cfb34ca1 | 10-Jun-2021 |
Vernon Mauery <vernon.mauery@linux.intel.com> |
Require a valid session state prior to executing commands
The execution of commands should work fine for pre-session commands and for session commands that have the session in a valid state (not inactive or tearDownInProgress). This prevents a session from getting used after the close session command.
Tested: send a command after the session has been closed or re-use an old session ID. The BMC should ignore the request.
Change-Id: I112bbc3404ffcf90ab5358d2309672473662647a Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
|
779e7e17 | 08-Jun-2021 |
Vernon Mauery <vernon.mauery@linux.intel.com> |
Only allow IPMI1.5 for non-session requests
Some IPMI messages must be sent out-of-session in order to set up the session. In order to be counted as out-of-session, they must use the 0x00000000 session ID. And the only IPMI1.5 packets that are allowed in OpenBMC are the out-of-session messages used to initiate the RMCP+ sessions. This commit enforces that all messages that contain a non-zero session ID must be a part of a valid session, which means they must be RMCP2.0 messages because RMCP1.5 sessions are not supported.
Tested: 1) establish a session; send an RMCP1.5 message with that same session ID and see that it gets rejected. 2) establish a session; send an RMCP2.0 message with a 0 session ID and see that it gets rejected.
Change-Id: I01e33f1d8ea9b9c6972238eaaf1b032493f46953 Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
|
1ab1c6bd | 08-Jun-2021 |
Vernon Mauery <vernon.mauery@linux.intel.com> |
Enforce encryption/authentication on in-session RMCP+ messages
In-session RMCP+ messages must have the encryption set to match the negotiated encryption setting that was set at session creation time.
Tested: Attempt to send an unencrypted payload with a valid session ID.
Change-Id: Iaa20cb9df9b2224bb81e3be5808cab9202e6dbf4 Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
|
a71b1bae | 08-Jun-2021 |
Vernon Mauery <vernon.mauery@linux.intel.com> |
Enforce correct packet lengths
Zero length messages and messages shorter than the expected length should be rejected. The expected length is the IPMI Msg Length from the IPMI session header.
Tested:
    # send a zero-length RMCP1.5 packet and a zero-length RMCP2.0 packet
    # RMCP 1.5
    echo -ne "\x06\x00\xff\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
      | nc -w 1 -u $HOST_IP 623
    # RMCP 2.0
    echo -ne "\x06\x00\xff\x07\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
      | nc -w 1 -u $HOST_IP 623
    # send a truncated 255-byte RMCP1.5 packet and a zero-length RMCP2.0 packet
    # RMCP 1.5
    echo -ne "\x06\x00\xff\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff" \
      | nc -w 1 -u $HOST_IP 623
    # RMCP 2.0
    echo -ne "\x06\x00\xff\x07\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\x00" \
      | nc -w 1 -u $HOST_IP 623
After each packet sent, verify that netipmid did not crash.
Change-Id: Iec63bae7619e0d3274894e4d98d1f1fb7f082ed6 Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
|
7b645018 | 17-May-2021 |
Andrew Geissler <geissonator@yahoo.com> |
crypt_algo: add needed include
gcc11 flags an error on this missing include
Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: I9eb8c1d9f1427b56e71d4103ae402980075f0780 |
d4a4bed5 | 13-Apr-2021 |
Patrick Williams <patrick@stwcx.xyz> |
bootstrap: fix shellcheck warnings
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: I86ef079c9632e5563a1a56d6a2e23aad59ecbc57 |
29086950 | 09-Mar-2020 |
Cheng C Yang <cheng.c.yang@linux.intel.com> |
Add dbus interface for sol commands
Add dbus interface for sol config parameters so that after move set/get sol config parameter command from net-ipmid to host-ipmid, the command can send config parameters to net-ipmid sol service through the dbus interface.
Tested by:
busctl introspect xyz.openbmc_project.Settings /xyz/openbmc_project/network/host0/sol can show correct dbus properties of sol parameters.
    ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x00 0x01
    ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x01 0x00
    ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x02 0x83
    ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x03 0x5 0x03
    ipmitool -I lanplus -H x -U x -P x raw 0x0c 0x21 0x0e 0x04 0x5 0x03
All these commands can change the dbus properties as the value in above commands.
Before and after run these commands, ipmitool -I lanplus -H x -U x -P x sol activate can start sol session correctly.
After reboot BMC, "Progress" property in dbus interface change back to 0 and other properties will not reset to default value.
Signed-off-by: Cheng C Yang <cheng.c.yang@linux.intel.com> Change-Id: Ib441b551a1559908c427be5378ff3414693e20dd
|
de7dd5ce | 27-Feb-2021 |
Kirill Pakhomov <k.pakhomov@yadro.com> |
Add RMCP Ping support
Added support of RMCP Ping/Pong request and response (ASF messages).
Tested: Tested using rmcpping tool to send RMCP ping.
Resolves openbmc/phosphor-net-ipmid#15
Signed-off-by: Kirill Pakhomov <k.pakhomov@yadro.com> Change-Id: Ie5199e6af69860d9406bdd516952b62c3d05793f
|
07bb0951 | 18-Aug-2020 |
Ed Tanous <ed@tanous.net> |
Fix includes
sd_event_loop.cpp is missing some includes. It builds today based on some very large includes from sdbusplus. This fixes that, and makes it so sdbusplus can remove the asio.hpp include.
Signed-off-by: Ed Tanous <ed@tanous.net> Change-Id: I71b1641203da71160d69b0366bb4aba5ae51a064
|
2b1edef0 | 24-Jul-2020 |
Zhikui Ren <zhikui.ren@intel.com> |
add size checking for input payload data
verify input data size before accessing to prevent out of bound access.
Tested: ipmitool with lanplus works same as without the change.
    ipmitool -I lanplus -U xx -P xx -H ip -C 17 sol info
    ipmitool -I lanplus -U xx -P xx -H ip -C 17 sensor list
    ipmitool -I lanplus -U xx -P xx -H ip -C 17 sdr list
    ipmitool -I lanplus -U xx -P xx -H ip -C 17 user list 1
Signed-off-by: Zhikui Ren <zhikui.ren@intel.com> Change-Id: I5025aa2666c8873b7c63f8323a932c0480b59304
|
f6e7230d | 08-Jun-2020 |
srikanta mondal <srikantax.mondal@intel.com> |
Close active SOL session after disable SSH SOL
Issue: When SOL-SSH is being disabled by Control BMC service command, the active SOL sessions are not being closed.
Fix: Stop the Payload Instance and Host console for active SOL session when SSH SOL is being disabled.
Tested: Verified using ipmitool sol commands.
1. Enable SSH SOL using control BMC service command
   Command: ipmitool raw 0x30 0xb1 0x01 0x40 0x00 //SOL activate
   Response: // Success
   Check the status using below busctl command
   command: busctl introspect xyz.openbmc_project.Control.Service.Manager /xyz/openbmc_project/control/service/obmc_2dconsole_40ttyS2
   Response: .Enabled true
2. Activate SOL session
   Command: ipmitool -I lanplus -U root -P 0penBmc -H <BMC_IP> -C 17 sol activate
   Response: // Success
3. Disable SSH SOL using control BMC service command
   Command: ipmitool raw 0x30 0xb1 0x00 0x40 0x00
   Response: // Success
   Check the status using below busctl command
   command: busctl introspect xyz.openbmc_project.Control.Service.Manager /xyz/openbmc_project/control/service/obmc_2dconsole_40ttyS2
   Response: .Enabled false
4. Enable SSH SOL using control BMC service command.
   Command: ipmitool raw 0x30 0xb1 0x01 0x40 0x00
   Response: // Success
   Check the status using below busctl command
   command: busctl introspect xyz.openbmc_project.Control.Service.Manager /xyz/openbmc_project/control/service/obmc_2dconsole_40ttyS2
   Response: .Enabled true
5. Activate SOL session
   Command: ipmitool -I lanplus -U root -P 0penBmc -H <BMC_IP> -C 17 sol activate
   Response: // Successfully establish the session
Signed-off-by: srikanta mondal <srikantax.mondal@intel.com> Change-Id: I08a459e5a4245d969529c033e4b88625b0796fb2
|
ecb32fbc | 01-Jul-2020 |
AppaRao Puli <apparao.puli@linux.intel.com> |
Add channel access mode check for ipmi commands.
Check the channel access mode and reject the network ipmi commands, if it's disabled.
Tested:
- Disabled channel access mode and network ipmi commands fails over the same lan channel.
    #ipmitool raw 0x06 0x40 0x03 0x80 0x44
- Set channel access mode to always available and ipmi commands works fine over same lan channel.
    #ipmitool raw 0x06 0x40 0x03 0x82 0x44
- Set non-volatile channel access mode to disabled, reset bmc and ipmi commands fails over same lan channel.
    #ipmitool raw 0x06 0x40 0x03 0x40 0x44
Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com> Change-Id: I44da4e8388b56e5ab7be3aa0e5d20b803a984668
|
5b114ed7 | 29-May-2020 |
Vernon Mauery <vernon.mauery@linux.intel.com> |
Add AfterCaseLabel for clang-format-10
Clang-format-10 has a different default for case labels; add this to keep the current format.
Change-Id: I7ffd6c6fbe72c7cc365690c81b7f2e1f3d31b338 Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
|
9d9b7638 | 17-May-2020 |
Andrew Geissler <geissonator@yahoo.com> |
size_t: ensure cstddef included
Latest upstream yocto appears to have removed a free include of cstddef. This is causing compile failures for files which do not include it properly.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: Ie54a2768ef72f59ab140df05e79e86baae6eaa82
|
7408e76a | 17-May-2020 |
Andrew Geissler <geissonator@yahoo.com> |
string: ensure string included
Latest upstream yocto appears to have removed a free include of string. This is causing compile failures for files which do not include it properly.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com> Change-Id: I76b1d73d045f98bd457c155086e000a430134918
|
9edc2314 | 13-May-2020 |
Patrick Williams <patrick@stwcx.xyz> |
sdbusplus: replace message::variant with std::variant
Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: Ife4795f07d72b2dd3dd0f218b4cf9777cb02dec4 |
a3de8a8b | 08-May-2020 |
Yong Li <yong.b.li@linux.intel.com> |
Use public for enable_shared_from_this
The default inheritance for class is private, the weak_from_this will always return NULL. This causes the SOL data to be out of sync, change it to public.
Tested: Ipmitool sol works the same as SOL in webui
Signed-off-by: Yong Li <yong.b.li@linux.intel.com> Change-Id: I8f80521e58684c178973447e40c7a10dd2ae18c9
|
a6ad5e16 | 21-Feb-2020 |
Vernon Mauery <vernon.mauery@linux.intel.com> |
Check if the object is still valid in the timeout callback function
When the SOL module in netipmid is busy, there is a chance that the timeout callback function is executed after the context object is destructed. This will cause the process to crash with this error:
    terminate called after throwing an instance of 'boost::wrapexcept<boost::asio::bad_executor>'
      what(): bad executor
The root cause is that the cancel() cannot cancel the expired callback handlers. When the callback handler is executed, the object is deleted already.
This uses proper reference counting on the objects captured in the lambda so that they are not referencing memory that has already gone out of scope.
Tested: Decrease the accumulateInterval to 50ms for easy reproducing. Run "ipmitool sel list", "ipmitool sensor list" and "ipmitool sol looptest 200 500" at the same time, no "sol looptest fail" error
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com> Change-Id: I4b9e4ebce14ff5fca8e991aed96643186c9ea5d9
|
9979e997 | 07-Feb-2020 |
Rajashekar Gade Reddy <raja.sekhar.reddy.gade@linux.intel.com> |
Update the remote ip addr to session properties
Add remote ip address to session properties so that it is passed to ipmi-host. This will enable certain commands to know the remote ip address.
Tested: Get session info command shows the remote ip address of the active sessions.
    ipmitool -I lanplus -H <ip_addr> -U <user> -P <password> session info all
    session handle : 129
    slot count : 45
    active sessions : 1
    user id : 1
    privilege level : ADMINISTRATOR
    session type : IPMIv1.5
    channel number : 0x03
    console ip : <remote ip address>
    console mac : 00:00:00:00:00:00
    console port : 50854

    session handle : 0
    slot count : 45
    active sessions : 1
Signed-off-by: Rajashekar Gade Reddy <raja.sekhar.reddy.gade@linux.intel.com> Change-Id: I1a431437da97240941390322adc59acb2c5323d1
|
4c494398 | 31-Mar-2020 |
Suryakanth Sekar <suryakanth.sekar@linux.intel.com> |
Remove HMAC-SHA1 from Authentication/Integrity Alg
Reason: For security reasons, HMAC-SHA1 is deprecated.
Please note: Use latest ipmitool or ipmitool v1.8.18.177.g7ccea28 or later
Tested:
    ipmitool -H <BMCIP> -I lanplus -U <username> -P <password> -C 3 raw 6 1
    Error in open session response message : invalid authentication algorithm
    Error: Unable to establish IPMI v2 / RMCP+ session

    ipmitool -H <BMCIP> -I lanplus -U <username> -P <password> -C 17 raw 6 1
    23 00 00 40 02 bf 57 01 00 91 00 0d 62 04 f5
Signed-off-by: Suryakanth Sekar <suryakanth.sekar@linux.intel.com> Change-Id: I8226c06a248ec601d848c1e2dd7eb129a272c503
|
2555e2ec | 24-Dec-2019 |
jayaprakash Mutyala <mutyalax.jayaprakash@intel.com> |
rakp12: Fix for Callback privilege
Issue: GetPayload Activation status should not be allowed for Callback privilege as Callback privilege is deprecated.
Fix: Returning proper error response for Callback privilege
Tested:
Before:
    Command: ipmitool -I lanplus -U root -P 0penBmc -H <BMC-IP> -L Callback raw 6 0x4A 1 // GetPayload Activation Status
    Response: 01 00 00
After:
    Command: ipmitool -I lanplus -U root -P 0penBmc -H <BMC-IP> -L Callback raw 6 0x4A 1 //GetPayload Activation Status
    Response: Error: Unable to establish IPMI v2 / RMCP+ session
Signed-off-by: jayaprakash Mutyala <mutyalax.jayaprakash@intel.com> Change-Id: Iab12aa546ec6b05e547a39032e400d0c382f5178
|
706ef5ab | 28-Jan-2020 |
Emily Shaffer <emilyshaffer@google.com> |
MAINTAINERS: remove Emily Shaffer
See https://lists.ozlabs.org/pipermail/openbmc/2020-January/020345.html
Signed-off-by: Emily Shaffer <emilyshaffer@google.com> Change-Id: Ia782ac797bfe85752b20ae880189e137c1e8e917
|
899cf5ab | 18-Jan-2020 |
Yong Li <yong.b.li@linux.intel.com> |
Fix elapsedSeconds date formatting causing netipmid crash during BMC booting
If sending ipmi command during BMC booting process or BMC is very busy, the netipmid service will crash. The root cause is that the incoming UDP packet processing time > 2 seconds, and triggers the log, but the elapsedSeconds date formatting is incorrect, it causes the process crash.
Signed-off-by: Yong Li <yong.b.li@linux.intel.com> Change-Id: Ia84149e4b4344793916003fc1ad0cdb26070e388
|
86985d57 | 29-Nov-2019 |
Ivan Mikhaylov <i.mikhaylov@yadro.com> |
Fix: fix the access to sin/sin6_addr in getRemoteAddress
inet_ntop using 'remoteSockAddr' instead of casting it to 'sockaddr_in/in6' structure and getting the field 'sin/sin6_addr' access. As result of this 'getRemoteAddress' returns junk from top of the 'sockaddr_storage' structure.
Tested: Verified by calling 'getRemoteAddress' inside net-ipmi lambda handler.
    [handler, this](const boost::system::error_code& ec,
                    const IpmiDbusRspType& response) {
        ...
        std::string raddr = handler->getChannel()->getRemoteAddress();
        some_func_for_put_addr(raddr);
        ...
    }
Signed-off-by: Ivan Mikhaylov <i.mikhaylov@yadro.com> Change-Id: Ia8ae2763a2ab372c148323974fe33ac44b1d28f0
|
46bec0f6 | 11-Dec-2019 |
Jason M. Bills <jason.m.bills@linux.intel.com> |
Always return Message Tag and Remote Console Session ID
Per the IPMI spec, even on an error we should return the Message Tag and Remote Console Session ID values.
This sets those two response values first so they are always set in case of an error.
Tested: Ran ipmitool with verbose enabled and confirmed that the Console Session ID is set:
    ipmitool -vv -C 7 mc info

    <<OPEN SESSION RESPONSE
    << Message tag : 0x00
    << RMCP+ status : invalid authentication algorithm
    << Maximum privilege level : Unknown (0x00)
    << Console Session ID : 0xa0a2a3a4

Ran ipmipower with --debug and confirmed that the Message Tag is set and the command returns an error instead of timing out
    ipmipower --debug -D LAN_2_0 -s -l ADMIN -I 7

    IPMI Command Data:
    ------------------
    [ BCh] = message_tag[ 8b]
    [ 4h] = rmcpplus_status_code[ 8b]
    [ 41F00603h] = remote_console_session_id[32b]
Ran both of the above commands using cipher suite 17 and they both complete successfully.
Change-Id: Ic21ec910103a1befdf5e79f7b1afaf83dae63e9f Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
|