diff options
| author | Tom Joseph <tomjoseph@in.ibm.com> | 2019-02-12 10:10:12 +0530 |
|---|---|---|
| committer | Tom Joseph <tomjoseph@in.ibm.com> | 2019-02-12 23:37:27 +0530 |
| commit | 4021b1f7a1db46b6e467539371321513864534d4 (patch) | |
| tree | 0f3b5a7ff75a36663ac039aa462abe15fed83c55 | |
| parent | b882dbb2b01be1e00a48e5292107dbdee110ab24 (diff) | |
| download | phosphor-net-ipmid-4021b1f7a1db46b6e467539371321513864534d4.tar.gz phosphor-net-ipmid-4021b1f7a1db46b6e467539371321513864534d4.zip | |
Return the maximum privilege in open session command
This commit does the following:
- Set the maximum privilege role in the session instead of current privilege
in the implementation of the open session request/response.
- In open session response, return the maximum privilege of the session
instead of the current privilege level.
- Update RAKP12 and RAKP34 implementation
Tested: Checked the session setup works fine with ipmitool and freeipmi
utility ipmipower.
Change-Id: I41b63b91f08c2ed96856c4db41eedaa878c663e3
Signed-off-by: Tom Joseph <tomjoseph@in.ibm.com>
| -rw-r--r-- | command/open_session.cpp | 21 | ||||
| -rw-r--r-- | command/rakp12.cpp | 3 | ||||
| -rw-r--r-- | command/rakp34.cpp | 2 | ||||
| -rw-r--r-- | command/session_cmds.cpp | 4 | ||||
| -rw-r--r-- | session.hpp | 4 |
5 files changed, 25 insertions, 9 deletions
diff --git a/command/open_session.cpp b/command/open_session.cpp index 51da9e1..e3453f8 100644 --- a/command/open_session.cpp +++ b/command/open_session.cpp @@ -38,6 +38,22 @@ std::vector<uint8_t> openSession(const std::vector<uint8_t>& inPayload, return outPayload; } + session::Privilege priv; + + // 0h in the requested maximum privilege role field indicates highest level + // matching proposed algorithms. The maximum privilege level the session + // can take is set to Administrator level. In the RAKP12 command sequence + // the session maximum privilege role is set again based on the user's + // permitted privilege level. + if (!request->maxPrivLevel) + { + priv = session::Privilege::ADMIN; + } + else + { + priv = static_cast<session::Privilege>(request->maxPrivLevel); + } + // Check for valid Confidentiality Algorithms if (!cipher::crypt::Interface::isAlgorithmSupported( static_cast<cipher::crypt::Algorithms>(request->confAlgo))) @@ -54,8 +70,7 @@ std::vector<uint8_t> openSession(const std::vector<uint8_t>& inPayload, session = std::get<session::Manager&>(singletonPool) .startSession( - endian::from_ipmi<>(request->remoteConsoleSessionID), - static_cast<session::Privilege>(request->maxPrivLevel), + endian::from_ipmi<>(request->remoteConsoleSessionID), priv, static_cast<cipher::rakp_auth::Algorithms>( request->authAlgo), static_cast<cipher::integrity::Algorithms>( @@ -73,7 +88,7 @@ std::vector<uint8_t> openSession(const std::vector<uint8_t>& inPayload, response->messageTag = request->messageTag; response->status_code = static_cast<uint8_t>(RAKP_ReturnCode::NO_ERROR); - response->maxPrivLevel = static_cast<uint8_t>(session->curPrivLevel); + response->maxPrivLevel = static_cast<uint8_t>(session->reqMaxPrivLevel); response->remoteConsoleSessionID = request->remoteConsoleSessionID; response->managedSystemSessionID = endian::to_ipmi<>(session->getBMCSessionID()); diff --git a/command/rakp12.cpp b/command/rakp12.cpp index 17a7483..59ca9e3 100644 --- a/command/rakp12.cpp +++ b/command/rakp12.cpp @@ -136,7 +136,8 @@ std::vector<uint8_t> RAKP12(const std::vector<uint8_t>& inPayload, { session->curPrivLevel = session::Privilege::USER; } - session->reqMaxPrivLevel = request->req_max_privilege_level; + session->reqMaxPrivLevel = + static_cast<session::Privilege>(request->req_max_privilege_level); if (request->user_name_len == 0) { // Bail out, if user name is not specified. diff --git a/command/rakp34.cpp b/command/rakp34.cpp index 10c67fa..370c132 100644 --- a/command/rakp34.cpp +++ b/command/rakp34.cpp @@ -126,7 +126,7 @@ std::vector<uint8_t> RAKP34(const std::vector<uint8_t>& inPayload, auto rcSessionID = endian::to_ipmi(session->getRCSessionID()); // Session Privilege Level - auto sessPrivLevel = session->reqMaxPrivLevel; + auto sessPrivLevel = static_cast<uint8_t>(session->reqMaxPrivLevel); // User Name Length Byte auto userLength = static_cast<uint8_t>(session->userName.size()); diff --git a/command/session_cmds.cpp b/command/session_cmds.cpp index 3312c92..a6b4adb 100644 --- a/command/session_cmds.cpp +++ b/command/session_cmds.cpp @@ -32,8 +32,8 @@ std::vector<uint8_t> response->newPrivLevel = static_cast<uint8_t>(session->curPrivLevel); return outPayload; } - if (reqPrivilegeLevel > - (session->reqMaxPrivLevel & session::reqMaxPrivMask)) + if (reqPrivilegeLevel > (static_cast<uint8_t>(session->reqMaxPrivLevel) & + session::reqMaxPrivMask)) { // Requested level exceeds Channel and/or User Privilege Limit response->completionCode = IPMI_CC_EXCEEDS_USER_PRIV; diff --git a/session.hpp b/session.hpp index bf136e3..bc48971 100644 --- a/session.hpp +++ b/session.hpp @@ -116,7 +116,7 @@ class Session * @param[in] priv - Privilege Level requested in the Command */ Session(SessionID inRemoteConsoleSessID, Privilege priv) : - curPrivLevel(priv), bmcSessionID(crypto::prng::rand()), + reqMaxPrivLevel(priv), bmcSessionID(crypto::prng::rand()), remoteConsoleSessionID(inRemoteConsoleSessID) { } @@ -270,7 +270,7 @@ class Session /** * @brief Session's Requested Maximum Privilege Level */ - uint8_t reqMaxPrivLevel; + Privilege reqMaxPrivLevel; SequenceNumbers sequenceNums; // Session Sequence Numbers State state = State::INACTIVE; // Session State |
