From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 22309 invoked by alias); 12 Feb 2009 10:14:48 -0000 Received: (qmail 22302 invoked by alias); 12 Feb 2009 10:14:48 -0000 X-SWARE-Spam-Status: No, hits=0.0 required=5.0 tests=AWL,BAYES_00,J_CHICKENPOX_43,J_CHICKENPOX_62,J_CHICKENPOX_64,J_CHICKENPOX_73,J_CHICKENPOX_83,SPF_HELO_PASS X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL,BAYES_00,J_CHICKENPOX_43,J_CHICKENPOX_62,J_CHICKENPOX_64,J_CHICKENPOX_73,J_CHICKENPOX_83,SPF_HELO_PASS X-Spam-Check-By: sourceware.org X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bastion.fedora.phx.redhat.com Subject: cluster: RHEL5 - fence: fix IPMI over lan to support ciphersuite select To: cluster-cvs-relay@redhat.com X-Project: Cluster Project X-Git-Module: cluster.git X-Git-Refname: refs/heads/RHEL5 X-Git-Reftype: branch X-Git-Oldrev: 80f30cbbff2e5802b96f8b00f12a78d77d8f9644 X-Git-Newrev: bf90935cc54ded61220a81fb9cb949bfa12b001f 
From: Jan Friesse Message-Id: <20090212101424.3529F1201DC@lists.fedorahosted.org> Date: Thu, 12 Feb 2009 10:14:00 -0000 X-Scanned-By: MIMEDefang 2.58 on 172.16.52.254 Mailing-List: contact cluster-cvs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: cluster-cvs-owner@sourceware.org X-SW-Source: 2009-q1/txt/msg00442.txt.bz2 Gitweb: http://git.fedorahosted.org/git/cluster.git?p=cluster.git;a=commitdiff;h=bf90935cc54ded61220a81fb9cb949bfa12b001f Commit: bf90935cc54ded61220a81fb9cb949bfa12b001f Parent: 80f30cbbff2e5802b96f8b00f12a78d77d8f9644 Author: Jan Friesse AuthorDate: Thu Feb 12 11:03:01 2009 +0100 Committer: Jan Friesse CommitterDate: Thu Feb 12 11:03:01 2009 +0100 fence: fix IPMI over lan to support ciphersuite select If user select lanplus as IPMI protocol, ipmitool automatically select cipher type 3. This patch add possibility to select another type of cipher. New -C parameter is directly passed as -C parameter to ipmitool. rhbz#447497
---
 fence/agents/ipmilan/ipmilan.c | 47 +++++++++++++++++++++++++++++++++++---
 fence/man/fence_ipmilan.8 | 12 +++++++++-
 2 files changed, 53 insertions(+), 6 deletions(-)
diff --git a/fence/agents/ipmilan/ipmilan.c b/fence/agents/ipmilan/ipmilan.c
index 2beb15a..a7e30c5 100644
--- a/fence/agents/ipmilan/ipmilan.c
+++ b/fence/agents/ipmilan/ipmilan.c
@@ -96,6 +96,7 @@ struct ipmi {
 int i_verbose;
 int i_lanplus;
 int i_timeout;
+ int i_cipher;
 };
@@ -114,10 +115,14 @@ const char *ipmitool_paths[] = {
 };
+#define ECIPHER 2048
+
 static struct Etoken power_on_complete[] = {
 {"Password:", EPERM, 0},
 {"Unable to establish LAN", EAGAIN, 0}, /* Retry */
 {"IPMI mutex", EFAULT, 0}, /* Death */
+ {"Unsupported cipher suite ID", ECIPHER,0},
+ {"read_rakp2_message: no support for", ECIPHER,0},
 {"Up/On", 0, 0},
 {NULL, 0, 0}
 };
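Review bot: `ECIPHER` is defined as 2048 and used alongside real errno codes (`EPERM`, `EAGAIN`, `EFAULT`) in the token tables, and a value that large does not survive as a process exit status: only the low 8 bits are kept, so 2048 would be reported as 0. The callers of ipmi_op() are outside this patch, so this needs confirming, but if the return code is ever passed to exit() or returned from main(), a cipher negotiation failure would look like a successful fence operation. A private code below 256 that does not collide with the errno values in use, documented with a comment such as `/* private code: ipmitool rejected the cipher suite; not an errno */`, would avoid that.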
@@ -126,6 +131,8 @@ static struct Etoken power_off_complete[] = {
 {"Password:", EPERM, 0},
 {"Unable to establish LAN", EAGAIN, 0}, /* Retry */
 {"IPMI mutex", EFAULT, 0}, /* Death */
+ {"Unsupported cipher suite ID", ECIPHER,0},
+ {"read_rakp2_message: no support for", ECIPHER,0},
 {"Down/Off", 0, 0},
 {NULL, 0, 0}
 };
@@ -137,6 +144,8 @@ static struct Etoken power_status[] = {
 {"Password:", EPERM, 0},
 {"Unable to establish LAN", EAGAIN, 0}, /* Retry */
 {"IPMI mutex", EFAULT, 0}, /* Death */
+ {"Unsupported cipher suite ID", ECIPHER,0},
+ {"read_rakp2_message: no support for", ECIPHER,0},
 {"Chassis Power is off", STATE_OFF, 0},
 {"Chassis Power is on", STATE_ON, 0},
 {NULL, 0, 0}
@@ -237,6 +246,11 @@ build_cmd(char *command, size_t cmdlen, struct ipmi *ipmi, int op)
 strncat(cmd, arg, sizeof(cmd) - strlen(arg));
 }
+ if (ipmi->i_cipher>=0) {
+ snprintf(arg, sizeof(arg), " -C %d", ipmi->i_cipher);
+ strncat(cmd, arg, sizeof(cmd) - strlen(arg));
+ }
+
 if (ipmi->i_password) {
 snprintf(arg, sizeof(arg), " -P %s", str_prepare_for_sh(tmp,ipmi->i_password,sizeof(tmp)));
 strncat(cmd, arg, sizeof(cmd) - strlen(arg));
@@ -367,6 +381,12 @@ ipmi_op(struct ipmi *ipmi, int op, struct Etoken *toklist)
 return ret;
 }
+ if (ret == ECIPHER) {
+ log(LOG_CRIT, "ipmilan: ipmitool failed to operate "
+ "with ciphersuite %d; unable to complete operation\n",ipmi->i_cipher);
+ return ret;
+ }
+
 if (ret == ETIMEDOUT) {
 /*!!! Still couldn't get through?! */
 log(LOG_WARNING,
@@ -491,7 +511,8 @@ ipmi_destroy(struct ipmi *i)
 */
 static struct ipmi *
 ipmi_init(struct ipmi *i, char *host, char *authtype,
- char *user, char *password, int lanplus, int verbose,int timeout)
+ char *user, char *password, int lanplus, int verbose,int timeout,
+ int cipher)
 {
 const char *p;
@@ -563,6 +584,7 @@ ipmi_init(struct ipmi *i, char *host, char *authtype,
 i->i_verbose = verbose;
 i->i_lanplus = lanplus;
 i->i_timeout = timeout;
+ i->i_cipher = cipher;
 return i;
 }
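Review bot: The new `-C` block in build_cmd() copies the surrounding `strncat(cmd, arg, sizeof(cmd) - strlen(arg))` pattern, whose bound is computed from the length of the piece being appended rather than from the space left in `cmd`. strncat's third argument limits how many bytes are taken from `arg`, so once `cmd` is close to full this call can write past its end. The remaining space is what should be passed: `strncat(cmd, arg, sizeof(cmd) - strlen(cmd) - 1);`, and the same applies to the existing calls visible as context. The cipher value itself is formatted with `%d`, so it adds no shell metacharacters to the command string. build_cmd() starts and ends outside the hunk, so the declared size of `cmd` is not visible here.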
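Review bot: The ECIPHER branch added to ipmi_op() always prints `ipmi->i_cipher`, which is -1 when no cipher was configured (main() initialises `cipher=-1`), so a rejection of ipmitool's default suite is logged as "ciphersuite -1". The message should distinguish the two cases, for example by logging "default ciphersuite" when `ipmi->i_cipher < 0`, so an operator can tell whether the BMC refused a suite they selected or the default one. The rest of ipmi_op() lies outside the hunk.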
@@ -847,7 +869,8 @@ get_options_stdin(char *ip, size_t iplen,
 char *pwd_script, size_t pwd_script_len, char *user, size_t userlen, char *op, size_t oplen,
- int *lanplus, int *verbose,int *timeout)
+ int *lanplus, int *verbose,int *timeout,
+ int *cipher)
 {
 char in[256];
 int line = 0;
@@ -913,6 +936,10 @@ get_options_stdin(char *ip, size_t iplen,
 if ((sscanf(val,"%d",timeout)!=1) || *timeout<1) {
 *timeout=DEFAULT_TIMEOUT;
 }
+ } else if (!strcasecmp(name,"cipher")) {
+ if ((sscanf(val,"%d",cipher)!=1) || *cipher<0) {
+ *cipher=-1;
+ }
 } else if (!strcasecmp(name, "option") || !strcasecmp(name, "operation") || !strcasecmp(name, "action")) {
@@ -953,6 +980,7 @@ printf(" -l Username/Login (if required) to control power\n"
 printf(" -o Operation to perform.\n");
 printf(" Valid operations: on, off, reboot, status\n");
 printf(" -t Timeout (sec) for IPMI operation (default %d)\n",DEFAULT_TIMEOUT);
+printf(" -C Ciphersuite to use (same as ipmitool -C parameter)\n");
 printf(" -V Print version and exit\n");
 printf(" -v Verbose mode\n\n");
 printf("If no options are specified, the following options will be read\n");
@@ -967,6 +995,7 @@ printf(" option= Same as -o\n");
 printf(" operation= Same as -o\n");
 printf(" action= Same as -o\n");
 printf(" timeout= Same as -t\n");
+printf(" cipher= Same as -C\n");
 printf(" verbose Same as -v\n\n");
 exit(1);
 }
@@ -988,6 +1017,7 @@ main(int argc, char **argv)
 char *pname = basename(argv[0]);
 struct ipmi *i;
 int timeout=DEFAULT_TIMEOUT;
+ int cipher=-1;
 memset(ip, 0, sizeof(ip));
 memset(authtype, 0, sizeof(authtype));
@@ -999,7 +1029,7 @@ main(int argc, char **argv)
 /* Parse command line options if any were specified */
- while ((opt = getopt(argc, argv, "A:a:i:l:p:S:Po:vV?hHt:")) != EOF) {
+ while ((opt = getopt(argc, argv, "A:a:i:l:p:S:Po:vV?hHt:C:")) != EOF) {
 switch(opt) {
 case 'A': /* Auth type */
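Review bot: The `cipher` branch added to get_options_stdin() silently turns an unparsable or negative value into -1, so build_cmd() omits `-C` and ipmitool uses its default suite, whereas the same mistake on the command line ends in fail_exit(). A typo in the cluster configuration therefore changes how the IPMI session is protected without leaving any trace; the fallback should at least be logged, or the value rejected as on the command-line path. `sscanf(val,"%d",cipher)` also accepts trailing garbage such as `3x` and has no defined result for out-of-range numbers; `strtol` with an end-pointer and `errno` check would reject both, and the same applies to the `case 'C':` parsing added in main(). The enclosing function starts and ends outside the hunk.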
@@ -1035,6 +1065,12 @@ main(int argc, char **argv)
 fail_exit("Timeout option expects positive number parameter");
 }
 break;
+ case 'C':
+ /* Ciphersuite */
+ if ((sscanf(optarg,"%d",&cipher)!=1) || cipher<0) {
+ fail_exit("Ciphersuite option expects positive number parameter");
+ }
+ break;
 case 'v':
 verbose++;
 break;
@@ -1058,7 +1094,8 @@ main(int argc, char **argv)
 passwd, sizeof(passwd), pwd_script, sizeof(pwd_script), user, sizeof(user),
- op, sizeof(op), &lanplus, &verbose,&timeout) != 0)
+ op, sizeof(op), &lanplus, &verbose,&timeout,
+ &cipher) != 0)
 return 1;
 }
@@ -1108,7 +1145,7 @@ main(int argc, char **argv)
 /* Ok, set up the IPMI struct */
- i = ipmi_init(NULL, ip, authtype, user, passwd, lanplus, verbose, timeout);
+ i = ipmi_init(NULL, ip, authtype, user, passwd, lanplus, verbose, timeout, cipher);
 if (!i) fail_exit("Failed to initialize\n");
diff --git a/fence/man/fence_ipmilan.8 b/fence/man/fence_ipmilan.8
index 822b827..588a41c 100644
--- a/fence/man/fence_ipmilan.8
+++ b/fence/man/fence_ipmilan.8
@@ -48,6 +48,11 @@ Use the lanplus option if this is a lanplus capable interface (for example iLo2)
 \fB-A\fP \fIAuthentication Type\fP
 Can be set to none, password, md2, or md5.
 .TP
+\fB-C\fP \fICiphersuite Type\fP
+If you are using lanplus, this option avails you to define type of ciphersuite to
+use. Standard is 3 (defined if you just use lanplus). For more information please
+refer ipmitool man page (option -C).
+.TP
 \fB-t\fP \fItimeout\fP
 Timeout in seconds for IPMI operation. Default is 10, but in some cases it must be set to higher value (anything above 30 is not recommended and may
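Review bot: The `case 'C':` branch added to main() rejects only negative values, so `-C 0` is accepted although the error text says a positive number is expected, and no upper bound is applied. In IPMI 2.0, cipher suite 0 selects no authentication, integrity or confidentiality, so accepting it silently lets a configuration strip all protection from the fencing session. Consider rejecting 0 unless it is explicitly allowed, or at least logging a warning when it is chosen, and wording the message as `"Ciphersuite option expects a non-negative number"`. The `cipher=` handling in get_options_stdin() accepts 0 in the same way.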
@@ -84,8 +89,13 @@ Timeout in seconds for IPMI operation. Default is 10, but in some cases it must be set to higher value (anything above 30 is not recommended and may cause strange problems).
 .TP
+\fIcipher = < param >\fR
+If you are using lanplus, this option avails you to define type of ciphersuite to
+use. Standard is 3 (defined if you just use lanplus). For more information please
+refer ipmitool man page (option -C).
+.TP
 \fIlanplus\fR
 If we are using the lanplus option for ipmitool
 .SH SEE ALSO
-fence(8), fence_node(8)
+fence(8), fence_node(8), ipmitool(1)