| From e4452be67f3f5ae326ba6be4fe92048eddc2720b Mon Sep 17 00:00:00 2001 |
| From: Howard McLauchlan <hmclauchlan@fb.com> |
| Date: Tue, 16 Aug 2022 22:33:51 -0700 |
| Subject: [PATCH 3/3] Add verifySIDPassword |
| |
| This is a utility I added to aid debugging, but generally seems like a |
| good idea. Before adding this, the only way we had of checking "do i |
| have the right password" was to try to change it, which does seem a |
| little weird. The pattern of change_password -> verify_password seems a |
| little more sane to me. |
| |
| The implementation of this command is a little scuffed though. Under the |
| hood, we attempt to start a session with the passed in password. There |
| are many reasons for a session start to fail, and verifySIDPassword |
| faithfully returns them. On success, however, the password must be |
| correct. |
| |
| Signed-off-by: Howard McLauchlan <hmclauchlan@fb.com> |
| --- |
| Common/DtaDev.h | 7 +++++++ |
| Common/DtaDevEnterprise.cpp | 6 ++++++ |
| Common/DtaDevEnterprise.h | 7 +++++++ |
| Common/DtaDevGeneric.cpp | 1 + |
| Common/DtaDevGeneric.h | 7 +++++++ |
| Common/DtaDevOpal.cpp | 26 ++++++++++++++++++++++++++ |
| Common/DtaDevOpal.h | 8 ++++++++ |
| Common/DtaOptions.cpp | 3 +++ |
| Common/DtaOptions.h | 1 + |
| Common/sedutil.cpp | 4 ++++ |
| 10 files changed, 70 insertions(+) |
| |
| diff --git a/Common/DtaDev.h b/Common/DtaDev.h |
| index c73c179..98777b0 100644 |
| --- a/Common/DtaDev.h |
| +++ b/Common/DtaDev.h |
| @@ -132,6 +132,13 @@ public: |
| */ |
| virtual uint8_t setSIDPassword(char * oldpassword, char * newpassword, |
| uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) = 0; |
| + /** Verify the SID pasword. |
| + * Requires special handling because password is not always hashed. |
| + * @param password SID password to be tested |
| + * @param hashpwd Should the password be hashed. See comments in function Impl. |
| + * @param securemode Should the password be interactively obtained. |
| + */ |
| + virtual uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode) = 0; |
| /** Set the password of a locking SP user. |
| * @param password current password |
| * @param userid the userid whose password is to be changed |
| diff --git a/Common/DtaDevEnterprise.cpp b/Common/DtaDevEnterprise.cpp |
| index ba2e97a..f00c9cc 100644 |
| --- a/Common/DtaDevEnterprise.cpp |
| +++ b/Common/DtaDevEnterprise.cpp |
| @@ -1346,6 +1346,12 @@ uint8_t DtaDevEnterprise::setSIDPassword(char * oldpassword, char * newpassword, |
| LOG(D1) << "Exiting DtaDevEnterprise::setSIDPassword()"; |
| return 0; |
| } |
| +uint8_t DtaDevEnterprise::verifySIDPassword(char const * const, uint8_t, bool) |
| +{ |
| + LOG(E) << "DtaDevEnterprise does not support verifySIDPassword" << std::endl; |
| + return DTAERROR_INVALID_COMMAND; |
| +} |
| + |
| uint8_t DtaDevEnterprise::setTable(vector<uint8_t> table, const char *name, |
| OPAL_TOKEN value) |
| { |
| diff --git a/Common/DtaDevEnterprise.h b/Common/DtaDevEnterprise.h |
| index 4a6d2e2..b195026 100644 |
| --- a/Common/DtaDevEnterprise.h |
| +++ b/Common/DtaDevEnterprise.h |
| @@ -85,6 +85,13 @@ public: |
| */ |
| uint8_t setSIDPassword(char * oldpassword, char * newpassword, |
| uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false); |
| + /** Verify the SID pasword. |
| + * Requires special handling because password is not always hashed. |
| + * @param password SID password to be tested |
| + * @param hashpwdd Should the password be hashed. See comments in function Impl. |
| + * @param securemode Should the password be interactively obtained. |
| + */ |
| + uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode); |
| /** set a single column in an object table |
| * @param table the UID of the table |
| * @param name the column name to be set |
| diff --git a/Common/DtaDevGeneric.cpp b/Common/DtaDevGeneric.cpp |
| index 8e1bdc9..02b6ad9 100644 |
| --- a/Common/DtaDevGeneric.cpp |
| +++ b/Common/DtaDevGeneric.cpp |
| @@ -93,6 +93,7 @@ uint8NOCODE(eraseLockingRange_SUM, uint8_t lockingrange, char * password) |
| uint8NOCODE(takeOwnership, char * newpassword, bool securemode) |
| uint8NOCODE(setSIDPassword,char * oldpassword, char * newpassword, |
| uint8_t hasholdpwd, uint8_t hashnewpwd, bool securemode) |
| +uint8NOCODE(verifySIDPassword, char const * const password, uint8_t hashpwd, bool securemode) |
| uint16_t DtaDevGeneric::comID() |
| { |
| LOG(E) << "Generic Device class does not support function " << "comID" << std::endl; |
| diff --git a/Common/DtaDevGeneric.h b/Common/DtaDevGeneric.h |
| index 0772878..999209e 100644 |
| --- a/Common/DtaDevGeneric.h |
| +++ b/Common/DtaDevGeneric.h |
| @@ -76,6 +76,13 @@ public: |
| */ |
| uint8_t setSIDPassword(char * oldpassword, char * newpassword, |
| uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) ; |
| + /** Verify the SID pasword. |
| + * Requires special handling because password is not always hashed. |
| + * @param password SID password to be tested |
| + * @param hashpwdd Should the password be hashed. See comments in function Impl. |
| + * @param securemode Should the password be interactively obtained. |
| + */ |
| + uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode); |
| /** Set the password of a locking SP user. |
| * @param password current password |
| * @param userid the userid whose password is to be changed |
| diff --git a/Common/DtaDevOpal.cpp b/Common/DtaDevOpal.cpp |
| index 0f6ccc7..a5e7eda 100644 |
| --- a/Common/DtaDevOpal.cpp |
| +++ b/Common/DtaDevOpal.cpp |
| @@ -1545,6 +1545,32 @@ uint8_t DtaDevOpal::setSIDPassword(char * oldpassword, char * newpassword, |
| return 0; |
| } |
| |
| +uint8_t DtaDevOpal::verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode) |
| +{ |
| + LOG(D1) << "Entering DtaDevOpal::setSIDPassword()"; |
| + uint8_t lastRC; |
| + session = new DtaSession(this); |
| + |
| + if (!session) { |
| + LOG(E) << "Unable to create session object "; |
| + return DTAERROR_OBJECT_CREATE_FAILED; |
| + } |
| + if (!hashpwd) |
| + session->dontHashPwd(); |
| + if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID, |
| + const_cast<char*>(password), OPAL_UID::OPAL_SID_UID)) != 0) { |
| + delete session; |
| + return lastRC; |
| + } |
| + delete session; |
| + LOG(D1) << "Exiting DtaDevOpal::VerifySIDPassword"; |
| + |
| + // Logging to ERROR on success is weird, but this is an easy way to force |
| + // output to console without mucking around the internals of this codebase. |
| + LOG(E) << "Successfully verified SIDPassword"; |
| + return 0; |
| +} |
| + |
| uint8_t DtaDevOpal::setTable(vector<uint8_t> table, OPAL_TOKEN name, |
| OPAL_TOKEN value) |
| { |
| diff --git a/Common/DtaDevOpal.h b/Common/DtaDevOpal.h |
| index 389b97f..50c9dd2 100644 |
| --- a/Common/DtaDevOpal.h |
| +++ b/Common/DtaDevOpal.h |
| @@ -83,6 +83,14 @@ public: |
| */ |
| uint8_t setSIDPassword(char * oldpassword, char * newpassword, |
| uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false); |
| + /** Verify the SID pasword. |
| + * Requires special handling because password is not always hashed. |
| + * @param password SID password to be tested |
| + * @param hashpwdd Should the password be hashed. See comments in function Impl. |
| + * @param securemode Should the password be interactively obtained. |
| + */ |
| + uint8_t verifySIDPassword(char const * const password, uint8_t hashpwd, bool securemode); |
| + |
| /** set a single column in an object table |
| * @param table the UID of the table |
| * @param name the column name to be set |
| diff --git a/Common/DtaOptions.cpp b/Common/DtaOptions.cpp |
| index 0d1752e..0e3eb9f 100644 |
| --- a/Common/DtaOptions.cpp |
| +++ b/Common/DtaOptions.cpp |
| @@ -71,6 +71,8 @@ void usage() |
| printf("--setPassword <oldpassword, \"\" for MSID> <userid> <newpassword> <device> \n"); |
| printf(" Change the Enterprise password for userid\n"); |
| printf(" \"EraseMaster\" or \"BandMaster<n>\", 0 <= n <= 1023\n"); |
| + printf("--verifySIDPassword <SIDpassword> <device>\n"); |
| + printf(" Verify the SID password for given device\n"); |
| printf("--setLockingRange <0...n> <RW|RO|LK> <Admin1password> <device> \n"); |
| printf(" Set the status of a Locking Range\n"); |
| printf(" 0 = GLobal 1..n = LRn \n"); |
| @@ -171,6 +173,7 @@ uint8_t DtaOptions(int argc, char * argv[], DTA_OPTIONS * opts) |
| BEGIN_OPTION(initialSetup, 2, 1) OPTION_IS(password) OPTION_IS(device) END_OPTION |
| BEGIN_OPTION(setSIDPassword, 3, 1) OPTION_IS(password) OPTION_IS(newpassword) |
| OPTION_IS(device) END_OPTION |
| + BEGIN_OPTION(verifySIDPassword, 2 /*num_args_non_secure*/, 1/*num_args_secure*/) OPTION_IS(password) OPTION_IS(device) END_OPTION |
| BEGIN_OPTION(setup_SUM, 6, 4) |
| TESTARG(0, lockingrange, 0) |
| TESTARG(1, lockingrange, 1) |
| diff --git a/Common/DtaOptions.h b/Common/DtaOptions.h |
| index 4ae3bc2..990cd56 100644 |
| --- a/Common/DtaOptions.h |
| +++ b/Common/DtaOptions.h |
| @@ -60,6 +60,7 @@ typedef enum _sedutiloption { |
| deadbeef, // 0 should indicate no action specified |
| initialSetup, |
| setSIDPassword, |
| + verifySIDPassword, |
| setup_SUM, |
| setAdmin1Pwd, |
| setPassword, |
| diff --git a/Common/sedutil.cpp b/Common/sedutil.cpp |
| index 7053cd3..4c0e9ff 100644 |
| --- a/Common/sedutil.cpp |
| +++ b/Common/sedutil.cpp |
| @@ -116,6 +116,10 @@ int main(int argc, char * argv[]) |
| LOG(D) << "Performing setSIDPassword "; |
| return d->setSIDPassword(GET_PASSWORD(), GET_NEW_PASSWORD(), opts.no_hash_passwords? 0 : 1, opts.no_hash_passwords? 0 : 1, opts.secure_mode); |
| break; |
| + case sedutiloption::verifySIDPassword: |
| + LOG(D) << "Performing verifySIDPassword "; |
| + return d->verifySIDPassword(GET_PASSWORD(), !opts.no_hash_passwords, opts.secure_mode); |
| + break; |
| case sedutiloption::setAdmin1Pwd: |
| LOG(D) << "Performing setPAdmin1Pwd "; |
| return d->setPassword(GET_PASSWORD(), (char *) "Admin1", |
| -- |
| 2.40.0.577.gac1e443424-goog |
| |