blob: 7af38b9fb2ed34fe1b31841f1555c5477db9a67e [file] [log] [blame]
/*
// Copyright (c) 2018 Intel Corporation
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
*/
#include "usercommands.hpp"
#include "apphandler.hpp"
#include "channel_layer.hpp"
#include "user_layer.hpp"
#include <security/pam_appl.h>
#include <ipmid/api.hpp>
#include <phosphor-logging/log.hpp>
#include <regex>
namespace ipmi
{
using namespace phosphor::logging;
static constexpr uint8_t enableOperation = 0x00;
static constexpr uint8_t disableOperation = 0x01;
/** @brief implements the set user access command
* @param ctx - IPMI context pointer (for channel)
* @param channel - channel number
* @param ipmiEnabled - indicates ipmi messaging state
* @param linkAuthEnabled - indicates link authentication state
* @param accessCallback - indicates callback state
* @param bitsUpdate - indicates update request
* @param userId - user id
* @param reserved1 - skip 2 bits
* @param privilege - user privilege
* @param reserved2 - skip 4 bits
* @param sessionLimit - optional - unused for now
*
* @returns ipmi completion code
*/
ipmi::RspType<> ipmiSetUserAccess(ipmi::Context::ptr ctx, uint4_t channel,
uint1_t ipmiEnabled, uint1_t linkAuthEnabled,
uint1_t accessCallback, uint1_t bitsUpdate,
uint6_t userId, uint2_t reserved1,
uint4_t privilege, uint4_t reserved2,
std::optional<uint8_t> sessionLimit)
{
uint8_t sessLimit = sessionLimit.value_or(0);
if (reserved1 || reserved2 || sessLimit ||
!ipmiUserIsValidPrivilege(static_cast<uint8_t>(privilege)))
{
log<level::DEBUG>("Set user access - Invalid field in request");
return ipmi::responseInvalidFieldRequest();
}
uint8_t chNum =
convertCurrentChannelNum(static_cast<uint8_t>(channel), ctx->channel);
if (!isValidChannel(chNum))
{
log<level::DEBUG>("Set user access - Invalid channel request");
return ipmi::response(invalidChannel);
}
if (getChannelSessionSupport(chNum) == EChannelSessSupported::none)
{
log<level::DEBUG>("Set user access - No support on channel");
return ipmi::response(ccActionNotSupportedForChannel);
}
if (!ipmiUserIsValidUserId(static_cast<uint8_t>(userId)))
{
log<level::DEBUG>("Set user access - Parameter out of range");
return ipmi::responseParmOutOfRange();
}
PrivAccess privAccess = {0};
if (bitsUpdate)
{
privAccess.ipmiEnabled = static_cast<uint8_t>(ipmiEnabled);
privAccess.linkAuthEnabled = static_cast<uint8_t>(linkAuthEnabled);
privAccess.accessCallback = static_cast<uint8_t>(accessCallback);
}
privAccess.privilege = static_cast<uint8_t>(privilege);
return ipmi::response(
ipmiUserSetPrivilegeAccess(static_cast<uint8_t>(userId), chNum,
privAccess, static_cast<bool>(bitsUpdate)));
}
/** @brief implements the set user access command
* @param ctx - IPMI context pointer (for channel)
* @param channel - channel number
* @param reserved1 - skip 4 bits
* @param userId - user id
* @param reserved2 - skip 2 bits
*
* @returns ipmi completion code plus response data
* - maxChUsers - max channel users
* - reserved1 - skip 2 bits
* - enabledUsers - enabled users count
* - enabledStatus - enabled status
* - fixedUsers - fixed users count
* - reserved2 - skip 2 bits
* - privilege - user privilege
* - ipmiEnabled - ipmi messaging state
* - linkAuthEnabled - link authenticatin state
* - accessCallback - callback state
* - reserved - skip 1 bit
*/
ipmi::RspType<uint6_t, // max channel users
uint2_t, // reserved1
uint6_t, // enabled users count
uint2_t, // enabled status
uint6_t, // fixed users count
uint2_t, // reserved2
uint4_t, // privilege
uint1_t, // ipmi messaging state
uint1_t, // link authentication state
uint1_t, // access callback state
uint1_t // reserved3
>
ipmiGetUserAccess(ipmi::Context::ptr ctx, uint4_t channel,
uint4_t reserved1,
uint6_t userId, uint2_t reserved2)
{
uint8_t chNum =
convertCurrentChannelNum(static_cast<uint8_t>(channel), ctx->channel);
if (reserved1 || reserved2 || !isValidChannel(chNum))
{
log<level::DEBUG>("Get user access - Invalid field in request");
return ipmi::responseInvalidFieldRequest();
}
if (getChannelSessionSupport(chNum) == EChannelSessSupported::none)
{
log<level::DEBUG>("Get user access - No support on channel");
return ipmi::response(ccActionNotSupportedForChannel);
}
if (!ipmiUserIsValidUserId(static_cast<uint8_t>(userId)))
{
log<level::DEBUG>("Get user access - Parameter out of range");
return ipmi::responseParmOutOfRange();
}
uint8_t maxChUsers = 0, enabledUsers = 0, fixedUsers = 0;
ipmi::Cc retStatus;
retStatus = ipmiUserGetAllCounts(maxChUsers, enabledUsers, fixedUsers);
if (retStatus != ccSuccess)
{
return ipmi::response(retStatus);
}
bool enabledState = false;
retStatus =
ipmiUserCheckEnabled(static_cast<uint8_t>(userId), enabledState);
if (retStatus != ccSuccess)
{
return ipmi::response(retStatus);
}
uint2_t enabledStatus = enabledState ? userIdEnabledViaSetPassword
: userIdDisabledViaSetPassword;
PrivAccess privAccess{};
retStatus = ipmiUserGetPrivilegeAccess(static_cast<uint8_t>(userId), chNum,
privAccess);
if (retStatus != ccSuccess)
{
return ipmi::response(retStatus);
}
constexpr uint2_t res2Bits = 0;
return ipmi::responseSuccess(
static_cast<uint6_t>(maxChUsers), res2Bits,
static_cast<uint6_t>(enabledUsers), enabledStatus,
static_cast<uint6_t>(fixedUsers), res2Bits,
static_cast<uint4_t>(privAccess.privilege),
static_cast<uint1_t>(privAccess.ipmiEnabled),
static_cast<uint1_t>(privAccess.linkAuthEnabled),
static_cast<uint1_t>(privAccess.accessCallback),
static_cast<uint1_t>(privAccess.reserved));
}
/** @brief implementes the get user name command
* @param[in] ctx - ipmi command context
* @param[in] userId - 6-bit user ID
* @param[in] reserved - 2-bits reserved
* @param[in] name - 16-byte array for username
* @returns ipmi response
*/
ipmi::RspType<>
ipmiSetUserName(ipmi::Context::ptr ctx, uint6_t id, uint2_t reserved,
const std::array<uint8_t, ipmi::ipmiMaxUserName>& name)
{
if (reserved)
{
return ipmi::responseInvalidFieldRequest();
}
uint8_t userId = static_cast<uint8_t>(id);
if (!ipmiUserIsValidUserId(userId))
{
log<level::DEBUG>("Set user name - Invalid user id");
return ipmi::responseParmOutOfRange();
}
size_t nameLen = strnlen(reinterpret_cast<const char*>(name.data()),
ipmi::ipmiMaxUserName);
const std::string strUserName(reinterpret_cast<const char*>(name.data()),
nameLen);
ipmi::Cc res = ipmiUserSetUserName(userId, strUserName);
return ipmi::response(res);
}
/** @brief implementes the get user name command
* @param[in] ctx - ipmi command context
* @param[in] userId - 6-bit user ID
* @param[in] reserved - 2-bits reserved
* @returns ipmi response with 16-byte username
*/
ipmi::RspType<std::array<uint8_t, ipmi::ipmiMaxUserName>> // user name
ipmiGetUserName(ipmi::Context::ptr ctx, uint6_t id, uint2_t reserved)
{
if (reserved)
{
return ipmi::responseInvalidFieldRequest();
}
uint8_t userId = static_cast<uint8_t>(id);
std::string userName;
if (ipmiUserGetUserName(userId, userName) != ccSuccess)
{ // Invalid User ID
log<level::DEBUG>("User Name not found", entry("USER-ID=%u", userId));
return ipmi::responseParmOutOfRange();
}
// copy the std::string into a fixed array
if (userName.size() > ipmi::ipmiMaxUserName)
{
return ipmi::responseUnspecifiedError();
}
std::array<uint8_t, ipmi::ipmiMaxUserName> userNameFixed;
std::fill(userNameFixed.begin(), userNameFixed.end(), 0);
std::copy(userName.begin(), userName.end(), userNameFixed.begin());
return ipmi::responseSuccess(std::move(userNameFixed));
}
/** @brief implementes the get user name command
* @param[in] ctx - ipmi command context
* @param[in] userId - 6-bit user ID
* @param[in] reserved - 2-bits reserved
* @returns ipmi response with 16-byte username
*/
ipmi::RspType<> // user name
ipmiSetUserPassword(ipmi::Context::ptr ctx, uint6_t id, bool reserved1,
bool pwLen20, uint2_t operation, uint6_t reserved2,
SecureBuffer& userPassword)
{
if (reserved1 || reserved2)
{
log<level::DEBUG>("Invalid data field in request");
return ipmi::responseInvalidFieldRequest();
}
static constexpr uint2_t opDisableUser = 0x00;
static constexpr uint2_t opEnableUser = 0x01;
static constexpr uint2_t opSetPassword = 0x02;
static constexpr uint2_t opTestPassword = 0x03;
// If set / test password operation then password size has to be 16 or 20
// bytes based on the password size bit
if (((operation == opSetPassword) || (operation == opTestPassword)) &&
((pwLen20 && (userPassword.size() != maxIpmi20PasswordSize)) ||
(!pwLen20 && (userPassword.size() != maxIpmi15PasswordSize))))
{
log<level::DEBUG>("Invalid Length");
return ipmi::responseReqDataLenInvalid();
}
size_t passwordLength = userPassword.size();
uint8_t userId = static_cast<uint8_t>(id);
std::string userName;
if (ipmiUserGetUserName(userId, userName) != ccSuccess)
{
log<level::DEBUG>("User Name not found", entry("USER-ID=%d", userId));
return ipmi::responseParmOutOfRange();
}
if (operation == opSetPassword)
{
// turn the non-nul terminated SecureBuffer into a SecureString
SecureString password(
reinterpret_cast<const char*>(userPassword.data()), passwordLength);
ipmi::Cc res = ipmiUserSetUserPassword(userId, password.data());
return ipmi::response(res);
}
else if (operation == opEnableUser || operation == opDisableUser)
{
ipmi::Cc res =
ipmiUserUpdateEnabledState(userId, static_cast<bool>(operation));
return ipmi::response(res);
}
else if (operation == opTestPassword)
{
SecureString password = ipmiUserGetPassword(userName);
// extend with zeros, if needed
if (password.size() < passwordLength)
{
password.resize(passwordLength, '\0');
}
SecureString testPassword(
reinterpret_cast<const char*>(userPassword.data()), passwordLength);
// constant time string compare: always compare exactly as many bytes
// as the length of the input, resizing the actual password to match,
// maintaining a knowledge if the sizes differed originally
static const std::array<char, maxIpmi20PasswordSize> empty = {'\0'};
size_t cmpLen = testPassword.size();
bool pwLenDiffers = password.size() != cmpLen;
const char* cmpPassword = nullptr;
if (pwLenDiffers)
{
cmpPassword = empty.data();
}
else
{
cmpPassword = password.data();
}
bool pwBad = CRYPTO_memcmp(cmpPassword, testPassword.data(), cmpLen);
pwBad |= pwLenDiffers;
if (pwBad)
{
log<level::DEBUG>("Test password failed",
entry("USER-ID=%d", userId));
static constexpr ipmi::Cc ipmiCCPasswdFailMismatch = 0x80;
return ipmi::response(ipmiCCPasswdFailMismatch);
}
return ipmi::responseSuccess();
}
return ipmi::responseInvalidFieldRequest();
}
/** @brief implements the get channel authentication command
* @param ctx - IPMI context pointer (for channel)
* @param extData - get IPMI 2.0 extended data
* @param reserved1 - skip 3 bits
* @param chNum - channel number to get info about
* @param reserved2 - skip 4 bits
* @param privLevel - requested privilege level
* @returns ipmi completion code plus response data
* - channel number
* - rmcpAuthTypes - RMCP auth types (IPMI 1.5)
* - reserved1
* - extDataSupport - true for IPMI 2.0 extensions
* - anonymousLogin - true for anonymous login enabled
* - nullUsers - true for null user names enabled
* - nonNullUsers - true for non-null usernames enabled
* - userAuth - false for user authentication enabled
* - perMessageAuth - false for per message authentication enabled
* - KGStatus - true for Kg required for authentication
* - reserved2
* - rmcp - RMCP (IPMI 1.5) connection support
* - rmcpp - RMCP+ (IPMI 2.0) connection support
* - reserved3
* - oemID - OEM IANA of any OEM auth support
* - oemAuxillary - OEM data for auth
*/
ipmi::RspType<uint8_t, // channel number
uint6_t, // rmcpAuthTypes
bool, // reserved1
bool, // extDataSupport
bool, // anonymousLogin
bool, // nullUsers
bool, // nonNullUsers
bool, // userAuth
bool, // perMessageAuth
bool, // KGStatus
uint2_t, // reserved2
bool, // rmcp
bool, // rmcpp
uint6_t, // reserved3
uint24_t, // oemID
uint8_t // oemAuxillary
>
ipmiGetChannelAuthenticationCapabilities(ipmi::Context::ptr ctx,
uint4_t chNum, uint3_t reserved1,
bool extData, uint4_t privLevel,
uint4_t reserved2)
{
uint8_t channel =
convertCurrentChannelNum(static_cast<uint8_t>(chNum), ctx->channel);
if (reserved1 || reserved2 || !isValidChannel(channel) ||
!isValidPrivLimit(static_cast<uint8_t>(privLevel)))
{
log<level::DEBUG>(
"Get channel auth capabilities - Invalid field in request");
return ipmi::responseInvalidFieldRequest();
}
if (getChannelSessionSupport(channel) == EChannelSessSupported::none)
{
log<level::DEBUG>(
"Get channel auth capabilities - No support on channel");
return ipmi::response(ccActionNotSupportedForChannel);
}
constexpr bool extDataSupport = true; // true for IPMI 2.0 extensions
constexpr bool reserved3 = false;
constexpr uint6_t rmcpAuthTypes = 0; // IPMI 1.5 auth types - not supported
constexpr uint2_t reserved4 = 0;
constexpr bool KGStatus = false; // Not supporting now.
constexpr bool perMessageAuth = false; // Per message auth - enabled
constexpr bool userAuth = false; // User authentication - enabled
constexpr bool nullUsers = false; // Null user names - not supported
constexpr bool anonymousLogin = false; // Anonymous login - not supported
constexpr uint6_t reserved5 = 0;
constexpr bool rmcpp = true; // IPMI 2.0 - supported
constexpr bool rmcp = false; // IPMI 1.5 - not supported
constexpr uint24_t oemID = 0;
constexpr uint8_t oemAuxillary = 0;
bool nonNullUsers = 0;
uint8_t maxChUsers = 0, enabledUsers = 0, fixedUsers = 0;
ipmi::ipmiUserGetAllCounts(maxChUsers, enabledUsers, fixedUsers);
nonNullUsers = enabledUsers > 0;
return ipmi::responseSuccess(
channel, rmcpAuthTypes, reserved3, extDataSupport, anonymousLogin,
nullUsers, nonNullUsers, userAuth, perMessageAuth, KGStatus, reserved4,
rmcp, rmcpp, reserved5, oemID, oemAuxillary);
}
/** @brief implements the set user payload access command.
* @param ctx - IPMI context pointer (for channel)
* @param channel - channel number (4 bits)
* @param reserved1 - skip 4 bits
* @param userId - user id (6 bits)
* @param operation - access ENABLE /DISABLE. (2 bits)
* @param stdPayload0 - IPMI - reserved. (1 bit)
* @param stdPayload1 - SOL. (1 bit)
* @param stdPayload2 - (1 bit)
* @param stdPayload3 - (1 bit)
* @param stdPayload4 - (1 bit)
* @param stdPayload5 - (1 bit)
* @param stdPayload6 - (1 bit)
* @param stdPayload7 - (1 bit)
* @param stdPayloadEnables2Reserved - (8 bits)
* @param oemPayload0 - (1 bit)
* @param oemPayload1 - (1 bit)
* @param oemPayload2 - (1 bit)
* @param oemPayload3 - (1 bit)
* @param oemPayload4 - (1 bit)
* @param oemPayload5 - (1 bit)
* @param oemPayload6 - (1 bit)
* @param oemPayload7 - (1 bit)
* @param oemPayloadEnables2Reserved - (8 bits)
*
* @returns IPMI completion code
*/
ipmi::RspType<> ipmiSetUserPayloadAccess(
ipmi::Context::ptr ctx,
uint4_t channel, uint4_t reserved,
uint6_t userId, uint2_t operation,
bool stdPayload0ipmiReserved, bool stdPayload1SOL, bool stdPayload2,
bool stdPayload3, bool stdPayload4, bool stdPayload5, bool stdPayload6,
bool stdPayload7,
uint8_t stdPayloadEnables2Reserved,
bool oemPayload0, bool oemPayload1, bool oemPayload2, bool oemPayload3,
bool oemPayload4, bool oemPayload5, bool oemPayload6, bool oemPayload7,
uint8_t oemPayloadEnables2Reserved)
{
auto chNum =
convertCurrentChannelNum(static_cast<uint8_t>(channel), ctx->channel);
// Validate the reserved args. Only SOL payload is supported as on date.
if (reserved || stdPayload0ipmiReserved || stdPayload2 || stdPayload3 ||
stdPayload4 || stdPayload5 || stdPayload6 || stdPayload7 ||
oemPayload0 || oemPayload1 || oemPayload2 || oemPayload3 ||
oemPayload4 || oemPayload5 || oemPayload6 || oemPayload7 ||
stdPayloadEnables2Reserved || oemPayloadEnables2Reserved ||
!isValidChannel(chNum))
{
return ipmi::responseInvalidFieldRequest();
}
if ((operation != enableOperation && operation != disableOperation))
{
return ipmi::responseInvalidFieldRequest();
}
if (getChannelSessionSupport(chNum) == EChannelSessSupported::none)
{
return ipmi::response(ccActionNotSupportedForChannel);
}
if (!ipmiUserIsValidUserId(static_cast<uint8_t>(userId)))
{
return ipmi::responseParmOutOfRange();
}
PayloadAccess payloadAccess = {0};
payloadAccess.stdPayloadEnables1[1] = stdPayload1SOL;
return ipmi::response(ipmiUserSetUserPayloadAccess(
chNum, static_cast<uint8_t>(operation), static_cast<uint8_t>(userId),
payloadAccess));
}
/** @brief implements the get user payload access command
* This command returns information about user payload enable settings
* that were set using the 'Set User Payload Access' Command.
*
* @param ctx - IPMI context pointer (for channel)
* @param channel - channel number
* @param reserved1 - skip 4 bits
* @param userId - user id
* @param reserved2 - skip 2 bits
*
* @returns IPMI completion code plus response data
* - stdPayload0ipmiReserved - IPMI payload (reserved).
* - stdPayload1SOL - SOL payload
* - stdPayload2
* - stdPayload3
* - stdPayload4
* - stdPayload5
* - stdPayload6
* - stdPayload7
* - stdPayloadEnables2Reserved - Reserved.
* - oemPayload0
* - oemPayload1
* - oemPayload2
* - oemPayload3
* - oemPayload4
* - oemPayload5
* - oemPayload6
* - oemPayload7
* - oemPayloadEnables2Reserved - Reserved
*/
ipmi::RspType<bool, // stdPayload0ipmiReserved
bool, // stdPayload1SOL
bool, // stdPayload2
bool, // stdPayload3
bool, // stdPayload4
bool, // stdPayload5
bool, // stdPayload6
bool, // stdPayload7
uint8_t, // stdPayloadEnables2Reserved
bool, // oemPayload0
bool, // oemPayload1
bool, // oemPayload2
bool, // oemPayload3
bool, // oemPayload4
bool, // oemPayload5
bool, // oemPayload6
bool, // oemPayload7
uint8_t // oemPayloadEnables2Reserved
>
ipmiGetUserPayloadAccess(ipmi::Context::ptr ctx,
uint4_t channel, uint4_t reserved1,
uint6_t userId, uint2_t reserved2)
{
uint8_t chNum =
convertCurrentChannelNum(static_cast<uint8_t>(channel), ctx->channel);
if (reserved1 || reserved2 || !isValidChannel(chNum))
{
return ipmi::responseInvalidFieldRequest();
}
if (getChannelSessionSupport(chNum) == EChannelSessSupported::none)
{
return ipmi::response(ccActionNotSupportedForChannel);
}
if (!ipmiUserIsValidUserId(static_cast<uint8_t>(userId)))
{
return ipmi::responseParmOutOfRange();
}
ipmi::Cc retStatus;
PayloadAccess payloadAccess = {};
retStatus = ipmiUserGetUserPayloadAccess(
chNum, static_cast<uint8_t>(userId), payloadAccess);
if (retStatus != ccSuccess)
{
return ipmi::response(retStatus);
}
constexpr uint8_t res8bits = 0;
return ipmi::responseSuccess(payloadAccess.stdPayloadEnables1.test(0),
payloadAccess.stdPayloadEnables1.test(1),
payloadAccess.stdPayloadEnables1.test(2),
payloadAccess.stdPayloadEnables1.test(3),
payloadAccess.stdPayloadEnables1.test(4),
payloadAccess.stdPayloadEnables1.test(5),
payloadAccess.stdPayloadEnables1.test(6),
payloadAccess.stdPayloadEnables1.test(7),
res8bits,
payloadAccess.oemPayloadEnables1.test(0),
payloadAccess.oemPayloadEnables1.test(1),
payloadAccess.oemPayloadEnables1.test(2),
payloadAccess.oemPayloadEnables1.test(3),
payloadAccess.oemPayloadEnables1.test(4),
payloadAccess.oemPayloadEnables1.test(5),
payloadAccess.oemPayloadEnables1.test(6),
payloadAccess.oemPayloadEnables1.test(7),
res8bits);
}
void registerUserIpmiFunctions() __attribute__((constructor));
void registerUserIpmiFunctions()
{
post_work([]() { ipmiUserInit(); });
ipmi::registerHandler(ipmi::prioOpenBmcBase, ipmi::netFnApp,
ipmi::app::cmdSetUserAccessCommand,
ipmi::Privilege::Admin, ipmiSetUserAccess);
ipmi::registerHandler(ipmi::prioOpenBmcBase, ipmi::netFnApp,
ipmi::app::cmdGetUserAccessCommand,
ipmi::Privilege::Operator, ipmiGetUserAccess);
ipmi::registerHandler(ipmi::prioOpenBmcBase, ipmi::netFnApp,
ipmi::app::cmdGetUserNameCommand,
ipmi::Privilege::Operator, ipmiGetUserName);
ipmi::registerHandler(ipmi::prioOpenBmcBase, ipmi::netFnApp,
ipmi::app::cmdSetUserName, ipmi::Privilege::Admin,
ipmiSetUserName);
ipmi::registerHandler(ipmi::prioOpenBmcBase, ipmi::netFnApp,
ipmi::app::cmdSetUserPasswordCommand,
ipmi::Privilege::Admin, ipmiSetUserPassword);
ipmi::registerHandler(ipmi::prioOpenBmcBase, ipmi::netFnApp,
ipmi::app::cmdGetChannelAuthCapabilities,
ipmi::Privilege::Callback,
ipmiGetChannelAuthenticationCapabilities);
ipmi::registerHandler(ipmi::prioOpenBmcBase, ipmi::netFnApp,
ipmi::app::cmdSetUserPayloadAccess,
ipmi::Privilege::Admin, ipmiSetUserPayloadAccess);
ipmi::registerHandler(ipmi::prioOpenBmcBase, ipmi::netFnApp,
ipmi::app::cmdGetUserPayloadAccess,
ipmi::Privilege::Operator, ipmiGetUserPayloadAccess);
return;
}
} // namespace ipmi