diff options
author | Tom Joseph <tomjoseph@in.ibm.com> | 2016-08-05 07:13:07 -0500 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2016-11-21 20:00:02 +0000 |
commit | 8c0446c102646b7ba8622594f5b1b808c88a9077 (patch) | |
tree | ab43e61979abdaf2b884c4a7236cfd746ea00942 /auth_algo.hpp | |
parent | aaeb29e3ee61064e40aee935d952faef89c589a5 (diff) | |
download | phosphor-net-ipmid-8c0446c102646b7ba8622594f5b1b808c88a9077.tar.gz phosphor-net-ipmid-8c0446c102646b7ba8622594f5b1b808c88a9077.zip |
Implemenation of the RAKP Authentication Algorithms
This patch contains the implementation of the RAKP-HMAC_SHA1 algorithm
for Authentication.OpenSSL is used for the HMAC operation.
Change-Id: I7e926aca9010443939e32f476c37ac1481cd2476
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
Diffstat (limited to 'auth_algo.hpp')
-rw-r--r-- | auth_algo.hpp | 132 |
1 files changed, 132 insertions, 0 deletions
diff --git a/auth_algo.hpp b/auth_algo.hpp new file mode 100644 index 0000000..a905778 --- /dev/null +++ b/auth_algo.hpp @@ -0,0 +1,132 @@ +#pragma once + +#include <array> +#include <vector> + +namespace cipher +{ +namespace rakp_auth +{ + +constexpr size_t USER_KEY_MAX_LENGTH = 20; +constexpr size_t BMC_RANDOM_NUMBER_LEN = 16; +constexpr size_t REMOTE_CONSOLE_RANDOM_NUMBER_LEN = 16; + +/* + * @enum RAKP Authentication Algorithms + * + * RMCP+ Authenticated Key-Exchange Protocol (RAKP) + * + * RAKP-None is not supported as per the following recommendation + * (https://www.us-cert.gov/ncas/alerts/TA13-207A) + * ("cipher 0" is an option enabled by default on many IPMI enabled devices that + * allows authentication to be bypassed. Disable "cipher 0" to prevent + * attackers from bypassing authentication and sending arbitrary IPMI commands.) + */ +enum class Algorithms : uint8_t +{ + RAKP_NONE = 0, // Mandatory + RAKP_HMAC_SHA1, // Mandatory + RAKP_HMAC_MD5, // Optional + RAKP_HMAC_SHA256, // Optional + // Reserved used to indicate an invalid authentication algorithm + RAKP_HMAC_INVALID = 0xB0 +}; + +/* + * @class Interface + * + * Interface is the base class for the Authentication Algorithms. + * The Authentication Algorithm specifies the type of authentication “handshake” + * process that is used and identifies any particular variations of hashing or + * signature algorithm that is used as part of the process. + * + */ +class Interface +{ + public: + Interface() = default; + virtual ~Interface() = default; + Interface(const Interface&) = default; + Interface& operator=(const Interface&) = default; + Interface(Interface&&) = default; + Interface& operator=(Interface&&) = default; + + /* + * @brief Generate the Hash Message Authentication Code + * + * This API is invoked to generate the Key Exchange Authentication Code + * in the RAKP2 and RAKP4 sequence and for generating the Session + * Integrity Key. + * + * @param input message + * + * @return hash output + * + * @note The user key which is the secret key for the hash operation + * needs to be set before this operation. + */ + std::vector<uint8_t> virtual generateHMAC( + std::vector<uint8_t>& input) const = 0; + + /* + * @brief Generate the Integrity Check Value + * + * This API is invoked in the RAKP4 sequence for generating the + * Integrity Check Value. + * + * @param input message + * + * @return hash output + * + * @note The session integrity key which is the secret key for the + * hash operation needs to be set before this operation. + */ + std::vector<uint8_t> virtual generateICV( + std::vector<uint8_t>& input) const = 0; + + // User Key is hardcoded to PASSW0RD till the IPMI User account + // management is in place. + std::array<uint8_t, USER_KEY_MAX_LENGTH> userKey = {"PASSW0RD"}; + + // Managed System Random Number + std::array<uint8_t, BMC_RANDOM_NUMBER_LEN> bmcRandomNum; + + // Remote Console Random Number + std::array<uint8_t, REMOTE_CONSOLE_RANDOM_NUMBER_LEN> rcRandomNum; + + // Session Integrity Key + std::vector<uint8_t> sessionIntegrityKey; +}; + +/* + * @class AlgoSHA1 + * + * RAKP-HMAC-SHA1 specifies the use of RAKP messages for the key exchange + * portion of establishing the session, and that HMAC-SHA1 (per [RFC2104]) is + * used to create 20-byte Key Exchange Authentication Code fields in RAKP + * Message 2 and RAKP Message 3. HMAC-SHA1-96(per [RFC2404]) is used for + * generating a 12-byte Integrity Check Value field for RAKP Message 4. + */ + +class AlgoSHA1 : public Interface +{ + public: + AlgoSHA1() = default; + ~AlgoSHA1() = default; + AlgoSHA1(const AlgoSHA1&) = default; + AlgoSHA1& operator=(const AlgoSHA1&) = default; + AlgoSHA1(AlgoSHA1&&) = default; + AlgoSHA1& operator=(AlgoSHA1&&) = default; + + std::vector<uint8_t> generateHMAC(std::vector<uint8_t>& input) const + override; + + std::vector<uint8_t> generateICV(std::vector<uint8_t>& input) const + override; +}; + +}// namespace auth + +}// namespace cipher + |