NetworkPkg: introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro

Introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro for NetworkPkg.
When explicitly set to FALSE, remove MD5 from IScsiDxe's CHAP algorithm
list.

Set NETWORK_ISCSI_MD5_ENABLE to TRUE by default, for compatibility
reasons. Not just to minimize the disruption for platforms that currently
include IScsiDxe, but also because RFC 7143 mandates MD5 for CHAP, and
some vendors' iSCSI targets support MD5 only.

With MD5 enabled, IScsiDxe will suggest SHA256, and then fall back to MD5
if the target requests it. With MD5 disabled, IScsiDxe will suggest
SHA256, and break off the connection (and session) if the target doesn't
support SHA256.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210629163337.14120-7-lersek@redhat.com>

diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index 80035ece98874de2e39eee5de016e97a4f29f7ce..0491ef42db95e57390f9045ca25adaf933c2499f 100644 (file)
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
@@ -23,6 +23,7 @@ STATIC CONST CHAP_HASH mChapHash[] = {
     Sha256Update,\r
     Sha256Final\r
   },\r
+#ifdef ENABLE_MD5_DEPRECATED_INTERFACES\r
   //\r
   // Keep the deprecated MD5 entry at the end of the array (making MD5 the\r
   // least preferred choice of the initiator).\r
@@ -35,6 +36,7 @@ STATIC CONST CHAP_HASH mChapHash[] = {
     Md5Update,\r
     Md5Final\r
   },\r
+#endif // ENABLE_MD5_DEPRECATED_INTERFACES\r
 };\r
 \r
 //\r

diff --git a/NetworkPkg/NetworkBuildOptions.dsc.inc b/NetworkPkg/NetworkBuildOptions.dsc.inc
index 42d980d9543d08f21c0ab886e1b752569ed72775..738da2222f7e9b95bfc79b15fdb322175c13c63e 100644 (file)
--- a/NetworkPkg/NetworkBuildOptions.dsc.inc
+++ b/NetworkPkg/NetworkBuildOptions.dsc.inc
@@ -14,7 +14,7 @@
 #\r
 ##\r
 \r
-!if $(NETWORK_ISCSI_ENABLE) == TRUE\r
+!if $(NETWORK_ISCSI_ENABLE) == TRUE && $(NETWORK_ISCSI_MD5_ENABLE) == TRUE\r
   MSFT:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES\r
   INTEL:*_*_*_CC_FLAGS = /D ENABLE_MD5_DEPRECATED_INTERFACES\r
   GCC:*_*_*_CC_FLAGS = -D ENABLE_MD5_DEPRECATED_INTERFACES\r

diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.dsc.inc
index 54deb6342aaa89830292b65eedec067c07bf8343..e39a9cb3dc09ae0afe72e0c0252dc85c0560e618 100644 (file)
--- a/NetworkPkg/NetworkDefines.dsc.inc
+++ b/NetworkPkg/NetworkDefines.dsc.inc
@@ -19,6 +19,7 @@
 #   DEFINE NETWORK_HTTP_BOOT_ENABLE       = TRUE\r
 #   DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS = FALSE\r
 #   DEFINE NETWORK_ISCSI_ENABLE           = FALSE\r
+#   DEFINE NETWORK_ISCSI_MD5_ENABLE       = TRUE\r
 #   DEFINE NETWORK_VLAN_ENABLE            = TRUE\r
 #\r
 # Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>\r
@@ -117,6 +118,25 @@
   DEFINE NETWORK_ISCSI_ENABLE = FALSE\r
 !endif\r
 \r
+!ifndef NETWORK_ISCSI_MD5_ENABLE\r
+  #\r
+  # This flag enables the deprecated MD5 hash algorithm in iSCSI CHAP\r
+  # authentication.\r
+  #\r
+  # Note: The NETWORK_ISCSI_MD5_ENABLE flag only makes a difference if\r
+  #       NETWORK_ISCSI_ENABLE is TRUE; otherwise, NETWORK_ISCSI_MD5_ENABLE is\r
+  #       ignored.\r
+  #\r
+  #       With NETWORK_ISCSI_MD5_ENABLE set to TRUE, MD5 is enabled as the\r
+  #       least preferred CHAP hash algorithm. With NETWORK_ISCSI_MD5_ENABLE\r
+  #       set to FALSE, MD5 is disabled statically, at build time.\r
+  #\r
+  #       The default value is TRUE, because RFC 7143 mandates MD5, and because\r
+  #       several vendors' iSCSI targets only support MD5, for CHAP.\r
+  #\r
+  DEFINE NETWORK_ISCSI_MD5_ENABLE = TRUE\r
+!endif\r
+\r
 !if $(NETWORK_ENABLE) == TRUE\r
   #\r
   # Check the flags to see if there is any conflict.\r