[mirror_edk2.git] / NetworkPkg / IScsiDxe / IScsiCHAP.c

/** @file\r
  This file is for Challenge-Handshake Authentication Protocol (CHAP)\r
  Configuration.\r
\r
Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include "IScsiImpl.h"\r
\r
//\r
// Supported CHAP hash algorithms, mapped to sets of BaseCryptLib APIs and\r
// macros. CHAP_HASH structures at lower subscripts in the array are preferred\r
// by the initiator.\r
//\r
STATIC CONST CHAP_HASH mChapHash[] = {\r
  {\r
    ISCSI_CHAP_ALGORITHM_SHA256,\r
    SHA256_DIGEST_SIZE,\r
    Sha256GetContextSize,\r
    Sha256Init,\r
    Sha256Update,\r
    Sha256Final\r
  },\r
#ifdef ENABLE_MD5_DEPRECATED_INTERFACES\r
  //\r
  // Keep the deprecated MD5 entry at the end of the array (making MD5 the\r
  // least preferred choice of the initiator).\r
  //\r
  {\r
    ISCSI_CHAP_ALGORITHM_MD5,\r
    MD5_DIGEST_SIZE,\r
    Md5GetContextSize,\r
    Md5Init,\r
    Md5Update,\r
    Md5Final\r
  },\r
#endif // ENABLE_MD5_DEPRECATED_INTERFACES\r
};\r
\r
//\r
// Ordered list of mChapHash[*].Algorithm values. It is formatted for the\r
// CHAP_A=<A1,A2...> value string, by the IScsiCHAPInitHashList() function. It\r
// is sent by the initiator in ISCSI_CHAP_STEP_ONE.\r
//\r
STATIC CHAR8 mChapHashListString[\r
               3 +                                      // UINT8 identifier in\r
                                                        //   decimal\r
               (1 + 3) * (ARRAY_SIZE (mChapHash) - 1) + // comma prepended for\r
                                                        //   entries after the\r
                                                        //   first\r
               1 +                                      // extra character for\r
                                                        //   AsciiSPrint()\r
                                                        //   truncation check\r
               1                                        // terminating NUL\r
               ];\r
\r
/**\r
  Initiator calculates its own expected hash value.\r
\r
  @param[in]   ChapIdentifier     iSCSI CHAP identifier sent by authenticator.\r
  @param[in]   ChapSecret         iSCSI CHAP secret of the authenticator.\r
  @param[in]   SecretLength       The length of iSCSI CHAP secret.\r
  @param[in]   ChapChallenge      The challenge message sent by authenticator.\r
  @param[in]   ChallengeLength    The length of iSCSI CHAP challenge message.\r
  @param[in]   Hash               Pointer to the CHAP_HASH structure that\r
                                  determines the hashing algorithm to use. The\r
                                  caller is responsible for making Hash point\r
                                  to an "mChapHash" element.\r
  @param[out]  ChapResponse       The calculation of the expected hash value.\r
\r
  @retval EFI_SUCCESS             The expected hash value was calculatedly\r
                                  successfully.\r
  @retval EFI_PROTOCOL_ERROR      The length of the secret should be at least\r
                                  the length of the hash value for the hashing\r
                                  algorithm chosen.\r
  @retval EFI_PROTOCOL_ERROR      Hash operation fails.\r
  @retval EFI_OUT_OF_RESOURCES    Failure to allocate resource to complete\r
                                  hashing.\r
\r
**/\r
EFI_STATUS\r
IScsiCHAPCalculateResponse (\r
  IN  UINT32          ChapIdentifier,\r
  IN  CHAR8           *ChapSecret,\r
  IN  UINT32          SecretLength,\r
  IN  UINT8           *ChapChallenge,\r
  IN  UINT32          ChallengeLength,\r
  IN  CONST CHAP_HASH *Hash,\r
  OUT UINT8           *ChapResponse\r
  )\r
{\r
  UINTN       ContextSize;\r
  VOID        *Ctx;\r
  CHAR8       IdByte[1];\r
  EFI_STATUS  Status;\r
\r
  if (SecretLength < ISCSI_CHAP_SECRET_MIN_LEN) {\r
    return EFI_PROTOCOL_ERROR;\r
  }\r
\r
  ASSERT (Hash != NULL);\r
\r
  ContextSize = Hash->GetContextSize ();\r
  Ctx = AllocatePool (ContextSize);\r
  if (Ctx == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  Status = EFI_PROTOCOL_ERROR;\r
\r
  if (!Hash->Init (Ctx)) {\r
    goto Exit;\r
  }\r
\r
  //\r
  // Hash Identifier - Only calculate 1 byte data (RFC1994)\r
  //\r
  IdByte[0] = (CHAR8) ChapIdentifier;\r
  if (!Hash->Update (Ctx, IdByte, 1)) {\r
    goto Exit;\r
  }\r
\r
  //\r
  // Hash Secret\r
  //\r
  if (!Hash->Update (Ctx, ChapSecret, SecretLength)) {\r
    goto Exit;\r
  }\r
\r
  //\r
  // Hash Challenge received from Target\r
  //\r
  if (!Hash->Update (Ctx, ChapChallenge, ChallengeLength)) {\r
    goto Exit;\r
  }\r
\r
  if (Hash->Final (Ctx, ChapResponse)) {\r
    Status = EFI_SUCCESS;\r
  }\r
\r
Exit:\r
  FreePool (Ctx);\r
  return Status;\r
}\r
\r
/**\r
  The initiator checks the CHAP response replied by target against its own\r
  calculation of the expected hash value.\r
\r
  @param[in]   AuthData             iSCSI CHAP authentication data.\r
  @param[in]   TargetResponse       The response from target.\r
\r
  @retval EFI_SUCCESS               The response from target passed\r
                                    authentication.\r
  @retval EFI_SECURITY_VIOLATION    The response from target was not expected\r
                                    value.\r
  @retval Others                    Other errors as indicated.\r
\r
**/\r
EFI_STATUS\r
IScsiCHAPAuthTarget (\r
  IN  ISCSI_CHAP_AUTH_DATA  *AuthData,\r
  IN  UINT8                 *TargetResponse\r
  )\r
{\r
  EFI_STATUS  Status;\r
  UINT32      SecretSize;\r
  UINT8       VerifyRsp[ISCSI_CHAP_MAX_DIGEST_SIZE];\r
  INTN        Mismatch;\r
\r
  Status      = EFI_SUCCESS;\r
\r
  SecretSize  = (UINT32) AsciiStrLen (AuthData->AuthConfig->ReverseCHAPSecret);\r
\r
  ASSERT (AuthData->Hash != NULL);\r
\r
  Status = IScsiCHAPCalculateResponse (\r
             AuthData->OutIdentifier,\r
             AuthData->AuthConfig->ReverseCHAPSecret,\r
             SecretSize,\r
             AuthData->OutChallenge,\r
             AuthData->Hash->DigestSize,              // ChallengeLength\r
             AuthData->Hash,\r
             VerifyRsp\r
             );\r
\r
  Mismatch = CompareMem (\r
               VerifyRsp,\r
               TargetResponse,\r
               AuthData->Hash->DigestSize\r
               );\r
  if (Mismatch != 0) {\r
    Status = EFI_SECURITY_VIOLATION;\r
  }\r
\r
  return Status;\r
}\r
\r
\r
/**\r
  This function checks the received iSCSI Login Response during the security\r
  negotiation stage.\r
\r
  @param[in] Conn             The iSCSI connection.\r
\r
  @retval EFI_SUCCESS          The Login Response passed the CHAP validation.\r
  @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
  @retval EFI_PROTOCOL_ERROR   Some kind of protocol error occurred.\r
  @retval Others               Other errors as indicated.\r
\r
**/\r
EFI_STATUS\r
IScsiCHAPOnRspReceived (\r
  IN ISCSI_CONNECTION  *Conn\r
  )\r
{\r
  EFI_STATUS                  Status;\r
  ISCSI_SESSION               *Session;\r
  ISCSI_CHAP_AUTH_DATA        *AuthData;\r
  CHAR8                       *Value;\r
  UINT8                       *Data;\r
  UINT32                      Len;\r
  LIST_ENTRY                  *KeyValueList;\r
  UINTN                       Algorithm;\r
  CHAR8                       *Identifier;\r
  CHAR8                       *Challenge;\r
  CHAR8                       *Name;\r
  CHAR8                       *Response;\r
  UINT8                       TargetRsp[ISCSI_CHAP_MAX_DIGEST_SIZE];\r
  UINT32                      RspLen;\r
  UINTN                       Result;\r
  UINTN                       HashIndex;\r
\r
  ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
  ASSERT (Conn->RspQue.BufNum != 0);\r
\r
  Session     = Conn->Session;\r
  AuthData    = &Session->AuthData.CHAP;\r
  Len         = Conn->RspQue.BufSize;\r
  Data        = AllocateZeroPool (Len);\r
  if (Data == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
  //\r
  // Copy the data in case the data spans over multiple PDUs.\r
  //\r
  NetbufQueCopy (&Conn->RspQue, 0, Len, Data);\r
\r
  //\r
  // Build the key-value list from the data segment of the Login Response.\r
  //\r
  KeyValueList = IScsiBuildKeyValueList ((CHAR8 *) Data, Len);\r
  if (KeyValueList == NULL) {\r
    Status = EFI_OUT_OF_RESOURCES;\r
    goto ON_EXIT;\r
  }\r
\r
  Status = EFI_PROTOCOL_ERROR;\r
\r
  switch (Conn->AuthStep) {\r
  case ISCSI_AUTH_INITIAL:\r
    //\r
    // The first Login Response.\r
    //\r
    Value = IScsiGetValueByKeyFromList (\r
              KeyValueList,\r
              ISCSI_KEY_TARGET_PORTAL_GROUP_TAG\r
              );\r
    if (Value == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Result = IScsiNetNtoi (Value);\r
    if (Result > 0xFFFF) {\r
      goto ON_EXIT;\r
    }\r
\r
    Session->TargetPortalGroupTag = (UINT16) Result;\r
\r
    Value                         = IScsiGetValueByKeyFromList (\r
                                      KeyValueList,\r
                                      ISCSI_KEY_AUTH_METHOD\r
                                      );\r
    if (Value == NULL) {\r
      goto ON_EXIT;\r
    }\r
    //\r
    // Initiator mandates CHAP authentication but target replies without\r
    // "CHAP", or initiator suggets "None" but target replies with some kind of\r
    // auth method.\r
    //\r
    if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {\r
      if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) {\r
        goto ON_EXIT;\r
      }\r
    } else if (Session->AuthType == ISCSI_AUTH_TYPE_CHAP) {\r
      if (AsciiStrCmp (Value, ISCSI_AUTH_METHOD_CHAP) != 0) {\r
        goto ON_EXIT;\r
      }\r
    } else {\r
      goto ON_EXIT;\r
    }\r
\r
    //\r
    // Transit to CHAP step one.\r
    //\r
    Conn->AuthStep  = ISCSI_CHAP_STEP_ONE;\r
    Status          = EFI_SUCCESS;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_TWO:\r
    //\r
    // The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>\r
    //\r
    Value = IScsiGetValueByKeyFromList (\r
              KeyValueList,\r
              ISCSI_KEY_CHAP_ALGORITHM\r
              );\r
    if (Value == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Algorithm = IScsiNetNtoi (Value);\r
    for (HashIndex = 0; HashIndex < ARRAY_SIZE (mChapHash); HashIndex++) {\r
      if (Algorithm == mChapHash[HashIndex].Algorithm) {\r
        break;\r
      }\r
    }\r
    if (HashIndex == ARRAY_SIZE (mChapHash)) {\r
      //\r
      // Unsupported algorithm is chosen by target.\r
      //\r
      goto ON_EXIT;\r
    }\r
    //\r
    // Remember the target's chosen hash algorithm.\r
    //\r
    ASSERT (AuthData->Hash == NULL);\r
    AuthData->Hash = &mChapHash[HashIndex];\r
\r
    Identifier = IScsiGetValueByKeyFromList (\r
                   KeyValueList,\r
                   ISCSI_KEY_CHAP_IDENTIFIER\r
                   );\r
    if (Identifier == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Challenge = IScsiGetValueByKeyFromList (\r
                  KeyValueList,\r
                  ISCSI_KEY_CHAP_CHALLENGE\r
                  );\r
    if (Challenge == NULL) {\r
      goto ON_EXIT;\r
    }\r
    //\r
    // Process the CHAP identifier and CHAP Challenge from Target.\r
    // Calculate Response value.\r
    //\r
    Result = IScsiNetNtoi (Identifier);\r
    if (Result > 0xFF) {\r
      goto ON_EXIT;\r
    }\r
\r
    AuthData->InIdentifier      = (UINT32) Result;\r
    AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);\r
    Status = IScsiHexToBin (\r
               (UINT8 *) AuthData->InChallenge,\r
               &AuthData->InChallengeLength,\r
               Challenge\r
               );\r
    if (EFI_ERROR (Status)) {\r
      Status = EFI_PROTOCOL_ERROR;\r
      goto ON_EXIT;\r
    }\r
    Status = IScsiCHAPCalculateResponse (\r
               AuthData->InIdentifier,\r
               AuthData->AuthConfig->CHAPSecret,\r
               (UINT32) AsciiStrLen (AuthData->AuthConfig->CHAPSecret),\r
               AuthData->InChallenge,\r
               AuthData->InChallengeLength,\r
               AuthData->Hash,\r
               AuthData->CHAPResponse\r
               );\r
\r
    //\r
    // Transit to next step.\r
    //\r
    Conn->AuthStep = ISCSI_CHAP_STEP_THREE;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_THREE:\r
    //\r
    // One way CHAP authentication and the target would like to\r
    // authenticate us.\r
    //\r
    Status = EFI_SUCCESS;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_FOUR:\r
    ASSERT (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL);\r
    //\r
    // The forth step, CHAP_N=<N> CHAP_R=<R> is received from Target.\r
    //\r
    Name = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME);\r
    if (Name == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Response = IScsiGetValueByKeyFromList (\r
                 KeyValueList,\r
                 ISCSI_KEY_CHAP_RESPONSE\r
                 );\r
    if (Response == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    ASSERT (AuthData->Hash != NULL);\r
    RspLen = AuthData->Hash->DigestSize;\r
    Status = IScsiHexToBin (TargetRsp, &RspLen, Response);\r
    if (EFI_ERROR (Status) || RspLen != AuthData->Hash->DigestSize) {\r
      Status = EFI_PROTOCOL_ERROR;\r
      goto ON_EXIT;\r
    }\r
\r
    //\r
    // Check the CHAP Name and Response replied by Target.\r
    //\r
    Status = IScsiCHAPAuthTarget (AuthData, TargetRsp);\r
    break;\r
\r
  default:\r
    break;\r
  }\r
\r
ON_EXIT:\r
\r
  if (KeyValueList != NULL) {\r
    IScsiFreeKeyValueList (KeyValueList);\r
  }\r
\r
  FreePool (Data);\r
\r
  return Status;\r
}\r
\r
\r
/**\r
  This function fills the CHAP authentication information into the login PDU\r
  during the security negotiation stage in the iSCSI connection login.\r
\r
  @param[in]       Conn        The iSCSI connection.\r
  @param[in, out]  Pdu         The PDU to send out.\r
\r
  @retval EFI_SUCCESS           All check passed and the phase-related CHAP\r
                                authentication info is filled into the iSCSI\r
                                PDU.\r
  @retval EFI_OUT_OF_RESOURCES  Failed to allocate memory.\r
  @retval EFI_PROTOCOL_ERROR    Some kind of protocol error occurred.\r
\r
**/\r
EFI_STATUS\r
IScsiCHAPToSendReq (\r
  IN      ISCSI_CONNECTION  *Conn,\r
  IN OUT  NET_BUF           *Pdu\r
  )\r
{\r
  EFI_STATUS                  Status;\r
  ISCSI_SESSION               *Session;\r
  ISCSI_LOGIN_REQUEST         *LoginReq;\r
  ISCSI_CHAP_AUTH_DATA        *AuthData;\r
  CHAR8                       *Value;\r
  CHAR8                       ValueStr[256];\r
  CHAR8                       *Response;\r
  UINT32                      RspLen;\r
  CHAR8                       *Challenge;\r
  UINT32                      ChallengeLen;\r
  EFI_STATUS                  BinToHexStatus;\r
\r
  ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
\r
  Session     = Conn->Session;\r
  AuthData    = &Session->AuthData.CHAP;\r
  LoginReq    = (ISCSI_LOGIN_REQUEST *) NetbufGetByte (Pdu, 0, 0);\r
  if (LoginReq == NULL) {\r
    return EFI_PROTOCOL_ERROR;\r
  }\r
  Status      = EFI_SUCCESS;\r
\r
  RspLen      = 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3;\r
  Response    = AllocateZeroPool (RspLen);\r
  if (Response == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  ChallengeLen  = 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3;\r
  Challenge     = AllocateZeroPool (ChallengeLen);\r
  if (Challenge == NULL) {\r
    FreePool (Response);\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  switch (Conn->AuthStep) {\r
  case ISCSI_AUTH_INITIAL:\r
    //\r
    // It's the initial Login Request. Fill in the key=value pairs mandatory\r
    // for the initial Login Request.\r
    //\r
    IScsiAddKeyValuePair (\r
      Pdu,\r
      ISCSI_KEY_INITIATOR_NAME,\r
      mPrivate->InitiatorName\r
      );\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");\r
    IScsiAddKeyValuePair (\r
      Pdu,\r
      ISCSI_KEY_TARGET_NAME,\r
      Session->ConfigData->SessionConfigData.TargetName\r
      );\r
\r
    if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {\r
      Value = ISCSI_KEY_VALUE_NONE;\r
      ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
    } else {\r
      Value = ISCSI_AUTH_METHOD_CHAP;\r
    }\r
\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_AUTH_METHOD, Value);\r
\r
    break;\r
\r
  case ISCSI_CHAP_STEP_ONE:\r
    //\r
    // First step, send the Login Request with CHAP_A=<A1,A2...> key-value\r
    // pair.\r
    //\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, mChapHashListString);\r
\r
    Conn->AuthStep = ISCSI_CHAP_STEP_TWO;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_THREE:\r
    //\r
    // Third step, send the Login Request with CHAP_N=<N> CHAP_R=<R> or\r
    // CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C> if target authentication is\r
    // required too.\r
    //\r
    // CHAP_N=<N>\r
    //\r
    IScsiAddKeyValuePair (\r
      Pdu,\r
      ISCSI_KEY_CHAP_NAME,\r
      (CHAR8 *) &AuthData->AuthConfig->CHAPName\r
      );\r
    //\r
    // CHAP_R=<R>\r
    //\r
    ASSERT (AuthData->Hash != NULL);\r
    BinToHexStatus = IScsiBinToHex (\r
                       (UINT8 *) AuthData->CHAPResponse,\r
                       AuthData->Hash->DigestSize,\r
                       Response,\r
                       &RspLen\r
                       );\r
    ASSERT_EFI_ERROR (BinToHexStatus);\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);\r
\r
    if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {\r
      //\r
      // CHAP_I=<I>\r
      //\r
      IScsiGenRandom ((UINT8 *) &AuthData->OutIdentifier, 1);\r
      AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);\r
      IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);\r
      //\r
      // CHAP_C=<C>\r
      //\r
      IScsiGenRandom (\r
        (UINT8 *) AuthData->OutChallenge,\r
        AuthData->Hash->DigestSize\r
        );\r
      BinToHexStatus = IScsiBinToHex (\r
                         (UINT8 *) AuthData->OutChallenge,\r
                         AuthData->Hash->DigestSize,\r
                         Challenge,\r
                         &ChallengeLen\r
                         );\r
      ASSERT_EFI_ERROR (BinToHexStatus);\r
      IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);\r
\r
      Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;\r
    }\r
    //\r
    // Set the stage transition flag.\r
    //\r
    ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
    break;\r
\r
  default:\r
    Status = EFI_PROTOCOL_ERROR;\r
    break;\r
  }\r
\r
  FreePool (Response);\r
  FreePool (Challenge);\r
\r
  return Status;\r
}\r
\r
/**\r
  Initialize the CHAP_A=<A1,A2...> *value* string for the entire driver, to be\r
  sent by the initiator in ISCSI_CHAP_STEP_ONE.\r
\r
  This function sanity-checks the internal table of supported CHAP hashing\r
  algorithms, as well.\r
**/\r
VOID\r
IScsiCHAPInitHashList (\r
  VOID\r
  )\r
{\r
  CHAR8           *Position;\r
  UINTN           Left;\r
  UINTN           HashIndex;\r
  CONST CHAP_HASH *Hash;\r
  UINTN           Printed;\r
\r
  Position = mChapHashListString;\r
  Left = sizeof (mChapHashListString);\r
  for (HashIndex = 0; HashIndex < ARRAY_SIZE (mChapHash); HashIndex++) {\r
    Hash = &mChapHash[HashIndex];\r
\r
    //\r
    // Format the next hash identifier.\r
    //\r
    // Assert that we can format at least one non-NUL character, i.e. that we\r
    // can progress. Truncation is checked after printing.\r
    //\r
    ASSERT (Left >= 2);\r
    Printed = AsciiSPrint (\r
                Position,\r
                Left,\r
                "%a%d",\r
                (HashIndex == 0) ? "" : ",",\r
                Hash->Algorithm\r
                );\r
    //\r
    // There's no way to differentiate between the "buffer filled to the brim,\r
    // but not truncated" result and the "truncated" result of AsciiSPrint().\r
    // This is why "mChapHashListString" has an extra byte allocated, and the\r
    // reason why we use the less-than (rather than the less-than-or-equal-to)\r
    // relational operator in the assertion below -- we enforce "no truncation"\r
    // by excluding the "completely used up" case too.\r
    //\r
    ASSERT (Printed + 1 < Left);\r
\r
    Position += Printed;\r
    Left -= Printed;\r
\r
    //\r
    // Sanity-check the digest size for Hash.\r
    //\r
    ASSERT (Hash->DigestSize <= ISCSI_CHAP_MAX_DIGEST_SIZE);\r
  }\r
}\r
Commit	Line	Data
4c5a5e0c	1	/** @file\r
83761337 LE	2	This file is for Challenge-Handshake Authentication Protocol (CHAP)\r
83761337 LE	3	Configuration.\r
4c5a5e0c	4	\r
f75a7f56	5	Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>\r
ecf98fbc	6	SPDX-License-Identifier: BSD-2-Clause-Patent\r
4c5a5e0c	7	\r
	8	**/\r
	9	\r
	10	#include "IScsiImpl.h"\r
	11	\r
903ce1d8 LE	12	//\r
	13	// Supported CHAP hash algorithms, mapped to sets of BaseCryptLib APIs and\r
	14	// macros. CHAP_HASH structures at lower subscripts in the array are preferred\r
	15	// by the initiator.\r
	16	//\r
	17	STATIC CONST CHAP_HASH mChapHash[] = {\r
47fea2ab LE	18	{\r
	19	ISCSI_CHAP_ALGORITHM_SHA256,\r
	20	SHA256_DIGEST_SIZE,\r
	21	Sha256GetContextSize,\r
	22	Sha256Init,\r
	23	Sha256Update,\r
	24	Sha256Final\r
	25	},\r
bb33c27f	26	#ifdef ENABLE_MD5_DEPRECATED_INTERFACES\r
47fea2ab LE	27	//\r
	28	// Keep the deprecated MD5 entry at the end of the array (making MD5 the\r
	29	// least preferred choice of the initiator).\r
	30	//\r
903ce1d8 LE	31	{\r
	32	ISCSI_CHAP_ALGORITHM_MD5,\r
	33	MD5_DIGEST_SIZE,\r
	34	Md5GetContextSize,\r
	35	Md5Init,\r
	36	Md5Update,\r
	37	Md5Final\r
	38	},\r
bb33c27f	39	#endif // ENABLE_MD5_DEPRECATED_INTERFACES\r
903ce1d8 LE	40	};\r
	41	\r
	42	//\r
	43	// Ordered list of mChapHash[*].Algorithm values. It is formatted for the\r
	44	// CHAP_A=<A1,A2...> value string, by the IScsiCHAPInitHashList() function. It\r
	45	// is sent by the initiator in ISCSI_CHAP_STEP_ONE.\r
	46	//\r
	47	STATIC CHAR8 mChapHashListString[\r
	48	3 + // UINT8 identifier in\r
	49	// decimal\r
	50	(1 + 3) * (ARRAY_SIZE (mChapHash) - 1) + // comma prepended for\r
	51	// entries after the\r
	52	// first\r
	53	1 + // extra character for\r
	54	// AsciiSPrint()\r
	55	// truncation check\r
	56	1 // terminating NUL\r
	57	];\r
	58	\r
4c5a5e0c	59	/**\r
efb56593	60	Initiator calculates its own expected hash value.\r
f75a7f56	61	\r
4c5a5e0c	62	@param[in] ChapIdentifier iSCSI CHAP identifier sent by authenticator.\r
	63	@param[in] ChapSecret iSCSI CHAP secret of the authenticator.\r
	64	@param[in] SecretLength The length of iSCSI CHAP secret.\r
	65	@param[in] ChapChallenge The challenge message sent by authenticator.\r
	66	@param[in] ChallengeLength The length of iSCSI CHAP challenge message.\r
903ce1d8 LE	67	@param[in] Hash Pointer to the CHAP_HASH structure that\r
	68	determines the hashing algorithm to use. The\r
	69	caller is responsible for making Hash point\r
	70	to an "mChapHash" element.\r
4c5a5e0c	71	@param[out] ChapResponse The calculation of the expected hash value.\r
f75a7f56	72	\r
83761337 LE	73	@retval EFI_SUCCESS The expected hash value was calculatedly\r
	74	successfully.\r
	75	@retval EFI_PROTOCOL_ERROR The length of the secret should be at least\r
	76	the length of the hash value for the hashing\r
	77	algorithm chosen.\r
903ce1d8 LE	78	@retval EFI_PROTOCOL_ERROR Hash operation fails.\r
	79	@retval EFI_OUT_OF_RESOURCES Failure to allocate resource to complete\r
	80	hashing.\r
4c5a5e0c	81	\r
	82	**/\r
	83	EFI_STATUS\r
	84	IScsiCHAPCalculateResponse (\r
7eba9f69 LE	85	IN UINT32 ChapIdentifier,\r
	86	IN CHAR8 *ChapSecret,\r
	87	IN UINT32 SecretLength,\r
	88	IN UINT8 *ChapChallenge,\r
	89	IN UINT32 ChallengeLength,\r
903ce1d8	90	IN CONST CHAP_HASH *Hash,\r
7eba9f69	91	OUT UINT8 *ChapResponse\r
4c5a5e0c	92	)\r
4c5a5e0c	93	{\r
903ce1d8 LE	94	UINTN ContextSize;\r
903ce1d8 LE	95	VOID *Ctx;\r
4c5a5e0c	96	CHAR8 IdByte[1];\r
	97	EFI_STATUS Status;\r
	98	\r
	99	if (SecretLength < ISCSI_CHAP_SECRET_MIN_LEN) {\r
	100	return EFI_PROTOCOL_ERROR;\r
	101	}\r
	102	\r
903ce1d8 LE	103	ASSERT (Hash != NULL);\r
	104	\r
	105	ContextSize = Hash->GetContextSize ();\r
	106	Ctx = AllocatePool (ContextSize);\r
	107	if (Ctx == NULL) {\r
4c5a5e0c	108	return EFI_OUT_OF_RESOURCES;\r
	109	}\r
	110	\r
	111	Status = EFI_PROTOCOL_ERROR;\r
	112	\r
903ce1d8	113	if (!Hash->Init (Ctx)) {\r
4c5a5e0c	114	goto Exit;\r
	115	}\r
	116	\r
	117	//\r
	118	// Hash Identifier - Only calculate 1 byte data (RFC1994)\r
	119	//\r
	120	IdByte[0] = (CHAR8) ChapIdentifier;\r
903ce1d8	121	if (!Hash->Update (Ctx, IdByte, 1)) {\r
4c5a5e0c	122	goto Exit;\r
	123	}\r
	124	\r
	125	//\r
	126	// Hash Secret\r
	127	//\r
903ce1d8	128	if (!Hash->Update (Ctx, ChapSecret, SecretLength)) {\r
4c5a5e0c	129	goto Exit;\r
	130	}\r
	131	\r
	132	//\r
	133	// Hash Challenge received from Target\r
	134	//\r
903ce1d8	135	if (!Hash->Update (Ctx, ChapChallenge, ChallengeLength)) {\r
4c5a5e0c	136	goto Exit;\r
	137	}\r
	138	\r
903ce1d8	139	if (Hash->Final (Ctx, ChapResponse)) {\r
4c5a5e0c	140	Status = EFI_SUCCESS;\r
	141	}\r
	142	\r
	143	Exit:\r
903ce1d8	144	FreePool (Ctx);\r
4c5a5e0c	145	return Status;\r
	146	}\r
	147	\r
	148	/**\r
efb56593	149	The initiator checks the CHAP response replied by target against its own\r
f75a7f56 LG	150	calculation of the expected hash value.\r
	151	\r
	152	@param[in] AuthData iSCSI CHAP authentication data.\r
	153	@param[in] TargetResponse The response from target.\r
4c5a5e0c	154	\r
83761337 LE	155	@retval EFI_SUCCESS The response from target passed\r
	156	authentication.\r
	157	@retval EFI_SECURITY_VIOLATION The response from target was not expected\r
	158	value.\r
4c5a5e0c	159	@retval Others Other errors as indicated.\r
	160	\r
	161	**/\r
	162	EFI_STATUS\r
	163	IScsiCHAPAuthTarget (\r
	164	IN ISCSI_CHAP_AUTH_DATA *AuthData,\r
	165	IN UINT8 *TargetResponse\r
	166	)\r
	167	{\r
	168	EFI_STATUS Status;\r
	169	UINT32 SecretSize;\r
7b6c2b2a	170	UINT8 VerifyRsp[ISCSI_CHAP_MAX_DIGEST_SIZE];\r
903ce1d8	171	INTN Mismatch;\r
4c5a5e0c	172	\r
	173	Status = EFI_SUCCESS;\r
	174	\r
	175	SecretSize = (UINT32) AsciiStrLen (AuthData->AuthConfig->ReverseCHAPSecret);\r
903ce1d8 LE	176	\r
	177	ASSERT (AuthData->Hash != NULL);\r
	178	\r
4c5a5e0c	179	Status = IScsiCHAPCalculateResponse (\r
	180	AuthData->OutIdentifier,\r
	181	AuthData->AuthConfig->ReverseCHAPSecret,\r
	182	SecretSize,\r
	183	AuthData->OutChallenge,\r
903ce1d8 LE	184	AuthData->Hash->DigestSize, // ChallengeLength\r
903ce1d8 LE	185	AuthData->Hash,\r
4c5a5e0c	186	VerifyRsp\r
	187	);\r
	188	\r
903ce1d8 LE	189	Mismatch = CompareMem (\r
	190	VerifyRsp,\r
	191	TargetResponse,\r
	192	AuthData->Hash->DigestSize\r
	193	);\r
	194	if (Mismatch != 0) {\r
4c5a5e0c	195	Status = EFI_SECURITY_VIOLATION;\r
	196	}\r
	197	\r
	198	return Status;\r
	199	}\r
	200	\r
	201	\r
	202	/**\r
	203	This function checks the received iSCSI Login Response during the security\r
	204	negotiation stage.\r
	205	\r
	206	@param[in] Conn The iSCSI connection.\r
	207	\r
	208	@retval EFI_SUCCESS The Login Response passed the CHAP validation.\r
	209	@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
	210	@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.\r
	211	@retval Others Other errors as indicated.\r
	212	\r
	213	**/\r
	214	EFI_STATUS\r
	215	IScsiCHAPOnRspReceived (\r
	216	IN ISCSI_CONNECTION *Conn\r
	217	)\r
	218	{\r
	219	EFI_STATUS Status;\r
	220	ISCSI_SESSION *Session;\r
	221	ISCSI_CHAP_AUTH_DATA *AuthData;\r
	222	CHAR8 *Value;\r
	223	UINT8 *Data;\r
	224	UINT32 Len;\r
	225	LIST_ENTRY *KeyValueList;\r
	226	UINTN Algorithm;\r
	227	CHAR8 *Identifier;\r
	228	CHAR8 *Challenge;\r
	229	CHAR8 *Name;\r
	230	CHAR8 *Response;\r
7b6c2b2a	231	UINT8 TargetRsp[ISCSI_CHAP_MAX_DIGEST_SIZE];\r
4c5a5e0c	232	UINT32 RspLen;\r
4c5a5e0c	233	UINTN Result;\r
903ce1d8	234	UINTN HashIndex;\r
4c5a5e0c	235	\r
	236	ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
	237	ASSERT (Conn->RspQue.BufNum != 0);\r
	238	\r
	239	Session = Conn->Session;\r
	240	AuthData = &Session->AuthData.CHAP;\r
	241	Len = Conn->RspQue.BufSize;\r
	242	Data = AllocateZeroPool (Len);\r
	243	if (Data == NULL) {\r
	244	return EFI_OUT_OF_RESOURCES;\r
	245	}\r
	246	//\r
	247	// Copy the data in case the data spans over multiple PDUs.\r
	248	//\r
	249	NetbufQueCopy (&Conn->RspQue, 0, Len, Data);\r
	250	\r
	251	//\r
	252	// Build the key-value list from the data segment of the Login Response.\r
	253	//\r
	254	KeyValueList = IScsiBuildKeyValueList ((CHAR8 *) Data, Len);\r
	255	if (KeyValueList == NULL) {\r
	256	Status = EFI_OUT_OF_RESOURCES;\r
	257	goto ON_EXIT;\r
	258	}\r
	259	\r
	260	Status = EFI_PROTOCOL_ERROR;\r
	261	\r
	262	switch (Conn->AuthStep) {\r
	263	case ISCSI_AUTH_INITIAL:\r
	264	//\r
	265	// The first Login Response.\r
	266	//\r
83761337 LE	267	Value = IScsiGetValueByKeyFromList (\r
	268	KeyValueList,\r
	269	ISCSI_KEY_TARGET_PORTAL_GROUP_TAG\r
	270	);\r
4c5a5e0c	271	if (Value == NULL) {\r
	272	goto ON_EXIT;\r
	273	}\r
	274	\r
	275	Result = IScsiNetNtoi (Value);\r
	276	if (Result > 0xFFFF) {\r
	277	goto ON_EXIT;\r
	278	}\r
	279	\r
	280	Session->TargetPortalGroupTag = (UINT16) Result;\r
	281	\r
83761337 LE	282	Value = IScsiGetValueByKeyFromList (\r
	283	KeyValueList,\r
	284	ISCSI_KEY_AUTH_METHOD\r
	285	);\r
4c5a5e0c	286	if (Value == NULL) {\r
	287	goto ON_EXIT;\r
	288	}\r
	289	//\r
83761337 LE	290	// Initiator mandates CHAP authentication but target replies without\r
	291	// "CHAP", or initiator suggets "None" but target replies with some kind of\r
	292	// auth method.\r
4c5a5e0c	293	//\r
	294	if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {\r
	295	if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) {\r
	296	goto ON_EXIT;\r
	297	}\r
	298	} else if (Session->AuthType == ISCSI_AUTH_TYPE_CHAP) {\r
	299	if (AsciiStrCmp (Value, ISCSI_AUTH_METHOD_CHAP) != 0) {\r
	300	goto ON_EXIT;\r
	301	}\r
	302	} else {\r
	303	goto ON_EXIT;\r
	304	}\r
	305	\r
	306	//\r
	307	// Transit to CHAP step one.\r
	308	//\r
	309	Conn->AuthStep = ISCSI_CHAP_STEP_ONE;\r
	310	Status = EFI_SUCCESS;\r
	311	break;\r
	312	\r
	313	case ISCSI_CHAP_STEP_TWO:\r
	314	//\r
	315	// The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>\r
	316	//\r
83761337 LE	317	Value = IScsiGetValueByKeyFromList (\r
	318	KeyValueList,\r
	319	ISCSI_KEY_CHAP_ALGORITHM\r
	320	);\r
4c5a5e0c	321	if (Value == NULL) {\r
	322	goto ON_EXIT;\r
	323	}\r
	324	\r
	325	Algorithm = IScsiNetNtoi (Value);\r
903ce1d8 LE	326	for (HashIndex = 0; HashIndex < ARRAY_SIZE (mChapHash); HashIndex++) {\r
	327	if (Algorithm == mChapHash[HashIndex].Algorithm) {\r
	328	break;\r
	329	}\r
	330	}\r
	331	if (HashIndex == ARRAY_SIZE (mChapHash)) {\r
4c5a5e0c	332	//\r
	333	// Unsupported algorithm is chosen by target.\r
	334	//\r
	335	goto ON_EXIT;\r
	336	}\r
903ce1d8 LE	337	//\r
	338	// Remember the target's chosen hash algorithm.\r
	339	//\r
	340	ASSERT (AuthData->Hash == NULL);\r
	341	AuthData->Hash = &mChapHash[HashIndex];\r
4c5a5e0c	342	\r
83761337 LE	343	Identifier = IScsiGetValueByKeyFromList (\r
	344	KeyValueList,\r
	345	ISCSI_KEY_CHAP_IDENTIFIER\r
	346	);\r
4c5a5e0c	347	if (Identifier == NULL) {\r
	348	goto ON_EXIT;\r
	349	}\r
	350	\r
83761337 LE	351	Challenge = IScsiGetValueByKeyFromList (\r
	352	KeyValueList,\r
	353	ISCSI_KEY_CHAP_CHALLENGE\r
	354	);\r
4c5a5e0c	355	if (Challenge == NULL) {\r
	356	goto ON_EXIT;\r
	357	}\r
	358	//\r
	359	// Process the CHAP identifier and CHAP Challenge from Target.\r
	360	// Calculate Response value.\r
f75a7f56	361	//\r
4c5a5e0c	362	Result = IScsiNetNtoi (Identifier);\r
	363	if (Result > 0xFF) {\r
	364	goto ON_EXIT;\r
f75a7f56 LG	365	}\r
f75a7f56 LG	366	\r
4c5a5e0c	367	AuthData->InIdentifier = (UINT32) Result;\r
29cab43b	368	AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);\r
b8649cf2 LE	369	Status = IScsiHexToBin (\r
	370	(UINT8 *) AuthData->InChallenge,\r
	371	&AuthData->InChallengeLength,\r
	372	Challenge\r
	373	);\r
	374	if (EFI_ERROR (Status)) {\r
	375	Status = EFI_PROTOCOL_ERROR;\r
	376	goto ON_EXIT;\r
	377	}\r
4c5a5e0c	378	Status = IScsiCHAPCalculateResponse (\r
	379	AuthData->InIdentifier,\r
	380	AuthData->AuthConfig->CHAPSecret,\r
	381	(UINT32) AsciiStrLen (AuthData->AuthConfig->CHAPSecret),\r
	382	AuthData->InChallenge,\r
	383	AuthData->InChallengeLength,\r
903ce1d8	384	AuthData->Hash,\r
4c5a5e0c	385	AuthData->CHAPResponse\r
	386	);\r
	387	\r
	388	//\r
	389	// Transit to next step.\r
	390	//\r
	391	Conn->AuthStep = ISCSI_CHAP_STEP_THREE;\r
	392	break;\r
	393	\r
	394	case ISCSI_CHAP_STEP_THREE:\r
	395	//\r
	396	// One way CHAP authentication and the target would like to\r
	397	// authenticate us.\r
	398	//\r
	399	Status = EFI_SUCCESS;\r
	400	break;\r
	401	\r
	402	case ISCSI_CHAP_STEP_FOUR:\r
	403	ASSERT (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL);\r
	404	//\r
	405	// The forth step, CHAP_N=<N> CHAP_R=<R> is received from Target.\r
	406	//\r
	407	Name = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME);\r
	408	if (Name == NULL) {\r
	409	goto ON_EXIT;\r
	410	}\r
	411	\r
83761337 LE	412	Response = IScsiGetValueByKeyFromList (\r
	413	KeyValueList,\r
	414	ISCSI_KEY_CHAP_RESPONSE\r
	415	);\r
4c5a5e0c	416	if (Response == NULL) {\r
	417	goto ON_EXIT;\r
	418	}\r
	419	\r
903ce1d8 LE	420	ASSERT (AuthData->Hash != NULL);\r
903ce1d8 LE	421	RspLen = AuthData->Hash->DigestSize;\r
b8649cf2	422	Status = IScsiHexToBin (TargetRsp, &RspLen, Response);\r
903ce1d8	423	if (EFI_ERROR (Status) \|\| RspLen != AuthData->Hash->DigestSize) {\r
b8649cf2 LE	424	Status = EFI_PROTOCOL_ERROR;\r
	425	goto ON_EXIT;\r
	426	}\r
4c5a5e0c	427	\r
	428	//\r
	429	// Check the CHAP Name and Response replied by Target.\r
	430	//\r
	431	Status = IScsiCHAPAuthTarget (AuthData, TargetRsp);\r
	432	break;\r
	433	\r
	434	default:\r
	435	break;\r
	436	}\r
	437	\r
	438	ON_EXIT:\r
	439	\r
	440	if (KeyValueList != NULL) {\r
	441	IScsiFreeKeyValueList (KeyValueList);\r
f75a7f56	442	}\r
4c5a5e0c	443	\r
	444	FreePool (Data);\r
	445	\r
	446	return Status;\r
	447	}\r
	448	\r
	449	\r
	450	/**\r
	451	This function fills the CHAP authentication information into the login PDU\r
	452	during the security negotiation stage in the iSCSI connection login.\r
	453	\r
	454	@param[in] Conn The iSCSI connection.\r
	455	@param[in, out] Pdu The PDU to send out.\r
	456	\r
	457	@retval EFI_SUCCESS All check passed and the phase-related CHAP\r
83761337 LE	458	authentication info is filled into the iSCSI\r
83761337 LE	459	PDU.\r
4c5a5e0c	460	@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
	461	@retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.\r
	462	\r
	463	**/\r
	464	EFI_STATUS\r
	465	IScsiCHAPToSendReq (\r
	466	IN ISCSI_CONNECTION *Conn,\r
	467	IN OUT NET_BUF *Pdu\r
	468	)\r
	469	{\r
	470	EFI_STATUS Status;\r
	471	ISCSI_SESSION *Session;\r
	472	ISCSI_LOGIN_REQUEST *LoginReq;\r
	473	ISCSI_CHAP_AUTH_DATA *AuthData;\r
	474	CHAR8 *Value;\r
	475	CHAR8 ValueStr[256];\r
	476	CHAR8 *Response;\r
	477	UINT32 RspLen;\r
	478	CHAR8 *Challenge;\r
	479	UINT32 ChallengeLen;\r
d90fff40	480	EFI_STATUS BinToHexStatus;\r
4c5a5e0c	481	\r
	482	ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
	483	\r
	484	Session = Conn->Session;\r
	485	AuthData = &Session->AuthData.CHAP;\r
	486	LoginReq = (ISCSI_LOGIN_REQUEST *) NetbufGetByte (Pdu, 0, 0);\r
7a49cd08 ED	487	if (LoginReq == NULL) {\r
	488	return EFI_PROTOCOL_ERROR;\r
	489	}\r
4c5a5e0c	490	Status = EFI_SUCCESS;\r
4c5a5e0c	491	\r
7b6c2b2a	492	RspLen = 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3;\r
4c5a5e0c	493	Response = AllocateZeroPool (RspLen);\r
	494	if (Response == NULL) {\r
	495	return EFI_OUT_OF_RESOURCES;\r
	496	}\r
	497	\r
7b6c2b2a	498	ChallengeLen = 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3;\r
4c5a5e0c	499	Challenge = AllocateZeroPool (ChallengeLen);\r
	500	if (Challenge == NULL) {\r
	501	FreePool (Response);\r
	502	return EFI_OUT_OF_RESOURCES;\r
	503	}\r
	504	\r
	505	switch (Conn->AuthStep) {\r
	506	case ISCSI_AUTH_INITIAL:\r
	507	//\r
	508	// It's the initial Login Request. Fill in the key=value pairs mandatory\r
	509	// for the initial Login Request.\r
	510	//\r
83761337 LE	511	IScsiAddKeyValuePair (\r
	512	Pdu,\r
	513	ISCSI_KEY_INITIATOR_NAME,\r
	514	mPrivate->InitiatorName\r
	515	);\r
4c5a5e0c	516	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");\r
	517	IScsiAddKeyValuePair (\r
	518	Pdu,\r
	519	ISCSI_KEY_TARGET_NAME,\r
	520	Session->ConfigData->SessionConfigData.TargetName\r
	521	);\r
	522	\r
	523	if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {\r
	524	Value = ISCSI_KEY_VALUE_NONE;\r
	525	ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
	526	} else {\r
	527	Value = ISCSI_AUTH_METHOD_CHAP;\r
	528	}\r
	529	\r
	530	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_AUTH_METHOD, Value);\r
	531	\r
	532	break;\r
	533	\r
	534	case ISCSI_CHAP_STEP_ONE:\r
	535	//\r
83761337 LE	536	// First step, send the Login Request with CHAP_A=<A1,A2...> key-value\r
83761337 LE	537	// pair.\r
4c5a5e0c	538	//\r
903ce1d8	539	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, mChapHashListString);\r
4c5a5e0c	540	\r
	541	Conn->AuthStep = ISCSI_CHAP_STEP_TWO;\r
	542	break;\r
	543	\r
	544	case ISCSI_CHAP_STEP_THREE:\r
	545	//\r
	546	// Third step, send the Login Request with CHAP_N=<N> CHAP_R=<R> or\r
	547	// CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C> if target authentication is\r
	548	// required too.\r
	549	//\r
	550	// CHAP_N=<N>\r
	551	//\r
83761337 LE	552	IScsiAddKeyValuePair (\r
	553	Pdu,\r
	554	ISCSI_KEY_CHAP_NAME,\r
	555	(CHAR8 *) &AuthData->AuthConfig->CHAPName\r
	556	);\r
4c5a5e0c	557	//\r
	558	// CHAP_R=<R>\r
	559	//\r
903ce1d8	560	ASSERT (AuthData->Hash != NULL);\r
d90fff40 LE	561	BinToHexStatus = IScsiBinToHex (\r
d90fff40 LE	562	(UINT8 *) AuthData->CHAPResponse,\r
903ce1d8	563	AuthData->Hash->DigestSize,\r
d90fff40 LE	564	Response,\r
	565	&RspLen\r
	566	);\r
	567	ASSERT_EFI_ERROR (BinToHexStatus);\r
4c5a5e0c	568	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);\r
	569	\r
	570	if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {\r
	571	//\r
	572	// CHAP_I=<I>\r
	573	//\r
	574	IScsiGenRandom ((UINT8 *) &AuthData->OutIdentifier, 1);\r
	575	AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);\r
	576	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);\r
	577	//\r
	578	// CHAP_C=<C>\r
	579	//\r
903ce1d8 LE	580	IScsiGenRandom (\r
	581	(UINT8 *) AuthData->OutChallenge,\r
	582	AuthData->Hash->DigestSize\r
	583	);\r
d90fff40 LE	584	BinToHexStatus = IScsiBinToHex (\r
d90fff40 LE	585	(UINT8 *) AuthData->OutChallenge,\r
903ce1d8	586	AuthData->Hash->DigestSize,\r
d90fff40 LE	587	Challenge,\r
	588	&ChallengeLen\r
	589	);\r
	590	ASSERT_EFI_ERROR (BinToHexStatus);\r
4c5a5e0c	591	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);\r
	592	\r
	593	Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;\r
	594	}\r
	595	//\r
	596	// Set the stage transition flag.\r
	597	//\r
	598	ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
	599	break;\r
	600	\r
	601	default:\r
	602	Status = EFI_PROTOCOL_ERROR;\r
	603	break;\r
	604	}\r
	605	\r
	606	FreePool (Response);\r
	607	FreePool (Challenge);\r
	608	\r
	609	return Status;\r
	610	}\r
903ce1d8 LE	611	\r
	612	/**\r
	613	Initialize the CHAP_A=<A1,A2...> value string for the entire driver, to be\r
	614	sent by the initiator in ISCSI_CHAP_STEP_ONE.\r
	615	\r
	616	This function sanity-checks the internal table of supported CHAP hashing\r
	617	algorithms, as well.\r
	618	**/\r
	619	VOID\r
	620	IScsiCHAPInitHashList (\r
	621	VOID\r
	622	)\r
	623	{\r
	624	CHAR8 *Position;\r
	625	UINTN Left;\r
	626	UINTN HashIndex;\r
	627	CONST CHAP_HASH *Hash;\r
	628	UINTN Printed;\r
	629	\r
	630	Position = mChapHashListString;\r
	631	Left = sizeof (mChapHashListString);\r
	632	for (HashIndex = 0; HashIndex < ARRAY_SIZE (mChapHash); HashIndex++) {\r
	633	Hash = &mChapHash[HashIndex];\r
	634	\r
	635	//\r
	636	// Format the next hash identifier.\r
	637	//\r
	638	// Assert that we can format at least one non-NUL character, i.e. that we\r
	639	// can progress. Truncation is checked after printing.\r
	640	//\r
	641	ASSERT (Left >= 2);\r
	642	Printed = AsciiSPrint (\r
	643	Position,\r
	644	Left,\r
	645	"%a%d",\r
	646	(HashIndex == 0) ? "" : ",",\r
	647	Hash->Algorithm\r
	648	);\r
	649	//\r
	650	// There's no way to differentiate between the "buffer filled to the brim,\r
	651	// but not truncated" result and the "truncated" result of AsciiSPrint().\r
	652	// This is why "mChapHashListString" has an extra byte allocated, and the\r
	653	// reason why we use the less-than (rather than the less-than-or-equal-to)\r
	654	// relational operator in the assertion below -- we enforce "no truncation"\r
	655	// by excluding the "completely used up" case too.\r
	656	//\r
	657	ASSERT (Printed + 1 < Left);\r
	658	\r
	659	Position += Printed;\r
	660	Left -= Printed;\r
	661	\r
	662	//\r
	663	// Sanity-check the digest size for Hash.\r
	664	//\r
	665	ASSERT (Hash->DigestSize <= ISCSI_CHAP_MAX_DIGEST_SIZE);\r
	666	}\r
	667	}\r