From nobody Wed May 8 23:58:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77286+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77286+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1624984444; cv=none; d=zohomail.com; s=zohoarc; b=l7HCg8JYY57xDluWEBBdkYs3VX8FKM9+CVJ4+6nvt5I9dAqlCn72guQ+IGbQ78FvEI58AIE15OTYl/fz+wzFU0qZIJavesyLC6kClwVnkSHZoP4Gib323Z2h6EgFP2IGfye9ejjHALcbRG0RKge9IYyQq4WLalv01Xc0oHqxZ98= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1624984444; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=70rn44ZSq72RKa/5S7JSncG/i8fiSdhn2NxT/7bDGuY=; b=CwabqSBAVs3nAvyqYVpnGQTq04gW5xtVJZ+zBH78WBOQ64+ufhzkpURP9Rg997TLfA9bn0Gi8d662QA+ihwx6nqlBcGpihoPY/HzEeex9nPXOUO13STKN1Yw7b/NeCvFneuwTStzKjBOALGHw7DUm6i0N05oSj88GcXpIUR+rCQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77286+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 162498444401987.25243947642957; Tue, 29 Jun 2021 09:34:04 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id t07xYY1788612xWDZtWXMmk3; Tue, 29 Jun 2021 09:34:03 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web11.10831.1624984437975923515 for ; Tue, 29 Jun 2021 09:33:58 -0700 X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-534-FA4AyQm6P1S742dMzgUU0A-1; Tue, 29 Jun 2021 12:33:48 -0400 X-MC-Unique: FA4AyQm6P1S742dMzgUU0A-1 X-Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 0C18891270; Tue, 29 Jun 2021 16:33:47 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-114-158.ams2.redhat.com [10.36.114.158]) by smtp.corp.redhat.com (Postfix) with ESMTP id A3AF260875; Tue, 29 Jun 2021 16:33:42 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Jiaxin Wu , Maciej Rabeda , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Siyuan Fu Subject: [edk2-devel] [PATCH v2 1/6] NetworkPkg/IScsiDxe: re-set session-level authentication state before login Date: Tue, 29 Jun 2021 18:33:32 +0200 Message-Id: <20210629163337.14120-2-lersek@redhat.com> In-Reply-To: <20210629163337.14120-1-lersek@redhat.com> References: <20210629163337.14120-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com X-Gm-Message-State: VN9n2BuF5tAlaJPGm9S76OOFx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1624984443; bh=70rn44ZSq72RKa/5S7JSncG/i8fiSdhn2NxT/7bDGuY=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=M6y+orOO/mMNf5l58Zlk/UKBC6llSSzveDqvW209JqIa1nJ0JLUBUvhUYW9CNKAi9a7 pNaQmH4t/HyP5wbcAj+D2+wGYSOx9bl5ww78R1Z791R+6DCnZuurswUR9FAGyLVd3gYCC 2ZhfU+nMdWNBdbuKLHJ5IwX6JyRwNF/8QlA= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" RFC 7143 explains that a single iSCSI session may use multiple TCP connections. The first connection established is called the leading connection. The login performed on the leading connection is called the leading login. Before the session is considered full-featured, the leading login must succeed. Further (non-leading) connections can be associated with the session later. (It's unclear to me from RFC 7143 whether the non-leading connections require individual (non-leading) logins as well, but that particular question is irrelevant from the perspective of this patch; see below.) The data model in IScsiDxe exhibits some confusion, regarding connection / session association: - On one hand, the "ISCSI_SESSION.Conns" field is a *set* (it has type LIST_ENTRY), and accordingly, connections can be added to, and removed from, a session, with the IScsiAttatchConnection() and IScsiDetatchConnection() functions. - On the other hand, ISCSI_MAX_CONNS_PER_SESSION has value 1, therefore no session will ever use more than 1 connection at a time (refer to instances of "Session->MaxConnections" in "NetworkPkg/IScsiDxe/IScsiProto.c"). This one-to-many confusion between ISCSI_SESSION and ISCSI_CONNECTION is very visible in the CHAP logic, where the progress of the authentication is maintained *per connection*, in the "ISCSI_CONNECTION.AuthStep" field (with values such as ISCSI_AUTH_INITIAL, ISCSI_CHAP_STEP_ONE, etc), but the *data* for the authentication are maintained *per session*, in the "AuthType" and "AuthData" fields of ISCSI_SESSION. Clearly, this makes no sense if multiple connections are eligible for logging in. Knowing that IScsiDxe uses only one connection per session (put differently: knowing that any connection is a leading connection, and any login is a leading login), there is no functionality bug. But the data model is still broken: "AuthType", "AuthData", and "AuthStep" should be maintained at the *same* level -- be it "session-level" or "(leading) connection-level". Fixing this data model bug is more than what I'm signing up for. However, I do need to add one function, in preparation for multi-hash support: whenever a new login is attempted (put differently: whenever the leading login is re-attempted), which always happens with a fresh connection, the session-level authentication data needs to be rewound to a sane initial state. Introduce the IScsiSessionResetAuthData() function. Call it from the central -- session-level -- IScsiSessionLogin() function, just before the latter calls the -- connection-level -- IScsiConnLogin() function. Right now, do nothing in IScsiSessionResetAuthData(); so functionally speaking, the patch is a no-op. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daud=C3=A9 Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3355 Signed-off-by: Laszlo Ersek Reviewed-by: Maciej Rabeda Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- Notes: v2: - pick up R-b's [Phil, Maciej] NetworkPkg/IScsiDxe/IScsiProto.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiPr= oto.c index 6983f0fa5973..69d1b39dbb1f 100644 --- a/NetworkPkg/IScsiDxe/IScsiProto.c +++ b/NetworkPkg/IScsiDxe/IScsiProto.c @@ -401,38 +401,55 @@ IScsiGetIp6NicInfo ( if (Ip6ModeData.GroupTable!=3D NULL) { FreePool (Ip6ModeData.GroupTable); } if (Ip6ModeData.RouteTable!=3D NULL) { FreePool (Ip6ModeData.RouteTable); } if (Ip6ModeData.NeighborCache!=3D NULL) { FreePool (Ip6ModeData.NeighborCache); } if (Ip6ModeData.PrefixTable!=3D NULL) { FreePool (Ip6ModeData.PrefixTable); } if (Ip6ModeData.IcmpTypeList!=3D NULL) { FreePool (Ip6ModeData.IcmpTypeList); } =20 return Status; } =20 +/** + Re-set any stateful session-level authentication information that is use= d by + the leading login / leading connection. + + (Note that this driver only supports a single connection per session -- = see + ISCSI_MAX_CONNS_PER_SESSION.) + + @param[in,out] Session The iSCSI session. +**/ +STATIC +VOID +IScsiSessionResetAuthData ( + IN OUT ISCSI_SESSION *Session + ) +{ +} + /** Login the iSCSI session. =20 @param[in] Session The iSCSI session. =20 @retval EFI_SUCCESS The iSCSI session login procedure finished. @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. @retval EFI_NO_MEDIA There was a media error. @retval Others Other errors as indicated. =20 **/ EFI_STATUS IScsiSessionLogin ( IN ISCSI_SESSION *Session ) { EFI_STATUS Status; ISCSI_CONNECTION *Conn; VOID *Tcp; @@ -454,38 +471,39 @@ IScsiSessionLogin ( // CopyMem (Session->Isid, Session->ConfigData->SessionConfigData.IsId, 6); =20 RetryCount =3D 0; =20 do { // // Create a connection for the session. // Conn =3D IScsiCreateConnection (Session); if (Conn =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 IScsiAttatchConnection (Session, Conn); =20 // // Login through the newly created connection. // + IScsiSessionResetAuthData (Session); Status =3D IScsiConnLogin (Conn, Session->ConfigData->SessionConfigDat= a.ConnectTimeout); if (EFI_ERROR (Status)) { IScsiConnReset (Conn); IScsiDetatchConnection (Conn); IScsiDestroyConnection (Conn); } =20 if (Status !=3D EFI_TIMEOUT) { break; } =20 RetryCount++; } while (RetryCount <=3D Session->ConfigData->SessionConfigData.ConnectR= etryCount); =20 if (!EFI_ERROR (Status)) { Session->State =3D SESSION_STATE_LOGGED_IN; =20 if (!Conn->Ipv6Flag) { ProtocolGuid =3D &gEfiTcp4ProtocolGuid; --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77286): https://edk2.groups.io/g/devel/message/77286 Mute This Topic: https://groups.io/mt/83872646/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed May 8 23:58:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77283+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77283+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1624984433; cv=none; d=zohomail.com; s=zohoarc; b=CsCpwoW6GKK23FjGjQQ4iQ4/JTbqyL06tT73PZsT82cmL9ymwXHdejjW8AGPIdVYNLCtBsgHo/qC7pp+tbkf8GjxnNzG0aUki6COBMVKGtSC298eo4bFDhWqSf/G1TMXwB8jLcrH7pDiwlidCLeoi1G2pbCjkpeKBdZi3C4mR+4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1624984433; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=aZ6x4Rb4pM27SYgtrv4ikDGVUjwaK4MpzR9008Nz39M=; b=IYE+acug/+Z2BugA1P1a2HUceRW9yMUqhK9nluNwoDjkereNhPFFyee0lTi1M4dMaOtEZW0yOyNIRaaOzoB7qC0LEk6W2SZTTF3dynHaVKGFNpC6sfYBU1YorjGdhG2u/pM07jhOxzU9faeF7ds7/otQePgMV6eUOdBFPhvqb2k= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77283+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1624984433635383.69464903066773; Tue, 29 Jun 2021 09:33:53 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id Tt60YY1788612xnEaWFbmdfw; Tue, 29 Jun 2021 09:33:53 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.groups.io with SMTP id smtpd.web08.10697.1624984432590575126 for ; Tue, 29 Jun 2021 09:33:52 -0700 X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-603-7x57izY3O7qq31kWPC0wAw-1; Tue, 29 Jun 2021 12:33:50 -0400 X-MC-Unique: 7x57izY3O7qq31kWPC0wAw-1 X-Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id ADB89802C80; Tue, 29 Jun 2021 16:33:48 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-114-158.ams2.redhat.com [10.36.114.158]) by smtp.corp.redhat.com (Postfix) with ESMTP id 70E9260875; Tue, 29 Jun 2021 16:33:47 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Jiaxin Wu , Maciej Rabeda , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Siyuan Fu Subject: [edk2-devel] [PATCH v2 2/6] NetworkPkg/IScsiDxe: add horizontal whitespace to IScsiCHAP files Date: Tue, 29 Jun 2021 18:33:33 +0200 Message-Id: <20210629163337.14120-3-lersek@redhat.com> In-Reply-To: <20210629163337.14120-1-lersek@redhat.com> References: <20210629163337.14120-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com X-Gm-Message-State: bfQlCqnQQfE67AsQmvvRPNUYx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1624984433; bh=aZ6x4Rb4pM27SYgtrv4ikDGVUjwaK4MpzR9008Nz39M=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=JwLdlAa+i8VgzP+xsSkzu69eBmxRqaWxHbzCil0+TxAaKCs0GvfN8+z4P+CAXGy/4LS B3JVQo2c7iux4/OX/9irL2TH2vQFXkQ6KQK9/HeIAP+FJsNfj6U1ENZyen1MMwu30Ox24 r/jAPp67zp+3NTx86/I9+RXILhJkgzHWXw0= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" In the next patches, we'll need more room for various macro and parameter names. For maintaining the current visual alignments, insert some horizontal whitespace in preparation. "git show -b" produces no output for this patch; the patch introduces no functional changes. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daud=C3=A9 Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3355 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Maciej Rabeda --- Notes: v2: - pick up R-b's [Phil, Maciej] NetworkPkg/IScsiDxe/IScsiCHAP.h | 24 ++++++++++---------- NetworkPkg/IScsiDxe/IScsiCHAP.c | 12 +++++----- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHA= P.h index 35d5d6ec29e3..d6a90fc27fc3 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.h +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h @@ -1,49 +1,49 @@ /** @file The header file of CHAP configuration. =20 Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 #ifndef _ISCSI_CHAP_H_ #define _ISCSI_CHAP_H_ =20 -#define ISCSI_AUTH_METHOD_CHAP "CHAP" +#define ISCSI_AUTH_METHOD_CHAP "CHAP" =20 -#define ISCSI_KEY_CHAP_ALGORITHM "CHAP_A" -#define ISCSI_KEY_CHAP_IDENTIFIER "CHAP_I" -#define ISCSI_KEY_CHAP_CHALLENGE "CHAP_C" -#define ISCSI_KEY_CHAP_NAME "CHAP_N" -#define ISCSI_KEY_CHAP_RESPONSE "CHAP_R" +#define ISCSI_KEY_CHAP_ALGORITHM "CHAP_A" +#define ISCSI_KEY_CHAP_IDENTIFIER "CHAP_I" +#define ISCSI_KEY_CHAP_CHALLENGE "CHAP_C" +#define ISCSI_KEY_CHAP_NAME "CHAP_N" +#define ISCSI_KEY_CHAP_RESPONSE "CHAP_R" =20 -#define ISCSI_CHAP_ALGORITHM_MD5 5 +#define ISCSI_CHAP_ALGORITHM_MD5 5 =20 /// /// MD5_HASHSIZE /// -#define ISCSI_CHAP_RSP_LEN 16 +#define ISCSI_CHAP_RSP_LEN 16 =20 -#define ISCSI_CHAP_STEP_ONE 1 -#define ISCSI_CHAP_STEP_TWO 2 -#define ISCSI_CHAP_STEP_THREE 3 -#define ISCSI_CHAP_STEP_FOUR 4 +#define ISCSI_CHAP_STEP_ONE 1 +#define ISCSI_CHAP_STEP_TWO 2 +#define ISCSI_CHAP_STEP_THREE 3 +#define ISCSI_CHAP_STEP_FOUR 4 =20 =20 #pragma pack(1) =20 typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA { UINT8 CHAPType; CHAR8 CHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 CHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; CHAR8 ReverseCHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 ReverseCHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; } ISCSI_CHAP_AUTH_CONFIG_NVDATA; =20 #pragma pack() =20 /// /// ISCSI CHAP Authentication Data /// typedef struct _ISCSI_CHAP_AUTH_DATA { ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig; diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHA= P.c index 7e930c0d1eab..bb84f4359d35 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -14,44 +14,44 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 @param[in] ChapIdentifier iSCSI CHAP identifier sent by authentica= tor. @param[in] ChapSecret iSCSI CHAP secret of the authenticator. @param[in] SecretLength The length of iSCSI CHAP secret. @param[in] ChapChallenge The challenge message sent by authentica= tor. @param[in] ChallengeLength The length of iSCSI CHAP challenge messa= ge. @param[out] ChapResponse The calculation of the expected hash val= ue. =20 @retval EFI_SUCCESS The expected hash value was calculatedly successfully. @retval EFI_PROTOCOL_ERROR The length of the secret should be at le= ast the length of the hash value for the has= hing algorithm chosen. @retval EFI_PROTOCOL_ERROR MD5 hash operation fail. @retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD= 5. =20 **/ EFI_STATUS IScsiCHAPCalculateResponse ( - IN UINT32 ChapIdentifier, - IN CHAR8 *ChapSecret, - IN UINT32 SecretLength, - IN UINT8 *ChapChallenge, - IN UINT32 ChallengeLength, - OUT UINT8 *ChapResponse + IN UINT32 ChapIdentifier, + IN CHAR8 *ChapSecret, + IN UINT32 SecretLength, + IN UINT8 *ChapChallenge, + IN UINT32 ChallengeLength, + OUT UINT8 *ChapResponse ) { UINTN Md5ContextSize; VOID *Md5Ctx; CHAR8 IdByte[1]; EFI_STATUS Status; =20 if (SecretLength < ISCSI_CHAP_SECRET_MIN_LEN) { return EFI_PROTOCOL_ERROR; } =20 Md5ContextSize =3D Md5GetContextSize (); Md5Ctx =3D AllocatePool (Md5ContextSize); if (Md5Ctx =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 Status =3D EFI_PROTOCOL_ERROR; =20 --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77283): https://edk2.groups.io/g/devel/message/77283 Mute This Topic: https://groups.io/mt/83872636/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed May 8 23:58:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77284+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77284+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1624984441; cv=none; d=zohomail.com; s=zohoarc; b=i19UKIe60H/ozL1Ce/OCSX/MDXWFc39lvWiaVSEROhDwU4DeVXFxJTOi6UM6yimJIRP/G0omq3hUd8TweIbSkkluY6cLq/J36p0R/nunFiKkYw0D1fO5pM37Knaer60NNaFEH6DklMd0g8EiIA3nFBD/Og7VmMiHA8VEf5lhzJg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1624984441; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=hegRt8DRBOyJRRzOmLo7o0us0t1hrXx2uNbzW5VylZw=; b=bItYwhbG2US5fIuUnAnbf+4nxa6CduSpg39GKlEP71Q/nmzPF0GjIu3IRQrw8+5qOpFQyma48Prv16UlpXLd/Z9HEc9PIKLsrr9bfmOiGZv60ou9rgISiT92+OrKyMW7m5wDjhAmvKKIC77XZYWSXyD99dpJ24j08gMmTYBas/w= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77284+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 162498444124278.07133087686464; Tue, 29 Jun 2021 09:34:01 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id cR9bYY1788612x4gQrAgJfPw; Tue, 29 Jun 2021 09:34:00 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web08.10699.1624984434680816648 for ; Tue, 29 Jun 2021 09:33:54 -0700 X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-142-2u2uQsryMimsdqk3wa9XYA-1; Tue, 29 Jun 2021 12:33:51 -0400 X-MC-Unique: 2u2uQsryMimsdqk3wa9XYA-1 X-Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8054F19200C0; Tue, 29 Jun 2021 16:33:50 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-114-158.ams2.redhat.com [10.36.114.158]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0BB1960875; Tue, 29 Jun 2021 16:33:48 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Jiaxin Wu , Maciej Rabeda , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Siyuan Fu Subject: [edk2-devel] [PATCH v2 3/6] NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes Date: Tue, 29 Jun 2021 18:33:34 +0200 Message-Id: <20210629163337.14120-4-lersek@redhat.com> In-Reply-To: <20210629163337.14120-1-lersek@redhat.com> References: <20210629163337.14120-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com X-Gm-Message-State: 0eNepG7ffJ5YkYdgWdwHt0Mgx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1624984440; bh=hegRt8DRBOyJRRzOmLo7o0us0t1hrXx2uNbzW5VylZw=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=alNYoLPiXlFJx5sEAP3JNYAokZ7pxThJbWP+7DERNoGaHalDPTYerh7JSNmabMdnc8D Jd2qPYbrijQL84tyKQNk7LFVONCjvMAzf53er03DYCOhYAvjZjwoc0vCsuG/FtDPFOkHL BpEQJy4S2dMNcQS8kgtj0/LZeQs72Uo65gM= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the digest (16) that it solely supports at this point (MD5). ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related buffers (binary buffers and hex encodings alike), and (b) *processing* binary digest buffers (comparing them, filling them, reading them). In preparation for adding other hash algorithms, split purpose (a) from purpose (b). For purpose (a) -- buffer allocation --, introduce ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on MD5_DIGEST_SIZE from . Distinguishing these purposes is justified because purpose (b) -- processing -- must depend on the hashing algorithm negotiated between initiator and target, while for purpose (a) -- allocation --, using the maximum supported digest size is suitable. For now, because only MD5 is supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE. Note that the argument for using the digest size as the size of the outgoing challenge (in case mutual authentication is desired by the initiator) remains in place. Because of this, the above two purposes are distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well. This patch is functionally a no-op, just yet. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daud=C3=A9 Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3355 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Maciej Rabeda --- Notes: v2: - pick up R-b's [Phil, Maciej] NetworkPkg/IScsiDxe/IScsiCHAP.h | 17 +++++++++------ NetworkPkg/IScsiDxe/IScsiCHAP.c | 22 ++++++++++---------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHA= P.h index d6a90fc27fc3..b8811b7580f0 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.h +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h @@ -1,86 +1,91 @@ /** @file The header file of CHAP configuration. =20 Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 #ifndef _ISCSI_CHAP_H_ #define _ISCSI_CHAP_H_ =20 #define ISCSI_AUTH_METHOD_CHAP "CHAP" =20 #define ISCSI_KEY_CHAP_ALGORITHM "CHAP_A" #define ISCSI_KEY_CHAP_IDENTIFIER "CHAP_I" #define ISCSI_KEY_CHAP_CHALLENGE "CHAP_C" #define ISCSI_KEY_CHAP_NAME "CHAP_N" #define ISCSI_KEY_CHAP_RESPONSE "CHAP_R" =20 +// +// Identifiers of supported CHAP hash algorithms: +// https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numb= ers-9 +// #define ISCSI_CHAP_ALGORITHM_MD5 5 =20 -/// -/// MD5_HASHSIZE -/// -#define ISCSI_CHAP_RSP_LEN 16 +// +// Byte count of the largest digest over the above-listed +// ISCSI_CHAP_ALGORITHM_* hash algorithms. +// +#define ISCSI_CHAP_MAX_DIGEST_SIZE MD5_DIGEST_SIZE =20 #define ISCSI_CHAP_STEP_ONE 1 #define ISCSI_CHAP_STEP_TWO 2 #define ISCSI_CHAP_STEP_THREE 3 #define ISCSI_CHAP_STEP_FOUR 4 =20 =20 #pragma pack(1) =20 typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA { UINT8 CHAPType; CHAR8 CHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 CHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; CHAR8 ReverseCHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 ReverseCHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; } ISCSI_CHAP_AUTH_CONFIG_NVDATA; =20 #pragma pack() =20 /// /// ISCSI CHAP Authentication Data /// typedef struct _ISCSI_CHAP_AUTH_DATA { ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig; UINT32 InIdentifier; UINT8 InChallenge[1024]; UINT32 InChallengeLength; // // Calculated CHAP Response (CHAP_R) value. // - UINT8 CHAPResponse[ISCSI_CHAP_RSP_LEN]; + UINT8 CHAPResponse[ISCSI_CHAP_MAX_DIGEST_SIZE]; =20 // // Auth-data to be sent out for mutual authentication. // // While the challenge size is technically independent of the hashing // algorithm, it is good practice to avoid hashing *fewer bytes* than the // digest size. In other words, it's good practice to feed *at least as = many // bytes* to the hashing algorithm as the hashing algorithm will output. // UINT32 OutIdentifier; - UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN]; + UINT8 OutChallenge[ISCSI_CHAP_MAX_DIGEST_SIZE]; } ISCSI_CHAP_AUTH_DATA; =20 /** This function checks the received iSCSI Login Response during the securi= ty negotiation stage. =20 @param[in] Conn The iSCSI connection. =20 @retval EFI_SUCCESS The Login Response passed the CHAP validati= on. @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. @retval Others Other errors as indicated. =20 **/ EFI_STATUS IScsiCHAPOnRspReceived ( IN ISCSI_CONNECTION *Conn ); /** diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHA= P.c index bb84f4359d35..744824e63d23 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -96,90 +96,90 @@ IScsiCHAPCalculateResponse ( =20 @param[in] AuthData iSCSI CHAP authentication data. @param[in] TargetResponse The response from target. =20 @retval EFI_SUCCESS The response from target passed authentication. @retval EFI_SECURITY_VIOLATION The response from target was not expec= ted value. @retval Others Other errors as indicated. =20 **/ EFI_STATUS IScsiCHAPAuthTarget ( IN ISCSI_CHAP_AUTH_DATA *AuthData, IN UINT8 *TargetResponse ) { EFI_STATUS Status; UINT32 SecretSize; - UINT8 VerifyRsp[ISCSI_CHAP_RSP_LEN]; + UINT8 VerifyRsp[ISCSI_CHAP_MAX_DIGEST_SIZE]; =20 Status =3D EFI_SUCCESS; =20 SecretSize =3D (UINT32) AsciiStrLen (AuthData->AuthConfig->ReverseCHAPS= ecret); Status =3D IScsiCHAPCalculateResponse ( AuthData->OutIdentifier, AuthData->AuthConfig->ReverseCHAPSecret, SecretSize, AuthData->OutChallenge, - ISCSI_CHAP_RSP_LEN, // ChallengeLength + MD5_DIGEST_SIZE, // ChallengeLength VerifyRsp ); =20 - if (CompareMem (VerifyRsp, TargetResponse, ISCSI_CHAP_RSP_LEN) !=3D 0) { + if (CompareMem (VerifyRsp, TargetResponse, MD5_DIGEST_SIZE) !=3D 0) { Status =3D EFI_SECURITY_VIOLATION; } =20 return Status; } =20 =20 /** This function checks the received iSCSI Login Response during the securi= ty negotiation stage. =20 @param[in] Conn The iSCSI connection. =20 @retval EFI_SUCCESS The Login Response passed the CHAP validati= on. @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. @retval Others Other errors as indicated. =20 **/ EFI_STATUS IScsiCHAPOnRspReceived ( IN ISCSI_CONNECTION *Conn ) { EFI_STATUS Status; ISCSI_SESSION *Session; ISCSI_CHAP_AUTH_DATA *AuthData; CHAR8 *Value; UINT8 *Data; UINT32 Len; LIST_ENTRY *KeyValueList; UINTN Algorithm; CHAR8 *Identifier; CHAR8 *Challenge; CHAR8 *Name; CHAR8 *Response; - UINT8 TargetRsp[ISCSI_CHAP_RSP_LEN]; + UINT8 TargetRsp[ISCSI_CHAP_MAX_DIGEST_SIZE]; UINT32 RspLen; UINTN Result; =20 ASSERT (Conn->CurrentStage =3D=3D ISCSI_SECURITY_NEGOTIATION); ASSERT (Conn->RspQue.BufNum !=3D 0); =20 Session =3D Conn->Session; AuthData =3D &Session->AuthData.CHAP; Len =3D Conn->RspQue.BufSize; Data =3D AllocateZeroPool (Len); if (Data =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } // // Copy the data in case the data spans over multiple PDUs. // NetbufQueCopy (&Conn->RspQue, 0, Len, Data); =20 // @@ -324,41 +324,41 @@ IScsiCHAPOnRspReceived ( =20 case ISCSI_CHAP_STEP_FOUR: ASSERT (AuthData->AuthConfig->CHAPType =3D=3D ISCSI_CHAP_MUTUAL); // // The forth step, CHAP_N=3D CHAP_R=3D is received from Target. // Name =3D IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME= ); if (Name =3D=3D NULL) { goto ON_EXIT; } =20 Response =3D IScsiGetValueByKeyFromList ( KeyValueList, ISCSI_KEY_CHAP_RESPONSE ); if (Response =3D=3D NULL) { goto ON_EXIT; } =20 - RspLen =3D ISCSI_CHAP_RSP_LEN; + RspLen =3D MD5_DIGEST_SIZE; Status =3D IScsiHexToBin (TargetRsp, &RspLen, Response); - if (EFI_ERROR (Status) || RspLen !=3D ISCSI_CHAP_RSP_LEN) { + if (EFI_ERROR (Status) || RspLen !=3D MD5_DIGEST_SIZE) { Status =3D EFI_PROTOCOL_ERROR; goto ON_EXIT; } =20 // // Check the CHAP Name and Response replied by Target. // Status =3D IScsiCHAPAuthTarget (AuthData, TargetRsp); break; =20 default: break; } =20 ON_EXIT: =20 if (KeyValueList !=3D NULL) { IScsiFreeKeyValueList (KeyValueList); } @@ -395,45 +395,45 @@ IScsiCHAPToSendReq ( ISCSI_CHAP_AUTH_DATA *AuthData; CHAR8 *Value; CHAR8 ValueStr[256]; CHAR8 *Response; UINT32 RspLen; CHAR8 *Challenge; UINT32 ChallengeLen; EFI_STATUS BinToHexStatus; =20 ASSERT (Conn->CurrentStage =3D=3D ISCSI_SECURITY_NEGOTIATION); =20 Session =3D Conn->Session; AuthData =3D &Session->AuthData.CHAP; LoginReq =3D (ISCSI_LOGIN_REQUEST *) NetbufGetByte (Pdu, 0, 0); if (LoginReq =3D=3D NULL) { return EFI_PROTOCOL_ERROR; } Status =3D EFI_SUCCESS; =20 - RspLen =3D 2 * ISCSI_CHAP_RSP_LEN + 3; + RspLen =3D 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3; Response =3D AllocateZeroPool (RspLen); if (Response =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 - ChallengeLen =3D 2 * ISCSI_CHAP_RSP_LEN + 3; + ChallengeLen =3D 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3; Challenge =3D AllocateZeroPool (ChallengeLen); if (Challenge =3D=3D NULL) { FreePool (Response); return EFI_OUT_OF_RESOURCES; } =20 switch (Conn->AuthStep) { case ISCSI_AUTH_INITIAL: // // It's the initial Login Request. Fill in the key=3Dvalue pairs manda= tory // for the initial Login Request. // IScsiAddKeyValuePair ( Pdu, ISCSI_KEY_INITIATOR_NAME, mPrivate->InitiatorName ); IScsiAddKeyValuePair (Pdu, ISCSI_KEY_SESSION_TYPE, "Normal"); IScsiAddKeyValuePair ( @@ -466,59 +466,59 @@ IScsiCHAPToSendReq ( =20 case ISCSI_CHAP_STEP_THREE: // // Third step, send the Login Request with CHAP_N=3D CHAP_R=3D or // CHAP_N=3D CHAP_R=3D CHAP_I=3D CHAP_C=3D if target authe= ntication is // required too. // // CHAP_N=3D // IScsiAddKeyValuePair ( Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName ); // // CHAP_R=3D // BinToHexStatus =3D IScsiBinToHex ( (UINT8 *) AuthData->CHAPResponse, - ISCSI_CHAP_RSP_LEN, + MD5_DIGEST_SIZE, Response, &RspLen ); ASSERT_EFI_ERROR (BinToHexStatus); IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response); =20 if (AuthData->AuthConfig->CHAPType =3D=3D ISCSI_CHAP_MUTUAL) { // // CHAP_I=3D // IScsiGenRandom ((UINT8 *) &AuthData->OutIdentifier, 1); AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentif= ier); IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr); // // CHAP_C=3D // - IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN= ); + IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, MD5_DIGEST_SIZE); BinToHexStatus =3D IScsiBinToHex ( (UINT8 *) AuthData->OutChallenge, - ISCSI_CHAP_RSP_LEN, + MD5_DIGEST_SIZE, Challenge, &ChallengeLen ); ASSERT_EFI_ERROR (BinToHexStatus); IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge); =20 Conn->AuthStep =3D ISCSI_CHAP_STEP_FOUR; } // // Set the stage transition flag. // ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT); break; =20 default: Status =3D EFI_PROTOCOL_ERROR; break; } =20 --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77284): https://edk2.groups.io/g/devel/message/77284 Mute This Topic: https://groups.io/mt/83872638/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed May 8 23:58:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77285+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77285+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1624984438; cv=none; d=zohomail.com; s=zohoarc; b=hyr26mH2qa+m69oQaKCXqptVpZ80fvr+STqZMORLUoTXfxhXFLLlzJJx1TEqfJK/IEyXkxvIzbr6/F4HrX+a/VvmiTA9IU6WuLxKb3LwLUN8FEwv/uuLPhKQiJO9i3HtTEQzIXa7B0r23LSXbfMLK746tTjfDBNF7hi1m9MtZLc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1624984438; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=XvQQw3dEE+ZNKyQ4lkNBH1Fpo8etykxDM5v5WgzSc5A=; b=Y99Iye4c6wRxt6cPL8N7bVIOU+EFSxyVLpDLEVV5KmgAuOizEQ/+dqyZrdFr7B0YKciQF5R/u6IH9Wk4whooDv6MjN6JQlgZdC0RIZ/J4HmlE/WfkAGVTPBX6Eq/5Qm2HRYBWYCwH7FZ4epQha9djErEP8Lw+2RNUpylkeXKUNE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77285+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1624984438964856.28898346657; Tue, 29 Jun 2021 09:33:58 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id FedTYY1788612xF66MRaTiyb; Tue, 29 Jun 2021 09:33:58 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.groups.io with SMTP id smtpd.web11.10830.1624984437663965585 for ; Tue, 29 Jun 2021 09:33:57 -0700 X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-533-DxhliEBlOySqxB6-A4YV1A-1; Tue, 29 Jun 2021 12:33:53 -0400 X-MC-Unique: DxhliEBlOySqxB6-A4YV1A-1 X-Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 46E9210C1ADC; Tue, 29 Jun 2021 16:33:52 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-114-158.ams2.redhat.com [10.36.114.158]) by smtp.corp.redhat.com (Postfix) with ESMTP id D231960875; Tue, 29 Jun 2021 16:33:50 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Jiaxin Wu , Maciej Rabeda , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Siyuan Fu Subject: [edk2-devel] [PATCH v2 4/6] NetworkPkg/IScsiDxe: support multiple hash algorithms for CHAP Date: Tue, 29 Jun 2021 18:33:35 +0200 Message-Id: <20210629163337.14120-5-lersek@redhat.com> In-Reply-To: <20210629163337.14120-1-lersek@redhat.com> References: <20210629163337.14120-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com X-Gm-Message-State: AmLKqgA6VAyLJzMuObXYpiXjx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1624984438; bh=XvQQw3dEE+ZNKyQ4lkNBH1Fpo8etykxDM5v5WgzSc5A=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=KPcTmG5aiq15T9dpcCpteqYUiRnLw54IeiUPvfbnPgymUq2J/mV45ev7os5fXy/2/Ch et5mp4dCdO60HEe9xPGhkFOvggnKNSS9rAbx7IQJbWHlLAPN2B3Bgc0uPbhF2qYNiNPQT 33jw8yNkyzRKUy8iq0LDUdpqTywqTVKKo6o= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Introduce the "mChapHash" table, containing the hash algorithms supported for CHAP. Hash algos listed at the beginning of the table are preferred by the initiator. In ISCSI_CHAP_STEP_ONE, send such a CHAP_A value that is the comma-separated, ordered list of algorithm identifiers from "mChapHash". Pre-format this value string at driver startup, in the new function IScsiCHAPInitHashList(). (In IScsiCHAPInitHashList(), also enforce that every hash algo's digest size fit into ISCSI_CHAP_MAX_DIGEST_SIZE, as the latter controls the digest, outgoing challenge, and hex *allocations*.) In ISCSI_CHAP_STEP_TWO, allow the target to select one of the offered hash algorithms, and remember the selection for the later steps. For ISCSI_CHAP_STEP_THREE, hash the challenge from the target with the selected hash algo. In ISCSI_CHAP_STEP_THREE, send the correctly sized digest to the target. If the initiator wants mutual authentication, then generate a challenge with as many bytes as the target's digest will have, in ISCSI_CHAP_STEP_FOUR. In ISCSI_CHAP_STEP_FOUR (i.e., when mutual authentication is required by the initiator), verify the target's response (digest) with the selected algorithm. Clear the selected hash algorithm before every login (remember that in IScsiDxe, every login is a leading login). There is no peer-observable change from this patch, as it only reworks the current MD5 support into the new internal representation. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daud=C3=A9 Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3355 Signed-off-by: Laszlo Ersek Reviewed-by: Maciej Rabeda --- Notes: v2: =20 - Strictly stick with the edk2 coding style, in the multi-line calls to the CompareMem(), IScsiGenRandom(), and AsciiSPrint() functions. [Maciej] =20 - Use a helper variable in the CompareMem() case, to avoid a line break in the controlling expression of the "if" statement. [Laszlo] NetworkPkg/IScsiDxe/IScsiCHAP.h | 55 +++++++ NetworkPkg/IScsiDxe/IScsiCHAP.c | 170 +++++++++++++++++--- NetworkPkg/IScsiDxe/IScsiDriver.c | 2 + NetworkPkg/IScsiDxe/IScsiProto.c | 3 + 4 files changed, 207 insertions(+), 23 deletions(-) diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHA= P.h index b8811b7580f0..1e5cc0b287ed 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.h +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h @@ -31,47 +31,91 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #define ISCSI_CHAP_STEP_ONE 1 #define ISCSI_CHAP_STEP_TWO 2 #define ISCSI_CHAP_STEP_THREE 3 #define ISCSI_CHAP_STEP_FOUR 4 =20 =20 #pragma pack(1) =20 typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA { UINT8 CHAPType; CHAR8 CHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 CHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; CHAR8 ReverseCHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 ReverseCHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; } ISCSI_CHAP_AUTH_CONFIG_NVDATA; =20 #pragma pack() =20 +// +// Typedefs for collecting sets of hash APIs from BaseCryptLib. +// +typedef +UINTN +(EFIAPI *CHAP_HASH_GET_CONTEXT_SIZE) ( + VOID + ); + +typedef +BOOLEAN +(EFIAPI *CHAP_HASH_INIT) ( + OUT VOID *Context + ); + +typedef +BOOLEAN +(EFIAPI *CHAP_HASH_UPDATE) ( + IN OUT VOID *Context, + IN CONST VOID *Data, + IN UINTN DataSize + ); + +typedef +BOOLEAN +(EFIAPI *CHAP_HASH_FINAL) ( + IN OUT VOID *Context, + OUT UINT8 *HashValue + ); + +typedef struct { + UINT8 Algorithm; // ISCSI_CHAP_ALGORITHM_*, CH= AP_A + UINT32 DigestSize; + CHAP_HASH_GET_CONTEXT_SIZE GetContextSize; + CHAP_HASH_INIT Init; + CHAP_HASH_UPDATE Update; + CHAP_HASH_FINAL Final; +} CHAP_HASH; + /// /// ISCSI CHAP Authentication Data /// typedef struct _ISCSI_CHAP_AUTH_DATA { ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig; UINT32 InIdentifier; UINT8 InChallenge[1024]; UINT32 InChallengeLength; // + // The hash algorithm (CHAP_A) that the target selects in + // ISCSI_CHAP_STEP_TWO. + // + CONST CHAP_HASH *Hash; + // // Calculated CHAP Response (CHAP_R) value. // UINT8 CHAPResponse[ISCSI_CHAP_MAX_DIGEST_SIZE]; =20 // // Auth-data to be sent out for mutual authentication. // // While the challenge size is technically independent of the hashing // algorithm, it is good practice to avoid hashing *fewer bytes* than the // digest size. In other words, it's good practice to feed *at least as = many // bytes* to the hashing algorithm as the hashing algorithm will output. // UINT32 OutIdentifier; UINT8 OutChallenge[ISCSI_CHAP_MAX_DIGEST_SIZE]; } ISCSI_CHAP_AUTH_DATA; =20 /** This function checks the received iSCSI Login Response during the securi= ty negotiation stage. @@ -92,20 +136,31 @@ IScsiCHAPOnRspReceived ( This function fills the CHAP authentication information into the login P= DU during the security negotiation stage in the iSCSI connection login. =20 @param[in] Conn The iSCSI connection. @param[in, out] Pdu The PDU to send out. =20 @retval EFI_SUCCESS All check passed and the phase-related CHAP authentication info is filled into the iSC= SI PDU. @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. =20 **/ EFI_STATUS IScsiCHAPToSendReq ( IN ISCSI_CONNECTION *Conn, IN OUT NET_BUF *Pdu ); =20 +/** + Initialize the CHAP_A=3D *value* string for the entire driver,= to be + sent by the initiator in ISCSI_CHAP_STEP_ONE. + + This function sanity-checks the internal table of supported CHAP hashing + algorithms, as well. +**/ +VOID +IScsiCHAPInitHashList ( + VOID + ); #endif diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHA= P.c index 744824e63d23..351bf329b739 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -1,148 +1,199 @@ /** @file This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration. =20 Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 #include "IScsiImpl.h" =20 +// +// Supported CHAP hash algorithms, mapped to sets of BaseCryptLib APIs and +// macros. CHAP_HASH structures at lower subscripts in the array are prefe= rred +// by the initiator. +// +STATIC CONST CHAP_HASH mChapHash[] =3D { + { + ISCSI_CHAP_ALGORITHM_MD5, + MD5_DIGEST_SIZE, + Md5GetContextSize, + Md5Init, + Md5Update, + Md5Final + }, +}; + +// +// Ordered list of mChapHash[*].Algorithm values. It is formatted for the +// CHAP_A=3D value string, by the IScsiCHAPInitHashList() functi= on. It +// is sent by the initiator in ISCSI_CHAP_STEP_ONE. +// +STATIC CHAR8 mChapHashListString[ + 3 + // UINT8 identifie= r in + // decimal + (1 + 3) * (ARRAY_SIZE (mChapHash) - 1) + // comma prepended= for + // entries after= the + // first + 1 + // extra character= for + // AsciiSPrint() + // truncation ch= eck + 1 // terminating NUL + ]; + /** Initiator calculates its own expected hash value. =20 @param[in] ChapIdentifier iSCSI CHAP identifier sent by authentica= tor. @param[in] ChapSecret iSCSI CHAP secret of the authenticator. @param[in] SecretLength The length of iSCSI CHAP secret. @param[in] ChapChallenge The challenge message sent by authentica= tor. @param[in] ChallengeLength The length of iSCSI CHAP challenge messa= ge. + @param[in] Hash Pointer to the CHAP_HASH structure that + determines the hashing algorithm to use.= The + caller is responsible for making Hash po= int + to an "mChapHash" element. @param[out] ChapResponse The calculation of the expected hash val= ue. =20 @retval EFI_SUCCESS The expected hash value was calculatedly successfully. @retval EFI_PROTOCOL_ERROR The length of the secret should be at le= ast the length of the hash value for the has= hing algorithm chosen. - @retval EFI_PROTOCOL_ERROR MD5 hash operation fail. - @retval EFI_OUT_OF_RESOURCES Fail to allocate resource to complete MD= 5. + @retval EFI_PROTOCOL_ERROR Hash operation fails. + @retval EFI_OUT_OF_RESOURCES Failure to allocate resource to complete + hashing. =20 **/ EFI_STATUS IScsiCHAPCalculateResponse ( IN UINT32 ChapIdentifier, IN CHAR8 *ChapSecret, IN UINT32 SecretLength, IN UINT8 *ChapChallenge, IN UINT32 ChallengeLength, + IN CONST CHAP_HASH *Hash, OUT UINT8 *ChapResponse ) { - UINTN Md5ContextSize; - VOID *Md5Ctx; + UINTN ContextSize; + VOID *Ctx; CHAR8 IdByte[1]; EFI_STATUS Status; =20 if (SecretLength < ISCSI_CHAP_SECRET_MIN_LEN) { return EFI_PROTOCOL_ERROR; } =20 - Md5ContextSize =3D Md5GetContextSize (); - Md5Ctx =3D AllocatePool (Md5ContextSize); - if (Md5Ctx =3D=3D NULL) { + ASSERT (Hash !=3D NULL); + + ContextSize =3D Hash->GetContextSize (); + Ctx =3D AllocatePool (ContextSize); + if (Ctx =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } =20 Status =3D EFI_PROTOCOL_ERROR; =20 - if (!Md5Init (Md5Ctx)) { + if (!Hash->Init (Ctx)) { goto Exit; } =20 // // Hash Identifier - Only calculate 1 byte data (RFC1994) // IdByte[0] =3D (CHAR8) ChapIdentifier; - if (!Md5Update (Md5Ctx, IdByte, 1)) { + if (!Hash->Update (Ctx, IdByte, 1)) { goto Exit; } =20 // // Hash Secret // - if (!Md5Update (Md5Ctx, ChapSecret, SecretLength)) { + if (!Hash->Update (Ctx, ChapSecret, SecretLength)) { goto Exit; } =20 // // Hash Challenge received from Target // - if (!Md5Update (Md5Ctx, ChapChallenge, ChallengeLength)) { + if (!Hash->Update (Ctx, ChapChallenge, ChallengeLength)) { goto Exit; } =20 - if (Md5Final (Md5Ctx, ChapResponse)) { + if (Hash->Final (Ctx, ChapResponse)) { Status =3D EFI_SUCCESS; } =20 Exit: - FreePool (Md5Ctx); + FreePool (Ctx); return Status; } =20 /** The initiator checks the CHAP response replied by target against its own calculation of the expected hash value. =20 @param[in] AuthData iSCSI CHAP authentication data. @param[in] TargetResponse The response from target. =20 @retval EFI_SUCCESS The response from target passed authentication. @retval EFI_SECURITY_VIOLATION The response from target was not expec= ted value. @retval Others Other errors as indicated. =20 **/ EFI_STATUS IScsiCHAPAuthTarget ( IN ISCSI_CHAP_AUTH_DATA *AuthData, IN UINT8 *TargetResponse ) { EFI_STATUS Status; UINT32 SecretSize; UINT8 VerifyRsp[ISCSI_CHAP_MAX_DIGEST_SIZE]; + INTN Mismatch; =20 Status =3D EFI_SUCCESS; =20 SecretSize =3D (UINT32) AsciiStrLen (AuthData->AuthConfig->ReverseCHAPS= ecret); + + ASSERT (AuthData->Hash !=3D NULL); + Status =3D IScsiCHAPCalculateResponse ( AuthData->OutIdentifier, AuthData->AuthConfig->ReverseCHAPSecret, SecretSize, AuthData->OutChallenge, - MD5_DIGEST_SIZE, // ChallengeLength + AuthData->Hash->DigestSize, // ChallengeLength + AuthData->Hash, VerifyRsp ); =20 - if (CompareMem (VerifyRsp, TargetResponse, MD5_DIGEST_SIZE) !=3D 0) { + Mismatch =3D CompareMem ( + VerifyRsp, + TargetResponse, + AuthData->Hash->DigestSize + ); + if (Mismatch !=3D 0) { Status =3D EFI_SECURITY_VIOLATION; } =20 return Status; } =20 =20 /** This function checks the received iSCSI Login Response during the securi= ty negotiation stage. =20 @param[in] Conn The iSCSI connection. =20 @retval EFI_SUCCESS The Login Response passed the CHAP validati= on. @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. @retval EFI_PROTOCOL_ERROR Some kind of protocol error occurred. @retval Others Other errors as indicated. =20 **/ @@ -150,38 +201,39 @@ EFI_STATUS IScsiCHAPOnRspReceived ( IN ISCSI_CONNECTION *Conn ) { EFI_STATUS Status; ISCSI_SESSION *Session; ISCSI_CHAP_AUTH_DATA *AuthData; CHAR8 *Value; UINT8 *Data; UINT32 Len; LIST_ENTRY *KeyValueList; UINTN Algorithm; CHAR8 *Identifier; CHAR8 *Challenge; CHAR8 *Name; CHAR8 *Response; UINT8 TargetRsp[ISCSI_CHAP_MAX_DIGEST_SIZE]; UINT32 RspLen; UINTN Result; + UINTN HashIndex; =20 ASSERT (Conn->CurrentStage =3D=3D ISCSI_SECURITY_NEGOTIATION); ASSERT (Conn->RspQue.BufNum !=3D 0); =20 Session =3D Conn->Session; AuthData =3D &Session->AuthData.CHAP; Len =3D Conn->RspQue.BufSize; Data =3D AllocateZeroPool (Len); if (Data =3D=3D NULL) { return EFI_OUT_OF_RESOURCES; } // // Copy the data in case the data spans over multiple PDUs. // NetbufQueCopy (&Conn->RspQue, 0, Len, Data); =20 // // Build the key-value list from the data segment of the Login Response. // @@ -241,44 +293,54 @@ IScsiCHAPOnRspReceived ( // Transit to CHAP step one. // Conn->AuthStep =3D ISCSI_CHAP_STEP_ONE; Status =3D EFI_SUCCESS; break; =20 case ISCSI_CHAP_STEP_TWO: // // The Target replies with CHAP_A=3D CHAP_I=3D CHAP_C=3D // Value =3D IScsiGetValueByKeyFromList ( KeyValueList, ISCSI_KEY_CHAP_ALGORITHM ); if (Value =3D=3D NULL) { goto ON_EXIT; } =20 Algorithm =3D IScsiNetNtoi (Value); - if (Algorithm !=3D ISCSI_CHAP_ALGORITHM_MD5) { + for (HashIndex =3D 0; HashIndex < ARRAY_SIZE (mChapHash); HashIndex++)= { + if (Algorithm =3D=3D mChapHash[HashIndex].Algorithm) { + break; + } + } + if (HashIndex =3D=3D ARRAY_SIZE (mChapHash)) { // // Unsupported algorithm is chosen by target. // goto ON_EXIT; } + // + // Remember the target's chosen hash algorithm. + // + ASSERT (AuthData->Hash =3D=3D NULL); + AuthData->Hash =3D &mChapHash[HashIndex]; =20 Identifier =3D IScsiGetValueByKeyFromList ( KeyValueList, ISCSI_KEY_CHAP_IDENTIFIER ); if (Identifier =3D=3D NULL) { goto ON_EXIT; } =20 Challenge =3D IScsiGetValueByKeyFromList ( KeyValueList, ISCSI_KEY_CHAP_CHALLENGE ); if (Challenge =3D=3D NULL) { goto ON_EXIT; } // // Process the CHAP identifier and CHAP Challenge from Target. // Calculate Response value. @@ -289,76 +351,78 @@ IScsiCHAPOnRspReceived ( } =20 AuthData->InIdentifier =3D (UINT32) Result; AuthData->InChallengeLength =3D (UINT32) sizeof (AuthData->InChallenge= ); Status =3D IScsiHexToBin ( (UINT8 *) AuthData->InChallenge, &AuthData->InChallengeLength, Challenge ); if (EFI_ERROR (Status)) { Status =3D EFI_PROTOCOL_ERROR; goto ON_EXIT; } Status =3D IScsiCHAPCalculateResponse ( AuthData->InIdentifier, AuthData->AuthConfig->CHAPSecret, (UINT32) AsciiStrLen (AuthData->AuthConfig->CHAPSecret), AuthData->InChallenge, AuthData->InChallengeLength, + AuthData->Hash, AuthData->CHAPResponse ); =20 // // Transit to next step. // Conn->AuthStep =3D ISCSI_CHAP_STEP_THREE; break; =20 case ISCSI_CHAP_STEP_THREE: // // One way CHAP authentication and the target would like to // authenticate us. // Status =3D EFI_SUCCESS; break; =20 case ISCSI_CHAP_STEP_FOUR: ASSERT (AuthData->AuthConfig->CHAPType =3D=3D ISCSI_CHAP_MUTUAL); // // The forth step, CHAP_N=3D CHAP_R=3D is received from Target. // Name =3D IScsiGetValueByKeyFromList (KeyValueList, ISCSI_KEY_CHAP_NAME= ); if (Name =3D=3D NULL) { goto ON_EXIT; } =20 Response =3D IScsiGetValueByKeyFromList ( KeyValueList, ISCSI_KEY_CHAP_RESPONSE ); if (Response =3D=3D NULL) { goto ON_EXIT; } =20 - RspLen =3D MD5_DIGEST_SIZE; + ASSERT (AuthData->Hash !=3D NULL); + RspLen =3D AuthData->Hash->DigestSize; Status =3D IScsiHexToBin (TargetRsp, &RspLen, Response); - if (EFI_ERROR (Status) || RspLen !=3D MD5_DIGEST_SIZE) { + if (EFI_ERROR (Status) || RspLen !=3D AuthData->Hash->DigestSize) { Status =3D EFI_PROTOCOL_ERROR; goto ON_EXIT; } =20 // // Check the CHAP Name and Response replied by Target. // Status =3D IScsiCHAPAuthTarget (AuthData, TargetRsp); break; =20 default: break; } =20 ON_EXIT: =20 if (KeyValueList !=3D NULL) { IScsiFreeKeyValueList (KeyValueList); } @@ -442,88 +506,148 @@ IScsiCHAPToSendReq ( Session->ConfigData->SessionConfigData.TargetName ); =20 if (Session->AuthType =3D=3D ISCSI_AUTH_TYPE_NONE) { Value =3D ISCSI_KEY_VALUE_NONE; ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT); } else { Value =3D ISCSI_AUTH_METHOD_CHAP; } =20 IScsiAddKeyValuePair (Pdu, ISCSI_KEY_AUTH_METHOD, Value); =20 break; =20 case ISCSI_CHAP_STEP_ONE: // // First step, send the Login Request with CHAP_A=3D key-val= ue // pair. // - AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", ISCSI_CHAP_ALGORITHM_M= D5); - IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, ValueStr); + IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_ALGORITHM, mChapHashListStri= ng); =20 Conn->AuthStep =3D ISCSI_CHAP_STEP_TWO; break; =20 case ISCSI_CHAP_STEP_THREE: // // Third step, send the Login Request with CHAP_N=3D CHAP_R=3D or // CHAP_N=3D CHAP_R=3D CHAP_I=3D CHAP_C=3D if target authe= ntication is // required too. // // CHAP_N=3D // IScsiAddKeyValuePair ( Pdu, ISCSI_KEY_CHAP_NAME, (CHAR8 *) &AuthData->AuthConfig->CHAPName ); // // CHAP_R=3D // + ASSERT (AuthData->Hash !=3D NULL); BinToHexStatus =3D IScsiBinToHex ( (UINT8 *) AuthData->CHAPResponse, - MD5_DIGEST_SIZE, + AuthData->Hash->DigestSize, Response, &RspLen ); ASSERT_EFI_ERROR (BinToHexStatus); IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_RESPONSE, Response); =20 if (AuthData->AuthConfig->CHAPType =3D=3D ISCSI_CHAP_MUTUAL) { // // CHAP_I=3D // IScsiGenRandom ((UINT8 *) &AuthData->OutIdentifier, 1); AsciiSPrint (ValueStr, sizeof (ValueStr), "%d", AuthData->OutIdentif= ier); IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_IDENTIFIER, ValueStr); // // CHAP_C=3D // - IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, MD5_DIGEST_SIZE); + IScsiGenRandom ( + (UINT8 *) AuthData->OutChallenge, + AuthData->Hash->DigestSize + ); BinToHexStatus =3D IScsiBinToHex ( (UINT8 *) AuthData->OutChallenge, - MD5_DIGEST_SIZE, + AuthData->Hash->DigestSize, Challenge, &ChallengeLen ); ASSERT_EFI_ERROR (BinToHexStatus); IScsiAddKeyValuePair (Pdu, ISCSI_KEY_CHAP_CHALLENGE, Challenge); =20 Conn->AuthStep =3D ISCSI_CHAP_STEP_FOUR; } // // Set the stage transition flag. // ISCSI_SET_FLAG (LoginReq, ISCSI_LOGIN_REQ_PDU_FLAG_TRANSIT); break; =20 default: Status =3D EFI_PROTOCOL_ERROR; break; } =20 FreePool (Response); FreePool (Challenge); =20 return Status; } + +/** + Initialize the CHAP_A=3D *value* string for the entire driver,= to be + sent by the initiator in ISCSI_CHAP_STEP_ONE. + + This function sanity-checks the internal table of supported CHAP hashing + algorithms, as well. +**/ +VOID +IScsiCHAPInitHashList ( + VOID + ) +{ + CHAR8 *Position; + UINTN Left; + UINTN HashIndex; + CONST CHAP_HASH *Hash; + UINTN Printed; + + Position =3D mChapHashListString; + Left =3D sizeof (mChapHashListString); + for (HashIndex =3D 0; HashIndex < ARRAY_SIZE (mChapHash); HashIndex++) { + Hash =3D &mChapHash[HashIndex]; + + // + // Format the next hash identifier. + // + // Assert that we can format at least one non-NUL character, i.e. that= we + // can progress. Truncation is checked after printing. + // + ASSERT (Left >=3D 2); + Printed =3D AsciiSPrint ( + Position, + Left, + "%a%d", + (HashIndex =3D=3D 0) ? "" : ",", + Hash->Algorithm + ); + // + // There's no way to differentiate between the "buffer filled to the b= rim, + // but not truncated" result and the "truncated" result of AsciiSPrint= (). + // This is why "mChapHashListString" has an extra byte allocated, and = the + // reason why we use the less-than (rather than the less-than-or-equal= -to) + // relational operator in the assertion below -- we enforce "no trunca= tion" + // by excluding the "completely used up" case too. + // + ASSERT (Printed + 1 < Left); + + Position +=3D Printed; + Left -=3D Printed; + + // + // Sanity-check the digest size for Hash. + // + ASSERT (Hash->DigestSize <=3D ISCSI_CHAP_MAX_DIGEST_SIZE); + } +} diff --git a/NetworkPkg/IScsiDxe/IScsiDriver.c b/NetworkPkg/IScsiDxe/IScsiD= river.c index 98b73308c118..485c92972113 100644 --- a/NetworkPkg/IScsiDxe/IScsiDriver.c +++ b/NetworkPkg/IScsiDxe/IScsiDriver.c @@ -1763,38 +1763,40 @@ IScsiDriverEntryPoint ( goto Error1; } =20 // // Install the iSCSI Initiator Name Protocol. // Status =3D gBS->InstallProtocolInterface ( &ImageHandle, &gEfiIScsiInitiatorNameProtocolGuid, EFI_NATIVE_INTERFACE, &gIScsiInitiatorName ); if (EFI_ERROR (Status)) { goto Error2; } =20 // // Create the private data structures. // + IScsiCHAPInitHashList (); + mPrivate =3D AllocateZeroPool (sizeof (ISCSI_PRIVATE_DATA)); if (mPrivate =3D=3D NULL) { Status =3D EFI_OUT_OF_RESOURCES; goto Error3; } =20 InitializeListHead (&mPrivate->NicInfoList); InitializeListHead (&mPrivate->AttemptConfigs); =20 // // Initialize the configuration form of iSCSI. // Status =3D IScsiConfigFormInit (gIScsiIp4DriverBinding.DriverBindingHand= le); if (EFI_ERROR (Status)) { goto Error4; } =20 // // Create the Maximum Attempts. diff --git a/NetworkPkg/IScsiDxe/IScsiProto.c b/NetworkPkg/IScsiDxe/IScsiPr= oto.c index 69d1b39dbb1f..e62736bc041f 100644 --- a/NetworkPkg/IScsiDxe/IScsiProto.c +++ b/NetworkPkg/IScsiDxe/IScsiProto.c @@ -416,38 +416,41 @@ IScsiGetIp6NicInfo ( =20 return Status; } =20 /** Re-set any stateful session-level authentication information that is use= d by the leading login / leading connection. =20 (Note that this driver only supports a single connection per session -- = see ISCSI_MAX_CONNS_PER_SESSION.) =20 @param[in,out] Session The iSCSI session. **/ STATIC VOID IScsiSessionResetAuthData ( IN OUT ISCSI_SESSION *Session ) { + if (Session->AuthType =3D=3D ISCSI_AUTH_TYPE_CHAP) { + Session->AuthData.CHAP.Hash =3D NULL; + } } =20 /** Login the iSCSI session. =20 @param[in] Session The iSCSI session. =20 @retval EFI_SUCCESS The iSCSI session login procedure finished. @retval EFI_OUT_OF_RESOURCES Failed to allocate memory. @retval EFI_NO_MEDIA There was a media error. @retval Others Other errors as indicated. =20 **/ EFI_STATUS IScsiSessionLogin ( IN ISCSI_SESSION *Session ) { EFI_STATUS Status; --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77285): https://edk2.groups.io/g/devel/message/77285 Mute This Topic: https://groups.io/mt/83872645/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed May 8 23:58:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77287+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77287+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1624984444; cv=none; d=zohomail.com; s=zohoarc; b=L7aExdu3YyYei/EqGIcHEyymupIv6QlZR0Azlee2AcoXP6sG/DsDn/k3I7JlzEZNNCEHcZIuP4uzbMNXUw0aucq4VhGGd9Ob83J0gUQ6WfudyENHqESEHRQxtSRYnS1g8w0ObaBphFlosp7SZr6Hh7mc158cGmOqBajwasnidSE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1624984444; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=S6az3w97VcWm2jk1M5mw1fSKZGWOT3bTOBS1vZsY0yI=; b=iBMyX3YNF/zA9wPMiqA7q2uGcLu1EYCBj4cRfDgX3yCM8D6O+ln3ZHPi4UhA+3yJfILXO2+y0349tMFSCFfRupWyhj0VYyyBI+6pASt/dvl7XD9ApBQEnbcJzHw8zFppWWr52SVHsEljA5s0xwkF+lL2fD1N0rc0R2oR+lDosu8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77287+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1624984444977698.3523490039994; Tue, 29 Jun 2021 09:34:04 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id lmXLYY1788612xfjkK3ZOpS9; Tue, 29 Jun 2021 09:34:04 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web09.10861.1624984438997177684 for ; Tue, 29 Jun 2021 09:33:59 -0700 X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-224-vDLqD3CHNVuywTH8SxXXng-1; Tue, 29 Jun 2021 12:33:56 -0400 X-MC-Unique: vDLqD3CHNVuywTH8SxXXng-1 X-Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 91CBE91271; Tue, 29 Jun 2021 16:33:55 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-114-158.ams2.redhat.com [10.36.114.158]) by smtp.corp.redhat.com (Postfix) with ESMTP id 98AC760875; Tue, 29 Jun 2021 16:33:52 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Jiaxin Wu , Maciej Rabeda , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Siyuan Fu Subject: [edk2-devel] [PATCH v2 5/6] NetworkPkg/IScsiDxe: support SHA256 in CHAP Date: Tue, 29 Jun 2021 18:33:36 +0200 Message-Id: <20210629163337.14120-6-lersek@redhat.com> In-Reply-To: <20210629163337.14120-1-lersek@redhat.com> References: <20210629163337.14120-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com X-Gm-Message-State: P3J4vpzUF1SYn4QUTiQ4LxnWx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1624984444; bh=S6az3w97VcWm2jk1M5mw1fSKZGWOT3bTOBS1vZsY0yI=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=wtAMxkMUlUOPNZKTMoe6v8SeEPI44ziTxtKKZ48i2LvTvx3PG43brrkSlG3cpYkYEX0 jtmtI3gMZ94scFNYWmzae5OD34D2/3NlDAdRfJIPzSBCMPpOXTma1+Svsw/Ux9pJiX8Wg f8Qd+d4ul9X3U/ZqPuguZv/I1RXt7UhhXT4= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Insert a SHA256 CHAP_HASH structure at the start of "mChapHash". Update ISCSI_CHAP_MAX_DIGEST_SIZE to SHA256_DIGEST_SIZE (32). This enables the initiator and the target to negotiate SHA256 for CHAP, in preference to MD5. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daud=C3=A9 Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3355 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Maciej Rabeda --- Notes: v2: - pick up R-b's [Phil, Maciej] NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 ++- NetworkPkg/IScsiDxe/IScsiCHAP.c | 12 ++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHA= P.h index 1e5cc0b287ed..e2df634c4e67 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.h +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h @@ -6,44 +6,45 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 #ifndef _ISCSI_CHAP_H_ #define _ISCSI_CHAP_H_ =20 #define ISCSI_AUTH_METHOD_CHAP "CHAP" =20 #define ISCSI_KEY_CHAP_ALGORITHM "CHAP_A" #define ISCSI_KEY_CHAP_IDENTIFIER "CHAP_I" #define ISCSI_KEY_CHAP_CHALLENGE "CHAP_C" #define ISCSI_KEY_CHAP_NAME "CHAP_N" #define ISCSI_KEY_CHAP_RESPONSE "CHAP_R" =20 // // Identifiers of supported CHAP hash algorithms: // https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numb= ers-9 // #define ISCSI_CHAP_ALGORITHM_MD5 5 +#define ISCSI_CHAP_ALGORITHM_SHA256 7 =20 // // Byte count of the largest digest over the above-listed // ISCSI_CHAP_ALGORITHM_* hash algorithms. // -#define ISCSI_CHAP_MAX_DIGEST_SIZE MD5_DIGEST_SIZE +#define ISCSI_CHAP_MAX_DIGEST_SIZE SHA256_DIGEST_SIZE =20 #define ISCSI_CHAP_STEP_ONE 1 #define ISCSI_CHAP_STEP_TWO 2 #define ISCSI_CHAP_STEP_THREE 3 #define ISCSI_CHAP_STEP_FOUR 4 =20 =20 #pragma pack(1) =20 typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA { UINT8 CHAPType; CHAR8 CHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 CHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; CHAR8 ReverseCHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 ReverseCHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; } ISCSI_CHAP_AUTH_CONFIG_NVDATA; =20 #pragma pack() =20 diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHA= P.c index 351bf329b739..80035ece9887 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -1,36 +1,48 @@ /** @file This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration. =20 Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 #include "IScsiImpl.h" =20 // // Supported CHAP hash algorithms, mapped to sets of BaseCryptLib APIs and // macros. CHAP_HASH structures at lower subscripts in the array are prefe= rred // by the initiator. // STATIC CONST CHAP_HASH mChapHash[] =3D { + { + ISCSI_CHAP_ALGORITHM_SHA256, + SHA256_DIGEST_SIZE, + Sha256GetContextSize, + Sha256Init, + Sha256Update, + Sha256Final + }, + // + // Keep the deprecated MD5 entry at the end of the array (making MD5 the + // least preferred choice of the initiator). + // { ISCSI_CHAP_ALGORITHM_MD5, MD5_DIGEST_SIZE, Md5GetContextSize, Md5Init, Md5Update, Md5Final }, }; =20 // // Ordered list of mChapHash[*].Algorithm values. It is formatted for the // CHAP_A=3D value string, by the IScsiCHAPInitHashList() functi= on. It // is sent by the initiator in ISCSI_CHAP_STEP_ONE. // STATIC CHAR8 mChapHashListString[ 3 + // UINT8 identifie= r in // decimal (1 + 3) * (ARRAY_SIZE (mChapHash) - 1) + // comma prepended= for --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77287): https://edk2.groups.io/g/devel/message/77287 Mute This Topic: https://groups.io/mt/83872648/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed May 8 23:58:08 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+77288+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77288+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1624984447; cv=none; d=zohomail.com; s=zohoarc; b=j7o7FN9JbZXoDGhAJLG07a0Lc/ZcRBwpmpJ+KQlkTsmcCTWEkkpFErZTZIDa0XF+3sajVKJXZBf8uuXM8wlDT4LDpFWf+E+OcTSXQBzvszNPOxXj2FPowS2qI9LE+i7+Th95hr8CyY9gd5kqrslGo+cAVjTmeqvndz66qsPZLgw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1624984447; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=a/B06o1EqknLDDhTIWGnCMBCnu79mKV7aehn3ZFtPlQ=; b=eIGUEcItKDgYMLa1/uEqeX1BF0DyeExEyp//jOLbuDbbiijMKvQ6B5z3zvkwp0NbjvB632vhlhVVKPuHfphUZTp1e5spVEHZGJ7Wl5Vcz48l+zGEFlN5OgyQNDT3tlRD5pCbGoL5zB4uJudsCKrcj/nzVwzGh17Xqdy9V0WM/wY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+77288+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1624984447358640.4002920394737; Tue, 29 Jun 2021 09:34:07 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id Jn5LYY1788612x6lvMW8ejOH; Tue, 29 Jun 2021 09:34:06 -0700 X-Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.groups.io with SMTP id smtpd.web12.10790.1624984441168893238 for ; Tue, 29 Jun 2021 09:34:01 -0700 X-Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-76-ciFHx_XuMkaSvP4alHeT5w-1; Tue, 29 Jun 2021 12:33:58 -0400 X-MC-Unique: ciFHx_XuMkaSvP4alHeT5w-1 X-Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 5D1CF91270; Tue, 29 Jun 2021 16:33:57 +0000 (UTC) X-Received: from lacos-laptop-7.usersys.redhat.com (ovpn-114-158.ams2.redhat.com [10.36.114.158]) by smtp.corp.redhat.com (Postfix) with ESMTP id E4FC560875; Tue, 29 Jun 2021 16:33:55 +0000 (UTC) From: "Laszlo Ersek" To: edk2-devel-groups-io Cc: Jiaxin Wu , Maciej Rabeda , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Siyuan Fu Subject: [edk2-devel] [PATCH v2 6/6] NetworkPkg: introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro Date: Tue, 29 Jun 2021 18:33:37 +0200 Message-Id: <20210629163337.14120-7-lersek@redhat.com> In-Reply-To: <20210629163337.14120-1-lersek@redhat.com> References: <20210629163337.14120-1-lersek@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,lersek@redhat.com X-Gm-Message-State: RDqbaW1fxV7J3EG3YOhVTXk3x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1624984446; bh=a/B06o1EqknLDDhTIWGnCMBCnu79mKV7aehn3ZFtPlQ=; h=Cc:Content-Type:Date:From:Reply-To:Subject:To; b=HuYHwsgTlQepLLptiUDVoyG77XF0ETZNT/UIRHygOToJB0u2ZIQ4JuzKIJq2d3g+PyJ B4OlUtZIno9XtoX032U3TcH8KLoWIlMiAia/lfrmWJ7xwcohvf80d31AYxeMJtgk1V7yC CgP5suPxU6AYpXvCAlQHAZbA3H1haRlXCXg= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" Introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro for NetworkPkg. When explicitly set to FALSE, remove MD5 from IScsiDxe's CHAP algorithm list. Set NETWORK_ISCSI_MD5_ENABLE to TRUE by default, for compatibility reasons. Not just to minimize the disruption for platforms that currently include IScsiDxe, but also because RFC 7143 mandates MD5 for CHAP, and some vendors' iSCSI targets support MD5 only. With MD5 enabled, IScsiDxe will suggest SHA256, and then fall back to MD5 if the target requests it. With MD5 disabled, IScsiDxe will suggest SHA256, and break off the connection (and session) if the target doesn't support SHA256. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daud=C3=A9 Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3355 Signed-off-by: Laszlo Ersek Reviewed-by: Maciej Rabeda Reviewed-by: Philippe Mathieu-Daud=C3=A9 --- Notes: v2: - pick up R-b's [Phil, Maciej] NetworkPkg/NetworkBuildOptions.dsc.inc | 2 +- NetworkPkg/NetworkDefines.dsc.inc | 20 ++++++++++++++++++++ NetworkPkg/IScsiDxe/IScsiCHAP.c | 2 ++ 3 files changed, 23 insertions(+), 1 deletion(-) diff --git a/NetworkPkg/NetworkBuildOptions.dsc.inc b/NetworkPkg/NetworkBui= ldOptions.dsc.inc index 42d980d9543d..738da2222f7e 100644 --- a/NetworkPkg/NetworkBuildOptions.dsc.inc +++ b/NetworkPkg/NetworkBuildOptions.dsc.inc @@ -1,22 +1,22 @@ ## @file # Network DSC include file for [BuildOptions] sections of all Architecture= s. # # This file can be included in the [BuildOptions*] section(s) of a platfor= m DSC file # by using "!include NetworkPkg/NetworkBuildOptions.dsc.inc", to specify t= he C language # feature test macros (eg., API deprecation macros) according to the flags= described # in "NetworkDefines.dsc.inc". # # Supported tool chain families: "GCC", "INTEL", "MSFT", "RVCT". # # Copyright (c) 2020, Intel Corporation. All rights reserved.
# # SPDX-License-Identifier: BSD-2-Clause-Patent # ## =20 -!if $(NETWORK_ISCSI_ENABLE) =3D=3D TRUE +!if $(NETWORK_ISCSI_ENABLE) =3D=3D TRUE && $(NETWORK_ISCSI_MD5_ENABLE) =3D= =3D TRUE MSFT:*_*_*_CC_FLAGS =3D /D ENABLE_MD5_DEPRECATED_INTERFACES INTEL:*_*_*_CC_FLAGS =3D /D ENABLE_MD5_DEPRECATED_INTERFACES GCC:*_*_*_CC_FLAGS =3D -D ENABLE_MD5_DEPRECATED_INTERFACES RVCT:*_*_*_CC_FLAGS =3D -DENABLE_MD5_DEPRECATED_INTERFACES !endif diff --git a/NetworkPkg/NetworkDefines.dsc.inc b/NetworkPkg/NetworkDefines.= dsc.inc index 54deb6342aaa..e39a9cb3dc09 100644 --- a/NetworkPkg/NetworkDefines.dsc.inc +++ b/NetworkPkg/NetworkDefines.dsc.inc @@ -3,38 +3,39 @@ # # This file can be included to the [Defines] section of a platform DSC fil= e by # using "!include NetworkPkg/NetworkDefines.dsc.inc" to set default value = of # flags if they are not defined somewhere else, and also check the value t= o see # if there is any conflict. # # These flags can be defined before the !include line, or changed on the c= ommand # line to enable or disable related feature support. # -D FLAG=3DVALUE # The default value of these flags are: # DEFINE NETWORK_ENABLE =3D TRUE # DEFINE NETWORK_SNP_ENABLE =3D TRUE # DEFINE NETWORK_IP4_ENABLE =3D TRUE # DEFINE NETWORK_IP6_ENABLE =3D TRUE # DEFINE NETWORK_TLS_ENABLE =3D TRUE # DEFINE NETWORK_HTTP_ENABLE =3D FALSE # DEFINE NETWORK_HTTP_BOOT_ENABLE =3D TRUE # DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS =3D FALSE # DEFINE NETWORK_ISCSI_ENABLE =3D FALSE +# DEFINE NETWORK_ISCSI_MD5_ENABLE =3D TRUE # DEFINE NETWORK_VLAN_ENABLE =3D TRUE # # Copyright (c) 2019, Intel Corporation. All rights reserved.
# (C) Copyright 2020 Hewlett Packard Enterprise Development LP
# # SPDX-License-Identifier: BSD-2-Clause-Patent # ## =20 !ifndef NETWORK_ENABLE # # This flag is to enable or disable the whole network stack. # DEFINE NETWORK_ENABLE =3D TRUE !endif =20 !ifndef NETWORK_SNP_ENABLE # # This flag is to include the common SNP driver or not. @@ -101,33 +102,52 @@ # Both the "https://" and "http://" URI schemes are permitted. Oth= erwise, HTTP # connections are denied. Only the "https://" URI scheme is permit= ted. # DEFINE NETWORK_ALLOW_HTTP_CONNECTIONS =3D FALSE !endif =20 !ifndef NETWORK_ISCSI_ENABLE # # This flag is to enable or disable iSCSI feature. # # Note: This feature depends on the OpenSSL building. To enable this fea= ture, please # follow the instructions found in the file "OpenSSL-HOWTO.txt" lo= cated in # CryptoPkg\Library\OpensslLib to enable the OpenSSL building firs= t. # Both OpensslLib.inf and OpensslLibCrypto.inf library instance ca= n be used # since libssl is not required for iSCSI. # DEFINE NETWORK_ISCSI_ENABLE =3D FALSE !endif =20 +!ifndef NETWORK_ISCSI_MD5_ENABLE + # + # This flag enables the deprecated MD5 hash algorithm in iSCSI CHAP + # authentication. + # + # Note: The NETWORK_ISCSI_MD5_ENABLE flag only makes a difference if + # NETWORK_ISCSI_ENABLE is TRUE; otherwise, NETWORK_ISCSI_MD5_ENABL= E is + # ignored. + # + # With NETWORK_ISCSI_MD5_ENABLE set to TRUE, MD5 is enabled as the + # least preferred CHAP hash algorithm. With NETWORK_ISCSI_MD5_ENAB= LE + # set to FALSE, MD5 is disabled statically, at build time. + # + # The default value is TRUE, because RFC 7143 mandates MD5, and be= cause + # several vendors' iSCSI targets only support MD5, for CHAP. + # + DEFINE NETWORK_ISCSI_MD5_ENABLE =3D TRUE +!endif + !if $(NETWORK_ENABLE) =3D=3D TRUE # # Check the flags to see if there is any conflict. # !if ($(NETWORK_IP4_ENABLE) =3D=3D FALSE) AND ($(NETWORK_IP6_ENABLE) =3D= =3D FALSE) !error "Must enable at least IP4 or IP6 stack if NETWORK_ENABLE is set= to TRUE!" !endif =20 !if ($(NETWORK_HTTP_BOOT_ENABLE) =3D=3D TRUE) OR ($(NETWORK_HTTP_ENABLE)= =3D=3D TRUE) !if ($(NETWORK_TLS_ENABLE) =3D=3D FALSE) AND ($(NETWORK_ALLOW_HTTP_CON= NECTIONS) =3D=3D FALSE) !error "Must enable TLS to support HTTPS, or allow unsecured HTTP co= nnection, if NETWORK_HTTP_BOOT_ENABLE or NETWORK_HTTP_ENABLE is set to TRUE= !" !endif !endif !endif diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHA= P.c index 80035ece9887..0491ef42db95 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -7,50 +7,52 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 #include "IScsiImpl.h" =20 // // Supported CHAP hash algorithms, mapped to sets of BaseCryptLib APIs and // macros. CHAP_HASH structures at lower subscripts in the array are prefe= rred // by the initiator. // STATIC CONST CHAP_HASH mChapHash[] =3D { { ISCSI_CHAP_ALGORITHM_SHA256, SHA256_DIGEST_SIZE, Sha256GetContextSize, Sha256Init, Sha256Update, Sha256Final }, +#ifdef ENABLE_MD5_DEPRECATED_INTERFACES // // Keep the deprecated MD5 entry at the end of the array (making MD5 the // least preferred choice of the initiator). // { ISCSI_CHAP_ALGORITHM_MD5, MD5_DIGEST_SIZE, Md5GetContextSize, Md5Init, Md5Update, Md5Final }, +#endif // ENABLE_MD5_DEPRECATED_INTERFACES }; =20 // // Ordered list of mChapHash[*].Algorithm values. It is formatted for the // CHAP_A=3D value string, by the IScsiCHAPInitHashList() functi= on. It // is sent by the initiator in ISCSI_CHAP_STEP_ONE. // STATIC CHAR8 mChapHashListString[ 3 + // UINT8 identifie= r in // decimal (1 + 3) * (ARRAY_SIZE (mChapHash) - 1) + // comma prepended= for // entries after= the // first 1 + // extra character= for // AsciiSPrint() // truncation ch= eck 1 // terminating NUL ]; =20 --=20 2.19.1.3.g30247aa5d201 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77288): https://edk2.groups.io/g/devel/message/77288 Mute This Topic: https://groups.io/mt/83872650/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-