1255570Strasz/*- 2255570Strasz * Copyright (c) 2012 The FreeBSD Foundation 3255570Strasz * All rights reserved. 4255570Strasz * 5255570Strasz * This software was developed by Edward Tomasz Napierala under sponsorship 6255570Strasz * from the FreeBSD Foundation. 7255570Strasz * 8255570Strasz * Redistribution and use in source and binary forms, with or without 9255570Strasz * modification, are permitted provided that the following conditions 10255570Strasz * are met: 11255570Strasz * 1. Redistributions of source code must retain the above copyright 12255570Strasz * notice, this list of conditions and the following disclaimer. 13255570Strasz * 2. Redistributions in binary form must reproduce the above copyright 14255570Strasz * notice, this list of conditions and the following disclaimer in the 15255570Strasz * documentation and/or other materials provided with the distribution. 16255570Strasz * 17255570Strasz * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18255570Strasz * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19255570Strasz * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20255570Strasz * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21255570Strasz * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22255570Strasz * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23255570Strasz * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24255570Strasz * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25255570Strasz * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26255570Strasz * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27255570Strasz * SUCH DAMAGE. 28255570Strasz * 29255570Strasz */ 30255570Strasz 31270888Strasz#include <sys/cdefs.h> 32270888Strasz__FBSDID("$FreeBSD$"); 33270888Strasz 34255570Strasz#include <assert.h> 35255570Strasz#include <stdbool.h> 36255570Strasz#include <stdlib.h> 37255570Strasz#include <string.h> 38255570Strasz#include <unistd.h> 39255570Strasz#include <netinet/in.h> 40255570Strasz 41255570Strasz#include "ctld.h" 42255570Strasz#include "iscsi_proto.h" 43255570Strasz 44255570Straszstatic void login_send_error(struct pdu *request, 45255570Strasz char class, char detail); 46255570Strasz 47255570Straszstatic void 48255570Straszlogin_set_nsg(struct pdu *response, int nsg) 49255570Strasz{ 50255570Strasz struct iscsi_bhs_login_response *bhslr; 51255570Strasz 52255570Strasz assert(nsg == BHSLR_STAGE_SECURITY_NEGOTIATION || 53255570Strasz nsg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 54255570Strasz nsg == BHSLR_STAGE_FULL_FEATURE_PHASE); 55255570Strasz 56255570Strasz bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 57255570Strasz 58255570Strasz bhslr->bhslr_flags &= 0xFC; 59255570Strasz bhslr->bhslr_flags |= nsg; 60286801Smav bhslr->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 61255570Strasz} 62255570Strasz 63255570Straszstatic int 64255570Straszlogin_csg(const struct pdu *request) 65255570Strasz{ 66255570Strasz struct iscsi_bhs_login_request *bhslr; 67255570Strasz 68255570Strasz bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 69255570Strasz 70255570Strasz return ((bhslr->bhslr_flags & 0x0C) >> 2); 71255570Strasz} 72255570Strasz 73255570Straszstatic void 74255570Straszlogin_set_csg(struct pdu *response, int csg) 75255570Strasz{ 76255570Strasz struct iscsi_bhs_login_response *bhslr; 77255570Strasz 78255570Strasz assert(csg == BHSLR_STAGE_SECURITY_NEGOTIATION || 79255570Strasz csg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 80255570Strasz csg == BHSLR_STAGE_FULL_FEATURE_PHASE); 81255570Strasz 82255570Strasz bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 83255570Strasz 84255570Strasz bhslr->bhslr_flags &= 0xF3; 85255570Strasz bhslr->bhslr_flags |= csg << 2; 86255570Strasz} 87255570Strasz 88255570Straszstatic struct pdu * 89255570Straszlogin_receive(struct connection *conn, bool initial) 90255570Strasz{ 91255570Strasz struct pdu *request; 92255570Strasz struct iscsi_bhs_login_request *bhslr; 93255570Strasz 94255570Strasz request = pdu_new(conn); 95255570Strasz pdu_receive(request); 96255570Strasz if ((request->pdu_bhs->bhs_opcode & ~ISCSI_BHS_OPCODE_IMMEDIATE) != 97255570Strasz ISCSI_BHS_OPCODE_LOGIN_REQUEST) { 98255570Strasz /* 99255570Strasz * The first PDU in session is special - if we receive any PDU 100255570Strasz * different than login request, we have to drop the connection 101255570Strasz * without sending response ("A target receiving any PDU 102255570Strasz * except a Login request before the Login Phase is started MUST 103255570Strasz * immediately terminate the connection on which the PDU 104255570Strasz * was received.") 105255570Strasz */ 106255570Strasz if (initial == false) 107255570Strasz login_send_error(request, 0x02, 0x0b); 108255570Strasz log_errx(1, "protocol error: received invalid opcode 0x%x", 109255570Strasz request->pdu_bhs->bhs_opcode); 110255570Strasz } 111255570Strasz bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 112255570Strasz /* 113255570Strasz * XXX: Implement the C flag some day. 114255570Strasz */ 115255570Strasz if ((bhslr->bhslr_flags & BHSLR_FLAGS_CONTINUE) != 0) { 116255570Strasz login_send_error(request, 0x03, 0x00); 117255570Strasz log_errx(1, "received Login PDU with unsupported \"C\" flag"); 118255570Strasz } 119255570Strasz if (bhslr->bhslr_version_max != 0x00) { 120255570Strasz login_send_error(request, 0x02, 0x05); 121255570Strasz log_errx(1, "received Login PDU with unsupported " 122255570Strasz "Version-max 0x%x", bhslr->bhslr_version_max); 123255570Strasz } 124255570Strasz if (bhslr->bhslr_version_min != 0x00) { 125255570Strasz login_send_error(request, 0x02, 0x05); 126255570Strasz log_errx(1, "received Login PDU with unsupported " 127255570Strasz "Version-min 0x%x", bhslr->bhslr_version_min); 128255570Strasz } 129296441Smav if (initial == false && 130296441Smav ISCSI_SNLT(ntohl(bhslr->bhslr_cmdsn), conn->conn_cmdsn)) { 131296441Smav login_send_error(request, 0x02, 0x00); 132255570Strasz log_errx(1, "received Login PDU with decreasing CmdSN: " 133276613Smav "was %u, is %u", conn->conn_cmdsn, 134255570Strasz ntohl(bhslr->bhslr_cmdsn)); 135255570Strasz } 136255570Strasz if (initial == false && 137255570Strasz ntohl(bhslr->bhslr_expstatsn) != conn->conn_statsn) { 138296441Smav login_send_error(request, 0x02, 0x00); 139255570Strasz log_errx(1, "received Login PDU with wrong ExpStatSN: " 140276613Smav "is %u, should be %u", ntohl(bhslr->bhslr_expstatsn), 141255570Strasz conn->conn_statsn); 142255570Strasz } 143255570Strasz conn->conn_cmdsn = ntohl(bhslr->bhslr_cmdsn); 144255570Strasz 145255570Strasz return (request); 146255570Strasz} 147255570Strasz 148255570Straszstatic struct pdu * 149255570Straszlogin_new_response(struct pdu *request) 150255570Strasz{ 151255570Strasz struct pdu *response; 152255570Strasz struct connection *conn; 153255570Strasz struct iscsi_bhs_login_request *bhslr; 154255570Strasz struct iscsi_bhs_login_response *bhslr2; 155255570Strasz 156255570Strasz bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 157255570Strasz conn = request->pdu_connection; 158255570Strasz 159255570Strasz response = pdu_new_response(request); 160255570Strasz bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 161255570Strasz bhslr2->bhslr_opcode = ISCSI_BHS_OPCODE_LOGIN_RESPONSE; 162255570Strasz login_set_csg(response, BHSLR_STAGE_SECURITY_NEGOTIATION); 163255570Strasz memcpy(bhslr2->bhslr_isid, 164255570Strasz bhslr->bhslr_isid, sizeof(bhslr2->bhslr_isid)); 165255570Strasz bhslr2->bhslr_initiator_task_tag = bhslr->bhslr_initiator_task_tag; 166255570Strasz bhslr2->bhslr_statsn = htonl(conn->conn_statsn++); 167255570Strasz bhslr2->bhslr_expcmdsn = htonl(conn->conn_cmdsn); 168255570Strasz bhslr2->bhslr_maxcmdsn = htonl(conn->conn_cmdsn); 169255570Strasz 170255570Strasz return (response); 171255570Strasz} 172255570Strasz 173255570Straszstatic void 174255570Straszlogin_send_error(struct pdu *request, char class, char detail) 175255570Strasz{ 176255570Strasz struct pdu *response; 177255570Strasz struct iscsi_bhs_login_response *bhslr2; 178255570Strasz 179255570Strasz log_debugx("sending Login Response PDU with failure class 0x%x/0x%x; " 180255570Strasz "see next line for reason", class, detail); 181255570Strasz response = login_new_response(request); 182255570Strasz bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 183255570Strasz bhslr2->bhslr_status_class = class; 184255570Strasz bhslr2->bhslr_status_detail = detail; 185255570Strasz 186255570Strasz pdu_send(response); 187255570Strasz pdu_delete(response); 188255570Strasz} 189255570Strasz 190255570Straszstatic int 191255570Straszlogin_list_contains(const char *list, const char *what) 192255570Strasz{ 193255570Strasz char *tofree, *str, *token; 194255570Strasz 195255570Strasz tofree = str = checked_strdup(list); 196255570Strasz 197255570Strasz while ((token = strsep(&str, ",")) != NULL) { 198255570Strasz if (strcmp(token, what) == 0) { 199255570Strasz free(tofree); 200255570Strasz return (1); 201255570Strasz } 202255570Strasz } 203255570Strasz free(tofree); 204255570Strasz return (0); 205255570Strasz} 206255570Strasz 207255570Straszstatic int 208255570Straszlogin_list_prefers(const char *list, 209255570Strasz const char *choice1, const char *choice2) 210255570Strasz{ 211255570Strasz char *tofree, *str, *token; 212255570Strasz 213255570Strasz tofree = str = checked_strdup(list); 214255570Strasz 215255570Strasz while ((token = strsep(&str, ",")) != NULL) { 216255570Strasz if (strcmp(token, choice1) == 0) { 217255570Strasz free(tofree); 218255570Strasz return (1); 219255570Strasz } 220255570Strasz if (strcmp(token, choice2) == 0) { 221255570Strasz free(tofree); 222255570Strasz return (2); 223255570Strasz } 224255570Strasz } 225255570Strasz free(tofree); 226255570Strasz return (-1); 227255570Strasz} 228255570Strasz 229255570Straszstatic struct pdu * 230255570Straszlogin_receive_chap_a(struct connection *conn) 231255570Strasz{ 232255570Strasz struct pdu *request; 233255570Strasz struct keys *request_keys; 234255570Strasz const char *chap_a; 235255570Strasz 236255570Strasz request = login_receive(conn, false); 237255570Strasz request_keys = keys_new(); 238255570Strasz keys_load(request_keys, request); 239255570Strasz 240255570Strasz chap_a = keys_find(request_keys, "CHAP_A"); 241255570Strasz if (chap_a == NULL) { 242255570Strasz login_send_error(request, 0x02, 0x07); 243255570Strasz log_errx(1, "received CHAP Login PDU without CHAP_A"); 244255570Strasz } 245255570Strasz if (login_list_contains(chap_a, "5") == 0) { 246255570Strasz login_send_error(request, 0x02, 0x01); 247255570Strasz log_errx(1, "received CHAP Login PDU with unsupported CHAP_A " 248255570Strasz "\"%s\"", chap_a); 249255570Strasz } 250255570Strasz keys_delete(request_keys); 251255570Strasz 252255570Strasz return (request); 253255570Strasz} 254255570Strasz 255255570Straszstatic void 256274866Straszlogin_send_chap_c(struct pdu *request, struct chap *chap) 257255570Strasz{ 258255570Strasz struct pdu *response; 259255570Strasz struct keys *response_keys; 260274866Strasz char *chap_c, *chap_i; 261255570Strasz 262274866Strasz chap_c = chap_get_challenge(chap); 263274866Strasz chap_i = chap_get_id(chap); 264255570Strasz 265255570Strasz response = login_new_response(request); 266255570Strasz response_keys = keys_new(); 267255570Strasz keys_add(response_keys, "CHAP_A", "5"); 268255570Strasz keys_add(response_keys, "CHAP_I", chap_i); 269255570Strasz keys_add(response_keys, "CHAP_C", chap_c); 270274866Strasz free(chap_i); 271255570Strasz free(chap_c); 272255570Strasz keys_save(response_keys, response); 273256192Strasz pdu_send(response); 274256192Strasz pdu_delete(response); 275255570Strasz keys_delete(response_keys); 276255570Strasz} 277255570Strasz 278255570Straszstatic struct pdu * 279274866Straszlogin_receive_chap_r(struct connection *conn, struct auth_group *ag, 280274866Strasz struct chap *chap, const struct auth **authp) 281255570Strasz{ 282255570Strasz struct pdu *request; 283255570Strasz struct keys *request_keys; 284255570Strasz const char *chap_n, *chap_r; 285255570Strasz const struct auth *auth; 286255570Strasz int error; 287255570Strasz 288255570Strasz request = login_receive(conn, false); 289255570Strasz request_keys = keys_new(); 290255570Strasz keys_load(request_keys, request); 291255570Strasz 292255570Strasz chap_n = keys_find(request_keys, "CHAP_N"); 293255570Strasz if (chap_n == NULL) { 294255570Strasz login_send_error(request, 0x02, 0x07); 295255570Strasz log_errx(1, "received CHAP Login PDU without CHAP_N"); 296255570Strasz } 297255570Strasz chap_r = keys_find(request_keys, "CHAP_R"); 298255570Strasz if (chap_r == NULL) { 299255570Strasz login_send_error(request, 0x02, 0x07); 300255570Strasz log_errx(1, "received CHAP Login PDU without CHAP_R"); 301255570Strasz } 302274866Strasz error = chap_receive(chap, chap_r); 303255570Strasz if (error != 0) { 304255570Strasz login_send_error(request, 0x02, 0x07); 305255570Strasz log_errx(1, "received CHAP Login PDU with malformed CHAP_R"); 306255570Strasz } 307255570Strasz 308255570Strasz /* 309255570Strasz * Verify the response. 310255570Strasz */ 311255570Strasz assert(ag->ag_type == AG_TYPE_CHAP || 312255570Strasz ag->ag_type == AG_TYPE_CHAP_MUTUAL); 313255570Strasz auth = auth_find(ag, chap_n); 314255570Strasz if (auth == NULL) { 315255570Strasz login_send_error(request, 0x02, 0x01); 316255570Strasz log_errx(1, "received CHAP Login with invalid user \"%s\"", 317255570Strasz chap_n); 318255570Strasz } 319255570Strasz 320255570Strasz assert(auth->a_secret != NULL); 321255570Strasz assert(strlen(auth->a_secret) > 0); 322255570Strasz 323274866Strasz error = chap_authenticate(chap, auth->a_secret); 324274866Strasz if (error != 0) { 325255570Strasz login_send_error(request, 0x02, 0x01); 326255570Strasz log_errx(1, "CHAP authentication failed for user \"%s\"", 327255570Strasz auth->a_user); 328255570Strasz } 329255570Strasz 330255570Strasz keys_delete(request_keys); 331255570Strasz 332274866Strasz *authp = auth; 333255570Strasz return (request); 334255570Strasz} 335255570Strasz 336255570Straszstatic void 337255570Straszlogin_send_chap_success(struct pdu *request, 338255570Strasz const struct auth *auth) 339255570Strasz{ 340255570Strasz struct pdu *response; 341255570Strasz struct keys *request_keys, *response_keys; 342274866Strasz struct rchap *rchap; 343255570Strasz const char *chap_i, *chap_c; 344274866Strasz char *chap_r; 345255570Strasz int error; 346255570Strasz 347255570Strasz response = login_new_response(request); 348255570Strasz login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 349255570Strasz 350255570Strasz /* 351255570Strasz * Actually, one more thing: mutual authentication. 352255570Strasz */ 353255570Strasz request_keys = keys_new(); 354255570Strasz keys_load(request_keys, request); 355255570Strasz chap_i = keys_find(request_keys, "CHAP_I"); 356255570Strasz chap_c = keys_find(request_keys, "CHAP_C"); 357255570Strasz if (chap_i != NULL || chap_c != NULL) { 358255570Strasz if (chap_i == NULL) { 359255570Strasz login_send_error(request, 0x02, 0x07); 360255570Strasz log_errx(1, "initiator requested target " 361255570Strasz "authentication, but didn't send CHAP_I"); 362255570Strasz } 363255570Strasz if (chap_c == NULL) { 364255570Strasz login_send_error(request, 0x02, 0x07); 365255570Strasz log_errx(1, "initiator requested target " 366255570Strasz "authentication, but didn't send CHAP_C"); 367255570Strasz } 368255570Strasz if (auth->a_auth_group->ag_type != AG_TYPE_CHAP_MUTUAL) { 369255570Strasz login_send_error(request, 0x02, 0x01); 370255570Strasz log_errx(1, "initiator requests target authentication " 371255570Strasz "for user \"%s\", but mutual user/secret " 372255570Strasz "is not set", auth->a_user); 373255570Strasz } 374255570Strasz 375274866Strasz log_debugx("performing mutual authentication as user \"%s\"", 376274866Strasz auth->a_mutual_user); 377274866Strasz 378274866Strasz rchap = rchap_new(auth->a_mutual_secret); 379274866Strasz error = rchap_receive(rchap, chap_i, chap_c); 380255570Strasz if (error != 0) { 381255570Strasz login_send_error(request, 0x02, 0x07); 382255570Strasz log_errx(1, "received CHAP Login PDU with malformed " 383274866Strasz "CHAP_I or CHAP_C"); 384255570Strasz } 385274866Strasz chap_r = rchap_get_response(rchap); 386274866Strasz rchap_delete(rchap); 387255570Strasz response_keys = keys_new(); 388255570Strasz keys_add(response_keys, "CHAP_N", auth->a_mutual_user); 389255570Strasz keys_add(response_keys, "CHAP_R", chap_r); 390255570Strasz free(chap_r); 391255570Strasz keys_save(response_keys, response); 392255570Strasz keys_delete(response_keys); 393255570Strasz } else { 394255570Strasz log_debugx("initiator did not request target authentication"); 395255570Strasz } 396255570Strasz 397255570Strasz keys_delete(request_keys); 398255570Strasz pdu_send(response); 399256192Strasz pdu_delete(response); 400255570Strasz} 401255570Strasz 402255570Straszstatic void 403255570Straszlogin_chap(struct connection *conn, struct auth_group *ag) 404255570Strasz{ 405255570Strasz const struct auth *auth; 406274866Strasz struct chap *chap; 407255570Strasz struct pdu *request; 408255570Strasz 409255570Strasz /* 410255570Strasz * Receive CHAP_A PDU. 411255570Strasz */ 412255570Strasz log_debugx("beginning CHAP authentication; waiting for CHAP_A"); 413255570Strasz request = login_receive_chap_a(conn); 414255570Strasz 415255570Strasz /* 416255570Strasz * Generate the challenge. 417255570Strasz */ 418274866Strasz chap = chap_new(); 419255570Strasz 420255570Strasz /* 421255570Strasz * Send the challenge. 422255570Strasz */ 423255570Strasz log_debugx("sending CHAP_C, binary challenge size is %zd bytes", 424274866Strasz sizeof(chap->chap_challenge)); 425274866Strasz login_send_chap_c(request, chap); 426255570Strasz pdu_delete(request); 427255570Strasz 428255570Strasz /* 429255570Strasz * Receive CHAP_N/CHAP_R PDU and authenticate. 430255570Strasz */ 431255570Strasz log_debugx("waiting for CHAP_N/CHAP_R"); 432274866Strasz request = login_receive_chap_r(conn, ag, chap, &auth); 433255570Strasz 434255570Strasz /* 435255570Strasz * Yay, authentication succeeded! 436255570Strasz */ 437255570Strasz log_debugx("authentication succeeded for user \"%s\"; " 438255570Strasz "transitioning to Negotiation Phase", auth->a_user); 439255570Strasz login_send_chap_success(request, auth); 440255570Strasz pdu_delete(request); 441275244Strasz 442275244Strasz /* 443275244Strasz * Leave username and CHAP information for discovery(). 444275244Strasz */ 445275244Strasz conn->conn_user = auth->a_user; 446275244Strasz conn->conn_chap = chap; 447255570Strasz} 448255570Strasz 449255570Straszstatic void 450255570Straszlogin_negotiate_key(struct pdu *request, const char *name, 451255570Strasz const char *value, bool skipped_security, struct keys *response_keys) 452255570Strasz{ 453255570Strasz int which, tmp; 454255570Strasz struct connection *conn; 455255570Strasz 456255570Strasz conn = request->pdu_connection; 457255570Strasz 458255570Strasz if (strcmp(name, "InitiatorName") == 0) { 459255570Strasz if (!skipped_security) 460255570Strasz log_errx(1, "initiator resent InitiatorName"); 461255570Strasz } else if (strcmp(name, "SessionType") == 0) { 462255570Strasz if (!skipped_security) 463255570Strasz log_errx(1, "initiator resent SessionType"); 464255570Strasz } else if (strcmp(name, "TargetName") == 0) { 465255570Strasz if (!skipped_security) 466255570Strasz log_errx(1, "initiator resent TargetName"); 467255570Strasz } else if (strcmp(name, "InitiatorAlias") == 0) { 468255570Strasz if (conn->conn_initiator_alias != NULL) 469255570Strasz free(conn->conn_initiator_alias); 470255570Strasz conn->conn_initiator_alias = checked_strdup(value); 471255570Strasz } else if (strcmp(value, "Irrelevant") == 0) { 472255570Strasz /* Ignore. */ 473255570Strasz } else if (strcmp(name, "HeaderDigest") == 0) { 474255570Strasz /* 475255570Strasz * We don't handle digests for discovery sessions. 476255570Strasz */ 477255570Strasz if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 478255570Strasz log_debugx("discovery session; digests disabled"); 479255570Strasz keys_add(response_keys, name, "None"); 480255570Strasz return; 481255570Strasz } 482255570Strasz 483255570Strasz which = login_list_prefers(value, "CRC32C", "None"); 484255570Strasz switch (which) { 485255570Strasz case 1: 486255570Strasz log_debugx("initiator prefers CRC32C " 487255570Strasz "for header digest; we'll use it"); 488255570Strasz conn->conn_header_digest = CONN_DIGEST_CRC32C; 489255570Strasz keys_add(response_keys, name, "CRC32C"); 490255570Strasz break; 491255570Strasz case 2: 492255570Strasz log_debugx("initiator prefers not to do " 493255570Strasz "header digest; we'll comply"); 494255570Strasz keys_add(response_keys, name, "None"); 495255570Strasz break; 496255570Strasz default: 497255570Strasz log_warnx("initiator sent unrecognized " 498255570Strasz "HeaderDigest value \"%s\"; will use None", value); 499255570Strasz keys_add(response_keys, name, "None"); 500255570Strasz break; 501255570Strasz } 502255570Strasz } else if (strcmp(name, "DataDigest") == 0) { 503255570Strasz if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 504255570Strasz log_debugx("discovery session; digests disabled"); 505255570Strasz keys_add(response_keys, name, "None"); 506255570Strasz return; 507255570Strasz } 508255570Strasz 509255570Strasz which = login_list_prefers(value, "CRC32C", "None"); 510255570Strasz switch (which) { 511255570Strasz case 1: 512255570Strasz log_debugx("initiator prefers CRC32C " 513255570Strasz "for data digest; we'll use it"); 514255570Strasz conn->conn_data_digest = CONN_DIGEST_CRC32C; 515255570Strasz keys_add(response_keys, name, "CRC32C"); 516255570Strasz break; 517255570Strasz case 2: 518255570Strasz log_debugx("initiator prefers not to do " 519255570Strasz "data digest; we'll comply"); 520255570Strasz keys_add(response_keys, name, "None"); 521255570Strasz break; 522255570Strasz default: 523255570Strasz log_warnx("initiator sent unrecognized " 524255570Strasz "DataDigest value \"%s\"; will use None", value); 525255570Strasz keys_add(response_keys, name, "None"); 526255570Strasz break; 527255570Strasz } 528255570Strasz } else if (strcmp(name, "MaxConnections") == 0) { 529255570Strasz keys_add(response_keys, name, "1"); 530255570Strasz } else if (strcmp(name, "InitialR2T") == 0) { 531255570Strasz keys_add(response_keys, name, "Yes"); 532255570Strasz } else if (strcmp(name, "ImmediateData") == 0) { 533255570Strasz if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 534255570Strasz log_debugx("discovery session; ImmediateData irrelevant"); 535255570Strasz keys_add(response_keys, name, "Irrelevant"); 536255570Strasz } else { 537255570Strasz if (strcmp(value, "Yes") == 0) { 538255570Strasz conn->conn_immediate_data = true; 539255570Strasz keys_add(response_keys, name, "Yes"); 540255570Strasz } else { 541255570Strasz conn->conn_immediate_data = false; 542255570Strasz keys_add(response_keys, name, "No"); 543255570Strasz } 544255570Strasz } 545255570Strasz } else if (strcmp(name, "MaxRecvDataSegmentLength") == 0) { 546255570Strasz tmp = strtoul(value, NULL, 10); 547255570Strasz if (tmp <= 0) { 548255570Strasz login_send_error(request, 0x02, 0x00); 549255570Strasz log_errx(1, "received invalid " 550255570Strasz "MaxRecvDataSegmentLength"); 551255570Strasz } 552255570Strasz if (tmp > MAX_DATA_SEGMENT_LENGTH) { 553271626Strasz log_debugx("capping MaxRecvDataSegmentLength " 554271626Strasz "from %d to %d", tmp, MAX_DATA_SEGMENT_LENGTH); 555255570Strasz tmp = MAX_DATA_SEGMENT_LENGTH; 556255570Strasz } 557255570Strasz conn->conn_max_data_segment_length = tmp; 558276234Smav keys_add_int(response_keys, name, MAX_DATA_SEGMENT_LENGTH); 559255570Strasz } else if (strcmp(name, "MaxBurstLength") == 0) { 560255570Strasz tmp = strtoul(value, NULL, 10); 561255570Strasz if (tmp <= 0) { 562255570Strasz login_send_error(request, 0x02, 0x00); 563255570Strasz log_errx(1, "received invalid MaxBurstLength"); 564255570Strasz } 565255570Strasz if (tmp > MAX_BURST_LENGTH) { 566255570Strasz log_debugx("capping MaxBurstLength from %d to %d", 567255570Strasz tmp, MAX_BURST_LENGTH); 568255570Strasz tmp = MAX_BURST_LENGTH; 569255570Strasz } 570255570Strasz conn->conn_max_burst_length = tmp; 571255570Strasz keys_add(response_keys, name, value); 572255570Strasz } else if (strcmp(name, "FirstBurstLength") == 0) { 573255570Strasz tmp = strtoul(value, NULL, 10); 574255570Strasz if (tmp <= 0) { 575255570Strasz login_send_error(request, 0x02, 0x00); 576255570Strasz log_errx(1, "received invalid " 577255570Strasz "FirstBurstLength"); 578255570Strasz } 579255570Strasz if (tmp > MAX_DATA_SEGMENT_LENGTH) { 580255570Strasz log_debugx("capping FirstBurstLength from %d to %d", 581255570Strasz tmp, MAX_DATA_SEGMENT_LENGTH); 582255570Strasz tmp = MAX_DATA_SEGMENT_LENGTH; 583255570Strasz } 584255570Strasz /* 585255570Strasz * We don't pass the value to the kernel; it only enforces 586255570Strasz * hardcoded limit anyway. 587255570Strasz */ 588255570Strasz keys_add_int(response_keys, name, tmp); 589255570Strasz } else if (strcmp(name, "DefaultTime2Wait") == 0) { 590255570Strasz keys_add(response_keys, name, value); 591255570Strasz } else if (strcmp(name, "DefaultTime2Retain") == 0) { 592255570Strasz keys_add(response_keys, name, "0"); 593255570Strasz } else if (strcmp(name, "MaxOutstandingR2T") == 0) { 594255570Strasz keys_add(response_keys, name, "1"); 595255570Strasz } else if (strcmp(name, "DataPDUInOrder") == 0) { 596255570Strasz keys_add(response_keys, name, "Yes"); 597255570Strasz } else if (strcmp(name, "DataSequenceInOrder") == 0) { 598255570Strasz keys_add(response_keys, name, "Yes"); 599255570Strasz } else if (strcmp(name, "ErrorRecoveryLevel") == 0) { 600255570Strasz keys_add(response_keys, name, "0"); 601255570Strasz } else if (strcmp(name, "OFMarker") == 0) { 602255570Strasz keys_add(response_keys, name, "No"); 603255570Strasz } else if (strcmp(name, "IFMarker") == 0) { 604255570Strasz keys_add(response_keys, name, "No"); 605288753Smav } else if (strcmp(name, "iSCSIProtocolLevel") == 0) { 606288753Smav tmp = strtoul(value, NULL, 10); 607288753Smav if (tmp > 2) 608288753Smav tmp = 2; 609288753Smav keys_add_int(response_keys, name, tmp); 610255570Strasz } else { 611255570Strasz log_debugx("unknown key \"%s\"; responding " 612255570Strasz "with NotUnderstood", name); 613255570Strasz keys_add(response_keys, name, "NotUnderstood"); 614255570Strasz } 615255570Strasz} 616255570Strasz 617255570Straszstatic void 618275642Straszlogin_redirect(struct pdu *request, const char *target_address) 619275642Strasz{ 620275642Strasz struct pdu *response; 621275642Strasz struct iscsi_bhs_login_response *bhslr2; 622275642Strasz struct keys *response_keys; 623275642Strasz 624275642Strasz response = login_new_response(request); 625275642Strasz login_set_csg(response, login_csg(request)); 626275642Strasz bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 627275642Strasz bhslr2->bhslr_status_class = 0x01; 628275642Strasz bhslr2->bhslr_status_detail = 0x01; 629275642Strasz 630275642Strasz response_keys = keys_new(); 631275642Strasz keys_add(response_keys, "TargetAddress", target_address); 632275642Strasz 633275642Strasz keys_save(response_keys, response); 634275642Strasz pdu_send(response); 635275642Strasz pdu_delete(response); 636275642Strasz keys_delete(response_keys); 637275642Strasz} 638275642Strasz 639275642Straszstatic bool 640275642Straszlogin_portal_redirect(struct connection *conn, struct pdu *request) 641275642Strasz{ 642275642Strasz const struct portal_group *pg; 643275642Strasz 644275642Strasz pg = conn->conn_portal->p_portal_group; 645275642Strasz if (pg->pg_redirection == NULL) 646275642Strasz return (false); 647275642Strasz 648275642Strasz log_debugx("portal-group \"%s\" configured to redirect to %s", 649275642Strasz pg->pg_name, pg->pg_redirection); 650275642Strasz login_redirect(request, pg->pg_redirection); 651275642Strasz 652275642Strasz return (true); 653275642Strasz} 654275642Strasz 655275642Straszstatic bool 656275642Straszlogin_target_redirect(struct connection *conn, struct pdu *request) 657275642Strasz{ 658275642Strasz const char *target_address; 659275642Strasz 660275642Strasz assert(conn->conn_portal->p_portal_group->pg_redirection == NULL); 661275642Strasz 662275642Strasz if (conn->conn_target == NULL) 663275642Strasz return (false); 664275642Strasz 665275642Strasz target_address = conn->conn_target->t_redirection; 666275642Strasz if (target_address == NULL) 667275642Strasz return (false); 668275642Strasz 669275642Strasz log_debugx("target \"%s\" configured to redirect to %s", 670275642Strasz conn->conn_target->t_name, target_address); 671275642Strasz login_redirect(request, target_address); 672275642Strasz 673275642Strasz return (true); 674275642Strasz} 675275642Strasz 676275642Straszstatic void 677255570Straszlogin_negotiate(struct connection *conn, struct pdu *request) 678255570Strasz{ 679255570Strasz struct pdu *response; 680255570Strasz struct iscsi_bhs_login_response *bhslr2; 681255570Strasz struct keys *request_keys, *response_keys; 682274869Strasz int i; 683275642Strasz bool redirected, skipped_security; 684255570Strasz 685255570Strasz if (request == NULL) { 686265515Strasz log_debugx("beginning operational parameter negotiation; " 687255570Strasz "waiting for Login PDU"); 688255570Strasz request = login_receive(conn, false); 689255570Strasz skipped_security = false; 690255570Strasz } else 691255570Strasz skipped_security = true; 692255570Strasz 693275642Strasz /* 694275642Strasz * RFC 3720, 10.13.5. Status-Class and Status-Detail, says 695275642Strasz * the redirection SHOULD be accepted by the initiator before 696275642Strasz * authentication, but MUST be be accepted afterwards; that's 697275642Strasz * why we're doing it here and not earlier. 698275642Strasz */ 699275642Strasz redirected = login_target_redirect(conn, request); 700275642Strasz if (redirected) { 701275642Strasz log_debugx("initiator redirected; exiting"); 702275642Strasz exit(0); 703275642Strasz } 704275642Strasz 705255570Strasz request_keys = keys_new(); 706255570Strasz keys_load(request_keys, request); 707255570Strasz 708255570Strasz response = login_new_response(request); 709255570Strasz bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 710255570Strasz bhslr2->bhslr_tsih = htons(0xbadd); 711255570Strasz login_set_csg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 712255570Strasz login_set_nsg(response, BHSLR_STAGE_FULL_FEATURE_PHASE); 713255570Strasz response_keys = keys_new(); 714271701Strasz 715271701Strasz if (skipped_security && 716271701Strasz conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 717271701Strasz if (conn->conn_target->t_alias != NULL) 718271701Strasz keys_add(response_keys, 719271701Strasz "TargetAlias", conn->conn_target->t_alias); 720274870Strasz keys_add_int(response_keys, "TargetPortalGroupTag", 721271701Strasz conn->conn_portal->p_portal_group->pg_tag); 722271701Strasz } 723271701Strasz 724255570Strasz for (i = 0; i < KEYS_MAX; i++) { 725255570Strasz if (request_keys->keys_names[i] == NULL) 726255570Strasz break; 727255570Strasz 728255570Strasz login_negotiate_key(request, request_keys->keys_names[i], 729255570Strasz request_keys->keys_values[i], skipped_security, 730255570Strasz response_keys); 731255570Strasz } 732255570Strasz 733265515Strasz log_debugx("operational parameter negotiation done; " 734255570Strasz "transitioning to Full Feature Phase"); 735255570Strasz 736255570Strasz keys_save(response_keys, response); 737255570Strasz pdu_send(response); 738255570Strasz pdu_delete(response); 739255570Strasz keys_delete(response_keys); 740255570Strasz pdu_delete(request); 741255570Strasz keys_delete(request_keys); 742255570Strasz} 743255570Strasz 744287026Smavstatic void 745287026Smavlogin_wait_transition(struct connection *conn) 746287026Smav{ 747287026Smav struct pdu *request, *response; 748287026Smav struct iscsi_bhs_login_request *bhslr; 749287026Smav 750287026Smav log_debugx("waiting for state transition request"); 751287026Smav request = login_receive(conn, false); 752287026Smav bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 753287026Smav if ((bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) == 0) { 754287026Smav login_send_error(request, 0x02, 0x00); 755287026Smav log_errx(1, "got no \"T\" flag after answering AuthMethod"); 756287026Smav } 757287026Smav 758287026Smav log_debugx("got state transition request"); 759287026Smav response = login_new_response(request); 760300450Struckman pdu_delete(request); 761287026Smav login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 762287026Smav pdu_send(response); 763287026Smav pdu_delete(response); 764287026Smav 765287026Smav login_negotiate(conn, NULL); 766287026Smav} 767287026Smav 768255570Straszvoid 769255570Straszlogin(struct connection *conn) 770255570Strasz{ 771255570Strasz struct pdu *request, *response; 772255570Strasz struct iscsi_bhs_login_request *bhslr; 773255570Strasz struct keys *request_keys, *response_keys; 774255570Strasz struct auth_group *ag; 775274947Strasz struct portal_group *pg; 776255570Strasz const char *initiator_name, *initiator_alias, *session_type, 777255570Strasz *target_name, *auth_method; 778287026Smav bool redirected, fail, trans; 779255570Strasz 780255570Strasz /* 781255570Strasz * Handle the initial Login Request - figure out required authentication 782255570Strasz * method and either transition to the next phase, if no authentication 783255570Strasz * is required, or call appropriate authentication code. 784255570Strasz */ 785255570Strasz log_debugx("beginning Login Phase; waiting for Login PDU"); 786255570Strasz request = login_receive(conn, true); 787255570Strasz bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 788255570Strasz if (bhslr->bhslr_tsih != 0) { 789255570Strasz login_send_error(request, 0x02, 0x0a); 790255570Strasz log_errx(1, "received Login PDU with non-zero TSIH"); 791255570Strasz } 792255570Strasz 793274947Strasz pg = conn->conn_portal->p_portal_group; 794274947Strasz 795268684Smav memcpy(conn->conn_initiator_isid, bhslr->bhslr_isid, 796268684Smav sizeof(conn->conn_initiator_isid)); 797268684Smav 798255570Strasz /* 799255570Strasz * XXX: Implement the C flag some day. 800255570Strasz */ 801255570Strasz request_keys = keys_new(); 802255570Strasz keys_load(request_keys, request); 803255570Strasz 804255570Strasz assert(conn->conn_initiator_name == NULL); 805255570Strasz initiator_name = keys_find(request_keys, "InitiatorName"); 806255570Strasz if (initiator_name == NULL) { 807255570Strasz login_send_error(request, 0x02, 0x07); 808255570Strasz log_errx(1, "received Login PDU without InitiatorName"); 809255570Strasz } 810255570Strasz if (valid_iscsi_name(initiator_name) == false) { 811255570Strasz login_send_error(request, 0x02, 0x00); 812255570Strasz log_errx(1, "received Login PDU with invalid InitiatorName"); 813255570Strasz } 814255570Strasz conn->conn_initiator_name = checked_strdup(initiator_name); 815255570Strasz log_set_peer_name(conn->conn_initiator_name); 816255570Strasz setproctitle("%s (%s)", conn->conn_initiator_addr, conn->conn_initiator_name); 817255570Strasz 818275642Strasz redirected = login_portal_redirect(conn, request); 819275642Strasz if (redirected) { 820275642Strasz log_debugx("initiator redirected; exiting"); 821275642Strasz exit(0); 822275642Strasz } 823275642Strasz 824255570Strasz initiator_alias = keys_find(request_keys, "InitiatorAlias"); 825255570Strasz if (initiator_alias != NULL) 826255570Strasz conn->conn_initiator_alias = checked_strdup(initiator_alias); 827255570Strasz 828255570Strasz assert(conn->conn_session_type == CONN_SESSION_TYPE_NONE); 829255570Strasz session_type = keys_find(request_keys, "SessionType"); 830255570Strasz if (session_type != NULL) { 831255570Strasz if (strcmp(session_type, "Normal") == 0) { 832255570Strasz conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 833255570Strasz } else if (strcmp(session_type, "Discovery") == 0) { 834255570Strasz conn->conn_session_type = CONN_SESSION_TYPE_DISCOVERY; 835255570Strasz } else { 836255570Strasz login_send_error(request, 0x02, 0x00); 837255570Strasz log_errx(1, "received Login PDU with invalid " 838255570Strasz "SessionType \"%s\"", session_type); 839255570Strasz } 840255570Strasz } else 841255570Strasz conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 842255570Strasz 843255570Strasz assert(conn->conn_target == NULL); 844255570Strasz if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 845255570Strasz target_name = keys_find(request_keys, "TargetName"); 846255570Strasz if (target_name == NULL) { 847255570Strasz login_send_error(request, 0x02, 0x07); 848255570Strasz log_errx(1, "received Login PDU without TargetName"); 849255570Strasz } 850255570Strasz 851279006Smav conn->conn_port = port_find_in_pg(pg, target_name); 852279006Smav if (conn->conn_port == NULL) { 853255570Strasz login_send_error(request, 0x02, 0x03); 854255570Strasz log_errx(1, "requested target \"%s\" not found", 855255570Strasz target_name); 856255570Strasz } 857279006Smav conn->conn_target = conn->conn_port->p_target; 858255570Strasz } 859255570Strasz 860255570Strasz /* 861255570Strasz * At this point we know what kind of authentication we need. 862255570Strasz */ 863255570Strasz if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 864279006Smav ag = conn->conn_port->p_auth_group; 865279006Smav if (ag == NULL) 866279006Smav ag = conn->conn_target->t_auth_group; 867255570Strasz if (ag->ag_name != NULL) { 868255570Strasz log_debugx("initiator requests to connect " 869255570Strasz "to target \"%s\"; auth-group \"%s\"", 870263723Strasz conn->conn_target->t_name, 871274947Strasz ag->ag_name); 872255570Strasz } else { 873255570Strasz log_debugx("initiator requests to connect " 874263723Strasz "to target \"%s\"", conn->conn_target->t_name); 875255570Strasz } 876255570Strasz } else { 877255570Strasz assert(conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY); 878274947Strasz ag = pg->pg_discovery_auth_group; 879255570Strasz if (ag->ag_name != NULL) { 880255570Strasz log_debugx("initiator requests " 881255570Strasz "discovery session; auth-group \"%s\"", ag->ag_name); 882255570Strasz } else { 883255570Strasz log_debugx("initiator requests discovery session"); 884255570Strasz } 885255570Strasz } 886255570Strasz 887287026Smav if (ag->ag_type == AG_TYPE_DENY) { 888287026Smav login_send_error(request, 0x02, 0x01); 889287026Smav log_errx(1, "auth-type is \"deny\""); 890287026Smav } 891287026Smav 892287026Smav if (ag->ag_type == AG_TYPE_UNKNOWN) { 893287026Smav /* 894287026Smav * This can happen with empty auth-group. 895287026Smav */ 896287026Smav login_send_error(request, 0x02, 0x01); 897287026Smav log_errx(1, "auth-type not set, denying access"); 898287026Smav } 899287026Smav 900255570Strasz /* 901263720Strasz * Enforce initiator-name and initiator-portal. 902263720Strasz */ 903274949Strasz if (auth_name_check(ag, initiator_name) != 0) { 904274949Strasz login_send_error(request, 0x02, 0x02); 905274949Strasz log_errx(1, "initiator does not match allowed initiator names"); 906263720Strasz } 907263720Strasz 908274949Strasz if (auth_portal_check(ag, &conn->conn_initiator_sa) != 0) { 909274949Strasz login_send_error(request, 0x02, 0x02); 910274949Strasz log_errx(1, "initiator does not match allowed " 911274949Strasz "initiator portals"); 912263720Strasz } 913263720Strasz 914263720Strasz /* 915255570Strasz * Let's see if the initiator intends to do any kind of authentication 916255570Strasz * at all. 917255570Strasz */ 918255570Strasz if (login_csg(request) == BHSLR_STAGE_OPERATIONAL_NEGOTIATION) { 919255570Strasz if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) { 920255570Strasz login_send_error(request, 0x02, 0x01); 921255570Strasz log_errx(1, "initiator skipped the authentication, " 922255570Strasz "but authentication is required"); 923255570Strasz } 924255570Strasz 925255570Strasz keys_delete(request_keys); 926255570Strasz 927255570Strasz log_debugx("initiator skipped the authentication, " 928255570Strasz "and we don't need it; proceeding with negotiation"); 929255570Strasz login_negotiate(conn, request); 930255570Strasz return; 931255570Strasz } 932255570Strasz 933287026Smav fail = false; 934287026Smav response = login_new_response(request); 935287026Smav response_keys = keys_new(); 936287026Smav trans = (bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) != 0; 937287026Smav auth_method = keys_find(request_keys, "AuthMethod"); 938255570Strasz if (ag->ag_type == AG_TYPE_NO_AUTHENTICATION) { 939287026Smav log_debugx("authentication not required"); 940287026Smav if (auth_method == NULL || 941287026Smav login_list_contains(auth_method, "None")) { 942255570Strasz keys_add(response_keys, "AuthMethod", "None"); 943287026Smav } else { 944287026Smav log_warnx("initiator requests " 945287026Smav "AuthMethod \"%s\" instead of \"None\"", 946287026Smav auth_method); 947287026Smav keys_add(response_keys, "AuthMethod", "Reject"); 948255570Strasz } 949287026Smav if (trans) 950287026Smav login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 951287026Smav } else { 952287026Smav log_debugx("CHAP authentication required"); 953287026Smav if (auth_method == NULL || 954287026Smav login_list_contains(auth_method, "CHAP")) { 955287026Smav keys_add(response_keys, "AuthMethod", "CHAP"); 956287026Smav } else { 957287026Smav log_warnx("initiator requests unsupported " 958287026Smav "AuthMethod \"%s\" instead of \"CHAP\"", 959287026Smav auth_method); 960287026Smav keys_add(response_keys, "AuthMethod", "Reject"); 961287026Smav fail = true; 962287026Smav } 963255570Strasz } 964255570Strasz if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 965271701Strasz if (conn->conn_target->t_alias != NULL) 966271701Strasz keys_add(response_keys, 967271701Strasz "TargetAlias", conn->conn_target->t_alias); 968274947Strasz keys_add_int(response_keys, 969274947Strasz "TargetPortalGroupTag", pg->pg_tag); 970255570Strasz } 971255570Strasz keys_save(response_keys, response); 972255570Strasz 973255570Strasz pdu_send(response); 974255570Strasz pdu_delete(response); 975255570Strasz keys_delete(response_keys); 976255570Strasz pdu_delete(request); 977255570Strasz keys_delete(request_keys); 978255570Strasz 979287026Smav if (fail) { 980287026Smav log_debugx("sent reject for AuthMethod; exiting"); 981287026Smav exit(1); 982287026Smav } 983255570Strasz 984287026Smav if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) { 985287026Smav login_chap(conn, ag); 986287026Smav login_negotiate(conn, NULL); 987287026Smav } else if (trans) { 988287026Smav login_negotiate(conn, NULL); 989287026Smav } else { 990287026Smav login_wait_transition(conn); 991287026Smav } 992255570Strasz} 993