]> git.proxmox.com Git - mirror_edk2.git/blob - NetworkPkg/IScsiDxe/IScsiCHAP.c
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
NetworkPkg: introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro
[mirror_edk2.git] / NetworkPkg / IScsiDxe / IScsiCHAP.c
1 /** @file
2 This file is for Challenge-Handshake Authentication Protocol (CHAP)
3 Configuration.
4
5 Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
6 SPDX-License-Identifier: BSD-2-Clause-Patent
7
8 **/
9
10 #include "IScsiImpl.h"
11
12 //
13 // Supported CHAP hash algorithms, mapped to sets of BaseCryptLib APIs and
14 // macros. CHAP_HASH structures at lower subscripts in the array are preferred
15 // by the initiator.
16 //
17 STATIC CONST CHAP_HASH mChapHash[] = {
18 {
19 ISCSI_CHAP_ALGORITHM_SHA256,
20 SHA256_DIGEST_SIZE,
21 Sha256GetContextSize,
22 Sha256Init,
23 Sha256Update,
24 Sha256Final
25 },
26 #ifdef ENABLE_MD5_DEPRECATED_INTERFACES
27 //
28 // Keep the deprecated MD5 entry at the end of the array (making MD5 the
29 // least preferred choice of the initiator).
30 //
31 {
32 ISCSI_CHAP_ALGORITHM_MD5,
33 MD5_DIGEST_SIZE,
34 Md5GetContextSize,
35 Md5Init,
36 Md5Update,
37 Md5Final
38 },
39 #endif // ENABLE_MD5_DEPRECATED_INTERFACES
40 };
41
42 //
43 // Ordered list of mChapHash[*].Algorithm values. It is formatted for the
44 // CHAP_A=<A1,A2...> value string, by the IScsiCHAPInitHashList() function. It
45 // is sent by the initiator in ISCSI_CHAP_STEP_ONE.
46 //
47 STATIC CHAR8 mChapHashListString[
48 3 + // UINT8 identifier in
49 // decimal
50 (1 + 3) * (ARRAY_SIZE (mChapHash) - 1) + // comma prepended for
51 // entries after the
52 // first
53 1 + // extra character for
54 // AsciiSPrint()
55 // truncation check
56 1 // terminating NUL
57 ];
58
59 /**
60 Initiator calculates its own expected hash value.
61
62 @param[in] ChapIdentifier iSCSI CHAP identifier sent by authenticator.
63 @param[in] ChapSecret iSCSI CHAP secret of the authenticator.
64 @param[in] SecretLength The length of iSCSI CHAP secret.
65 @param[in] ChapChallenge The challenge message sent by authenticator.
66 @param[in] ChallengeLength The length of iSCSI CHAP challenge message.
67 @param[in] Hash Pointer to the CHAP_HASH structure that
68 determines the hashing algorithm to use. The
69 caller is responsible for making Hash point
70 to an "mChapHash" element.
71 @param[out] ChapResponse The calculation of the expected hash value.
72
73 @retval EFI_SUCCESS The expected hash value was calculatedly
74 successfully.
75 @retval EFI_PROTOCOL_ERROR The length of the secret should be at least
76 the length of the hash value for the hashing
77 algorithm chosen.
78 @retval EFI_PROTOCOL_ERROR Hash operation fails.
79 @retval EFI_OUT_OF_RESOURCES Failure to allocate resource to complete
80 hashing.
81
82 **/
83 EFI_STATUS
84 IScsiCHAPCalculateResponse (
85 IN UINT32 ChapIdentifier,
86 IN CHAR8 *ChapSecret,
87 IN UINT32 SecretLength,
88 IN UINT8 *ChapChallenge,
89 IN UINT32 ChallengeLength,
90 IN CONST CHAP_HASH *Hash,
91 OUT UINT8 *ChapResponse
92 )
93 {
94 UINTN ContextSize;
95 VOID *Ctx;
96 CHAR8 IdByte[1];
97 EFI_STATUS Status;
98
99 if (SecretLength < ISCSI_CHAP_SECRET_MIN_LEN) {
100 return EFI_PROTOCOL_ERROR;
101 }
102
103 ASSERT (Hash != NULL);
104
105 ContextSize = Hash->GetContextSize ();
106 Ctx = AllocatePool (ContextSize);
107 if (Ctx == NULL) {
108 return EFI_OUT_OF_RESOURCES;
109 }
110
111 Status = EFI_PROTOCOL_ERROR;
112
113 if (!Hash->Init (Ctx)) {
114 goto Exit;
115 }
116
117 //
118 // Hash Identifier - Only calculate 1 byte data (RFC1994)
119 //
120 IdByte[0] = (CHAR8) ChapIdentifier;
121 if (!Hash->Update (Ctx, IdByte, 1)) {
122 goto Exit;
123 }
124
125 //
126 // Hash Secret
127 //
128 if (!Hash->Update (Ctx, ChapSecret, SecretLength)) {
129 goto Exit;
130 }
131
132 //
133 // Hash Challenge received from Target
134 //
135 if (!Hash->Update (Ctx, ChapChallenge, ChallengeLength)) {
136 goto Exit;
137 }
138
139 if (Hash->Final (Ctx, ChapResponse)) {
140 Status = EFI_SUCCESS;
141 }
142
143 Exit:
144 FreePool (Ctx);
145 return Status;
146 }
147
148 /**
149 The initiator checks the CHAP response replied by target against its own
150 calculation of the expected hash value.
151
152 @param[in] AuthData iSCSI CHAP authentication data.
153 @param[in] TargetResponse The response from target.
154
155 @retval EFI_SUCCESS The response from target passed
156 authentication.
157 @retval EFI_SECURITY_VIOLATION The response from target was not expected
158 value.
159 @retval Others Other errors as indicated.
160
161 **/
162 EFI_STATUS
163 IScsiCHAPAuthTarget (
164 IN ISCSI_CHAP_AUTH_DATA *AuthData,
165 IN UINT8 *TargetResponse
166 )
167 {
168 EFI_STATUS Status;
169 UINT32 SecretSize;
170 UINT8 VerifyRsp[ISCSI_CHAP_MAX_DIGEST_SIZE];
171 INTN Mismatch;
172
173 Status = EFI_SUCCESS;
174
175 SecretSize = (UINT32) AsciiStrLen (AuthData->AuthConfig->ReverseCHAPSecret);
176
177 ASSERT (AuthData->Hash != NULL);
178
179 Status = IScsiCHAPCalculateResponse (
180 AuthData->OutIdentifier,
181 AuthData->AuthConfig->ReverseCHAPSecret,
182 SecretSize,
183 AuthData->OutChallenge,
184 AuthData->Hash->DigestSize, // ChallengeLength
185 AuthData->Hash,
186 VerifyRsp
187 );
188
189 Mismatch = CompareMem (
190 VerifyRsp,
191 TargetResponse,
192 AuthData->Hash->DigestSize
193 );
194 if (Mismatch != 0) {
195 Status = EFI_SECURITY_VIOLATION;
196 }
197
198 return Status;
199 }
200
201
202 /**
203 This function checks the received iSCSI Login Response during the security
204 negotiation stage.
205
206 @param[in] Conn The iSCSI connection.
207
208 @retval EFI_SUCCESS The Login Response passed the CHAP validation.
209 @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
210 @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
211 @retval Others Other errors as indicated.
212
213 **/
214 EFI_STATUS
215 IScsiCHAPOnRspReceived (
216 IN ISCSI_CONNECTION *Conn
217 )
218 {
219 EFI_STATUS Status;
220 ISCSI_SESSION *Session;
221 ISCSI_CHAP_AUTH_DATA *AuthData;
222 CHAR8 *Value;
223 UINT8 *Data;
224 UINT32 Len;
225 LIST_ENTRY *KeyValueList;
226 UINTN Algorithm;
227 CHAR8 *Identifier;
228 CHAR8 *Challenge;
229 CHAR8 *Name;
230 CHAR8 *Response;
231 UINT8 TargetRsp[ISCSI_CHAP_MAX_DIGEST_SIZE];
232 UINT32 RspLen;
233 UINTN Result;
234 UINTN HashIndex;
235
236 ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);
237 ASSERT (Conn->RspQue.BufNum != 0);
238
239 Session = Conn->Session;
240 AuthData = &Session->AuthData.CHAP;
241 Len = Conn->RspQue.BufSize;
242 Data = AllocateZeroPool (Len);
243 if (Data == NULL) {
244 return EFI_OUT_OF_RESOURCES;
245 }
246 //
247 // Copy the data in case the data spans over multiple PDUs.
248 //
249 NetbufQueCopy (&Conn->RspQue, 0, Len, Data);
250
251 //
252 // Build the key-value list from the data segment of the Login Response.
253 //
254 KeyValueList = IScsiBuildKeyValueList ((CHAR8 *) Data, Len);
255 if (KeyValueList == NULL) {
256 Status = EFI_OUT_OF_RESOURCES;
257 goto ON_EXIT;
258 }
259
260 Status = EFI_PROTOCOL_ERROR;
261
262 switch (Conn->AuthStep) {
263 case ISCSI_AUTH_INITIAL:
264 //
265 // The first Login Response.
266 //
267 Value = IScsiGetValueByKeyFromList (
268 KeyValueList,
269 ISCSI_KEY_TARGET_PORTAL_GROUP_TAG
270 );
271 if (Value == NULL) {
272 goto ON_EXIT;
273 }
274
275 Result = IScsiNetNtoi (Value);
276 if (Result > 0xFFFF) {
277 goto ON_EXIT;
278 }
279
280 Session->TargetPortalGroupTag = (UINT16) Result;
281
282 Value = IScsiGetValueByKeyFromList (
283 KeyValueList,
284 ISCSI_KEY_AUTH_METHOD
285 );
286 if (Value == NULL) {
287 goto ON_EXIT;
288 }
289 //
290 // Initiator mandates CHAP authentication but target replies without
291 // "CHAP", or initiator suggets "None" but target replies with some kind of
292 // auth method.
293 //
294 if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {
295 if (AsciiStrCmp (Value, ISCSI_KEY_VALUE_NONE) != 0) {
296 goto ON_EXIT;
297 }
298 } else if (Session->AuthType == ISCSI_AUTH_TYPE_CHAP) {
299 if (AsciiStrCmp (Value, ISCSI_AUTH_METHOD_CHAP) != 0) {
300 goto ON_EXIT;
301 }
302 } else {
303 goto ON_EXIT;
304 }
305
306 //
307 // Transit to CHAP step one.
308 //
309 Conn->AuthStep = ISCSI_CHAP_STEP_ONE;
310 Status = EFI_SUCCESS;
311 break;
312
313 case ISCSI_CHAP_STEP_TWO:
314 //
315 // The Target replies with CHAP_A=<A> CHAP_I=<I> CHAP_C=<C>
316 //
317 Value = IScsiGetValueByKeyFromList (
318 KeyValueList,
319 ISCSI_KEY_CHAP_ALGORITHM
320 );
321 if (Value == NULL) {
322 goto ON_EXIT;
323 }
324
325 Algorithm = IScsiNetNtoi (Value);
326 for (HashIndex = 0; HashIndex < ARRAY_SIZE (mChapHash); HashIndex++) {
327 if (Algorithm == mChapHash[HashIndex].Algorithm) {
328 break;
329 }
330 }
331 if (HashIndex == ARRAY_SIZE (mChapHash)) {
332 //
333 // Unsupported algorithm is chosen by target.
334 //
335 goto ON_EXIT;
336 }
337 //
338 // Remember the target's chosen hash algorithm.
339 //
340 ASSERT (AuthData->Hash == NULL);
341 AuthData->Hash = &mChapHash[HashIndex];
342
343 Identifier = IScsiGetValueByKeyFromList (
344 KeyValueList,
345 ISCSI_KEY_CHAP_IDENTIFIER
346 );
347 if (Identifier == NULL) {
348 goto ON_EXIT;
349 }
350
351 Challenge = IScsiGetValueByKeyFromList (
352 KeyValueList,
353 ISCSI_KEY_CHAP_CHALLENGE
354 );
355 if (Challenge == NULL) {
356 goto ON_EXIT;
357 }
358 //
359 // Process the CHAP identifier and CHAP Challenge from Target.
360 // Calculate Response value.
361 //
362 Result = IScsiNetNtoi (Identifier);
363 if (Result > 0xFF) {
364 goto ON_EXIT;
365 }
366
367 AuthData->InIdentifier = (UINT32) Result;
368 AuthData->InChallengeLength = (UINT32) sizeof (AuthData->InChallenge);
369 Status = IScsiHexToBin (
370 (UINT8 *) AuthData->InChallenge,
371 &AuthData->InChallengeLength,
372 Challenge
373 );
374 if (EFI_ERROR (Status)) {
375 Status = EFI_PROTOCOL_ERROR;
376 goto ON_EXIT;
377 }
378 Status = IScsiCHAPCalculateResponse (
379 AuthData->InIdentifier,
380 AuthData->AuthConfig->CHAPSecret,
381 (UINT32) AsciiStrLen (AuthData->AuthConfig->CHAPSecret),
382 AuthData->InChallenge,
383 AuthData->InChallengeLength,
384 AuthData->Hash,
385 AuthData->CHAPResponse
386 );
387
388 //
389 // Transit to next step.
390 //
391 Conn->AuthStep = ISCSI_CHAP_STEP_THREE;
392 break;
393
394 case ISCSI_CHAP_STEP_THREE:
395 //
396 // One way CHAP authentication and the target would like to
397 // authenticate us.
398 //
399 Status = EFI_SUCCESS;
400 break;
401
402 case ISCSI_CHAP_STEP_FOUR:
403 ASSERT (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL);
404 //
405 // The forth step, CHAP_N=<N> CHAP_R=<R> is received from Target.
406 //
407 Name = IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME);
408 if (Name == NULL) {
409 goto ON_EXIT;
410 }
411
412 Response = IScsiGetValueByKeyFromList (
413 KeyValueList,
414 ISCSI_KEY_CHAP_RESPONSE
415 );
416 if (Response == NULL) {
417 goto ON_EXIT;
418 }
419
420 ASSERT (AuthData->Hash != NULL);
421 RspLen = AuthData->Hash->DigestSize;
422 Status = IScsiHexToBin (TargetRsp, &RspLen, Response);
423 if (EFI_ERROR (Status) || RspLen != AuthData->Hash->DigestSize) {
424 Status = EFI_PROTOCOL_ERROR;
425 goto ON_EXIT;
426 }
427
428 //
429 // Check the CHAP Name and Response replied by Target.
430 //
431 Status = IScsiCHAPAuthTarget (AuthData, TargetRsp);
432 break;
433
434 default:
435 break;
436 }
437
438 ON_EXIT:
439
440 if (KeyValueList != NULL) {
441 IScsiFreeKeyValueList (KeyValueList);
442 }
443
444 FreePool (Data);
445
446 return Status;
447 }
448
449
450 /**
451 This function fills the CHAP authentication information into the login PDU
452 during the security negotiation stage in the iSCSI connection login.
453
454 @param[in] Conn The iSCSI connection.
455 @param[in, out] Pdu The PDU to send out.
456
457 @retval EFI_SUCCESS All check passed and the phase-related CHAP
458 authentication info is filled into the iSCSI
459 PDU.
460 @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
461 @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred.
462
463 **/
464 EFI_STATUS
465 IScsiCHAPToSendReq (
466 IN ISCSI_CONNECTION *Conn,
467 IN OUT NET_BUF *Pdu
468 )
469 {
470 EFI_STATUS Status;
471 ISCSI_SESSION *Session;
472 ISCSI_LOGIN_REQUEST *LoginReq;
473 ISCSI_CHAP_AUTH_DATA *AuthData;
474 CHAR8 *Value;
475 CHAR8 ValueStr[256];
476 CHAR8 *Response;
477 UINT32 RspLen;
478 CHAR8 *Challenge;
479 UINT32 ChallengeLen;
480 EFI_STATUS BinToHexStatus;
481
482 ASSERT (Conn->CurrentStage == ISCSI_SECURITY_NEGOTIATION);
483
484 Session = Conn->Session;
485 AuthData = &Session->AuthData.CHAP;
486 LoginReq = (ISCSI_LOGIN_REQUEST *) NetbufGetByte (Pdu, 0, 0);
487 if (LoginReq == NULL) {
488 return EFI_PROTOCOL_ERROR;
489 }
490 Status = EFI_SUCCESS;
491
492 RspLen = 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3;
493 Response = AllocateZeroPool (RspLen);
494 if (Response == NULL) {
495 return EFI_OUT_OF_RESOURCES;
496 }
497
498 ChallengeLen = 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3;
499 Challenge = AllocateZeroPool (ChallengeLen);
500 if (Challenge == NULL) {
501 FreePool (Response);
502 return EFI_OUT_OF_RESOURCES;
503 }
504
505 switch (Conn->AuthStep) {
506 case ISCSI_AUTH_INITIAL:
507 //
508 // It's the initial Login Request. Fill in the key=value pairs mandatory
509 // for the initial Login Request.
510 //
511 IScsiAddKeyValuePair (
512 Pdu,
513 ISCSI_KEY_INITIATOR_NAME,
514 mPrivate->InitiatorName
515 );
516 IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal");
517 IScsiAddKeyValuePair (
518 Pdu,
519 ISCSI_KEY_TARGET_NAME,
520 Session->ConfigData->SessionConfigData.TargetName
521 );
522
523 if (Session->AuthType == ISCSI_AUTH_TYPE_NONE) {
524 Value = ISCSI_KEY_VALUE_NONE;
525 ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);
526 } else {
527 Value = ISCSI_AUTH_METHOD_CHAP;
528 }
529
530 IScsiAddKeyValuePair (Pdu, ISCSI_KEY_AUTH_METHOD, Value);
531
532 break;
533
534 case ISCSI_CHAP_STEP_ONE:
535 //
536 // First step, send the Login Request with CHAP_A=<A1,A2...> key-value
537 // pair.
538 //
539 IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, mChapHashListString);
540
541 Conn->AuthStep = ISCSI_CHAP_STEP_TWO;
542 break;
543
544 case ISCSI_CHAP_STEP_THREE:
545 //
546 // Third step, send the Login Request with CHAP_N=<N> CHAP_R=<R> or
547 // CHAP_N=<N> CHAP_R=<R> CHAP_I=<I> CHAP_C=<C> if target authentication is
548 // required too.
549 //
550 // CHAP_N=<N>
551 //
552 IScsiAddKeyValuePair (
553 Pdu,
554 ISCSI_KEY_CHAP_NAME,
555 (CHAR8 *) &AuthData->AuthConfig->CHAPName
556 );
557 //
558 // CHAP_R=<R>
559 //
560 ASSERT (AuthData->Hash != NULL);
561 BinToHexStatus = IScsiBinToHex (
562 (UINT8 *) AuthData->CHAPResponse,
563 AuthData->Hash->DigestSize,
564 Response,
565 &RspLen
566 );
567 ASSERT_EFI_ERROR (BinToHexStatus);
568 IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response);
569
570 if (AuthData->AuthConfig->CHAPType == ISCSI_CHAP_MUTUAL) {
571 //
572 // CHAP_I=<I>
573 //
574 IScsiGenRandom ((UINT8 *) &AuthData->OutIdentifier, 1);
575 AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentifier);
576 IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr);
577 //
578 // CHAP_C=<C>
579 //
580 IScsiGenRandom (
581 (UINT8 *) AuthData->OutChallenge,
582 AuthData->Hash->DigestSize
583 );
584 BinToHexStatus = IScsiBinToHex (
585 (UINT8 *) AuthData->OutChallenge,
586 AuthData->Hash->DigestSize,
587 Challenge,
588 &ChallengeLen
589 );
590 ASSERT_EFI_ERROR (BinToHexStatus);
591 IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge);
592
593 Conn->AuthStep = ISCSI_CHAP_STEP_FOUR;
594 }
595 //
596 // Set the stage transition flag.
597 //
598 ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT);
599 break;
600
601 default:
602 Status = EFI_PROTOCOL_ERROR;
603 break;
604 }
605
606 FreePool (Response);
607 FreePool (Challenge);
608
609 return Status;
610 }
611
612 /**
613 Initialize the CHAP_A=<A1,A2...> *value* string for the entire driver, to be
614 sent by the initiator in ISCSI_CHAP_STEP_ONE.
615
616 This function sanity-checks the internal table of supported CHAP hashing
617 algorithms, as well.
618 **/
619 VOID
620 IScsiCHAPInitHashList (
621 VOID
622 )
623 {
624 CHAR8 *Position;
625 UINTN Left;
626 UINTN HashIndex;
627 CONST CHAP_HASH *Hash;
628 UINTN Printed;
629
630 Position = mChapHashListString;
631 Left = sizeof (mChapHashListString);
632 for (HashIndex = 0; HashIndex < ARRAY_SIZE (mChapHash); HashIndex++) {
633 Hash = &mChapHash[HashIndex];
634
635 //
636 // Format the next hash identifier.
637 //
638 // Assert that we can format at least one non-NUL character, i.e. that we
639 // can progress. Truncation is checked after printing.
640 //
641 ASSERT (Left >= 2);
642 Printed = AsciiSPrint (
643 Position,
644 Left,
645 "%a%d",
646 (HashIndex == 0) ? "" : ",",
647 Hash->Algorithm
648 );
649 //
650 // There's no way to differentiate between the "buffer filled to the brim,
651 // but not truncated" result and the "truncated" result of AsciiSPrint().
652 // This is why "mChapHashListString" has an extra byte allocated, and the
653 // reason why we use the less-than (rather than the less-than-or-equal-to)
654 // relational operator in the assertion below -- we enforce "no truncation"
655 // by excluding the "completely used up" case too.
656 //
657 ASSERT (Printed + 1 < Left);
658
659 Position += Printed;
660 Left -= Printed;
661
662 //
663 // Sanity-check the digest size for Hash.
664 //
665 ASSERT (Hash->DigestSize <= ISCSI_CHAP_MAX_DIGEST_SIZE);
666 }
667 }
EFI Development Kit II mirror for PVE