rakp12: Fix for Callback privilege
Issue: Get Payload Activation Status should not be allowed for Callback
privilege, as Callback privilege is deprecated.
Fix: Return a proper error response for Callback privilege.
Tested:
Before:
Command: ipmitool -I lanplus -U root -P 0penBmc -H <BMC-IP>
-L Callback raw 6 0x4A 1 // GetPayload Activation Status
Response: 01 00 00
After:
Command: ipmitool -I lanplus -U root -P 0penBmc -H <BMC-IP>
-L Callback raw 6 0x4A 1 //GetPayload Activation Status
Response: Error: Unable to establish IPMI v2 / RMCP+ session
Signed-off-by: jayaprakash Mutyala <mutyalax.jayaprakash@intel.com>
Change-Id: Iab12aa546ec6b05e547a39032e400d0c382f5178
diff --git a/command/rakp12.cpp b/command/rakp12.cpp
index 2ab9fcd..4a56bf0 100644
--- a/command/rakp12.cpp
+++ b/command/rakp12.cpp
@@ -123,19 +123,20 @@
return outPayload;
}
// As stated in Set Session Privilege Level command in IPMI Spec, when
- // creating a session through Activate command / RAKP 1 message, it must be
- // established with CALLBACK privilege if requested for callback. All other
- // sessions are initialy set to USER privilege, regardless of the requested
- // maximum privilege.
- session->currentPrivilege(
- static_cast<uint8_t>(session::Privilege::CALLBACK));
- if (static_cast<session::Privilege>(request->req_max_privilege_level &
- session::reqMaxPrivMask) >
- session::Privilege::CALLBACK)
+ // creating a session through Activate command / RAKP 1 message, it must
+ // be established with USER privilege as well as all other sessions are
+ // initially set to USER privilege, regardless of the requested maximum
+ // privilege.
+ if (!(static_cast<session::Privilege>(request->req_max_privilege_level &
+ session::reqMaxPrivMask) >
+ session::Privilege::CALLBACK))
{
- session->currentPrivilege(
- static_cast<uint8_t>(session::Privilege::USER));
+ response->rmcpStatusCode =
+ static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_ROLE_PRIV);
+ return outPayload;
}
+ session->currentPrivilege(static_cast<uint8_t>(session::Privilege::USER));
+
session->reqMaxPrivLevel =
static_cast<session::Privilege>(request->req_max_privilege_level);
if (request->user_name_len == 0)
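Review bot: The new guard on `req_max_privilege_level` checks only the lower bound, so a masked value above the highest defined privilege level still passes, and `session->reqMaxPrivLevel` is then assigned from the unmasked byte just below it. This field arrives in the RAKP 1 request before the user-name handling that follows, so I would validate it once at both ends and reuse the masked result: `const auto reqPriv = static_cast<session::Privilege>(request->req_max_privilege_level & session::reqMaxPrivMask);` then `if (reqPriv <= session::Privilege::CALLBACK || reqPriv > <highest defined session::Privilege>)`, which also reads more directly than `!(... > CALLBACK)`. Whether later code masks or clamps `reqMaxPrivLevel` before using it is not visible here, because the enclosing function starts and ends outside the hunk, so this may already be covered elsewhere. The comment above the guard describes only the USER default; it should also state that a Callback or zero request is rejected with `UNAUTH_ROLE_PRIV`.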
@@ -205,7 +206,7 @@
}
session->channelNum(chNum);
session->userID(userId);
- // minimum privilege of Channel / User / session::privilege::USER/CALLBACK /
+ // minimum privilege of Channel / User / session::privilege::USER
// has to be used as session current privilege level
uint8_t minPriv = 0;
if (session->sessionChannelAccess.privLimit <