Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / phosphor-net-ipmid / 41ff9b51e4bf4bb501c669527d45293acf0645fc / . / command / rakp12.cpp
blob: 912a1d0a7b9cb690ac1c8499090e5321901b70e4 [file] [log] [blame]
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]1#include "rakp12.hpp"
2
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]3#include "comm_module.hpp"
4#include "endian.hpp"
5#include "guid.hpp"
Vernon Mauery2085ae02021-06-10 11:51:00 -0700[diff] [blame]6#include "sessions_manager.hpp"
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]7
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]8#include <openssl/rand.h>
9
10#include <algorithm>
Tom Joseph56527b92018-03-21 19:31:58 +0530[diff] [blame]11#include <cstring>
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]12#include <iomanip>
Vernon Maueryfc37e592018-12-19 14:55:15 -0800[diff] [blame]13#include <phosphor-logging/log.hpp>
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]14
Vernon Maueryfc37e592018-12-19 14:55:15 -0800[diff] [blame]15using namespace phosphor::logging;
16
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]17namespace command
18{
19
AppaRao Puliecb32fb2020-07-01 22:55:38 +0530[diff] [blame]20bool isChannelAccessModeEnabled(const uint8_t accessMode)
21{
22 return accessMode !=
23 static_cast<uint8_t>(ipmi::EChannelAccessMode::disabled);
24}
25
Tom Joseph18a45e92017-04-11 11:30:44 +0530[diff] [blame]26std::vector<uint8_t> RAKP12(const std::vector<uint8_t>& inPayload,
Vernon Mauery41ff9b52021-06-11 11:37:40 -0700[diff] [blame^]27 std::shared_ptr<message::Handler>& handler)
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]28{
Tom Joseph18a45e92017-04-11 11:30:44 +0530[diff] [blame]29 auto request = reinterpret_cast<const RAKP1request*>(inPayload.data());
Zhikui Ren2b1edef2020-07-24 14:32:13 -0700[diff] [blame]30 // verify inPayload minimum size
31 if (inPayload.size() < (sizeof(*request) - userNameMaxLen))
32 {
33 std::vector<uint8_t> errorPayload{IPMI_CC_REQ_DATA_LEN_INVALID};
34 return errorPayload;
35 }
36
37 std::vector<uint8_t> outPayload(sizeof(RAKP2response));
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]38 auto response = reinterpret_cast<RAKP2response*>(outPayload.data());
39
40 // Session ID zero is reserved for Session Setup
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]41 if (endian::from_ipmi(request->managedSystemSessionID) ==
Suryakanth Sekarf8a34fc2019-06-12 20:59:18 +0530[diff] [blame]42 session::sessionZero)
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]43 {
Vernon Maueryfc37e592018-12-19 14:55:15 -0800[diff] [blame]44 log<level::INFO>("RAKP12: BMC invalid Session ID");
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]45 response->rmcpStatusCode =
46 static_cast<uint8_t>(RAKP_ReturnCode::INVALID_SESSION_ID);
47 return outPayload;
48 }
49
50 std::shared_ptr<session::Session> session;
51 try
52 {
Vernon Mauery2085ae02021-06-10 11:51:00 -0700[diff] [blame]53 session = session::Manager::get().getSession(
54 endian::from_ipmi(request->managedSystemSessionID));
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]55 }
56 catch (std::exception& e)
57 {
Vernon Maueryfc37e592018-12-19 14:55:15 -0800[diff] [blame]58 log<level::ERR>("RAKP12 : session not found",
59 entry("EXCEPTION=%s", e.what()));
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]60 response->rmcpStatusCode =
61 static_cast<uint8_t>(RAKP_ReturnCode::INVALID_SESSION_ID);
62 return outPayload;
63 }
64
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]65 auto rakp1Size =
66 sizeof(RAKP1request) - (userNameMaxLen - request->user_name_len);
Tom Joseph56527b92018-03-21 19:31:58 +0530[diff] [blame]67
68 // Validate user name length in the message
69 if (request->user_name_len > userNameMaxLen ||
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]70 inPayload.size() != rakp1Size)
Tom Joseph56527b92018-03-21 19:31:58 +0530[diff] [blame]71 {
72 response->rmcpStatusCode =
73 static_cast<uint8_t>(RAKP_ReturnCode::INVALID_NAME_LENGTH);
74 return outPayload;
75 }
76
77 session->userName.assign(request->user_name, request->user_name_len);
78
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]79 // Update transaction time
80 session->updateLastTransactionTime();
81
82 auto rcSessionID = endian::to_ipmi(session->getRCSessionID());
83 auto bmcSessionID = endian::to_ipmi(session->getBMCSessionID());
84 auto authAlgo = session->getAuthAlgo();
85
86 /*
87 * Generate Key Authentication Code - RAKP 2
88 *
89 * 1) Remote Console Session ID - 4 bytes
90 * 2) Managed System Session ID - 4 bytes
91 * 3) Remote Console Random Number - 16 bytes
92 * 4) Managed System Random Number - 16 bytes
93 * 5) Managed System GUID - 16 bytes
94 * 6) Requested Privilege Level - 1 byte
95 * 7) User Name Length Byte - 1 byte (0 for 'null' username)
96 * 8) User Name - variable (absent for 'null' username)
97 */
98
99 std::vector<uint8_t> input;
100 input.resize(sizeof(rcSessionID) + sizeof(bmcSessionID) +
101 cipher::rakp_auth::REMOTE_CONSOLE_RANDOM_NUMBER_LEN +
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]102 cipher::rakp_auth::BMC_RANDOM_NUMBER_LEN + BMC_GUID_LEN +
103 sizeof(request->req_max_privilege_level) +
104 sizeof(request->user_name_len) + session->userName.size());
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]105
106 auto iter = input.begin();
107
108 // Remote Console Session ID
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]109 std::copy_n(reinterpret_cast<uint8_t*>(&rcSessionID), sizeof(rcSessionID),
110 iter);
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]111 std::advance(iter, sizeof(rcSessionID));
112
113 // Managed System Session ID
114 std::copy_n(reinterpret_cast<uint8_t*>(&bmcSessionID), sizeof(bmcSessionID),
115 iter);
116 std::advance(iter, sizeof(bmcSessionID));
117
118 // Copy the Remote Console Random Number from the RAKP1 request to the
119 // Authentication Algorithm
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]120 std::copy_n(
121 reinterpret_cast<const uint8_t*>(request->remote_console_random_number),
122 cipher::rakp_auth::REMOTE_CONSOLE_RANDOM_NUMBER_LEN,
123 authAlgo->rcRandomNum.begin());
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]124
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]125 std::copy(authAlgo->rcRandomNum.begin(), authAlgo->rcRandomNum.end(), iter);
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]126 std::advance(iter, cipher::rakp_auth::REMOTE_CONSOLE_RANDOM_NUMBER_LEN);
127
128 // Generate the Managed System Random Number
129 if (!RAND_bytes(input.data() + sizeof(rcSessionID) + sizeof(bmcSessionID) +
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]130 cipher::rakp_auth::REMOTE_CONSOLE_RANDOM_NUMBER_LEN,
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]131 cipher::rakp_auth::BMC_RANDOM_NUMBER_LEN))
132 {
133 response->rmcpStatusCode =
134 static_cast<uint8_t>(RAKP_ReturnCode::INSUFFICIENT_RESOURCE);
135 return outPayload;
136 }
Richard Marian Thomaiyard5a4f452019-01-16 12:15:44 +0530[diff] [blame]137 // As stated in Set Session Privilege Level command in IPMI Spec, when
jayaprakash Mutyala2555e2e2019-12-24 22:51:46 +0000[diff] [blame]138 // creating a session through Activate command / RAKP 1 message, it must
139 // be established with USER privilege as well as all other sessions are
140 // initially set to USER privilege, regardless of the requested maximum
141 // privilege.
142 if (!(static_cast<session::Privilege>(request->req_max_privilege_level &
143 session::reqMaxPrivMask) >
144 session::Privilege::CALLBACK))
Richard Marian Thomaiyard5a4f452019-01-16 12:15:44 +0530[diff] [blame]145 {
jayaprakash Mutyala2555e2e2019-12-24 22:51:46 +0000[diff] [blame]146 response->rmcpStatusCode =
147 static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_ROLE_PRIV);
148 return outPayload;
Richard Marian Thomaiyard5a4f452019-01-16 12:15:44 +0530[diff] [blame]149 }
jayaprakash Mutyala2555e2e2019-12-24 22:51:46 +0000[diff] [blame]150 session->currentPrivilege(static_cast<uint8_t>(session::Privilege::USER));
151
Tom Joseph4021b1f2019-02-12 10:10:12 +0530[diff] [blame]152 session->reqMaxPrivLevel =
153 static_cast<session::Privilege>(request->req_max_privilege_level);
Richard Marian Thomaiyard91fd9d2018-12-06 12:03:50 +0530[diff] [blame]154 if (request->user_name_len == 0)
Richard Marian Thomaiyar127748a2018-09-06 07:08:51 +0530[diff] [blame]155 {
Richard Marian Thomaiyard91fd9d2018-12-06 12:03:50 +0530[diff] [blame]156 // Bail out, if user name is not specified.
157 // Yes, NULL user name is not supported for security reasons.
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]158 response->rmcpStatusCode =
159 static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME);
160 return outPayload;
Richard Marian Thomaiyard2563c52018-11-29 11:49:10 +0530[diff] [blame]161 }
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]162
163 // Perform user name based lookup
164 std::string userName(request->user_name, request->user_name_len);
165 std::string passwd;
166 uint8_t userId = ipmi::ipmiUserGetUserId(userName);
167 if (userId == ipmi::invalidUserId)
168 {
169 response->rmcpStatusCode =
170 static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME);
171 return outPayload;
172 }
173 // check user is enabled before proceeding.
174 bool userEnabled = false;
175 ipmi::ipmiUserCheckEnabled(userId, userEnabled);
176 if (!userEnabled)
177 {
178 response->rmcpStatusCode =
179 static_cast<uint8_t>(RAKP_ReturnCode::INACTIVE_ROLE);
180 return outPayload;
181 }
Richard Marian Thomaiyar4c4694e2019-06-20 16:36:49 +0530[diff] [blame]182 // Get the user password for RAKP message authenticate
183 passwd = ipmi::ipmiUserGetPassword(userName);
184 if (passwd.empty())
185 {
186 response->rmcpStatusCode =
187 static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME);
188 return outPayload;
189 }
Ayushi Smritib31e9692019-05-15 12:06:51 +0000[diff] [blame]190 // Check whether user is already locked for failed attempts
191 if (!ipmi::ipmiUserPamAuthenticate(userName, passwd))
192 {
193 log<level::ERR>("Authentication failed - user already locked out",
194 entry("USER-ID=%d", static_cast<uint8_t>(userId)));
195
196 response->rmcpStatusCode =
197 static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME);
198 return outPayload;
199 }
Saravanan Palanisamyd9c86bb2019-08-07 17:57:37 +0000[diff] [blame]200
201 uint8_t chNum = static_cast<uint8_t>(getInterfaceIndex());
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]202 // Get channel based access information
Richard Marian Thomaiyar992e53c2019-03-03 13:30:46 +0530[diff] [blame]203 if ((ipmi::ipmiUserGetPrivilegeAccess(
204 userId, chNum, session->sessionUserPrivAccess) != IPMI_CC_OK) ||
205 (ipmi::getChannelAccessData(chNum, session->sessionChannelAccess) !=
206 IPMI_CC_OK))
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]207 {
208 response->rmcpStatusCode =
209 static_cast<uint8_t>(RAKP_ReturnCode::INACTIVE_ROLE);
210 return outPayload;
211 }
AppaRao Puliecb32fb2020-07-01 22:55:38 +0530[diff] [blame]212 if (!isChannelAccessModeEnabled(session->sessionChannelAccess.accessMode))
213 {
214 phosphor::logging::log<phosphor::logging::level::ERR>(
215 "Channel access mode disabled.");
216 response->rmcpStatusCode =
217 static_cast<uint8_t>(RAKP_ReturnCode::INACTIVE_ROLE);
218 return outPayload;
219 }
Richard Marian Thomaiyar992e53c2019-03-03 13:30:46 +0530[diff] [blame]220 if (session->sessionUserPrivAccess.privilege >
221 static_cast<uint8_t>(session::Privilege::OEM))
Richard Marian Thomaiyar7e5d38d2019-03-02 22:11:41 +0530[diff] [blame]222 {
223 response->rmcpStatusCode =
224 static_cast<uint8_t>(RAKP_ReturnCode::INACTIVE_ROLE);
225 return outPayload;
226 }
Suryakanth Sekarf8a34fc2019-06-12 20:59:18 +0530[diff] [blame]227 session->channelNum(chNum);
228 session->userID(userId);
jayaprakash Mutyala2555e2e2019-12-24 22:51:46 +0000[diff] [blame]229 // minimum privilege of Channel / User / session::privilege::USER
Richard Marian Thomaiyard5a4f452019-01-16 12:15:44 +0530[diff] [blame]230 // has to be used as session current privilege level
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]231 uint8_t minPriv = 0;
Richard Marian Thomaiyar992e53c2019-03-03 13:30:46 +0530[diff] [blame]232 if (session->sessionChannelAccess.privLimit <
233 session->sessionUserPrivAccess.privilege)
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]234 {
Richard Marian Thomaiyar992e53c2019-03-03 13:30:46 +0530[diff] [blame]235 minPriv = session->sessionChannelAccess.privLimit;
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]236 }
237 else
238 {
Richard Marian Thomaiyar992e53c2019-03-03 13:30:46 +0530[diff] [blame]239 minPriv = session->sessionUserPrivAccess.privilege;
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]240 }
Suryakanth Sekarf8a34fc2019-06-12 20:59:18 +0530[diff] [blame]241 if (session->currentPrivilege() > minPriv)
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]242 {
Suryakanth Sekarf8a34fc2019-06-12 20:59:18 +0530[diff] [blame]243 session->currentPrivilege(static_cast<uint8_t>(minPriv));
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]244 }
Richard Marian Thomaiyard91fd9d2018-12-06 12:03:50 +0530[diff] [blame]245 // For username / privilege lookup, fail with UNAUTH_NAME, if requested
Richard Marian Thomaiyard8e92fe2019-01-16 11:56:23 +0530[diff] [blame]246 // max privilege does not match user privilege
Richard Marian Thomaiyard91fd9d2018-12-06 12:03:50 +0530[diff] [blame]247 if (((request->req_max_privilege_level & userNameOnlyLookupMask) ==
248 userNamePrivLookup) &&
Richard Marian Thomaiyard8e92fe2019-01-16 11:56:23 +0530[diff] [blame]249 ((request->req_max_privilege_level & session::reqMaxPrivMask) !=
Richard Marian Thomaiyar992e53c2019-03-03 13:30:46 +0530[diff] [blame]250 session->sessionUserPrivAccess.privilege))
Richard Marian Thomaiyard91fd9d2018-12-06 12:03:50 +0530[diff] [blame]251 {
Vernon Maueryfc37e592018-12-19 14:55:15 -0800[diff] [blame]252 log<level::INFO>(
253 "Username/Privilege lookup failed for requested privilege");
Richard Marian Thomaiyard91fd9d2018-12-06 12:03:50 +0530[diff] [blame]254 response->rmcpStatusCode =
255 static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME);
256 return outPayload;
257 }
Richard Marian Thomaiyar99b87842018-12-06 21:35:43 +0530[diff] [blame]258
259 std::fill(authAlgo->userKey.data(),
260 authAlgo->userKey.data() + authAlgo->userKey.size(), 0);
261 std::copy_n(passwd.c_str(), passwd.size(), authAlgo->userKey.data());
262
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]263 // Copy the Managed System Random Number to the Authentication Algorithm
264 std::copy_n(iter, cipher::rakp_auth::BMC_RANDOM_NUMBER_LEN,
265 authAlgo->bmcRandomNum.begin());
266 std::advance(iter, cipher::rakp_auth::BMC_RANDOM_NUMBER_LEN);
267
268 // Managed System GUID
Tom Joseph83029cb2017-09-01 16:37:31 +0530[diff] [blame]269 std::copy_n(cache::guid.data(), cache::guid.size(), iter);
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]270 std::advance(iter, BMC_GUID_LEN);
271
272 // Requested Privilege Level
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]273 std::copy_n(&(request->req_max_privilege_level),
274 sizeof(request->req_max_privilege_level), iter);
275 std::advance(iter, sizeof(request->req_max_privilege_level));
276
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]277 // User Name Length Byte
278 std::copy_n(&(request->user_name_len), sizeof(request->user_name_len),
279 iter);
Tom Joseph56527b92018-03-21 19:31:58 +0530[diff] [blame]280 std::advance(iter, sizeof(request->user_name_len));
281
282 std::copy_n(session->userName.data(), session->userName.size(), iter);
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]283
284 // Generate Key Exchange Authentication Code - RAKP2
285 auto output = authAlgo->generateHMAC(input);
286
287 response->messageTag = request->messageTag;
288 response->rmcpStatusCode = static_cast<uint8_t>(RAKP_ReturnCode::NO_ERROR);
289 response->reserved = 0;
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]290 response->remoteConsoleSessionID = rcSessionID;
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]291
292 // Copy Managed System Random Number to the Response
293 std::copy(authAlgo->bmcRandomNum.begin(), authAlgo->bmcRandomNum.end(),
294 response->managed_system_random_number);
295
296 // Copy System GUID to the Response
Vernon Mauery9e801a22018-10-12 13:20:49 -0700[diff] [blame]297 std::copy_n(cache::guid.data(), cache::guid.size(),
Tom Joseph83029cb2017-09-01 16:37:31 +0530[diff] [blame]298 response->managed_system_guid);
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]299
300 // Insert the HMAC output into the payload
301 outPayload.insert(outPayload.end(), output.begin(), output.end());
Tom Joseph8bb10b72016-12-06 17:47:56 +0530[diff] [blame]302 return outPayload;
303}
304
305} // namespace command