[mirror_edk2.git] / MdeModulePkg / Universal / Network / IScsiDxe / IScsiCHAP.c

/** @file\r
  This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.\r
\r
Copyright (c) 2004 - 2011, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution.  The full text of the license may be found at\r
http://opensource.org/licenses/bsd-license.php\r
\r
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
#include "IScsiImpl.h"\r
#include "Md5.h"\r
\r
/**\r
  Initator caculates its own expected hash value.\r
\r
  @param[in]   ChapIdentifier     iSCSI CHAP identifier sent by authenticator.\r
  @param[in]   ChapSecret         iSCSI CHAP secret of the authenticator.\r
  @param[in]   SecretLength       The length of iSCSI CHAP secret.\r
  @param[in]   ChapChallenge      The challenge message sent by authenticator.\r
  @param[in]   ChallengeLength    The length of iSCSI CHAP challenge message.\r
  @param[out]  ChapResponse       The calculation of the expected hash value.\r
\r
  @retval EFI_SUCCESS             The expected hash value was caculatedly successfully.\r
  @retval EFI_PROTOCOL_ERROR      The length of the secret should be at least the\r
                                  length of the hash value for the hashing algorithm chosen.\r
  @retval Others                  Other errors as indicated.\r
**/\r
EFI_STATUS\r
IScsiCHAPCalculateResponse (\r
  IN  UINT32  ChapIdentifier,\r
  IN  CHAR8   *ChapSecret,\r
  IN  UINT32  SecretLength,\r
  IN  UINT8   *ChapChallenge,\r
  IN  UINT32  ChallengeLength,\r
  OUT UINT8   *ChapResponse\r
  )\r
{\r
  MD5_CTX     Md5Ctx;\r
  CHAR8       IdByte[1];\r
  EFI_STATUS  Status;\r
\r
  Status = MD5Init (&Md5Ctx);\r
\r
  //\r
  // Hash Identifier - Only calculate 1 byte data (RFC1994)\r
  //\r
  IdByte[0] = (CHAR8) ChapIdentifier;\r
  MD5Update (&Md5Ctx, IdByte, 1);\r
\r
  //\r
  // Hash Secret\r
  //\r
  if (SecretLength < ISCSI_CHAP_SECRET_MIN_LEN - 1) {\r
    return EFI_PROTOCOL_ERROR;\r
  }\r
\r
  MD5Update (&Md5Ctx, ChapSecret, SecretLength);\r
\r
  //\r
  // Hash Challenge received from Target\r
  //\r
  MD5Update (&Md5Ctx, ChapChallenge, ChallengeLength);\r
\r
  Status = MD5Final (&Md5Ctx, ChapResponse);\r
\r
  return Status;\r
}\r
\r
/**\r
  The initator checks the CHAP response replied by target against its own\r
  calculation of the expected hash value.\r
\r
  @param[in]   AuthData             iSCSI CHAP authentication data.\r
  @param[in]   TargetResponse       The response from target.\r
\r
  @retval EFI_SUCCESS               The response from target passed authentication.\r
  @retval EFI_SECURITY_VIOLATION    The response from target was not expected value.\r
  @retval Others                    Other errors as indicated.\r
**/\r
EFI_STATUS\r
IScsiCHAPAuthTarget (\r
  IN  ISCSI_CHAP_AUTH_DATA  *AuthData,\r
  IN  UINT8                 *TargetResponse\r
  )\r
{\r
  EFI_STATUS  Status;\r
  UINT32      SecretSize;\r
  UINT8       VerifyRsp[ISCSI_CHAP_RSP_LEN];\r
\r
  Status      = EFI_SUCCESS;\r
\r
  SecretSize  = (UINT32) AsciiStrLen (AuthData->AuthConfig.ReverseCHAPSecret);\r
  Status = IScsiCHAPCalculateResponse (\r
            AuthData->OutIdentifier,\r
            AuthData->AuthConfig.ReverseCHAPSecret,\r
            SecretSize,\r
            AuthData->OutChallenge,\r
            AuthData->OutChallengeLength,\r
            VerifyRsp\r
            );\r
\r
  if (CompareMem (VerifyRsp, TargetResponse, ISCSI_CHAP_RSP_LEN) != 0) {\r
    Status = EFI_SECURITY_VIOLATION;\r
  }\r
\r
  return Status;\r
}\r
\r
/**\r
  This function checks the received iSCSI Login Response during the security\r
  negotiation stage.\r
\r
  @param[in] Conn             The iSCSI connection.\r
\r
  @retval EFI_SUCCESS          The Login Response passed the CHAP validation.\r
  @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
  @retval EFI_PROTOCOL_ERROR   Some kind of protocol error happend.\r
  @retval Others               Other errors as indicated.\r
**/\r
EFI_STATUS\r
IScsiCHAPOnRspReceived (\r
  IN ISCSI_CONNECTION  *Conn\r
  )\r
{\r
  EFI_STATUS                Status;\r
  ISCSI_SESSION             *Session;\r
  ISCSI_CHAP_AUTH_DATA      *AuthData;\r
  CHAR8                     *Value;\r
  UINT8                     *Data;\r
  UINT32                    Len;\r
  LIST_ENTRY                *KeyValueList;\r
  UINTN                     Algorithm;\r
  CHAR8                     *Identifier;\r
  CHAR8                     *Challenge;\r
  CHAR8                     *Name;\r
  CHAR8                     *Response;\r
  UINT8                     TargetRsp[ISCSI_CHAP_RSP_LEN];\r
  UINT32                    RspLen;\r
\r
  ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
  ASSERT (Conn->RspQue.BufNum != 0);\r
\r
  Session     = Conn->Session;\r
  AuthData    = &Session->AuthData;\r
\r
  Len         = Conn->RspQue.BufSize;\r
  Data        = AllocatePool (Len);\r
  if (Data == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
  //\r
  // Copy the data in case the data spans over multiple PDUs.\r
  //\r
  NetbufQueCopy (&Conn->RspQue, 0, Len, Data);\r
\r
  //\r
  // Build the key-value list from the data segment of the Login Response.\r
  //\r
  KeyValueList = IScsiBuildKeyValueList ((CHAR8 *) Data, Len);\r
  if (KeyValueList == NULL) {\r
    FreePool (Data);\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  Status = EFI_PROTOCOL_ERROR;\r
\r
  switch (Conn->CHAPStep) {\r
  case ISCSI_CHAP_INITIAL:\r
    //\r
    // The first Login Response.\r
    //\r
    Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);\r
    if (Value == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Session->TargetPortalGroupTag = (UINT16) AsciiStrDecimalToUintn (Value);\r
\r
    Value                         = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);\r
    if (Value == NULL) {\r
      goto ON_EXIT;\r
    }\r
    //\r
    // Initiator mandates CHAP authentication but target replies without "CHAP" or\r
    // initiator suggets "None" but target replies with some kind of auth method.\r
    //\r
    if (AsciiStrCmp (Value, ISCSI_AUTH_METHOD_CHAP) == 0) {\r
      if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_NONE) {\r
        goto ON_EXIT;\r
      }\r
    } else {\r
      if (AuthData->AuthConfig.CHAPType != ISCSI_CHAP_NONE) {\r
        goto ON_EXIT;\r
      }\r
    }\r
    //\r
    // Transit to CHAP step one.\r
    //\r
    Conn->CHAPStep  = ISCSI_CHAP_STEP_ONE;\r
    Status          = EFI_SUCCESS;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_TWO:\r
    //\r
    // The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>\r
    //\r
    Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);\r
    if (Value == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Algorithm = AsciiStrDecimalToUintn (Value);\r
    if (Algorithm != ISCSI_CHAP_ALGORITHM_MD5) {\r
      //\r
      // Unsupported algorithm is chosen by target.\r
      //\r
      goto ON_EXIT;\r
    }\r
\r
    Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);\r
    if (Identifier == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);\r
    if (Challenge == NULL) {\r
      goto ON_EXIT;\r
    }\r
    //\r
    // Process the CHAP identifier and CHAP Challenge from Target\r
    // Calculate Response value\r
    //\r
    AuthData->InIdentifier      = (UINT32) AsciiStrDecimalToUintn (Identifier);\r
    AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;\r
    IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);\r
    Status = IScsiCHAPCalculateResponse (\r
              AuthData->InIdentifier,\r
              AuthData->AuthConfig.CHAPSecret,\r
              (UINT32) AsciiStrLen (AuthData->AuthConfig.CHAPSecret),\r
              AuthData->InChallenge,\r
              AuthData->InChallengeLength,\r
              AuthData->CHAPResponse\r
              );\r
\r
    //\r
    // Transit to next step.\r
    //\r
    Conn->CHAPStep = ISCSI_CHAP_STEP_THREE;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_THREE:\r
    //\r
    // one way CHAP authentication and the target would like to\r
    // authenticate us.\r
    //\r
    Status = EFI_SUCCESS;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_FOUR:\r
    ASSERT (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_MUTUAL);\r
    //\r
    // The forth step, CHAP_N=<N> CHAP_R=<R> is received from Target.\r
    //\r
    Name = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME);\r
    if (Name == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);\r
    if (Response == NULL) {\r
      goto ON_EXIT;\r
    }\r
\r
    RspLen = ISCSI_CHAP_RSP_LEN;\r
    IScsiHexToBin (TargetRsp, &RspLen, Response);\r
\r
    //\r
    // Check the CHAP Response replied by Target.\r
    //\r
    Status = IScsiCHAPAuthTarget (AuthData, TargetRsp);\r
    break;\r
\r
  default:\r
    break;\r
  }\r
\r
ON_EXIT:\r
\r
  IScsiFreeKeyValueList (KeyValueList);\r
\r
  FreePool (Data);\r
\r
  return Status;\r
}\r
\r
/**\r
  This function fills the CHAP authentication information into the login PDU\r
  during the security negotiation stage in the iSCSI connection login.\r
\r
  @param[in]       Conn        The iSCSI connection.\r
  @param[in, out]  Pdu         The PDU to send out.\r
\r
  @retval EFI_SUCCESS          All check passed and the phase-related CHAP\r
                               authentication info is filled into the iSCSI PDU.\r
  @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
  @retval EFI_PROTOCOL_ERROR   Some kind of protocol error happend.\r
**/\r
EFI_STATUS\r
IScsiCHAPToSendReq (\r
  IN      ISCSI_CONNECTION  *Conn,\r
  IN OUT  NET_BUF           *Pdu\r
  )\r
{\r
  EFI_STATUS                Status;\r
  ISCSI_SESSION             *Session;\r
  ISCSI_LOGIN_REQUEST       *LoginReq;\r
  ISCSI_CHAP_AUTH_DATA      *AuthData;\r
  CHAR8                     *Value;\r
  CHAR8                     ValueStr[256];\r
  CHAR8                     *Response;\r
  UINT32                    RspLen;\r
  CHAR8                     *Challenge;\r
  UINT32                    ChallengeLen;\r
\r
  ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
\r
  Session     = Conn->Session;\r
  AuthData    = &Session->AuthData;\r
  LoginReq    = (ISCSI_LOGIN_REQUEST *) NetbufGetByte (Pdu, 0, 0);\r
  Status      = EFI_SUCCESS;\r
\r
  RspLen      = 2 * ISCSI_CHAP_RSP_LEN + 3;\r
  Response    = AllocatePool (RspLen);\r
  if (Response == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  ChallengeLen  = 2 * ISCSI_CHAP_RSP_LEN + 3;\r
  Challenge     = AllocatePool (ChallengeLen);\r
  if (Challenge == NULL) {\r
    return EFI_OUT_OF_RESOURCES;\r
  }\r
\r
  switch (Conn->CHAPStep) {\r
  case ISCSI_CHAP_INITIAL:\r
    //\r
    // It's the initial Login Request. Fill in the key=value pairs mandatory\r
    // for the initial Login Request.\r
    //\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, Session->InitiatorName);\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_TARGET_NAME, Session->ConfigData.NvData.TargetName);\r
\r
    if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_NONE) {\r
      Value = ISCSI_KEY_VALUE_NONE;\r
      ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
    } else {\r
      Value = ISCSI_AUTH_METHOD_CHAP;\r
    }\r
\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_AUTH_METHOD, Value);\r
\r
    break;\r
\r
  case ISCSI_CHAP_STEP_ONE:\r
    //\r
    // First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.\r
    //\r
    AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);\r
\r
    Conn->CHAPStep = ISCSI_CHAP_STEP_TWO;\r
    break;\r
\r
  case ISCSI_CHAP_STEP_THREE:\r
    //\r
    // Third step, send the Login Request with CHAP_N=<N> CHAP_R=<R> or\r
    // CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C> if target ahtentication is\r
    // required too.\r
    //\r
    // CHAP_N=<N>\r
    //\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig.CHAPName);\r
    //\r
    // CHAP_R=<R>\r
    //\r
    IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);\r
    IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);\r
\r
    if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_MUTUAL) {\r
      //\r
      // CHAP_I=<I>\r
      //\r
      IScsiGenRandom ((UINT8 *) &AuthData->OutIdentifier, 1);\r
      AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);\r
      IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);\r
      //\r
      // CHAP_C=<C>\r
      //\r
      IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);\r
      AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;\r
      IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);\r
      IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);\r
\r
      Conn->CHAPStep = ISCSI_CHAP_STEP_FOUR;\r
    }\r
    //\r
    // set the stage transition flag.\r
    //\r
    ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
    break;\r
\r
  default:\r
    Status = EFI_PROTOCOL_ERROR;\r
    break;\r
  }\r
\r
  FreePool (Response);\r
  FreePool (Challenge);\r
\r
  return Status;\r
}\r
Commit	Line	Data
12618416	1	/** @file\r
11e0ec6b	2	This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration.\r
e2851998	3	\r
c8ad2d7a	4	Copyright (c) 2004 - 2011, Intel Corporation. All rights reserved.<BR>\r
e5eed7d3	5	This program and the accompanying materials\r
7a444476	6	are licensed and made available under the terms and conditions of the BSD License\r
	7	which accompanies this distribution. The full text of the license may be found at\r
	8	http://opensource.org/licenses/bsd-license.php\r
	9	\r
	10	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	11	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
6a690e23	12	\r
12618416	13	**/\r
6a690e23	14	\r
	15	#include "IScsiImpl.h"\r
	16	#include "Md5.h"\r
	17	\r
11e0ec6b	18	/**\r
e2851998	19	Initator caculates its own expected hash value.\r
	20	\r
	21	@param[in] ChapIdentifier iSCSI CHAP identifier sent by authenticator.\r
	22	@param[in] ChapSecret iSCSI CHAP secret of the authenticator.\r
55a64ae0	23	@param[in] SecretLength The length of iSCSI CHAP secret.\r
e2851998	24	@param[in] ChapChallenge The challenge message sent by authenticator.\r
55a64ae0	25	@param[in] ChallengeLength The length of iSCSI CHAP challenge message.\r
11e0ec6b	26	@param[out] ChapResponse The calculation of the expected hash value.\r
e2851998	27	\r
11e0ec6b	28	@retval EFI_SUCCESS The expected hash value was caculatedly successfully.\r
e2851998	29	@retval EFI_PROTOCOL_ERROR The length of the secret should be at least the\r
11e0ec6b	30	length of the hash value for the hashing algorithm chosen.\r
e2851998	31	@retval Others Other errors as indicated.\r
11e0ec6b	32	**/\r
6a690e23	33	EFI_STATUS\r
	34	IScsiCHAPCalculateResponse (\r
	35	IN UINT32 ChapIdentifier,\r
	36	IN CHAR8 *ChapSecret,\r
	37	IN UINT32 SecretLength,\r
	38	IN UINT8 *ChapChallenge,\r
	39	IN UINT32 ChallengeLength,\r
	40	OUT UINT8 *ChapResponse\r
	41	)\r
	42	{\r
	43	MD5_CTX Md5Ctx;\r
	44	CHAR8 IdByte[1];\r
	45	EFI_STATUS Status;\r
	46	\r
	47	Status = MD5Init (&Md5Ctx);\r
	48	\r
	49	//\r
	50	// Hash Identifier - Only calculate 1 byte data (RFC1994)\r
	51	//\r
	52	IdByte[0] = (CHAR8) ChapIdentifier;\r
	53	MD5Update (&Md5Ctx, IdByte, 1);\r
	54	\r
	55	//\r
	56	// Hash Secret\r
	57	//\r
	58	if (SecretLength < ISCSI_CHAP_SECRET_MIN_LEN - 1) {\r
	59	return EFI_PROTOCOL_ERROR;\r
	60	}\r
	61	\r
	62	MD5Update (&Md5Ctx, ChapSecret, SecretLength);\r
	63	\r
	64	//\r
	65	// Hash Challenge received from Target\r
	66	//\r
	67	MD5Update (&Md5Ctx, ChapChallenge, ChallengeLength);\r
	68	\r
	69	Status = MD5Final (&Md5Ctx, ChapResponse);\r
	70	\r
	71	return Status;\r
	72	}\r
	73	\r
11e0ec6b	74	/**\r
11e0ec6b	75	The initator checks the CHAP response replied by target against its own\r
e2851998	76	calculation of the expected hash value.\r
	77	\r
	78	@param[in] AuthData iSCSI CHAP authentication data.\r
	79	@param[in] TargetResponse The response from target.\r
11e0ec6b	80	\r
	81	@retval EFI_SUCCESS The response from target passed authentication.\r
	82	@retval EFI_SECURITY_VIOLATION The response from target was not expected value.\r
963dbb30	83	@retval Others Other errors as indicated.\r
11e0ec6b	84	**/\r
6a690e23	85	EFI_STATUS\r
	86	IScsiCHAPAuthTarget (\r
	87	IN ISCSI_CHAP_AUTH_DATA *AuthData,\r
	88	IN UINT8 *TargetResponse\r
	89	)\r
	90	{\r
	91	EFI_STATUS Status;\r
	92	UINT32 SecretSize;\r
	93	UINT8 VerifyRsp[ISCSI_CHAP_RSP_LEN];\r
	94	\r
	95	Status = EFI_SUCCESS;\r
	96	\r
	97	SecretSize = (UINT32) AsciiStrLen (AuthData->AuthConfig.ReverseCHAPSecret);\r
	98	Status = IScsiCHAPCalculateResponse (\r
	99	AuthData->OutIdentifier,\r
	100	AuthData->AuthConfig.ReverseCHAPSecret,\r
	101	SecretSize,\r
	102	AuthData->OutChallenge,\r
	103	AuthData->OutChallengeLength,\r
	104	VerifyRsp\r
	105	);\r
	106	\r
e2851998	107	if (CompareMem (VerifyRsp, TargetResponse, ISCSI_CHAP_RSP_LEN) != 0) {\r
6a690e23	108	Status = EFI_SECURITY_VIOLATION;\r
	109	}\r
	110	\r
	111	return Status;\r
	112	}\r
	113	\r
12618416	114	/**\r
6a690e23	115	This function checks the received iSCSI Login Response during the security\r
6a690e23	116	negotiation stage.\r
e2851998	117	\r
11e0ec6b	118	@param[in] Conn The iSCSI connection.\r
6a690e23	119	\r
12618416	120	@retval EFI_SUCCESS The Login Response passed the CHAP validation.\r
12618416	121	@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
12618416	122	@retval EFI_PROTOCOL_ERROR Some kind of protocol error happend.\r
963dbb30	123	@retval Others Other errors as indicated.\r
12618416	124	**/\r
	125	EFI_STATUS\r
	126	IScsiCHAPOnRspReceived (\r
c5de0d55	127	IN ISCSI_CONNECTION *Conn\r
12618416	128	)\r
6a690e23	129	{\r
	130	EFI_STATUS Status;\r
	131	ISCSI_SESSION *Session;\r
6a690e23	132	ISCSI_CHAP_AUTH_DATA *AuthData;\r
	133	CHAR8 *Value;\r
	134	UINT8 *Data;\r
	135	UINT32 Len;\r
e48e37fc	136	LIST_ENTRY *KeyValueList;\r
6a690e23	137	UINTN Algorithm;\r
	138	CHAR8 *Identifier;\r
	139	CHAR8 *Challenge;\r
	140	CHAR8 *Name;\r
	141	CHAR8 *Response;\r
	142	UINT8 TargetRsp[ISCSI_CHAP_RSP_LEN];\r
	143	UINT32 RspLen;\r
	144	\r
	145	ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
	146	ASSERT (Conn->RspQue.BufNum != 0);\r
	147	\r
	148	Session = Conn->Session;\r
6a690e23	149	AuthData = &Session->AuthData;\r
	150	\r
	151	Len = Conn->RspQue.BufSize;\r
e48e37fc	152	Data = AllocatePool (Len);\r
6a690e23	153	if (Data == NULL) {\r
	154	return EFI_OUT_OF_RESOURCES;\r
	155	}\r
	156	//\r
	157	// Copy the data in case the data spans over multiple PDUs.\r
	158	//\r
	159	NetbufQueCopy (&Conn->RspQue, 0, Len, Data);\r
	160	\r
	161	//\r
	162	// Build the key-value list from the data segment of the Login Response.\r
	163	//\r
69b0882d	164	KeyValueList = IScsiBuildKeyValueList ((CHAR8 *) Data, Len);\r
6a690e23	165	if (KeyValueList == NULL) {\r
766c7483	166	FreePool (Data);\r
894d038a	167	return EFI_OUT_OF_RESOURCES;\r
6a690e23	168	}\r
	169	\r
	170	Status = EFI_PROTOCOL_ERROR;\r
	171	\r
	172	switch (Conn->CHAPStep) {\r
	173	case ISCSI_CHAP_INITIAL:\r
	174	//\r
	175	// The first Login Response.\r
	176	//\r
	177	Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_TARGET_PORTAL_GROUP_TAG);\r
	178	if (Value == NULL) {\r
	179	goto ON_EXIT;\r
	180	}\r
	181	\r
	182	Session->TargetPortalGroupTag = (UINT16) AsciiStrDecimalToUintn (Value);\r
	183	\r
	184	Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_AUTH_METHOD);\r
	185	if (Value == NULL) {\r
	186	goto ON_EXIT;\r
	187	}\r
	188	//\r
	189	// Initiator mandates CHAP authentication but target replies without "CHAP" or\r
	190	// initiator suggets "None" but target replies with some kind of auth method.\r
	191	//\r
	192	if (AsciiStrCmp (Value, ISCSI_AUTH_METHOD_CHAP) == 0) {\r
	193	if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_NONE) {\r
	194	goto ON_EXIT;\r
	195	}\r
	196	} else {\r
	197	if (AuthData->AuthConfig.CHAPType != ISCSI_CHAP_NONE) {\r
	198	goto ON_EXIT;\r
	199	}\r
	200	}\r
	201	//\r
	202	// Transit to CHAP step one.\r
	203	//\r
	204	Conn->CHAPStep = ISCSI_CHAP_STEP_ONE;\r
	205	Status = EFI_SUCCESS;\r
	206	break;\r
	207	\r
	208	case ISCSI_CHAP_STEP_TWO:\r
	209	//\r
	210	// The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>\r
	211	//\r
	212	Value = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_ALGORITHM);\r
	213	if (Value == NULL) {\r
	214	goto ON_EXIT;\r
	215	}\r
	216	\r
	217	Algorithm = AsciiStrDecimalToUintn (Value);\r
	218	if (Algorithm != ISCSI_CHAP_ALGORITHM_MD5) {\r
	219	//\r
	220	// Unsupported algorithm is chosen by target.\r
	221	//\r
	222	goto ON_EXIT;\r
	223	}\r
	224	\r
	225	Identifier = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER);\r
	226	if (Identifier == NULL) {\r
	227	goto ON_EXIT;\r
	228	}\r
	229	\r
	230	Challenge = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_CHALLENGE);\r
	231	if (Challenge == NULL) {\r
232	goto ON_EXIT;\r
233	}\r
234	//\r
235	// Process the CHAP identifier and CHAP Challenge from Target\r
236	// Calculate Response value\r
237	//\r
238	AuthData->InIdentifier = (UINT32) AsciiStrDecimalToUintn (Identifier);\r
239	AuthData->InChallengeLength = ISCSI_CHAP_AUTH_MAX_LEN;\r
240	IScsiHexToBin ((UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge);\r
241	Status = IScsiCHAPCalculateResponse (\r
242	AuthData->InIdentifier,\r
243	AuthData->AuthConfig.CHAPSecret,\r
244	(UINT32) AsciiStrLen (AuthData->AuthConfig.CHAPSecret),\r
245	AuthData->InChallenge,\r
246	AuthData->InChallengeLength,\r
247	AuthData->CHAPResponse\r
248	);\r
249	\r
250	//\r
251	// Transit to next step.\r
252	//\r
253	Conn->CHAPStep = ISCSI_CHAP_STEP_THREE;\r
254	break;\r
255	\r
256	case ISCSI_CHAP_STEP_THREE:\r
257	//\r
258	// one way CHAP authentication and the target would like to\r
259	// authenticate us.\r
260	//\r
261	Status = EFI_SUCCESS;\r
262	break;\r
263	\r
264	case ISCSI_CHAP_STEP_FOUR:\r
265	ASSERT (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_MUTUAL);\r
266	//\r
267	// The forth step, CHAP_N=<N> CHAP_R=<R> is received from Target.\r
268	//\r
269	Name = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME);\r
270	if (Name == NULL) {\r
271	goto ON_EXIT;\r
272	}\r
273	\r
274	Response = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_RESPONSE);\r
275	if (Response == NULL) {\r
276	goto ON_EXIT;\r
277	}\r
278	\r
279	RspLen = ISCSI_CHAP_RSP_LEN;\r
280	IScsiHexToBin (TargetRsp, &RspLen, Response);\r
281	\r
282	//\r
11e0ec6b	283	// Check the CHAP Response replied by Target.\r
6a690e23	284	//\r
	285	Status = IScsiCHAPAuthTarget (AuthData, TargetRsp);\r
	286	break;\r
	287	\r
	288	default:\r
	289	break;\r
	290	}\r
	291	\r
	292	ON_EXIT:\r
	293	\r
	294	IScsiFreeKeyValueList (KeyValueList);\r
	295	\r
766c7483	296	FreePool (Data);\r
6a690e23	297	\r
	298	return Status;\r
	299	}\r
	300	\r
12618416	301	/**\r
6a690e23	302	This function fills the CHAP authentication information into the login PDU\r
6a690e23	303	during the security negotiation stage in the iSCSI connection login.\r
6a690e23	304	\r
c5de0d55	305	@param[in] Conn The iSCSI connection.\r
c5de0d55	306	@param[in, out] Pdu The PDU to send out.\r
6a690e23	307	\r
12618416	308	@retval EFI_SUCCESS All check passed and the phase-related CHAP\r
12618416	309	authentication info is filled into the iSCSI PDU.\r
12618416	310	@retval EFI_OUT_OF_RESOURCES Failed to allocate memory.\r
12618416	311	@retval EFI_PROTOCOL_ERROR Some kind of protocol error happend.\r
12618416	312	**/\r
	313	EFI_STATUS\r
	314	IScsiCHAPToSendReq (\r
c5de0d55	315	IN ISCSI_CONNECTION *Conn,\r
c5de0d55	316	IN OUT NET_BUF *Pdu\r
12618416	317	)\r
6a690e23	318	{\r
	319	EFI_STATUS Status;\r
	320	ISCSI_SESSION *Session;\r
	321	ISCSI_LOGIN_REQUEST *LoginReq;\r
6a690e23	322	ISCSI_CHAP_AUTH_DATA *AuthData;\r
	323	CHAR8 *Value;\r
	324	CHAR8 ValueStr[256];\r
	325	CHAR8 *Response;\r
	326	UINT32 RspLen;\r
	327	CHAR8 *Challenge;\r
	328	UINT32 ChallengeLen;\r
	329	\r
	330	ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);\r
	331	\r
	332	Session = Conn->Session;\r
6a690e23	333	AuthData = &Session->AuthData;\r
	334	LoginReq = (ISCSI_LOGIN_REQUEST *) NetbufGetByte (Pdu, 0, 0);\r
	335	Status = EFI_SUCCESS;\r
	336	\r
	337	RspLen = 2 * ISCSI_CHAP_RSP_LEN + 3;\r
e48e37fc	338	Response = AllocatePool (RspLen);\r
6a690e23	339	if (Response == NULL) {\r
	340	return EFI_OUT_OF_RESOURCES;\r
	341	}\r
	342	\r
	343	ChallengeLen = 2 * ISCSI_CHAP_RSP_LEN + 3;\r
e48e37fc	344	Challenge = AllocatePool (ChallengeLen);\r
6a690e23	345	if (Challenge == NULL) {\r
	346	return EFI_OUT_OF_RESOURCES;\r
	347	}\r
	348	\r
	349	switch (Conn->CHAPStep) {\r
	350	case ISCSI_CHAP_INITIAL:\r
	351	//\r
	352	// It's the initial Login Request. Fill in the key=value pairs mandatory\r
	353	// for the initial Login Request.\r
	354	//\r
	355	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_INITIATOR_NAME, Session->InitiatorName);\r
	356	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");\r
	357	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_TARGET_NAME, Session->ConfigData.NvData.TargetName);\r
	358	\r
	359	if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_NONE) {\r
	360	Value = ISCSI_KEY_VALUE_NONE;\r
	361	ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
	362	} else {\r
	363	Value = ISCSI_AUTH_METHOD_CHAP;\r
	364	}\r
	365	\r
	366	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_AUTH_METHOD, Value);\r
	367	\r
	368	break;\r
	369	\r
	370	case ISCSI_CHAP_STEP_ONE:\r
	371	//\r
	372	// First step, send the Login Request with CHAP_A=<A1,A2...> key-value pair.\r
	373	//\r
	374	AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_MD5);\r
	375	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr);\r
	376	\r
	377	Conn->CHAPStep = ISCSI_CHAP_STEP_TWO;\r
	378	break;\r
	379	\r
	380	case ISCSI_CHAP_STEP_THREE:\r
	381	//\r
	382	// Third step, send the Login Request with CHAP_N=<N> CHAP_R=<R> or\r
	383	// CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C> if target ahtentication is\r
	384	// required too.\r
	385	//\r
	386	// CHAP_N=<N>\r
	387	//\r
69b0882d	388	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig.CHAPName);\r
6a690e23	389	//\r
	390	// CHAP_R=<R>\r
	391	//\r
	392	IScsiBinToHex ((UINT8 *) AuthData->CHAPResponse, ISCSI_CHAP_RSP_LEN, Response, &RspLen);\r
	393	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);\r
	394	\r
	395	if (AuthData->AuthConfig.CHAPType == ISCSI_CHAP_MUTUAL) {\r
	396	//\r
	397	// CHAP_I=<I>\r
	398	//\r
	399	IScsiGenRandom ((UINT8 *) &AuthData->OutIdentifier, 1);\r
	400	AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);\r
	401	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);\r
	402	//\r
	403	// CHAP_C=<C>\r
	404	//\r
	405	IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN);\r
	406	AuthData->OutChallengeLength = ISCSI_CHAP_RSP_LEN;\r
	407	IScsiBinToHex ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN, Challenge, &ChallengeLen);\r
	408	IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);\r
	409	\r
	410	Conn->CHAPStep = ISCSI_CHAP_STEP_FOUR;\r
	411	}\r
	412	//\r
	413	// set the stage transition flag.\r
	414	//\r
	415	ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);\r
	416	break;\r
	417	\r
	418	default:\r
	419	Status = EFI_PROTOCOL_ERROR;\r
	420	break;\r
	421	}\r
	422	\r
766c7483	423	FreePool (Response);\r
766c7483	424	FreePool (Challenge);\r
6a690e23	425	\r
	426	return Status;\r
	427	}\r