From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Jiaxin Wu, Maciej Rabeda, Philippe Mathieu-Daudé, Siyuan Fu
Subject: [edk2-devel] [PATCH 6/6] NetworkPkg: introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro
Date: Tue, 8 Jun 2021 15:06:52 +0200
Message-Id: <20210608130652.2434-7-lersek@redhat.com>
In-Reply-To: <20210608130652.2434-1-lersek@redhat.com>
References: <20210608130652.2434-1-lersek@redhat.com>

Introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro for NetworkPkg. When explicitly set to FALSE, remove MD5 from IScsiDxe's CHAP algorithm list.

Set NETWORK_ISCSI_MD5_ENABLE to TRUE by default, for compatibility reasons. Not just to minimize the disruption for platforms that currently include IScsiDxe, but also because RFC 7143 mandates MD5 for CHAP, and some vendors' iSCSI targets support MD5 only.

With MD5 enabled, IScsiDxe will suggest SHA256, and then fall back to MD5 if the target requests it.

With MD5 disabled, IScsiDxe will suggest SHA256, and break off the connection (and session) if the target doesn't support SHA256.

Cc: Jiaxin Wu
Cc: Maciej Rabeda
Cc: Philippe Mathieu-Daudé
Cc: Siyuan Fu
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek
Reviewed-by: Maciej Rabeda
Reviewed-by: Philippe Mathieu-Daude
--- NetworkPkg/NetworkBuildOptions.dsc.inc | 2 +- NetworkPkg/NetworkDefines.dsc.inc | 20 ++++++++++++++++++++ NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 ++ 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/NetworkPkg/NetworkBuildOptions.dsc.inc b/NetworkPkg/NetworkBui= ldOptions.dsc.inc index 42d980d9543d..738da2222f7e 100644 --- a/NetworkPkg/NetworkBuildOptions.dsc.inc +++ b/NetworkPkg/NetworkBuildOptions.dsc.inc @@ -1,22 +1,22 @@ ## @file # Network DSC include file for [BuildOptions] sections of all Architecture= s. # # This file can be included in the [BuildOptions*] section(s) of a platfor= m DSC file # by using "!include NetworkPkg/NetworkBuildOptions.dsc.inc", to specify t= he C language # feature test macros (eg., API deprecation macros) according to the flags= described # in "NetworkDefines.dsc.inc". # # Supported tool chain families: "GCC", "INTEL", "MSFT", "RVCT". # # Copyright (c) 2020, Intel Corporation. All rights reserved.
# # SPDX-License-Identifier: BSD-2-Clause-Patent # ## =20 -!if $(NETWORK_ISCSI_ENABLE) =3D=3D TRUE +!if $(NETWORK_ISCSI_ENABLE) =3D=3D TRUE && $(NETWORK_ISCSI_MD5_ENABLE) =3D= =3D TRUE MSFT:*_*_*_CC_FLAGS =3D /D ENABLE_MD5_DEPRECATED_INTERFACES INTEL:*_*_*_CC_FLAGS =3D /D ENABLE_MD5_DEPRECATED_INTERFACES GCC:*_*_*_CC_FLAGS =3D -D ENABLE_MD5_DEPRECATED_INTERFACES RVCT:*_*_*_CC_FLAGS =3D -DENABLE_MD5_DEPRECATED_INTERFACES !endif diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.= dsc.inc index 54deb6342aaa..e39a9cb3dc09 100644 --- a/NetworkPkg/NetworkDefines.dsc.inc +++ b/NetworkPkg/NetworkDefines.dsc.inc @@ -3,38 +3,39 @@ # # This file can be included to the [Defines] section of a platform DSC fil= e by # using "!include NetworkPkg/NetworkDefines.dsc.inc" to set default value = of # flags if they are not defined somewhere else, and also check the value t= o see # if there is any conflict. # # These flags can be defined before the !include line, or changed on the c= ommand # line to enable or disable related feature support. # -D FLAG=3DVALUE # The default value of these flags are: # DEFINE NETWORK_ENABLE =3D TRUE # DEFINE NETWORK_SNP_ENABLE =3D TRUE # DEFINE NETWORK_IP4_ENABLE =3D TRUE # DEFINE NETWORK_IP6_ENABLE =3D TRUE # DEFINE NETWORK_TLS_ENABLE =3D TRUE # DEFINE NETWORK_HTTP_ENABLE =3D FALSE # DEFINE NETWORK_HTTP_BOOT_ENABLE =3D TRUE # DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS =3D FALSE # DEFINE NETWORK_ISCSI_ENABLE =3D FALSE +# DEFINE NETWORK_ISCSI_MD5_ENABLE =3D TRUE # DEFINE NETWORK_VLAN_ENABLE =3D TRUE # # Copyright (c) 2019, Intel Corporation. All rights reserved.
# (C) Copyright 2020 Hewlett Packard Enterprise Development LP
# # SPDX-License-Identifier: BSD-2-Clause-Patent # ## =20 !ifndef NETWORK_ENABLE # # This flag is to enable or disable the whole network stack. # DEFINE NETWORK_ENABLE =3D TRUE !endif =20 !ifndef NETWORK_SNP_ENABLE # # This flag is to include the common SNP driver or not. 
@@ -101,33 +102,52 @@ # Both the "https://" and "http://" URI schemes are permitted. Oth= erwise, HTTP # connections are denied. Only the "https://" URI scheme is permit= ted. # DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS =3D FALSE !endif =20 !ifndef NETWORK_ISCSI_ENABLE # # This flag is to enable or disable iSCSI feature. # # Note: This feature depends on the OpenSSL building. To enable this fea= ture, please # follow the instructions found in the file "OpenSSL-HOWTO.txt" lo= cated in # CryptoPkg\Library\OpensslLib to enable the OpenSSL building firs= t. # Both OpensslLib.inf and OpensslLibCrypto.inf library instance ca= n be used # since libssl is not required for iSCSI. # DEFINE NETWORK_ISCSI_ENABLE =3D FALSE !endif =20 +!ifndef NETWORK_ISCSI_MD5_ENABLE + # + # This flag enables the deprecated MD5 hash algorithm in iSCSI CHAP + # authentication. + # + # Note: The NETWORK_ISCSI_MD5_ENABLE flag only makes a difference if + # NETWORK_ISCSI_ENABLE is TRUE; otherwise, NETWORK_ISCSI_MD5_ENABL= E is + # ignored. + # + # With NETWORK_ISCSI_MD5_ENABLE set to TRUE, MD5 is enabled as the + # least preferred CHAP hash algorithm. With NETWORK_ISCSI_MD5_ENAB= LE + # set to FALSE, MD5 is disabled statically, at build time. + # + # The default value is TRUE, because RFC 7143 mandates MD5, and be= cause + # several vendors' iSCSI targets only support MD5, for CHAP. + # + DEFINE NETWORK_ISCSI_MD5_ENABLE =3D TRUE +!endif + !if $(NETWORK_ENABLE) =3D=3D TRUE # # Check the flags to see if there is any conflict. # !if ($(NETWORK_IP4_ENABLE) =3D=3D FALSE) AND ($(NETWORK_IP6_ENABLE) =3D= =3D FALSE) !error "Must enable at least IP4 or IP6 stack if NETWORK_ENABLE is set= to TRUE!" 
!endif =20 !if ($(NETWORK_HTTP_BOOT_ENABLE) =3D=3D TRUE) OR ($(NETWORK_HTTP_ENABLE)= =3D=3D TRUE) !if ($(NETWORK_TLS_ENABLE) =3D=3D FALSE) AND ($(NETWORK_ALLOW_HTTP_CON= NECTIONS) =3D=3D FALSE) !error "Must enable TLS to support HTTPS, or allow unsecured HTTP co= nnection, if NETWORK_HTTP_BOOT_ENABLE or NETWORK_HTTP_ENABLE is set to TRUE= !" !endif !endif !endif diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHA= P.c index 2ce53c1ea4af..57163e9eb97f 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c 
@@ -7,50 +7,52 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 #include "IScsiImpl.h" =20 // // Supported CHAP hash algorithms, mapped to sets of BaseCryptLib APIs and // macros. CHAP_HASH structures at lower subscripts in the array are prefe= rred // by the initiator. // STATIC CONST CHAP_HASH mChapHash[] =3D { { ISCSI_CHAP_ALGORITHM_SHA256, SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final }, +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES // // Keep the deprecated MD5 entry at the end of the array (making MD5 the // least preferred choice of the initiator). // { ISCSI_CHAP_ALGORITHM_MD5, MD5_DIGEST_SIZE, Md5GetContextSize, Md5Init, Md5Update, Md5Final }, +#endif // ENABLE_MD5_DEPRECATED_INTERFACES }; =20 // // Ordered list of mChapHash[*].Algorithm values. It is formatted for the // CHAP_A=3D value string, by the IScsiCHAPInitHashList() functi= on. It // is sent by the initiator in ISCSI_CHAP_STEP_ONE. // STATIC CHAR8 mChapHashListString[ 3 + // UINT8 identifie= r in // decimal (1 + 3) * (ARRAY_SIZE (mChapHash) - 1) + // comma prepended= for // entries after= the // first 1 + // extra character= for // AsciiSPrint() // truncation ch= eck 1 // terminating NUL ]; =20 --=20 2.19.1.3.g30247aa5d201
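
Review bot: In NetworkPkg/NetworkBuildOptions.dsc.inc, the new `!if` line joins its two comparisons with `&&` and no parentheses, while the conflict checks visible in NetworkDefines.dsc.inc use the keyword form with each comparison parenthesized, e.g. `!if ($(NETWORK_IP4_ENABLE) == FALSE) AND ($(NETWORK_IP6_ENABLE) == FALSE)`. Suggest writing the condition as `!if ($(NETWORK_ISCSI_ENABLE) == TRUE) AND ($(NETWORK_ISCSI_MD5_ENABLE) == TRUE)` so both include files read the same way. The file header comment could also say that ENABLE_MD5_DEPRECATED_INTERFACES is now controlled by two flags rather than by NETWORK_ISCSI_ENABLE alone.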
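
Review bot: In the `!ifndef NETWORK_ISCSI_MD5_ENABLE` block added to NetworkPkg/NetworkDefines.dsc.inc, the comment documents FALSE only as "MD5 is disabled statically, at build time" and leaves out the runtime consequence that the commit message spells out: the initiator breaks off the connection (and session) if the target does not support SHA256. Platform owners read this file, not the commit log, when choosing the value, so suggest adding that sentence to the Note. Since the block states that MD5 is deprecated and that the default is TRUE for compatibility, it would also help to say explicitly that FALSE is the setting for platforms whose targets all support SHA256.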
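
Review bot: In NetworkPkg/IScsiDxe/IScsiCHAP.c, the `#ifdef ENABLE_MD5_DEPRECATED_INTERFACES` around the MD5 entry of mChapHash ties the CHAP algorithm list to a macro that NetworkBuildOptions.dsc.inc passes through `*_*_*_CC_FLAGS`, and nothing at the #ifdef says that NETWORK_ISCSI_MD5_ENABLE is the intended switch. If the macro reaches the compiler by any other route, MD5 stays in the list even with NETWORK_ISCSI_MD5_ENABLE set to FALSE. Suggest a comment at the #ifdef naming NETWORK_ISCSI_MD5_ENABLE and NetworkBuildOptions.dsc.inc as the source of the definition. The comment above mChapHash could also note that the array may now hold a single entry, in which case the `(1 + 3) * (ARRAY_SIZE (mChapHash) - 1)` term in the mChapHashListString size is zero.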