Add securemode/password-setting

*BASICALLY CLEANED UP VERSION OF Drive-Trust-Alliance#271

This commit does what the linked PR says, and also fixes a few bugs in
that original PR. I'm not sure what the right way to give credit is and
it was very painful to resurrect CVE's original patches and roll my own
on top, so the disclaimer here is that it's like 95% his code :).

A few notable things:
* We don't need to modify the makefiles, since we split that out in the
  prior commit.
* We fixed his original makefile, which didn't quite work: that change
  is folded naturally into prior commit.
* The generated makefiles don't need to change, because since CVE's
  original patchset, GetPassPhrase.o was introduced organically to the
  codebase, and ergo the makefiles.

The most interesting thing here is we allow hashing to be forced off by
`-n` even during secure mode.

The key issue we ran into was that if a drive is originally set with no
hashing, then hash'd invocations in the future will fail(obviously). As
implemented, CVE's original patches will silently debug output, and then
turn on hashing without telling the user.

Not a domain expert in why hashing is necessary here, but in either
case, I think we should support the case where a password was originally
set without hashing, by allowing hashing to be turned off _if_ specified
explicitly.

We also do some sneaky business by ensuring -n is evaluated after -s, so
-n will always override -s, if provided.

Signed-off-by: Howard McLauchlan <hmclauchlan@fb.com>

Author: Howard McLauchlan

Common/DtaDev.h

@@ -111,37 +111,40 @@ class DtaDev {
 	/** User command to prepare the device for management by sedutil.
 	 * Specific to the SSC that the device supports
 	 * @param password the password that is to be assigned to the SSC master entities
+     * @param securemode is the new password should be interactively asked
 	 */
-	virtual uint8_t initialSetup(char * password) = 0;
+	virtual uint8_t initialSetup(char * password, bool securemode = false) = 0;
 	/** User command to prepare the drive for Single User Mode and rekey a SUM locking range.
 	 * @param lockingrange locking range number to enable
 	 * @param start LBA to start locking range
 	 * @param length length (in blocks) for locking range
 	 * @param Admin1Password admin1 password for TPer
 	 * @param password User password to set for locking range
 	 */
-	virtual uint8_t setup_SUM(uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password) = 0;
+	virtual uint8_t setup_SUM(uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password, bool securemode = false) = 0;
 	/** Set the SID password.
 	 * Requires special handling because password is not always hashed.
 	 * @param oldpassword  current SID password
 	 * @param newpassword  value password is to be changed to
 	 * @param hasholdpwd  is the old password to be hashed before being added to the bytestream
 	 * @param hashnewpwd  is the new password to be hashed before being added to the bytestream
+     * @param securemode is the new password should be interactively asked
 	 */
 	virtual uint8_t setSIDPassword(char * oldpassword, char * newpassword,
-		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1) = 0;
+		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) = 0;
 	/** Set the password of a locking SP user.
 	 * @param password  current password
 	 * @param userid the userid whose password is to be changed
 	 * @param newpassword  value password is to be changed to
+     * @param securemode is the new password shoulb be interactively asked
 	 */
-	virtual uint8_t setPassword(char * password, char * userid, char * newpassword) = 0;
+	virtual uint8_t setPassword(char * password, char * userid, char * newpassword, bool securemode = false) = 0;
 	/** Set the password of a locking SP user in Single User Mode.
          * @param password  current user password
          * @param userid the userid whose password is to be changed
          * @param newpassword  value password is to be changed to
          */
-	virtual uint8_t setNewPassword_SUM(char * password, char * userid, char * newpassword) = 0;
+	virtual uint8_t setNewPassword_SUM(char * password, char * userid, char * newpassword, bool securemode = false) = 0;
 	/** Loads a disk image file to the shadow MBR table.
 	 * @param password the password for the administrative authority with access to the table
 	 * @param filename the filename of the disk image
@@ -230,8 +233,9 @@ class DtaDev {
 	virtual uint8_t eraseLockingRange_SUM(uint8_t lockingrange, char * password) = 0;
 	/** Change the SID password from it's MSID default
 	 * @param newpassword  new password for SID and locking SP admins
+     * @param securemode is the new password should be interactively asked
 	 */
-	virtual uint8_t takeOwnership(char * newpassword) = 0;
+	virtual uint8_t takeOwnership(char * newpassword, bool securemode = false) = 0;
 	/** Reset the Locking SP to its factory default condition
 	 * ERASES ALL DATA!
 	 * @param password of Administrative user

Common/DtaDevEnterprise.cpp

@@ -171,12 +171,12 @@ DtaDevEnterprise::DtaDevEnterprise(const char * devref)
 DtaDevEnterprise::~DtaDevEnterprise()
 {
 }
-uint8_t DtaDevEnterprise::initialSetup(char * password)
+uint8_t DtaDevEnterprise::initialSetup(char * password, bool securemode)
 {
 	LOG(D1) << "Entering initialSetup()";
 	uint8_t lastRC;
 
-	if ((lastRC = takeOwnership(password)) != 0) {
+	if ((lastRC = takeOwnership(password, securemode)) != 0) {
 		LOG(E) << "Initial setup failed - unable to take ownership";
 		return lastRC;
 	}
@@ -196,7 +196,7 @@ uint8_t DtaDevEnterprise::initialSetup(char * password)
 	LOG(D1) << "Exiting initialSetup()";
 	return 0;
 }
-uint8_t DtaDevEnterprise::setup_SUM(uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password)
+uint8_t DtaDevEnterprise::setup_SUM(uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password, bool securemode)
 {
 	LOG(D1) << "Entering DtaDevEnterprise::setup_SUM";
 	LOG(I) << "setup_SUM not supported on DtaDevEnterprise";
@@ -377,13 +377,18 @@ uint8_t DtaDevEnterprise::revertLockingSP(char * password, uint8_t keep)
 	LOG(D1) << "Exiting DtaDevEnterprise::revertLockingSP()";
 	return 0;
 }
-uint8_t DtaDevEnterprise::setPassword(char * password, char * userid, char * newpassword)
+uint8_t DtaDevEnterprise::setPassword(char * password, char * userid, char * newpassword, bool securemode)
 {
 	LOG(D1) << "Entering DtaDevEnterprise::setPassword" ;
-	uint8_t lastRC;
+	uint8_t lastRC = 0;
 	string defaultPassword;
 	char *pwd = password, *newpwd = newpassword;
 
+    if (securemode) {
+        LOG(I) << "setSIDPassword in secure mode in the Enterprise SSC is not supported";
+        return lastRC;
+    }
+
 	if (11 > strnlen(userid, 15)) {
 		LOG(E) << "Invalid Userid " << userid;
 		return DTAERROR_INVALID_PARAMETER;
@@ -463,7 +468,7 @@ uint8_t DtaDevEnterprise::setPassword(char * password, char * userid, char * new
 	LOG(D1) << "Exiting DtaDevEnterprise::setPassword()";
 	return 0;
 }
-uint8_t DtaDevEnterprise::setNewPassword_SUM(char * password, char * userid, char * newpassword)
+uint8_t DtaDevEnterprise::setNewPassword_SUM(char * password, char * userid, char * newpassword, bool securemode)
 {
 	LOG(D1) << "Entering DtaDevEnterprise::setNewPassword_SUM()";
 	LOG(I) << "setNewPassword_SUM is not in the Enterprise SSC and not supported";
@@ -1022,7 +1027,7 @@ uint8_t DtaDevEnterprise::eraseLockingRange_SUM(uint8_t lockingrange, char * pas
 	LOG(D1) << "Exiting DtaDevEnterprise::eraseLockingRange_SUM()";
 	return DTAERROR_INVALID_PARAMETER;
 }
-uint8_t DtaDevEnterprise::takeOwnership(char * newpassword)
+uint8_t DtaDevEnterprise::takeOwnership(char * newpassword, bool securemode)
 {
 	string defaultPassword;
 	uint8_t lastRC;
@@ -1033,7 +1038,7 @@ uint8_t DtaDevEnterprise::takeOwnership(char * newpassword)
 		return lastRC;
 	}
 	defaultPassword = response.getString(5);
-	if ((lastRC = setSIDPassword((char *)defaultPassword.c_str(), newpassword, 0)) != 0) {
+	if ((lastRC = setSIDPassword((char *)defaultPassword.c_str(), newpassword, 0, 1, securemode)) != 0) {
 		LOG(E) << "takeOwnership failed unable to set new SID password";
 		return lastRC;
 	}
@@ -1270,10 +1275,15 @@ uint8_t DtaDevEnterprise::printDefaultPassword()
     return 0;
 }
 uint8_t DtaDevEnterprise::setSIDPassword(char * oldpassword, char * newpassword,
-	uint8_t hasholdpwd, uint8_t hashnewpwd)
+	uint8_t hasholdpwd, uint8_t hashnewpwd, bool securemode)
 {
 	LOG(D1) << "Entering DtaDevEnterprise::setSIDPassword()";
-	uint8_t lastRC;
+	uint8_t lastRC = 0;
+
+    if (securemode) {
+        LOG(I) << "setSIDPassword in the Enterprise SSC is not supported";
+        return lastRC;
+    }
 
 	vector<uint8_t> user;
     set8(user, OPALUID[OPAL_SID_UID]);

Common/DtaDevEnterprise.h

@@ -57,8 +57,9 @@ class DtaDevEnterprise : public DtaDevOS {
 	uint16_t comID();
         /** Change the SID password from it's MSID default 
          * @param newpassword  new password for SID 
+         * @param securemode is the new password should be interactively asked
          */
-	uint8_t takeOwnership(char * newpassword);
+	uint8_t takeOwnership(char * newpassword, bool securemode = false);
         /** Change the passwords for the enabled Bandmasters and the Erasemaster 
          * from the MSID default.
          * @param defaultPassword the MSID password
@@ -80,9 +81,10 @@ class DtaDevEnterprise : public DtaDevOS {
          * @param newpassword  value password is to be changed to
          * @param hasholdpwd  is the old password to be hashed before being added to the bytestream
          * @param hashnewpwd  is the new password to be hashed before being added to the bytestream
+         * @param securemode is the new password should be interactively asked
          */ 
 	uint8_t setSIDPassword(char * oldpassword, char * newpassword,
-		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1);
+		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false);
         /** set a single column in an object table 
          * @param table the UID of the table
          * @param name the column name to be set
@@ -124,10 +126,11 @@ class DtaDevEnterprise : public DtaDevOS {
          * @param password  current password
          * @param userid the userid whose password is to be changed 
          * @param newpassword  value password is to be changed to
+         * @param securemode is the new password should be interactively asked
          */
-	uint8_t setPassword(char * password, char * userid, char * newpassword);
+	uint8_t setPassword(char * password, char * userid, char * newpassword, bool securemode = false);
 	/** dummy code not implemented in the enterprise SSC*/
-	uint8_t setNewPassword_SUM(char * password, char * userid, char * newpassword);
+	uint8_t setNewPassword_SUM(char * password, char * userid, char * newpassword, bool securemode = false);
 	uint8_t setLockingRange(uint8_t lockingrange, uint8_t lockingstate,
 		char * password);
 	/** dummy code not implemented in the enterprise SSC*/
@@ -180,10 +183,11 @@ class DtaDevEnterprise : public DtaDevOS {
          /** User command to prepare the device for management by sedutil. 
          * Specific to the SSC that the device supports
          * @param password the password that is to be assigned to the SSC master entities 
+         * @param securemode is the new password should be interactively asked
          */
-	uint8_t initialSetup(char * password);
+	uint8_t initialSetup(char * password, bool securemode = false);
 	/** dummy code not implemented in the enterprise SSC*/
-	uint8_t setup_SUM(uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password);
+	uint8_t setup_SUM(uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password, bool securemode = false);
         /** Displays the identify and discovery 0 information */
 	void puke();
          /** Dumps an object for diagnostic purposes

Common/DtaDevGeneric.cpp

@@ -62,13 +62,13 @@ DtaDevGeneric::~DtaDevGeneric()
 void DtaDevGeneric::init(const char * devref)
 {
 }
-uint8NOCODE(initialSetup, char *password)
+uint8NOCODE(initialSetup, char *password, bool securemode)
 uint8NOCODE(configureLockingRange,uint8_t lockingrange, 
 	uint8_t enabled, char * password)
 uint8NOCODE(revertLockingSP,char * password, uint8_t keep)
-uint8NOCODE(setup_SUM, uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password)
-uint8NOCODE(setPassword,char * password, char * userid, char * newpassword)
-uint8NOCODE(setNewPassword_SUM,char * password, char * userid, char * newpassword)
+uint8NOCODE(setup_SUM, uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password, bool securemode)
+uint8NOCODE(setPassword,char * password, char * userid, char * newpassword, bool securemode)
+uint8NOCODE(setNewPassword_SUM,char * password, char * userid, char * newpassword, bool securemode)
 uint8NOCODE(setMBREnable,uint8_t mbrstate, char * Admin1Password)
 uint8NOCODE(setMBRDone,uint8_t mbrstate, char * Admin1Password)
 uint8NOCODE(setLockingRange,uint8_t lockingrange, uint8_t lockingstate,
@@ -90,9 +90,9 @@ uint8NOCODE(loadPBA,char * password, char * filename)
 uint8NOCODE(activateLockingSP,char * password)
 uint8NOCODE(activateLockingSP_SUM,uint8_t lockingrange, char * password)
 uint8NOCODE(eraseLockingRange_SUM, uint8_t lockingrange, char * password)
-uint8NOCODE(takeOwnership, char * newpassword)
+uint8NOCODE(takeOwnership, char * newpassword, bool securemode)
 uint8NOCODE(setSIDPassword,char * oldpassword, char * newpassword,
-	uint8_t hasholdpwd, uint8_t hashnewpwd)
+	uint8_t hasholdpwd, uint8_t hashnewpwd, bool securemode)
 uint16_t DtaDevGeneric::comID()
 {
 	LOG(E) << "Generic Device class does not support function " << "comID" << std::endl; 

Common/DtaDevGeneric.h

@@ -56,36 +56,40 @@ class DtaDevGeneric : public DtaDevOS {
          * Specific to the SSC that the device supports
          * @param password the password that is to be assigned to the SSC master entities 
          */
-	 uint8_t initialSetup(char * password) ;
+	 uint8_t initialSetup(char * password, bool securemode) ;
 	/** User command to prepare the drive for Single User Mode and rekey a SUM locking range.
          * @param lockingrange locking range number to enable
          * @param start LBA to start locking range
          * @param length length (in blocks) for locking range
          * @param Admin1Password admin1 password for TPer
          * @param password User password to set for locking range
+         * @param securemode is the new password shoulb be interactively asked
          */
-         uint8_t setup_SUM(uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password);
+         uint8_t setup_SUM(uint8_t lockingrange, uint64_t start, uint64_t length, char *Admin1Password, char * password, bool securemode = false);
           /** Set the SID password.
          * Requires special handling because password is not always hashed.
          * @param oldpassword  current SID password
          * @param newpassword  value password is to be changed to
          * @param hasholdpwd  is the old password to be hashed before being added to the bytestream
          * @param hashnewpwd  is the new password to be hashed before being added to the bytestream
+         * @param securemode is the new password shoulb be interactively asked
          */ 
 	 uint8_t setSIDPassword(char * oldpassword, char * newpassword,
-		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1) ;
+		uint8_t hasholdpwd = 1, uint8_t hashnewpwd = 1, bool securemode = false) ;
          /** Set the password of a locking SP user.
           * @param password  current password
          * @param userid the userid whose password is to be changed 
          * @param newpassword  value password is to be changed to
+         * @param securemode is the new password should be interactively asked
          */
-	 uint8_t setPassword(char * password, char * userid, char * newpassword) ;
+	 uint8_t setPassword(char * password, char * userid, char * newpassword, bool securemode = false) ;
 	 /** Set the password of a locking SP user in Single User Mode.
          * @param password  current user password
          * @param userid the userid whose password is to be changed
          * @param newpassword  value password is to be changed to
+         * @param securemode is the new password should be interactively asked
          */
-	 uint8_t setNewPassword_SUM(char * password, char * userid, char * newpassword) ;
+	 uint8_t setNewPassword_SUM(char * password, char * userid, char * newpassword, bool securemode = false) ;
           /** Loads a disk image file to the shadow MBR table.
          * @param password the password for the administrative authority with access to the table
          * @param filename the filename of the disk image
@@ -174,8 +178,9 @@ class DtaDevGeneric : public DtaDevOS {
         uint8_t eraseLockingRange_SUM(uint8_t lockingrange, char * password);
         /** Change the SID password from it's MSID default 
          * @param newpassword  new password for SID and locking SP admins
+         * @param securemode is the new password should be interactively asked
          */ 
-	 uint8_t takeOwnership(char * newpassword) ;
+	 uint8_t takeOwnership(char * newpassword, bool securemode = false) ;
          /** Reset the Locking SP to its factory default condition
          * ERASES ALL DATA!
          * @param password of Administrative user