blob: 329c0acfd83ee3ae95b04935830f9273e16c6d1e [file] [log] [blame]
From e4452be67f3f5ae326ba6be4fe92048eddc2720b Mon Sep 17 00:00:00 2001
From: Howard McLauchlan <hmclauchlan@fb.com>
Date: Tue, 16 Aug 2022 22:33:51 -0700
Subject: [PATCH 3/3] Add verifySIDPassword
This is a utility I added to aid debugging, but generally seems like a
good idea. Before adding this, the only way we had of checking "do i
have the right password" was to try to change it, which does seem a
little weird. The pattern of change_password -> verify_password seems a
little more sane to me.
The implementation of this command is a little scuffed though. Under the
hood, we attempt to start a session with the passed in password. There
are many reasons for a session start to fail, and verifySIDPassword
faithfully returns them. On success, however, the password must be
correct.
Signed-off-by: Howard McLauchlan <hmclauchlan@fb.com>
---
Common/DtaDev.h | 7 +++++++
Common/DtaDevEnterprise.cpp | 6 ++++++
Common/DtaDevEnterprise.h | 7 +++++++
Common/DtaDevGeneric.cpp | 1 +
Common/DtaDevGeneric.h | 7 +++++++
Common/DtaDevOpal.cpp | 26 ++++++++++++++++++++++++++
Common/DtaDevOpal.h | 8 ++++++++
Common/DtaOptions.cpp | 3 +++
Common/DtaOptions.h | 1 +
Common/sedutil.cpp | 4 ++++
10 files changed, 70 insertions(+)
diff --git a/Common/DtaDev.h b/Common/DtaDev.h
index c73c179..98777b0 100644
--- a/Common/DtaDev.h
+++ b/Common/DtaDev.h
@@ -132,6 +132,13 @@ public:
*/
virtual uint8_t setSIDPassword(char * oldpassword, char * newpassword,
uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) = 0;
+ /** Verify the SID pasword.
+ * Requires special handling because password is not always hashed.
+ * @param password SID password to be tested
+ * @param hashpwd Should the password be hashed. See comments in function Impl.
+ * @param securemode Should the password be interactively obtained.
+ */
+ virtual uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode) = 0;
/** Set the password of a locking SP user.
* @param password current password
* @param userid the userid whose password is to be changed
diff --git a/Common/DtaDevEnterprise.cpp b/Common/DtaDevEnterprise.cpp
index ba2e97a..f00c9cc 100644
--- a/Common/DtaDevEnterprise.cpp
+++ b/Common/DtaDevEnterprise.cpp
@@ -1346,6 +1346,12 @@ uint8_t DtaDevEnterprise::setSIDPassword(char * oldpassword, char * newpassword,
LOG(D1) << "Exiting DtaDevEnterprise::setSIDPassword()";
return 0;
}
+uint8_t DtaDevEnterprise::verifySIDPassword(char const * const, uint8_t, bool)
+{
+ LOG(E) << "DtaDevEnterprise does not support verifySIDPassword" << std::endl;
+ return DTAERROR_INVALID_COMMAND;
+}
+
uint8_t DtaDevEnterprise::setTable(vector<uint8_t> table, const char *name,
OPAL_TOKEN value)
{
diff --git a/Common/DtaDevEnterprise.h b/Common/DtaDevEnterprise.h
index 4a6d2e2..b195026 100644
--- a/Common/DtaDevEnterprise.h
+++ b/Common/DtaDevEnterprise.h
@@ -85,6 +85,13 @@ public:
*/
uint8_t setSIDPassword(char * oldpassword, char * newpassword,
uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false);
+ /** Verify the SID pasword.
+ * Requires special handling because password is not always hashed.
+ * @param password SID password to be tested
+ * @param hashpwdd Should the password be hashed. See comments in function Impl.
+ * @param securemode Should the password be interactively obtained.
+ */
+ uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode);
/** set a single column in an object table
* @param table the UID of the table
* @param name the column name to be set
diff --git a/Common/DtaDevGeneric.cpp b/Common/DtaDevGeneric.cpp
index 8e1bdc9..02b6ad9 100644
--- a/Common/DtaDevGeneric.cpp
+++ b/Common/DtaDevGeneric.cpp
@@ -93,6 +93,7 @@ uint8NOCODE(eraseLockingRange_SUM, uint8_t lockingrange, char * password)
uint8NOCODE(takeOwnership, char * newpassword, bool securemode)
uint8NOCODE(setSIDPassword,char * oldpassword, char * newpassword,
uint8_t hasholdpwd, uint8_t hashnewpwd, bool securemode)
+uint8NOCODE(verifySIDPassword, char const * const password, uint8_t hashpwd, bool securemode)
uint16_t DtaDevGeneric::comID()
{
LOG(E) << "Generic Device class does not support function " << "comID" << std::endl;
diff --git a/Common/DtaDevGeneric.h b/Common/DtaDevGeneric.h
index 0772878..999209e 100644
--- a/Common/DtaDevGeneric.h
+++ b/Common/DtaDevGeneric.h
@@ -76,6 +76,13 @@ public:
*/
uint8_t setSIDPassword(char * oldpassword, char * newpassword,
uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) ;
+ /** Verify the SID pasword.
+ * Requires special handling because password is not always hashed.
+ * @param password SID password to be tested
+ * @param hashpwdd Should the password be hashed. See comments in function Impl.
+ * @param securemode Should the password be interactively obtained.
+ */
+ uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode);
/** Set the password of a locking SP user.
* @param password current password
* @param userid the userid whose password is to be changed
diff --git a/Common/DtaDevOpal.cpp b/Common/DtaDevOpal.cpp
index 0f6ccc7..a5e7eda 100644
--- a/Common/DtaDevOpal.cpp
+++ b/Common/DtaDevOpal.cpp
@@ -1545,6 +1545,32 @@ uint8_t DtaDevOpal::setSIDPassword(char * oldpassword, char * newpassword,
return 0;
}
+uint8_t DtaDevOpal::verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode)
+{
+ LOG(D1) << "Entering DtaDevOpal::setSIDPassword()";
+ uint8_t lastRC;
+ session = new DtaSession(this);
+
+ if (!session) {
+ LOG(E) << "Unable to create session object ";
+ return DTAERROR_OBJECT_CREATE_FAILED;
+ }
+ if (!hashpwd)
+ session->dontHashPwd();
+ if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID,
+ const_cast<char*>(password), OPAL_UID::OPAL_SID_UID)) != 0) {
+ delete session;
+ return lastRC;
+ }
+ delete session;
+ LOG(D1) << "Exiting DtaDevOpal::VerifySIDPassword";
+
+ // Logging to ERROR on success is weird, but this is an easy way to force
+ // output to console without mucking around the internals of this codebase.
+ LOG(E) << "Successfully verified SIDPassword";
+ return 0;
+}
+
uint8_t DtaDevOpal::setTable(vector<uint8_t> table, OPAL_TOKEN name,
OPAL_TOKEN value)
{
diff --git a/Common/DtaDevOpal.h b/Common/DtaDevOpal.h
index 389b97f..50c9dd2 100644
--- a/Common/DtaDevOpal.h
+++ b/Common/DtaDevOpal.h
@@ -83,6 +83,14 @@ public:
*/
uint8_t setSIDPassword(char * oldpassword, char * newpassword,
uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false);
+ /** Verify the SID pasword.
+ * Requires special handling because password is not always hashed.
+ * @param password SID password to be tested
+ * @param hashpwdd Should the password be hashed. See comments in function Impl.
+ * @param securemode Should the password be interactively obtained.
+ */
+ uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode);
+
/** set a single column in an object table
* @param table the UID of the table
* @param name the column name to be set
diff --git a/Common/DtaOptions.cpp b/Common/DtaOptions.cpp
index 0d1752e..0e3eb9f 100644
--- a/Common/DtaOptions.cpp
+++ b/Common/DtaOptions.cpp
@@ -71,6 +71,8 @@ void usage()
printf("--setPassword <oldpassword, \"\" for MSID> <userid> <newpassword> <device> \n");
printf(" Change the Enterprise password for userid\n");
printf(" \"EraseMaster\" or \"BandMaster<n>\", 0 <= n <= 1023\n");
+ printf("--verifySIDPassword <SIDpassword> <device>\n");
+ printf(" Verify the SID password for given device\n");
printf("--setLockingRange <0...n> <RW|RO|LK> <Admin1password> <device> \n");
printf(" Set the status of a Locking Range\n");
printf(" 0 = GLobal 1..n = LRn \n");
@@ -171,6 +173,7 @@ uint8_t DtaOptions(int argc, char * argv[], DTA_OPTIONS * opts)
BEGIN_OPTION(initialSetup, 2, 1) OPTION_IS(password) OPTION_IS(device) END_OPTION
BEGIN_OPTION(setSIDPassword, 3, 1) OPTION_IS(password) OPTION_IS(newpassword)
OPTION_IS(device) END_OPTION
+ BEGIN_OPTION(verifySIDPassword, 2 /*num_args_non_secure*/, 1/*num_args_secure*/) OPTION_IS(password) OPTION_IS(device) END_OPTION
BEGIN_OPTION(setup_SUM, 6, 4)
TESTARG(0, lockingrange, 0)
TESTARG(1, lockingrange, 1)
diff --git a/Common/DtaOptions.h b/Common/DtaOptions.h
index 4ae3bc2..990cd56 100644
--- a/Common/DtaOptions.h
+++ b/Common/DtaOptions.h
@@ -60,6 +60,7 @@ typedef enum _sedutiloption {
deadbeef, // 0 should indicate no action specified
initialSetup,
setSIDPassword,
+ verifySIDPassword,
setup_SUM,
setAdmin1Pwd,
setPassword,
diff --git a/Common/sedutil.cpp b/Common/sedutil.cpp
index 7053cd3..4c0e9ff 100644
--- a/Common/sedutil.cpp
+++ b/Common/sedutil.cpp
@@ -116,6 +116,10 @@ int main(int argc, char * argv[])
LOG(D) << "Performing setSIDPassword ";
return d->setSIDPassword(GET_PASSWORD(), GET_NEW_PASSWORD(), opts.no_hash_passwords? 0 : 1, opts.no_hash_passwords? 0 : 1, opts.secure_mode);
break;
+ case sedutiloption::verifySIDPassword:
+ LOG(D) << "Performing verifySIDPassword ";
+ return d->verifySIDPassword(GET_PASSWORD(), !opts.no_hash_passwords, opts.secure_mode);
+ break;
case sedutiloption::setAdmin1Pwd:
LOG(D) << "Performing setPAdmin1Pwd ";
return d->setPassword(GET_PASSWORD(), (char *) "Admin1",
--
2.40.0.577.gac1e443424-goog