Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 1 | /* |
| 2 | // Copyright (c) 2018 Intel Corporation |
| 3 | // |
| 4 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | // you may not use this file except in compliance with the License. |
| 6 | // You may obtain a copy of the License at |
| 7 | // |
| 8 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | // |
| 10 | // Unless required by applicable law or agreed to in writing, software |
| 11 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | // See the License for the specific language governing permissions and |
| 14 | // limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #include "usercommands.hpp" |
| 18 | |
| 19 | #include "apphandler.hpp" |
Richard Marian Thomaiyar | 06df876 | 2018-12-08 17:38:25 +0530 | [diff] [blame] | 20 | #include "channel_layer.hpp" |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 21 | #include "user_layer.hpp" |
| 22 | |
| 23 | #include <host-ipmid/ipmid-api.h> |
| 24 | #include <security/pam_appl.h> |
| 25 | |
| 26 | #include <phosphor-logging/log.hpp> |
| 27 | #include <regex> |
| 28 | |
| 29 | namespace ipmi |
| 30 | { |
| 31 | |
| 32 | using namespace phosphor::logging; |
| 33 | |
| 34 | static constexpr uint8_t maxIpmi20PasswordSize = 20; |
| 35 | static constexpr uint8_t maxIpmi15PasswordSize = 16; |
| 36 | static constexpr uint8_t disableUser = 0x00; |
| 37 | static constexpr uint8_t enableUser = 0x01; |
| 38 | static constexpr uint8_t setPassword = 0x02; |
| 39 | static constexpr uint8_t testPassword = 0x03; |
Richard Marian Thomaiyar | 23df06f | 2019-01-04 16:42:22 +0530 | [diff] [blame] | 40 | static constexpr uint8_t passwordKeySize20 = 1; |
| 41 | static constexpr uint8_t passwordKeySize16 = 0; |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 42 | |
Richard Marian Thomaiyar | 6e1ba9e | 2018-11-29 06:29:21 +0530 | [diff] [blame] | 43 | /** @struct SetUserAccessReq |
| 44 | * |
| 45 | * Structure for set user access request command (refer spec sec 22.26) |
| 46 | */ |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 47 | struct SetUserAccessReq |
| 48 | { |
| 49 | #if BYTE_ORDER == LITTLE_ENDIAN |
| 50 | uint8_t chNum : 4; |
| 51 | uint8_t ipmiEnabled : 1; |
| 52 | uint8_t linkAuthEnabled : 1; |
| 53 | uint8_t accessCallback : 1; |
| 54 | uint8_t bitsUpdate : 1; |
| 55 | uint8_t userId : 6; |
| 56 | uint8_t reserved1 : 2; |
| 57 | uint8_t privilege : 4; |
| 58 | uint8_t reserved2 : 4; |
| 59 | uint8_t sessLimit : 4; // optional byte 4 |
| 60 | uint8_t reserved3 : 4; |
| 61 | #endif |
| 62 | #if BYTE_ORDER == BIG_ENDIAN |
| 63 | uint8_t bitsUpdate : 1; |
| 64 | uint8_t accessCallback : 1; |
| 65 | uint8_t linkAuthEnabled : 1; |
| 66 | uint8_t ipmiEnabled : 1; |
| 67 | uint8_t chNum : 4; |
| 68 | uint8_t reserved1 : 2; |
| 69 | uint8_t userId : 6; |
| 70 | uint8_t reserved2 : 4; |
| 71 | uint8_t privilege : 4; |
| 72 | uint8_t reserved3 : 4; |
| 73 | uint8_t sessLimit : 4; // optional byte 4 |
| 74 | #endif |
| 75 | |
| 76 | } __attribute__((packed)); |
| 77 | |
Richard Marian Thomaiyar | 6e1ba9e | 2018-11-29 06:29:21 +0530 | [diff] [blame] | 78 | /** @struct GetUserAccessReq |
| 79 | * |
| 80 | * Structure for get user access request command (refer spec sec 22.27) |
| 81 | */ |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 82 | struct GetUserAccessReq |
| 83 | { |
| 84 | #if BYTE_ORDER == LITTLE_ENDIAN |
| 85 | uint8_t chNum : 4; |
| 86 | uint8_t reserved1 : 4; |
| 87 | uint8_t userId : 6; |
| 88 | uint8_t reserved2 : 2; |
| 89 | #endif |
| 90 | #if BYTE_ORDER == BIG_ENDIAN |
| 91 | uint8_t reserved1 : 4; |
| 92 | uint8_t chNum : 4; |
| 93 | uint8_t reserved2 : 2; |
| 94 | uint8_t userId : 6; |
| 95 | #endif |
| 96 | } __attribute__((packed)); |
| 97 | |
Richard Marian Thomaiyar | 6e1ba9e | 2018-11-29 06:29:21 +0530 | [diff] [blame] | 98 | /** @struct GetUserAccessResp |
| 99 | * |
| 100 | * Structure for get user access response command (refer spec sec 22.27) |
| 101 | */ |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 102 | struct GetUserAccessResp |
| 103 | { |
| 104 | #if BYTE_ORDER == LITTLE_ENDIAN |
| 105 | uint8_t maxChUsers : 6; |
| 106 | uint8_t reserved1 : 2; |
| 107 | uint8_t enabledUsers : 6; |
| 108 | uint8_t enabledStatus : 2; |
| 109 | uint8_t fixedUsers : 6; |
| 110 | uint8_t reserved2 : 2; |
| 111 | #endif |
| 112 | #if BYTE_ORDER == BIG_ENDIAN |
| 113 | uint8_t reserved1 : 2; |
| 114 | uint8_t maxChUsers : 6; |
| 115 | uint8_t enabledStatus : 2; |
| 116 | uint8_t enabledUsers : 6; |
| 117 | uint8_t reserved2 : 2; |
| 118 | uint8_t fixedUsers : 6; |
| 119 | #endif |
| 120 | PrivAccess privAccess; |
| 121 | } __attribute__((packed)); |
| 122 | |
Richard Marian Thomaiyar | 6e1ba9e | 2018-11-29 06:29:21 +0530 | [diff] [blame] | 123 | /** @struct SetUserNameReq |
| 124 | * |
| 125 | * Structure for set user name request command (refer spec sec 22.28) |
| 126 | */ |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 127 | struct SetUserNameReq |
| 128 | { |
| 129 | #if BYTE_ORDER == LITTLE_ENDIAN |
| 130 | uint8_t userId : 6; |
| 131 | uint8_t reserved1 : 2; |
| 132 | #endif |
| 133 | #if BYTE_ORDER == BIG_ENDIAN |
| 134 | uint8_t reserved1 : 2; |
| 135 | uint8_t userId : 6; |
| 136 | #endif |
| 137 | uint8_t userName[16]; |
| 138 | } __attribute__((packed)); |
| 139 | |
Richard Marian Thomaiyar | 6e1ba9e | 2018-11-29 06:29:21 +0530 | [diff] [blame] | 140 | /** @struct GetUserNameReq |
| 141 | * |
| 142 | * Structure for get user name request command (refer spec sec 22.29) |
| 143 | */ |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 144 | struct GetUserNameReq |
| 145 | { |
| 146 | #if BYTE_ORDER == LITTLE_ENDIAN |
| 147 | uint8_t userId : 6; |
| 148 | uint8_t reserved1 : 2; |
| 149 | #endif |
| 150 | #if BYTE_ORDER == BIG_ENDIAN |
| 151 | uint8_t reserved1 : 2; |
| 152 | uint8_t userId : 6; |
| 153 | #endif |
| 154 | } __attribute__((packed)); |
| 155 | |
Richard Marian Thomaiyar | 6e1ba9e | 2018-11-29 06:29:21 +0530 | [diff] [blame] | 156 | /** @struct GetUserNameResp |
| 157 | * |
| 158 | * Structure for get user name response command (refer spec sec 22.29) |
| 159 | */ |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 160 | struct GetUserNameResp |
| 161 | { |
| 162 | uint8_t userName[16]; |
| 163 | } __attribute__((packed)); |
| 164 | |
Richard Marian Thomaiyar | 6e1ba9e | 2018-11-29 06:29:21 +0530 | [diff] [blame] | 165 | /** @struct SetUserPasswordReq |
| 166 | * |
| 167 | * Structure for set user password request command (refer spec sec 22.30) |
| 168 | */ |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 169 | struct SetUserPasswordReq |
| 170 | { |
| 171 | #if BYTE_ORDER == LITTLE_ENDIAN |
| 172 | uint8_t userId : 6; |
| 173 | uint8_t reserved1 : 1; |
| 174 | uint8_t ipmi20 : 1; |
| 175 | uint8_t operation : 2; |
| 176 | uint8_t reserved2 : 6; |
| 177 | #endif |
| 178 | #if BYTE_ORDER == BIG_ENDIAN |
| 179 | uint8_t ipmi20 : 1; |
| 180 | uint8_t reserved1 : 1; |
| 181 | uint8_t userId : 6; |
| 182 | uint8_t reserved2 : 6; |
| 183 | uint8_t operation : 2; |
| 184 | #endif |
| 185 | uint8_t userPassword[maxIpmi20PasswordSize]; |
| 186 | } __attribute__((packed)); |
| 187 | |
| 188 | ipmi_ret_t ipmiSetUserAccess(ipmi_netfn_t netfn, ipmi_cmd_t cmd, |
| 189 | ipmi_request_t request, ipmi_response_t response, |
| 190 | ipmi_data_len_t dataLen, ipmi_context_t context) |
| 191 | { |
| 192 | const SetUserAccessReq* req = static_cast<SetUserAccessReq*>(request); |
| 193 | size_t reqLength = *dataLen; |
Richard Marian Thomaiyar | 4026e44 | 2018-11-30 16:44:15 +0530 | [diff] [blame] | 194 | *dataLen = 0; |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 195 | |
| 196 | if (!(reqLength == sizeof(*req) || |
| 197 | (reqLength == (sizeof(*req) - sizeof(uint8_t) /* skip optional*/)))) |
| 198 | { |
| 199 | log<level::DEBUG>("Set user access - Invalid Length"); |
| 200 | return IPMI_CC_REQ_DATA_LEN_INVALID; |
| 201 | } |
Richard Marian Thomaiyar | 06df876 | 2018-12-08 17:38:25 +0530 | [diff] [blame] | 202 | uint8_t chNum = convertCurrentChannelNum(req->chNum); |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 203 | if (req->reserved1 != 0 || req->reserved2 != 0 || req->reserved3 != 0 || |
Richard Marian Thomaiyar | 06df876 | 2018-12-08 17:38:25 +0530 | [diff] [blame] | 204 | req->sessLimit != 0 || (!isValidChannel(chNum)) || |
| 205 | (!ipmiUserIsValidPrivilege(req->privilege)) || |
| 206 | (EChannelSessSupported::none == getChannelSessionSupport(chNum))) |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 207 | { |
| 208 | log<level::DEBUG>("Set user access - Invalid field in request"); |
| 209 | return IPMI_CC_INVALID_FIELD_REQUEST; |
| 210 | } |
| 211 | if (!ipmiUserIsValidUserId(req->userId)) |
| 212 | { |
| 213 | log<level::DEBUG>("Set user access - Parameter out of range"); |
| 214 | return IPMI_CC_PARM_OUT_OF_RANGE; |
| 215 | } |
Richard Marian Thomaiyar | 06df876 | 2018-12-08 17:38:25 +0530 | [diff] [blame] | 216 | |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 217 | PrivAccess privAccess = {0}; |
| 218 | if (req->bitsUpdate) |
| 219 | { |
| 220 | privAccess.ipmiEnabled = req->ipmiEnabled; |
| 221 | privAccess.linkAuthEnabled = req->linkAuthEnabled; |
| 222 | privAccess.accessCallback = req->accessCallback; |
| 223 | } |
| 224 | privAccess.privilege = req->privilege; |
| 225 | ipmiUserSetPrivilegeAccess(req->userId, chNum, privAccess, req->bitsUpdate); |
| 226 | |
| 227 | return IPMI_CC_OK; |
| 228 | } |
| 229 | |
| 230 | ipmi_ret_t ipmiGetUserAccess(ipmi_netfn_t netfn, ipmi_cmd_t cmd, |
| 231 | ipmi_request_t request, ipmi_response_t response, |
| 232 | ipmi_data_len_t dataLen, ipmi_context_t context) |
| 233 | { |
| 234 | const GetUserAccessReq* req = static_cast<GetUserAccessReq*>(request); |
| 235 | size_t reqLength = *dataLen; |
| 236 | |
| 237 | *dataLen = 0; |
| 238 | |
| 239 | if (reqLength != sizeof(*req)) |
| 240 | { |
| 241 | log<level::DEBUG>("Get user access - Invalid Length"); |
| 242 | return IPMI_CC_REQ_DATA_LEN_INVALID; |
| 243 | } |
Richard Marian Thomaiyar | 06df876 | 2018-12-08 17:38:25 +0530 | [diff] [blame] | 244 | uint8_t chNum = convertCurrentChannelNum(req->chNum); |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 245 | if (req->reserved1 != 0 || req->reserved2 != 0 || |
Richard Marian Thomaiyar | 06df876 | 2018-12-08 17:38:25 +0530 | [diff] [blame] | 246 | (!isValidChannel(chNum)) || |
| 247 | (EChannelSessSupported::none == getChannelSessionSupport(chNum))) |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 248 | { |
| 249 | log<level::DEBUG>("Get user access - Invalid field in request"); |
| 250 | return IPMI_CC_INVALID_FIELD_REQUEST; |
| 251 | } |
| 252 | if (!ipmiUserIsValidUserId(req->userId)) |
| 253 | { |
| 254 | log<level::DEBUG>("Get user access - Parameter out of range"); |
| 255 | return IPMI_CC_PARM_OUT_OF_RANGE; |
| 256 | } |
| 257 | |
| 258 | uint8_t maxChUsers = 0, enabledUsers = 0, fixedUsers = 0; |
| 259 | bool enabledState = false; |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 260 | GetUserAccessResp* resp = static_cast<GetUserAccessResp*>(response); |
| 261 | |
| 262 | std::fill(reinterpret_cast<uint8_t*>(resp), |
| 263 | reinterpret_cast<uint8_t*>(resp) + sizeof(*resp), 0); |
| 264 | |
| 265 | ipmiUserGetAllCounts(maxChUsers, enabledUsers, fixedUsers); |
| 266 | resp->maxChUsers = maxChUsers; |
| 267 | resp->enabledUsers = enabledUsers; |
| 268 | resp->fixedUsers = fixedUsers; |
| 269 | |
| 270 | ipmiUserCheckEnabled(req->userId, enabledState); |
| 271 | resp->enabledStatus = enabledState ? userIdEnabledViaSetPassword |
| 272 | : userIdDisabledViaSetPassword; |
| 273 | ipmiUserGetPrivilegeAccess(req->userId, chNum, resp->privAccess); |
| 274 | *dataLen = sizeof(*resp); |
| 275 | |
| 276 | return IPMI_CC_OK; |
| 277 | } |
| 278 | |
| 279 | ipmi_ret_t ipmiSetUserName(ipmi_netfn_t netfn, ipmi_cmd_t cmd, |
| 280 | ipmi_request_t request, ipmi_response_t response, |
| 281 | ipmi_data_len_t dataLen, ipmi_context_t context) |
| 282 | { |
| 283 | const SetUserNameReq* req = static_cast<SetUserNameReq*>(request); |
| 284 | size_t reqLength = *dataLen; |
| 285 | *dataLen = 0; |
| 286 | |
| 287 | if (reqLength != sizeof(*req)) |
| 288 | { |
| 289 | log<level::DEBUG>("Set user name - Invalid Length"); |
| 290 | return IPMI_CC_REQ_DATA_LEN_INVALID; |
| 291 | } |
| 292 | if (req->reserved1) |
| 293 | { |
| 294 | return IPMI_CC_INVALID_FIELD_REQUEST; |
| 295 | } |
| 296 | if (!ipmiUserIsValidUserId(req->userId)) |
| 297 | { |
| 298 | log<level::DEBUG>("Set user name - Invalid user id"); |
| 299 | return IPMI_CC_PARM_OUT_OF_RANGE; |
| 300 | } |
| 301 | |
| 302 | return ipmiUserSetUserName(req->userId, |
| 303 | reinterpret_cast<const char*>(req->userName)); |
| 304 | } |
| 305 | |
| 306 | /** @brief implementes the get user name command |
| 307 | * @param[in] netfn - specifies netfn. |
| 308 | * @param[in] cmd - specifies cmd number. |
| 309 | * @param[in] request - pointer to request data. |
| 310 | * @param[in, out] dataLen - specifies request data length, and returns |
| 311 | * response data length. |
| 312 | * @param[in] context - ipmi context. |
| 313 | * @returns ipmi completion code. |
| 314 | */ |
| 315 | ipmi_ret_t ipmiGetUserName(ipmi_netfn_t netfn, ipmi_cmd_t cmd, |
| 316 | ipmi_request_t request, ipmi_response_t response, |
| 317 | ipmi_data_len_t dataLen, ipmi_context_t context) |
| 318 | { |
| 319 | const GetUserNameReq* req = static_cast<GetUserNameReq*>(request); |
| 320 | size_t reqLength = *dataLen; |
| 321 | |
| 322 | *dataLen = 0; |
| 323 | |
| 324 | if (reqLength != sizeof(*req)) |
| 325 | { |
| 326 | log<level::DEBUG>("Get user name - Invalid Length"); |
| 327 | return IPMI_CC_REQ_DATA_LEN_INVALID; |
| 328 | } |
| 329 | |
| 330 | std::string userName; |
| 331 | if (ipmiUserGetUserName(req->userId, userName) != IPMI_CC_OK) |
| 332 | { // Invalid User ID |
| 333 | log<level::DEBUG>("User Name not found", |
| 334 | entry("USER-ID:%d", (uint8_t)req->userId)); |
| 335 | return IPMI_CC_PARM_OUT_OF_RANGE; |
| 336 | } |
| 337 | GetUserNameResp* resp = static_cast<GetUserNameResp*>(response); |
| 338 | std::fill(reinterpret_cast<uint8_t*>(resp), |
| 339 | reinterpret_cast<uint8_t*>(resp) + sizeof(*resp), 0); |
| 340 | userName.copy(reinterpret_cast<char*>(resp->userName), |
| 341 | sizeof(resp->userName), 0); |
| 342 | *dataLen = sizeof(*resp); |
| 343 | |
| 344 | return IPMI_CC_OK; |
| 345 | } |
| 346 | |
| 347 | int pamFunctionConversation(int numMsg, const struct pam_message** msg, |
| 348 | struct pam_response** resp, void* appdataPtr) |
| 349 | { |
| 350 | if (appdataPtr == nullptr) |
| 351 | { |
| 352 | return PAM_AUTH_ERR; |
| 353 | } |
| 354 | size_t passSize = std::strlen(reinterpret_cast<char*>(appdataPtr)) + 1; |
| 355 | char* pass = reinterpret_cast<char*>(malloc(passSize)); |
| 356 | std::strncpy(pass, reinterpret_cast<char*>(appdataPtr), passSize); |
| 357 | |
| 358 | *resp = reinterpret_cast<pam_response*>( |
| 359 | calloc(numMsg, sizeof(struct pam_response))); |
| 360 | |
| 361 | for (int i = 0; i < numMsg; ++i) |
| 362 | { |
| 363 | if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) |
| 364 | { |
| 365 | continue; |
| 366 | } |
| 367 | resp[i]->resp = pass; |
| 368 | } |
| 369 | return PAM_SUCCESS; |
| 370 | } |
| 371 | |
| 372 | bool pamUpdatePasswd(const char* username, const char* password) |
| 373 | { |
| 374 | const struct pam_conv localConversation = {pamFunctionConversation, |
| 375 | const_cast<char*>(password)}; |
| 376 | pam_handle_t* localAuthHandle = NULL; // this gets set by pam_start |
| 377 | |
| 378 | if (pam_start("passwd", username, &localConversation, &localAuthHandle) != |
| 379 | PAM_SUCCESS) |
| 380 | { |
| 381 | return false; |
| 382 | } |
| 383 | int retval = pam_chauthtok(localAuthHandle, PAM_SILENT); |
| 384 | |
| 385 | if (retval != PAM_SUCCESS) |
| 386 | { |
| 387 | if (retval == PAM_AUTHTOK_ERR) |
| 388 | { |
| 389 | log<level::DEBUG>("Authentication Failure"); |
| 390 | } |
| 391 | else |
| 392 | { |
| 393 | log<level::DEBUG>("pam_chauthtok returned failure", |
| 394 | entry("ERROR=%d", retval)); |
| 395 | } |
| 396 | pam_end(localAuthHandle, retval); |
| 397 | return false; |
| 398 | } |
| 399 | if (pam_end(localAuthHandle, PAM_SUCCESS) != PAM_SUCCESS) |
| 400 | { |
| 401 | return false; |
| 402 | } |
| 403 | return true; |
| 404 | } |
| 405 | |
| 406 | /** @brief implementes the set user password command |
| 407 | * @param[in] netfn - specifies netfn. |
| 408 | * @param[in] cmd - specifies cmd number. |
| 409 | * @param[in] request - pointer to request data. |
| 410 | * @param[in, out] dataLen - specifies request data length, and returns |
| 411 | * response data length. |
| 412 | * @param[in] context - ipmi context. |
| 413 | * @returns ipmi completion code. |
| 414 | */ |
| 415 | ipmi_ret_t ipmiSetUserPassword(ipmi_netfn_t netfn, ipmi_cmd_t cmd, |
| 416 | ipmi_request_t request, ipmi_response_t response, |
| 417 | ipmi_data_len_t dataLen, ipmi_context_t context) |
| 418 | { |
| 419 | const SetUserPasswordReq* req = static_cast<SetUserPasswordReq*>(request); |
| 420 | size_t reqLength = *dataLen; |
| 421 | // subtract 2 bytes header to know the password length - including NULL |
| 422 | uint8_t passwordLength = *dataLen - 2; |
| 423 | *dataLen = 0; |
| 424 | |
| 425 | // verify input length based on operation. Required password size is 20 |
| 426 | // bytes as we support only IPMI 2.0, but in order to be compatible with |
| 427 | // tools, accept 16 bytes of password size too. |
| 428 | if (reqLength < 2 || |
| 429 | // If enable / disable user, reqLength has to be >=2 & <= 22 |
| 430 | ((req->operation == disableUser || req->operation == enableUser) && |
| 431 | ((reqLength < 2) || (reqLength > sizeof(SetUserPasswordReq))))) |
| 432 | { |
| 433 | log<level::DEBUG>("Invalid Length"); |
| 434 | return IPMI_CC_REQ_DATA_LEN_INVALID; |
| 435 | } |
| 436 | // If set / test password then password length has to be 16 or 20 bytes |
Richard Marian Thomaiyar | 23df06f | 2019-01-04 16:42:22 +0530 | [diff] [blame] | 437 | // based on the password size bit. |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 438 | if (((req->operation == setPassword) || (req->operation == testPassword)) && |
Richard Marian Thomaiyar | 23df06f | 2019-01-04 16:42:22 +0530 | [diff] [blame] | 439 | (((req->ipmi20 == passwordKeySize20) && |
| 440 | (passwordLength != maxIpmi20PasswordSize)) || |
| 441 | ((req->ipmi20 == passwordKeySize16) && |
| 442 | (passwordLength != maxIpmi15PasswordSize)))) |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 443 | { |
| 444 | log<level::DEBUG>("Invalid Length"); |
| 445 | return IPMI_CC_REQ_DATA_LEN_INVALID; |
| 446 | } |
| 447 | |
| 448 | std::string userName; |
| 449 | if (ipmiUserGetUserName(req->userId, userName) != IPMI_CC_OK) |
| 450 | { |
| 451 | log<level::DEBUG>("User Name not found", |
| 452 | entry("USER-ID:%d", (uint8_t)req->userId)); |
| 453 | return IPMI_CC_PARM_OUT_OF_RANGE; |
| 454 | } |
| 455 | if (req->operation == setPassword) |
| 456 | { |
| 457 | std::string passwd; |
| 458 | passwd.assign(reinterpret_cast<const char*>(req->userPassword), 0, |
| 459 | maxIpmi20PasswordSize); |
| 460 | if (!std::regex_match(passwd.c_str(), |
| 461 | std::regex("[a-zA-z_0-9][a-zA-Z_0-9,?:`!\"]*"))) |
| 462 | { |
Richard Marian Thomaiyar | 282e79b | 2018-11-13 19:00:58 +0530 | [diff] [blame] | 463 | log<level::ERR>("Invalid password fields", |
| 464 | entry("USER-ID:%d", (uint8_t)req->userId)); |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 465 | return IPMI_CC_INVALID_FIELD_REQUEST; |
| 466 | } |
| 467 | if (!pamUpdatePasswd(userName.c_str(), passwd.c_str())) |
| 468 | { |
Richard Marian Thomaiyar | 282e79b | 2018-11-13 19:00:58 +0530 | [diff] [blame] | 469 | log<level::ERR>("Failed to update password", |
| 470 | entry("USER-ID:%d", (uint8_t)req->userId)); |
| 471 | return IPMI_CC_INVALID_FIELD_REQUEST; |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 472 | } |
Richard Marian Thomaiyar | 282e79b | 2018-11-13 19:00:58 +0530 | [diff] [blame] | 473 | return IPMI_CC_OK; |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 474 | } |
Richard Marian Thomaiyar | 282e79b | 2018-11-13 19:00:58 +0530 | [diff] [blame] | 475 | else if (req->operation == enableUser || req->operation == disableUser) |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 476 | { |
Richard Marian Thomaiyar | 282e79b | 2018-11-13 19:00:58 +0530 | [diff] [blame] | 477 | return ipmiUserUpdateEnabledState(req->userId, |
| 478 | static_cast<bool>(req->operation)); |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 479 | } |
Richard Marian Thomaiyar | 282e79b | 2018-11-13 19:00:58 +0530 | [diff] [blame] | 480 | else if (req->operation == testPassword) |
| 481 | { |
| 482 | auto password = ipmiUserGetPassword(userName); |
| 483 | std::string testPassword( |
| 484 | reinterpret_cast<const char*>(req->userPassword), 0, |
| 485 | passwordLength); |
| 486 | // Note: For security reasons password size won't be compared and |
| 487 | // wrong password size completion code will not be returned if size |
| 488 | // doesn't match as specified in IPMI specification. |
| 489 | if (password != testPassword) |
| 490 | { |
| 491 | log<level::DEBUG>("Test password failed", |
| 492 | entry("USER-ID:%d", (uint8_t)req->userId)); |
| 493 | return static_cast<ipmi_ret_t>( |
| 494 | IPMISetPasswordReturnCodes::ipmiCCPasswdFailMismatch); |
| 495 | } |
| 496 | return IPMI_CC_OK; |
| 497 | } |
| 498 | return IPMI_CC_INVALID_FIELD_REQUEST; |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 499 | } |
| 500 | |
William A. Kennington III | 343d061 | 2018-12-10 15:56:24 -0800 | [diff] [blame] | 501 | void registerUserIpmiFunctions() __attribute__((constructor)); |
Richard Marian Thomaiyar | 5a6b636 | 2018-03-12 23:42:34 +0530 | [diff] [blame] | 502 | void registerUserIpmiFunctions() |
| 503 | { |
| 504 | ipmiUserInit(); |
| 505 | ipmi_register_callback(NETFUN_APP, IPMI_CMD_SET_USER_ACCESS, NULL, |
| 506 | ipmiSetUserAccess, PRIVILEGE_ADMIN); |
| 507 | |
| 508 | ipmi_register_callback(NETFUN_APP, IPMI_CMD_GET_USER_ACCESS, NULL, |
| 509 | ipmiGetUserAccess, PRIVILEGE_OPERATOR); |
| 510 | |
| 511 | ipmi_register_callback(NETFUN_APP, IPMI_CMD_GET_USER_NAME, NULL, |
| 512 | ipmiGetUserName, PRIVILEGE_OPERATOR); |
| 513 | |
| 514 | ipmi_register_callback(NETFUN_APP, IPMI_CMD_SET_USER_NAME, NULL, |
| 515 | ipmiSetUserName, PRIVILEGE_ADMIN); |
| 516 | |
| 517 | ipmi_register_callback(NETFUN_APP, IPMI_CMD_SET_USER_PASSWORD, NULL, |
| 518 | ipmiSetUserPassword, PRIVILEGE_ADMIN); |
| 519 | |
| 520 | return; |
| 521 | } |
| 522 | } // namespace ipmi |