Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bios-settings-mgr / 616f9228daa5b94447c3c9d519b63f1686e751f5 / . / src / password.cpp
blob: f780cc50fa0d6acfe5d4bf21717cc736666e3efa [file] [log] [blame]
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]1/*
2// Copyright (c) 2020 Intel Corporation
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15*/
16#include "password.hpp"
17
18#include "xyz/openbmc_project/BIOSConfig/Common/error.hpp"
19#include "xyz/openbmc_project/Common/error.hpp"
20
21#include <boost/algorithm/hex.hpp>
22#include <boost/asio.hpp>
23#include <phosphor-logging/elog-errors.hpp>
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]24#include <phosphor-logging/lg2.hpp>
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]25#include <sdbusplus/asio/connection.hpp>
26#include <sdbusplus/asio/object_server.hpp>
27
28#include <fstream>
29#include <iostream>
30
31namespace bios_config_pwd
32{
33using namespace sdbusplus::xyz::openbmc_project::Common::Error;
34using namespace sdbusplus::xyz::openbmc_project::BIOSConfig::Common::Error;
35
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]36bool Password::isMatch(const std::array<uint8_t, maxHashSize>& expected,
37 const std::array<uint8_t, maxSeedSize>& seed,
George Liu616f9222021-12-29 14:25:39 +0800[diff] [blame^]38 const std::string& rawData, const std::string& algo)
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]39{
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]40 lg2::error("isMatch");
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]41
42 if (algo == "SHA256")
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]43 {
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]44 std::vector<uint8_t> output(SHA256_DIGEST_LENGTH);
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]45 unsigned int hashLen = SHA256_DIGEST_LENGTH;
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]46
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]47 if (!PKCS5_PBKDF2_HMAC(
48 reinterpret_cast<const char*>(rawData.c_str()),
49 rawData.length() + 1,
50 reinterpret_cast<const unsigned char*>(seed.data()),
51 seed.size(), iterValue, EVP_sha256(), hashLen, output.data()))
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]52 {
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]53 lg2::error(
54 "Generate PKCS5_PBKDF2_HMAC_SHA256 Integrity Check Value failed");
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]55 throw InternalFailure();
56 }
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]57
58 int cmp;
59 cmp = std::memcmp(output.data(), expected.data(),
60 output.size() * sizeof(uint8_t));
61 if (cmp == 0)
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]62 {
63 return true;
64 }
65 else
66 {
67 return false;
68 }
69 }
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]70 if (algo == "SHA384")
71 {
72 std::array<uint8_t, SHA384_DIGEST_LENGTH> output;
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]73 unsigned int hashLen = SHA384_DIGEST_LENGTH;
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]74
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]75 if (!PKCS5_PBKDF2_HMAC(
76 reinterpret_cast<const char*>(rawData.c_str()),
77 rawData.length() + 1,
78 reinterpret_cast<const unsigned char*>(seed.data()),
79 seed.size(), iterValue, EVP_sha384(), hashLen, output.data()))
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]80 {
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]81 lg2::error(
82 "Generate PKCS5_PBKDF2_HMAC_SHA384 Integrity Check Value failed");
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]83 throw InternalFailure();
84 }
85
86 int cmp;
87 cmp = std::memcmp(output.data(), expected.data(),
88 output.size() * sizeof(uint8_t));
89 if (cmp == 0)
90 {
91 return true;
92 }
93 else
94 {
95 return false;
96 }
97 }
98
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]99 return false;
100}
101
102void Password::verifyPassword(std::string userName, std::string currentPassword,
103 std::string newPassword)
104{
105 if (fs::exists(seedFile.c_str()))
106 {
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]107 std::array<uint8_t, maxHashSize> orgUsrPwdHash;
108 std::array<uint8_t, maxHashSize> orgAdminPwdHash;
109 std::array<uint8_t, maxSeedSize> seed;
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]110 std::string hashAlgo = "";
111 try
112 {
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]113 nlohmann::json json = nullptr;
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]114 std::ifstream ifs(seedFile.c_str());
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]115 if (ifs.is_open())
116 {
117 try
118 {
119 json = nlohmann::json::parse(ifs, nullptr, false);
120 }
121 catch (const nlohmann::json::parse_error& e)
122 {
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]123 lg2::error("Failed to parse JSON file: {ERROR}", "ERROR",
124 e);
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]125 throw InternalFailure();
126 }
127
128 if (json.is_discarded())
129 {
130 return;
131 }
132 orgUsrPwdHash = json["UserPwdHash"];
133 orgAdminPwdHash = json["AdminPwdHash"];
134 seed = json["Seed"];
135 hashAlgo = json["HashAlgo"];
136 }
137 else
138 {
139 return;
140 }
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]141 }
142 catch (nlohmann::detail::exception& e)
143 {
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]144 lg2::error("Failed to parse JSON file: {ERROR}", "ERROR", e);
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]145 throw InternalFailure();
146 }
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]147 if (userName == "AdminPassword")
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]148 {
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]149 if (!isMatch(orgAdminPwdHash, seed, currentPassword, hashAlgo))
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]150 {
151 throw InvalidCurrentPassword();
152 }
153 }
154 else
155 {
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]156 if (!isMatch(orgUsrPwdHash, seed, currentPassword, hashAlgo))
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]157 {
158 throw InvalidCurrentPassword();
159 }
160 }
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]161 if (hashAlgo == "SHA256")
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]162 {
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]163 unsigned int mdLen = 32;
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]164 mNewPwdHash.fill(0);
165
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]166 if (!PKCS5_PBKDF2_HMAC(
167 reinterpret_cast<const char*>(newPassword.c_str()),
168 newPassword.length() + 1,
169 reinterpret_cast<const unsigned char*>(seed.data()),
170 seed.size(), iterValue, EVP_sha256(), mdLen,
171 mNewPwdHash.data()))
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]172 {
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]173 lg2::error(
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]174 "Verify PKCS5_PBKDF2_HMAC_SHA256 Integrity Check failed");
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]175 throw InternalFailure();
176 }
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]177 }
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]178 if (hashAlgo == "SHA384")
179 {
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]180 unsigned int mdLen = 48;
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]181 mNewPwdHash.fill(0);
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]182
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]183 if (!PKCS5_PBKDF2_HMAC(
184 reinterpret_cast<const char*>(newPassword.c_str()),
185 newPassword.length() + 1,
186 reinterpret_cast<const unsigned char*>(seed.data()),
187 seed.size(), iterValue, EVP_sha384(), mdLen,
188 mNewPwdHash.data()))
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]189 {
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]190 lg2::error(
Snehalatha Venkatesh2f7ba732021-09-30 10:25:32 +0000[diff] [blame]191 "Verify PKCS5_PBKDF2_HMAC_SHA384 Integrity Check failed");
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]192 throw InternalFailure();
193 }
194 }
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]195 return;
196 }
197 throw InternalFailure();
198}
199void Password::changePassword(std::string userName, std::string currentPassword,
200 std::string newPassword)
201{
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]202 lg2::debug("BIOS config changePassword");
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]203 verifyPassword(userName, currentPassword, newPassword);
204
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]205 std::ifstream fs(seedFile.c_str());
206 nlohmann::json json = nullptr;
207
208 if (fs.is_open())
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]209 {
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]210 try
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]211 {
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]212 json = nlohmann::json::parse(fs, nullptr, false);
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]213 }
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]214 catch (const nlohmann::json::parse_error& e)
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]215 {
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]216 lg2::error("Failed to parse JSON file: {ERROR}", "ERROR", e);
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]217 throw InternalFailure();
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]218 }
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]219
220 if (json.is_discarded())
221 {
222 throw InternalFailure();
223 }
224 json["AdminPwdHash"] = mNewPwdHash;
225 json["IsAdminPwdChanged"] = true;
226
227 std::ofstream ofs(seedFile.c_str(), std::ios::out);
228 const auto& writeData = json.dump();
229 ofs << writeData;
230 ofs.close();
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]231 }
Ayushi Smriti96e72ec2021-05-20 13:44:12 +0530[diff] [blame]232 else
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]233 {
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]234 lg2::debug("Cannot open file stream");
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]235 throw InternalFailure();
236 }
237}
238Password::Password(sdbusplus::asio::object_server& objectServer,
239 std::shared_ptr<sdbusplus::asio::connection>& systemBus) :
240 sdbusplus::xyz::openbmc_project::BIOSConfig::server::Password(
241 *systemBus, objectPathPwd),
242 objServer(objectServer), systemBus(systemBus)
243{
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]244 lg2::debug("BIOS config password is runing");
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]245 try
246 {
247 fs::path biosDir(BIOS_PERSIST_PATH);
248 fs::create_directories(biosDir);
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]249 seedFile = biosDir / biosSeedFile;
250 }
251 catch (const fs::filesystem_error& e)
252 {
George Liu567a3cf2021-12-08 10:36:03 +0800[diff] [blame]253 lg2::error("Failed to parse JSON file: {ERROR}", "ERROR", e);
Kuiying Wang8f706212020-12-16 18:59:24 +0800[diff] [blame]254 throw InternalFailure();
255 }
256}
257
258} // namespace bios_config_pwd
259
260int main()
261{
262 boost::asio::io_service io;
263 auto systemBus = std::make_shared<sdbusplus::asio::connection>(io);
264
265 systemBus->request_name(bios_config_pwd::servicePwd);
266 sdbusplus::asio::object_server objectServer(systemBus);
267 bios_config_pwd::Password password(objectServer, systemBus);
268
269 io.run();
270 return 0;
271}