[mirror_edk2.git] / MdeModulePkg / Universal / Network / IScsiDxe / IScsiCHAP.c

/** @file\r
  This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.\r
 \r
Copyright (c) 2004 - 2009, Intel Corporation.<BR>\r
All rights reserved. This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution.  The full text of the license may be found at\r
http://opensource.org/licenses/bsd-license.php\r
\r
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
#include "IScsiImpl.h"\r
#include "Md5.h"\r
\r
EFI_GUID  mIScsiCHAPAuthInfoGuid = ISCSI_CHAP_AUTH_INFO_GUID;\r
\r
/**\r
  Initator caculates its own expected hash value. \r
  \r
  @param[in]   ChapIdentifier     iSCSI CHAP identifier sent by authenticator.  \r
  @param[in]   ChapSecret         iSCSI CHAP secret of the authenticator.   \r
  @param[in]   SecretLength       The length of iSCSI CHAP secret.\r
  @param[in]   ChapChallenge      The challenge message sent by authenticator.  \r
  @param[in]   ChallengeLength    The length of iSCSI CHAP challenge message.\r
  @param[out]  ChapResponse       The calculation of the expected hash value.\r
  \r
  @retval EFI_SUCCESS             The expected hash value was caculatedly successfully.\r
  @retval EFI_PROTOCOL_ERROR      The length of the secret should be at least the \r
                                  length of the hash value for the hashing algorithm chosen.\r
  @retval Others                  Other errors as indicated.                                \r
**/\r
EFI_STATUS\r
IScsiCHAPCalculateResponse (\r
  IN  UINT32  ChapIdentifier,\r
  IN  CHAR8   *ChapSecret,\r
  IN  UINT32  SecretLength,\r
  IN  UINT8   *ChapChallenge,\r
  IN  UINT32  ChallengeLength,\r
  OUT UINT8   *ChapResponse\r
  )\r
{\r
  MD5_CTX     Md5Ctx;\r
  CHAR8       IdByte[1];\r
  EFI_STATUS  Status;\r
\r
  Status = MD5Init (&Md5Ctx);\r
\r
  //\r
  // Hash Identifier - Only calculate 1 byte data (RFC1994)\r
  //\r
  IdByte[0] = (CHAR8) ChapIdentifier;\r
  MD5Update (&Md5Ctx, IdByte, 1);\r
\r
  //\r
  // Hash Secret\r
  //\r
  if (SecretLength < ISCSI_CHAP_SECRET_MIN_LEN - 1) {\r
    return EFI_PROTOCOL_ERROR;\r
  }\r
\r
  MD5Update (&Md5Ctx, ChapSecret, SecretLength);\r
\r
  //\r
  // Hash Challenge received from Target\r
  //\r
  MD5Update (&Md5Ctx, ChapChallenge, ChallengeLength);\r
\r
  Status = MD5Final (&Md5Ctx, ChapResponse);\r
\r
  return Status;\r
}\r
\r
/**\r
  The initator checks the CHAP response replied by target against its own\r
  calculation of the expected hash value. \r
  \r
  @param[in]   AuthData             iSCSI CHAP authentication data. \r
  @param[in]   TargetResponse       The response from target.    \r
\r
  @retval EFI_SUCCESS               The response from target passed authentication.\r
  @retval EFI_SECURITY_VIOLATION    The response from target was not expected value.\r
  @retval Others                    Other errors as indicated.\r
**/\r
EFI_STATUS\r
IScsiCHAPAuthTarget (\r
  IN  ISCSI_CHAP_AUTH_DATA  *AuthData,\r
  IN  UINT8                 *TargetResponse\r
  )\r
{\r
  EFI_STATUS  Status;\r
  UINT32      SecretSize;\r
  UINT8       VerifyRsp[ISCSI_CHAP_RSP_LEN];\r
\r
  Status      = EFI_SUCCESS;\r
\r
  SecretSize  = (UINT32) AsciiStrLen (AuthData->AuthConfig.ReverseCHAPSecret);\r
  Status = IScsiCHAPCalculateResponse (\r
            AuthData->OutIdentifier,\r
            AuthData->AuthConfig.ReverseCHAPSecret,\r
            SecretSize,\r
            AuthData->OutChallenge,\r
            AuthData->OutChallengeLength,\r
            VerifyRsp\r
            );\r
\r
  if (CompareMem (VerifyRsp, TargetResponse, ISCSI_CHAP_RSP_LEN)) {\r
    Status = EFI_SECURITY_VIOLATION;\r
  }\r
\r
  return Status;\r
}\r
\r
/**\r
  This function checks the received iSCSI Login Response during the security\r
  negotiation stage.\r
  \r
  @param[in] Conn             The iSCSI connection.\r
\r
  @retval EFI_SUCCESS          The Login Response passed the CHAP validation.\r
  @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
  @retval EFI_PROTOCOL_ERROR   Some kind of protocol error happend.\r
  @retval Others               Other errors as indicated.\r
**/\r
EFI_STATUS\r
IScsiCHAPOnRspReceived (\r
  IN ISCSI_CONNECTION  *Conn\r
  )\r
{\r
  EFI_STATUS                Status;\r
  ISCSI_SESSION             *Session;\r
  ISCSI_CHAP_AUTH_DATA      *AuthData;\r
  CHAR8                     *Value;\r
  UINT8                     *Data;\r
  UINT32                    Len;\r
  LIST_ENTRY                *KeyValueList;\r
  UINTN                     Algorithm;\r
  CHAR8                     *Identifier;\r
  CHAR8                     *Challenge;\r
  CHAR8                     *Name;\r
  CHAR8                     *Response;\r
  UINT8                     TargetRsp[ISCSI_CHAP_RSP_LEN];\r
  UINT32                    RspLen;\r
\r
  ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
  ASSERT (Conn->RspQue.BufNum != 0);\r
\r
  Session     = Conn->Session;\r
  AuthData    = &Session->AuthData;\r
\r
  Len         = Conn->RspQue.BufSize;\r
  Data        = AllocatePool (Len);\r
  if (Data == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
  //\r
  // Copy the data in case the data spans over multiple PDUs.\r
  //\r
  NetbufQueCopy (&Conn->RspQue, 0, Len, Data);\r
\r
  //\r
  // Build the key-value list from the data segment of the Login Response.\r
  //\r
  KeyValueList = IScsiBuildKeyValueList ((CHAR8 *) Data, Len);\r
  if (KeyValueList == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  Status = EFI_PROTOCOL_ERROR;\r
\r
  switch (Conn->CHAPStep) {\r
  case ISCSI_CHAP_INITIAL:\r
    //\r
    // The first Login Response.\r
    //\r
    Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);\r
    if (Value == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Session->TargetPortalGroupTag = (UINT16) AsciiStrDecimalToUintn (Value);\r
\r
    Value                         = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);\r
    if (Value == NULL) {\r
      goto ON_EXIT;\r
    }\r
    //\r
    // Initiator mandates CHAP authentication but target replies without "CHAP" or\r
    // initiator suggets "None" but target replies with some kind of auth method.\r
    //\r
    if (AsciiStrCmp (Value, ISCSI_AUTH_METHOD_CHAP) == 0) {\r
      if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_NONE) {\r
        goto ON_EXIT;\r
      }\r
    } else {\r
      if (AuthData->AuthConfig.CHAPType != ISCSI_CHAP_NONE) {\r
        goto ON_EXIT;\r
      }\r
    }\r
    //\r
    // Transit to CHAP step one.\r
    //\r
    Conn->CHAPStep  = ISCSI_CHAP_STEP_ONE;\r
    Status          = EFI_SUCCESS;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_TWO:\r
    //\r
    // The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>\r
    //\r
    Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);\r
    if (Value == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Algorithm = AsciiStrDecimalToUintn (Value);\r
    if (Algorithm != ISCSI_CHAP_ALGORITHM_MD5) {\r
      //\r
      // Unsupported algorithm is chosen by target.\r
      //\r
      goto ON_EXIT;\r
    }\r
\r
    Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);\r
    if (Identifier == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);\r
    if (Challenge == NULL) {\r
      goto ON_EXIT;\r
    }\r
    //\r
    // Process the CHAP identifier and CHAP Challenge from Target\r
    // Calculate Response value\r
    //\r
    AuthData->InIdentifier      = (UINT32) AsciiStrDecimalToUintn (Identifier);\r
    AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;\r
    IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);\r
    Status = IScsiCHAPCalculateResponse (\r
              AuthData->InIdentifier,\r
              AuthData->AuthConfig.CHAPSecret,\r
              (UINT32) AsciiStrLen (AuthData->AuthConfig.CHAPSecret),\r
              AuthData->InChallenge,\r
              AuthData->InChallengeLength,\r
              AuthData->CHAPResponse\r
              );\r
\r
    //\r
    // Transit to next step.\r
    //\r
    Conn->CHAPStep = ISCSI_CHAP_STEP_THREE;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_THREE:\r
    //\r
    // one way CHAP authentication and the target would like to\r
    // authenticate us.\r
    //\r
    Status = EFI_SUCCESS;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_FOUR:\r
    ASSERT (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_MUTUAL);\r
    //\r
    // The forth step, CHAP_N=<N> CHAP_R=<R> is received from Target.\r
    //\r
    Name = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME);\r
    if (Name == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);\r
    if (Response == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    RspLen = ISCSI_CHAP_RSP_LEN;\r
    IScsiHexToBin (TargetRsp, &RspLen, Response);\r
\r
    //\r
    // Check the CHAP Response replied by Target.\r
    //\r
    Status = IScsiCHAPAuthTarget (AuthData, TargetRsp);\r
    break;\r
\r
  default:\r
    break;\r
  }\r
\r
ON_EXIT:\r
\r
  IScsiFreeKeyValueList (KeyValueList);\r
\r
  gBS->FreePool (Data);\r
\r
  return Status;\r
}\r
\r
/**\r
  This function fills the CHAP authentication information into the login PDU\r
  during the security negotiation stage in the iSCSI connection login.\r
\r
  @param[in]       Conn        The iSCSI connection.\r
  @param[in, out]  Pdu         The PDU to send out.\r
\r
  @retval EFI_SUCCESS          All check passed and the phase-related CHAP\r
                               authentication info is filled into the iSCSI PDU.\r
  @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
  @retval EFI_PROTOCOL_ERROR   Some kind of protocol error happend.\r
**/\r
EFI_STATUS\r
IScsiCHAPToSendReq (\r
  IN      ISCSI_CONNECTION  *Conn,\r
  IN OUT  NET_BUF           *Pdu\r
  )\r
{\r
  EFI_STATUS                Status;\r
  ISCSI_SESSION             *Session;\r
  ISCSI_LOGIN_REQUEST       *LoginReq;\r
  ISCSI_CHAP_AUTH_DATA      *AuthData;\r
  CHAR8                     *Value;\r
  CHAR8                     ValueStr[256];\r
  CHAR8                     *Response;\r
  UINT32                    RspLen;\r
  CHAR8                     *Challenge;\r
  UINT32                    ChallengeLen;\r
\r
  ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
\r
  Session     = Conn->Session;\r
  AuthData    = &Session->AuthData;\r
  LoginReq    = (ISCSI_LOGIN_REQUEST *) NetbufGetByte (Pdu, 0, 0);\r
  Status      = EFI_SUCCESS;\r
\r
  RspLen      = 2 * ISCSI_CHAP_RSP_LEN + 3;\r
  Response    = AllocatePool (RspLen);\r
  if (Response == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  ChallengeLen  = 2 * ISCSI_CHAP_RSP_LEN + 3;\r
  Challenge     = AllocatePool (ChallengeLen);\r
  if (Challenge == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  switch (Conn->CHAPStep) {\r
  case ISCSI_CHAP_INITIAL:\r
    //\r
    // It's the initial Login Request. Fill in the key=value pairs mandatory\r
    // for the initial Login Request.\r
    //\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, Session->InitiatorName);\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_TARGET_NAME, Session->ConfigData.NvData.TargetName);\r
\r
    if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_NONE) {\r
      Value = ISCSI_KEY_VALUE_NONE;\r
      ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
    } else {\r
      Value = ISCSI_AUTH_METHOD_CHAP;\r
    }\r
\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_AUTH_METHOD, Value);\r
\r
    break;\r
\r
  case ISCSI_CHAP_STEP_ONE:\r
    //\r
    // First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.\r
    //\r
    AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);\r
\r
    Conn->CHAPStep = ISCSI_CHAP_STEP_TWO;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_THREE:\r
    //\r
    // Third step, send the Login Request with CHAP_N=<N> CHAP_R=<R> or\r
    // CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C> if target ahtentication is\r
    // required too.\r
    //\r
    // CHAP_N=<N>\r
    //\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig.CHAPName);\r
    //\r
    // CHAP_R=<R>\r
    //\r
    IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);\r
\r
    if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_MUTUAL) {\r
      //\r
      // CHAP_I=<I>\r
      //\r
      IScsiGenRandom ((UINT8 *) &AuthData->OutIdentifier, 1);\r
      AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);\r
      IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);\r
      //\r
      // CHAP_C=<C>\r
      //\r
      IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);\r
      AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;\r
      IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);\r
      IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);\r
\r
      Conn->CHAPStep = ISCSI_CHAP_STEP_FOUR;\r
    }\r
    //\r
    // set the stage transition flag.\r
    //\r
    ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
    break;\r
\r
  default:\r
    Status = EFI_PROTOCOL_ERROR;\r
    break;\r
  }\r
\r
  gBS->FreePool (Response);\r
  gBS->FreePool (Challenge);\r
\r
  return Status;\r
}\r
Commit	Line	Data
12618416	1	/** @file\r
11e0ec6b	2	This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.\r
11e0ec6b	3	\r
894d038a	4	Copyright (c) 2004 - 2009, Intel Corporation.<BR>\r
7a444476	5	All rights reserved. This program and the accompanying materials\r
	6	are licensed and made available under the terms and conditions of the BSD License\r
	7	which accompanies this distribution. The full text of the license may be found at\r
	8	http://opensource.org/licenses/bsd-license.php\r
	9	\r
	10	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	11	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
6a690e23	12	\r
12618416	13	**/\r
6a690e23	14	\r
	15	#include "IScsiImpl.h"\r
	16	#include "Md5.h"\r
	17	\r
	18	EFI_GUID mIScsiCHAPAuthInfoGuid = ISCSI_CHAP_AUTH_INFO_GUID;\r
	19	\r
11e0ec6b	20	/**\r
	21	Initator caculates its own expected hash value. \r
	22	\r
55a64ae0	23	@param[in] ChapIdentifier iSCSI CHAP identifier sent by authenticator. \r
	24	@param[in] ChapSecret iSCSI CHAP secret of the authenticator. \r
	25	@param[in] SecretLength The length of iSCSI CHAP secret.\r
11e0ec6b	26	@param[in] ChapChallenge The challenge message sent by authenticator. \r
55a64ae0	27	@param[in] ChallengeLength The length of iSCSI CHAP challenge message.\r
11e0ec6b	28	@param[out] ChapResponse The calculation of the expected hash value.\r
	29	\r
	30	@retval EFI_SUCCESS The expected hash value was caculatedly successfully.\r
	31	@retval EFI_PROTOCOL_ERROR The length of the secret should be at least the \r
	32	length of the hash value for the hashing algorithm chosen.\r
963dbb30	33	@retval Others Other errors as indicated. \r
11e0ec6b	34	**/\r
6a690e23	35	EFI_STATUS\r
	36	IScsiCHAPCalculateResponse (\r
	37	IN UINT32 ChapIdentifier,\r
	38	IN CHAR8 *ChapSecret,\r
	39	IN UINT32 SecretLength,\r
	40	IN UINT8 *ChapChallenge,\r
	41	IN UINT32 ChallengeLength,\r
	42	OUT UINT8 *ChapResponse\r
	43	)\r
	44	{\r
	45	MD5_CTX Md5Ctx;\r
	46	CHAR8 IdByte[1];\r
	47	EFI_STATUS Status;\r
	48	\r
	49	Status = MD5Init (&Md5Ctx);\r
	50	\r
	51	//\r
	52	// Hash Identifier - Only calculate 1 byte data (RFC1994)\r
	53	//\r
	54	IdByte[0] = (CHAR8) ChapIdentifier;\r
	55	MD5Update (&Md5Ctx, IdByte, 1);\r
	56	\r
	57	//\r
	58	// Hash Secret\r
	59	//\r
	60	if (SecretLength < ISCSI_CHAP_SECRET_MIN_LEN - 1) {\r
	61	return EFI_PROTOCOL_ERROR;\r
	62	}\r
	63	\r
	64	MD5Update (&Md5Ctx, ChapSecret, SecretLength);\r
	65	\r
	66	//\r
	67	// Hash Challenge received from Target\r
	68	//\r
	69	MD5Update (&Md5Ctx, ChapChallenge, ChallengeLength);\r
	70	\r
	71	Status = MD5Final (&Md5Ctx, ChapResponse);\r
	72	\r
	73	return Status;\r
	74	}\r
	75	\r
11e0ec6b	76	/**\r
	77	The initator checks the CHAP response replied by target against its own\r
	78	calculation of the expected hash value. \r
	79	\r
55a64ae0	80	@param[in] AuthData iSCSI CHAP authentication data. \r
11e0ec6b	81	@param[in] TargetResponse The response from target. \r
	82	\r
	83	@retval EFI_SUCCESS The response from target passed authentication.\r
	84	@retval EFI_SECURITY_VIOLATION The response from target was not expected value.\r
963dbb30	85	@retval Others Other errors as indicated.\r
11e0ec6b	86	**/\r
6a690e23	87	EFI_STATUS\r
	88	IScsiCHAPAuthTarget (\r
	89	IN ISCSI_CHAP_AUTH_DATA *AuthData,\r
	90	IN UINT8 *TargetResponse\r
	91	)\r
	92	{\r
	93	EFI_STATUS Status;\r
	94	UINT32 SecretSize;\r
	95	UINT8 VerifyRsp[ISCSI_CHAP_RSP_LEN];\r
	96	\r
	97	Status = EFI_SUCCESS;\r
	98	\r
	99	SecretSize = (UINT32) AsciiStrLen (AuthData->AuthConfig.ReverseCHAPSecret);\r
	100	Status = IScsiCHAPCalculateResponse (\r
	101	AuthData->OutIdentifier,\r
	102	AuthData->AuthConfig.ReverseCHAPSecret,\r
	103	SecretSize,\r
	104	AuthData->OutChallenge,\r
	105	AuthData->OutChallengeLength,\r
	106	VerifyRsp\r
	107	);\r
	108	\r
e48e37fc	109	if (CompareMem (VerifyRsp, TargetResponse, ISCSI_CHAP_RSP_LEN)) {\r
6a690e23	110	Status = EFI_SECURITY_VIOLATION;\r
	111	}\r
	112	\r
	113	return Status;\r
	114	}\r
	115	\r
12618416	116	/**\r
6a690e23	117	This function checks the received iSCSI Login Response during the security\r
	118	negotiation stage.\r
	119	\r
11e0ec6b	120	@param[in] Conn The iSCSI connection.\r
6a690e23	121	\r
12618416	122	@retval EFI_SUCCESS The Login Response passed the CHAP validation.\r
12618416	123	@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
12618416	124	@retval EFI_PROTOCOL_ERROR Some kind of protocol error happend.\r
963dbb30	125	@retval Others Other errors as indicated.\r
12618416	126	**/\r
	127	EFI_STATUS\r
	128	IScsiCHAPOnRspReceived (\r
c5de0d55	129	IN ISCSI_CONNECTION *Conn\r
12618416	130	)\r
6a690e23	131	{\r
	132	EFI_STATUS Status;\r
	133	ISCSI_SESSION *Session;\r
6a690e23	134	ISCSI_CHAP_AUTH_DATA *AuthData;\r
	135	CHAR8 *Value;\r
	136	UINT8 *Data;\r
	137	UINT32 Len;\r
e48e37fc	138	LIST_ENTRY *KeyValueList;\r
6a690e23	139	UINTN Algorithm;\r
	140	CHAR8 *Identifier;\r
	141	CHAR8 *Challenge;\r
	142	CHAR8 *Name;\r
	143	CHAR8 *Response;\r
	144	UINT8 TargetRsp[ISCSI_CHAP_RSP_LEN];\r
	145	UINT32 RspLen;\r
	146	\r
	147	ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
	148	ASSERT (Conn->RspQue.BufNum != 0);\r
	149	\r
	150	Session = Conn->Session;\r
6a690e23	151	AuthData = &Session->AuthData;\r
	152	\r
	153	Len = Conn->RspQue.BufSize;\r
e48e37fc	154	Data = AllocatePool (Len);\r
6a690e23	155	if (Data == NULL) {\r
	156	return EFI_OUT_OF_RESOURCES;\r
	157	}\r
	158	//\r
	159	// Copy the data in case the data spans over multiple PDUs.\r
	160	//\r
	161	NetbufQueCopy (&Conn->RspQue, 0, Len, Data);\r
	162	\r
	163	//\r
	164	// Build the key-value list from the data segment of the Login Response.\r
	165	//\r
69b0882d	166	KeyValueList = IScsiBuildKeyValueList ((CHAR8 *) Data, Len);\r
6a690e23	167	if (KeyValueList == NULL) {\r
894d038a	168	return EFI_OUT_OF_RESOURCES;\r
6a690e23	169	}\r
	170	\r
	171	Status = EFI_PROTOCOL_ERROR;\r
	172	\r
	173	switch (Conn->CHAPStep) {\r
	174	case ISCSI_CHAP_INITIAL:\r
	175	//\r
	176	// The first Login Response.\r
	177	//\r
	178	Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);\r
	179	if (Value == NULL) {\r
	180	goto ON_EXIT;\r
	181	}\r
	182	\r
	183	Session->TargetPortalGroupTag = (UINT16) AsciiStrDecimalToUintn (Value);\r
	184	\r
	185	Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);\r
	186	if (Value == NULL) {\r
	187	goto ON_EXIT;\r
	188	}\r
	189	//\r
	190	// Initiator mandates CHAP authentication but target replies without "CHAP" or\r
	191	// initiator suggets "None" but target replies with some kind of auth method.\r
	192	//\r
	193	if (AsciiStrCmp (Value, ISCSI_AUTH_METHOD_CHAP) == 0) {\r
	194	if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_NONE) {\r
	195	goto ON_EXIT;\r
	196	}\r
	197	} else {\r
	198	if (AuthData->AuthConfig.CHAPType != ISCSI_CHAP_NONE) {\r
	199	goto ON_EXIT;\r
	200	}\r
	201	}\r
	202	//\r
	203	// Transit to CHAP step one.\r
	204	//\r
	205	Conn->CHAPStep = ISCSI_CHAP_STEP_ONE;\r
	206	Status = EFI_SUCCESS;\r
	207	break;\r
	208	\r
	209	case ISCSI_CHAP_STEP_TWO:\r
	210	//\r
	211	// The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>\r
	212	//\r
	213	Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);\r
	214	if (Value == NULL) {\r
	215	goto ON_EXIT;\r
	216	}\r
	217	\r
	218	Algorithm = AsciiStrDecimalToUintn (Value);\r
	219	if (Algorithm != ISCSI_CHAP_ALGORITHM_MD5) {\r
	220	//\r
	221	// Unsupported algorithm is chosen by target.\r
	222	//\r
	223	goto ON_EXIT;\r
	224	}\r
	225	\r
	226	Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);\r
	227	if (Identifier == NULL) {\r
	228	goto ON_EXIT;\r
	229	}\r
	230	\r
	231	Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);\r
	232	if (Challenge == NULL) {\r
233	goto ON_EXIT;\r
234	}\r
235	//\r
236	// Process the CHAP identifier and CHAP Challenge from Target\r
237	// Calculate Response value\r
238	//\r
239	AuthData->InIdentifier = (UINT32) AsciiStrDecimalToUintn (Identifier);\r
240	AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;\r
241	IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);\r
242	Status = IScsiCHAPCalculateResponse (\r
243	AuthData->InIdentifier,\r
244	AuthData->AuthConfig.CHAPSecret,\r
245	(UINT32) AsciiStrLen (AuthData->AuthConfig.CHAPSecret),\r
246	AuthData->InChallenge,\r
247	AuthData->InChallengeLength,\r
248	AuthData->CHAPResponse\r
249	);\r
250	\r
251	//\r
252	// Transit to next step.\r
253	//\r
254	Conn->CHAPStep = ISCSI_CHAP_STEP_THREE;\r
255	break;\r
256	\r
257	case ISCSI_CHAP_STEP_THREE:\r
258	//\r
259	// one way CHAP authentication and the target would like to\r
260	// authenticate us.\r
261	//\r
262	Status = EFI_SUCCESS;\r
263	break;\r
264	\r
265	case ISCSI_CHAP_STEP_FOUR:\r
266	ASSERT (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_MUTUAL);\r
267	//\r
268	// The forth step, CHAP_N=<N> CHAP_R=<R> is received from Target.\r
269	//\r
270	Name = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME);\r
271	if (Name == NULL) {\r
272	goto ON_EXIT;\r
273	}\r
274	\r
275	Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);\r
276	if (Response == NULL) {\r
277	goto ON_EXIT;\r
278	}\r
279	\r
280	RspLen = ISCSI_CHAP_RSP_LEN;\r
281	IScsiHexToBin (TargetRsp, &RspLen, Response);\r
282	\r
283	//\r
11e0ec6b	284	// Check the CHAP Response replied by Target.\r
6a690e23	285	//\r
	286	Status = IScsiCHAPAuthTarget (AuthData, TargetRsp);\r
	287	break;\r
	288	\r
	289	default:\r
	290	break;\r
	291	}\r
	292	\r
	293	ON_EXIT:\r
	294	\r
	295	IScsiFreeKeyValueList (KeyValueList);\r
	296	\r
e48e37fc	297	gBS->FreePool (Data);\r
6a690e23	298	\r
	299	return Status;\r
	300	}\r
	301	\r
12618416	302	/**\r
6a690e23	303	This function fills the CHAP authentication information into the login PDU\r
6a690e23	304	during the security negotiation stage in the iSCSI connection login.\r
6a690e23	305	\r
c5de0d55	306	@param[in] Conn The iSCSI connection.\r
c5de0d55	307	@param[in, out] Pdu The PDU to send out.\r
6a690e23	308	\r
12618416	309	@retval EFI_SUCCESS All check passed and the phase-related CHAP\r
12618416	310	authentication info is filled into the iSCSI PDU.\r
12618416	311	@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
12618416	312	@retval EFI_PROTOCOL_ERROR Some kind of protocol error happend.\r
12618416	313	**/\r
	314	EFI_STATUS\r
	315	IScsiCHAPToSendReq (\r
c5de0d55	316	IN ISCSI_CONNECTION *Conn,\r
c5de0d55	317	IN OUT NET_BUF *Pdu\r
12618416	318	)\r
6a690e23	319	{\r
	320	EFI_STATUS Status;\r
	321	ISCSI_SESSION *Session;\r
	322	ISCSI_LOGIN_REQUEST *LoginReq;\r
6a690e23	323	ISCSI_CHAP_AUTH_DATA *AuthData;\r
	324	CHAR8 *Value;\r
	325	CHAR8 ValueStr[256];\r
	326	CHAR8 *Response;\r
	327	UINT32 RspLen;\r
	328	CHAR8 *Challenge;\r
	329	UINT32 ChallengeLen;\r
	330	\r
	331	ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
	332	\r
	333	Session = Conn->Session;\r
6a690e23	334	AuthData = &Session->AuthData;\r
	335	LoginReq = (ISCSI_LOGIN_REQUEST *) NetbufGetByte (Pdu, 0, 0);\r
	336	Status = EFI_SUCCESS;\r
	337	\r
	338	RspLen = 2 * ISCSI_CHAP_RSP_LEN + 3;\r
e48e37fc	339	Response = AllocatePool (RspLen);\r
6a690e23	340	if (Response == NULL) {\r
	341	return EFI_OUT_OF_RESOURCES;\r
	342	}\r
	343	\r
	344	ChallengeLen = 2 * ISCSI_CHAP_RSP_LEN + 3;\r
e48e37fc	345	Challenge = AllocatePool (ChallengeLen);\r
6a690e23	346	if (Challenge == NULL) {\r
	347	return EFI_OUT_OF_RESOURCES;\r
	348	}\r
	349	\r
	350	switch (Conn->CHAPStep) {\r
	351	case ISCSI_CHAP_INITIAL:\r
	352	//\r
	353	// It's the initial Login Request. Fill in the key=value pairs mandatory\r
	354	// for the initial Login Request.\r
	355	//\r
	356	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, Session->InitiatorName);\r
	357	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");\r
	358	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_TARGET_NAME, Session->ConfigData.NvData.TargetName);\r
	359	\r
	360	if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_NONE) {\r
	361	Value = ISCSI_KEY_VALUE_NONE;\r
	362	ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
	363	} else {\r
	364	Value = ISCSI_AUTH_METHOD_CHAP;\r
	365	}\r
	366	\r
	367	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_AUTH_METHOD, Value);\r
	368	\r
	369	break;\r
	370	\r
	371	case ISCSI_CHAP_STEP_ONE:\r
	372	//\r
	373	// First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.\r
	374	//\r
	375	AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);\r
	376	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);\r
	377	\r
	378	Conn->CHAPStep = ISCSI_CHAP_STEP_TWO;\r
	379	break;\r
	380	\r
	381	case ISCSI_CHAP_STEP_THREE:\r
	382	//\r
	383	// Third step, send the Login Request with CHAP_N=<N> CHAP_R=<R> or\r
	384	// CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C> if target ahtentication is\r
	385	// required too.\r
	386	//\r
	387	// CHAP_N=<N>\r
	388	//\r
69b0882d	389	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig.CHAPName);\r
6a690e23	390	//\r
	391	// CHAP_R=<R>\r
	392	//\r
	393	IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);\r
	394	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);\r
	395	\r
	396	if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_MUTUAL) {\r
	397	//\r
	398	// CHAP_I=<I>\r
	399	//\r
	400	IScsiGenRandom ((UINT8 *) &AuthData->OutIdentifier, 1);\r
	401	AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);\r
	402	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);\r
	403	//\r
	404	// CHAP_C=<C>\r
	405	//\r
	406	IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);\r
	407	AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;\r
	408	IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);\r
	409	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);\r
	410	\r
	411	Conn->CHAPStep = ISCSI_CHAP_STEP_FOUR;\r
	412	}\r
	413	//\r
	414	// set the stage transition flag.\r
	415	//\r
	416	ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
	417	break;\r
	418	\r
	419	default:\r
	420	Status = EFI_PROTOCOL_ERROR;\r
	421	break;\r
	422	}\r
	423	\r
e48e37fc	424	gBS->FreePool (Response);\r
e48e37fc	425	gBS->FreePool (Challenge);\r
6a690e23	426	\r
	427	return Status;\r
	428	}\r