Support privilege based lookup with user name

Add support for privilege-based lookup with a user name.
A NULL user name is still not supported for user/privilege-based
lookup, for security reasons.

Unit-Test:
Verified ipmitool session with -L <privielge>+ and also verified
that RAKP12 fails, when requested privilege is more than the user
privilege.
ipmitool -I lanplus -H xx.xx.xx.xx -U root -P 0penBmc -L Administrator+
raw 6 1

Change-Id: Ia97d4f3091c5ca7e3b688188ce1690c17fce9891
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/command/rakp12.cpp b/command/rakp12.cpp
index 5384ab3..cd7dd68 100644
--- a/command/rakp12.cpp
+++ b/command/rakp12.cpp
@@ -125,11 +125,10 @@
     session->reqMaxPrivLevel = request->req_max_privilege_level;
     session->curPrivLevel = static_cast<session::Privilege>(
         request->req_max_privilege_level & session::reqMaxPrivMask);
-    if (((request->req_max_privilege_level & userNameOnlyLookupMask) !=
-         userNameOnlyLookup) ||
-        (request->user_name_len == 0))
+    if (request->user_name_len == 0)
     {
-        // Skip privilege based lookup for security purpose
+        // Bail out, if user name is not specified.
+        // Yes, NULL user name is not supported for security reasons.
         response->rmcpStatusCode =
             static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME);
         return outPayload;
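Review bot: Only the zero case of `request->user_name_len` is rejected here, and the hunk shows no upper bound on it; if the length is later used to copy the name out of the request, confirm it is also checked against the size of the name field before that use. This rejection path also returns without logging, unlike the privilege failure added further down in this commit, so refused NULL-user attempts leave no trace for whoever monitors the BMC. The comment could state the rule directly, e.g. `// Reject a zero-length (NULL) user name; it is not supported for security reasons.` The enclosing function begins and ends outside the hunk.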
@@ -191,6 +190,19 @@
     {
         session->curPrivLevel = static_cast<session::Privilege>(minPriv);
     }
+    // For username / privilege lookup, fail with UNAUTH_NAME, if requested
+    // max privilege is greater than the user privilege.
+    if (((request->req_max_privilege_level & userNameOnlyLookupMask) ==
+         userNamePrivLookup) &&
+        ((request->req_max_privilege_level & session::reqMaxPrivMask) >
+         userAccess.privilege))
+    {
+        std::cerr
+            << "Username/Privilege lookup failed for requested privilege\n";
+        response->rmcpStatusCode =
+            static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME);
+        return outPayload;
+    }
 
     std::fill(authAlgo->userKey.data(),
               authAlgo->userKey.data() + authAlgo->userKey.size(), 0);
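Review bot: The added `>` comparison rejects a request only when `userAccess.privilege` is a numerically lower level, so it would pass for every request if that field can hold the IPMI "no access" limit (0xF). The hunk does not show that value, or a reserved requested level of 0, being refused earlier, so confirm both are handled before this block or validate the range here. The failure is reported with a bare `std::cerr` line that carries no session or channel context; routing it through whatever logging facility the daemon uses elsewhere, with a message such as `"RAKP12: requested privilege exceeds user privilege limit"`, would make refused requests easier to find. The enclosing function starts and ends outside the hunk.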
diff --git a/command/rakp12.hpp b/command/rakp12.hpp
index 95124be..b615c7b 100644
--- a/command/rakp12.hpp
+++ b/command/rakp12.hpp
@@ -12,6 +12,7 @@
 
 constexpr uint8_t userNameOnlyLookupMask = 0x10;
 constexpr uint8_t userNameOnlyLookup = 0x10;
+constexpr uint8_t userNamePrivLookup = 0x0;
 
 /**
  * @struct RAKP1request
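Review bot: `userNameOnlyLookupMask` now selects between two lookup modes, but neither the mask nor the new `userNamePrivLookup` value says which bit of `req_max_privilege_level` it describes. A comment above the three constants would help, e.g. `// Bit 4 of req_max_privilege_level: 1 = name-only lookup, 0 = name/privilege lookup`. A mode-neutral name for the mask would also read better at the new comparison in rakp12.cpp, where it is tested against `userNamePrivLookup`.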