diff --git a/Common/DtaDev.h b/Common/DtaDev.h index 04096a2a..bf4c9a0b 100644 --- a/Common/DtaDev.h +++ b/Common/DtaDev.h @@ -159,11 +159,12 @@ class DtaDev { virtual uint8_t loadPBA(char * password, char * filename) = 0; /** Change the locking state of a locking range * @param lockingrange The number of the locking range (0 = global) - * @param lockingstate the locking state to set - * @param Admin1Password password of administrative authority for locking range + * @param lockingstate The locking state to set + * @param userid The userid which will lock/unlock the locking range + * @param password Password of the authority for locking range */ virtual uint8_t setLockingRange(uint8_t lockingrange, uint8_t lockingstate, - char * Admin1Password) = 0; + const char *userid, char * password) = 0; /** Change the locking state of a locking range in Single User Mode * @param lockingrange The number of the locking range (0 = global) * @param lockingstate the locking state to set @@ -211,9 +212,10 @@ class DtaDev { virtual uint8_t setBandsEnabled(int16_t rangeid, char * password) = 0; /** Primitive to set the MBRDone flag. * @param state 0 or 1 - * @param Admin1Password Locking SP authority with access to flag + * @param userid the authority name + * @param password Locking SP authority with access to flag */ - virtual uint8_t setMBRDone(uint8_t state, char * Admin1Password) = 0; + virtual uint8_t setMBRDone(uint8_t state, const char *userid, char * password) = 0; /** Primitive to set the MBREnable flag. * @param state 0 or 1 * @param Admin1Password Locking SP authority with access to flag 
@@ -293,6 +295,11 @@ class DtaDev { virtual uint8_t exec(DtaCommand * cmd, DtaResponse & resp, uint8_t protocol = 0x01) = 0; /** return the communications ID to be used for sessions to this device */ virtual uint16_t comID() = 0; + /** Add the UserX authority to Locking (Rd/RW) ACEs + * @param userid The user to add to Locking ACEs + * @param Admin1Password Password of the LockingSP authority + */ + virtual uint8_t addUserToLockingACEs(const char *userid, char* Admin1Password) = 0; bool no_hash_passwords; /** disables hashing of passwords */ sedutiloutput output_format; /** standard, readable, JSON */ protected: diff --git a/Common/DtaDevEnterprise.cpp b/Common/DtaDevEnterprise.cpp index bdc169a7..de115cd2 100644 --- a/Common/DtaDevEnterprise.cpp +++ b/Common/DtaDevEnterprise.cpp @@ -181,7 +181,7 @@ uint8_t DtaDevEnterprise::initialSetup(char * password) return lastRC; } if ((lastRC = setLockingRange(0, - OPAL_LOCKINGSTATE::READWRITE, password)) != 0) { + OPAL_LOCKINGSTATE::READWRITE, "Admin1", password)) != 0) { LOG(E) << "Initial setup failed - unable to unlock for read/write"; return lastRC; } @@ -365,13 +365,13 @@ uint8_t DtaDevEnterprise::revertLockingSP(char * password, uint8_t keep) cmd->addToken(OPAL_TOKEN::ENDNAME); cmd->addToken(OPAL_TOKEN::ENDLIST); cmd->complete(); + session->expectAbort(); if ((lastRC = session->sendCommand(cmd, response)) != 0) { delete cmd; delete session; return lastRC; } LOG(I) << "revertLockingSP completed successfully"; - session->expectAbort(); delete cmd; delete session; LOG(D1) << "Exiting DtaDevEnterprise::revertLockingSP()"; 
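Review bot: The Doxygen added above `addUserToLockingACEs` in DtaDev.h says the user is added to the Locking (Rd/RW) ACEs only, while the DtaDevOpal.h declaration of the same method documents that it also edits the MBRControl DoneToDOR ACE, and the Opal implementation does so; the base-class comment is what callers read, so align it: `/** Add the UserX authority to the Locking (Rd/RW) ACEs and the MBRControl DoneToDOR ACE`. The same comment is repeated verbatim in DtaDevEnterprise.h and DtaDevGeneric.h.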
@@ -435,20 +435,28 @@ uint8_t DtaDevEnterprise::setPassword(char * password, char * userid, char * new return lastRC; } - std::vector hash; if ((newpassword == NULL) || (*newpassword == '\0')) { - hash.push_back(0xd0); - hash.push_back((uint8_t)strnlen(newpwd, 255)); + std::vector tmppwd; + + tmppwd.push_back(0xd0); + tmppwd.push_back((uint8_t)strnlen(newpwd, 255)); for (unsigned int i = 0; i < strnlen(newpwd, 255); i++) { - hash.push_back(newpwd[i]); + tmppwd.push_back(newpwd[i]); + } + + if ((lastRC = setTable(usercpin, "PIN", tmppwd)) != 0) { + LOG(E) << "Unable to set user " << userid << " new password "; + delete session; + return lastRC; } } else { + std::vector hash; DtaHashPwd(hash, newpwd, this); - } - if ((lastRC = setTable(usercpin, "PIN", hash)) != 0) { - LOG(E) << "Unable to set user " << userid << " new password "; - delete session; - return lastRC; + if ((lastRC = setTable(usercpin, "PIN", hash)) != 0) { + LOG(E) << "Unable to set user " << userid << " new password "; + delete session; + return lastRC; + } } LOG(I) << userid << " password changed"; delete session; @@ -470,10 +478,10 @@ uint8_t DtaDevEnterprise::setMBREnable(uint8_t mbrstate, char * Admin1Password) LOG(D1) << "Exiting DtaDevEnterprise::setMBREnable"; return 0; } -uint8_t DtaDevEnterprise::setMBRDone(uint8_t mbrstate, char * Admin1Password) +uint8_t DtaDevEnterprise::setMBRDone(uint8_t mbrstate, const char *userid, char * password) { LOG(D1) << "Entering DtaDevEnterprise::setMBRDone"; - if (NULL == Admin1Password) { LOG(E) << "This shouldn't happen " << mbrstate; } + if (NULL == password) { LOG(E) << "This shouldn't happen " << mbrstate; } LOG(I) << "MBR shadowing is optional in the Enterprise SSC and not supported"; LOG(D1) << "Exiting DtaDevEnterprise::setMBRDone"; return 0; 
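Review bot: `DtaDevEnterprise::setMBRDone` now takes `userid` but never reads it, and the Enterprise `setLockingRange` signature in the next hunk has the same unused parameter; add `(void)userid;` with a short comment that the Enterprise SSC has no per-user authority here, so `-Wunused-parameter` stays quiet and the intent is explicit. In the `setPassword` hunk the restructure duplicates the `setTable(usercpin, "PIN", …)` call and its error handling in both branches of the `if`; a single `std::vector<uint8_t>` filled by either branch followed by one `setTable` call, as the removed lines did, keeps one exit path to maintain. The hunk starts after `setPassword`'s opening, so where `newpwd` comes from is outside the view.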
@@ -749,7 +757,7 @@ uint8_t DtaDevEnterprise::listLockingRanges(char * password, int16_t rangeid) } uint8_t DtaDevEnterprise::setLockingRange(uint8_t lockingrange, uint8_t lockingstate, - char * password) + const char *userid, char * password) { LOG(D1) << "Entering DtaDevEnterprise::setLockingRange"; uint8_t lastRC; @@ -889,13 +897,13 @@ uint8_t DtaDevEnterprise::revertTPer(char * password, uint8_t PSID, uint8_t Admi cmd->addToken(OPAL_TOKEN::STARTLIST); cmd->addToken(OPAL_TOKEN::ENDLIST); cmd->complete(); + session->expectAbort(); if ((lastRC = session->sendCommand(cmd, response)) != 0) { delete cmd; delete session; return lastRC; } LOG(I) << "revertTper completed successfully"; - session->expectAbort(); delete cmd; delete session; LOG(D1) << "Exiting DtaDevEnterprise::revertTPer()"; 
@@ -1266,53 +1274,57 @@ uint8_t DtaDevEnterprise::setSIDPassword(char * oldpassword, char * newpassword, { LOG(D1) << "Entering DtaDevEnterprise::setSIDPassword()"; uint8_t lastRC; - string defaultPassword; - char *pwd = oldpassword, *newpwd = newpassword; - std::vector user; - set8(user, OPALUID[OPAL_SID_UID]); + vector user; + set8(user, OPALUID[OPAL_SID_UID]); - std::vector usercpin; - set8(usercpin, OPALUID[OPAL_C_PIN_SID]); + vector usercpin; + set8(usercpin, OPALUID[OPAL_C_PIN_SID]); - if ((oldpassword == NULL) || (*oldpassword == '\0') || - (newpassword == NULL) || (*newpassword == '\0')) { + if (*oldpassword == '\0') + { if ((lastRC = getDefaultPassword()) != 0) { - LOG(E) << "setSIDPassword failed to retrieve MSID"; + LOG(E) << "setPassword failed to retrieve MSID"; return lastRC; } - defaultPassword = response.getString(5); - if ((oldpassword == NULL) || (*oldpassword == '\0')) { - pwd = (char *)defaultPassword.c_str(); - hasholdpwd = 0; + string defaultPassword = response.getString(5); + session = new DtaSession(this); + if (session == NULL) { + LOG(E) << "Unable to create session object "; + return DTAERROR_OBJECT_CREATE_FAILED; } - - if ((newpassword == NULL) || (*newpassword == '\0')) { - newpwd = (char *)defaultPassword.c_str(); - hashnewpwd = 0; + session->dontHashPwd(); + if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID, (char *)defaultPassword.c_str(), user)) != 0) { + delete session; + return lastRC; } } - - session = new DtaSession(this); - if (session == NULL) { - LOG(E) << "Unable to create session object "; - return DTAERROR_OBJECT_CREATE_FAILED; - } - if (!hasholdpwd) + else + { + session = new DtaSession(this); + if (session == NULL) { + LOG(E) << "Unable to create session object "; + return DTAERROR_OBJECT_CREATE_FAILED; + } session->dontHashPwd(); - if ((lastRC = session->start(OPAL_UID::OPAL_ADMINSP_UID, pwd, user)) != 0) { - delete session; - return lastRC; + if (!hasholdpwd) session->dontHashPwd(); + if ((lastRC = 
session->start(OPAL_UID::OPAL_ADMINSP_UID, oldpassword, user)) != 0) { + delete session; + return lastRC; + } } - - std::vector hash; - if (hashnewpwd) { - DtaHashPwd(hash, newpwd, this); - } else { + vector hash; + if (hashnewpwd) + { + DtaHashPwd(hash, newpassword, this); + } + else + { hash.push_back(0xd0); - hash.push_back((uint8_t)strnlen(newpwd, 255)); - for (uint16_t i = 0; i < strnlen(newpwd, 255); i++) { - hash.push_back(newpwd[i]); + hash.push_back((uint8_t)strnlen(newpassword, 255)); + for (uint16_t i = 0; i < strnlen(newpassword, 255); i++) + { + hash.push_back(newpassword[i]); } } if ((lastRC = setTable(usercpin, "PIN", hash)) != 0) { @@ -1320,7 +1332,6 @@ uint8_t DtaDevEnterprise::setSIDPassword(char * oldpassword, char * newpassword, delete session; return lastRC; } - LOG(I) << "SID password changed"; delete session; LOG(D1) << "Exiting DtaDevEnterprise::setSIDPassword()"; return 0; @@ -1666,6 +1677,13 @@ uint8_t DtaDevEnterprise::objDump(char *sp, char * auth, char *pass, LOG(D1) << "Exiting DtaDevEnterprise::objDump"; return 0; } +uint8_t DtaDevEnterprise::addUserToLockingACEs(const char *userid, char * Admin1Password) +{ + LOG(D1) << "Entering DtaDevEnterprise::addUserLockingACEs"; + LOG(I) << "Enable User1 Locking ACES in the Enterprise SSC is not supported"; + LOG(D1) << "Exiting DtaDevEnterprise::addUserLockingACEs"; + return 0; +} #ifdef _MSC_VER #pragma warning(pop) #endif diff --git a/Common/DtaDevEnterprise.h b/Common/DtaDevEnterprise.h index 3d60b581..c76429eb 100644 --- a/Common/DtaDevEnterprise.h +++ b/Common/DtaDevEnterprise.h @@ -113,7 +113,7 @@ class DtaDevEnterprise : public DtaDevOS { * @param state 0 or 1 * @param Admin1Password Locking SP authority with access to flag */ - uint8_t setMBRDone(uint8_t state, char * Admin1Password); + uint8_t setMBRDone(uint8_t state, const char *userid, char * password); /** Primitive to set the MBREnable flag. * @param state 0 or 1 * @param Admin1Password Locking SP authority with access to flag 
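Review bot: In the `else` branch of `DtaDevEnterprise::setSIDPassword` the unchanged context line `session->dontHashPwd();` now runs unconditionally just before `if (!hasholdpwd) session->dontHashPwd();`, so the old SID password is never hashed whatever `hasholdpwd` says — a SID password that was set hashed would stop authenticating; delete the unconditional line. The rewrite also dereferences `*oldpassword` and hands `newpassword` to `strnlen` without the NULL checks the removed lines had, and the fallback to the MSID for an empty new password is gone; if callers may still pass NULL, reject it up front with a logged error before the `if (*oldpassword == '\0')`. The message changed to `"setPassword failed to retrieve MSID"` inside setSIDPassword, which will mislead whoever reads the log, and the `LOG(I) << "SID password changed"` success line is removed here and in DtaDevOpal.cpp with no visible replacement.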
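Review bot: The new `DtaDevEnterprise::addUserToLockingACEs` stub logs `Entering DtaDevEnterprise::addUserLockingACEs` (and the matching Exiting line), which does not match the method name and will not grep; change both to `DtaDevEnterprise::addUserToLockingACEs`. Its `userid` and `Admin1Password` parameters are unused, so add `(void)userid; (void)Admin1Password;` or leave the names out as unused stubs usually do. In the DtaDevEnterprise.h hunk that follows, the Doxygen above `setMBRDone` still lists `@param Admin1Password` although the parameter is now `password` and `userid` is undocumented.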
@@ -129,7 +129,7 @@ class DtaDevEnterprise : public DtaDevOS { /** dummy code not implemented in the enterprise SSC*/ uint8_t setNewPassword_SUM(char * password, char * userid, char * newpassword); uint8_t setLockingRange(uint8_t lockingrange, uint8_t lockingstate, - char * password); + const char *userid, char * password); /** dummy code not implemented in the enterprise SSC*/ uint8_t setLockingRange_SUM(uint8_t lockingrange, uint8_t lockingstate, char * password); @@ -205,6 +205,12 @@ class DtaDevEnterprise : public DtaDevOS { uint8_t rawCmd(char *sp, char *hexauth, char *pass, char *hexinvokingUID, char *hexmethod, char *hexparms); + /** Add the UserX authority to Locking (Rd/RW) ACEs + * @param userid The user to add to Locking ACEs + * @param Admin1Password Password of the LockingSP authority + */ + uint8_t addUserToLockingACEs(const char *userid, char *Admin1Password); + protected: uint8_t getDefaultPassword(); private: diff --git a/Common/DtaDevGeneric.cpp b/Common/DtaDevGeneric.cpp index 6f5d57c6..b3db63de 100644 --- a/Common/DtaDevGeneric.cpp +++ b/Common/DtaDevGeneric.cpp @@ -70,9 +70,9 @@ uint8NOCODE(setup_SUM, uint8_t lockingrange, uint64_t start, uint64_t length, ch uint8NOCODE(setPassword,char * password, char * userid, char * newpassword) uint8NOCODE(setNewPassword_SUM,char * password, char * userid, char * newpassword) uint8NOCODE(setMBREnable,uint8_t mbrstate, char * Admin1Password) -uint8NOCODE(setMBRDone,uint8_t mbrstate, char * Admin1Password) +uint8NOCODE(setMBRDone,uint8_t mbrstate, const char *userid, char * password) uint8NOCODE(setLockingRange,uint8_t lockingrange, uint8_t lockingstate, - char * Admin1Password) + const char *userid, char * password) uint8NOCODE(setLockingRange_SUM, uint8_t lockingrange, uint8_t lockingstate, char * password) uint8NOCODE(setupLockingRange,uint8_t lockingrange, uint64_t start, 
@@ -93,6 +93,7 @@ uint8NOCODE(eraseLockingRange_SUM, uint8_t lockingrange, char * password) uint8NOCODE(takeOwnership, char * newpassword) uint8NOCODE(setSIDPassword,char * oldpassword, char * newpassword, uint8_t hasholdpwd, uint8_t hashnewpwd) +uint8NOCODE(addUserToLockingACEs, const char* userid, char * Admin1Password) uint16_t DtaDevGeneric::comID() { LOG(E) << "Generic Device class does not support function " << "comID" << std::endl; diff --git a/Common/DtaDevGeneric.h b/Common/DtaDevGeneric.h index e4eedd16..a9ed0606 100644 --- a/Common/DtaDevGeneric.h +++ b/Common/DtaDevGeneric.h @@ -97,7 +97,7 @@ class DtaDevGeneric : public DtaDevOS { * @param Admin1Password password of administrative authority for locking range */ uint8_t setLockingRange(uint8_t lockingrange, uint8_t lockingstate, - char * Admin1Password) ; + const char *userid, char * password) ; /** Change the locking state of a locking range in Single User Mode * @param lockingrange The number of the locking range (0 = global) * @param lockingstate the locking state to set @@ -147,7 +147,7 @@ class DtaDevGeneric : public DtaDevOS { * @param lockingrange locking range number */ uint8_t setBandsEnabled(int16_t rangeid, char * password); - uint8_t setMBRDone(uint8_t state, char * Admin1Password) ; + uint8_t setMBRDone(uint8_t state, const char *userid, char * password) ; /** Primitive to set the MBREnable flag. * @param state 0 or 1 * @param Admin1Password Locking SP authority with access to flag @@ -224,4 +224,9 @@ class DtaDevGeneric : public DtaDevOS { uint8_t exec(DtaCommand * cmd, DtaResponse & resp, uint8_t protocol = 1) ; /** return the communications ID to be used for sessions to this device */ uint16_t comID() ; + /** Add the UserX authority to Locking (Rd/RW) ACEs + * @param userid The user to add to Locking ACEs + * @param Admin1Password Password of the LockingSP authority + */ + uint8_t addUserToLockingACEs(const char *userid, char *Admin1Password); }; 
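Review bot: The Doxygen above `DtaDevGeneric::setLockingRange` still reads `@param Admin1Password password of administrative authority for locking range` while the declaration now takes `const char *userid, char * password`; replace it with `@param userid The authority used to lock/unlock the range` and `@param password Password of that authority`. The same stale `@param Admin1Password` comment sits above the Generic `setMBRDone` in the next hunk.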
diff --git a/Common/DtaDevOpal.cpp b/Common/DtaDevOpal.cpp index 95e4aba7..d45b6149 100644 --- a/Common/DtaDevOpal.cpp +++ b/Common/DtaDevOpal.cpp @@ -24,6 +24,8 @@ along with sedutil. If not, see . #include #include #include +#include +#include #include #include "DtaDevOpal.h" #include "DtaHashPwd.h" @@ -67,12 +69,19 @@ uint8_t DtaDevOpal::initialSetup(char * password) LOG(E) << "Initial setup failed - unable to configure global locking range"; return lastRC; } - if ((lastRC = setLockingRange(0, OPAL_LOCKINGSTATE::READWRITE, password)) != 0) { + if ((lastRC = setLockingRange(0, OPAL_LOCKINGSTATE::READWRITE, "Admin1", password)) != 0) { LOG(E) << "Initial setup failed - unable to set global locking range RW"; return lastRC; } if (!MBRAbsent()) { - setMBREnable(1, password); + if ((lastRC = setMBRDone(1, "Admin1", password)) != 0){ + LOG(E) << "Initial setup failed - unable to Enable MBR shadow"; + return lastRC; + } + if ((lastRC = setMBREnable(1, password)) != 0) { + LOG(E) << "Initial setup failed - unable to Enable MBR shadow"; + return lastRC; + } } LOG(I) << "Initial setup of TPer complete on " << dev; @@ -647,11 +656,11 @@ uint8_t DtaDevOpal::eraseLockingRange(uint8_t lockingrange, char * password) LOG(D1) << "Exiting DtaDevOpal::eraseLockingRange()"; return 0; } -uint8_t DtaDevOpal::getAuth4User(char * userid, uint8_t uidorcpin, std::vector &userData) +uint8_t DtaDevOpal::getAuth4User(const char * userid, uint8_t uidorcpin, std::vector &userData) { LOG(D1) << "Entering DtaDevOpal::getAuth4User()"; userData.clear(); - userData. push_back(OPAL_SHORT_ATOM::BYTESTRING8); + userData.push_back(OPAL_SHORT_ATOM::BYTESTRING8); userData.push_back(0x00); userData.push_back(0x00); userData.push_back(0x00); 
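Review bot: The new `setMBRDone(1, "Admin1", password)` call in `DtaDevOpal::initialSetup` is redundant: `DtaDevOpal::setMBREnable` (the hunk at -774) already calls `setMBRDone(1, "Admin1", Admin1Password)` before touching MBREnable, so the flag is written twice in a row over two sessions; drop the explicit call, or if it is meant to stay, at least fix its error text, which currently duplicates the MBREnable one: `LOG(E) << "Initial setup failed - unable to set MBRDone";`. Checking `setMBREnable`'s return value instead of discarding it, as the removed line did, is a good fix.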
@@ -774,13 +783,13 @@ uint8_t DtaDevOpal::setMBREnable(uint8_t mbrstate, char * Admin1Password) LOG(D1) << "Entering DtaDevOpal::setMBREnable"; uint8_t lastRC; // set MBRDone before changing MBREnable so the PBA isn't presented - if ((lastRC = setMBRDone(1, Admin1Password)) != 0){ + if ((lastRC = setMBRDone(1, "Admin1", Admin1Password)) != 0){ LOG(E) << "unable to set MBRDone"; return lastRC; } if (mbrstate) { if ((lastRC = setLockingSPvalue(OPAL_UID::OPAL_MBRCONTROL, OPAL_TOKEN::MBRENABLE, - OPAL_TOKEN::OPAL_TRUE, Admin1Password, NULL)) != 0) { + OPAL_TOKEN::OPAL_TRUE, "Admin1", Admin1Password, NULL)) != 0) { LOG(E) << "Unable to set setMBREnable on"; return lastRC; } @@ -790,7 +799,7 @@ uint8_t DtaDevOpal::setMBREnable(uint8_t mbrstate, char * Admin1Password) } else { if ((lastRC = setLockingSPvalue(OPAL_UID::OPAL_MBRCONTROL, OPAL_TOKEN::MBRENABLE, - OPAL_TOKEN::OPAL_FALSE, Admin1Password, NULL)) != 0) { + OPAL_TOKEN::OPAL_FALSE, "Admin1", Admin1Password, NULL)) != 0) { LOG(E) << "Unable to set setMBREnable off"; return lastRC; } @@ -801,13 +810,13 @@ uint8_t DtaDevOpal::setMBREnable(uint8_t mbrstate, char * Admin1Password) LOG(D1) << "Exiting DtaDevOpal::setMBREnable"; return 0; } -uint8_t DtaDevOpal::setMBRDone(uint8_t mbrstate, char * Admin1Password) +uint8_t DtaDevOpal::setMBRDone(uint8_t mbrstate, const char* userid, char * password) { LOG(D1) << "Entering DtaDevOpal::setMBRDone"; uint8_t lastRC; if (mbrstate) { if ((lastRC = setLockingSPvalue(OPAL_UID::OPAL_MBRCONTROL, OPAL_TOKEN::MBRDONE, - OPAL_TOKEN::OPAL_TRUE, Admin1Password, NULL)) != 0) { + OPAL_TOKEN::OPAL_TRUE, userid, password, NULL)) != 0) { LOG(E) << "Unable to set setMBRDone on"; return lastRC; } 
@@ -817,7 +826,7 @@ uint8_t DtaDevOpal::setMBRDone(uint8_t mbrstate, char * Admin1Password) } else { if ((lastRC = setLockingSPvalue(OPAL_UID::OPAL_MBRCONTROL, OPAL_TOKEN::MBRDONE, - OPAL_TOKEN::OPAL_FALSE, Admin1Password, NULL)) != 0) { + OPAL_TOKEN::OPAL_FALSE, userid, password, NULL)) != 0) { LOG(E) << "Unable to set setMBRDone off"; return lastRC; } @@ -829,12 +838,13 @@ uint8_t DtaDevOpal::setMBRDone(uint8_t mbrstate, char * Admin1Password) return 0; } uint8_t DtaDevOpal::setLockingRange(uint8_t lockingrange, uint8_t lockingstate, - char * Admin1Password) + const char *userid, char * password) { uint8_t lastRC; uint8_t archiveuser = 0; OPAL_TOKEN readlocked, writelocked; const char *msg; + vector userUID; LOG(D1) << "Entering DtaDevOpal::setLockingRange"; switch (lockingstate) { @@ -873,7 +883,12 @@ uint8_t DtaDevOpal::setLockingRange(uint8_t lockingrange, uint8_t lockingstate, LOG(E) << "Unable to create session object "; return DTAERROR_OBJECT_CREATE_FAILED; } - if ((lastRC = session->start(OPAL_UID::OPAL_LOCKINGSP_UID, Admin1Password, OPAL_UID::OPAL_ADMIN1_UID)) != 0) { + if ((lastRC = getAuth4User(userid, 0, userUID)) != 0) { + LOG(E) << "Unable to find user " << userid << " in Authority Table"; + delete session; + return lastRC; + } + if ((lastRC = session->start(OPAL_UID::OPAL_LOCKINGSP_UID, password, userUID)) != 0) { delete session; return lastRC; } @@ -1016,10 +1031,11 @@ uint8_t DtaDevOpal::setLockingRange_SUM(uint8_t lockingrange, uint8_t lockingsta return 0; } uint8_t DtaDevOpal::setLockingSPvalue(OPAL_UID table_uid, OPAL_TOKEN name, - OPAL_TOKEN value,char * password, char * msg) + OPAL_TOKEN value,const char *userid, char * password, char * msg) { LOG(D1) << "Entering DtaDevOpal::setLockingSPvalue"; uint8_t lastRC; + vector userUID; vector table; table. push_back(OPAL_SHORT_ATOM::BYTESTRING8); for (int i = 0; i < 8; i++) { 
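Review bot: In `DtaDevOpal::setLockingRange` the `getAuth4User(userid, 0, userUID)` lookup runs after `new DtaSession(this)`, so an unknown user id allocates a session only to delete it on the error path; moving the lookup above the session creation removes that `delete session` and keeps the validation of caller input ahead of any device interaction. The `setLockingSPvalue` hunk that follows has the same ordering. Both functions continue outside the hunk.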
@@ -1030,7 +1046,12 @@ uint8_t DtaDevOpal::setLockingSPvalue(OPAL_UID table_uid, OPAL_TOKEN name, LOG(E) << "Unable to create session object "; return DTAERROR_OBJECT_CREATE_FAILED; } - if ((lastRC = session->start(OPAL_UID::OPAL_LOCKINGSP_UID, password, OPAL_UID::OPAL_ADMIN1_UID)) != 0) { + if ((lastRC = getAuth4User(userid, 0, userUID)) != 0) { + LOG(E) << "Unable to find user " << userid << " in Authority Table"; + delete session; + return lastRC; + } + if ((lastRC = session->start(OPAL_UID::OPAL_LOCKINGSP_UID, password, userUID)) != 0) { delete session; return lastRC; } @@ -1107,13 +1128,13 @@ uint8_t DtaDevOpal::revertTPer(char * password, uint8_t PSID, uint8_t AdminSP) cmd->addToken(OPAL_TOKEN::STARTLIST); cmd->addToken(OPAL_TOKEN::ENDLIST); cmd->complete(); + session->expectAbort(); if ((lastRC = session->sendCommand(cmd, response)) != 0) { delete cmd; delete session; return lastRC; } LOG(I) << "revertTper completed successfully"; - session->expectAbort(); delete cmd; delete session; LOG(D1) << "Exiting DtaDevOpal::revertTPer()"; @@ -1481,7 +1502,6 @@ uint8_t DtaDevOpal::setSIDPassword(char * oldpassword, char * newpassword, delete session; return lastRC; } - LOG(I) << "SID password changed"; delete session; LOG(D1) << "Exiting DtaDevOpal::setSIDPassword()"; return 0; 
@@ -1833,4 +1853,196 @@ uint8_t DtaDevOpal::rawCmd(char *sp, char * hexauth, char *pass, delete session; LOG(D1) << "Exiting DtaDevEnterprise::rawCmd"; return 0; +} +uint8_t DtaDevOpal::addUserToLockingACEs(const char *userid, char *Admin1Password) { + uint8_t lastRC = 0; + + session = new DtaSession(this); + LOG(D1) << "Entering DtaDevOpal::addUserToLockingACEs"; + if (NULL == session) { + LOG(E) << "Unable to create session object "; + return DTAERROR_OBJECT_CREATE_FAILED; + } + if ((lastRC = session->start(OPAL_UID::OPAL_LOCKINGSP_UID, Admin1Password, OPAL_UID::OPAL_ADMIN1_UID)) != 0) { + delete session; + return lastRC; + } + + vector userUID; + if ((lastRC = getAuth4User(userid, 0, userUID)) != 0) { + LOG(E) << "Unable to find user " << userid << " in Authority Table"; + delete session; + return lastRC; + } + + std::function& v)> cmp = [&userUID] (const std::vector &v) { + return (userUID.size() == v.size() && memcmp(userUID.data(), v.data(), v.size()) == 0);}; + + // Enable authorities in the ACE_Locking_GlobalRange_Set_RdLocked + // Get authorities already allowed + std::vector> authorities_uids; + if ((lastRC = getAuthoritiesFromACE(OPAL_UID::OPAL_LOCKINGRANGE_GLOBAL_ACE_RDLOCKED, authorities_uids)) != 0) { + LOG(E) << "Unable to get already allowed authorities for ACE_Locking_GlobalRange_Set_RdLocked"; + delete session; + return lastRC; + } + // Add new allowed authority + if (std::find_if(authorities_uids.begin(), authorities_uids.end(), cmp) == authorities_uids.end()) { + authorities_uids.push_back(userUID); + } + if ((lastRC = setAuthoritiesToACE(authorities_uids, OPAL_UID::OPAL_LOCKINGRANGE_GLOBAL_ACE_RDLOCKED)) != 0) { + delete session; + return lastRC; + } + LOG(I) << userid << " successfully added to ACE_Locking_GlobalRange_Set_RdLocked"; + + // Enable authorities in the ACE_Locking_GlobalRange_Set_WrLocked + // Get authorities already allowed + if ((lastRC = getAuthoritiesFromACE(OPAL_UID::OPAL_LOCKINGRANGE_GLOBAL_ACE_WRLOCKED, authorities_uids)) 
!= 0) { + LOG(E) << "Unable to get already allowed authorities for ACE_Locking_GlobalRange_Set_WrLocked"; + delete session; + return lastRC; + } + // Add new allowed authority + if (std::find_if(authorities_uids.begin(), authorities_uids.end(), cmp) == authorities_uids.end()) { + authorities_uids.push_back(userUID); + } + if ((lastRC = setAuthoritiesToACE(authorities_uids, OPAL_UID::OPAL_LOCKINGRANGE_GLOBAL_ACE_WRLOCKED)) != 0) { + delete session; + return lastRC; + } + LOG(I) << userid << " successfully added to ACE_Locking_GlobalRange_Set_WrLocked"; + + // Enable Admins and User authority in the ACE_MBRControl_Set_DoneToDOR + // Get authorities already allowed + if ((lastRC = getAuthoritiesFromACE(OPAL_UID::OPAL_MBRControl_Set_DoneToDOR, authorities_uids)) != 0) { + LOG(E) << "Unable to get already allowed authorities for ACE_Locking_GlobalRange_Set_DoneToDOR"; + delete session; + return lastRC; + } + // Add new allowed authority + if (std::find_if(authorities_uids.begin(), authorities_uids.end(), cmp) == authorities_uids.end()) { + authorities_uids.push_back(userUID); + } + lastRC = setAuthoritiesToACE(authorities_uids, OPAL_UID::OPAL_MBRControl_Set_DoneToDOR); + + if (lastRC == 0) { + LOG(I) << userid << " successfully added to ACE_Locking_GlobalRange_Set_DoneToDOR"; + } + + delete session; + return lastRC; +} +uint8_t DtaDevOpal::setAuthoritiesToACE(const std::vector>& users_uid, + OPAL_UID ace_uid) { + uint8_t lastRC = 0; + + DtaCommand *cmd = new DtaCommand(); + cmd->reset(ace_uid, OPAL_METHOD::SET); + cmd->addToken(OPAL_TOKEN::STARTLIST); + cmd->addToken(OPAL_TOKEN::STARTNAME); + cmd->addToken(OPAL_TOKEN::VALUES); + cmd->addToken(OPAL_TOKEN::STARTLIST); + cmd->addToken(OPAL_TOKEN::STARTNAME); + cmd->addToken(0x03); // Column number + cmd->addToken(OPAL_TOKEN::STARTLIST); + + for (size_t i = 0; i < users_uid.size(); i++) { + cmd->addToken(OPAL_TOKEN::STARTNAME); + + //Authority object ref + cmd->addToken(OPAL_SHORT_ATOM::BYTESTRING4); + for (int j = 0; j < 
4; j++) { + cmd->addToken(OPALUID[OPAL_UID::OPAL_HALF_UID_AUTHORITY_OBJ_REF][j]); + } + + cmd->addToken(users_uid[i]); + cmd->addToken(OPAL_TOKEN::ENDNAME); + } + + //Boolean ACE + if (users_uid.size() > 1) { + cmd->addToken(OPAL_TOKEN::STARTNAME); + cmd->addToken(OPAL_SHORT_ATOM::BYTESTRING4); + for (int j = 0; j < 4; j++) { + cmd->addToken(OPALUID[OPAL_UID::OPAL_HALF_UID_BOOLEAN_ACE][j]); + } + cmd->addToken(OPAL_TINY_ATOM::UINT_01); + cmd->addToken(OPAL_TOKEN::ENDNAME); + } + + cmd->addToken(OPAL_TOKEN::ENDLIST); + cmd->addToken(OPAL_TOKEN::ENDNAME); + cmd->addToken(OPAL_TOKEN::ENDLIST); + cmd->addToken(OPAL_TOKEN::ENDNAME); + cmd->addToken(OPAL_TOKEN::ENDLIST); + cmd->complete(); + + lastRC = session->sendCommand(cmd, response); + + delete cmd; + return lastRC; +} +uint8_t DtaDevOpal::getAuthoritiesFromACE(OPAL_UID ace_uid, + std::vector>& authorities_uid) { + uint8_t lastRC = OPALSTATUSCODE::SUCCESS; + authorities_uid.clear(); + LOG(D) << "Entering in DtaDevOpal::getAuthoritiesFromACE"; + + std::vector aceTable; + aceTable.push_back(OPAL_SHORT_ATOM::BYTESTRING8); + for (int i = 0; i < 8; i++) { + aceTable.push_back(OPALUID[ace_uid][i]); + } + lastRC = getTable(aceTable, OPAL_TINY_ATOM::UINT_03, OPAL_TINY_ATOM::UINT_03); + + if (lastRC == OPALSTATUSCODE::SUCCESS) { + uint32_t i = 0; + while (i < response.getTokenCount() - 3) { + if (response.tokenIs(i) == OPAL_TOKEN::STARTNAME && + response.tokenIs(i + 1) == OPAL_TOKEN::DTA_TOKENID_UINT && + response.getUint8(i + 1) == OPAL_TINY_ATOM::UINT_03 && + response.tokenIs(i + 2) == OPAL_TOKEN::STARTLIST) { + // Ok, start authorities list + i += 3; + + while (i < response.getTokenCount() - 2 && + lastRC == OPALSTATUSCODE::SUCCESS && + response.tokenIs(i) != OPAL_TOKEN::ENDLIST) { + if (response.tokenIs(i) == OPAL_TOKEN::STARTNAME && + response.tokenIs(i + 1) == OPAL_TOKEN::DTA_TOKENID_BYTESTRING && + response.getLength(i + 1) == 5) { + uint8_t buffer[4]; + response.getBytes(i + 1, buffer); + i++; + + if (memcmp(buffer, 
OPALUID[OPAL_HALF_UID_AUTHORITY_OBJ_REF], 4) == 0) { + // Find authority object ref + LOG(D1) << "Find authority object ref"; + if (response.tokenIs(i + 1) == OPAL_TOKEN::DTA_TOKENID_BYTESTRING && + response.getLength(i + 1) == 9) { + LOG(D1) << "Add authority"; + authorities_uid.emplace_back(response.getRawToken(i + 1)); + } + } + else if (memcmp(buffer, OPALUID[OPAL_HALF_UID_BOOLEAN_ACE], 4) == 0) { + LOG(D1) << "Find a boolean ACE object ref"; + if (response.tokenIs(i + 1) == OPAL_TOKEN::DTA_TOKENID_BYTESTRING && + response.getLength(i + 1) == 1) { + // Check if boolean ACE is OR + if (response.getUint8(i + 1) != OPAL_TINY_ATOM::UINT_01) + { + LOG(E) << "Invalid boolean ACE"; + lastRC = OPALSTATUSCODE::FAIL; + } + } + } + } + i++; + } + } + i++; + } + } + return lastRC; } \ No newline at end of file diff --git a/Common/DtaDevOpal.h b/Common/DtaDevOpal.h index 33bc357f..2c95dee6 100644 --- a/Common/DtaDevOpal.h +++ b/Common/DtaDevOpal.h @@ -122,7 +122,7 @@ class DtaDevOpal : public DtaDevOS { * @param column UID or CPIN to be returned * @param userData The UIS or CPIN of the USER */ - uint8_t getAuth4User(char * userid, uint8_t column, std::vector &userData); + uint8_t getAuth4User(const char * userid, uint8_t column, std::vector &userData); /** Enable a user in the Locking SP * @param password the password of the Locking SP administrative authority * @param userid Character name of the user to be enabled 
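Review bot: `setAuthoritiesToACE` appends exactly one boolean OR token whenever `users_uid.size() > 1`; if the ACE boolean expression is evaluated as a postfix expression (which is what `getAuthoritiesFromACE` tolerates, since it accepts any number of OR tokens), N authorities need N-1 OR tokens and a third user yields a malformed expression — consider `for (size_t k = 1; k < users_uid.size(); k++) {` in place of the `if`, and verify against the TCG Core spec before merging. `getAuthoritiesFromACE` silently skips any entry whose byte-string lengths are not 5 and 9, and the following SET rewrites the whole ACE from that list, so an entry the parser did not recognise is dropped from the drive's ACE; returning a failure on an unrecognised entry instead of skipping it avoids removing an existing authority. The two DoneToDOR log lines name `ACE_Locking_GlobalRange_Set_DoneToDOR` although the ACE written is `OPAL_MBRControl_Set_DoneToDOR`, and in `addUserToLockingACEs` the `session = new DtaSession(this)` precedes the Entering log, unlike the other methods. The file now ends without a trailing newline.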
@@ -130,10 +130,11 @@ class DtaDevOpal : public DtaDevOS { uint8_t enableUser(char * password, char * userid, OPAL_TOKEN status = OPAL_TOKEN::OPAL_TRUE); /** Primitive to set the MBRDone flag. * @param state 0 or 1 - * @param Admin1Password Locking SP authority with access to flag + * @param userid The authority which want to change the MBRDone flag + * @param password Locking SP authority with access to flag * @param status true or false to enable/disable */ - uint8_t setMBRDone(uint8_t state, char * Admin1Password); + uint8_t setMBRDone(uint8_t state, const char *userid, char * password); /** Primitive to set the MBREnable flag. * @param state 0 or 1 * @param Admin1Password Locking SP authority with access to flag @@ -158,7 +159,7 @@ class DtaDevOpal : public DtaDevOS { * @param Admin1Password password of the locking administrative authority */ uint8_t setLockingRange(uint8_t lockingrange, uint8_t lockingstate, - char * Admin1Password); + const char *userid, char * password); /** Change the locking state of a locking range in Single User Mode * @param lockingrange The number of the locking range (0 = global) * @param lockingstate the locking state to set 
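Review bot: The Doxygen above `DtaDevOpal::setMBRDone` still lists `@param status true or false to enable/disable`, a parameter the method does not have, right after the newly added `@param userid` and `@param password`; remove the stale line. In the `setLockingRange` hunk below, the context line `@param Admin1Password password of the locking administrative authority` no longer matches the `const char *userid, char * password` signature.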
@@ -260,16 +261,25 @@ class DtaDevOpal : public DtaDevOS { */ uint8_t rawCmd(char *sp, char * auth, char *pass, char *invoker, char *method, char *plist); + + /** Add the authority to Locking (Rd/RW) and MBRControl DoneToDOR ACEs + * This function gets authorities already in ACEs. + * Only the OR boolean_ACE are handled in boolean expressions. + * @param Admin1Password Password of the LockingSP authority + * @param userid The authority to add to Locking ACEs + */ + uint8_t addUserToLockingACEs(const char *userid, char *Admin1Password); protected: /** Primitive to handle the setting of a value in the locking sp. * @param table_uid UID of the table * @param name column to be altered * @param value the value to be set - * @param password password for the administrative authority + * @param userid the authority uid which wants to alter the lockingSP + * @param password password for the userid authority * @param msg message to be displayed upon successful update; */ uint8_t setLockingSPvalue(OPAL_UID table_uid, OPAL_TOKEN name, OPAL_TOKEN value, - char * password, char * msg = (char *) "New Value Set"); + const char *userid, char * password, char * msg = (char *) "New Value Set"); uint8_t getDefaultPassword(); typedef struct lrStatus @@ -289,4 +299,16 @@ class DtaDevOpal : public DtaDevOS { */ lrStatus_t getLockingRange_status(uint8_t lockingrange, char * password); + /** Set authorities to the ACE + * @param users_uid The list of authorities to set + * @param ace_uid The ACE to modify + */ + uint8_t setAuthoritiesToACE(const std::vector>& users_uid, OPAL_UID ace_uid); + + /** Get authorities of the ACE + * This function fails if all boolean_ACES are not OR + * @param ace_uid The ACE to read + * @param authorities_uid Vector containing authorities uids + */ + uint8_t getAuthoritiesFromACE(OPAL_UID ace_uid, std::vector>& authorities_uid); }; diff --git a/Common/DtaLexicon.h b/Common/DtaLexicon.h index 7e490f4c..bf406641 100644 --- a/Common/DtaLexicon.h 
+++ b/Common/DtaLexicon.h @@ -37,6 +37,7 @@ static const uint8_t OPALUID[][8]{ { 0x00, 0x00, 0x02, 0x05, 0x00, 0x01, 0x00, 0x01 }, /**< ENTERPRISE Locking SP */ { 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01 }, /** is new SID and Admin1 password\n"); printf("--setSIDPassword \n"); printf(" Change the SID password\n"); + printf("--setAdmin1Pwd \n"); + printf(" Change the Admin1 password\n"); printf("--setPassword \n"); - printf(" Change password for userid:\n"); - printf(" Enteprise: \"EraseMaster\" or \"BandMaster\"\n"); + printf(" Change the Enterprise password for userid\n"); + printf(" \"EraseMaster\" or \"BandMaster\", 0 <= n <= 1023\n"); printf(" Opal: \"Admin\" or \"User\"\n"); - printf("--setLockingRange <0...n> \n"); + printf("--setLockingRange <0...n> \n"); printf(" Set the status of a Locking Range\n"); printf(" 0 = GLobal 1..n = LRn \n"); printf("--enableLockingRange <0...n> \n"); @@ -79,7 +81,7 @@ void usage() printf(" 0 = GLobal 1..n = LRn \n"); printf("--setMBREnable \n"); printf(" Enable|Disable MBR shadowing \n"); - printf("--setMBRDone \n"); + printf("--setMBRDone \n"); printf(" set|unset MBRDone\n"); printf("--loadPBAimage \n"); printf(" Write to MBR Shadow area\n"); 
@@ -92,18 +94,19 @@ void usage() printf(" on GLOBAL RANGE *ONLY* \n"); printf("--PSIDrevert \n"); printf("--yesIreallywanttoERASEALLmydatausingthePSID \n"); - printf(" revert the device using the PSID *ERASING*\n"); - printf(" *ALL* the data\n"); + printf(" revert the device using the PSID *ERASING* *ALL* the data \n"); printf("--PSIDrevertAdminSP \n"); printf(" Alike to PSIDrevert, but on Enterprise calls\n"); printf(" AdminSP->Revert instead of ThisSP->RevertSP\n"); printf("--printDefaultPassword \n"); printf(" print MSID \n"); + printf("--addUserToLockingACEs \n"); + printf(" add UserX to locking ACEs\n"); printf("\n"); printf("Examples \n"); printf("sedutil-cli --scan \n"); printf("sedutil-cli --query %s \n", DEVICEEXAMPLE); - printf("sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID %s \n", DEVICEEXAMPLE); + printf("sedutil-cli --yesIreallywanttoERASEALLmydatausingthePSID %s \n", DEVICEEXAMPLE); printf("sedutil-cli --initialSetup %s \n", DEVICEEXAMPLE); return; } @@ -187,7 +190,7 @@ uint8_t DtaOptions(int argc, char * argv[], DTA_OPTIONS * opts) BEGIN_OPTION(PSIDrevertAdminSP, 2) OPTION_IS(password) OPTION_IS(device) END_OPTION BEGIN_OPTION(yesIreallywanttoERASEALLmydatausingthePSID, 2) OPTION_IS(password) OPTION_IS(device) END_OPTION - BEGIN_OPTION(enableuser, 2) OPTION_IS(password) OPTION_IS(userid) + BEGIN_OPTION(enableuser, 3) OPTION_IS(password) OPTION_IS(userid) OPTION_IS(device) END_OPTION BEGIN_OPTION(activateLockingSP, 2) OPTION_IS(password) OPTION_IS(device) END_OPTION BEGIN_OPTION(activateLockingSP_SUM, 3) 
@@ -268,16 +271,17 @@ uint8_t DtaOptions(int argc, char * argv[], DTA_OPTIONS * opts)
 OPTION_IS(password)
 OPTION_IS(device)
 END_OPTION
- BEGIN_OPTION(setMBRDone, 3)
+ BEGIN_OPTION(setMBRDone, 4)
 TESTARG(ON, mbrstate, 1)
 TESTARG(on, mbrstate, 1)
 TESTARG(off, mbrstate, 0)
 TESTARG(OFF, mbrstate, 0)
 TESTFAIL("Invalid setMBRDone argument not ")
+ OPTION_IS(userid)
 OPTION_IS(password)
 OPTION_IS(device)
 END_OPTION
- BEGIN_OPTION(setLockingRange, 4)
+ BEGIN_OPTION(setLockingRange, 5)
 TESTARG(0, lockingrange, 0)
 TESTARG(1, lockingrange, 1)
 TESTARG(2, lockingrange, 2)
@@ -302,6 +306,7 @@ uint8_t DtaOptions(int argc, char * argv[], DTA_OPTIONS * opts)
 TESTARG(LK, lockingstate, OPAL_LOCKINGSTATE::LOCKED)
 TESTARG(lk, lockingstate, OPAL_LOCKINGSTATE::LOCKED)
 TESTFAIL("Invalid locking state ")
+ OPTION_IS(userid)
 OPTION_IS(password)
 OPTION_IS(device)
 END_OPTION
@@ -516,6 +521,11 @@ uint8_t DtaOptions(int argc, char * argv[], DTA_OPTIONS * opts)
 BEGIN_OPTION(objDump, 5) i += 4; OPTION_IS(device) END_OPTION
 BEGIN_OPTION(printDefaultPassword, 1) OPTION_IS(device) END_OPTION
 BEGIN_OPTION(rawCmd, 7) i += 6; OPTION_IS(device) END_OPTION
+ BEGIN_OPTION(addUserToLockingACEs, 3)
+ OPTION_IS(userid)
+ OPTION_IS(password)
+ OPTION_IS(device)
+ END_OPTION
 else {
 LOG(E) << "Invalid command line argument " << argv[i];
 return DTAERROR_INVALID_COMMAND;
diff --git a/Common/DtaOptions.h b/Common/DtaOptions.h
index c012af1d..7fa9d0e2 100644
--- a/Common/DtaOptions.h
+++ b/Common/DtaOptions.h
@@ -96,7 +96,7 @@ typedef enum _sedutiloption {
 objDump,
 printDefaultPassword,
 rawCmd,
-
+ addUserToLockingACEs,
 } sedutiloption;
 /** verify the number of arguments passed */
 #define CHECKARGS(x) \
diff --git a/Common/sedutil.cpp b/Common/sedutil.cpp
index 270709e9..138cd56a 100644
--- a/Common/sedutil.cpp
+++ b/Common/sedutil.cpp
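Review bot: The new `userid` argument in the setMBRDone option is accepted without any validation, while the neighbouring `mbrstate` and `lockingstate` arguments are checked through TESTARG/TESTFAIL; the same applies to the `OPTION_IS(userid)` added in the -302 and -516 hunks. If the accepted authority names depend on the device type (usage() lists "EraseMaster"/"BandMaster" for Enterprise and "Admin"/"User" for Opal), parse-time checking may not be possible here, but then the device layer has to reject unknown names before a session is opened, and usage() should state which values each new option accepts. The argument order also differs from the existing `--enableuser` option in the -187 hunk, which takes `password` before `userid`, whereas the new options take `userid` before `password`; a consistent order, or a note in the commit description, would spare callers a surprise. Existing invocations of `--setLockingRange` and `--setMBRDone` with the old argument list will now fail the CHECKARGS count check, which is worth calling out as a breaking change. The setLockingRange option begins in this hunk and ends in the -302 hunk.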
@@ -134,7 +134,7 @@ int main(int argc, char * argv[])
 break;
 case sedutiloption::setLockingRange:
 LOG(D) << "Setting Locking Range " << (uint16_t) opts.lockingrange << " " << (uint16_t) opts.lockingstate;
- return d->setLockingRange(opts.lockingrange, opts.lockingstate, argv[opts.password]);
+ return d->setLockingRange(opts.lockingrange, opts.lockingstate, argv[opts.userid], argv[opts.password]);
 break;
 case sedutiloption::setLockingRange_SUM:
 LOG(D) << "Setting Locking Range " << (uint16_t)opts.lockingrange << " " << (uint16_t)opts.lockingstate << " in Single User Mode";
@@ -187,7 +187,7 @@ int main(int argc, char * argv[])
 break;
 case sedutiloption::setMBRDone:
 LOG(D) << "Setting MBRDone " << (uint16_t)opts.mbrstate;
- return (d->setMBRDone(opts.mbrstate, argv[opts.password]));
+ return (d->setMBRDone(opts.mbrstate, argv[opts.userid], argv[opts.password]));
 break;
 case sedutiloption::setMBREnable:
 LOG(D) << "Setting MBREnable " << (uint16_t)opts.mbrstate;
@@ -277,6 +277,9 @@ int main(int argc, char * argv[])
 LOG(D) << "Performing cmdDump ";
 return d->rawCmd(argv[argc - 7], argv[argc - 6], argv[argc - 5], argv[argc - 4], argv[argc - 3], argv[argc - 2]);
 break;
+ case sedutiloption::addUserToLockingACEs:
+ LOG(D) << "Performing addUserToLockingACEs";
+ return d->addUserToLockingACEs(argv[opts.userid], argv[opts.password]);
 default:
 LOG(E) << "Unable to determine what you want to do ";
 usage();
diff --git a/LinuxPBA/UnlockSEDs.cpp b/LinuxPBA/UnlockSEDs.cpp
index 4f42e577..ba270826 100644
--- a/LinuxPBA/UnlockSEDs.cpp
+++ b/LinuxPBA/UnlockSEDs.cpp
@@ -45,6 +45,8 @@ uint8_t UnlockSEDs(char * password) {
 string tempstring;
 LOG(D4) << "Enter UnlockSEDs";
 dir = opendir("/dev");
+ const char* users[] = {"User1", "Admin1"};
+ const uint8_t nb_users = 2;
 if(dir!=NULL) {
 while((dirent=readdir(dir))!=NULL) {
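Review bot: The new `case sedutiloption::addUserToLockingACEs:` in the -277 hunk returns without the trailing `break;` that every other case in this switch carries after its `return` (the -134 and -187 hunks show the pattern); adding `break;` keeps the cases uniform and guards against a later edit that makes the return conditional. The debug line also records nothing about the request, unlike the setLockingRange and setMBRDone cases that log their parameters; `LOG(D) << "Performing addUserToLockingACEs for " << argv[opts.userid];` gives the same diagnostic value while keeping the password out of the log. main() starts and ends outside these hunks.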
