Insert a SHA256 CHAP_HASH structure at the start of "mChapHash". Update ISCSI_CHAP_MAX_DIGEST_SIZE to SHA256_DIGEST_SIZE (32). This enables the initiator and the target to negotiate SHA256 for CHAP, in preference to MD5. Cc: Jiaxin Wu <jiaxin.wu@intel.com> Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com> Cc: Philippe Mathieu-Daudé <philmd@redhat.com> Cc: Siyuan Fu <siyuan.fu@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355 Signed-off-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rabeda@linux.intel.com> Message-Id: <20210629163337.14120-6-lersek@redhat.com>
		
			
				
	
	
		
/** @file
  The header file of CHAP configuration.

Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent

**/

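//
// Include guard: the declarations below are seen only once per translation
// unit.
//
#ifndef _ISCSI_CHAP_H_
#define _ISCSI_CHAP_H_
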
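//
// Name of the CHAP authentication method.
//
#define ISCSI_AUTH_METHOD_CHAP                    "CHAP"

//
// Key names of the CHAP values: CHAP_A (algorithm), CHAP_I (identifier),
// CHAP_C (challenge), CHAP_N (name) and CHAP_R (response).
//
#define ISCSI_KEY_CHAP_ALGORITHM                  "CHAP_A"
#define ISCSI_KEY_CHAP_IDENTIFIER                 "CHAP_I"
#define ISCSI_KEY_CHAP_CHALLENGE                  "CHAP_C"
#define ISCSI_KEY_CHAP_NAME                       "CHAP_N"
#define ISCSI_KEY_CHAP_RESPONSE                   "CHAP_R"

//
// Identifiers of supported CHAP hash algorithms:
// https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9
//
// NOTE(review): both identifiers are defined here. Whether MD5 is still
// offered in CHAP_A is decided by the table of supported hashes, which is not
// part of this header -- confirm there if MD5 has to be ruled out.
//
#define ISCSI_CHAP_ALGORITHM_MD5                  5
#define ISCSI_CHAP_ALGORITHM_SHA256               7

//
// Byte count of the largest digest over the above-listed
// ISCSI_CHAP_ALGORITHM_* hash algorithms.
//
// This value sizes the CHAPResponse and OutChallenge arrays in
// ISCSI_CHAP_AUTH_DATA, so it has to be raised whenever an algorithm with a
// larger digest is added. SHA256_DIGEST_SIZE is not defined in this header.
//
#define ISCSI_CHAP_MAX_DIGEST_SIZE                SHA256_DIGEST_SIZE

//
// Steps of the CHAP exchange. The initiator sends CHAP_A in
// ISCSI_CHAP_STEP_ONE and the target selects the hash algorithm in
// ISCSI_CHAP_STEP_TWO.
//
#define ISCSI_CHAP_STEP_ONE                       1
#define ISCSI_CHAP_STEP_TWO                       2
#define ISCSI_CHAP_STEP_THREE                     3
#define ISCSI_CHAP_STEP_FOUR                      4

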
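#pragma pack(1)

//
// CHAP credentials of one configuration, laid out without padding
// (#pragma pack(1)). ISCSI_CHAP_NAME_STORAGE and ISCSI_CHAP_SECRET_STORAGE
// are defined outside this header.
//
// NOTE(review): both secrets are kept as plain CHAR8 arrays. If this layout is
// persisted, as the _NVDATA suffix suggests, access to the stored copy has to
// be restricted accordingly -- confirm against the code that stores it.
//
typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA {
  //
  // NOTE(review): presumably selects one-way versus mutual CHAP; the valid
  // values are not defined in this header.
  //
  UINT8 CHAPType;
  //
  // CHAP name and secret.
  //
  CHAR8 CHAPName[ISCSI_CHAP_NAME_STORAGE];
  CHAR8 CHAPSecret[ISCSI_CHAP_SECRET_STORAGE];
  //
  // Name and secret for the reverse direction of CHAP.
  //
  CHAR8 ReverseCHAPName[ISCSI_CHAP_NAME_STORAGE];
  CHAR8 ReverseCHAPSecret[ISCSI_CHAP_SECRET_STORAGE];
} ISCSI_CHAP_AUTH_CONFIG_NVDATA;

#pragma pack()
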
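//
// Typedefs for collecting sets of hash APIs from BaseCryptLib.
//

/**
  Pointer type for a hash algorithm's context-size getter.

  @return  A UINTN; presumably the byte count of the context buffer that the
           matching Init/Update/Final functions operate on -- confirm against
           the BaseCryptLib function stored in the pointer.
**/
typedef
UINTN
(EFIAPI *CHAP_HASH_GET_CONTEXT_SIZE) (
  VOID
  );
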
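/**
  Pointer type for a hash algorithm's context initializer.

  @param[out] Context  Context buffer to initialize.

  @return  A BOOLEAN status. Callers should check it: a digest produced from a
           context whose initialization failed must not be used as a CHAP
           response.
**/
typedef
BOOLEAN
(EFIAPI *CHAP_HASH_INIT) (
  OUT VOID *Context
  );
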
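/**
  Pointer type for a hash algorithm's update function.

  @param[in, out] Context   Hash context to update.
  @param[in]      Data      Input bytes to add to the hash.
  @param[in]      DataSize  Size of Data, in bytes.

  @return  A BOOLEAN status; callers should check it before going on to
           finalize the digest.
**/
typedef
BOOLEAN
(EFIAPI *CHAP_HASH_UPDATE) (
  IN OUT VOID       *Context,
  IN     CONST VOID *Data,
  IN     UINTN      DataSize
  );
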
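/**
  Pointer type for a hash algorithm's finalization function.

  The signature carries no length for HashValue, so the caller is responsible
  for passing a buffer that can hold the algorithm's whole digest (the
  DigestSize of the corresponding CHAP_HASH entry).

  @param[in, out] Context    Hash context to finalize.
  @param[out]     HashValue  Buffer that receives the digest.

  @return  A BOOLEAN status; callers should check it before using HashValue.
**/
typedef
BOOLEAN
(EFIAPI *CHAP_HASH_FINAL) (
  IN OUT VOID  *Context,
  OUT    UINT8 *HashValue
  );
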
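//
// One supported CHAP hash algorithm: its CHAP_A identifier, its digest size
// and the set of hash functions that implement it.
//
// DigestSize must not exceed ISCSI_CHAP_MAX_DIGEST_SIZE, because that macro
// sizes the CHAPResponse buffer in ISCSI_CHAP_AUTH_DATA.
//
typedef struct {
  UINT8                      Algorithm;      // ISCSI_CHAP_ALGORITHM_*, CHAP_A
  UINT32                     DigestSize;     // digest byte count (presumably; confirm against the table)
  CHAP_HASH_GET_CONTEXT_SIZE GetContextSize;
  CHAP_HASH_INIT             Init;
  CHAP_HASH_UPDATE           Update;
  CHAP_HASH_FINAL            Final;
} CHAP_HASH;
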
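///
/// ISCSI CHAP Authentication Data
///
typedef struct _ISCSI_CHAP_AUTH_DATA {
  //
  // CHAP names and secrets. Who owns the pointed-to structure is not visible
  // in this header.
  //
  ISCSI_CHAP_AUTH_CONFIG_NVDATA *AuthConfig;
  //
  // NOTE(review): presumably the identifier (CHAP_I) and the challenge
  // (CHAP_C) received from the target, with InChallengeLength giving the
  // number of valid bytes in InChallenge -- confirm against the parser.
  // InChallenge is a fixed 1024-byte array, so the code that fills it has to
  // reject a challenge longer than sizeof (InChallenge) before copying.
  //
  UINT32                        InIdentifier;
  UINT8                         InChallenge[1024];
  UINT32                        InChallengeLength;
  //
  // The hash algorithm (CHAP_A) that the target selects in
  // ISCSI_CHAP_STEP_TWO.
  //
  CONST CHAP_HASH               *Hash;
  //
  // Calculated CHAP Response (CHAP_R) value.
  //
  // The array is sized for the largest supported digest.
  //
  UINT8                         CHAPResponse[ISCSI_CHAP_MAX_DIGEST_SIZE];

  //
  // Auth-data to be sent out for mutual authentication.
  //
  // While the challenge size is technically independent of the hashing
  // algorithm, it is good practice to avoid hashing *fewer bytes* than the
  // digest size. In other words, it's good practice to feed *at least as many
  // bytes* to the hashing algorithm as the hashing algorithm will output.
  //
  UINT32                        OutIdentifier;
  UINT8                         OutChallenge[ISCSI_CHAP_MAX_DIGEST_SIZE];
} ISCSI_CHAP_AUTH_DATA;
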
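/**
  This function checks the received iSCSI Login Response during the security
  negotiation stage.

  Only EFI_SUCCESS means that the response passed the CHAP validation; callers
  should treat every other status as a failed security negotiation.

  @param[in] Conn             The iSCSI connection.

  @retval EFI_SUCCESS          The Login Response passed the CHAP validation.
  @retval EFI_OUT_OF_RESOURCES Failed to allocate memory.
  @retval EFI_PROTOCOL_ERROR   Some kind of protocol error occurred.
  @retval Others               Other errors as indicated.

**/
EFI_STATUS
IScsiCHAPOnRspReceived (
  IN ISCSI_CONNECTION  *Conn
  );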
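/**
  This function fills the CHAP authentication information into the login PDU
  during the security negotiation stage in the iSCSI connection login.

  @param[in]       Conn        The iSCSI connection.
  @param[in, out]  Pdu         The PDU to send out.

  @retval EFI_SUCCESS           All checks passed and the phase-related CHAP
                                authentication info is filled into the iSCSI
                                PDU.
  @retval EFI_OUT_OF_RESOURCES  Failed to allocate memory.
  @retval EFI_PROTOCOL_ERROR    Some kind of protocol error occurred.

**/
EFI_STATUS
IScsiCHAPToSendReq (
  IN      ISCSI_CONNECTION  *Conn,
  IN OUT  NET_BUF           *Pdu
  );
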
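/**
  Initialize the CHAP_A=<A1,A2...> *value* string for the entire driver, to be
  sent by the initiator in ISCSI_CHAP_STEP_ONE.

  This function sanity-checks the internal table of supported CHAP hashing
  algorithms, as well.

  The function returns VOID, so a failed sanity check cannot be reported
  through a return value. NOTE(review): how such a failure is surfaced is not
  visible in this header -- confirm in the implementation.
**/
VOID
IScsiCHAPInitHashList (
  VOID
  );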
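#endif // _ISCSI_CHAP_H_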