project-edgeos/sys-block/sedutil/files/0003-Add-verifySIDPassword.patch - cos/overlays/board-overlays - Git at Google

 From e4452be67f3f5ae326ba6be4fe92048eddc2720b Mon Sep 17 00:00:00 2001
 From: Howard McLauchlan <hmclauchlan@fb.com>
 Date: Tue, 16 Aug 2022 22:33:51 -0700
 Subject: [PATCH 3/3] Add verifySIDPassword

 This is a utility I added to aid debugging, but generally seems like a
 good idea. Before adding this, the only way we had of checking "do i
 have the right password" was to try to change it, which does seem a
 little weird. The pattern of change_password -> verify_password seems a
 little more sane to me.

 The implementation of this command is a little scuffed though. Under the
 hood, we attempt to start a session with the passed in password. There
 are many reasons for a session start to fail, and verifySIDPassword
 faithfully returns them. On success, however, the password must be
 correct.

 Signed-off-by: Howard McLauchlan <hmclauchlan@fb.com>
 ---
  Common/DtaDev.h             |  7 +++++++
  Common/DtaDevEnterprise.cpp |  6 ++++++
  Common/DtaDevEnterprise.h   |  7 +++++++
  Common/DtaDevGeneric.cpp    |  1 +
  Common/DtaDevGeneric.h      |  7 +++++++
  Common/DtaDevOpal.cpp       | 26 ++++++++++++++++++++++++++
  Common/DtaDevOpal.h         |  8 ++++++++
  Common/DtaOptions.cpp       |  3 +++
  Common/DtaOptions.h         |  1 +
  Common/sedutil.cpp          |  4 ++++
  10 files changed, 70 insertions(+)

 diff --git a/Common/DtaDev.h b/Common/DtaDev.h
 index c73c179..98777b0 100644
 --- a/Common/DtaDev.h
 +++ b/Common/DtaDev.h
 @@ -132,6 +132,13 @@ public:
  	 */
  	virtual uint8_t setSIDPassword(char * oldpassword, char * newpassword,
  		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) = 0;
 +	/** Verify the SID pasword.
 +	 * Requires special handling because password is not always hashed.
 +	 * @param password      SID password to be tested
 +	 * @param hashpwd      Should the password be hashed. See comments in function Impl.
 +     * @param securemode    Should the password be interactively obtained.
 +	 */
 +    virtual uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode) = 0;
  	/** Set the password of a locking SP user.
  	 * @param password  current password
  	 * @param userid the userid whose password is to be changed
 diff --git a/Common/DtaDevEnterprise.cpp b/Common/DtaDevEnterprise.cpp
 index ba2e97a..f00c9cc 100644
 --- a/Common/DtaDevEnterprise.cpp
 +++ b/Common/DtaDevEnterprise.cpp
 @@ -1346,6 +1346,12 @@ uint8_t DtaDevEnterprise::setSIDPassword(char * oldpassword, char * newpassword,
  	LOG(D1) << "Exiting DtaDevEnterprise::setSIDPassword()";
  	return 0;
  }
 +uint8_t DtaDevEnterprise::verifySIDPassword(char const * const, uint8_t, bool)
 +{
 +    LOG(E) << "DtaDevEnterprise does not support verifySIDPassword" << std::endl;
 +    return DTAERROR_INVALID_COMMAND;
 +}
 +
  uint8_t DtaDevEnterprise::setTable(vector<uint8_t> table, const char *name,
  	OPAL_TOKEN value)
  {
 diff --git a/Common/DtaDevEnterprise.h b/Common/DtaDevEnterprise.h
 index 4a6d2e2..b195026 100644
 --- a/Common/DtaDevEnterprise.h
 +++ b/Common/DtaDevEnterprise.h
 @@ -85,6 +85,13 @@ public:
           */
  	uint8_t setSIDPassword(char * oldpassword, char * newpassword,
  		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false);
 +        /** Verify the SID pasword.
 +         * Requires special handling because password is not always hashed.
 +         * @param password      SID password to be tested
 +         * @param hashpwdd      Should the password be hashed. See comments in function Impl.
 +         * @param securemode    Should the password be interactively obtained.
 +         */
 +    uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode);
          /** set a single column in an object table
           * @param table the UID of the table
           * @param name the column name to be set
 diff --git a/Common/DtaDevGeneric.cpp b/Common/DtaDevGeneric.cpp
 index 8e1bdc9..02b6ad9 100644
 --- a/Common/DtaDevGeneric.cpp
 +++ b/Common/DtaDevGeneric.cpp
 @@ -93,6 +93,7 @@ uint8NOCODE(eraseLockingRange_SUM, uint8_t lockingrange, char * password)
  uint8NOCODE(takeOwnership, char * newpassword, bool securemode)
  uint8NOCODE(setSIDPassword,char * oldpassword, char * newpassword,
  	uint8_t hasholdpwd, uint8_t hashnewpwd, bool securemode)
 +uint8NOCODE(verifySIDPassword, char const * const password, uint8_t hashpwd, bool securemode)
  uint16_t DtaDevGeneric::comID()
  {
  	LOG(E) << "Generic Device class does not support function " << "comID" << std::endl;
 diff --git a/Common/DtaDevGeneric.h b/Common/DtaDevGeneric.h
 index 0772878..999209e 100644
 --- a/Common/DtaDevGeneric.h
 +++ b/Common/DtaDevGeneric.h
 @@ -76,6 +76,13 @@ public:
           */
  	 uint8_t setSIDPassword(char * oldpassword, char * newpassword,
  		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) ;
 +        /** Verify the SID pasword.
 +         * Requires special handling because password is not always hashed.
 +         * @param password      SID password to be tested
 +         * @param hashpwdd      Should the password be hashed. See comments in function Impl.
 +         * @param securemode    Should the password be interactively obtained.
 +         */
 +    uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode);
           /** Set the password of a locking SP user.
            * @param password  current password
           * @param userid the userid whose password is to be changed
 diff --git a/Common/DtaDevOpal.cpp b/Common/DtaDevOpal.cpp
 index 0f6ccc7..a5e7eda 100644
 --- a/Common/DtaDevOpal.cpp
 +++ b/Common/DtaDevOpal.cpp
 @@ -1545,6 +1545,32 @@ uint8_t DtaDevOpal::setSIDPassword(char * oldpassword, char * newpassword,
  	return 0;
  }

 +uint8_t DtaDevOpal::verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode)
 +{
 +	LOG(D1) << "Entering DtaDevOpal::setSIDPassword()";
 +	uint8_t lastRC;
 +	session = new DtaSession(this);
 +
 +    if (!session) {
 +		LOG(E) << "Unable to create session object ";
 +		return DTAERROR_OBJECT_CREATE_FAILED;
 +	}
 +	if (!hashpwd)
 +        session->dontHashPwd();
 +	if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID,
 +		const_cast<char*>(password), OPAL_UID::OPAL_SID_UID)) != 0) {
 +		delete session;
 +		return lastRC;
 +	}
 +	delete session;
 +	LOG(D1) << "Exiting DtaDevOpal::VerifySIDPassword";
 +
 +    // Logging to ERROR on success is weird, but this is an easy way to force
 +    // output to console without mucking around the internals of this codebase.
 +    LOG(E)  << "Successfully verified SIDPassword";
 +	return 0;
 +}
 +
  uint8_t DtaDevOpal::setTable(vector<uint8_t> table, OPAL_TOKEN name,
  	OPAL_TOKEN value)
  {
 diff --git a/Common/DtaDevOpal.h b/Common/DtaDevOpal.h
 index 389b97f..50c9dd2 100644
 --- a/Common/DtaDevOpal.h
 +++ b/Common/DtaDevOpal.h
 @@ -83,6 +83,14 @@ public:
           */
  	uint8_t setSIDPassword(char * oldpassword, char * newpassword,
  		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false);
 +        /** Verify the SID pasword.
 +         * Requires special handling because password is not always hashed.
 +         * @param password      SID password to be tested
 +         * @param hashpwdd      Should the password be hashed. See comments in function Impl.
 +         * @param securemode    Should the password be interactively obtained.
 +         */
 +    uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode);
 +
           /** set a single column in an object table
           * @param table the UID of the table
           * @param name the column name to be set
 diff --git a/Common/DtaOptions.cpp b/Common/DtaOptions.cpp
 index 0d1752e..0e3eb9f 100644
 --- a/Common/DtaOptions.cpp
 +++ b/Common/DtaOptions.cpp
 @@ -71,6 +71,8 @@ void usage()
  	printf("--setPassword <oldpassword, \"\" for MSID> <userid> <newpassword> <device> \n");
  	printf("                                Change the Enterprise password for userid\n");
  	printf("                                \"EraseMaster\" or \"BandMaster<n>\", 0 <= n <= 1023\n");
 +    printf("--verifySIDPassword <SIDpassword> <device>\n");
 +    printf("                                Verify the SID password for given device\n");
  	printf("--setLockingRange <0...n> <RW|RO|LK> <Admin1password> <device> \n");
  	printf("                                Set the status of a Locking Range\n");
  	printf("                                0 = GLobal 1..n  = LRn \n");
 @@ -171,6 +173,7 @@ uint8_t DtaOptions(int argc, char * argv[], DTA_OPTIONS * opts)
  		BEGIN_OPTION(initialSetup, 2, 1) OPTION_IS(password) OPTION_IS(device) END_OPTION
  		BEGIN_OPTION(setSIDPassword, 3, 1) OPTION_IS(password) OPTION_IS(newpassword)
  		         OPTION_IS(device) END_OPTION
 +        BEGIN_OPTION(verifySIDPassword, 2 /*num_args_non_secure*/, 1/*num_args_secure*/) OPTION_IS(password) OPTION_IS(device) END_OPTION
  		BEGIN_OPTION(setup_SUM, 6, 4)
  			TESTARG(0, lockingrange, 0)
  			TESTARG(1, lockingrange, 1)
 diff --git a/Common/DtaOptions.h b/Common/DtaOptions.h
 index 4ae3bc2..990cd56 100644
 --- a/Common/DtaOptions.h
 +++ b/Common/DtaOptions.h
 @@ -60,6 +60,7 @@ typedef enum _sedutiloption {
  	deadbeef,    // 0 should indicate no action specified
  	initialSetup,
  	setSIDPassword,
 +    verifySIDPassword,
  	setup_SUM,
  	setAdmin1Pwd,
  	setPassword,
 diff --git a/Common/sedutil.cpp b/Common/sedutil.cpp
 index 7053cd3..4c0e9ff 100644
 --- a/Common/sedutil.cpp
 +++ b/Common/sedutil.cpp
 @@ -116,6 +116,10 @@ int main(int argc, char * argv[])
          LOG(D) << "Performing setSIDPassword ";
          return d->setSIDPassword(GET_PASSWORD(), GET_NEW_PASSWORD(), opts.no_hash_passwords? 0 : 1, opts.no_hash_passwords? 0 : 1, opts.secure_mode);
  		break;
 +    case sedutiloption::verifySIDPassword:
 +        LOG(D) << "Performing verifySIDPassword ";
 +        return d->verifySIDPassword(GET_PASSWORD(), !opts.no_hash_passwords, opts.secure_mode);
 +        break;
  	case sedutiloption::setAdmin1Pwd:
          LOG(D) << "Performing setPAdmin1Pwd ";
          return d->setPassword(GET_PASSWORD(), (char *) "Admin1",
 --
 2.40.0.577.gac1e443424-goog
	From e4452be67f3f5ae326ba6be4fe92048eddc2720b Mon Sep 17 00:00:00 2001
	From: Howard McLauchlan <hmclauchlan@fb.com>
	Date: Tue, 16 Aug 2022 22:33:51 -0700
	Subject: [PATCH 3/3] Add verifySIDPassword

	This is a utility I added to aid debugging, but generally seems like a
	good idea. Before adding this, the only way we had of checking "do i
	have the right password" was to try to change it, which does seem a
	little weird. The pattern of change_password -> verify_password seems a
	little more sane to me.

	The implementation of this command is a little scuffed though. Under the
	hood, we attempt to start a session with the passed in password. There
	are many reasons for a session start to fail, and verifySIDPassword
	faithfully returns them. On success, however, the password must be
	correct.

	Signed-off-by: Howard McLauchlan <hmclauchlan@fb.com>
	---
	Common/DtaDev.h \| 7 +++++++
	Common/DtaDevEnterprise.cpp \| 6 ++++++
	Common/DtaDevEnterprise.h \| 7 +++++++
	Common/DtaDevGeneric.cpp \| 1 +
	Common/DtaDevGeneric.h \| 7 +++++++
	Common/DtaDevOpal.cpp \| 26 ++++++++++++++++++++++++++
	Common/DtaDevOpal.h \| 8 ++++++++
	Common/DtaOptions.cpp \| 3 +++
	Common/DtaOptions.h \| 1 +
	Common/sedutil.cpp \| 4 ++++
	10 files changed, 70 insertions(+)

	diff --git a/Common/DtaDev.h b/Common/DtaDev.h
	index c73c179..98777b0 100644
	--- a/Common/DtaDev.h
	+++ b/Common/DtaDev.h
	@@ -132,6 +132,13 @@ public:
	*/
	virtual uint8_t setSIDPassword(char * oldpassword, char * newpassword,
	uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) = 0;
	+ /** Verify the SID pasword.
	+ * Requires special handling because password is not always hashed.
	+ * @param password SID password to be tested
	+ * @param hashpwd Should the password be hashed. See comments in function Impl.
	+ * @param securemode Should the password be interactively obtained.
	+ */
	+ virtual uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode) = 0;
	/** Set the password of a locking SP user.
	* @param password current password
	* @param userid the userid whose password is to be changed
	diff --git a/Common/DtaDevEnterprise.cpp b/Common/DtaDevEnterprise.cpp
	index ba2e97a..f00c9cc 100644
	--- a/Common/DtaDevEnterprise.cpp
	+++ b/Common/DtaDevEnterprise.cpp
	@@ -1346,6 +1346,12 @@ uint8_t DtaDevEnterprise::setSIDPassword(char * oldpassword, char * newpassword,
	LOG(D1) << "Exiting DtaDevEnterprise::setSIDPassword()";
	return 0;
	}
	+uint8_t DtaDevEnterprise::verifySIDPassword(char const * const, uint8_t, bool)
	+{
	+ LOG(E) << "DtaDevEnterprise does not support verifySIDPassword" << std::endl;
	+ return DTAERROR_INVALID_COMMAND;
	+}
	+
	uint8_t DtaDevEnterprise::setTable(vector<uint8_t> table, const char *name,
	OPAL_TOKEN value)
	{
	diff --git a/Common/DtaDevEnterprise.h b/Common/DtaDevEnterprise.h
	index 4a6d2e2..b195026 100644
	--- a/Common/DtaDevEnterprise.h
	+++ b/Common/DtaDevEnterprise.h
	@@ -85,6 +85,13 @@ public:
	*/
	uint8_t setSIDPassword(char * oldpassword, char * newpassword,
	uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false);
	+ /** Verify the SID pasword.
	+ * Requires special handling because password is not always hashed.
	+ * @param password SID password to be tested
	+ * @param hashpwdd Should the password be hashed. See comments in function Impl.
	+ * @param securemode Should the password be interactively obtained.
	+ */
	+ uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode);
	/** set a single column in an object table
	* @param table the UID of the table
	* @param name the column name to be set
	diff --git a/Common/DtaDevGeneric.cpp b/Common/DtaDevGeneric.cpp
	index 8e1bdc9..02b6ad9 100644
	--- a/Common/DtaDevGeneric.cpp
	+++ b/Common/DtaDevGeneric.cpp
	@@ -93,6 +93,7 @@ uint8NOCODE(eraseLockingRange_SUM, uint8_t lockingrange, char * password)
	uint8NOCODE(takeOwnership, char * newpassword, bool securemode)
	uint8NOCODE(setSIDPassword,char * oldpassword, char * newpassword,
	uint8_t hasholdpwd, uint8_t hashnewpwd, bool securemode)
	+uint8NOCODE(verifySIDPassword, char const * const password, uint8_t hashpwd, bool securemode)
	uint16_t DtaDevGeneric::comID()
	{
	LOG(E) << "Generic Device class does not support function " << "comID" << std::endl;
	diff --git a/Common/DtaDevGeneric.h b/Common/DtaDevGeneric.h
	index 0772878..999209e 100644
	--- a/Common/DtaDevGeneric.h
	+++ b/Common/DtaDevGeneric.h
	@@ -76,6 +76,13 @@ public:
	*/
	uint8_t setSIDPassword(char * oldpassword, char * newpassword,
	uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) ;
	+ /** Verify the SID pasword.
	+ * Requires special handling because password is not always hashed.
	+ * @param password SID password to be tested
	+ * @param hashpwdd Should the password be hashed. See comments in function Impl.
	+ * @param securemode Should the password be interactively obtained.
	+ */
	+ uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode);
	/** Set the password of a locking SP user.
	* @param password current password
	* @param userid the userid whose password is to be changed
	diff --git a/Common/DtaDevOpal.cpp b/Common/DtaDevOpal.cpp
	index 0f6ccc7..a5e7eda 100644
	--- a/Common/DtaDevOpal.cpp
	+++ b/Common/DtaDevOpal.cpp
	@@ -1545,6 +1545,32 @@ uint8_t DtaDevOpal::setSIDPassword(char * oldpassword, char * newpassword,
	return 0;
	}

	+uint8_t DtaDevOpal::verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode)
	+{
	+ LOG(D1) << "Entering DtaDevOpal::setSIDPassword()";
	+ uint8_t lastRC;
	+ session = new DtaSession(this);
	+
	+ if (!session) {
	+ LOG(E) << "Unable to create session object ";
	+ return DTAERROR_OBJECT_CREATE_FAILED;
	+ }
	+ if (!hashpwd)
	+ session->dontHashPwd();
	+ if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID,
	+ const_cast<char*>(password), OPAL_UID::OPAL_SID_UID)) != 0) {
	+ delete session;
	+ return lastRC;
	+ }
	+ delete session;
	+ LOG(D1) << "Exiting DtaDevOpal::VerifySIDPassword";
	+
	+ // Logging to ERROR on success is weird, but this is an easy way to force
	+ // output to console without mucking around the internals of this codebase.
	+ LOG(E) << "Successfully verified SIDPassword";
	+ return 0;
	+}
	+
	uint8_t DtaDevOpal::setTable(vector<uint8_t> table, OPAL_TOKEN name,
	OPAL_TOKEN value)
	{
	diff --git a/Common/DtaDevOpal.h b/Common/DtaDevOpal.h
	index 389b97f..50c9dd2 100644
	--- a/Common/DtaDevOpal.h
	+++ b/Common/DtaDevOpal.h
	@@ -83,6 +83,14 @@ public:
	*/
	uint8_t setSIDPassword(char * oldpassword, char * newpassword,
	uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false);
	+ /** Verify the SID pasword.
	+ * Requires special handling because password is not always hashed.
	+ * @param password SID password to be tested
	+ * @param hashpwdd Should the password be hashed. See comments in function Impl.
	+ * @param securemode Should the password be interactively obtained.
	+ */
	+ uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode);
	+
	/** set a single column in an object table
	* @param table the UID of the table
	* @param name the column name to be set
	diff --git a/Common/DtaOptions.cpp b/Common/DtaOptions.cpp
	index 0d1752e..0e3eb9f 100644
	--- a/Common/DtaOptions.cpp
	+++ b/Common/DtaOptions.cpp
	@@ -71,6 +71,8 @@ void usage()
	printf("--setPassword <oldpassword, \"\" for MSID> <userid> <newpassword> <device> \n");
	printf(" Change the Enterprise password for userid\n");
	printf(" \"EraseMaster\" or \"BandMaster<n>\", 0 <= n <= 1023\n");
	+ printf("--verifySIDPassword <SIDpassword> <device>\n");
	+ printf(" Verify the SID password for given device\n");
	printf("--setLockingRange <0...n> <RW\|RO\|LK> <Admin1password> <device> \n");
	printf(" Set the status of a Locking Range\n");
	printf(" 0 = GLobal 1..n = LRn \n");
	@@ -171,6 +173,7 @@ uint8_t DtaOptions(int argc, char * argv[], DTA_OPTIONS * opts)
	BEGIN_OPTION(initialSetup, 2, 1) OPTION_IS(password) OPTION_IS(device) END_OPTION
	BEGIN_OPTION(setSIDPassword, 3, 1) OPTION_IS(password) OPTION_IS(newpassword)
	OPTION_IS(device) END_OPTION
	+ BEGIN_OPTION(verifySIDPassword, 2 /num_args_non_secure/, 1/num_args_secure/) OPTION_IS(password) OPTION_IS(device) END_OPTION
	BEGIN_OPTION(setup_SUM, 6, 4)
	TESTARG(0, lockingrange, 0)
	TESTARG(1, lockingrange, 1)
	diff --git a/Common/DtaOptions.h b/Common/DtaOptions.h
	index 4ae3bc2..990cd56 100644
	--- a/Common/DtaOptions.h
	+++ b/Common/DtaOptions.h
	@@ -60,6 +60,7 @@ typedef enum _sedutiloption {
	deadbeef, // 0 should indicate no action specified
	initialSetup,
	setSIDPassword,
	+ verifySIDPassword,
	setup_SUM,
	setAdmin1Pwd,
	setPassword,
	diff --git a/Common/sedutil.cpp b/Common/sedutil.cpp
	index 7053cd3..4c0e9ff 100644
	--- a/Common/sedutil.cpp
	+++ b/Common/sedutil.cpp
	@@ -116,6 +116,10 @@ int main(int argc, char * argv[])
	LOG(D) << "Performing setSIDPassword ";
	return d->setSIDPassword(GET_PASSWORD(), GET_NEW_PASSWORD(), opts.no_hash_passwords? 0 : 1, opts.no_hash_passwords? 0 : 1, opts.secure_mode);
	break;
	+ case sedutiloption::verifySIDPassword:
	+ LOG(D) << "Performing verifySIDPassword ";
	+ return d->verifySIDPassword(GET_PASSWORD(), !opts.no_hash_passwords, opts.secure_mode);
	+ break;
	case sedutiloption::setAdmin1Pwd:
	LOG(D) << "Performing setPAdmin1Pwd ";
	return d->setPassword(GET_PASSWORD(), (char *) "Admin1",
	--
	2.40.0.577.gac1e443424-goog