diff options
| author | Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com> | 2018-12-06 12:03:50 +0530 |
|---|---|---|
| committer | Vernon Mauery <vernon.mauery@linux.intel.com> | 2018-12-19 23:18:13 +0000 |
| commit | d91fd9d28515983ef23de39c459c927c445f6a1a (patch) | |
| tree | c3ee8096c98c443cd785bba0cd061dc72f85d7be | |
| parent | cbccb05ab1ea1a9ad23cd8204722044122a49595 (diff) | |
| download | phosphor-net-ipmid-d91fd9d28515983ef23de39c459c927c445f6a1a.tar.gz phosphor-net-ipmid-d91fd9d28515983ef23de39c459c927c445f6a1a.zip | |
Support privilege based lookup with user name
Support for privilege based lookup, with user name is added.
Still NULL user name is not supported for user/privilege based
lookup for security reasons
Unit-Test:
Verified ipmitool session with -L <privielge>+ and also verified
that RAKP12 fails, when requested privilege is more than the user
privilege.
ipmitool -I lanplus -H xx.xx.xx.xx -U root -P 0penBmc -L Administrator+
raw 6 1
Change-Id: Ia97d4f3091c5ca7e3b688188ce1690c17fce9891
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
| -rw-r--r-- | command/rakp12.cpp | 20 | ||||
| -rw-r--r-- | command/rakp12.hpp | 1 |
2 files changed, 17 insertions, 4 deletions
diff --git a/command/rakp12.cpp b/command/rakp12.cpp index 5384ab3..cd7dd68 100644 --- a/command/rakp12.cpp +++ b/command/rakp12.cpp @@ -125,11 +125,10 @@ std::vector<uint8_t> RAKP12(const std::vector<uint8_t>& inPayload, session->reqMaxPrivLevel = request->req_max_privilege_level; session->curPrivLevel = static_cast<session::Privilege>( request->req_max_privilege_level & session::reqMaxPrivMask); - if (((request->req_max_privilege_level & userNameOnlyLookupMask) != - userNameOnlyLookup) || - (request->user_name_len == 0)) + if (request->user_name_len == 0) { - // Skip privilege based lookup for security purpose + // Bail out, if user name is not specified. + // Yes, NULL user name is not supported for security reasons. response->rmcpStatusCode = static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME); return outPayload; @@ -191,6 +190,19 @@ std::vector<uint8_t> RAKP12(const std::vector<uint8_t>& inPayload, { session->curPrivLevel = static_cast<session::Privilege>(minPriv); } + // For username / privilege lookup, fail with UNAUTH_NAME, if requested + // max privilege is greater than the user privilege. + if (((request->req_max_privilege_level & userNameOnlyLookupMask) == + userNamePrivLookup) && + ((request->req_max_privilege_level & session::reqMaxPrivMask) > + userAccess.privilege)) + { + std::cerr + << "Username/Privilege lookup failed for requested privilege\n"; + response->rmcpStatusCode = + static_cast<uint8_t>(RAKP_ReturnCode::UNAUTH_NAME); + return outPayload; + } std::fill(authAlgo->userKey.data(), authAlgo->userKey.data() + authAlgo->userKey.size(), 0); diff --git a/command/rakp12.hpp b/command/rakp12.hpp index 95124be..b615c7b 100644 --- a/command/rakp12.hpp +++ b/command/rakp12.hpp @@ -12,6 +12,7 @@ constexpr size_t userNameMaxLen = 16; constexpr uint8_t userNameOnlyLookupMask = 0x10; constexpr uint8_t userNameOnlyLookup = 0x10; +constexpr uint8_t userNamePrivLookup = 0x0; /** * @struct RAKP1request |
