Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 1 | /******************************************************************************* |
| 2 | * This file houses the main functions for the iSCSI CHAP support |
| 3 | * |
Nicholas Bellinger | 4c76251 | 2013-09-05 15:29:12 -0700 | [diff] [blame] | 4 | * (c) Copyright 2007-2013 Datera, Inc. |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 5 | * |
| 6 | * Author: Nicholas A. Bellinger <nab@linux-iscsi.org> |
| 7 | * |
| 8 | * This program is free software; you can redistribute it and/or modify |
| 9 | * it under the terms of the GNU General Public License as published by |
| 10 | * the Free Software Foundation; either version 2 of the License, or |
| 11 | * (at your option) any later version. |
| 12 | * |
| 13 | * This program is distributed in the hope that it will be useful, |
| 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 16 | * GNU General Public License for more details. |
| 17 | ******************************************************************************/ |
| 18 | |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 19 | #include <crypto/hash.h> |
Andy Shevchenko | f2b56af | 2011-09-30 14:39:54 +0300 | [diff] [blame] | 20 | #include <linux/kernel.h> |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 21 | #include <linux/string.h> |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 22 | #include <linux/err.h> |
| 23 | #include <linux/scatterlist.h> |
| 24 | |
Sagi Grimberg | 67f091f | 2015-01-07 14:57:31 +0200 | [diff] [blame] | 25 | #include <target/iscsi/iscsi_target_core.h> |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 26 | #include "iscsi_target_nego.h" |
| 27 | #include "iscsi_target_auth.h" |
| 28 | |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 29 | static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len) |
| 30 | { |
| 31 | int i; |
| 32 | |
| 33 | for (i = 0; i < src_len; i++) { |
| 34 | sprintf(&dst[i*2], "%02x", (int) src[i] & 0xff); |
| 35 | } |
| 36 | } |
| 37 | |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 38 | static void chap_gen_challenge( |
| 39 | struct iscsi_conn *conn, |
| 40 | int caller, |
| 41 | char *c_str, |
| 42 | unsigned int *c_len) |
| 43 | { |
| 44 | unsigned char challenge_asciihex[CHAP_CHALLENGE_LENGTH * 2 + 1]; |
Jörn Engel | 8359cf4 | 2011-11-24 02:05:51 +0100 | [diff] [blame] | 45 | struct iscsi_chap *chap = conn->auth_protocol; |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 46 | |
| 47 | memset(challenge_asciihex, 0, CHAP_CHALLENGE_LENGTH * 2 + 1); |
| 48 | |
Andy Grover | 98e2eeb | 2013-03-04 13:52:07 -0800 | [diff] [blame] | 49 | get_random_bytes(chap->challenge, CHAP_CHALLENGE_LENGTH); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 50 | chap_binaryhex_to_asciihex(challenge_asciihex, chap->challenge, |
| 51 | CHAP_CHALLENGE_LENGTH); |
| 52 | /* |
| 53 | * Set CHAP_C, and copy the generated challenge into c_str. |
| 54 | */ |
| 55 | *c_len += sprintf(c_str + *c_len, "CHAP_C=0x%s", challenge_asciihex); |
| 56 | *c_len += 1; |
| 57 | |
| 58 | pr_debug("[%s] Sending CHAP_C=0x%s\n\n", (caller) ? "server" : "client", |
| 59 | challenge_asciihex); |
| 60 | } |
| 61 | |
Tejas Vaykole | 3160723 | 2014-05-30 11:13:47 +0530 | [diff] [blame] | 62 | static int chap_check_algorithm(const char *a_str) |
| 63 | { |
| 64 | char *tmp, *orig, *token; |
| 65 | |
| 66 | tmp = kstrdup(a_str, GFP_KERNEL); |
| 67 | if (!tmp) { |
| 68 | pr_err("Memory allocation failed for CHAP_A temporary buffer\n"); |
| 69 | return CHAP_DIGEST_UNKNOWN; |
| 70 | } |
| 71 | orig = tmp; |
| 72 | |
| 73 | token = strsep(&tmp, "="); |
| 74 | if (!token) |
| 75 | goto out; |
| 76 | |
| 77 | if (strcmp(token, "CHAP_A")) { |
| 78 | pr_err("Unable to locate CHAP_A key\n"); |
| 79 | goto out; |
| 80 | } |
| 81 | while (token) { |
| 82 | token = strsep(&tmp, ","); |
| 83 | if (!token) |
| 84 | goto out; |
| 85 | |
| 86 | if (!strncmp(token, "5", 1)) { |
| 87 | pr_debug("Selected MD5 Algorithm\n"); |
| 88 | kfree(orig); |
| 89 | return CHAP_DIGEST_MD5; |
| 90 | } |
| 91 | } |
| 92 | out: |
| 93 | kfree(orig); |
| 94 | return CHAP_DIGEST_UNKNOWN; |
| 95 | } |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 96 | |
| 97 | static struct iscsi_chap *chap_server_open( |
| 98 | struct iscsi_conn *conn, |
| 99 | struct iscsi_node_auth *auth, |
| 100 | const char *a_str, |
| 101 | char *aic_str, |
| 102 | unsigned int *aic_len) |
| 103 | { |
Tejas Vaykole | 3160723 | 2014-05-30 11:13:47 +0530 | [diff] [blame] | 104 | int ret; |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 105 | struct iscsi_chap *chap; |
| 106 | |
| 107 | if (!(auth->naf_flags & NAF_USERID_SET) || |
| 108 | !(auth->naf_flags & NAF_PASSWORD_SET)) { |
| 109 | pr_err("CHAP user or password not set for" |
| 110 | " Initiator ACL\n"); |
| 111 | return NULL; |
| 112 | } |
| 113 | |
| 114 | conn->auth_protocol = kzalloc(sizeof(struct iscsi_chap), GFP_KERNEL); |
| 115 | if (!conn->auth_protocol) |
| 116 | return NULL; |
| 117 | |
Jörn Engel | 8359cf4 | 2011-11-24 02:05:51 +0100 | [diff] [blame] | 118 | chap = conn->auth_protocol; |
Tejas Vaykole | 3160723 | 2014-05-30 11:13:47 +0530 | [diff] [blame] | 119 | ret = chap_check_algorithm(a_str); |
| 120 | switch (ret) { |
| 121 | case CHAP_DIGEST_MD5: |
| 122 | pr_debug("[server] Got CHAP_A=5\n"); |
| 123 | /* |
| 124 | * Send back CHAP_A set to MD5. |
| 125 | */ |
| 126 | *aic_len = sprintf(aic_str, "CHAP_A=5"); |
| 127 | *aic_len += 1; |
| 128 | chap->digest_type = CHAP_DIGEST_MD5; |
| 129 | pr_debug("[server] Sending CHAP_A=%d\n", chap->digest_type); |
| 130 | break; |
| 131 | case CHAP_DIGEST_UNKNOWN: |
| 132 | default: |
| 133 | pr_err("Unsupported CHAP_A value\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 134 | return NULL; |
| 135 | } |
Tejas Vaykole | 3160723 | 2014-05-30 11:13:47 +0530 | [diff] [blame] | 136 | |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 137 | /* |
| 138 | * Set Identifier. |
| 139 | */ |
Andy Grover | 60bfcf8 | 2013-10-09 11:05:58 -0700 | [diff] [blame] | 140 | chap->id = conn->tpg->tpg_chap_id++; |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 141 | *aic_len += sprintf(aic_str + *aic_len, "CHAP_I=%d", chap->id); |
| 142 | *aic_len += 1; |
| 143 | pr_debug("[server] Sending CHAP_I=%d\n", chap->id); |
| 144 | /* |
| 145 | * Generate Challenge. |
| 146 | */ |
| 147 | chap_gen_challenge(conn, 1, aic_str, aic_len); |
| 148 | |
| 149 | return chap; |
| 150 | } |
| 151 | |
| 152 | static void chap_close(struct iscsi_conn *conn) |
| 153 | { |
| 154 | kfree(conn->auth_protocol); |
| 155 | conn->auth_protocol = NULL; |
| 156 | } |
| 157 | |
| 158 | static int chap_server_compute_md5( |
| 159 | struct iscsi_conn *conn, |
| 160 | struct iscsi_node_auth *auth, |
| 161 | char *nr_in_ptr, |
| 162 | char *nr_out_ptr, |
| 163 | unsigned int *nr_out_len) |
| 164 | { |
Nicholas Bellinger | bc704fb | 2011-11-28 01:02:07 -0800 | [diff] [blame] | 165 | unsigned long id; |
Andy Grover | 7ac9ad1 | 2013-03-04 13:52:09 -0800 | [diff] [blame] | 166 | unsigned char id_as_uchar; |
Nicholas Bellinger | bc704fb | 2011-11-28 01:02:07 -0800 | [diff] [blame] | 167 | unsigned char digest[MD5_SIGNATURE_SIZE]; |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 168 | unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2]; |
| 169 | unsigned char identifier[10], *challenge = NULL; |
| 170 | unsigned char *challenge_binhex = NULL; |
| 171 | unsigned char client_digest[MD5_SIGNATURE_SIZE]; |
| 172 | unsigned char server_digest[MD5_SIGNATURE_SIZE]; |
| 173 | unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH]; |
Eric Seppanen | 86784c6 | 2013-11-20 14:19:52 -0800 | [diff] [blame] | 174 | size_t compare_len; |
Jörn Engel | 8359cf4 | 2011-11-24 02:05:51 +0100 | [diff] [blame] | 175 | struct iscsi_chap *chap = conn->auth_protocol; |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 176 | struct crypto_shash *tfm = NULL; |
| 177 | struct shash_desc *desc = NULL; |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 178 | int auth_ret = -1, ret, challenge_len; |
| 179 | |
| 180 | memset(identifier, 0, 10); |
| 181 | memset(chap_n, 0, MAX_CHAP_N_SIZE); |
| 182 | memset(chap_r, 0, MAX_RESPONSE_LENGTH); |
| 183 | memset(digest, 0, MD5_SIGNATURE_SIZE); |
| 184 | memset(response, 0, MD5_SIGNATURE_SIZE * 2 + 2); |
| 185 | memset(client_digest, 0, MD5_SIGNATURE_SIZE); |
| 186 | memset(server_digest, 0, MD5_SIGNATURE_SIZE); |
| 187 | |
| 188 | challenge = kzalloc(CHAP_CHALLENGE_STR_LEN, GFP_KERNEL); |
| 189 | if (!challenge) { |
| 190 | pr_err("Unable to allocate challenge buffer\n"); |
| 191 | goto out; |
| 192 | } |
| 193 | |
| 194 | challenge_binhex = kzalloc(CHAP_CHALLENGE_STR_LEN, GFP_KERNEL); |
| 195 | if (!challenge_binhex) { |
| 196 | pr_err("Unable to allocate challenge_binhex buffer\n"); |
| 197 | goto out; |
| 198 | } |
| 199 | /* |
| 200 | * Extract CHAP_N. |
| 201 | */ |
| 202 | if (extract_param(nr_in_ptr, "CHAP_N", MAX_CHAP_N_SIZE, chap_n, |
| 203 | &type) < 0) { |
| 204 | pr_err("Could not find CHAP_N.\n"); |
| 205 | goto out; |
| 206 | } |
| 207 | if (type == HEX) { |
| 208 | pr_err("Could not find CHAP_N.\n"); |
| 209 | goto out; |
| 210 | } |
| 211 | |
Eric Seppanen | 86784c6 | 2013-11-20 14:19:52 -0800 | [diff] [blame] | 212 | /* Include the terminating NULL in the compare */ |
| 213 | compare_len = strlen(auth->userid) + 1; |
| 214 | if (strncmp(chap_n, auth->userid, compare_len) != 0) { |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 215 | pr_err("CHAP_N values do not match!\n"); |
| 216 | goto out; |
| 217 | } |
| 218 | pr_debug("[server] Got CHAP_N=%s\n", chap_n); |
| 219 | /* |
| 220 | * Extract CHAP_R. |
| 221 | */ |
| 222 | if (extract_param(nr_in_ptr, "CHAP_R", MAX_RESPONSE_LENGTH, chap_r, |
| 223 | &type) < 0) { |
| 224 | pr_err("Could not find CHAP_R.\n"); |
| 225 | goto out; |
| 226 | } |
| 227 | if (type != HEX) { |
| 228 | pr_err("Could not find CHAP_R.\n"); |
| 229 | goto out; |
| 230 | } |
Vincent Pelletier | 5eeb397 | 2018-09-09 04:09:26 +0000 | [diff] [blame] | 231 | if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) { |
| 232 | pr_err("Malformed CHAP_R\n"); |
| 233 | goto out; |
| 234 | } |
| 235 | if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) { |
| 236 | pr_err("Malformed CHAP_R\n"); |
| 237 | goto out; |
| 238 | } |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 239 | |
| 240 | pr_debug("[server] Got CHAP_R=%s\n", chap_r); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 241 | |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 242 | tfm = crypto_alloc_shash("md5", 0, 0); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 243 | if (IS_ERR(tfm)) { |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 244 | tfm = NULL; |
| 245 | pr_err("Unable to allocate struct crypto_shash\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 246 | goto out; |
| 247 | } |
| 248 | |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 249 | desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); |
| 250 | if (!desc) { |
| 251 | pr_err("Unable to allocate struct shash_desc\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 252 | goto out; |
| 253 | } |
| 254 | |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 255 | desc->tfm = tfm; |
| 256 | desc->flags = 0; |
| 257 | |
| 258 | ret = crypto_shash_init(desc); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 259 | if (ret < 0) { |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 260 | pr_err("crypto_shash_init() failed\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 261 | goto out; |
| 262 | } |
| 263 | |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 264 | ret = crypto_shash_update(desc, &chap->id, 1); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 265 | if (ret < 0) { |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 266 | pr_err("crypto_shash_update() failed for id\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 267 | goto out; |
| 268 | } |
| 269 | |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 270 | ret = crypto_shash_update(desc, (char *)&auth->password, |
| 271 | strlen(auth->password)); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 272 | if (ret < 0) { |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 273 | pr_err("crypto_shash_update() failed for password\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 274 | goto out; |
| 275 | } |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 276 | |
| 277 | ret = crypto_shash_finup(desc, chap->challenge, |
| 278 | CHAP_CHALLENGE_LENGTH, server_digest); |
| 279 | if (ret < 0) { |
| 280 | pr_err("crypto_shash_finup() failed for challenge\n"); |
| 281 | goto out; |
| 282 | } |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 283 | |
| 284 | chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE); |
| 285 | pr_debug("[server] MD5 Server Digest: %s\n", response); |
| 286 | |
| 287 | if (memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE) != 0) { |
| 288 | pr_debug("[server] MD5 Digests do not match!\n\n"); |
| 289 | goto out; |
| 290 | } else |
Masanari Iida | c01e015 | 2016-04-20 00:27:33 +0900 | [diff] [blame] | 291 | pr_debug("[server] MD5 Digests match, CHAP connection" |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 292 | " successful.\n\n"); |
| 293 | /* |
| 294 | * One way authentication has succeeded, return now if mutual |
| 295 | * authentication is not enabled. |
| 296 | */ |
| 297 | if (!auth->authenticate_target) { |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 298 | auth_ret = 0; |
| 299 | goto out; |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 300 | } |
| 301 | /* |
| 302 | * Get CHAP_I. |
| 303 | */ |
| 304 | if (extract_param(nr_in_ptr, "CHAP_I", 10, identifier, &type) < 0) { |
| 305 | pr_err("Could not find CHAP_I.\n"); |
| 306 | goto out; |
| 307 | } |
| 308 | |
| 309 | if (type == HEX) |
Nicholas Bellinger | b06eef6 | 2014-06-13 04:05:16 +0000 | [diff] [blame] | 310 | ret = kstrtoul(&identifier[2], 0, &id); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 311 | else |
Nicholas Bellinger | b06eef6 | 2014-06-13 04:05:16 +0000 | [diff] [blame] | 312 | ret = kstrtoul(identifier, 0, &id); |
| 313 | |
| 314 | if (ret < 0) { |
| 315 | pr_err("kstrtoul() failed for CHAP identifier: %d\n", ret); |
| 316 | goto out; |
| 317 | } |
Nicholas Bellinger | bc704fb | 2011-11-28 01:02:07 -0800 | [diff] [blame] | 318 | if (id > 255) { |
| 319 | pr_err("chap identifier: %lu greater than 255\n", id); |
| 320 | goto out; |
| 321 | } |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 322 | /* |
| 323 | * RFC 1994 says Identifier is no more than octet (8 bits). |
| 324 | */ |
Nicholas Bellinger | bc704fb | 2011-11-28 01:02:07 -0800 | [diff] [blame] | 325 | pr_debug("[server] Got CHAP_I=%lu\n", id); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 326 | /* |
| 327 | * Get CHAP_C. |
| 328 | */ |
| 329 | if (extract_param(nr_in_ptr, "CHAP_C", CHAP_CHALLENGE_STR_LEN, |
| 330 | challenge, &type) < 0) { |
| 331 | pr_err("Could not find CHAP_C.\n"); |
| 332 | goto out; |
| 333 | } |
| 334 | |
| 335 | if (type != HEX) { |
| 336 | pr_err("Could not find CHAP_C.\n"); |
| 337 | goto out; |
| 338 | } |
Vincent Pelletier | 5eeb397 | 2018-09-09 04:09:26 +0000 | [diff] [blame] | 339 | challenge_len = DIV_ROUND_UP(strlen(challenge), 2); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 340 | if (!challenge_len) { |
| 341 | pr_err("Unable to convert incoming challenge\n"); |
| 342 | goto out; |
| 343 | } |
Nicholas Bellinger | e4fae23 | 2014-06-13 04:28:31 +0000 | [diff] [blame] | 344 | if (challenge_len > 1024) { |
| 345 | pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); |
| 346 | goto out; |
| 347 | } |
Vincent Pelletier | 5eeb397 | 2018-09-09 04:09:26 +0000 | [diff] [blame] | 348 | if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) { |
| 349 | pr_err("Malformed CHAP_C\n"); |
| 350 | goto out; |
| 351 | } |
| 352 | pr_debug("[server] Got CHAP_C=%s\n", challenge); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 353 | /* |
Nicholas Bellinger | 1d2b60a | 2014-06-05 18:08:57 -0700 | [diff] [blame] | 354 | * During mutual authentication, the CHAP_C generated by the |
| 355 | * initiator must not match the original CHAP_C generated by |
| 356 | * the target. |
| 357 | */ |
| 358 | if (!memcmp(challenge_binhex, chap->challenge, CHAP_CHALLENGE_LENGTH)) { |
| 359 | pr_err("initiator CHAP_C matches target CHAP_C, failing" |
| 360 | " login attempt\n"); |
| 361 | goto out; |
| 362 | } |
| 363 | /* |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 364 | * Generate CHAP_N and CHAP_R for mutual authentication. |
| 365 | */ |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 366 | ret = crypto_shash_init(desc); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 367 | if (ret < 0) { |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 368 | pr_err("crypto_shash_init() failed\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 369 | goto out; |
| 370 | } |
| 371 | |
Andy Grover | 7ac9ad1 | 2013-03-04 13:52:09 -0800 | [diff] [blame] | 372 | /* To handle both endiannesses */ |
| 373 | id_as_uchar = id; |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 374 | ret = crypto_shash_update(desc, &id_as_uchar, 1); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 375 | if (ret < 0) { |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 376 | pr_err("crypto_shash_update() failed for id\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 377 | goto out; |
| 378 | } |
| 379 | |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 380 | ret = crypto_shash_update(desc, auth->password_mutual, |
| 381 | strlen(auth->password_mutual)); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 382 | if (ret < 0) { |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 383 | pr_err("crypto_shash_update() failed for" |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 384 | " password_mutual\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 385 | goto out; |
| 386 | } |
| 387 | /* |
| 388 | * Convert received challenge to binary hex. |
| 389 | */ |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 390 | ret = crypto_shash_finup(desc, challenge_binhex, challenge_len, |
| 391 | digest); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 392 | if (ret < 0) { |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 393 | pr_err("crypto_shash_finup() failed for ma challenge\n"); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 394 | goto out; |
| 395 | } |
| 396 | |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 397 | /* |
| 398 | * Generate CHAP_N and CHAP_R. |
| 399 | */ |
| 400 | *nr_out_len = sprintf(nr_out_ptr, "CHAP_N=%s", auth->userid_mutual); |
| 401 | *nr_out_len += 1; |
| 402 | pr_debug("[server] Sending CHAP_N=%s\n", auth->userid_mutual); |
| 403 | /* |
| 404 | * Convert response from binary hex to ascii hext. |
| 405 | */ |
| 406 | chap_binaryhex_to_asciihex(response, digest, MD5_SIGNATURE_SIZE); |
| 407 | *nr_out_len += sprintf(nr_out_ptr + *nr_out_len, "CHAP_R=0x%s", |
| 408 | response); |
| 409 | *nr_out_len += 1; |
| 410 | pr_debug("[server] Sending CHAP_R=0x%s\n", response); |
| 411 | auth_ret = 0; |
| 412 | out: |
Herbert Xu | 69110e3 | 2016-01-24 21:19:52 +0800 | [diff] [blame] | 413 | kzfree(desc); |
David Disseldorp | fffc0fc | 2017-12-13 18:22:30 +0100 | [diff] [blame] | 414 | if (tfm) |
| 415 | crypto_free_shash(tfm); |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 416 | kfree(challenge); |
| 417 | kfree(challenge_binhex); |
| 418 | return auth_ret; |
| 419 | } |
| 420 | |
| 421 | static int chap_got_response( |
| 422 | struct iscsi_conn *conn, |
| 423 | struct iscsi_node_auth *auth, |
| 424 | char *nr_in_ptr, |
| 425 | char *nr_out_ptr, |
| 426 | unsigned int *nr_out_len) |
| 427 | { |
Jörn Engel | 8359cf4 | 2011-11-24 02:05:51 +0100 | [diff] [blame] | 428 | struct iscsi_chap *chap = conn->auth_protocol; |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 429 | |
| 430 | switch (chap->digest_type) { |
| 431 | case CHAP_DIGEST_MD5: |
| 432 | if (chap_server_compute_md5(conn, auth, nr_in_ptr, |
| 433 | nr_out_ptr, nr_out_len) < 0) |
| 434 | return -1; |
| 435 | return 0; |
| 436 | default: |
| 437 | pr_err("Unknown CHAP digest type %d!\n", |
| 438 | chap->digest_type); |
| 439 | return -1; |
| 440 | } |
| 441 | } |
| 442 | |
| 443 | u32 chap_main_loop( |
| 444 | struct iscsi_conn *conn, |
| 445 | struct iscsi_node_auth *auth, |
| 446 | char *in_text, |
| 447 | char *out_text, |
| 448 | int *in_len, |
| 449 | int *out_len) |
| 450 | { |
Jörn Engel | 8359cf4 | 2011-11-24 02:05:51 +0100 | [diff] [blame] | 451 | struct iscsi_chap *chap = conn->auth_protocol; |
Nicholas Bellinger | e48354c | 2011-07-23 06:43:04 +0000 | [diff] [blame] | 452 | |
| 453 | if (!chap) { |
| 454 | chap = chap_server_open(conn, auth, in_text, out_text, out_len); |
| 455 | if (!chap) |
| 456 | return 2; |
| 457 | chap->chap_state = CHAP_STAGE_SERVER_AIC; |
| 458 | return 0; |
| 459 | } else if (chap->chap_state == CHAP_STAGE_SERVER_AIC) { |
| 460 | convert_null_to_semi(in_text, *in_len); |
| 461 | if (chap_got_response(conn, auth, in_text, out_text, |
| 462 | out_len) < 0) { |
| 463 | chap_close(conn); |
| 464 | return 2; |
| 465 | } |
| 466 | if (auth->authenticate_target) |
| 467 | chap->chap_state = CHAP_STAGE_SERVER_NR; |
| 468 | else |
| 469 | *out_len = 0; |
| 470 | chap_close(conn); |
| 471 | return 1; |
| 472 | } |
| 473 | |
| 474 | return 2; |
| 475 | } |