2011-08-17 04:38:08 +02:00
|
|
|
/** @file
|
|
|
|
|
The header file of CHAP configuration.
|
|
|
|
|
|
2018-06-27 15:12:32 +02:00
|
|
|
Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
|
2019-04-04 01:06:13 +02:00
|
|
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
2011-08-17 04:38:08 +02:00
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
|
|
|
|
|
#ifndef _ISCSI_CHAP_H_
|
|
|
|
|
#define _ISCSI_CHAP_H_
|
|
|
|
|
|
2021-06-29 18:33:33 +02:00
|
|
|
#define ISCSI_AUTH_METHOD_CHAP "CHAP"
|
2011-08-17 04:38:08 +02:00
|
|
|
|
2021-06-29 18:33:33 +02:00
|
|
|
#define ISCSI_KEY_CHAP_ALGORITHM "CHAP_A"
|
|
|
|
|
#define ISCSI_KEY_CHAP_IDENTIFIER "CHAP_I"
|
|
|
|
|
#define ISCSI_KEY_CHAP_CHALLENGE "CHAP_C"
|
|
|
|
|
#define ISCSI_KEY_CHAP_NAME "CHAP_N"
|
|
|
|
|
#define ISCSI_KEY_CHAP_RESPONSE "CHAP_R"
|
2011-08-17 04:38:08 +02:00
|
|
|
|
NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes
IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the
digest (16) that it solely supports at this point (MD5).
ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related
buffers (binary buffers and hex encodings alike), and (b) *processing*
binary digest buffers (comparing them, filling them, reading them).
In preparation for adding other hash algorithms, split purpose (a) from
purpose (b). For purpose (a) -- buffer allocation --, introduce
ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on
MD5_DIGEST_SIZE from <BaseCryptLib.h>.
Distinguishing these purposes is justified because purpose (b) --
processing -- must depend on the hashing algorithm negotiated between
initiator and target, while for purpose (a) -- allocation --, using the
maximum supported digest size is suitable. For now, because only MD5 is
supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE.
Note that the argument for using the digest size as the size of the
outgoing challenge (in case mutual authentication is desired by the
initiator) remains in place. Because of this, the above two purposes are
distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well.
This patch is functionally a no-op, just yet.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-4-lersek@redhat.com>
2021-06-29 18:33:34 +02:00
|
|
|
//
|
|
|
|
|
// Identifiers of supported CHAP hash algorithms:
|
|
|
|
|
// https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9
|
|
|
|
|
//
|
2021-06-29 18:33:33 +02:00
|
|
|
#define ISCSI_CHAP_ALGORITHM_MD5 5
|
2011-08-17 04:38:08 +02:00
|
|
|
|
NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes
IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the
digest (16) that it solely supports at this point (MD5).
ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related
buffers (binary buffers and hex encodings alike), and (b) *processing*
binary digest buffers (comparing them, filling them, reading them).
In preparation for adding other hash algorithms, split purpose (a) from
purpose (b). For purpose (a) -- buffer allocation --, introduce
ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on
MD5_DIGEST_SIZE from <BaseCryptLib.h>.
Distinguishing these purposes is justified because purpose (b) --
processing -- must depend on the hashing algorithm negotiated between
initiator and target, while for purpose (a) -- allocation --, using the
maximum supported digest size is suitable. For now, because only MD5 is
supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE.
Note that the argument for using the digest size as the size of the
outgoing challenge (in case mutual authentication is desired by the
initiator) remains in place. Because of this, the above two purposes are
distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well.
This patch is functionally a no-op, just yet.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-4-lersek@redhat.com>
2021-06-29 18:33:34 +02:00
|
|
|
//
|
|
|
|
|
// Byte count of the largest digest over the above-listed
|
|
|
|
|
// ISCSI_CHAP_ALGORITHM_* hash algorithms.
|
|
|
|
|
//
|
|
|
|
|
#define ISCSI_CHAP_MAX_DIGEST_SIZE MD5_DIGEST_SIZE
|
2011-08-17 04:38:08 +02:00
|
|
|
|
2021-06-29 18:33:33 +02:00
|
|
|
#define ISCSI_CHAP_STEP_ONE 1
|
|
|
|
|
#define ISCSI_CHAP_STEP_TWO 2
|
|
|
|
|
#define ISCSI_CHAP_STEP_THREE 3
|
|
|
|
|
#define ISCSI_CHAP_STEP_FOUR 4
|
2011-08-17 04:38:08 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
#pragma pack(1)
|
|
|
|
|
|
|
|
|
|
typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
|
|
|
|
|
UINT8 CHAPType;
|
|
|
|
|
CHAR8 CHAPName[ISCSI_CHAP_NAME_STORAGE];
|
|
|
|
|
CHAR8 CHAPSecret[ISCSI_CHAP_SECRET_STORAGE];
|
|
|
|
|
CHAR8 ReverseCHAPName[ISCSI_CHAP_NAME_STORAGE];
|
|
|
|
|
CHAR8 ReverseCHAPSecret[ISCSI_CHAP_SECRET_STORAGE];
|
|
|
|
|
} ISCSI_CHAP_AUTH_CONFIG_NVDATA;
|
|
|
|
|
|
|
|
|
|
#pragma pack()
|
|
|
|
|
|
|
|
|
|
///
|
|
|
|
|
/// ISCSI CHAP Authentication Data
|
|
|
|
|
///
|
|
|
|
|
typedef struct _ISCSI_CHAP_AUTH_DATA {
|
|
|
|
|
ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig;
|
|
|
|
|
UINT32 InIdentifier;
|
2021-06-08 14:12:51 +02:00
|
|
|
UINT8 InChallenge[1024];
|
2011-08-17 04:38:08 +02:00
|
|
|
UINT32 InChallengeLength;
|
|
|
|
|
//
|
|
|
|
|
// Calculated CHAP Response (CHAP_R) value.
|
|
|
|
|
//
|
NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes
IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the
digest (16) that it solely supports at this point (MD5).
ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related
buffers (binary buffers and hex encodings alike), and (b) *processing*
binary digest buffers (comparing them, filling them, reading them).
In preparation for adding other hash algorithms, split purpose (a) from
purpose (b). For purpose (a) -- buffer allocation --, introduce
ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on
MD5_DIGEST_SIZE from <BaseCryptLib.h>.
Distinguishing these purposes is justified because purpose (b) --
processing -- must depend on the hashing algorithm negotiated between
initiator and target, while for purpose (a) -- allocation --, using the
maximum supported digest size is suitable. For now, because only MD5 is
supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE.
Note that the argument for using the digest size as the size of the
outgoing challenge (in case mutual authentication is desired by the
initiator) remains in place. Because of this, the above two purposes are
distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well.
This patch is functionally a no-op, just yet.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-4-lersek@redhat.com>
2021-06-29 18:33:34 +02:00
|
|
|
UINT8 CHAPResponse[ISCSI_CHAP_MAX_DIGEST_SIZE];
|
2011-08-17 04:38:08 +02:00
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Auth-data to be sent out for mutual authentication.
|
|
|
|
|
//
|
NetworkPkg/IScsiDxe: clean up "ISCSI_CHAP_AUTH_DATA.OutChallengeLength"
The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array
with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge
is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used
in the array.
Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused)
ISCSI_CHAP_AUTH_MAX_LEN macro.
Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is
superfluous too.
Most importantly, explain in a new comment *why* tying the challenge size
to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also
Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge
length to the hash digest size", 2019-11-06.) For sure, the motivation
that the new comment now explains has always been there, and has always
been the same, for IScsiDxe; it's just that now we spell it out too.
No change in peer-visible behavior.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-4-lersek@redhat.com>
2021-06-08 14:12:52 +02:00
|
|
|
// While the challenge size is technically independent of the hashing
|
|
|
|
|
// algorithm, it is good practice to avoid hashing *fewer bytes* than the
|
|
|
|
|
// digest size. In other words, it's good practice to feed *at least as many
|
|
|
|
|
// bytes* to the hashing algorithm as the hashing algorithm will output.
|
|
|
|
|
//
|
2011-08-17 04:38:08 +02:00
|
|
|
UINT32 OutIdentifier;
|
NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes
IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the
digest (16) that it solely supports at this point (MD5).
ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related
buffers (binary buffers and hex encodings alike), and (b) *processing*
binary digest buffers (comparing them, filling them, reading them).
In preparation for adding other hash algorithms, split purpose (a) from
purpose (b). For purpose (a) -- buffer allocation --, introduce
ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on
MD5_DIGEST_SIZE from <BaseCryptLib.h>.
Distinguishing these purposes is justified because purpose (b) --
processing -- must depend on the hashing algorithm negotiated between
initiator and target, while for purpose (a) -- allocation --, using the
maximum supported digest size is suitable. For now, because only MD5 is
supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE.
Note that the argument for using the digest size as the size of the
outgoing challenge (in case mutual authentication is desired by the
initiator) remains in place. Because of this, the above two purposes are
distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well.
This patch is functionally a no-op, just yet.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-4-lersek@redhat.com>
2021-06-29 18:33:34 +02:00
|
|
|
UINT8 OutChallenge[ISCSI_CHAP_MAX_DIGEST_SIZE];
|
2011-08-17 04:38:08 +02:00
|
|
|
} ISCSI_CHAP_AUTH_DATA;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
This function checks the received iSCSI Login Response during the security
|
|
|
|
|
negotiation stage.
|
|
|
|
|
|
|
|
|
|
@param[in] Conn The iSCSI connection.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS The Login Response passed the CHAP validation.
|
|
|
|
|
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
|
|
|
|
|
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
|
|
|
|
|
@retval Others Other errors as indicated.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
IScsiCHAPOnRspReceived (
|
|
|
|
|
IN ISCSI_CONNECTION *Conn
|
|
|
|
|
);
|
|
|
|
|
/**
|
|
|
|
|
This function fills the CHAP authentication information into the login PDU
|
|
|
|
|
during the security negotiation stage in the iSCSI connection login.
|
|
|
|
|
|
|
|
|
|
@param[in] Conn The iSCSI connection.
|
|
|
|
|
@param[in, out] Pdu The PDU to send out.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS All check passed and the phase-related CHAP
|
2021-06-08 14:12:50 +02:00
|
|
|
authentication info is filled into the iSCSI
|
|
|
|
|
PDU.
|
2011-08-17 04:38:08 +02:00
|
|
|
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
|
|
|
|
|
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
IScsiCHAPToSendReq (
|
|
|
|
|
IN ISCSI_CONNECTION *Conn,
|
|
|
|
|
IN OUT NET_BUF *Pdu
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
#endif
|
