NetworkPkg/IScsiDxe: support multiple hash algorithms for CHAP

Introduce the "mChapHash" table, containing the hash algorithms supported
for CHAP. Hash algos listed at the beginning of the table are preferred by
the initiator.

In ISCSI_CHAP_STEP_ONE, send such a CHAP_A value that is the
comma-separated, ordered list of algorithm identifiers from "mChapHash".
Pre-format this value string at driver startup, in the new function
IScsiCHAPInitHashList().

(In IScsiCHAPInitHashList(), also enforce that every hash algo's digest
size fit into ISCSI_CHAP_MAX_DIGEST_SIZE, as the latter controls the
digest, outgoing challenge, and hex *allocations*.)

In ISCSI_CHAP_STEP_TWO, allow the target to select one of the offered hash
algorithms, and remember the selection for the later steps. For
ISCSI_CHAP_STEP_THREE, hash the challenge from the target with the
selected hash algo.

In ISCSI_CHAP_STEP_THREE, send the correctly sized digest to the target.
If the initiator wants mutual authentication, then generate a challenge
with as many bytes as the target's digest will have, in
ISCSI_CHAP_STEP_FOUR.

In ISCSI_CHAP_STEP_FOUR (i.e., when mutual authentication is required by
the initiator), verify the target's response (digest) with the selected
algorithm.

Clear the selected hash algorithm before every login (remember that in
IScsiDxe, every login is a leading login).

There is no peer-observable change from this patch, as it only reworks the
current MD5 support into the new internal representation.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20210629163337.14120-5-lersek@redhat.com>
Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com>

NetworkPkg/IScsiDxe/IScsiCHAP.h

@@ -47,6 +47,45 @@ typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
 
 #pragma pack()
 
+//
+// Typedefs for collecting sets of hash APIs from BaseCryptLib.
+//
+typedef
+UINTN
+(EFIAPI *CHAP_HASH_GET_CONTEXT_SIZE) (
+  VOID
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *CHAP_HASH_INIT) (
+  OUT VOID *Context
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *CHAP_HASH_UPDATE) (
+  IN OUT VOID       *Context,
+  IN     CONST VOID *Data,
+  IN     UINTN      DataSize
+  );
+
+typedef
+BOOLEAN
+(EFIAPI *CHAP_HASH_FINAL) (
+  IN OUT VOID  *Context,
+  OUT    UINT8 *HashValue
+  );
+
+typedef struct {
+  UINT8                      Algorithm;      // ISCSI_CHAP_ALGORITHM_*, CHAP_A
+  UINT32                     DigestSize;
+  CHAP_HASH_GET_CONTEXT_SIZE GetContextSize;
+  CHAP_HASH_INIT             Init;
+  CHAP_HASH_UPDATE           Update;
+  CHAP_HASH_FINAL            Final;
+} CHAP_HASH;
+
 ///
 /// ISCSI CHAP Authentication Data
 ///
@@ -56,6 +95,11 @@ typedef struct _ISCSI_CHAP_AUTH_DATA {
   UINT8                         InChallenge[1024];
   UINT32                        InChallengeLength;
   //
+  // The hash algorithm (CHAP_A) that the target selects in
+  // ISCSI_CHAP_STEP_TWO.
+  //
+  CONST CHAP_HASH               *Hash;
+  //
   // Calculated CHAP Response (CHAP_R) value.
   //
   UINT8                         CHAPResponse[ISCSI_CHAP_MAX_DIGEST_SIZE];
@@ -108,4 +152,15 @@ IScsiCHAPToSendReq (
   IN OUT  NET_BUF           *Pdu
   );
 
+/**
+  Initialize the CHAP_A=<A1,A2...> *value* string for the entire driver, to be
+  sent by the initiator in ISCSI_CHAP_STEP_ONE.
+
+  This function sanity-checks the internal table of supported CHAP hashing
+  algorithms, as well.
+**/
+VOID
+IScsiCHAPInitHashList (
+  VOID
+  );
 #endif