2011-08-17 04:38:08 +02:00
|
|
|
/** @file
|
|
|
|
|
The header file of CHAP configuration.
|
|
|
|
|
|
2018-06-27 15:12:32 +02:00
|
|
|
Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
|
2019-04-04 01:06:13 +02:00
|
|
|
SPDX-License-Identifier: BSD-2-Clause-Patent
|
2011-08-17 04:38:08 +02:00
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
|
|
|
|
|
#ifndef _ISCSI_CHAP_H_
|
|
|
|
|
#define _ISCSI_CHAP_H_
|
|
|
|
|
|
2021-06-29 18:33:33 +02:00
|
|
|
#define ISCSI_AUTH_METHOD_CHAP "CHAP"
|
2011-08-17 04:38:08 +02:00
|
|
|
|
2021-06-29 18:33:33 +02:00
|
|
|
#define ISCSI_KEY_CHAP_ALGORITHM "CHAP_A"
|
|
|
|
|
#define ISCSI_KEY_CHAP_IDENTIFIER "CHAP_I"
|
|
|
|
|
#define ISCSI_KEY_CHAP_CHALLENGE "CHAP_C"
|
|
|
|
|
#define ISCSI_KEY_CHAP_NAME "CHAP_N"
|
|
|
|
|
#define ISCSI_KEY_CHAP_RESPONSE "CHAP_R"
|
2011-08-17 04:38:08 +02:00
|
|
|
|
NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes
IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the
digest (16) that it solely supports at this point (MD5).
ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related
buffers (binary buffers and hex encodings alike), and (b) *processing*
binary digest buffers (comparing them, filling them, reading them).
In preparation for adding other hash algorithms, split purpose (a) from
purpose (b). For purpose (a) -- buffer allocation --, introduce
ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on
MD5_DIGEST_SIZE from <BaseCryptLib.h>.
Distinguishing these purposes is justified because purpose (b) --
processing -- must depend on the hashing algorithm negotiated between
initiator and target, while for purpose (a) -- allocation --, using the
maximum supported digest size is suitable. For now, because only MD5 is
supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE.
Note that the argument for using the digest size as the size of the
outgoing challenge (in case mutual authentication is desired by the
initiator) remains in place. Because of this, the above two purposes are
distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well.
This patch is functionally a no-op, just yet.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-4-lersek@redhat.com>
2021-06-29 18:33:34 +02:00
|
|
|
//
|
|
|
|
|
// Identifiers of supported CHAP hash algorithms:
|
|
|
|
|
// https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9
|
|
|
|
|
//
|
2021-06-29 18:33:33 +02:00
|
|
|
#define ISCSI_CHAP_ALGORITHM_MD5 5
|
2021-06-29 18:33:36 +02:00
|
|
|
#define ISCSI_CHAP_ALGORITHM_SHA256 7
|
2011-08-17 04:38:08 +02:00
|
|
|
|
NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes
IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the
digest (16) that it solely supports at this point (MD5).
ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related
buffers (binary buffers and hex encodings alike), and (b) *processing*
binary digest buffers (comparing them, filling them, reading them).
In preparation for adding other hash algorithms, split purpose (a) from
purpose (b). For purpose (a) -- buffer allocation --, introduce
ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on
MD5_DIGEST_SIZE from <BaseCryptLib.h>.
Distinguishing these purposes is justified because purpose (b) --
processing -- must depend on the hashing algorithm negotiated between
initiator and target, while for purpose (a) -- allocation --, using the
maximum supported digest size is suitable. For now, because only MD5 is
supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE.
Note that the argument for using the digest size as the size of the
outgoing challenge (in case mutual authentication is desired by the
initiator) remains in place. Because of this, the above two purposes are
distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well.
This patch is functionally a no-op, just yet.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-4-lersek@redhat.com>
2021-06-29 18:33:34 +02:00
|
|
|
//
|
|
|
|
|
// Byte count of the largest digest over the above-listed
|
|
|
|
|
// ISCSI_CHAP_ALGORITHM_* hash algorithms.
|
|
|
|
|
//
|
2021-06-29 18:33:36 +02:00
|
|
|
#define ISCSI_CHAP_MAX_DIGEST_SIZE SHA256_DIGEST_SIZE
|
2011-08-17 04:38:08 +02:00
|
|
|
|
2021-06-29 18:33:33 +02:00
|
|
|
#define ISCSI_CHAP_STEP_ONE 1
|
|
|
|
|
#define ISCSI_CHAP_STEP_TWO 2
|
|
|
|
|
#define ISCSI_CHAP_STEP_THREE 3
|
|
|
|
|
#define ISCSI_CHAP_STEP_FOUR 4
|
2011-08-17 04:38:08 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
#pragma pack(1)
|
|
|
|
|
|
|
|
|
|
typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
|
|
|
|
|
UINT8 CHAPType;
|
|
|
|
|
CHAR8 CHAPName[ISCSI_CHAP_NAME_STORAGE];
|
|
|
|
|
CHAR8 CHAPSecret[ISCSI_CHAP_SECRET_STORAGE];
|
|
|
|
|
CHAR8 ReverseCHAPName[ISCSI_CHAP_NAME_STORAGE];
|
|
|
|
|
CHAR8 ReverseCHAPSecret[ISCSI_CHAP_SECRET_STORAGE];
|
|
|
|
|
} ISCSI_CHAP_AUTH_CONFIG_NVDATA;
|
|
|
|
|
|
|
|
|
|
#pragma pack()
|
|
|
|
|
|
NetworkPkg/IScsiDxe: support multiple hash algorithms for CHAP
Introduce the "mChapHash" table, containing the hash algorithms supported
for CHAP. Hash algos listed at the beginning of the table are preferred by
the initiator.
In ISCSI_CHAP_STEP_ONE, send such a CHAP_A value that is the
comma-separated, ordered list of algorithm identifiers from "mChapHash".
Pre-format this value string at driver startup, in the new function
IScsiCHAPInitHashList().
(In IScsiCHAPInitHashList(), also enforce that every hash algo's digest
size fit into ISCSI_CHAP_MAX_DIGEST_SIZE, as the latter controls the
digest, outgoing challenge, and hex *allocations*.)
In ISCSI_CHAP_STEP_TWO, allow the target to select one of the offered hash
algorithms, and remember the selection for the later steps. For
ISCSI_CHAP_STEP_THREE, hash the challenge from the target with the
selected hash algo.
In ISCSI_CHAP_STEP_THREE, send the correctly sized digest to the target.
If the initiator wants mutual authentication, then generate a challenge
with as many bytes as the target's digest will have, in
ISCSI_CHAP_STEP_FOUR.
In ISCSI_CHAP_STEP_FOUR (i.e., when mutual authentication is required by
the initiator), verify the target's response (digest) with the selected
algorithm.
Clear the selected hash algorithm before every login (remember that in
IScsiDxe, every login is a leading login).
There is no peer-observable change from this patch, as it only reworks the
current MD5 support into the new internal representation.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20210629163337.14120-5-lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
2021-06-29 18:33:35 +02:00
|
|
|
//
|
|
|
|
|
// Typedefs for collecting sets of hash APIs from BaseCryptLib.
|
|
|
|
|
//
|
|
|
|
|
typedef
|
|
|
|
|
UINTN
|
|
|
|
|
(EFIAPI *CHAP_HASH_GET_CONTEXT_SIZE) (
|
|
|
|
|
VOID
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef
|
|
|
|
|
BOOLEAN
|
|
|
|
|
(EFIAPI *CHAP_HASH_INIT) (
|
|
|
|
|
OUT VOID *Context
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef
|
|
|
|
|
BOOLEAN
|
|
|
|
|
(EFIAPI *CHAP_HASH_UPDATE) (
|
|
|
|
|
IN OUT VOID *Context,
|
|
|
|
|
IN CONST VOID *Data,
|
|
|
|
|
IN UINTN DataSize
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef
|
|
|
|
|
BOOLEAN
|
|
|
|
|
(EFIAPI *CHAP_HASH_FINAL) (
|
|
|
|
|
IN OUT VOID *Context,
|
|
|
|
|
OUT UINT8 *HashValue
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
|
UINT8 Algorithm; // ISCSI_CHAP_ALGORITHM_*, CHAP_A
|
|
|
|
|
UINT32 DigestSize;
|
|
|
|
|
CHAP_HASH_GET_CONTEXT_SIZE GetContextSize;
|
|
|
|
|
CHAP_HASH_INIT Init;
|
|
|
|
|
CHAP_HASH_UPDATE Update;
|
|
|
|
|
CHAP_HASH_FINAL Final;
|
|
|
|
|
} CHAP_HASH;
|
|
|
|
|
|
2011-08-17 04:38:08 +02:00
|
|
|
///
|
|
|
|
|
/// ISCSI CHAP Authentication Data
|
|
|
|
|
///
|
|
|
|
|
typedef struct _ISCSI_CHAP_AUTH_DATA {
|
|
|
|
|
ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig;
|
|
|
|
|
UINT32 InIdentifier;
|
2021-06-08 14:12:51 +02:00
|
|
|
UINT8 InChallenge[1024];
|
2011-08-17 04:38:08 +02:00
|
|
|
UINT32 InChallengeLength;
|
|
|
|
|
//
|
NetworkPkg/IScsiDxe: support multiple hash algorithms for CHAP
Introduce the "mChapHash" table, containing the hash algorithms supported
for CHAP. Hash algos listed at the beginning of the table are preferred by
the initiator.
In ISCSI_CHAP_STEP_ONE, send such a CHAP_A value that is the
comma-separated, ordered list of algorithm identifiers from "mChapHash".
Pre-format this value string at driver startup, in the new function
IScsiCHAPInitHashList().
(In IScsiCHAPInitHashList(), also enforce that every hash algo's digest
size fit into ISCSI_CHAP_MAX_DIGEST_SIZE, as the latter controls the
digest, outgoing challenge, and hex *allocations*.)
In ISCSI_CHAP_STEP_TWO, allow the target to select one of the offered hash
algorithms, and remember the selection for the later steps. For
ISCSI_CHAP_STEP_THREE, hash the challenge from the target with the
selected hash algo.
In ISCSI_CHAP_STEP_THREE, send the correctly sized digest to the target.
If the initiator wants mutual authentication, then generate a challenge
with as many bytes as the target's digest will have, in
ISCSI_CHAP_STEP_FOUR.
In ISCSI_CHAP_STEP_FOUR (i.e., when mutual authentication is required by
the initiator), verify the target's response (digest) with the selected
algorithm.
Clear the selected hash algorithm before every login (remember that in
IScsiDxe, every login is a leading login).
There is no peer-observable change from this patch, as it only reworks the
current MD5 support into the new internal representation.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20210629163337.14120-5-lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
2021-06-29 18:33:35 +02:00
|
|
|
// The hash algorithm (CHAP_A) that the target selects in
|
|
|
|
|
// ISCSI_CHAP_STEP_TWO.
|
|
|
|
|
//
|
|
|
|
|
CONST CHAP_HASH *Hash;
|
|
|
|
|
//
|
2011-08-17 04:38:08 +02:00
|
|
|
// Calculated CHAP Response (CHAP_R) value.
|
|
|
|
|
//
|
NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes
IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the
digest (16) that it solely supports at this point (MD5).
ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related
buffers (binary buffers and hex encodings alike), and (b) *processing*
binary digest buffers (comparing them, filling them, reading them).
In preparation for adding other hash algorithms, split purpose (a) from
purpose (b). For purpose (a) -- buffer allocation --, introduce
ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on
MD5_DIGEST_SIZE from <BaseCryptLib.h>.
Distinguishing these purposes is justified because purpose (b) --
processing -- must depend on the hashing algorithm negotiated between
initiator and target, while for purpose (a) -- allocation --, using the
maximum supported digest size is suitable. For now, because only MD5 is
supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE.
Note that the argument for using the digest size as the size of the
outgoing challenge (in case mutual authentication is desired by the
initiator) remains in place. Because of this, the above two purposes are
distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well.
This patch is functionally a no-op, just yet.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-4-lersek@redhat.com>
2021-06-29 18:33:34 +02:00
|
|
|
UINT8 CHAPResponse[ISCSI_CHAP_MAX_DIGEST_SIZE];
|
2011-08-17 04:38:08 +02:00
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Auth-data to be sent out for mutual authentication.
|
|
|
|
|
//
|
NetworkPkg/IScsiDxe: clean up "ISCSI_CHAP_AUTH_DATA.OutChallengeLength"
The "ISCSI_CHAP_AUTH_DATA.OutChallenge" field is declared as a UINT8 array
with ISCSI_CHAP_AUTH_MAX_LEN (1024) elements. However, when the challenge
is generated and formatted, only ISCSI_CHAP_RSP_LEN (16) octets are used
in the array.
Change the array size to ISCSI_CHAP_RSP_LEN, and remove the (now unused)
ISCSI_CHAP_AUTH_MAX_LEN macro.
Remove the "ISCSI_CHAP_AUTH_DATA.OutChallengeLength" field, which is
superfluous too.
Most importantly, explain in a new comment *why* tying the challenge size
to the digest size (ISCSI_CHAP_RSP_LEN) has always made sense. (See also
Linux kernel commit 19f5f88ed779, "scsi: target: iscsi: tie the challenge
length to the hash digest size", 2019-11-06.) For sure, the motivation
that the new comment now explains has always been there, and has always
been the same, for IScsiDxe; it's just that now we spell it out too.
No change in peer-visible behavior.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210608121259.32451-4-lersek@redhat.com>
2021-06-08 14:12:52 +02:00
|
|
|
// While the challenge size is technically independent of the hashing
|
|
|
|
|
// algorithm, it is good practice to avoid hashing *fewer bytes* than the
|
|
|
|
|
// digest size. In other words, it's good practice to feed *at least as many
|
|
|
|
|
// bytes* to the hashing algorithm as the hashing algorithm will output.
|
|
|
|
|
//
|
2011-08-17 04:38:08 +02:00
|
|
|
UINT32 OutIdentifier;
|
NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes
IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the
digest (16) that it solely supports at this point (MD5).
ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related
buffers (binary buffers and hex encodings alike), and (b) *processing*
binary digest buffers (comparing them, filling them, reading them).
In preparation for adding other hash algorithms, split purpose (a) from
purpose (b). For purpose (a) -- buffer allocation --, introduce
ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on
MD5_DIGEST_SIZE from <BaseCryptLib.h>.
Distinguishing these purposes is justified because purpose (b) --
processing -- must depend on the hashing algorithm negotiated between
initiator and target, while for purpose (a) -- allocation --, using the
maximum supported digest size is suitable. For now, because only MD5 is
supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE.
Note that the argument for using the digest size as the size of the
outgoing challenge (in case mutual authentication is desired by the
initiator) remains in place. Because of this, the above two purposes are
distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well.
This patch is functionally a no-op, just yet.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Message-Id: <20210629163337.14120-4-lersek@redhat.com>
2021-06-29 18:33:34 +02:00
|
|
|
UINT8 OutChallenge[ISCSI_CHAP_MAX_DIGEST_SIZE];
|
2011-08-17 04:38:08 +02:00
|
|
|
} ISCSI_CHAP_AUTH_DATA;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
This function checks the received iSCSI Login Response during the security
|
|
|
|
|
negotiation stage.
|
|
|
|
|
|
|
|
|
|
@param[in] Conn The iSCSI connection.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS The Login Response passed the CHAP validation.
|
|
|
|
|
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
|
|
|
|
|
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
|
|
|
|
|
@retval Others Other errors as indicated.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
IScsiCHAPOnRspReceived (
|
|
|
|
|
IN ISCSI_CONNECTION *Conn
|
|
|
|
|
);
|
|
|
|
|
/**
|
|
|
|
|
This function fills the CHAP authentication information into the login PDU
|
|
|
|
|
during the security negotiation stage in the iSCSI connection login.
|
|
|
|
|
|
|
|
|
|
@param[in] Conn The iSCSI connection.
|
|
|
|
|
@param[in, out] Pdu The PDU to send out.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS All check passed and the phase-related CHAP
|
2021-06-08 14:12:50 +02:00
|
|
|
authentication info is filled into the iSCSI
|
|
|
|
|
PDU.
|
2011-08-17 04:38:08 +02:00
|
|
|
@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
|
|
|
|
|
@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
IScsiCHAPToSendReq (
|
|
|
|
|
IN ISCSI_CONNECTION *Conn,
|
|
|
|
|
IN OUT NET_BUF *Pdu
|
|
|
|
|
);
|
|
|
|
|
|
NetworkPkg/IScsiDxe: support multiple hash algorithms for CHAP
Introduce the "mChapHash" table, containing the hash algorithms supported
for CHAP. Hash algos listed at the beginning of the table are preferred by
the initiator.
In ISCSI_CHAP_STEP_ONE, send such a CHAP_A value that is the
comma-separated, ordered list of algorithm identifiers from "mChapHash".
Pre-format this value string at driver startup, in the new function
IScsiCHAPInitHashList().
(In IScsiCHAPInitHashList(), also enforce that every hash algo's digest
size fit into ISCSI_CHAP_MAX_DIGEST_SIZE, as the latter controls the
digest, outgoing challenge, and hex *allocations*.)
In ISCSI_CHAP_STEP_TWO, allow the target to select one of the offered hash
algorithms, and remember the selection for the later steps. For
ISCSI_CHAP_STEP_THREE, hash the challenge from the target with the
selected hash algo.
In ISCSI_CHAP_STEP_THREE, send the correctly sized digest to the target.
If the initiator wants mutual authentication, then generate a challenge
with as many bytes as the target's digest will have, in
ISCSI_CHAP_STEP_FOUR.
In ISCSI_CHAP_STEP_FOUR (i.e., when mutual authentication is required by
the initiator), verify the target's response (digest) with the selected
algorithm.
Clear the selected hash algorithm before every login (remember that in
IScsiDxe, every login is a leading login).
There is no peer-observable change from this patch, as it only reworks the
current MD5 support into the new internal representation.
Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20210629163337.14120-5-lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
2021-06-29 18:33:35 +02:00
|
|
|
/**
|
|
|
|
|
Initialize the CHAP_A=<A1,A2...> *value* string for the entire driver, to be
|
|
|
|
|
sent by the initiator in ISCSI_CHAP_STEP_ONE.
|
|
|
|
|
|
|
|
|
|
This function sanity-checks the internal table of supported CHAP hashing
|
|
|
|
|
algorithms, as well.
|
|
|
|
|
**/
|
|
|
|
|
VOID
|
|
|
|
|
IScsiCHAPInitHashList (
|
|
|
|
|
VOID
|
|
|
|
|
);
|
2011-08-17 04:38:08 +02:00
|
|
|
#endif
|
