1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
|
#pragma once
#include <array>
#include <cstdint>
#include <vector>
namespace cipher
{
namespace crypt
{
/**
* @enum Confidentiality Algorithms
*
* The Confidentiality Algorithm Number specifies the encryption/decryption
* algorithm field that is used for encrypted payload data under the session.
* The ‘encrypted’ bit in the payload type field being set identifies packets
* with payloads that include data that is encrypted per this specification.
* When payload data is encrypted, there may be additional “Confidentiality
* Header” and/or “Confidentiality Trailer” fields that are included within the
* payload. The size and definition of those fields is specific to the
* particular confidentiality algorithm. Based on security recommendations
* encrypting IPMI traffic is preferred, so NONE is not supported.
*/
enum class Algorithms : uint8_t
{
NONE, /**< No encryption (mandatory , not supported) */
AES_CBC_128, /**< AES-CBC-128 Algorithm (mandatory option) */
xRC4_128, /**< xRC4-128 Algorithm (optional option) */
xRC4_40, /**< xRC4-40 Algorithm (optional option) */
};
/**
* @class Interface
*
* Interface is the base class for the Confidentiality Algorithms.
*/
class Interface
{
public:
/**
* @brief Constructor for Interface
*/
explicit Interface(const std::vector<uint8_t>& k2) : k2(k2)
{
}
Interface() = delete;
virtual ~Interface() = default;
Interface(const Interface&) = default;
Interface& operator=(const Interface&) = default;
Interface(Interface&&) = default;
Interface& operator=(Interface&&) = default;
/**
* @brief Decrypt the incoming payload
*
* @param[in] packet - Incoming IPMI packet
* @param[in] sessHeaderLen - Length of the IPMI Session Header
* @param[in] payloadLen - Length of the encrypted IPMI payload
*
* @return decrypted payload if the operation is successful
*/
virtual std::vector<uint8_t>
decryptPayload(const std::vector<uint8_t>& packet,
const size_t sessHeaderLen,
const size_t payloadLen) const = 0;
/**
* @brief Encrypt the outgoing payload
*
* @param[in] payload - plain payload for the outgoing IPMI packet
*
* @return encrypted payload if the operation is successful
*
*/
virtual std::vector<uint8_t>
encryptPayload(std::vector<uint8_t>& payload) const = 0;
/**
* @brief Check if the Confidentiality algorithm is supported
*
* @param[in] algo - confidentiality algorithm
*
* @return true if algorithm is supported else false
*
*/
static bool isAlgorithmSupported(Algorithms algo)
{
if (algo == Algorithms::AES_CBC_128)
{
return true;
}
else
{
return false;
}
}
protected:
/**
* @brief The Cipher Key is the first 128-bits of key “K2”, K2 is
* generated by processing a pre-defined constant keyed by Session
* Integrity Key (SIK) that was created during session activation.
*/
std::vector<uint8_t> k2;
};
/**
* @class AlgoAES128
*
* @brief Implementation of the AES-CBC-128 Confidentiality algorithm
*
* AES-128 uses a 128-bit Cipher Key. The Cipher Key is the first 128-bits of
* key “K2”.Once the Cipher Key has been generated it is used to encrypt
* the payload data. The payload data is padded to make it an integral numbers
* of blocks in length (a block is 16 bytes for AES). The payload is then
* encrypted one block at a time from the lowest data offset to the highest
* using Cipher_Key as specified in AES.
*/
class AlgoAES128 final : public Interface
{
public:
static constexpr size_t AESCBC128ConfHeader = 16;
static constexpr size_t AESCBC128BlockSize = 16;
/**
* If confidentiality bytes are present, the value of the first byte is
* one (01h). and all subsequent bytes shall have a monotonically
* increasing value (e.g., 02h, 03h, 04h, etc). The receiver, as an
* additional check for proper decryption, shall check the value of each
* byte of Confidentiality Pad. For AES algorithm, the pad bytes will
* range from 0 to 15 bytes. This predefined array would help in
* doing the additional check.
*/
static constexpr std::array<uint8_t, AESCBC128BlockSize - 1> confPadBytes =
{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F};
/**
* @brief Constructor for AlgoAES128
*
* @param[in] - Session Integrity key
*/
explicit AlgoAES128(const std::vector<uint8_t>& k2) : Interface(k2)
{
}
AlgoAES128() = delete;
~AlgoAES128() = default;
AlgoAES128(const AlgoAES128&) = default;
AlgoAES128& operator=(const AlgoAES128&) = default;
AlgoAES128(AlgoAES128&&) = default;
AlgoAES128& operator=(AlgoAES128&&) = default;
/**
* @brief Decrypt the incoming payload
*
* @param[in] packet - Incoming IPMI packet
* @param[in] sessHeaderLen - Length of the IPMI Session Header
* @param[in] payloadLen - Length of the encrypted IPMI payload
*
* @return decrypted payload if the operation is successful
*/
std::vector<uint8_t> decryptPayload(const std::vector<uint8_t>& packet,
const size_t sessHeaderLen,
const size_t payloadLen) const override;
/**
* @brief Encrypt the outgoing payload
*
* @param[in] payload - plain payload for the outgoing IPMI packet
*
* @return encrypted payload if the operation is successful
*
*/
std::vector<uint8_t>
encryptPayload(std::vector<uint8_t>& payload) const override;
private:
/**
* @brief Decrypt the passed data
*
* @param[in] iv - Initialization vector
* @param[in] input - Pointer to input data
* @param[in] inputLen - Length of input data
*
* @return decrypted data if the operation is successful
*/
std::vector<uint8_t> decryptData(const uint8_t* iv, const uint8_t* input,
const int inputLen) const;
/**
* @brief Encrypt the passed data
*
* @param[in] input - Pointer to input data
* @param[in] inputLen - Length of input data
*
* @return encrypted data if the operation is successful
*/
std::vector<uint8_t> encryptData(const uint8_t* input,
const int inputLen) const;
};
} // namespace crypt
} // namespace cipher
|
