Commit | Line | Data |
---|---|---|
e48354ce NB |
1 | /******************************************************************************* |
2 | * This file houses the main functions for the iSCSI CHAP support | |
3 | * | |
4c76251e | 4 | * (c) Copyright 2007-2013 Datera, Inc. |
e48354ce NB |
5 | * |
6 | * Author: Nicholas A. Bellinger <nab@linux-iscsi.org> | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | ******************************************************************************/ | |
18 | ||
69110e3c | 19 | #include <crypto/hash.h> |
f2b56afd | 20 | #include <linux/kernel.h> |
e48354ce | 21 | #include <linux/string.h> |
e48354ce NB |
22 | #include <linux/err.h> |
23 | #include <linux/scatterlist.h> | |
24 | ||
67f091f2 | 25 | #include <target/iscsi/iscsi_target_core.h> |
e48354ce NB |
26 | #include "iscsi_target_nego.h" |
27 | #include "iscsi_target_auth.h" | |
28 | ||
e48354ce NB |
29 | static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len) |
30 | { | |
ddca8f3e | 31 | int j = DIV_ROUND_UP(len, 2), rc; |
e48354ce | 32 | |
ddca8f3e NB |
33 | rc = hex2bin(dst, src, j); |
34 | if (rc < 0) | |
35 | pr_debug("CHAP string contains non hex digit symbols\n"); | |
e48354ce NB |
36 | |
37 | dst[j] = '\0'; | |
38 | return j; | |
39 | } | |
40 | ||
41 | static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len) | |
42 | { | |
43 | int i; | |
44 | ||
45 | for (i = 0; i < src_len; i++) { | |
46 | sprintf(&dst[i*2], "%02x", (int) src[i] & 0xff); | |
47 | } | |
48 | } | |
49 | ||
e48354ce NB |
50 | static void chap_gen_challenge( |
51 | struct iscsi_conn *conn, | |
52 | int caller, | |
53 | char *c_str, | |
54 | unsigned int *c_len) | |
55 | { | |
56 | unsigned char challenge_asciihex[CHAP_CHALLENGE_LENGTH * 2 + 1]; | |
8359cf43 | 57 | struct iscsi_chap *chap = conn->auth_protocol; |
e48354ce NB |
58 | |
59 | memset(challenge_asciihex, 0, CHAP_CHALLENGE_LENGTH * 2 + 1); | |
60 | ||
98e2eeb3 | 61 | get_random_bytes(chap->challenge, CHAP_CHALLENGE_LENGTH); |
e48354ce NB |
62 | chap_binaryhex_to_asciihex(challenge_asciihex, chap->challenge, |
63 | CHAP_CHALLENGE_LENGTH); | |
64 | /* | |
65 | * Set CHAP_C, and copy the generated challenge into c_str. | |
66 | */ | |
67 | *c_len += sprintf(c_str + *c_len, "CHAP_C=0x%s", challenge_asciihex); | |
68 | *c_len += 1; | |
69 | ||
70 | pr_debug("[%s] Sending CHAP_C=0x%s\n\n", (caller) ? "server" : "client", | |
71 | challenge_asciihex); | |
72 | } | |
73 | ||
3160723c TV |
74 | static int chap_check_algorithm(const char *a_str) |
75 | { | |
76 | char *tmp, *orig, *token; | |
77 | ||
78 | tmp = kstrdup(a_str, GFP_KERNEL); | |
79 | if (!tmp) { | |
80 | pr_err("Memory allocation failed for CHAP_A temporary buffer\n"); | |
81 | return CHAP_DIGEST_UNKNOWN; | |
82 | } | |
83 | orig = tmp; | |
84 | ||
85 | token = strsep(&tmp, "="); | |
86 | if (!token) | |
87 | goto out; | |
88 | ||
89 | if (strcmp(token, "CHAP_A")) { | |
90 | pr_err("Unable to locate CHAP_A key\n"); | |
91 | goto out; | |
92 | } | |
93 | while (token) { | |
94 | token = strsep(&tmp, ","); | |
95 | if (!token) | |
96 | goto out; | |
97 | ||
98 | if (!strncmp(token, "5", 1)) { | |
99 | pr_debug("Selected MD5 Algorithm\n"); | |
100 | kfree(orig); | |
101 | return CHAP_DIGEST_MD5; | |
102 | } | |
103 | } | |
104 | out: | |
105 | kfree(orig); | |
106 | return CHAP_DIGEST_UNKNOWN; | |
107 | } | |
e48354ce NB |
108 | |
109 | static struct iscsi_chap *chap_server_open( | |
110 | struct iscsi_conn *conn, | |
111 | struct iscsi_node_auth *auth, | |
112 | const char *a_str, | |
113 | char *aic_str, | |
114 | unsigned int *aic_len) | |
115 | { | |
3160723c | 116 | int ret; |
e48354ce NB |
117 | struct iscsi_chap *chap; |
118 | ||
119 | if (!(auth->naf_flags & NAF_USERID_SET) || | |
120 | !(auth->naf_flags & NAF_PASSWORD_SET)) { | |
121 | pr_err("CHAP user or password not set for" | |
122 | " Initiator ACL\n"); | |
123 | return NULL; | |
124 | } | |
125 | ||
126 | conn->auth_protocol = kzalloc(sizeof(struct iscsi_chap), GFP_KERNEL); | |
127 | if (!conn->auth_protocol) | |
128 | return NULL; | |
129 | ||
8359cf43 | 130 | chap = conn->auth_protocol; |
3160723c TV |
131 | ret = chap_check_algorithm(a_str); |
132 | switch (ret) { | |
133 | case CHAP_DIGEST_MD5: | |
134 | pr_debug("[server] Got CHAP_A=5\n"); | |
135 | /* | |
136 | * Send back CHAP_A set to MD5. | |
137 | */ | |
138 | *aic_len = sprintf(aic_str, "CHAP_A=5"); | |
139 | *aic_len += 1; | |
140 | chap->digest_type = CHAP_DIGEST_MD5; | |
141 | pr_debug("[server] Sending CHAP_A=%d\n", chap->digest_type); | |
142 | break; | |
143 | case CHAP_DIGEST_UNKNOWN: | |
144 | default: | |
145 | pr_err("Unsupported CHAP_A value\n"); | |
e48354ce NB |
146 | return NULL; |
147 | } | |
3160723c | 148 | |
e48354ce NB |
149 | /* |
150 | * Set Identifier. | |
151 | */ | |
60bfcf8e | 152 | chap->id = conn->tpg->tpg_chap_id++; |
e48354ce NB |
153 | *aic_len += sprintf(aic_str + *aic_len, "CHAP_I=%d", chap->id); |
154 | *aic_len += 1; | |
155 | pr_debug("[server] Sending CHAP_I=%d\n", chap->id); | |
156 | /* | |
157 | * Generate Challenge. | |
158 | */ | |
159 | chap_gen_challenge(conn, 1, aic_str, aic_len); | |
160 | ||
161 | return chap; | |
162 | } | |
163 | ||
164 | static void chap_close(struct iscsi_conn *conn) | |
165 | { | |
166 | kfree(conn->auth_protocol); | |
167 | conn->auth_protocol = NULL; | |
168 | } | |
169 | ||
170 | static int chap_server_compute_md5( | |
171 | struct iscsi_conn *conn, | |
172 | struct iscsi_node_auth *auth, | |
173 | char *nr_in_ptr, | |
174 | char *nr_out_ptr, | |
175 | unsigned int *nr_out_len) | |
176 | { | |
bc704fb5 | 177 | unsigned long id; |
7ac9ad11 | 178 | unsigned char id_as_uchar; |
bc704fb5 | 179 | unsigned char digest[MD5_SIGNATURE_SIZE]; |
e48354ce NB |
180 | unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2]; |
181 | unsigned char identifier[10], *challenge = NULL; | |
182 | unsigned char *challenge_binhex = NULL; | |
183 | unsigned char client_digest[MD5_SIGNATURE_SIZE]; | |
184 | unsigned char server_digest[MD5_SIGNATURE_SIZE]; | |
185 | unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH]; | |
86784c6b | 186 | size_t compare_len; |
8359cf43 | 187 | struct iscsi_chap *chap = conn->auth_protocol; |
69110e3c HX |
188 | struct crypto_shash *tfm = NULL; |
189 | struct shash_desc *desc = NULL; | |
e48354ce NB |
190 | int auth_ret = -1, ret, challenge_len; |
191 | ||
192 | memset(identifier, 0, 10); | |
193 | memset(chap_n, 0, MAX_CHAP_N_SIZE); | |
194 | memset(chap_r, 0, MAX_RESPONSE_LENGTH); | |
195 | memset(digest, 0, MD5_SIGNATURE_SIZE); | |
196 | memset(response, 0, MD5_SIGNATURE_SIZE * 2 + 2); | |
197 | memset(client_digest, 0, MD5_SIGNATURE_SIZE); | |
198 | memset(server_digest, 0, MD5_SIGNATURE_SIZE); | |
199 | ||
200 | challenge = kzalloc(CHAP_CHALLENGE_STR_LEN, GFP_KERNEL); | |
201 | if (!challenge) { | |
202 | pr_err("Unable to allocate challenge buffer\n"); | |
203 | goto out; | |
204 | } | |
205 | ||
206 | challenge_binhex = kzalloc(CHAP_CHALLENGE_STR_LEN, GFP_KERNEL); | |
207 | if (!challenge_binhex) { | |
208 | pr_err("Unable to allocate challenge_binhex buffer\n"); | |
209 | goto out; | |
210 | } | |
211 | /* | |
212 | * Extract CHAP_N. | |
213 | */ | |
214 | if (extract_param(nr_in_ptr, "CHAP_N", MAX_CHAP_N_SIZE, chap_n, | |
215 | &type) < 0) { | |
216 | pr_err("Could not find CHAP_N.\n"); | |
217 | goto out; | |
218 | } | |
219 | if (type == HEX) { | |
220 | pr_err("Could not find CHAP_N.\n"); | |
221 | goto out; | |
222 | } | |
223 | ||
86784c6b ES |
224 | /* Include the terminating NULL in the compare */ |
225 | compare_len = strlen(auth->userid) + 1; | |
226 | if (strncmp(chap_n, auth->userid, compare_len) != 0) { | |
e48354ce NB |
227 | pr_err("CHAP_N values do not match!\n"); |
228 | goto out; | |
229 | } | |
230 | pr_debug("[server] Got CHAP_N=%s\n", chap_n); | |
231 | /* | |
232 | * Extract CHAP_R. | |
233 | */ | |
234 | if (extract_param(nr_in_ptr, "CHAP_R", MAX_RESPONSE_LENGTH, chap_r, | |
235 | &type) < 0) { | |
236 | pr_err("Could not find CHAP_R.\n"); | |
237 | goto out; | |
238 | } | |
239 | if (type != HEX) { | |
240 | pr_err("Could not find CHAP_R.\n"); | |
241 | goto out; | |
242 | } | |
243 | ||
244 | pr_debug("[server] Got CHAP_R=%s\n", chap_r); | |
245 | chap_string_to_hex(client_digest, chap_r, strlen(chap_r)); | |
246 | ||
69110e3c | 247 | tfm = crypto_alloc_shash("md5", 0, 0); |
e48354ce | 248 | if (IS_ERR(tfm)) { |
69110e3c HX |
249 | tfm = NULL; |
250 | pr_err("Unable to allocate struct crypto_shash\n"); | |
e48354ce NB |
251 | goto out; |
252 | } | |
e48354ce | 253 | |
69110e3c HX |
254 | desc = kmalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); |
255 | if (!desc) { | |
256 | pr_err("Unable to allocate struct shash_desc\n"); | |
e48354ce NB |
257 | goto out; |
258 | } | |
259 | ||
69110e3c HX |
260 | desc->tfm = tfm; |
261 | desc->flags = 0; | |
262 | ||
263 | ret = crypto_shash_init(desc); | |
e48354ce | 264 | if (ret < 0) { |
69110e3c | 265 | pr_err("crypto_shash_init() failed\n"); |
e48354ce NB |
266 | goto out; |
267 | } | |
268 | ||
69110e3c | 269 | ret = crypto_shash_update(desc, &chap->id, 1); |
e48354ce | 270 | if (ret < 0) { |
69110e3c | 271 | pr_err("crypto_shash_update() failed for id\n"); |
e48354ce NB |
272 | goto out; |
273 | } | |
274 | ||
69110e3c HX |
275 | ret = crypto_shash_update(desc, (char *)&auth->password, |
276 | strlen(auth->password)); | |
e48354ce | 277 | if (ret < 0) { |
69110e3c | 278 | pr_err("crypto_shash_update() failed for password\n"); |
e48354ce NB |
279 | goto out; |
280 | } | |
281 | ||
69110e3c HX |
282 | ret = crypto_shash_finup(desc, chap->challenge, |
283 | CHAP_CHALLENGE_LENGTH, server_digest); | |
e48354ce | 284 | if (ret < 0) { |
69110e3c | 285 | pr_err("crypto_shash_finup() failed for challenge\n"); |
e48354ce NB |
286 | goto out; |
287 | } | |
e48354ce NB |
288 | |
289 | chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE); | |
290 | pr_debug("[server] MD5 Server Digest: %s\n", response); | |
291 | ||
292 | if (memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE) != 0) { | |
293 | pr_debug("[server] MD5 Digests do not match!\n\n"); | |
294 | goto out; | |
295 | } else | |
296 | pr_debug("[server] MD5 Digests match, CHAP connetication" | |
297 | " successful.\n\n"); | |
298 | /* | |
299 | * One way authentication has succeeded, return now if mutual | |
300 | * authentication is not enabled. | |
301 | */ | |
302 | if (!auth->authenticate_target) { | |
69110e3c HX |
303 | auth_ret = 0; |
304 | goto out; | |
e48354ce NB |
305 | } |
306 | /* | |
307 | * Get CHAP_I. | |
308 | */ | |
309 | if (extract_param(nr_in_ptr, "CHAP_I", 10, identifier, &type) < 0) { | |
310 | pr_err("Could not find CHAP_I.\n"); | |
311 | goto out; | |
312 | } | |
313 | ||
314 | if (type == HEX) | |
b06eef6e | 315 | ret = kstrtoul(&identifier[2], 0, &id); |
e48354ce | 316 | else |
b06eef6e NB |
317 | ret = kstrtoul(identifier, 0, &id); |
318 | ||
319 | if (ret < 0) { | |
320 | pr_err("kstrtoul() failed for CHAP identifier: %d\n", ret); | |
321 | goto out; | |
322 | } | |
bc704fb5 NB |
323 | if (id > 255) { |
324 | pr_err("chap identifier: %lu greater than 255\n", id); | |
325 | goto out; | |
326 | } | |
e48354ce NB |
327 | /* |
328 | * RFC 1994 says Identifier is no more than octet (8 bits). | |
329 | */ | |
bc704fb5 | 330 | pr_debug("[server] Got CHAP_I=%lu\n", id); |
e48354ce NB |
331 | /* |
332 | * Get CHAP_C. | |
333 | */ | |
334 | if (extract_param(nr_in_ptr, "CHAP_C", CHAP_CHALLENGE_STR_LEN, | |
335 | challenge, &type) < 0) { | |
336 | pr_err("Could not find CHAP_C.\n"); | |
337 | goto out; | |
338 | } | |
339 | ||
340 | if (type != HEX) { | |
341 | pr_err("Could not find CHAP_C.\n"); | |
342 | goto out; | |
343 | } | |
344 | pr_debug("[server] Got CHAP_C=%s\n", challenge); | |
345 | challenge_len = chap_string_to_hex(challenge_binhex, challenge, | |
346 | strlen(challenge)); | |
347 | if (!challenge_len) { | |
348 | pr_err("Unable to convert incoming challenge\n"); | |
349 | goto out; | |
350 | } | |
e4fae231 NB |
351 | if (challenge_len > 1024) { |
352 | pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n"); | |
353 | goto out; | |
354 | } | |
1d2b60a5 NB |
355 | /* |
356 | * During mutual authentication, the CHAP_C generated by the | |
357 | * initiator must not match the original CHAP_C generated by | |
358 | * the target. | |
359 | */ | |
360 | if (!memcmp(challenge_binhex, chap->challenge, CHAP_CHALLENGE_LENGTH)) { | |
361 | pr_err("initiator CHAP_C matches target CHAP_C, failing" | |
362 | " login attempt\n"); | |
363 | goto out; | |
364 | } | |
e48354ce NB |
365 | /* |
366 | * Generate CHAP_N and CHAP_R for mutual authentication. | |
367 | */ | |
69110e3c | 368 | ret = crypto_shash_init(desc); |
e48354ce | 369 | if (ret < 0) { |
69110e3c | 370 | pr_err("crypto_shash_init() failed\n"); |
e48354ce NB |
371 | goto out; |
372 | } | |
373 | ||
7ac9ad11 AG |
374 | /* To handle both endiannesses */ |
375 | id_as_uchar = id; | |
69110e3c | 376 | ret = crypto_shash_update(desc, &id_as_uchar, 1); |
e48354ce | 377 | if (ret < 0) { |
69110e3c | 378 | pr_err("crypto_shash_update() failed for id\n"); |
e48354ce NB |
379 | goto out; |
380 | } | |
381 | ||
69110e3c HX |
382 | ret = crypto_shash_update(desc, auth->password_mutual, |
383 | strlen(auth->password_mutual)); | |
e48354ce | 384 | if (ret < 0) { |
69110e3c | 385 | pr_err("crypto_shash_update() failed for" |
e48354ce | 386 | " password_mutual\n"); |
e48354ce NB |
387 | goto out; |
388 | } | |
389 | /* | |
390 | * Convert received challenge to binary hex. | |
391 | */ | |
69110e3c HX |
392 | ret = crypto_shash_finup(desc, challenge_binhex, challenge_len, |
393 | digest); | |
e48354ce | 394 | if (ret < 0) { |
69110e3c | 395 | pr_err("crypto_shash_finup() failed for ma challenge\n"); |
e48354ce NB |
396 | goto out; |
397 | } | |
398 | ||
e48354ce NB |
399 | /* |
400 | * Generate CHAP_N and CHAP_R. | |
401 | */ | |
402 | *nr_out_len = sprintf(nr_out_ptr, "CHAP_N=%s", auth->userid_mutual); | |
403 | *nr_out_len += 1; | |
404 | pr_debug("[server] Sending CHAP_N=%s\n", auth->userid_mutual); | |
405 | /* | |
406 | * Convert response from binary hex to ascii hext. | |
407 | */ | |
408 | chap_binaryhex_to_asciihex(response, digest, MD5_SIGNATURE_SIZE); | |
409 | *nr_out_len += sprintf(nr_out_ptr + *nr_out_len, "CHAP_R=0x%s", | |
410 | response); | |
411 | *nr_out_len += 1; | |
412 | pr_debug("[server] Sending CHAP_R=0x%s\n", response); | |
413 | auth_ret = 0; | |
414 | out: | |
69110e3c HX |
415 | kzfree(desc); |
416 | crypto_free_shash(tfm); | |
e48354ce NB |
417 | kfree(challenge); |
418 | kfree(challenge_binhex); | |
419 | return auth_ret; | |
420 | } | |
421 | ||
422 | static int chap_got_response( | |
423 | struct iscsi_conn *conn, | |
424 | struct iscsi_node_auth *auth, | |
425 | char *nr_in_ptr, | |
426 | char *nr_out_ptr, | |
427 | unsigned int *nr_out_len) | |
428 | { | |
8359cf43 | 429 | struct iscsi_chap *chap = conn->auth_protocol; |
e48354ce NB |
430 | |
431 | switch (chap->digest_type) { | |
432 | case CHAP_DIGEST_MD5: | |
433 | if (chap_server_compute_md5(conn, auth, nr_in_ptr, | |
434 | nr_out_ptr, nr_out_len) < 0) | |
435 | return -1; | |
436 | return 0; | |
437 | default: | |
438 | pr_err("Unknown CHAP digest type %d!\n", | |
439 | chap->digest_type); | |
440 | return -1; | |
441 | } | |
442 | } | |
443 | ||
444 | u32 chap_main_loop( | |
445 | struct iscsi_conn *conn, | |
446 | struct iscsi_node_auth *auth, | |
447 | char *in_text, | |
448 | char *out_text, | |
449 | int *in_len, | |
450 | int *out_len) | |
451 | { | |
8359cf43 | 452 | struct iscsi_chap *chap = conn->auth_protocol; |
e48354ce NB |
453 | |
454 | if (!chap) { | |
455 | chap = chap_server_open(conn, auth, in_text, out_text, out_len); | |
456 | if (!chap) | |
457 | return 2; | |
458 | chap->chap_state = CHAP_STAGE_SERVER_AIC; | |
459 | return 0; | |
460 | } else if (chap->chap_state == CHAP_STAGE_SERVER_AIC) { | |
461 | convert_null_to_semi(in_text, *in_len); | |
462 | if (chap_got_response(conn, auth, in_text, out_text, | |
463 | out_len) < 0) { | |
464 | chap_close(conn); | |
465 | return 2; | |
466 | } | |
467 | if (auth->authenticate_target) | |
468 | chap->chap_state = CHAP_STAGE_SERVER_NR; | |
469 | else | |
470 | *out_len = 0; | |
471 | chap_close(conn); | |
472 | return 1; | |
473 | } | |
474 | ||
475 | return 2; | |
476 | } |