1 | /******************************************************************************* |
2 | * This file houses the main functions for the iSCSI CHAP support | |
3 | * | |
4 | * \u00a9 Copyright 2007-2011 RisingTide Systems LLC. | |
5 | * | |
6 | * Licensed to the Linux Foundation under the General Public License (GPL) version 2. | |
7 | * | |
8 | * Author: Nicholas A. Bellinger <nab@linux-iscsi.org> | |
9 | * | |
10 | * This program is free software; you can redistribute it and/or modify | |
11 | * it under the terms of the GNU General Public License as published by | |
12 | * the Free Software Foundation; either version 2 of the License, or | |
13 | * (at your option) any later version. | |
14 | * | |
15 | * This program is distributed in the hope that it will be useful, | |
16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | * GNU General Public License for more details. | |
19 | ******************************************************************************/ | |
20 | ||
f2b56afd | 21 | #include <linux/kernel.h> |
22 | #include <linux/string.h> |
23 | #include <linux/crypto.h> | |
24 | #include <linux/err.h> | |
25 | #include <linux/scatterlist.h> | |
26 | ||
27 | #include "iscsi_target_core.h" | |
28 | #include "iscsi_target_nego.h" | |
29 | #include "iscsi_target_auth.h" | |
30 | ||
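/*
 * Decode an ASCII hex string into raw bytes.
 *
 * @dst: output buffer; it must hold DIV_ROUND_UP(len, 2) + 1 bytes, because
 *       a terminating NUL is written after the decoded bytes.  This helper
 *       cannot bound @len against the size of @dst -- the caller must.
 * @src: hex digits (any "0x" prefix already stripped); the first @len
 *       characters are decoded in pairs.
 * @len: number of characters of @src to decode.
 *
 * Returns the number of decoded bytes, or 0 when @len is negative, when @len
 * is odd, or when @src contains a non-hex character.  On a 0 return the
 * contents of @dst are unspecified (hex2bin() may have written part of it)
 * and must not be used.
 */
static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
{
	int j, rc;

	if (len < 0)
		return 0;

	j = DIV_ROUND_UP(len, 2);
	/*
	 * An odd @len makes hex2bin() consume the NUL after the last digit,
	 * which is not a hex digit, so odd-length input is rejected below.
	 */
	rc = hex2bin(dst, src, j);
	dst[j] = '\0';
	if (rc < 0) {
		pr_debug("CHAP string contains non hex digit symbols\n");
		return 0;
	}

	return j;
}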
42 | ||
/*
 * Render @src_len raw bytes from @src as lowercase ASCII hex in @dst.
 *
 * @dst must have room for src_len * 2 + 1 bytes: two characters per input
 * byte plus the NUL that the final sprintf() leaves behind.  A @src_len of
 * zero or less writes nothing at all.
 */
static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
{
	char *out = dst;
	int idx;

	for (idx = 0; idx < src_len; idx++) {
		unsigned int byte = (unsigned char)src[idx];

		/* sprintf() returns the two digits written; walk past them. */
		out += sprintf(out, "%02x", byte);
	}
}
51 | ||
/*
 * Draw a fresh random challenge for this connection, keep it in
 * chap->challenge and append "CHAP_C=0x<hex>" to @c_str.
 *
 * @conn:   connection whose auth_protocol holds the struct iscsi_chap.
 * @caller: non-zero for the server side; only affects the debug message.
 * @c_str:  output text buffer; the pair is written at offset *c_len.
 * @c_len:  in/out; advanced past the written pair plus one byte, which
 *          presumably keeps the NUL as the key/value separator -- see
 *          convert_null_to_semi() in the caller path.
 */
static void chap_gen_challenge(
	struct iscsi_conn *conn,
	int caller,
	char *c_str,
	unsigned int *c_len)
{
	struct iscsi_chap *chap = conn->auth_protocol;
	unsigned char challenge_asciihex[CHAP_CHALLENGE_LENGTH * 2 + 1];
	const char *side = caller ? "server" : "client";

	memset(challenge_asciihex, 0, sizeof(challenge_asciihex));

	/*
	 * The challenge comes from the kernel RNG so a response captured
	 * from one login cannot be replayed against a later one.
	 */
	get_random_bytes(chap->challenge, CHAP_CHALLENGE_LENGTH);
	chap_binaryhex_to_asciihex(challenge_asciihex, chap->challenge,
				   CHAP_CHALLENGE_LENGTH);

	*c_len += sprintf(c_str + *c_len, "CHAP_C=0x%s", challenge_asciihex);
	*c_len += 1;

	pr_debug("[%s] Sending CHAP_C=0x%s\n\n", side, challenge_asciihex);
}
75 | ||
76 | ||
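/*
 * Start a server-side CHAP exchange: check that the ACL carries a
 * user/password pair, allocate the per-connection CHAP state, require that
 * the initiator offered MD5, then emit CHAP_A, CHAP_I and CHAP_C into
 * @aic_str.
 *
 * @conn:    connection; conn->auth_protocol receives the new struct iscsi_chap.
 * @auth:    node ACL credentials (userid/password must both be set).
 * @a_str:   initiator's login text, which must begin with "CHAP_A=5".
 * @aic_str: output buffer for the NUL-separated key/value pairs.
 * @aic_len: out; number of bytes written to @aic_str.
 *
 * Returns the new struct iscsi_chap (also stored in conn->auth_protocol), or
 * NULL on failure.  No allocation is left behind on failure: the state is
 * freed and conn->auth_protocol cleared when the CHAP_A offer is rejected.
 */
static struct iscsi_chap *chap_server_open(
	struct iscsi_conn *conn,
	struct iscsi_node_auth *auth,
	const char *a_str,
	char *aic_str,
	unsigned int *aic_len)
{
	struct iscsi_chap *chap;

	if (!(auth->naf_flags & NAF_USERID_SET) ||
	    !(auth->naf_flags & NAF_PASSWORD_SET)) {
		pr_err("CHAP user or password not set for"
			" Initiator ACL\n");
		return NULL;
	}

	chap = kzalloc(sizeof(*chap), GFP_KERNEL);
	if (!chap)
		return NULL;
	conn->auth_protocol = chap;

	/*
	 * We only support MD5 MDA presently.  A rejected offer must not
	 * leave the freshly allocated state dangling on the connection.
	 */
	if (strncmp(a_str, "CHAP_A=5", 8)) {
		pr_err("CHAP_A is not MD5.\n");
		kfree(chap);
		conn->auth_protocol = NULL;
		return NULL;
	}
	pr_debug("[server] Got CHAP_A=5\n");
	/*
	 * Send back CHAP_A set to MD5.
	 */
	*aic_len = sprintf(aic_str, "CHAP_A=5");
	*aic_len += 1;
	chap->digest_type = CHAP_DIGEST_MD5;
	pr_debug("[server] Sending CHAP_A=%d\n", chap->digest_type);
	/*
	 * Set Identifier.
	 *
	 * NOTE(review): tpg_chap_id is incremented without any locking
	 * visible here; confirm that logins on a TPG are serialised by the
	 * caller, otherwise two connections could share an identifier.
	 */
	chap->id = ISCSI_TPG_C(conn)->tpg_chap_id++;
	*aic_len += sprintf(aic_str + *aic_len, "CHAP_I=%d", chap->id);
	*aic_len += 1;
	pr_debug("[server] Sending CHAP_I=%d\n", chap->id);
	/*
	 * Generate Challenge.
	 */
	chap_gen_challenge(conn, 1, aic_str, aic_len);

	return chap;
}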
127 | ||
/*
 * Release the per-connection CHAP state (if any) and clear the pointer so a
 * later chap_main_loop() call starts from scratch.
 */
static void chap_close(struct iscsi_conn *conn)
{
	struct iscsi_chap *chap = conn->auth_protocol;

	conn->auth_protocol = NULL;
	kfree(chap);
}
133 | ||
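/*
 * Compute MD5(id || secret || challenge) into @out (MD5_SIGNATURE_SIZE bytes).
 *
 * @id points at the single identifier octet to hash; @secret and @challenge
 * are hashed as @secret_len and @challenge_len raw bytes respectively.
 *
 * Returns 0 on success, -1 on any crypto API failure; the failing step has
 * already been reported with pr_err().  The transform is always released.
 */
static int chap_md5_digest(const void *id, const void *secret,
			   size_t secret_len, const void *challenge,
			   size_t challenge_len, unsigned char *out)
{
	struct crypto_hash *tfm;
	struct hash_desc desc;
	struct scatterlist sg;
	int ret = -1;

	tfm = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm)) {
		pr_err("Unable to allocate struct crypto_hash\n");
		return -1;
	}
	desc.tfm = tfm;
	desc.flags = 0;

	if (crypto_hash_init(&desc) < 0) {
		pr_err("crypto_hash_init() failed\n");
		goto out;
	}

	sg_init_one(&sg, id, 1);
	if (crypto_hash_update(&desc, &sg, 1) < 0) {
		pr_err("crypto_hash_update() failed for id\n");
		goto out;
	}

	sg_init_one(&sg, secret, secret_len);
	if (crypto_hash_update(&desc, &sg, secret_len) < 0) {
		pr_err("crypto_hash_update() failed for secret\n");
		goto out;
	}

	sg_init_one(&sg, challenge, challenge_len);
	if (crypto_hash_update(&desc, &sg, challenge_len) < 0) {
		pr_err("crypto_hash_update() failed for challenge\n");
		goto out;
	}

	if (crypto_hash_final(&desc, out) < 0) {
		pr_err("crypto_hash_final() failed\n");
		goto out;
	}
	ret = 0;
out:
	crypto_free_hash(tfm);
	return ret;
}

/*
 * Verify the initiator's CHAP_N/CHAP_R against the identifier and challenge
 * issued by chap_server_open() and, when the ACL asks for mutual
 * authentication, answer the initiator's CHAP_I/CHAP_C with our own
 * CHAP_N/CHAP_R.
 *
 * @conn:       connection; conn->auth_protocol holds the struct iscsi_chap
 *              carrying the identifier and challenge we sent.
 * @auth:       node ACL credentials: userid/password, and for mutual
 *              authentication userid_mutual/password_mutual.
 * @nr_in_ptr:  initiator's key/value text.  This is untrusted input: every
 *              value is length-checked before it is decoded into a
 *              fixed-size buffer.
 * @nr_out_ptr: output buffer for our mutual-auth response.
 * @nr_out_len: out; bytes written to @nr_out_ptr (untouched for one-way
 *              authentication).
 *
 * Returns 0 on success, -1 on any parse, allocation, crypto or verification
 * failure.  Per RFC 1994 the response is MD5(identifier || secret ||
 * challenge), which chap_md5_digest() computes for both directions.
 */
static int chap_server_compute_md5(
	struct iscsi_conn *conn,
	struct iscsi_node_auth *auth,
	char *nr_in_ptr,
	char *nr_out_ptr,
	unsigned int *nr_out_len)
{
	char *endptr;
	unsigned long id;
	unsigned char id_as_uchar;
	unsigned char digest[MD5_SIGNATURE_SIZE];
	unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2];
	unsigned char identifier[10], *challenge = NULL;
	unsigned char *challenge_binhex = NULL;
	unsigned char client_digest[MD5_SIGNATURE_SIZE];
	unsigned char server_digest[MD5_SIGNATURE_SIZE];
	unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH];
	size_t compare_len;
	struct iscsi_chap *chap = conn->auth_protocol;
	int auth_ret = -1, challenge_len;

	memset(identifier, 0, sizeof(identifier));
	memset(chap_n, 0, sizeof(chap_n));
	memset(chap_r, 0, sizeof(chap_r));
	memset(digest, 0, sizeof(digest));
	memset(response, 0, sizeof(response));
	memset(client_digest, 0, sizeof(client_digest));
	memset(server_digest, 0, sizeof(server_digest));

	challenge = kzalloc(CHAP_CHALLENGE_STR_LEN, GFP_KERNEL);
	if (!challenge) {
		pr_err("Unable to allocate challenge buffer\n");
		goto out;
	}

	challenge_binhex = kzalloc(CHAP_CHALLENGE_STR_LEN, GFP_KERNEL);
	if (!challenge_binhex) {
		pr_err("Unable to allocate challenge_binhex buffer\n");
		goto out;
	}
	/*
	 * Extract CHAP_N.
	 */
	if (extract_param(nr_in_ptr, "CHAP_N", MAX_CHAP_N_SIZE, chap_n,
				&type) < 0) {
		pr_err("Could not find CHAP_N.\n");
		goto out;
	}
	if (type == HEX) {
		pr_err("Could not find CHAP_N.\n");
		goto out;
	}

	/* Include the terminating NULL in the compare */
	compare_len = strlen(auth->userid) + 1;
	if (strncmp(chap_n, auth->userid, compare_len) != 0) {
		pr_err("CHAP_N values do not match!\n");
		goto out;
	}
	pr_debug("[server] Got CHAP_N=%s\n", chap_n);
	/*
	 * Extract CHAP_R.
	 */
	if (extract_param(nr_in_ptr, "CHAP_R", MAX_RESPONSE_LENGTH, chap_r,
				&type) < 0) {
		pr_err("Could not find CHAP_R.\n");
		goto out;
	}
	if (type != HEX) {
		pr_err("Could not find CHAP_R.\n");
		goto out;
	}
	pr_debug("[server] Got CHAP_R=%s\n", chap_r);
	/*
	 * An MD5 response is exactly MD5_SIGNATURE_SIZE bytes, i.e. twice
	 * that many hex digits.  Enforce that before decoding: chap_r can
	 * hold up to MAX_RESPONSE_LENGTH characters while client_digest is
	 * only MD5_SIGNATURE_SIZE bytes, so decoding an over-long response
	 * via chap_string_to_hex() would write past client_digest on the
	 * stack -- and its trailing NUL would do so even for a response of
	 * exactly the right length.  hex2bin() is used directly so that
	 * exactly MD5_SIGNATURE_SIZE bytes are written.
	 */
	if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
		pr_err("Malformed CHAP_R\n");
		goto out;
	}
	if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
		pr_err("Malformed CHAP_R\n");
		goto out;
	}

	/*
	 * Our expected response: MD5(our id || password || our challenge).
	 * Only the first byte at &chap->id is hashed, exactly as before;
	 * whether that is the whole identifier depends on the type of
	 * chap->id in iscsi_target_auth.h (an octet is expected).
	 */
	if (chap_md5_digest(&chap->id, auth->password, strlen(auth->password),
			    chap->challenge, CHAP_CHALLENGE_LENGTH,
			    server_digest) < 0)
		goto out;

	chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE);
	pr_debug("[server] MD5 Server Digest: %s\n", response);

	/*
	 * NOTE(review): memcmp() is not constant-time; crypto_memneq() is
	 * the preferred comparison for authentication tags where the kernel
	 * provides it.
	 */
	if (memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE) != 0) {
		pr_debug("[server] MD5 Digests do not match!\n\n");
		goto out;
	}
	pr_debug("[server] MD5 Digests match, CHAP authentication"
			" successful.\n\n");
	/*
	 * One way authentication has succeeded, return now if mutual
	 * authentication is not enabled.
	 */
	if (!auth->authenticate_target) {
		auth_ret = 0;
		goto out;
	}
	/*
	 * Get CHAP_I.
	 */
	if (extract_param(nr_in_ptr, "CHAP_I", 10, identifier, &type) < 0) {
		pr_err("Could not find CHAP_I.\n");
		goto out;
	}

	/*
	 * NOTE(review): the HEX branch skips two leading characters, which
	 * presumes extract_param() leaves a "0x" prefix in place for CHAP_I;
	 * verify against extract_param() before changing either side.
	 */
	if (type == HEX)
		id = simple_strtoul(&identifier[2], &endptr, 0);
	else
		id = simple_strtoul(identifier, &endptr, 0);
	/*
	 * RFC 1994 says Identifier is no more than octet (8 bits).
	 */
	if (id > 255) {
		pr_err("chap identifier: %lu greater than 255\n", id);
		goto out;
	}
	pr_debug("[server] Got CHAP_I=%lu\n", id);
	/*
	 * Get CHAP_C.
	 *
	 * NOTE(review): max_length here equals the size of the challenge
	 * buffer; confirm extract_param() treats it as the buffer size
	 * including the terminating NUL.
	 */
	if (extract_param(nr_in_ptr, "CHAP_C", CHAP_CHALLENGE_STR_LEN,
				challenge, &type) < 0) {
		pr_err("Could not find CHAP_C.\n");
		goto out;
	}
	if (type != HEX) {
		pr_err("Could not find CHAP_C.\n");
		goto out;
	}
	pr_debug("[server] Got CHAP_C=%s\n", challenge);
	/*
	 * challenge and challenge_binhex are both CHAP_CHALLENGE_STR_LEN
	 * bytes and challenge is NUL-terminated within that, so the
	 * half-length decoded output plus its NUL always fits.
	 */
	challenge_len = chap_string_to_hex(challenge_binhex, challenge,
				strlen(challenge));
	if (challenge_len <= 0) {
		pr_err("Unable to convert incoming challenge\n");
		goto out;
	}
	/*
	 * During mutual authentication, the CHAP_C generated by the
	 * initiator must not match the original CHAP_C generated by
	 * the target; otherwise the peer could reflect our own challenge
	 * back and reuse our response.
	 */
	if (!memcmp(challenge_binhex, chap->challenge, CHAP_CHALLENGE_LENGTH)) {
		pr_err("initiator CHAP_C matches target CHAP_C, failing"
			" login attempt\n");
		goto out;
	}
	/*
	 * Generate CHAP_N and CHAP_R for mutual authentication:
	 * MD5(initiator's id || password_mutual || initiator's challenge).
	 * id_as_uchar carries the low octet of id regardless of host
	 * endianness.
	 */
	id_as_uchar = id;
	if (chap_md5_digest(&id_as_uchar, auth->password_mutual,
			    strlen(auth->password_mutual),
			    challenge_binhex, challenge_len, digest) < 0)
		goto out;
	/*
	 * Generate CHAP_N and CHAP_R.
	 */
	*nr_out_len = sprintf(nr_out_ptr, "CHAP_N=%s", auth->userid_mutual);
	*nr_out_len += 1;
	pr_debug("[server] Sending CHAP_N=%s\n", auth->userid_mutual);
	/*
	 * Convert response from binary hex to ascii hex.
	 */
	chap_binaryhex_to_asciihex(response, digest, MD5_SIGNATURE_SIZE);
	*nr_out_len += sprintf(nr_out_ptr + *nr_out_len, "CHAP_R=0x%s",
			response);
	*nr_out_len += 1;
	pr_debug("[server] Sending CHAP_R=0x%s\n", response);
	auth_ret = 0;
out:
	kfree(challenge);
	kfree(challenge_binhex);
	return auth_ret;
}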
403 | ||
/*
 * Hand the initiator's N/R text to the verifier for the digest type chosen
 * in chap_server_open().  Returns 0 on success, -1 on failure or on an
 * unrecognised digest type.
 */
static int chap_got_response(
	struct iscsi_conn *conn,
	struct iscsi_node_auth *auth,
	char *nr_in_ptr,
	char *nr_out_ptr,
	unsigned int *nr_out_len)
{
	struct iscsi_chap *chap = conn->auth_protocol;
	int rc;

	if (chap->digest_type != CHAP_DIGEST_MD5) {
		pr_err("Unknown CHAP digest type %d!\n",
				chap->digest_type);
		return -1;
	}

	rc = chap_server_compute_md5(conn, auth, nr_in_ptr, nr_out_ptr,
				     nr_out_len);
	return (rc < 0) ? -1 : 0;
}
425 | ||
/*
 * Server-side CHAP state machine driven by the login negotiation.
 *
 * Returns 0 after the first round (CHAP_A/I/C have been written to
 * @out_text and more input is needed), 1 after the second round when the
 * initiator verified (with our N/R appended to @out_text if the ACL asks
 * for mutual authentication, otherwise *out_len is zeroed), and 2 on any
 * failure.  The per-connection CHAP state is released at the end of the
 * second round, on success or failure.
 */
u32 chap_main_loop(
	struct iscsi_conn *conn,
	struct iscsi_node_auth *auth,
	char *in_text,
	char *out_text,
	int *in_len,
	int *out_len)
{
	struct iscsi_chap *chap = conn->auth_protocol;

	if (chap == NULL) {
		/* First round: validate CHAP_A and send A/I/C. */
		chap = chap_server_open(conn, auth, in_text, out_text, out_len);
		if (chap == NULL)
			return 2;
		chap->chap_state = CHAP_STAGE_SERVER_AIC;
		return 0;
	}

	if (chap->chap_state != CHAP_STAGE_SERVER_AIC)
		return 2;

	/* Second round: verify N/R and, when requested, answer I/C. */
	convert_null_to_semi(in_text, *in_len);
	if (chap_got_response(conn, auth, in_text, out_text, out_len) < 0) {
		chap_close(conn);
		return 2;
	}
	if (auth->authenticate_target)
		chap->chap_state = CHAP_STAGE_SERVER_NR;
	else
		*out_len = 0;
	chap_close(conn);
	return 1;
}