Commit | Line | Data |
---|---|---|
e48354ce NB |
1 | /******************************************************************************* |
2 | * This file houses the main functions for the iSCSI CHAP support | |
3 | * | |
4c76251e | 4 | * (c) Copyright 2007-2013 Datera, Inc. |
e48354ce NB |
5 | * |
6 | * Author: Nicholas A. Bellinger <nab@linux-iscsi.org> | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | ******************************************************************************/ | |
18 | ||
f2b56afd | 19 | #include <linux/kernel.h> |
e48354ce NB |
20 | #include <linux/string.h> |
21 | #include <linux/crypto.h> | |
22 | #include <linux/err.h> | |
23 | #include <linux/scatterlist.h> | |
24 | ||
67f091f2 | 25 | #include <target/iscsi/iscsi_target_core.h> |
e48354ce NB |
26 | #include "iscsi_target_nego.h" |
27 | #include "iscsi_target_auth.h" | |
28 | ||
e48354ce NB |
29 | static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len) |
30 | { | |
ddca8f3e | 31 | int j = DIV_ROUND_UP(len, 2), rc; |
e48354ce | 32 | |
ddca8f3e NB |
33 | rc = hex2bin(dst, src, j); |
34 | if (rc < 0) | |
35 | pr_debug("CHAP string contains non hex digit symbols\n"); | |
e48354ce NB |
36 | |
37 | dst[j] = '\0'; | |
38 | return j; | |
39 | } | |
40 | ||
41 | static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len) | |
42 | { | |
43 | int i; | |
44 | ||
45 | for (i = 0; i < src_len; i++) { | |
46 | sprintf(&dst[i*2], "%02x", (int) src[i] & 0xff); | |
47 | } | |
48 | } | |
49 | ||
e48354ce NB |
50 | static void chap_gen_challenge( |
51 | struct iscsi_conn *conn, | |
52 | int caller, | |
53 | char *c_str, | |
54 | unsigned int *c_len) | |
55 | { | |
56 | unsigned char challenge_asciihex[CHAP_CHALLENGE_LENGTH * 2 + 1]; | |
8359cf43 | 57 | struct iscsi_chap *chap = conn->auth_protocol; |
e48354ce NB |
58 | |
59 | memset(challenge_asciihex, 0, CHAP_CHALLENGE_LENGTH * 2 + 1); | |
60 | ||
98e2eeb3 | 61 | get_random_bytes(chap->challenge, CHAP_CHALLENGE_LENGTH); |
e48354ce NB |
62 | chap_binaryhex_to_asciihex(challenge_asciihex, chap->challenge, |
63 | CHAP_CHALLENGE_LENGTH); | |
64 | /* | |
65 | * Set CHAP_C, and copy the generated challenge into c_str. | |
66 | */ | |
67 | *c_len += sprintf(c_str + *c_len, "CHAP_C=0x%s", challenge_asciihex); | |
68 | *c_len += 1; | |
69 | ||
70 | pr_debug("[%s] Sending CHAP_C=0x%s\n\n", (caller) ? "server" : "client", | |
71 | challenge_asciihex); | |
72 | } | |
73 | ||
3160723c TV |
74 | static int chap_check_algorithm(const char *a_str) |
75 | { | |
76 | char *tmp, *orig, *token; | |
77 | ||
78 | tmp = kstrdup(a_str, GFP_KERNEL); | |
79 | if (!tmp) { | |
80 | pr_err("Memory allocation failed for CHAP_A temporary buffer\n"); | |
81 | return CHAP_DIGEST_UNKNOWN; | |
82 | } | |
83 | orig = tmp; | |
84 | ||
85 | token = strsep(&tmp, "="); | |
86 | if (!token) | |
87 | goto out; | |
88 | ||
89 | if (strcmp(token, "CHAP_A")) { | |
90 | pr_err("Unable to locate CHAP_A key\n"); | |
91 | goto out; | |
92 | } | |
93 | while (token) { | |
94 | token = strsep(&tmp, ","); | |
95 | if (!token) | |
96 | goto out; | |
97 | ||
98 | if (!strncmp(token, "5", 1)) { | |
99 | pr_debug("Selected MD5 Algorithm\n"); | |
100 | kfree(orig); | |
101 | return CHAP_DIGEST_MD5; | |
102 | } | |
103 | } | |
104 | out: | |
105 | kfree(orig); | |
106 | return CHAP_DIGEST_UNKNOWN; | |
107 | } | |
e48354ce NB |
108 | |
109 | static struct iscsi_chap *chap_server_open( | |
110 | struct iscsi_conn *conn, | |
111 | struct iscsi_node_auth *auth, | |
112 | const char *a_str, | |
113 | char *aic_str, | |
114 | unsigned int *aic_len) | |
115 | { | |
3160723c | 116 | int ret; |
e48354ce NB |
117 | struct iscsi_chap *chap; |
118 | ||
119 | if (!(auth->naf_flags & NAF_USERID_SET) || | |
120 | !(auth->naf_flags & NAF_PASSWORD_SET)) { | |
121 | pr_err("CHAP user or password not set for" | |
122 | " Initiator ACL\n"); | |
123 | return NULL; | |
124 | } | |
125 | ||
126 | conn->auth_protocol = kzalloc(sizeof(struct iscsi_chap), GFP_KERNEL); | |
127 | if (!conn->auth_protocol) | |
128 | return NULL; | |
129 | ||
8359cf43 | 130 | chap = conn->auth_protocol; |
3160723c TV |
131 | ret = chap_check_algorithm(a_str); |
132 | switch (ret) { | |
133 | case CHAP_DIGEST_MD5: | |
134 | pr_debug("[server] Got CHAP_A=5\n"); | |
135 | /* | |
136 | * Send back CHAP_A set to MD5. | |
137 | */ | |
138 | *aic_len = sprintf(aic_str, "CHAP_A=5"); | |
139 | *aic_len += 1; | |
140 | chap->digest_type = CHAP_DIGEST_MD5; | |
141 | pr_debug("[server] Sending CHAP_A=%d\n", chap->digest_type); | |
142 | break; | |
143 | case CHAP_DIGEST_UNKNOWN: | |
144 | default: | |
145 | pr_err("Unsupported CHAP_A value\n"); | |
e48354ce NB |
146 | return NULL; |
147 | } | |
3160723c | 148 | |
e48354ce NB |
149 | /* |
150 | * Set Identifier. | |
151 | */ | |
60bfcf8e | 152 | chap->id = conn->tpg->tpg_chap_id++; |
e48354ce NB |
153 | *aic_len += sprintf(aic_str + *aic_len, "CHAP_I=%d", chap->id); |
154 | *aic_len += 1; | |
155 | pr_debug("[server] Sending CHAP_I=%d\n", chap->id); | |
156 | /* | |
157 | * Generate Challenge. | |
158 | */ | |
159 | chap_gen_challenge(conn, 1, aic_str, aic_len); | |
160 | ||
161 | return chap; | |
162 | } | |
163 | ||
164 | static void chap_close(struct iscsi_conn *conn) | |
165 | { | |
166 | kfree(conn->auth_protocol); | |
167 | conn->auth_protocol = NULL; | |
168 | } | |
169 | ||
170 | static int chap_server_compute_md5( | |
171 | struct iscsi_conn *conn, | |
172 | struct iscsi_node_auth *auth, | |
173 | char *nr_in_ptr, | |
174 | char *nr_out_ptr, | |
175 | unsigned int *nr_out_len) | |
176 | { | |
bc704fb5 | 177 | unsigned long id; |
7ac9ad11 | 178 | unsigned char id_as_uchar; |
bc704fb5 | 179 | unsigned char digest[MD5_SIGNATURE_SIZE]; |
e48354ce NB |
180 | unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2]; |
181 | unsigned char identifier[10], *challenge = NULL; | |
182 | unsigned char *challenge_binhex = NULL; | |
183 | unsigned char client_digest[MD5_SIGNATURE_SIZE]; | |
184 | unsigned char server_digest[MD5_SIGNATURE_SIZE]; | |
185 | unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH]; | |
86784c6b | 186 | size_t compare_len; |
8359cf43 | 187 | struct iscsi_chap *chap = conn->auth_protocol; |
e48354ce NB |
188 | struct crypto_hash *tfm; |
189 | struct hash_desc desc; | |
190 | struct scatterlist sg; | |
191 | int auth_ret = -1, ret, challenge_len; | |
192 | ||
193 | memset(identifier, 0, 10); | |
194 | memset(chap_n, 0, MAX_CHAP_N_SIZE); | |
195 | memset(chap_r, 0, MAX_RESPONSE_LENGTH); | |
196 | memset(digest, 0, MD5_SIGNATURE_SIZE); | |
197 | memset(response, 0, MD5_SIGNATURE_SIZE * 2 + 2); | |
198 | memset(client_digest, 0, MD5_SIGNATURE_SIZE); | |
199 | memset(server_digest, 0, MD5_SIGNATURE_SIZE); | |
200 | ||
201 | challenge = kzalloc(CHAP_CHALLENGE_STR_LEN, GFP_KERNEL); | |
202 | if (!challenge) { | |
203 | pr_err("Unable to allocate challenge buffer\n"); | |
204 | goto out; | |
205 | } | |
206 | ||
207 | challenge_binhex = kzalloc(CHAP_CHALLENGE_STR_LEN, GFP_KERNEL); | |
208 | if (!challenge_binhex) { | |
209 | pr_err("Unable to allocate challenge_binhex buffer\n"); | |
210 | goto out; | |
211 | } | |
212 | /* | |
213 | * Extract CHAP_N. | |
214 | */ | |
215 | if (extract_param(nr_in_ptr, "CHAP_N", MAX_CHAP_N_SIZE, chap_n, | |
216 | &type) < 0) { | |
217 | pr_err("Could not find CHAP_N.\n"); | |
218 | goto out; | |
219 | } | |
220 | if (type == HEX) { | |
221 | pr_err("Could not find CHAP_N.\n"); | |
222 | goto out; | |
223 | } | |
224 | ||
86784c6b ES |
225 | /* Include the terminating NULL in the compare */ |
226 | compare_len = strlen(auth->userid) + 1; | |
227 | if (strncmp(chap_n, auth->userid, compare_len) != 0) { | |
e48354ce NB |
228 | pr_err("CHAP_N values do not match!\n"); |
229 | goto out; | |
230 | } | |
231 | pr_debug("[server] Got CHAP_N=%s\n", chap_n); | |
232 | /* | |
233 | * Extract CHAP_R. | |
234 | */ | |
235 | if (extract_param(nr_in_ptr, "CHAP_R", MAX_RESPONSE_LENGTH, chap_r, | |
236 | &type) < 0) { | |
237 | pr_err("Could not find CHAP_R.\n"); | |
238 | goto out; | |
239 | } | |
240 | if (type != HEX) { | |
241 | pr_err("Could not find CHAP_R.\n"); | |
242 | goto out; | |
243 | } | |
244 | ||
245 | pr_debug("[server] Got CHAP_R=%s\n", chap_r); | |
246 | chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); | |
247 | ||
248 | tfm = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC); | |
249 | if (IS_ERR(tfm)) { | |
250 | pr_err("Unable to allocate struct crypto_hash\n"); | |
251 | goto out; | |
252 | } | |
253 | desc.tfm = tfm; | |
254 | desc.flags = 0; | |
255 | ||
256 | ret = crypto_hash_init(&desc); | |
257 | if (ret < 0) { | |
258 | pr_err("crypto_hash_init() failed\n"); | |
259 | crypto_free_hash(tfm); | |
260 | goto out; | |
261 | } | |
262 | ||
8359cf43 | 263 | sg_init_one(&sg, &chap->id, 1); |
e48354ce NB |
264 | ret = crypto_hash_update(&desc, &sg, 1); |
265 | if (ret < 0) { | |
266 | pr_err("crypto_hash_update() failed for id\n"); | |
267 | crypto_free_hash(tfm); | |
268 | goto out; | |
269 | } | |
270 | ||
8359cf43 | 271 | sg_init_one(&sg, &auth->password, strlen(auth->password)); |
e48354ce NB |
272 | ret = crypto_hash_update(&desc, &sg, strlen(auth->password)); |
273 | if (ret < 0) { | |
274 | pr_err("crypto_hash_update() failed for password\n"); | |
275 | crypto_free_hash(tfm); | |
276 | goto out; | |
277 | } | |
278 | ||
8359cf43 | 279 | sg_init_one(&sg, chap->challenge, CHAP_CHALLENGE_LENGTH); |
e48354ce NB |
280 | ret = crypto_hash_update(&desc, &sg, CHAP_CHALLENGE_LENGTH); |
281 | if (ret < 0) { | |
282 | pr_err("crypto_hash_update() failed for challenge\n"); | |
283 | crypto_free_hash(tfm); | |
284 | goto out; | |
285 | } | |
286 | ||
287 | ret = crypto_hash_final(&desc, server_digest); | |
288 | if (ret < 0) { | |
289 | pr_err("crypto_hash_final() failed for server digest\n"); | |
290 | crypto_free_hash(tfm); | |
291 | goto out; | |
292 | } | |
293 | crypto_free_hash(tfm); | |
294 | ||
295 | chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE); | |
296 | pr_debug("[server] MD5 Server Digest: %s\n", response); | |
297 | ||
298 | if (memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE) != 0) { | |
299 | pr_debug("[server] MD5 Digests do not match!\n\n"); | |
300 | goto out; | |
301 | } else | |
302 | pr_debug("[server] MD5 Digests match, CHAP connetication" | |
303 | " successful.\n\n"); | |
304 | /* | |
305 | * One way authentication has succeeded, return now if mutual | |
306 | * authentication is not enabled. | |
307 | */ | |
308 | if (!auth->authenticate_target) { | |
309 | kfree(challenge); | |
310 | kfree(challenge_binhex); | |
311 | return 0; | |
312 | } | |
313 | /* | |
314 | * Get CHAP_I. | |
315 | */ | |
316 | if (extract_param(nr_in_ptr, "CHAP_I", 10, identifier, &type) < 0) { | |
317 | pr_err("Could not find CHAP_I.\n"); | |
318 | goto out; | |
319 | } | |
320 | ||
321 | if (type == HEX) | |
b06eef6e | 322 | ret = kstrtoul(&identifier[2], 0, &id); |
e48354ce | 323 | else |
b06eef6e NB |
324 | ret = kstrtoul(identifier, 0, &id); |
325 | ||
326 | if (ret < 0) { | |
327 | pr_err("kstrtoul() failed for CHAP identifier: %d\n", ret); | |
328 | goto out; | |
329 | } | |
bc704fb5 NB |
330 | if (id > 255) { |
331 | pr_err("chap identifier: %lu greater than 255\n", id); | |
332 | goto out; | |
333 | } | |
e48354ce NB |
334 | /* |
335 | * RFC 1994 says Identifier is no more than octet (8 bits). | |
336 | */ | |
bc704fb5 | 337 | pr_debug("[server] Got CHAP_I=%lu\n", id); |
e48354ce NB |
338 | /* |
339 | * Get CHAP_C. | |
340 | */ | |
341 | if (extract_param(nr_in_ptr, "CHAP_C", CHAP_CHALLENGE_STR_LEN, | |
342 | challenge, &type) < 0) { | |
343 | pr_err("Could not find CHAP_C.\n"); | |
344 | goto out; | |
345 | } | |
346 | ||
347 | if (type != HEX) { | |
348 | pr_err("Could not find CHAP_C.\n"); | |
349 | goto out; | |
350 | } | |
351 | pr_debug("[server] Got CHAP_C=%s\n", challenge); | |
352 | challenge_len = chap_string_to_hex(challenge_binhex, challenge, | |
353 | strlen(challenge)); | |
354 | if (!challenge_len) { | |
355 | pr_err("Unable to convert incoming challenge\n"); | |
356 | goto out; | |
357 | } | |
e4fae231 NB |
358 | if (challenge_len > 1024) { |
359 | pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); | |
360 | goto out; | |
361 | } | |
1d2b60a5 NB |
362 | /* |
363 | * During mutual authentication, the CHAP_C generated by the | |
364 | * initiator must not match the original CHAP_C generated by | |
365 | * the target. | |
366 | */ | |
367 | if (!memcmp(challenge_binhex, chap->challenge, CHAP_CHALLENGE_LENGTH)) { | |
368 | pr_err("initiator CHAP_C matches target CHAP_C, failing" | |
369 | " login attempt\n"); | |
370 | goto out; | |
371 | } | |
e48354ce NB |
372 | /* |
373 | * Generate CHAP_N and CHAP_R for mutual authentication. | |
374 | */ | |
375 | tfm = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC); | |
376 | if (IS_ERR(tfm)) { | |
377 | pr_err("Unable to allocate struct crypto_hash\n"); | |
378 | goto out; | |
379 | } | |
380 | desc.tfm = tfm; | |
381 | desc.flags = 0; | |
382 | ||
383 | ret = crypto_hash_init(&desc); | |
384 | if (ret < 0) { | |
385 | pr_err("crypto_hash_init() failed\n"); | |
386 | crypto_free_hash(tfm); | |
387 | goto out; | |
388 | } | |
389 | ||
7ac9ad11 AG |
390 | /* To handle both endiannesses */ |
391 | id_as_uchar = id; | |
392 | sg_init_one(&sg, &id_as_uchar, 1); | |
e48354ce NB |
393 | ret = crypto_hash_update(&desc, &sg, 1); |
394 | if (ret < 0) { | |
395 | pr_err("crypto_hash_update() failed for id\n"); | |
396 | crypto_free_hash(tfm); | |
397 | goto out; | |
398 | } | |
399 | ||
8359cf43 | 400 | sg_init_one(&sg, auth->password_mutual, |
e48354ce NB |
401 | strlen(auth->password_mutual)); |
402 | ret = crypto_hash_update(&desc, &sg, strlen(auth->password_mutual)); | |
403 | if (ret < 0) { | |
404 | pr_err("crypto_hash_update() failed for" | |
405 | " password_mutual\n"); | |
406 | crypto_free_hash(tfm); | |
407 | goto out; | |
408 | } | |
409 | /* | |
410 | * Convert received challenge to binary hex. | |
411 | */ | |
8359cf43 | 412 | sg_init_one(&sg, challenge_binhex, challenge_len); |
e48354ce NB |
413 | ret = crypto_hash_update(&desc, &sg, challenge_len); |
414 | if (ret < 0) { | |
415 | pr_err("crypto_hash_update() failed for ma challenge\n"); | |
416 | crypto_free_hash(tfm); | |
417 | goto out; | |
418 | } | |
419 | ||
420 | ret = crypto_hash_final(&desc, digest); | |
421 | if (ret < 0) { | |
422 | pr_err("crypto_hash_final() failed for ma digest\n"); | |
423 | crypto_free_hash(tfm); | |
424 | goto out; | |
425 | } | |
426 | crypto_free_hash(tfm); | |
427 | /* | |
428 | * Generate CHAP_N and CHAP_R. | |
429 | */ | |
430 | *nr_out_len = sprintf(nr_out_ptr, "CHAP_N=%s", auth->userid_mutual); | |
431 | *nr_out_len += 1; | |
432 | pr_debug("[server] Sending CHAP_N=%s\n", auth->userid_mutual); | |
433 | /* | |
434 | * Convert response from binary hex to ascii hext. | |
435 | */ | |
436 | chap_binaryhex_to_asciihex(response, digest, MD5_SIGNATURE_SIZE); | |
437 | *nr_out_len += sprintf(nr_out_ptr + *nr_out_len, "CHAP_R=0x%s", | |
438 | response); | |
439 | *nr_out_len += 1; | |
440 | pr_debug("[server] Sending CHAP_R=0x%s\n", response); | |
441 | auth_ret = 0; | |
442 | out: | |
443 | kfree(challenge); | |
444 | kfree(challenge_binhex); | |
445 | return auth_ret; | |
446 | } | |
447 | ||
448 | static int chap_got_response( | |
449 | struct iscsi_conn *conn, | |
450 | struct iscsi_node_auth *auth, | |
451 | char *nr_in_ptr, | |
452 | char *nr_out_ptr, | |
453 | unsigned int *nr_out_len) | |
454 | { | |
8359cf43 | 455 | struct iscsi_chap *chap = conn->auth_protocol; |
e48354ce NB |
456 | |
457 | switch (chap->digest_type) { | |
458 | case CHAP_DIGEST_MD5: | |
459 | if (chap_server_compute_md5(conn, auth, nr_in_ptr, | |
460 | nr_out_ptr, nr_out_len) < 0) | |
461 | return -1; | |
462 | return 0; | |
463 | default: | |
464 | pr_err("Unknown CHAP digest type %d!\n", | |
465 | chap->digest_type); | |
466 | return -1; | |
467 | } | |
468 | } | |
469 | ||
470 | u32 chap_main_loop( | |
471 | struct iscsi_conn *conn, | |
472 | struct iscsi_node_auth *auth, | |
473 | char *in_text, | |
474 | char *out_text, | |
475 | int *in_len, | |
476 | int *out_len) | |
477 | { | |
8359cf43 | 478 | struct iscsi_chap *chap = conn->auth_protocol; |
e48354ce NB |
479 | |
480 | if (!chap) { | |
481 | chap = chap_server_open(conn, auth, in_text, out_text, out_len); | |
482 | if (!chap) | |
483 | return 2; | |
484 | chap->chap_state = CHAP_STAGE_SERVER_AIC; | |
485 | return 0; | |
486 | } else if (chap->chap_state == CHAP_STAGE_SERVER_AIC) { | |
487 | convert_null_to_semi(in_text, *in_len); | |
488 | if (chap_got_response(conn, auth, in_text, out_text, | |
489 | out_len) < 0) { | |
490 | chap_close(conn); | |
491 | return 2; | |
492 | } | |
493 | if (auth->authenticate_target) | |
494 | chap->chap_state = CHAP_STAGE_SERVER_NR; | |
495 | else | |
496 | *out_len = 0; | |
497 | chap_close(conn); | |
498 | return 1; | |
499 | } | |
500 | ||
501 | return 2; | |
502 | } |