| #include "channel_auth.hpp" |
| |
| #include <errno.h> |
| #include <ipmid/api.h> |
| |
| #include <ipmid/types.hpp> |
| #include <ipmid/utils.hpp> |
| #include <nlohmann/json.hpp> |
| #include <phosphor-logging/elog-errors.hpp> |
| #include <phosphor-logging/lg2.hpp> |
| #include <user_channel/channel_layer.hpp> |
| #include <user_channel/user_layer.hpp> |
| #include <xyz/openbmc_project/Common/error.hpp> |
| |
| #include <fstream> |
| #include <set> |
| #include <string> |
| |
| namespace command |
| { |
| |
| using namespace phosphor::logging; |
| using namespace sdbusplus::xyz::openbmc_project::Common::Error; |
| using Json = nlohmann::json; |
| |
| std::vector<uint8_t> |
| GetChannelCapabilities(const std::vector<uint8_t>& inPayload, |
| std::shared_ptr<message::Handler>& /* handler */) |
| { |
| auto request = |
| reinterpret_cast<const GetChannelCapabilitiesReq*>(inPayload.data()); |
| if (inPayload.size() != sizeof(*request)) |
| { |
| std::vector<uint8_t> errorPayload{IPMI_CC_REQ_DATA_LEN_INVALID}; |
| return errorPayload; |
| } |
| constexpr unsigned int channelMask = 0x0f; |
| uint8_t chNum = ipmi::convertCurrentChannelNum( |
| request->channelNumber & channelMask, getInterfaceIndex()); |
| |
| if (!ipmi::isValidChannel(chNum) || |
| (ipmi::EChannelSessSupported::none == |
| ipmi::getChannelSessionSupport(chNum)) || |
| !ipmi::isValidPrivLimit(request->reqMaxPrivLevel)) |
| { |
| std::vector<uint8_t> errorPayload{IPMI_CC_INVALID_FIELD_REQUEST}; |
| return errorPayload; |
| } |
| |
| std::vector<uint8_t> outPayload(sizeof(GetChannelCapabilitiesResp)); |
| auto response = |
| reinterpret_cast<GetChannelCapabilitiesResp*>(outPayload.data()); |
| |
| // A canned response, since there is no user and channel management. |
| response->completionCode = IPMI_CC_OK; |
| |
| response->channelNumber = chNum; |
| |
| response->ipmiVersion = 1; // IPMI v2.0 extended capabilities available. |
| response->reserved1 = 0; |
| response->oem = 0; |
| response->straightKey = 0; |
| response->reserved2 = 0; |
| response->md5 = 0; |
| response->md2 = 0; |
| |
| response->reserved3 = 0; |
| response->KGStatus = 0; // KG is set to default |
| response->perMessageAuth = 0; // Per-message Authentication is enabled |
| response->userAuth = 0; // User Level Authentication is enabled |
| uint8_t maxChUsers = 0; |
| uint8_t enabledUsers = 0; |
| uint8_t fixedUsers = 0; |
| ipmi::ipmiUserGetAllCounts(maxChUsers, enabledUsers, fixedUsers); |
| |
| response->nonNullUsers = enabledUsers > 0 ? 1 : 0; // Non-null usernames |
| response->nullUsers = 0; // Null usernames disabled |
| response->anonymousLogin = 0; // Anonymous Login disabled |
| |
| response->reserved4 = 0; |
| response->extCapabilities = 0x2; // Channel supports IPMI v2.0 connections |
| |
| response->oemID[0] = 0; |
| response->oemID[1] = 0; |
| response->oemID[2] = 0; |
| response->oemAuxillary = 0; |
| return outPayload; |
| } |
| |
| static constexpr const char* configFile = |
| "/usr/share/ipmi-providers/cipher_list.json"; |
| static constexpr const char* cipher = "cipher"; |
| static constexpr uint8_t stdCipherSuite = 0xC0; |
| static constexpr uint8_t oemCipherSuite = 0xC1; |
| static constexpr const char* oem = "oemiana"; |
| static constexpr const char* auth = "authentication"; |
| static constexpr const char* integrity = "integrity"; |
| static constexpr uint8_t integrityTag = 0x40; |
| static constexpr const char* conf = "confidentiality"; |
| static constexpr uint8_t confTag = 0x80; |
| |
| /** @brief Get the supported Cipher records |
| * |
| * The cipher records are read from the JSON file and converted into |
| * 1. cipher suite record format mentioned in the IPMI specification. The |
| * records can be either OEM or standard cipher. Each json entry is parsed and |
| * converted into the cipher record format and pushed into the vector. |
| * 2. Algorithms listed in vector format |
| * |
| * @return pair of vector containing 1. all the cipher suite records. 2. |
| * Algorithms supported |
| * |
| */ |
| static std::pair<std::vector<uint8_t>, std::vector<uint8_t>> getCipherRecords() |
| { |
| std::vector<uint8_t> cipherRecords; |
| std::vector<uint8_t> supportedAlgorithmRecords; |
| // create set to get the unique supported algorithms |
| std::set<uint8_t> supportedAlgorithmSet; |
| |
| std::ifstream jsonFile(configFile); |
| if (!jsonFile.is_open()) |
| { |
| lg2::error("Channel Cipher suites file not found: {ERROR}", "ERROR", |
| strerror(errno)); |
| elog<InternalFailure>(); |
| } |
| |
| auto data = Json::parse(jsonFile, nullptr, false); |
| if (data.is_discarded()) |
| { |
| lg2::error("Parsing channel cipher suites JSON failed: {ERROR}", |
| "ERROR", strerror(errno)); |
| elog<InternalFailure>(); |
| } |
| |
| for (const auto& record : data) |
| { |
| if (record.find(oem) != record.end()) |
| { |
| // OEM cipher suite - 0xC1 |
| cipherRecords.push_back(oemCipherSuite); |
| // Cipher Suite ID |
| cipherRecords.push_back(record.value(cipher, 0)); |
| // OEM IANA - 3 bytes |
| cipherRecords.push_back(record.value(oem, 0)); |
| cipherRecords.push_back(record.value(oem, 0) >> 8); |
| cipherRecords.push_back(record.value(oem, 0) >> 16); |
| } |
| else |
| { |
| // Standard cipher suite - 0xC0 |
| cipherRecords.push_back(stdCipherSuite); |
| // Cipher Suite ID |
| cipherRecords.push_back(record.value(cipher, 0)); |
| } |
| |
| // Authentication algorithm number |
| cipherRecords.push_back(record.value(auth, 0)); |
| supportedAlgorithmSet.insert(record.value(auth, 0)); |
| |
| // Integrity algorithm number |
| cipherRecords.push_back(record.value(integrity, 0) | integrityTag); |
| supportedAlgorithmSet.insert(record.value(integrity, 0) | integrityTag); |
| |
| // Confidentiality algorithm number |
| cipherRecords.push_back(record.value(conf, 0) | confTag); |
| supportedAlgorithmSet.insert(record.value(conf, 0) | confTag); |
| } |
| |
| // copy the set to supportedAlgorithmRecord which is vector based. |
| std::copy(supportedAlgorithmSet.begin(), supportedAlgorithmSet.end(), |
| std::back_inserter(supportedAlgorithmRecords)); |
| |
| return std::make_pair(cipherRecords, supportedAlgorithmRecords); |
| } |
| |
| /** @brief this command is used to look up what authentication, integrity, |
| * confidentiality algorithms are supported. |
| * |
| * @ param inPayload - vector of input data |
| * @ param handler - pointer to handler |
| * |
| * @returns ipmi completion code plus response data |
| * - vector of response data: cc, channel, record data |
| **/ |
| std::vector<uint8_t> |
| getChannelCipherSuites(const std::vector<uint8_t>& inPayload, |
| std::shared_ptr<message::Handler>& /* handler */) |
| { |
| const auto errorResponse = [](uint8_t cc) { |
| std::vector<uint8_t> rsp(1); |
| rsp[0] = cc; |
| return rsp; |
| }; |
| |
| static constexpr size_t getChannelCipherSuitesReqLen = 3; |
| if (inPayload.size() != getChannelCipherSuitesReqLen) |
| { |
| return errorResponse(IPMI_CC_REQ_DATA_LEN_INVALID); |
| } |
| |
| static constexpr uint8_t channelMask = 0x0f; |
| uint8_t channelNumber = inPayload[0] & channelMask; |
| if (channelNumber != inPayload[0]) |
| { |
| return errorResponse(IPMI_CC_INVALID_FIELD_REQUEST); |
| } |
| static constexpr uint8_t payloadMask = 0x3f; |
| uint8_t payloadType = inPayload[1] & payloadMask; |
| if (payloadType != inPayload[1]) |
| { |
| return errorResponse(IPMI_CC_INVALID_FIELD_REQUEST); |
| } |
| static constexpr uint8_t indexMask = 0x3f; |
| uint8_t listIndex = inPayload[2] & indexMask; |
| static constexpr uint8_t algoSelectShift = 7; |
| uint8_t algoSelectBit = inPayload[2] >> algoSelectShift; |
| if ((listIndex | (algoSelectBit << algoSelectShift)) != inPayload[2]) |
| { |
| return errorResponse(IPMI_CC_INVALID_FIELD_REQUEST); |
| } |
| |
| static std::vector<uint8_t> cipherRecords; |
| static std::vector<uint8_t> supportedAlgorithms; |
| static bool recordInit = false; |
| |
| uint8_t rspChannel = |
| ipmi::convertCurrentChannelNum(channelNumber, getInterfaceIndex()); |
| |
| if (!ipmi::isValidChannel(rspChannel)) |
| { |
| return errorResponse(IPMI_CC_INVALID_FIELD_REQUEST); |
| } |
| if (!ipmi::isValidPayloadType(static_cast<ipmi::PayloadType>(payloadType))) |
| { |
| lg2::debug("Get channel cipher suites - Invalid payload type: {ERROR}", |
| "ERROR", strerror(errno)); |
| constexpr uint8_t ccPayloadTypeNotSupported = 0x80; |
| return errorResponse(ccPayloadTypeNotSupported); |
| } |
| |
| if (!recordInit) |
| { |
| try |
| { |
| std::tie(cipherRecords, supportedAlgorithms) = getCipherRecords(); |
| recordInit = true; |
| } |
| catch (const std::exception& e) |
| { |
| return errorResponse(IPMI_CC_UNSPECIFIED_ERROR); |
| } |
| } |
| |
| const std::vector<uint8_t>& records = |
| algoSelectBit ? cipherRecords : supportedAlgorithms; |
| static constexpr auto respSize = 16; |
| |
| // Session support is available in active LAN channels. |
| if ((ipmi::getChannelSessionSupport(rspChannel) == |
| ipmi::EChannelSessSupported::none) || |
| !(ipmi::doesDeviceExist(rspChannel))) |
| { |
| lg2::debug("Get channel cipher suites - Device does not exist:{ERROR}", |
| "ERROR", strerror(errno)); |
| return errorResponse(IPMI_CC_INVALID_FIELD_REQUEST); |
| } |
| |
| // List index(00h-3Fh), 0h selects the first set of 16, 1h selects the next |
| // set of 16 and so on. |
| |
| // Calculate the number of record data bytes to be returned. |
| auto start = |
| std::min(static_cast<size_t>(listIndex) * respSize, records.size()); |
| auto end = std::min((static_cast<size_t>(listIndex) * respSize) + respSize, |
| records.size()); |
| auto size = end - start; |
| |
| std::vector<uint8_t> rsp; |
| rsp.push_back(IPMI_CC_OK); |
| rsp.push_back(rspChannel); |
| std::copy_n(records.data() + start, size, std::back_inserter(rsp)); |
| |
| return rsp; |
| } |
| |
| } // namespace command |