login.c revision 274866
1/*- 2 * Copyright (c) 2012 The FreeBSD Foundation 3 * All rights reserved. 4 * 5 * This software was developed by Edward Tomasz Napierala under sponsorship 6 * from the FreeBSD Foundation. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31#include <sys/cdefs.h> 32__FBSDID("$FreeBSD: stable/10/usr.sbin/ctld/login.c 274866 2014-11-22 17:39:39Z trasz $"); 33 34#include <assert.h> 35#include <stdbool.h> 36#include <stdint.h> 37#include <stdio.h> 38#include <stdlib.h> 39#include <string.h> 40#include <unistd.h> 41#include <netinet/in.h> 42 43#include "ctld.h" 44#include "iscsi_proto.h" 45 46static void login_send_error(struct pdu *request, 47 char class, char detail); 48 49static void 50login_set_nsg(struct pdu *response, int nsg) 51{ 52 struct iscsi_bhs_login_response *bhslr; 53 54 assert(nsg == BHSLR_STAGE_SECURITY_NEGOTIATION || 55 nsg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 56 nsg == BHSLR_STAGE_FULL_FEATURE_PHASE); 57 58 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 59 60 bhslr->bhslr_flags &= 0xFC; 61 bhslr->bhslr_flags |= nsg; 62} 63 64static int 65login_csg(const struct pdu *request) 66{ 67 struct iscsi_bhs_login_request *bhslr; 68 69 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 70 71 return ((bhslr->bhslr_flags & 0x0C) >> 2); 72} 73 74static void 75login_set_csg(struct pdu *response, int csg) 76{ 77 struct iscsi_bhs_login_response *bhslr; 78 79 assert(csg == BHSLR_STAGE_SECURITY_NEGOTIATION || 80 csg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 81 csg == BHSLR_STAGE_FULL_FEATURE_PHASE); 82 83 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 84 85 bhslr->bhslr_flags &= 0xF3; 86 bhslr->bhslr_flags |= csg << 2; 87} 88 89static struct pdu * 90login_receive(struct connection *conn, bool initial) 91{ 92 struct pdu *request; 93 struct iscsi_bhs_login_request *bhslr; 94 95 request = pdu_new(conn); 96 pdu_receive(request); 97 if ((request->pdu_bhs->bhs_opcode & ~ISCSI_BHS_OPCODE_IMMEDIATE) != 98 ISCSI_BHS_OPCODE_LOGIN_REQUEST) { 99 /* 100 * The first PDU in session is special - if we receive any PDU 101 * different than login request, we have to drop the connection 102 * without sending response ("A target receiving any PDU 103 * except a Login request before the Login Phase is started MUST 104 * immediately terminate the connection on which the PDU 105 * was received.") 106 */ 107 if (initial == false) 108 login_send_error(request, 0x02, 0x0b); 109 log_errx(1, "protocol error: received invalid opcode 0x%x", 110 request->pdu_bhs->bhs_opcode); 111 } 112 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 113 /* 114 * XXX: Implement the C flag some day. 115 */ 116 if ((bhslr->bhslr_flags & BHSLR_FLAGS_CONTINUE) != 0) { 117 login_send_error(request, 0x03, 0x00); 118 log_errx(1, "received Login PDU with unsupported \"C\" flag"); 119 } 120 if (bhslr->bhslr_version_max != 0x00) { 121 login_send_error(request, 0x02, 0x05); 122 log_errx(1, "received Login PDU with unsupported " 123 "Version-max 0x%x", bhslr->bhslr_version_max); 124 } 125 if (bhslr->bhslr_version_min != 0x00) { 126 login_send_error(request, 0x02, 0x05); 127 log_errx(1, "received Login PDU with unsupported " 128 "Version-min 0x%x", bhslr->bhslr_version_min); 129 } 130 if (ntohl(bhslr->bhslr_cmdsn) < conn->conn_cmdsn) { 131 login_send_error(request, 0x02, 0x05); 132 log_errx(1, "received Login PDU with decreasing CmdSN: " 133 "was %d, is %d", conn->conn_cmdsn, 134 ntohl(bhslr->bhslr_cmdsn)); 135 } 136 if (initial == false && 137 ntohl(bhslr->bhslr_expstatsn) != conn->conn_statsn) { 138 login_send_error(request, 0x02, 0x05); 139 log_errx(1, "received Login PDU with wrong ExpStatSN: " 140 "is %d, should be %d", ntohl(bhslr->bhslr_expstatsn), 141 conn->conn_statsn); 142 } 143 conn->conn_cmdsn = ntohl(bhslr->bhslr_cmdsn); 144 145 return (request); 146} 147 148static struct pdu * 149login_new_response(struct pdu *request) 150{ 151 struct pdu *response; 152 struct connection *conn; 153 struct iscsi_bhs_login_request *bhslr; 154 struct iscsi_bhs_login_response *bhslr2; 155 156 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 157 conn = request->pdu_connection; 158 159 response = pdu_new_response(request); 160 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 161 bhslr2->bhslr_opcode = ISCSI_BHS_OPCODE_LOGIN_RESPONSE; 162 login_set_csg(response, BHSLR_STAGE_SECURITY_NEGOTIATION); 163 memcpy(bhslr2->bhslr_isid, 164 bhslr->bhslr_isid, sizeof(bhslr2->bhslr_isid)); 165 bhslr2->bhslr_initiator_task_tag = bhslr->bhslr_initiator_task_tag; 166 bhslr2->bhslr_statsn = htonl(conn->conn_statsn++); 167 bhslr2->bhslr_expcmdsn = htonl(conn->conn_cmdsn); 168 bhslr2->bhslr_maxcmdsn = htonl(conn->conn_cmdsn); 169 170 return (response); 171} 172 173static void 174login_send_error(struct pdu *request, char class, char detail) 175{ 176 struct pdu *response; 177 struct iscsi_bhs_login_response *bhslr2; 178 179 log_debugx("sending Login Response PDU with failure class 0x%x/0x%x; " 180 "see next line for reason", class, detail); 181 response = login_new_response(request); 182 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 183 bhslr2->bhslr_status_class = class; 184 bhslr2->bhslr_status_detail = detail; 185 186 pdu_send(response); 187 pdu_delete(response); 188} 189 190static int 191login_list_contains(const char *list, const char *what) 192{ 193 char *tofree, *str, *token; 194 195 tofree = str = checked_strdup(list); 196 197 while ((token = strsep(&str, ",")) != NULL) { 198 if (strcmp(token, what) == 0) { 199 free(tofree); 200 return (1); 201 } 202 } 203 free(tofree); 204 return (0); 205} 206 207static int 208login_list_prefers(const char *list, 209 const char *choice1, const char *choice2) 210{ 211 char *tofree, *str, *token; 212 213 tofree = str = checked_strdup(list); 214 215 while ((token = strsep(&str, ",")) != NULL) { 216 if (strcmp(token, choice1) == 0) { 217 free(tofree); 218 return (1); 219 } 220 if (strcmp(token, choice2) == 0) { 221 free(tofree); 222 return (2); 223 } 224 } 225 free(tofree); 226 return (-1); 227} 228 229static struct pdu * 230login_receive_chap_a(struct connection *conn) 231{ 232 struct pdu *request; 233 struct keys *request_keys; 234 const char *chap_a; 235 236 request = login_receive(conn, false); 237 request_keys = keys_new(); 238 keys_load(request_keys, request); 239 240 chap_a = keys_find(request_keys, "CHAP_A"); 241 if (chap_a == NULL) { 242 login_send_error(request, 0x02, 0x07); 243 log_errx(1, "received CHAP Login PDU without CHAP_A"); 244 } 245 if (login_list_contains(chap_a, "5") == 0) { 246 login_send_error(request, 0x02, 0x01); 247 log_errx(1, "received CHAP Login PDU with unsupported CHAP_A " 248 "\"%s\"", chap_a); 249 } 250 keys_delete(request_keys); 251 252 return (request); 253} 254 255static void 256login_send_chap_c(struct pdu *request, struct chap *chap) 257{ 258 struct pdu *response; 259 struct keys *response_keys; 260 char *chap_c, *chap_i; 261 262 chap_c = chap_get_challenge(chap); 263 chap_i = chap_get_id(chap); 264 265 response = login_new_response(request); 266 response_keys = keys_new(); 267 keys_add(response_keys, "CHAP_A", "5"); 268 keys_add(response_keys, "CHAP_I", chap_i); 269 keys_add(response_keys, "CHAP_C", chap_c); 270 free(chap_i); 271 free(chap_c); 272 keys_save(response_keys, response); 273 pdu_send(response); 274 pdu_delete(response); 275 keys_delete(response_keys); 276} 277 278static struct pdu * 279login_receive_chap_r(struct connection *conn, struct auth_group *ag, 280 struct chap *chap, const struct auth **authp) 281{ 282 struct pdu *request; 283 struct keys *request_keys; 284 const char *chap_n, *chap_r; 285 const struct auth *auth; 286 int error; 287 288 request = login_receive(conn, false); 289 request_keys = keys_new(); 290 keys_load(request_keys, request); 291 292 chap_n = keys_find(request_keys, "CHAP_N"); 293 if (chap_n == NULL) { 294 login_send_error(request, 0x02, 0x07); 295 log_errx(1, "received CHAP Login PDU without CHAP_N"); 296 } 297 chap_r = keys_find(request_keys, "CHAP_R"); 298 if (chap_r == NULL) { 299 login_send_error(request, 0x02, 0x07); 300 log_errx(1, "received CHAP Login PDU without CHAP_R"); 301 } 302 error = chap_receive(chap, chap_r); 303 if (error != 0) { 304 login_send_error(request, 0x02, 0x07); 305 log_errx(1, "received CHAP Login PDU with malformed CHAP_R"); 306 } 307 308 /* 309 * Verify the response. 310 */ 311 assert(ag->ag_type == AG_TYPE_CHAP || 312 ag->ag_type == AG_TYPE_CHAP_MUTUAL); 313 auth = auth_find(ag, chap_n); 314 if (auth == NULL) { 315 login_send_error(request, 0x02, 0x01); 316 log_errx(1, "received CHAP Login with invalid user \"%s\"", 317 chap_n); 318 } 319 320 assert(auth->a_secret != NULL); 321 assert(strlen(auth->a_secret) > 0); 322 323 error = chap_authenticate(chap, auth->a_secret); 324 if (error != 0) { 325 login_send_error(request, 0x02, 0x01); 326 log_errx(1, "CHAP authentication failed for user \"%s\"", 327 auth->a_user); 328 } 329 330 keys_delete(request_keys); 331 332 *authp = auth; 333 return (request); 334} 335 336static void 337login_send_chap_success(struct pdu *request, 338 const struct auth *auth) 339{ 340 struct pdu *response; 341 struct keys *request_keys, *response_keys; 342 struct iscsi_bhs_login_response *bhslr2; 343 struct rchap *rchap; 344 const char *chap_i, *chap_c; 345 char *chap_r; 346 int error; 347 348 response = login_new_response(request); 349 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 350 bhslr2->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 351 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 352 353 /* 354 * Actually, one more thing: mutual authentication. 355 */ 356 request_keys = keys_new(); 357 keys_load(request_keys, request); 358 chap_i = keys_find(request_keys, "CHAP_I"); 359 chap_c = keys_find(request_keys, "CHAP_C"); 360 if (chap_i != NULL || chap_c != NULL) { 361 if (chap_i == NULL) { 362 login_send_error(request, 0x02, 0x07); 363 log_errx(1, "initiator requested target " 364 "authentication, but didn't send CHAP_I"); 365 } 366 if (chap_c == NULL) { 367 login_send_error(request, 0x02, 0x07); 368 log_errx(1, "initiator requested target " 369 "authentication, but didn't send CHAP_C"); 370 } 371 if (auth->a_auth_group->ag_type != AG_TYPE_CHAP_MUTUAL) { 372 login_send_error(request, 0x02, 0x01); 373 log_errx(1, "initiator requests target authentication " 374 "for user \"%s\", but mutual user/secret " 375 "is not set", auth->a_user); 376 } 377 378 log_debugx("performing mutual authentication as user \"%s\"", 379 auth->a_mutual_user); 380 381 rchap = rchap_new(auth->a_mutual_secret); 382 error = rchap_receive(rchap, chap_i, chap_c); 383 if (error != 0) { 384 login_send_error(request, 0x02, 0x07); 385 log_errx(1, "received CHAP Login PDU with malformed " 386 "CHAP_I or CHAP_C"); 387 } 388 chap_r = rchap_get_response(rchap); 389 rchap_delete(rchap); 390 response_keys = keys_new(); 391 keys_add(response_keys, "CHAP_N", auth->a_mutual_user); 392 keys_add(response_keys, "CHAP_R", chap_r); 393 free(chap_r); 394 keys_save(response_keys, response); 395 keys_delete(response_keys); 396 } else { 397 log_debugx("initiator did not request target authentication"); 398 } 399 400 keys_delete(request_keys); 401 pdu_send(response); 402 pdu_delete(response); 403} 404 405static void 406login_chap(struct connection *conn, struct auth_group *ag) 407{ 408 const struct auth *auth; 409 struct chap *chap; 410 struct pdu *request; 411 412 /* 413 * Receive CHAP_A PDU. 414 */ 415 log_debugx("beginning CHAP authentication; waiting for CHAP_A"); 416 request = login_receive_chap_a(conn); 417 418 /* 419 * Generate the challenge. 420 */ 421 chap = chap_new(); 422 423 /* 424 * Send the challenge. 425 */ 426 log_debugx("sending CHAP_C, binary challenge size is %zd bytes", 427 sizeof(chap->chap_challenge)); 428 login_send_chap_c(request, chap); 429 pdu_delete(request); 430 431 /* 432 * Receive CHAP_N/CHAP_R PDU and authenticate. 433 */ 434 log_debugx("waiting for CHAP_N/CHAP_R"); 435 request = login_receive_chap_r(conn, ag, chap, &auth); 436 437 /* 438 * Yay, authentication succeeded! 439 */ 440 log_debugx("authentication succeeded for user \"%s\"; " 441 "transitioning to Negotiation Phase", auth->a_user); 442 login_send_chap_success(request, auth); 443 pdu_delete(request); 444 chap_delete(chap); 445} 446 447static void 448login_negotiate_key(struct pdu *request, const char *name, 449 const char *value, bool skipped_security, struct keys *response_keys) 450{ 451 int which, tmp; 452 struct connection *conn; 453 454 conn = request->pdu_connection; 455 456 if (strcmp(name, "InitiatorName") == 0) { 457 if (!skipped_security) 458 log_errx(1, "initiator resent InitiatorName"); 459 } else if (strcmp(name, "SessionType") == 0) { 460 if (!skipped_security) 461 log_errx(1, "initiator resent SessionType"); 462 } else if (strcmp(name, "TargetName") == 0) { 463 if (!skipped_security) 464 log_errx(1, "initiator resent TargetName"); 465 } else if (strcmp(name, "InitiatorAlias") == 0) { 466 if (conn->conn_initiator_alias != NULL) 467 free(conn->conn_initiator_alias); 468 conn->conn_initiator_alias = checked_strdup(value); 469 } else if (strcmp(value, "Irrelevant") == 0) { 470 /* Ignore. */ 471 } else if (strcmp(name, "HeaderDigest") == 0) { 472 /* 473 * We don't handle digests for discovery sessions. 474 */ 475 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 476 log_debugx("discovery session; digests disabled"); 477 keys_add(response_keys, name, "None"); 478 return; 479 } 480 481 which = login_list_prefers(value, "CRC32C", "None"); 482 switch (which) { 483 case 1: 484 log_debugx("initiator prefers CRC32C " 485 "for header digest; we'll use it"); 486 conn->conn_header_digest = CONN_DIGEST_CRC32C; 487 keys_add(response_keys, name, "CRC32C"); 488 break; 489 case 2: 490 log_debugx("initiator prefers not to do " 491 "header digest; we'll comply"); 492 keys_add(response_keys, name, "None"); 493 break; 494 default: 495 log_warnx("initiator sent unrecognized " 496 "HeaderDigest value \"%s\"; will use None", value); 497 keys_add(response_keys, name, "None"); 498 break; 499 } 500 } else if (strcmp(name, "DataDigest") == 0) { 501 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 502 log_debugx("discovery session; digests disabled"); 503 keys_add(response_keys, name, "None"); 504 return; 505 } 506 507 which = login_list_prefers(value, "CRC32C", "None"); 508 switch (which) { 509 case 1: 510 log_debugx("initiator prefers CRC32C " 511 "for data digest; we'll use it"); 512 conn->conn_data_digest = CONN_DIGEST_CRC32C; 513 keys_add(response_keys, name, "CRC32C"); 514 break; 515 case 2: 516 log_debugx("initiator prefers not to do " 517 "data digest; we'll comply"); 518 keys_add(response_keys, name, "None"); 519 break; 520 default: 521 log_warnx("initiator sent unrecognized " 522 "DataDigest value \"%s\"; will use None", value); 523 keys_add(response_keys, name, "None"); 524 break; 525 } 526 } else if (strcmp(name, "MaxConnections") == 0) { 527 keys_add(response_keys, name, "1"); 528 } else if (strcmp(name, "InitialR2T") == 0) { 529 keys_add(response_keys, name, "Yes"); 530 } else if (strcmp(name, "ImmediateData") == 0) { 531 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 532 log_debugx("discovery session; ImmediateData irrelevant"); 533 keys_add(response_keys, name, "Irrelevant"); 534 } else { 535 if (strcmp(value, "Yes") == 0) { 536 conn->conn_immediate_data = true; 537 keys_add(response_keys, name, "Yes"); 538 } else { 539 conn->conn_immediate_data = false; 540 keys_add(response_keys, name, "No"); 541 } 542 } 543 } else if (strcmp(name, "MaxRecvDataSegmentLength") == 0) { 544 tmp = strtoul(value, NULL, 10); 545 if (tmp <= 0) { 546 login_send_error(request, 0x02, 0x00); 547 log_errx(1, "received invalid " 548 "MaxRecvDataSegmentLength"); 549 } 550 if (tmp > MAX_DATA_SEGMENT_LENGTH) { 551 log_debugx("capping MaxRecvDataSegmentLength " 552 "from %d to %d", tmp, MAX_DATA_SEGMENT_LENGTH); 553 tmp = MAX_DATA_SEGMENT_LENGTH; 554 } 555 conn->conn_max_data_segment_length = tmp; 556 keys_add_int(response_keys, name, tmp); 557 } else if (strcmp(name, "MaxBurstLength") == 0) { 558 tmp = strtoul(value, NULL, 10); 559 if (tmp <= 0) { 560 login_send_error(request, 0x02, 0x00); 561 log_errx(1, "received invalid MaxBurstLength"); 562 } 563 if (tmp > MAX_BURST_LENGTH) { 564 log_debugx("capping MaxBurstLength from %d to %d", 565 tmp, MAX_BURST_LENGTH); 566 tmp = MAX_BURST_LENGTH; 567 } 568 conn->conn_max_burst_length = tmp; 569 keys_add(response_keys, name, value); 570 } else if (strcmp(name, "FirstBurstLength") == 0) { 571 tmp = strtoul(value, NULL, 10); 572 if (tmp <= 0) { 573 login_send_error(request, 0x02, 0x00); 574 log_errx(1, "received invalid " 575 "FirstBurstLength"); 576 } 577 if (tmp > MAX_DATA_SEGMENT_LENGTH) { 578 log_debugx("capping FirstBurstLength from %d to %d", 579 tmp, MAX_DATA_SEGMENT_LENGTH); 580 tmp = MAX_DATA_SEGMENT_LENGTH; 581 } 582 /* 583 * We don't pass the value to the kernel; it only enforces 584 * hardcoded limit anyway. 585 */ 586 keys_add_int(response_keys, name, tmp); 587 } else if (strcmp(name, "DefaultTime2Wait") == 0) { 588 keys_add(response_keys, name, value); 589 } else if (strcmp(name, "DefaultTime2Retain") == 0) { 590 keys_add(response_keys, name, "0"); 591 } else if (strcmp(name, "MaxOutstandingR2T") == 0) { 592 keys_add(response_keys, name, "1"); 593 } else if (strcmp(name, "DataPDUInOrder") == 0) { 594 keys_add(response_keys, name, "Yes"); 595 } else if (strcmp(name, "DataSequenceInOrder") == 0) { 596 keys_add(response_keys, name, "Yes"); 597 } else if (strcmp(name, "ErrorRecoveryLevel") == 0) { 598 keys_add(response_keys, name, "0"); 599 } else if (strcmp(name, "OFMarker") == 0) { 600 keys_add(response_keys, name, "No"); 601 } else if (strcmp(name, "IFMarker") == 0) { 602 keys_add(response_keys, name, "No"); 603 } else { 604 log_debugx("unknown key \"%s\"; responding " 605 "with NotUnderstood", name); 606 keys_add(response_keys, name, "NotUnderstood"); 607 } 608} 609 610static void 611login_negotiate(struct connection *conn, struct pdu *request) 612{ 613 struct pdu *response; 614 struct iscsi_bhs_login_response *bhslr2; 615 struct keys *request_keys, *response_keys; 616 char *portal_group_tag; 617 int i, rv; 618 bool skipped_security; 619 620 if (request == NULL) { 621 log_debugx("beginning operational parameter negotiation; " 622 "waiting for Login PDU"); 623 request = login_receive(conn, false); 624 skipped_security = false; 625 } else 626 skipped_security = true; 627 628 request_keys = keys_new(); 629 keys_load(request_keys, request); 630 631 response = login_new_response(request); 632 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 633 bhslr2->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 634 bhslr2->bhslr_tsih = htons(0xbadd); 635 login_set_csg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 636 login_set_nsg(response, BHSLR_STAGE_FULL_FEATURE_PHASE); 637 response_keys = keys_new(); 638 639 if (skipped_security && 640 conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 641 if (conn->conn_target->t_alias != NULL) 642 keys_add(response_keys, 643 "TargetAlias", conn->conn_target->t_alias); 644 rv = asprintf(&portal_group_tag, "%d", 645 conn->conn_portal->p_portal_group->pg_tag); 646 if (rv <= 0) 647 log_err(1, "asprintf"); 648 keys_add(response_keys, 649 "TargetPortalGroupTag", portal_group_tag); 650 free(portal_group_tag); 651 } 652 653 for (i = 0; i < KEYS_MAX; i++) { 654 if (request_keys->keys_names[i] == NULL) 655 break; 656 657 login_negotiate_key(request, request_keys->keys_names[i], 658 request_keys->keys_values[i], skipped_security, 659 response_keys); 660 } 661 662 log_debugx("operational parameter negotiation done; " 663 "transitioning to Full Feature Phase"); 664 665 keys_save(response_keys, response); 666 pdu_send(response); 667 pdu_delete(response); 668 keys_delete(response_keys); 669 pdu_delete(request); 670 keys_delete(request_keys); 671} 672 673void 674login(struct connection *conn) 675{ 676 struct pdu *request, *response; 677 struct iscsi_bhs_login_request *bhslr; 678 struct iscsi_bhs_login_response *bhslr2; 679 struct keys *request_keys, *response_keys; 680 struct auth_group *ag; 681 const char *initiator_name, *initiator_alias, *session_type, 682 *target_name, *auth_method; 683 char *portal_group_tag; 684 int rv; 685 686 /* 687 * Handle the initial Login Request - figure out required authentication 688 * method and either transition to the next phase, if no authentication 689 * is required, or call appropriate authentication code. 690 */ 691 log_debugx("beginning Login Phase; waiting for Login PDU"); 692 request = login_receive(conn, true); 693 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 694 if (bhslr->bhslr_tsih != 0) { 695 login_send_error(request, 0x02, 0x0a); 696 log_errx(1, "received Login PDU with non-zero TSIH"); 697 } 698 699 memcpy(conn->conn_initiator_isid, bhslr->bhslr_isid, 700 sizeof(conn->conn_initiator_isid)); 701 702 /* 703 * XXX: Implement the C flag some day. 704 */ 705 request_keys = keys_new(); 706 keys_load(request_keys, request); 707 708 assert(conn->conn_initiator_name == NULL); 709 initiator_name = keys_find(request_keys, "InitiatorName"); 710 if (initiator_name == NULL) { 711 login_send_error(request, 0x02, 0x07); 712 log_errx(1, "received Login PDU without InitiatorName"); 713 } 714 if (valid_iscsi_name(initiator_name) == false) { 715 login_send_error(request, 0x02, 0x00); 716 log_errx(1, "received Login PDU with invalid InitiatorName"); 717 } 718 conn->conn_initiator_name = checked_strdup(initiator_name); 719 log_set_peer_name(conn->conn_initiator_name); 720 /* 721 * XXX: This doesn't work (does nothing) because of Capsicum. 722 */ 723 setproctitle("%s (%s)", conn->conn_initiator_addr, conn->conn_initiator_name); 724 725 initiator_alias = keys_find(request_keys, "InitiatorAlias"); 726 if (initiator_alias != NULL) 727 conn->conn_initiator_alias = checked_strdup(initiator_alias); 728 729 assert(conn->conn_session_type == CONN_SESSION_TYPE_NONE); 730 session_type = keys_find(request_keys, "SessionType"); 731 if (session_type != NULL) { 732 if (strcmp(session_type, "Normal") == 0) { 733 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 734 } else if (strcmp(session_type, "Discovery") == 0) { 735 conn->conn_session_type = CONN_SESSION_TYPE_DISCOVERY; 736 } else { 737 login_send_error(request, 0x02, 0x00); 738 log_errx(1, "received Login PDU with invalid " 739 "SessionType \"%s\"", session_type); 740 } 741 } else 742 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 743 744 assert(conn->conn_target == NULL); 745 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 746 target_name = keys_find(request_keys, "TargetName"); 747 if (target_name == NULL) { 748 login_send_error(request, 0x02, 0x07); 749 log_errx(1, "received Login PDU without TargetName"); 750 } 751 752 conn->conn_target = 753 target_find(conn->conn_portal->p_portal_group->pg_conf, 754 target_name); 755 if (conn->conn_target == NULL) { 756 login_send_error(request, 0x02, 0x03); 757 log_errx(1, "requested target \"%s\" not found", 758 target_name); 759 } 760 } 761 762 /* 763 * At this point we know what kind of authentication we need. 764 */ 765 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 766 ag = conn->conn_target->t_auth_group; 767 if (ag->ag_name != NULL) { 768 log_debugx("initiator requests to connect " 769 "to target \"%s\"; auth-group \"%s\"", 770 conn->conn_target->t_name, 771 conn->conn_target->t_auth_group->ag_name); 772 } else { 773 log_debugx("initiator requests to connect " 774 "to target \"%s\"", conn->conn_target->t_name); 775 } 776 } else { 777 assert(conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY); 778 ag = conn->conn_portal->p_portal_group->pg_discovery_auth_group; 779 if (ag->ag_name != NULL) { 780 log_debugx("initiator requests " 781 "discovery session; auth-group \"%s\"", ag->ag_name); 782 } else { 783 log_debugx("initiator requests discovery session"); 784 } 785 } 786 787 /* 788 * Enforce initiator-name and initiator-portal. 789 */ 790 if (auth_name_defined(ag)) { 791 if (auth_name_find(ag, initiator_name) == NULL) { 792 login_send_error(request, 0x02, 0x02); 793 log_errx(1, "initiator does not match allowed " 794 "initiator names"); 795 } 796 log_debugx("initiator matches allowed initiator names"); 797 } else { 798 log_debugx("auth-group does not define initiator name " 799 "restrictions"); 800 } 801 802 if (auth_portal_defined(ag)) { 803 if (auth_portal_find(ag, &conn->conn_initiator_sa) == NULL) { 804 login_send_error(request, 0x02, 0x02); 805 log_errx(1, "initiator does not match allowed " 806 "initiator portals"); 807 } 808 log_debugx("initiator matches allowed initiator portals"); 809 } else { 810 log_debugx("auth-group does not define initiator portal " 811 "restrictions"); 812 } 813 814 /* 815 * Let's see if the initiator intends to do any kind of authentication 816 * at all. 817 */ 818 if (login_csg(request) == BHSLR_STAGE_OPERATIONAL_NEGOTIATION) { 819 if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) { 820 login_send_error(request, 0x02, 0x01); 821 log_errx(1, "initiator skipped the authentication, " 822 "but authentication is required"); 823 } 824 825 keys_delete(request_keys); 826 827 log_debugx("initiator skipped the authentication, " 828 "and we don't need it; proceeding with negotiation"); 829 login_negotiate(conn, request); 830 return; 831 } 832 833 if (ag->ag_type == AG_TYPE_NO_AUTHENTICATION) { 834 /* 835 * Initiator might want to to authenticate, 836 * but we don't need it. 837 */ 838 log_debugx("authentication not required; " 839 "transitioning to operational parameter negotiation"); 840 841 if ((bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) == 0) 842 log_warnx("initiator did not set the \"T\" flag; " 843 "transitioning anyway"); 844 845 response = login_new_response(request); 846 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 847 bhslr2->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 848 login_set_nsg(response, 849 BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 850 response_keys = keys_new(); 851 /* 852 * Required by Linux initiator. 853 */ 854 auth_method = keys_find(request_keys, "AuthMethod"); 855 if (auth_method != NULL && 856 login_list_contains(auth_method, "None")) 857 keys_add(response_keys, "AuthMethod", "None"); 858 859 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 860 if (conn->conn_target->t_alias != NULL) 861 keys_add(response_keys, 862 "TargetAlias", conn->conn_target->t_alias); 863 rv = asprintf(&portal_group_tag, "%d", 864 conn->conn_portal->p_portal_group->pg_tag); 865 if (rv <= 0) 866 log_err(1, "asprintf"); 867 keys_add(response_keys, 868 "TargetPortalGroupTag", portal_group_tag); 869 free(portal_group_tag); 870 } 871 keys_save(response_keys, response); 872 pdu_send(response); 873 pdu_delete(response); 874 keys_delete(response_keys); 875 pdu_delete(request); 876 keys_delete(request_keys); 877 878 login_negotiate(conn, NULL); 879 return; 880 } 881 882 if (ag->ag_type == AG_TYPE_DENY) { 883 login_send_error(request, 0x02, 0x01); 884 log_errx(1, "auth-type is \"deny\""); 885 } 886 887 if (ag->ag_type == AG_TYPE_UNKNOWN) { 888 /* 889 * This can happen with empty auth-group. 890 */ 891 login_send_error(request, 0x02, 0x01); 892 log_errx(1, "auth-type not set, denying access"); 893 } 894 895 log_debugx("CHAP authentication required"); 896 897 auth_method = keys_find(request_keys, "AuthMethod"); 898 if (auth_method == NULL) { 899 login_send_error(request, 0x02, 0x07); 900 log_errx(1, "received Login PDU without AuthMethod"); 901 } 902 /* 903 * XXX: This should be Reject, not just a login failure (5.3.2). 904 */ 905 if (login_list_contains(auth_method, "CHAP") == 0) { 906 login_send_error(request, 0x02, 0x01); 907 log_errx(1, "initiator requests unsupported AuthMethod \"%s\" " 908 "instead of \"CHAP\"", auth_method); 909 } 910 911 response = login_new_response(request); 912 913 response_keys = keys_new(); 914 keys_add(response_keys, "AuthMethod", "CHAP"); 915 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 916 if (conn->conn_target->t_alias != NULL) 917 keys_add(response_keys, 918 "TargetAlias", conn->conn_target->t_alias); 919 rv = asprintf(&portal_group_tag, "%d", 920 conn->conn_portal->p_portal_group->pg_tag); 921 if (rv <= 0) 922 log_err(1, "asprintf"); 923 keys_add(response_keys, 924 "TargetPortalGroupTag", portal_group_tag); 925 free(portal_group_tag); 926 } 927 keys_save(response_keys, response); 928 929 pdu_send(response); 930 pdu_delete(response); 931 keys_delete(response_keys); 932 pdu_delete(request); 933 keys_delete(request_keys); 934 935 login_chap(conn, ag); 936 937 login_negotiate(conn, NULL); 938} 939