ char descString[HPMFWUPG_DESC_STRING_LENGTH + 1];
+ }VERSIONINFO, *PVERSIONINFO;
+
+-VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX];
++extern VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX];
+
+ #define TARGET_VER (0x01)
+ #define ROLLBACK_VER (0x02)
+diff --git a/lib/ipmi_hpmfwupg.c b/lib/ipmi_hpmfwupg.c
+index bbcffc0..d7cdcd6 100644
+--- a/lib/ipmi_hpmfwupg.c
++++ b/lib/ipmi_hpmfwupg.c
+@@ -58,6 +58,8 @@ ipmi_intf_get_max_request_data_size(struct ipmi_intf * intf);
+
+ extern int verbose;
+
++VERSIONINFO gVersionInfo[HPMFWUPG_COMPONENT_ID_MAX];
++
+ int HpmfwupgUpgrade(struct ipmi_intf *intf, char *imageFilename,
+ int activate, int, int);
+ int HpmfwupgValidateImageIntegrity(struct HpmfwupgUpgradeCtx *pFwupgCtx);
+--
+2.20.1
+
diff --git a/system/ipmitool/patches/0009-best-cipher.patch b/system/ipmitool/patches/0009-best-cipher.patch
new file mode 100644
index 0000000000000..8f999b32950c0
--- /dev/null
+++ b/system/ipmitool/patches/0009-best-cipher.patch
@@ -0,0 +1,864 @@
+From f2df2aa5a010544d53589a5b048677406eb40ee8 Mon Sep 17 00:00:00 2001
+From: Vernon Mauery <vernon.mauery@intel.com>
+Date: Mon, 9 Apr 2018 12:28:57 -0700
+Subject: [PATCH] lanplus: Auto-select 'best' cipher suite available
+
+Current cipher suites could be ranked as this:
+ 17 > 3 >> all the rest
+
+Cherry-picked-from: 7772254b62826b894ca629df8c597030a98f4f72
+Cherry-picked-from: f9c699c712f884c82fc1a62f1f61a8d597ac0cfd
+
+Also fetched some functions/macros for helper.h
+
+Equals to getting include/ipmitool/helper.h changes from commits:
+(oldest first)
+
+ 6c00d44 mc: watchdog get: Update to match IPMI 2.0 spec
+ e8e94d8 mc: watchdog set: Refactor to reduce complexity
+ 0310208 mc: Code refactor to reduce copy-paste ratio
+ 249e092 general: Make byteswapping arch-independent
+ 5491b12 refix 249e0929: Fix byteswapping helpers
+ bb1a4cc Refactoring. Improve code reuse ratio.
+---
+ include/ipmitool/helper.h | 58 ++++++++
+ include/ipmitool/ipmi_channel.h | 47 +++++++
+ include/ipmitool/ipmi_intf.h | 39 ++++-
+ lib/ipmi_channel.c | 242 +++++++++++++++-----------------
+ lib/ipmi_main.c | 23 +--
+ src/plugins/ipmi_intf.c | 5 +-
+ src/plugins/lanplus/lanplus.c | 114 +++++++++++----
+ 7 files changed, 360 insertions(+), 168 deletions(-)
+
+diff --git a/include/ipmitool/helper.h b/include/ipmitool/helper.h
+index c53736f..6a2e5f4 100644
+--- a/include/ipmitool/helper.h
++++ b/include/ipmitool/helper.h
+@@ -38,6 +38,8 @@
+ #include <stdio.h>
+ #include <string.h>
+
++#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
++
+ #ifndef TRUE
+ #define TRUE 1
+ #endif
+@@ -111,6 +113,62 @@ FILE * ipmi_open_file(const char * file, int rw);
+ void ipmi_start_daemon(struct ipmi_intf *intf);
+ uint16_t ipmi_get_oem_id(struct ipmi_intf *intf);
+
++#define IS_SET(v, b) ((v) & (1 << (b)))
++
++/* le16toh(), hto16le(), et. al. don't exist for Windows or Apple */
++/* For portability, let's simply define our own versions here */
++
++/* IPMI is always little-endian */
++static inline uint16_t ipmi16toh(void *ipmi16)
++{
++ uint8_t *ipmi = (uint8_t *)ipmi16;
++ uint16_t h;
++
++ h = ipmi[1] << 8; /* MSB */
++ h |= ipmi[0]; /* LSB */
++
++ return h;
++}
++
++static inline void htoipmi16(uint16_t h, uint8_t *ipmi)
++{
++ ipmi[0] = h & 0xFF; /* LSB */
++ ipmi[1] = h >> 8; /* MSB */
++}
++
++static inline uint32_t ipmi24toh(void *ipmi24)
++{
++ uint8_t *ipmi = (uint8_t *)ipmi24;
++ uint32_t h = 0;
++
++ h = ipmi[2] << 16; /* MSB */
++ h |= ipmi[1] << 8;
++ h |= ipmi[0]; /* LSB */
++
++ return h;
++}
++
++static inline uint32_t ipmi32toh(void *ipmi32)
++{
++ uint8_t *ipmi = ipmi32;
++ uint32_t h;
++
++ h = ipmi[3] << 24; /* MSB */
++ h |= ipmi[2] << 16;
++ h |= ipmi[1] << 8;
++ h |= ipmi[0]; /* LSB */
++
++ return h;
++}
++
++static inline void htoipmi32(uint32_t h, uint8_t *ipmi)
++{
++ ipmi[0] = h & 0xFF; /* LSB */
++ ipmi[1] = (h >> 8) & 0xFF;
++ ipmi[2] = (h >> 16) & 0xFF;
++ ipmi[3] = (h >> 24) & 0xFF; /* MSB */
++}
++
+ #define ipmi_open_file_read(file) ipmi_open_file(file, 0)
+ #define ipmi_open_file_write(file) ipmi_open_file(file, 1)
+
+diff --git a/include/ipmitool/ipmi_channel.h b/include/ipmitool/ipmi_channel.h
+index 3ade2d5..324c0bb 100644
+--- a/include/ipmitool/ipmi_channel.h
++++ b/include/ipmitool/ipmi_channel.h
+@@ -37,6 +37,7 @@
+ # include <config.h>
+ #endif
+ #include <ipmitool/ipmi.h>
++#include <ipmitool/ipmi_intf.h>
+
+
+ #define IPMI_GET_CHANNEL_AUTH_CAP 0x38
+@@ -81,6 +82,50 @@ struct channel_access_t {
+ uint8_t user_level_auth;
+ };
+
++/*
++ * The Cipher Suite Record Format from table 22-18 of the IPMI v2.0 spec
++ */
++enum cipher_suite_format_tag {
++ STANDARD_CIPHER_SUITE = 0xc0,
++ OEM_CIPHER_SUITE = 0xc1,
++};
++#ifdef HAVE_PRAGMA_PACK
++#pragma pack(1)
++#endif
++struct std_cipher_suite_record_t {
++ uint8_t start_of_record;
++ uint8_t cipher_suite_id;
++ uint8_t auth_alg;
++ uint8_t integrity_alg;
++ uint8_t crypt_alg;
++} ATTRIBUTE_PACKING;
++struct oem_cipher_suite_record_t {
++ uint8_t start_of_record;
++ uint8_t cipher_suite_id;
++ uint8_t iana[3];
++ uint8_t auth_alg;
++ uint8_t integrity_alg;
++ uint8_t crypt_alg;
++} ATTRIBUTE_PACKING;
++#ifdef HAVE_PRAGMA_PACK
++#pragma pack(0)
++#endif
++#define CIPHER_ALG_MASK 0x3f
++#define MAX_CIPHER_SUITE_RECORD_OFFSET 0x40
++#define MAX_CIPHER_SUITE_DATA_LEN 0x10
++#define LIST_ALGORITHMS_BY_CIPHER_SUITE 0x80
++
++/* Below is the theoretical maximum number of cipher suites that could be
++ * reported by a BMC. That is with the Get Channel Cipher Suites Command, at 16
++ * bytes at a time and 0x40 requests, it can report 1024 bytes, which is about
++ * 204 standard records or 128 OEM records. Really, we probably don't need more
++ * than about 20, which is the full set of standard records plus a few OEM
++ * records.
++ */
++#define MAX_CIPHER_SUITE_COUNT (MAX_CIPHER_SUITE_RECORD_OFFSET * \
++ MAX_CIPHER_SUITE_DATA_LEN / \
++ sizeof(struct std_cipher_suite_record_t))
++
+ /*
+ * The Get Authentication Capabilities response structure
+ * From table 22-15 of the IPMI v2.0 spec
+@@ -135,6 +180,8 @@ struct get_channel_auth_cap_rsp {
+ int _ipmi_get_channel_access(struct ipmi_intf *intf,
+ struct channel_access_t *channel_access,
+ uint8_t get_volatile_settings);
++int ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
++ uint8_t channel, struct cipher_suite_info *suites, size_t *count);
+ int _ipmi_get_channel_info(struct ipmi_intf *intf,
+ struct channel_info_t *channel_info);
+ int _ipmi_set_channel_access(struct ipmi_intf *intf,
+diff --git a/include/ipmitool/ipmi_intf.h b/include/ipmitool/ipmi_intf.h
+index 0b8c64b..7a07d66 100644
+--- a/include/ipmitool/ipmi_intf.h
++++ b/include/ipmitool/ipmi_intf.h
+@@ -61,13 +61,45 @@ enum LANPLUS_SESSION_STATE {
+ #define IPMI_AUTHCODE_BUFFER_SIZE 20
+ #define IPMI_SIK_BUFFER_SIZE IPMI_MAX_MD_SIZE
+
++enum cipher_suite_ids {
++ IPMI_LANPLUS_CIPHER_SUITE_0 = 0,
++ IPMI_LANPLUS_CIPHER_SUITE_1 = 1,
++ IPMI_LANPLUS_CIPHER_SUITE_2 = 2,
++ IPMI_LANPLUS_CIPHER_SUITE_3 = 3,
++ IPMI_LANPLUS_CIPHER_SUITE_4 = 4,
++ IPMI_LANPLUS_CIPHER_SUITE_5 = 5,
++ IPMI_LANPLUS_CIPHER_SUITE_6 = 6,
++ IPMI_LANPLUS_CIPHER_SUITE_7 = 7,
++ IPMI_LANPLUS_CIPHER_SUITE_8 = 8,
++ IPMI_LANPLUS_CIPHER_SUITE_9 = 9,
++ IPMI_LANPLUS_CIPHER_SUITE_10 = 10,
++ IPMI_LANPLUS_CIPHER_SUITE_11 = 11,
++ IPMI_LANPLUS_CIPHER_SUITE_12 = 12,
++ IPMI_LANPLUS_CIPHER_SUITE_13 = 13,
++ IPMI_LANPLUS_CIPHER_SUITE_14 = 14,
++#ifdef HAVE_CRYPTO_SHA256
++ IPMI_LANPLUS_CIPHER_SUITE_15 = 15,
++ IPMI_LANPLUS_CIPHER_SUITE_16 = 16,
++ IPMI_LANPLUS_CIPHER_SUITE_17 = 17,
++#endif /* HAVE_CRYPTO_SHA256 */
++ IPMI_LANPLUS_CIPHER_SUITE_RESERVED = 0xff,
++};
++
++struct cipher_suite_info {
++ enum cipher_suite_ids cipher_suite_id;
++ uint8_t auth_alg;
++ uint8_t integrity_alg;
++ uint8_t crypt_alg;
++ uint32_t iana;
++};
++
+ struct ipmi_session_params {
+ char * hostname;
+ uint8_t username[17];
+ uint8_t authcode_set[IPMI_AUTHCODE_BUFFER_SIZE + 1];
+ uint8_t authtype_set;
+ uint8_t privlvl;
+- uint8_t cipher_suite_id;
++ enum cipher_suite_ids cipher_suite_id;
+ char sol_escape_char;
+ int password;
+ int port;
+@@ -217,7 +249,10 @@ void ipmi_intf_session_set_username(struct ipmi_intf * intf, char * username);
+ void ipmi_intf_session_set_password(struct ipmi_intf * intf, char * password);
+ void ipmi_intf_session_set_privlvl(struct ipmi_intf * intf, uint8_t privlvl);
+ void ipmi_intf_session_set_lookupbit(struct ipmi_intf * intf, uint8_t lookupbit);
+-void ipmi_intf_session_set_cipher_suite_id(struct ipmi_intf * intf, uint8_t cipher_suite_id);
++#ifdef IPMI_INTF_LANPLUS
++void ipmi_intf_session_set_cipher_suite_id(struct ipmi_intf * intf,
++ enum cipher_suite_ids cipher_suite_id);
++#endif /* IPMI_INTF_LANPLUS */
+ void ipmi_intf_session_set_sol_escape_char(struct ipmi_intf * intf, char sol_escape_char);
+ void ipmi_intf_session_set_kgkey(struct ipmi_intf *intf, const uint8_t *kgkey);
+ void ipmi_intf_session_set_port(struct ipmi_intf * intf, int port);
+diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
+index e1fc75f..3ae3104 100644
+--- a/lib/ipmi_channel.c
++++ b/lib/ipmi_channel.c
+@@ -342,86 +342,116 @@ ipmi_get_channel_auth_cap(struct ipmi_intf *intf, uint8_t channel, uint8_t priv)
+ return 0;
+ }
+
+-static int
++static size_t
++parse_channel_cipher_suite_data(uint8_t *cipher_suite_data, size_t data_len,
++ struct cipher_suite_info* suites, size_t nr_suites)
++{
++ size_t count = 0;
++ size_t offset = 0;
++ uint32_t iana;
++ uint8_t auth_alg, integrity_alg, crypt_alg;
++ uint8_t cipher_suite_id;
++
++ memset(suites, 0, sizeof(*suites) * nr_suites);
++
++ while (offset < data_len && count < nr_suites) {
++ auth_alg = IPMI_AUTH_RAKP_NONE;
++ integrity_alg = IPMI_INTEGRITY_NONE;
++ crypt_alg = IPMI_CRYPT_NONE;
++ if (cipher_suite_data[offset] == STANDARD_CIPHER_SUITE) {
++ struct std_cipher_suite_record_t *record =
++ (struct std_cipher_suite_record_t*)(&cipher_suite_data[offset]);
++ /* standard type */
++ iana = 0;
++
++ /* Verify that we have at least a full record left; id + 3 algs */
++ if ((data_len - offset) < sizeof(*record)) {
++ lprintf(LOG_INFO, "Incomplete data record in cipher suite data");
++ break;
++ }
++ cipher_suite_id = record->cipher_suite_id;
++ auth_alg = CIPHER_ALG_MASK & record->auth_alg;
++ integrity_alg = CIPHER_ALG_MASK & record->integrity_alg;
++ crypt_alg = CIPHER_ALG_MASK & record->crypt_alg;
++ offset += sizeof(*record);
++ } else if (cipher_suite_data[offset] == OEM_CIPHER_SUITE) {
++ /* OEM record type */
++ struct oem_cipher_suite_record_t *record =
++ (struct oem_cipher_suite_record_t*)(&cipher_suite_data[offset]);
++ /* Verify that we have at least a full record left
++ * id + iana + 3 algs
++ */
++ if ((data_len - offset) < sizeof(*record)) {
++ lprintf(LOG_INFO, "Incomplete data record in cipher suite data");
++ break;
++ }
++
++ cipher_suite_id = record->cipher_suite_id;
++
++ /* Grab the IANA */
++ iana = ipmi24toh(record->iana);
++ auth_alg = CIPHER_ALG_MASK & record->auth_alg;
++ integrity_alg = CIPHER_ALG_MASK & record->integrity_alg;
++ crypt_alg = CIPHER_ALG_MASK & record->crypt_alg;
++ offset += sizeof(*record);
++ } else {
++ lprintf(LOG_INFO, "Bad start of record byte in cipher suite data (offset %d, value %x)", offset, cipher_suite_data[offset]);
++ break;
++ }
++ suites[count].cipher_suite_id = cipher_suite_id;
++ suites[count].iana = iana;
++ suites[count].auth_alg = auth_alg;
++ suites[count].integrity_alg = integrity_alg;
++ suites[count].crypt_alg = crypt_alg;
++ count++;
++ }
++ return count;
++}
++
++int
+ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
+- uint8_t channel)
++ uint8_t channel, struct cipher_suite_info *suites, size_t *count)
+ {
+ struct ipmi_rs *rsp;
+ struct ipmi_rq req;
+
+ uint8_t rqdata[3];
+- uint32_t iana;
+- uint8_t auth_alg, integrity_alg, crypt_alg;
+- uint8_t cipher_suite_id;
+ uint8_t list_index = 0;
+ /* 0x40 sets * 16 bytes per set */
+- uint8_t cipher_suite_data[1024];
+- uint16_t offset = 0;
+- /* how much was returned, total */
+- uint16_t cipher_suite_data_length = 0;
++ uint8_t cipher_suite_data[MAX_CIPHER_SUITE_RECORD_OFFSET *
++ MAX_CIPHER_SUITE_DATA_LEN];
++ size_t offset = 0;
++ size_t nr_suites = 0;
+
++ if (!suites || !count || !*count)
++ return -1;
++
++ nr_suites = *count;
++ *count = 0;
+ memset(cipher_suite_data, 0, sizeof(cipher_suite_data));
+-
++
+ memset(&req, 0, sizeof(req));
+ req.msg.netfn = IPMI_NETFN_APP;
+ req.msg.cmd = IPMI_GET_CHANNEL_CIPHER_SUITES;
+ req.msg.data = rqdata;
+- req.msg.data_len = 3;
++ req.msg.data_len = sizeof(rqdata);
+
+ rqdata[0] = channel;
+ rqdata[1] = ((strncmp(payload_type, "ipmi", 4) == 0)? 0: 1);
+- /* Always ask for cipher suite format */
+- rqdata[2] = 0x80;
+-
+- rsp = intf->sendrecv(intf, &req);
+- if (rsp == NULL) {
+- lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+- return -1;
+- }
+- if (rsp->ccode > 0) {
+- lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+- val2str(rsp->ccode, completion_code_vals));
+- return -1;
+- }
+-
+-
+- /*
+- * Grab the returned channel number once. We assume it's the same
+- * in future calls.
+- */
+- if (rsp->data_len >= 1) {
+- channel = rsp->data[0];
+- }
+-
+- while ((rsp->data_len > 1) && (rsp->data_len == 17) && (list_index < 0x3F)) {
+- /*
+- * We got back cipher suite data -- store it.
+- * printf("copying data to offset %d\n", offset);
+- * printbuf(rsp->data + 1, rsp->data_len - 1, "this is the data");
+- */
+- memcpy(cipher_suite_data + offset, rsp->data + 1, rsp->data_len - 1);
+- offset += rsp->data_len - 1;
+-
+- /*
+- * Increment our list for the next call
+- */
+- ++list_index;
+- rqdata[2] = (rqdata[2] & 0x80) + list_index;
+
++ do {
++ /* Always ask for cipher suite format */
++ rqdata[2] = LIST_ALGORITHMS_BY_CIPHER_SUITE | list_index;
+ rsp = intf->sendrecv(intf, &req);
+ if (rsp == NULL) {
+ lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+ return -1;
+ }
+- if (rsp->ccode > 0) {
++ if (rsp->ccode || rsp->data_len < 1) {
+ lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+ val2str(rsp->ccode, completion_code_vals));
+ return -1;
+ }
+- }
+-
+- /* Copy last chunk */
+- if(rsp->data_len > 1) {
+ /*
+ * We got back cipher suite data -- store it.
+ * printf("copying data to offset %d\n", offset);
+@@ -429,88 +459,46 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
+ */
+ memcpy(cipher_suite_data + offset, rsp->data + 1, rsp->data_len - 1);
+ offset += rsp->data_len - 1;
+- }
+
+- /* We can chomp on all our data now. */
+- cipher_suite_data_length = offset;
+- offset = 0;
++ /*
++ * Increment our list for the next call
++ */
++ ++list_index;
++ } while ((rsp->data_len == (sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)) &&
++ (list_index < MAX_CIPHER_SUITE_RECORD_OFFSET));
+
+- if (! csv_output) {
+- printf("ID IANA Auth Alg Integrity Alg Confidentiality Alg\n");
+- }
+- while (offset < cipher_suite_data_length) {
+- if (cipher_suite_data[offset++] == 0xC0) {
+- /* standard type */
+- iana = 0;
++ *count = parse_channel_cipher_suite_data(cipher_suite_data, offset, suites,
++ nr_suites);
++ return 0;
++}
+
+- /* Verify that we have at least a full record left; id + 3 algs */
+- if ((cipher_suite_data_length - offset) < 4) {
+- lprintf(LOG_ERR, "Incomplete data record in cipher suite data");
+- return -1;
+- }
+- cipher_suite_id = cipher_suite_data[offset++];
+- } else if (cipher_suite_data[offset++] == 0xC1) {
+- /* OEM record type */
+- /* Verify that we have at least a full record left
+- * id + iana + 3 algs
+- */
+- if ((cipher_suite_data_length - offset) < 4) {
+- lprintf(LOG_ERR, "Incomplete data record in cipher suite data");
+- return -1;
+- }
++static int
++ipmi_print_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
++ uint8_t channel)
++{
++ int rc;
++ size_t i = 0;
++ struct cipher_suite_info suites[MAX_CIPHER_SUITE_COUNT];
++ size_t nr_suites = sizeof(*suites);
+
+- cipher_suite_id = cipher_suite_data[offset++];
++ rc = ipmi_get_channel_cipher_suites(intf, payload_type, channel,
++ suites, &nr_suites);
+
+- /* Grab the IANA */
+- iana =
+- cipher_suite_data[offset] |
+- (cipher_suite_data[offset + 1] << 8) |
+- (cipher_suite_data[offset + 2] << 16);
+- offset += 3;
+- } else {
+- lprintf(LOG_ERR, "Bad start of record byte in cipher suite data");
+- return -1;
+- }
++ if (rc < 0)
++ return rc;
+
+- /*
+- * Grab the algorithms for this cipher suite. I guess we can't be
+- * sure of what order they'll come in. Also, I suppose we default
+- * to the NONE algorithm if one were absent. This part of the spec is
+- * poorly written -- I have read the errata document. For now, I'm only
+- * allowing one algorithm per type (auth, integrity, crypt) because I
+- * don't I understand how it could be otherwise.
+- */
+- auth_alg = IPMI_AUTH_RAKP_NONE;
+- integrity_alg = IPMI_INTEGRITY_NONE;
+- crypt_alg = IPMI_CRYPT_NONE;
+-
+- while (((cipher_suite_data[offset] & 0xC0) != 0xC0) &&
+- ((cipher_suite_data_length - offset) > 0))
+- {
+- switch (cipher_suite_data[offset] & 0xC0)
+- {
+- case 0x00:
+- /* Authentication algorithm specifier */
+- auth_alg = cipher_suite_data[offset++] & 0x3F;
+- break;
+- case 0x40:
+- /* Interity algorithm specifier */
+- integrity_alg = cipher_suite_data[offset++] & 0x3F;
+- break;
+- case 0x80:
+- /* Confidentiality algorithm specifier */
+- crypt_alg = cipher_suite_data[offset++] & 0x3F;
+- break;
+- }
+- }
++ if (! csv_output) {
++ printf("ID IANA Auth Alg Integrity Alg Confidentiality Alg\n");
++ }
++ for (i = 0; i < nr_suites; i++) {
+ /* We have everything we need to spit out a cipher suite record */
+ printf((csv_output? "%d,%s,%s,%s,%s\n" :
+ "%-4d %-7s %-15s %-15s %-15s\n"),
+- cipher_suite_id,
+- iana_string(iana),
+- val2str(auth_alg, ipmi_auth_algorithms),
+- val2str(integrity_alg, ipmi_integrity_algorithms),
+- val2str(crypt_alg, ipmi_encryption_algorithms));
++ suites[i].cipher_suite_id,
++ iana_string(suites[i].iana),
++ val2str(suites[i].auth_alg, ipmi_auth_algorithms),
++ val2str(suites[i].integrity_alg, ipmi_integrity_algorithms),
++ val2str(suites[i].crypt_alg, ipmi_encryption_algorithms));
+ }
+ return 0;
+ }
+@@ -973,7 +961,7 @@ ipmi_channel_main(struct ipmi_intf *intf, int argc, char **argv)
+ return (-1);
+ }
+ }
+- retval = ipmi_get_channel_cipher_suites(intf,
++ retval = ipmi_print_channel_cipher_suites(intf,
+ argv[1], /* ipmi | sol */
+ channel);
+ } else if (strncmp(argv[0], "setkg", 5) == 0) {
+diff --git a/lib/ipmi_main.c b/lib/ipmi_main.c
+index 811c80b..6aee102 100644
+--- a/lib/ipmi_main.c
++++ b/lib/ipmi_main.c
+@@ -323,6 +323,7 @@ ipmi_main(int argc, char ** argv,
+ uint8_t target_addr = 0;
+ uint8_t target_channel = 0;
+
++ uint8_t u8tmp = 0;
+ uint8_t transit_addr = 0;
+ uint8_t transit_channel = 0;
+ uint8_t target_lun = 0;
+@@ -347,7 +348,10 @@ ipmi_main(int argc, char ** argv,
+ char * seloem = NULL;
+ int port = 0;
+ int devnum = 0;
+- int cipher_suite_id = 3; /* See table 22-19 of the IPMIv2 spec */
++#ifdef IPMI_INTF_LANPLUS
++ /* lookup best cipher suite available */
++ enum cipher_suite_ids cipher_suite_id = IPMI_LANPLUS_CIPHER_SUITE_RESERVED;
++#endif /* IPMI_INTF_LANPLUS */
+ int argflag, i, found;
+ int rc = -1;
+ int ai_family = AF_UNSPEC;
+@@ -425,19 +429,18 @@ ipmi_main(int argc, char ** argv,
+ goto out_free;
+ }
+ break;
++#ifdef IPMI_INTF_LANPLUS
+ case 'C':
+- if (str2int(optarg, &cipher_suite_id) != 0) {
+- lprintf(LOG_ERR, "Invalid parameter given or out of range for '-C'.");
+- rc = -1;
+- goto out_free;
+- }
+- /* add check Cipher is -gt 0 */
+- if (cipher_suite_id < 0) {
+- lprintf(LOG_ERR, "Cipher suite ID %i is invalid.", cipher_suite_id);
++ /* Cipher Suite ID is a byte as per IPMI specification */
++ if (str2uchar(optarg, &u8tmp) != 0) {
++ lprintf(LOG_ERR, "Invalid parameter given or out of "
++ "range [0-255] for '-C'.");
+ rc = -1;
+ goto out_free;
+ }
++ cipher_suite_id = u8tmp;
+ break;
++#endif /* IPMI_INTF_LANPLUS */
+ case 'v':
+ verbose++;
+ break;
+@@ -870,7 +873,9 @@ ipmi_main(int argc, char ** argv,
+
+ ipmi_intf_session_set_lookupbit(ipmi_main_intf, lookupbit);
+ ipmi_intf_session_set_sol_escape_char(ipmi_main_intf, sol_escape_char);
++#ifdef IPMI_INTF_LANPLUS
+ ipmi_intf_session_set_cipher_suite_id(ipmi_main_intf, cipher_suite_id);
++#endif /* IPMI_INTF_LANPLUS */
+
+ ipmi_main_intf->devnum = devnum;
+
+diff --git a/src/plugins/ipmi_intf.c b/src/plugins/ipmi_intf.c
+index 1d9e87b..00b0918 100644
+--- a/src/plugins/ipmi_intf.c
++++ b/src/plugins/ipmi_intf.c
+@@ -252,11 +252,14 @@ ipmi_intf_session_set_lookupbit(struct ipmi_intf * intf, uint8_t lookupbit)
+ intf->ssn_params.lookupbit = lookupbit;
+ }
+
++#ifdef IPMI_INTF_LANPLUS
+ void
+-ipmi_intf_session_set_cipher_suite_id(struct ipmi_intf * intf, uint8_t cipher_suite_id)
++ipmi_intf_session_set_cipher_suite_id(struct ipmi_intf * intf,
++ enum cipher_suite_ids cipher_suite_id)
+ {
+ intf->ssn_params.cipher_suite_id = cipher_suite_id;
+ }
++#endif /* IPMI_INTF_LANPLUS */
+
+ void
+ ipmi_intf_session_set_sol_escape_char(struct ipmi_intf * intf, char sol_escape_char)
+diff --git a/src/plugins/lanplus/lanplus.c b/src/plugins/lanplus/lanplus.c
+index a0e388c..3087348 100644
+--- a/src/plugins/lanplus/lanplus.c
++++ b/src/plugins/lanplus/lanplus.c
+@@ -164,114 +164,109 @@ extern int verbose;
+ * returns 0 on success
+ * 1 on failure
+ */
+-int lanplus_get_requested_ciphers(int cipher_suite_id,
++int lanplus_get_requested_ciphers(enum cipher_suite_ids cipher_suite_id,
+ uint8_t * auth_alg,
+ uint8_t * integrity_alg,
+ uint8_t * crypt_alg)
+ {
+-#ifdef HAVE_CRYPTO_SHA256
+- if ((cipher_suite_id < 0) || (cipher_suite_id > 17)) {
+- return 1;
+- }
+-#else
+- if ((cipher_suite_id < 0) || (cipher_suite_id > 14))
+- return 1;
+-#endif /* HAVE_CRYPTO_SHA256 */
+ /* See table 22-19 for the source of the statement */
+ switch (cipher_suite_id)
+ {
+- case 0:
++ case IPMI_LANPLUS_CIPHER_SUITE_0:
+ *auth_alg = IPMI_AUTH_RAKP_NONE;
+ *integrity_alg = IPMI_INTEGRITY_NONE;
+ *crypt_alg = IPMI_CRYPT_NONE;
+ break;
+- case 1:
++ case IPMI_LANPLUS_CIPHER_SUITE_1:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1;
+ *integrity_alg = IPMI_INTEGRITY_NONE;
+ *crypt_alg = IPMI_CRYPT_NONE;
+ break;
+- case 2:
++ case IPMI_LANPLUS_CIPHER_SUITE_2:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
+ *crypt_alg = IPMI_CRYPT_NONE;
+ break;
+- case 3:
++ case IPMI_LANPLUS_CIPHER_SUITE_3:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
+ *crypt_alg = IPMI_CRYPT_AES_CBC_128;
+ break;
+- case 4:
++ case IPMI_LANPLUS_CIPHER_SUITE_4:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
+ *crypt_alg = IPMI_CRYPT_XRC4_128;
+ break;
+- case 5:
++ case IPMI_LANPLUS_CIPHER_SUITE_5:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA1;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_SHA1_96;
+ *crypt_alg = IPMI_CRYPT_XRC4_40;
+ break;
+- case 6:
++ case IPMI_LANPLUS_CIPHER_SUITE_6:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_NONE;
+ *crypt_alg = IPMI_CRYPT_NONE;
+ break;
+- case 7:
++ case IPMI_LANPLUS_CIPHER_SUITE_7:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ *crypt_alg = IPMI_CRYPT_NONE;
+ break;
+- case 8:
++ case IPMI_LANPLUS_CIPHER_SUITE_8:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ *crypt_alg = IPMI_CRYPT_AES_CBC_128;
+ break;
+- case 9:
++ case IPMI_LANPLUS_CIPHER_SUITE_9:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ *crypt_alg = IPMI_CRYPT_XRC4_128;
+ break;
+- case 10:
++ case IPMI_LANPLUS_CIPHER_SUITE_10:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_MD5_128;
+ *crypt_alg = IPMI_CRYPT_XRC4_40;
+ break;
+- case 11:
++ case IPMI_LANPLUS_CIPHER_SUITE_11:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_MD5_128;
+ *crypt_alg = IPMI_CRYPT_NONE;
+ break;
+- case 12:
++ case IPMI_LANPLUS_CIPHER_SUITE_12:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_MD5_128;
+ *crypt_alg = IPMI_CRYPT_AES_CBC_128;
+ break;
+- case 13:
++ case IPMI_LANPLUS_CIPHER_SUITE_13:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_MD5_128;
+ *crypt_alg = IPMI_CRYPT_XRC4_128;
+ break;
+- case 14:
++ case IPMI_LANPLUS_CIPHER_SUITE_14:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_MD5;
+ *integrity_alg = IPMI_INTEGRITY_MD5_128;
+ *crypt_alg = IPMI_CRYPT_XRC4_40;
+ break;
+ #ifdef HAVE_CRYPTO_SHA256
+- case 15:
++ case IPMI_LANPLUS_CIPHER_SUITE_15:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA256;
+ *integrity_alg = IPMI_INTEGRITY_NONE;
+ *crypt_alg = IPMI_CRYPT_NONE;
+ break;
+- case 16:
++ case IPMI_LANPLUS_CIPHER_SUITE_16:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA256;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_SHA256_128;
+ *crypt_alg = IPMI_CRYPT_NONE;
+ break;
+- case 17:
++ case IPMI_LANPLUS_CIPHER_SUITE_17:
+ *auth_alg = IPMI_AUTH_RAKP_HMAC_SHA256;
+ *integrity_alg = IPMI_INTEGRITY_HMAC_SHA256_128;
+ *crypt_alg = IPMI_CRYPT_AES_CBC_128;
+ break;
+ #endif /* HAVE_CRYPTO_SHA256 */
++ case IPMI_LANPLUS_CIPHER_SUITE_RESERVED:
++ default:
++ return 1;
+ }
+
+ return 0;
+@@ -3441,6 +3436,57 @@ ipmi_set_session_privlvl_cmd(struct ipmi_intf * intf)
+ return 0;
+ }
+
++static uint8_t
++ipmi_find_best_cipher_suite(struct ipmi_intf *intf)
++{
++ enum cipher_suite_ids best_suite = IPMI_LANPLUS_CIPHER_SUITE_RESERVED;
++#ifdef HAVE_CRYPTO_SHA256
++ struct cipher_suite_info suites[MAX_CIPHER_SUITE_COUNT];
++ size_t nr_suites = ARRAY_SIZE(suites);
++ /* cipher suite best order is chosen with this criteria:
++ * HMAC-MD5 and MD5 are BAD; xRC4 is bad; AES128 is required
++ * HMAC-SHA256 > HMAC-SHA1
++ * secure authentication > encrypted content
++ *
++ * With xRC4 out, all cipher suites with MD5 out, and cipher suite 3 being
++ * required by the spec, the only better defined standard cipher suite is
++ * 17. So if SHA256 is available, we should try to use that, otherwise,
++ * fall back to 3.
++ */
++ const enum cipher_suite_ids cipher_order_preferred[] = {
++ IPMI_LANPLUS_CIPHER_SUITE_17,
++ IPMI_LANPLUS_CIPHER_SUITE_3,
++ };
++ const size_t nr_preferred = ARRAY_SIZE(cipher_order_preferred);
++ size_t ipref, i;
++
++ if (ipmi_get_channel_cipher_suites(intf, "ipmi", IPMI_LAN_CHANNEL_E,
++ suites, &nr_suites) < 0)
++ {
++ /* default legacy behavior - cipher suite 3 if none is requested */
++ return IPMI_LANPLUS_CIPHER_SUITE_3;
++ }
++ for (ipref = 0; ipref < nr_preferred &&
++ IPMI_LANPLUS_CIPHER_SUITE_RESERVED == best_suite; ipref++)
++ {
++ for (i = 0; i < nr_suites; i++) {
++ if (cipher_order_preferred[ipref] == suites[i].cipher_suite_id) {
++ best_suite = cipher_order_preferred[ipref];
++ break;
++ }
++ }
++ }
++#endif /* HAVE_CRYPTO_SHA256 */
++ if (IPMI_LANPLUS_CIPHER_SUITE_RESERVED == best_suite) {
++ /* IPMI 2.0 spec requires that cipher suite 3 is implemented
++ * so we should always be able to fall back to that if better
++ * options are not available. */
++ best_suite = IPMI_LANPLUS_CIPHER_SUITE_3;
++ }
++ lprintf(LOG_INFO, "Using best available cipher suite %d\n", best_suite);
++ return best_suite;
++}
++
+ /**
+ * ipmi_lanplus_open
+ */
+@@ -3514,6 +3560,16 @@ ipmi_lanplus_open(struct ipmi_intf * intf)
+ lprintf(LOG_INFO, "This BMC does not support IPMI v2 / RMCP+");
+ goto fail;
+ }
++ /*
++ * If no cipher suite was provided, query the channel cipher suite list and
++ * pick the best one available
++ */
++ if (IPMI_LANPLUS_CIPHER_SUITE_RESERVED ==
++ intf->ssn_params.cipher_suite_id)
++ {
++ ipmi_intf_session_set_cipher_suite_id(intf,
++ ipmi_find_best_cipher_suite(intf));
++ }
+
+ /*
+ * If the open/rakp1/rakp3 sequence encounters a timeout, the whole sequence
+@@ -3728,7 +3784,7 @@ static int ipmi_lanplus_setup(struct ipmi_intf * intf)
+
+ static void ipmi_lanp_set_max_rq_data_size(struct ipmi_intf * intf, uint16_t size)
+ {
+- if (intf->ssn_params.cipher_suite_id == 3) {
++ if (intf->ssn_params.cipher_suite_id == IPMI_LANPLUS_CIPHER_SUITE_3) {
+ /*
+ * encrypted payload can only be multiple of 16 bytes
+ */
+@@ -3746,7 +3802,7 @@ static void ipmi_lanp_set_max_rq_data_size(struct ipmi_intf * intf, uint16_t siz
+
+ static void ipmi_lanp_set_max_rp_data_size(struct ipmi_intf * intf, uint16_t size)
+ {
+- if (intf->ssn_params.cipher_suite_id == 3) {
++ if (intf->ssn_params.cipher_suite_id == IPMI_LANPLUS_CIPHER_SUITE_3) {
+ /*
+ * encrypted payload can only be multiple of 16 bytes
+ */
+--
+2.20.1
+
diff --git a/system/ipmitool/patches/0010-pef-missing-newline.patch b/system/ipmitool/patches/0010-pef-missing-newline.patch
new file mode 100644
index 0000000000000..76503338d941e
--- /dev/null
+++ b/system/ipmitool/patches/0010-pef-missing-newline.patch
@@ -0,0 +1,33 @@
+From f65ea137f0d03f883219a791a49cf8ea7e16776a Mon Sep 17 00:00:00 2001
+From: Vaclav Dolezal <vdolezal@redhat.com>
+Date: Fri, 1 Mar 2019 14:46:12 +0100
+Subject: [PATCH] Fix "ipmitool pef {status,info}" not printing final newline
+
+Signed-off-by: Vaclav Dolezal <vdolezal@redhat.com>
+---
+ lib/ipmi_pef.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/ipmi_pef.c b/lib/ipmi_pef.c
+index bbf25f2..4be749e 100644
+--- a/lib/ipmi_pef.c
++++ b/lib/ipmi_pef.c
+@@ -1183,6 +1183,7 @@ ipmi_pef2_get_info(struct ipmi_intf *intf)
+ ipmi_pef_print_guid(guid_ptr);
+ }
+ ipmi_pef_print_flags(&pef_b2s_actions, P_SUPP, pcap.actions);
++ putchar('\n');
+ return 0;
+ }
+
+@@ -1242,6 +1243,7 @@ ipmi_pef2_get_status(struct ipmi_intf *intf)
+ return (-1);
+ }
+ ipmi_pef_print_flags(&pef_b2s_actions, P_ACTV, rsp->data[1]);
++ putchar('\n');
+ return 0;
+ }
+
+--
+2.20.1
+
diff --git a/system/ipmitool/patches/0011-expand-sensor-name-column.patch b/system/ipmitool/patches/0011-expand-sensor-name-column.patch
new file mode 100644
index 0000000000000..85e0c92a21404
--- /dev/null
+++ b/system/ipmitool/patches/0011-expand-sensor-name-column.patch
@@ -0,0 +1,57 @@
+From 57b57b27fe2c17e3030c41ee5566af36ccd33941 Mon Sep 17 00:00:00 2001
+From: Vaclav Dolezal <vdolezal@redhat.com>
+Date: Thu, 30 Jan 2020 16:18:37 +0100
+Subject: [PATCH] Expand column with name in ipmitool sdr/sensor output
+
+---
+ lib/ipmi_sdr.c | 4 ++--
+ lib/ipmi_sensor.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c
+index fd2c02d..0f6faab 100644
+--- a/lib/ipmi_sdr.c
++++ b/lib/ipmi_sdr.c
+@@ -1619,7 +1619,7 @@ ipmi_sdr_print_sensor_fc(struct ipmi_intf *intf,
+ /*
+ * print sensor name, reading, state
+ */
+- printf("%-16s | ", sr->s_id);
++ printf("%-24s | ", sr->s_id);
+
+ memset(sval, 0, sizeof (sval));
+
+@@ -1657,7 +1657,7 @@ ipmi_sdr_print_sensor_fc(struct ipmi_intf *intf,
+ /*
+ * print sensor name, number, state, entity, reading
+ */
+- printf("%-16s | %02Xh | ",
++ printf("%-24s | %02Xh | ",
+ sr->s_id, sensor->keys.sensor_num);
+
+ if (IS_THRESHOLD_SENSOR(sensor)) {
+diff --git a/lib/ipmi_sensor.c b/lib/ipmi_sensor.c
+index a0b7eb8..7328508 100644
+--- a/lib/ipmi_sensor.c
++++ b/lib/ipmi_sensor.c
+@@ -175,7 +175,7 @@ ipmi_sensor_print_fc_discrete(struct ipmi_intf *intf,
+ /* output format
+ * id value units status thresholds....
+ */
+- printf("%-16s ", sr->s_id);
++ printf("%-24s ", sr->s_id);
+ if (sr->s_reading_valid) {
+ if (sr->s_has_analog_value) {
+ /* don't show discrete component */
+@@ -276,7 +276,7 @@ ipmi_sensor_print_fc_threshold(struct ipmi_intf *intf,
+ /* output format
+ * id value units status thresholds....
+ */
+- printf("%-16s ", sr->s_id);
++ printf("%-24s ", sr->s_id);
+ if (sr->s_reading_valid) {
+ if (sr->s_has_analog_value)
+ printf("| %-10.3f | %-10s | %-6s",
+--
+2.20.1
+
diff --git a/system/ipmitool/patches/0012-CVE-2020-5208.patch b/system/ipmitool/patches/0012-CVE-2020-5208.patch
new file mode 100644
index 0000000000000..4d5a4874f24a4
--- /dev/null
+++ b/system/ipmitool/patches/0012-CVE-2020-5208.patch
@@ -0,0 +1,378 @@
+From b3e74778c65ba3ffc8a9b3133c87588ee5d18a74 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:33:59 +0000
+Subject: [PATCH] Fixes for CVE-2020-5208
+
+see https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+This patch is combination of following commits:
+
+pick e824c23316ae50beb7f7488f2055ac65e8b341f2 fru: Fix buffer overflow vulnerabilities
+pick 840fb1cbb4fb365cb9797300e3374d4faefcdb10 fru: Fix buffer overflow in ipmi_spd_print_fru
+pick 41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22 session: Fix buffer overflow in ipmi_get_session_info
+pick 9452be87181a6e83cfcc768b3ed8321763db50e4 channel: Fix buffer overflow
+pick d45572d71e70840e0d4c50bf48218492b79c1a10 lanp: Fix buffer overflows in get_lan_param_select
+pick 7ccea283dd62a05a320c1921e3d8d71a87772637 fru, sdr: Fix id_string buffer overflows
+---
+ lib/dimm_spd.c | 9 ++++++++-
+ lib/ipmi_channel.c | 5 ++++-
+ lib/ipmi_fru.c | 35 ++++++++++++++++++++++++++++++++---
+ lib/ipmi_lanp.c | 14 +++++++-------
+ lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++----------------
+ lib/ipmi_session.c | 12 ++++++++----
+ 6 files changed, 83 insertions(+), 32 deletions(-)
+
+diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
+index 41e30db..68f3b4f 100644
+--- a/lib/dimm_spd.c
++++ b/lib/dimm_spd.c
+@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ struct ipmi_rq req;
+ struct fru_info fru;
+ uint8_t *spd_data, msg_data[4];
+- int len, offset;
++ uint32_t len, offset;
+
+ msg_data[0] = id;
+
+@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ }
+
+ len = rsp->data[0];
++ if(rsp->data_len < 1
++ || len > rsp->data_len - 1
++ || len > fru.size - offset)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
+ memcpy(&spd_data[offset], rsp->data + 1, len);
+ offset += len;
+ } while (offset < fru.size);
+diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
+index 3ae3104..80ba522 100644
+--- a/lib/ipmi_channel.c
++++ b/lib/ipmi_channel.c
+@@ -447,7 +447,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
+ lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+ return -1;
+ }
+- if (rsp->ccode || rsp->data_len < 1) {
++ if (rsp->ccode
++ || rsp->data_len < 1
++ || rsp->data_len > sizeof(uint8_t) + MAX_CIPHER_SUITE_DATA_LEN)
++ {
+ lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+ val2str(rsp->ccode, completion_code_vals));
+ return -1;
+diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
+index cf00eff..98bc984 100644
+--- a/lib/ipmi_fru.c
++++ b/lib/ipmi_fru.c
+@@ -615,7 +615,10 @@ int
+ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+- uint32_t off = offset, tmp, finish;
++ uint32_t off = offset;
++ uint32_t tmp;
++ uint32_t finish;
++ uint32_t size_left_in_buffer;
+ struct ipmi_rs * rsp;
+ struct ipmi_rq req;
+ uint8_t msg_data[4];
+@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+
+ finish = offset + length;
+ if (finish > fru->size) {
++ memset(frubuf + fru->size, 0, length - fru->size);
+ finish = fru->size;
+ lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ "Adjusting to %d",
+ offset + length, finish - offset);
++ length = finish - offset;
+ }
+
+ memset(&req, 0, sizeof(req));
+@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ }
+ }
+
++ size_left_in_buffer = length;
+ do {
+ tmp = fru->access ? off >> 1 : off;
+ msg_data[0] = id;
+@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ }
+
+ tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++ if(rsp->data_len < 1
++ || tmp > rsp->data_len - 1
++ || tmp > size_left_in_buffer)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
++
+ memcpy(frubuf, rsp->data + 1, tmp);
+ off += tmp;
+ frubuf += tmp;
++ size_left_in_buffer -= tmp;
+ /* sometimes the size returned in the Info command
+ * is too large. return 0 so higher level function
+ * still attempts to parse what was returned */
+@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+ static uint32_t fru_data_rqst_size = 20;
+- uint32_t off = offset, tmp, finish;
++ uint32_t off = offset;
++ uint32_t tmp, finish;
++ uint32_t size_left_in_buffer;
+ struct ipmi_rs * rsp;
+ struct ipmi_rq req;
+ uint8_t msg_data[4];
+@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+
+ finish = offset + length;
+ if (finish > fru->size) {
++ memset(frubuf + fru->size, 0, length - fru->size);
+ finish = fru->size;
+ lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ "Adjusting to %d",
+ offset + length, finish - offset);
++ length = finish - offset;
+ }
+
+ memset(&req, 0, sizeof(req));
+@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ if (fru->access && fru_data_rqst_size > 16)
+ #endif
+ fru_data_rqst_size = 16;
++
++ size_left_in_buffer = length;
+ do {
+ tmp = fru->access ? off >> 1 : off;
+ msg_data[0] = id;
+@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ }
+
+ tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++ if(rsp->data_len < 1
++ || tmp > rsp->data_len - 1
++ || tmp > size_left_in_buffer)
++ {
++ printf(" Not enough buffer size");
++ return -1;
++ }
+ memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
+ off += tmp;
++ size_left_in_buffer -= tmp;
+
+ /* sometimes the size returned in the Info command
+ * is too large. return 0 so higher level function
+@@ -3033,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru)
+ return 0;
+
+ memset(desc, 0, sizeof(desc));
+- memcpy(desc, fru->id_string, fru->id_code & 0x01f);
++ memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc)));
+ desc[fru->id_code & 0x01f] = 0;
+ printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id);
+
+diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c
+index 65d881b..022c7f1 100644
+--- a/lib/ipmi_lanp.c
++++ b/lib/ipmi_lanp.c
+@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ /* set new ipaddr */
+ memcpy(data+3, temp, 4);
+ printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert,
+@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ /* set new macaddr */
+ memcpy(data+7, temp, 6);
+ printf("Setting LAN Alert %d MAC Address to "
+@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (strncasecmp(argv[1], "def", 3) == 0 ||
+ strncasecmp(argv[1], "default", 7) == 0) {
+@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (strncasecmp(argv[1], "on", 2) == 0 ||
+ strncasecmp(argv[1], "yes", 3) == 0) {
+@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (strncasecmp(argv[1], "pet", 3) == 0) {
+ printf("Setting LAN Alert %d destination to PET Trap\n", alert);
+@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (str2uchar(argv[1], &data[2]) != 0) {
+ lprintf(LOG_ERR, "Invalid time: %s", argv[1]);
+@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ if (p == NULL) {
+ return (-1);
+ }
+- memcpy(data, p->data, p->data_len);
++ memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+
+ if (str2uchar(argv[1], &data[3]) != 0) {
+ lprintf(LOG_ERR, "Invalid retry: %s", argv[1]);
+diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c
+index 0f6faab..9890132 100644
+--- a/lib/ipmi_sdr.c
++++ b/lib/ipmi_sdr.c
+@@ -2086,7 +2086,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf,
+ return -1;
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string);
+
+ if (verbose) {
+ printf("Sensor ID : %s (0x%x)\n",
+@@ -2137,7 +2137,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf,
+ return -1;
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string);
+
+ if (verbose == 0) {
+ if (csv_output)
+@@ -2230,7 +2230,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf,
+ char desc[17];
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string);
+
+ if (!verbose) {
+ if (csv_output)
+@@ -2287,7 +2287,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf,
+ char desc[17];
+
+ memset(desc, 0, sizeof (desc));
+- snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string);
++ snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string);
+
+ if (!verbose) {
+ if (csv_output)
+@@ -2491,35 +2491,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf, uint16_t id,
+
+ int rc =0;
+ char desc[17];
++ const char *id_string;
++ uint8_t id_code;
+ memset(desc, ' ', sizeof (desc));
+
+ switch ( type) {
+ case SDR_RECORD_TYPE_FULL_SENSOR:
+ record.full = (struct sdr_record_full_sensor *) raw;
+- snprintf(desc, (record.full->id_code & 0x1f) +1, "%s",
+- (const char *)record.full->id_string);
++ id_code = record.full->id_code;
++ id_string = record.full->id_string;
+ break;
++
+ case SDR_RECORD_TYPE_COMPACT_SENSOR:
+ record.compact = (struct sdr_record_compact_sensor *) raw ;
+- snprintf(desc, (record.compact->id_code & 0x1f) +1, "%s",
+- (const char *)record.compact->id_string);
++ id_code = record.compact->id_code;
++ id_string = record.compact->id_string;
+ break;
++
+ case SDR_RECORD_TYPE_EVENTONLY_SENSOR:
+ record.eventonly = (struct sdr_record_eventonly_sensor *) raw ;
+- snprintf(desc, (record.eventonly->id_code & 0x1f) +1, "%s",
+- (const char *)record.eventonly->id_string);
+- break;
++ id_code = record.eventonly->id_code;
++ id_string = record.eventonly->id_string;
++ break;
++
+ case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR:
+ record.mcloc = (struct sdr_record_mc_locator *) raw ;
+- snprintf(desc, (record.mcloc->id_code & 0x1f) +1, "%s",
+- (const char *)record.mcloc->id_string);
++ id_code = record.mcloc->id_code;
++ id_string = record.mcloc->id_string;
+ break;
++
+ default:
+ rc = -1;
+- break;
+- }
++ }
++ if (!rc) {
++ snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string);
++ }
+
+- lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
++ lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
+ return rc;
+ }
+
+diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
+index 141f0f4..b9af1fd 100644
+--- a/lib/ipmi_session.c
++++ b/lib/ipmi_session.c
+@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
+ }
+ else
+ {
+- memcpy(&session_info, rsp->data, rsp->data_len);
+- print_session_info(&session_info, rsp->data_len);
++ memcpy(&session_info, rsp->data,
++ __min(rsp->data_len, sizeof(session_info)));
++ print_session_info(&session_info,
++ __min(rsp->data_len, sizeof(session_info)));
+ }
+ break;
+
+@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf * intf,
+ break;
+ }
+
+- memcpy(&session_info, rsp->data, rsp->data_len);
+- print_session_info(&session_info, rsp->data_len);
++ memcpy(&session_info, rsp->data,
++ __min(rsp->data_len, sizeof(session_info)));
++ print_session_info(&session_info,
++ __min(rsp->data_len, sizeof(session_info)));
+
+ } while (i <= session_info.session_slot_count);
+ break;
+--
+2.20.1
+