login.c revision 274870
1/*- 2 * Copyright (c) 2012 The FreeBSD Foundation 3 * All rights reserved. 4 * 5 * This software was developed by Edward Tomasz Napierala under sponsorship 6 * from the FreeBSD Foundation. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31#include <sys/cdefs.h> 32__FBSDID("$FreeBSD: stable/10/usr.sbin/ctld/login.c 274870 2014-11-22 17:50:14Z trasz $"); 33 34#include <assert.h> 35#include <stdbool.h> 36#include <stdint.h> 37#include <stdio.h> 38#include <stdlib.h> 39#include <string.h> 40#include <unistd.h> 41#include <netinet/in.h> 42 43#include "ctld.h" 44#include "iscsi_proto.h" 45 46static void login_send_error(struct pdu *request, 47 char class, char detail); 48 49static void 50login_set_nsg(struct pdu *response, int nsg) 51{ 52 struct iscsi_bhs_login_response *bhslr; 53 54 assert(nsg == BHSLR_STAGE_SECURITY_NEGOTIATION || 55 nsg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 56 nsg == BHSLR_STAGE_FULL_FEATURE_PHASE); 57 58 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 59 60 bhslr->bhslr_flags &= 0xFC; 61 bhslr->bhslr_flags |= nsg; 62} 63 64static int 65login_csg(const struct pdu *request) 66{ 67 struct iscsi_bhs_login_request *bhslr; 68 69 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 70 71 return ((bhslr->bhslr_flags & 0x0C) >> 2); 72} 73 74static void 75login_set_csg(struct pdu *response, int csg) 76{ 77 struct iscsi_bhs_login_response *bhslr; 78 79 assert(csg == BHSLR_STAGE_SECURITY_NEGOTIATION || 80 csg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 81 csg == BHSLR_STAGE_FULL_FEATURE_PHASE); 82 83 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 84 85 bhslr->bhslr_flags &= 0xF3; 86 bhslr->bhslr_flags |= csg << 2; 87} 88 89static struct pdu * 90login_receive(struct connection *conn, bool initial) 91{ 92 struct pdu *request; 93 struct iscsi_bhs_login_request *bhslr; 94 95 request = pdu_new(conn); 96 pdu_receive(request); 97 if ((request->pdu_bhs->bhs_opcode & ~ISCSI_BHS_OPCODE_IMMEDIATE) != 98 ISCSI_BHS_OPCODE_LOGIN_REQUEST) { 99 /* 100 * The first PDU in session is special - if we receive any PDU 101 * different than login request, we have to drop the connection 102 * without sending response ("A target receiving any PDU 103 * except a Login request before the Login Phase is started MUST 104 * immediately terminate the connection on which the PDU 105 * was received.") 106 */ 107 if (initial == false) 108 login_send_error(request, 0x02, 0x0b); 109 log_errx(1, "protocol error: received invalid opcode 0x%x", 110 request->pdu_bhs->bhs_opcode); 111 } 112 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 113 /* 114 * XXX: Implement the C flag some day. 115 */ 116 if ((bhslr->bhslr_flags & BHSLR_FLAGS_CONTINUE) != 0) { 117 login_send_error(request, 0x03, 0x00); 118 log_errx(1, "received Login PDU with unsupported \"C\" flag"); 119 } 120 if (bhslr->bhslr_version_max != 0x00) { 121 login_send_error(request, 0x02, 0x05); 122 log_errx(1, "received Login PDU with unsupported " 123 "Version-max 0x%x", bhslr->bhslr_version_max); 124 } 125 if (bhslr->bhslr_version_min != 0x00) { 126 login_send_error(request, 0x02, 0x05); 127 log_errx(1, "received Login PDU with unsupported " 128 "Version-min 0x%x", bhslr->bhslr_version_min); 129 } 130 if (ntohl(bhslr->bhslr_cmdsn) < conn->conn_cmdsn) { 131 login_send_error(request, 0x02, 0x05); 132 log_errx(1, "received Login PDU with decreasing CmdSN: " 133 "was %d, is %d", conn->conn_cmdsn, 134 ntohl(bhslr->bhslr_cmdsn)); 135 } 136 if (initial == false && 137 ntohl(bhslr->bhslr_expstatsn) != conn->conn_statsn) { 138 login_send_error(request, 0x02, 0x05); 139 log_errx(1, "received Login PDU with wrong ExpStatSN: " 140 "is %d, should be %d", ntohl(bhslr->bhslr_expstatsn), 141 conn->conn_statsn); 142 } 143 conn->conn_cmdsn = ntohl(bhslr->bhslr_cmdsn); 144 145 return (request); 146} 147 148static struct pdu * 149login_new_response(struct pdu *request) 150{ 151 struct pdu *response; 152 struct connection *conn; 153 struct iscsi_bhs_login_request *bhslr; 154 struct iscsi_bhs_login_response *bhslr2; 155 156 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 157 conn = request->pdu_connection; 158 159 response = pdu_new_response(request); 160 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 161 bhslr2->bhslr_opcode = ISCSI_BHS_OPCODE_LOGIN_RESPONSE; 162 login_set_csg(response, BHSLR_STAGE_SECURITY_NEGOTIATION); 163 memcpy(bhslr2->bhslr_isid, 164 bhslr->bhslr_isid, sizeof(bhslr2->bhslr_isid)); 165 bhslr2->bhslr_initiator_task_tag = bhslr->bhslr_initiator_task_tag; 166 bhslr2->bhslr_statsn = htonl(conn->conn_statsn++); 167 bhslr2->bhslr_expcmdsn = htonl(conn->conn_cmdsn); 168 bhslr2->bhslr_maxcmdsn = htonl(conn->conn_cmdsn); 169 170 return (response); 171} 172 173static void 174login_send_error(struct pdu *request, char class, char detail) 175{ 176 struct pdu *response; 177 struct iscsi_bhs_login_response *bhslr2; 178 179 log_debugx("sending Login Response PDU with failure class 0x%x/0x%x; " 180 "see next line for reason", class, detail); 181 response = login_new_response(request); 182 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 183 bhslr2->bhslr_status_class = class; 184 bhslr2->bhslr_status_detail = detail; 185 186 pdu_send(response); 187 pdu_delete(response); 188} 189 190static int 191login_list_contains(const char *list, const char *what) 192{ 193 char *tofree, *str, *token; 194 195 tofree = str = checked_strdup(list); 196 197 while ((token = strsep(&str, ",")) != NULL) { 198 if (strcmp(token, what) == 0) { 199 free(tofree); 200 return (1); 201 } 202 } 203 free(tofree); 204 return (0); 205} 206 207static int 208login_list_prefers(const char *list, 209 const char *choice1, const char *choice2) 210{ 211 char *tofree, *str, *token; 212 213 tofree = str = checked_strdup(list); 214 215 while ((token = strsep(&str, ",")) != NULL) { 216 if (strcmp(token, choice1) == 0) { 217 free(tofree); 218 return (1); 219 } 220 if (strcmp(token, choice2) == 0) { 221 free(tofree); 222 return (2); 223 } 224 } 225 free(tofree); 226 return (-1); 227} 228 229static struct pdu * 230login_receive_chap_a(struct connection *conn) 231{ 232 struct pdu *request; 233 struct keys *request_keys; 234 const char *chap_a; 235 236 request = login_receive(conn, false); 237 request_keys = keys_new(); 238 keys_load(request_keys, request); 239 240 chap_a = keys_find(request_keys, "CHAP_A"); 241 if (chap_a == NULL) { 242 login_send_error(request, 0x02, 0x07); 243 log_errx(1, "received CHAP Login PDU without CHAP_A"); 244 } 245 if (login_list_contains(chap_a, "5") == 0) { 246 login_send_error(request, 0x02, 0x01); 247 log_errx(1, "received CHAP Login PDU with unsupported CHAP_A " 248 "\"%s\"", chap_a); 249 } 250 keys_delete(request_keys); 251 252 return (request); 253} 254 255static void 256login_send_chap_c(struct pdu *request, struct chap *chap) 257{ 258 struct pdu *response; 259 struct keys *response_keys; 260 char *chap_c, *chap_i; 261 262 chap_c = chap_get_challenge(chap); 263 chap_i = chap_get_id(chap); 264 265 response = login_new_response(request); 266 response_keys = keys_new(); 267 keys_add(response_keys, "CHAP_A", "5"); 268 keys_add(response_keys, "CHAP_I", chap_i); 269 keys_add(response_keys, "CHAP_C", chap_c); 270 free(chap_i); 271 free(chap_c); 272 keys_save(response_keys, response); 273 pdu_send(response); 274 pdu_delete(response); 275 keys_delete(response_keys); 276} 277 278static struct pdu * 279login_receive_chap_r(struct connection *conn, struct auth_group *ag, 280 struct chap *chap, const struct auth **authp) 281{ 282 struct pdu *request; 283 struct keys *request_keys; 284 const char *chap_n, *chap_r; 285 const struct auth *auth; 286 int error; 287 288 request = login_receive(conn, false); 289 request_keys = keys_new(); 290 keys_load(request_keys, request); 291 292 chap_n = keys_find(request_keys, "CHAP_N"); 293 if (chap_n == NULL) { 294 login_send_error(request, 0x02, 0x07); 295 log_errx(1, "received CHAP Login PDU without CHAP_N"); 296 } 297 chap_r = keys_find(request_keys, "CHAP_R"); 298 if (chap_r == NULL) { 299 login_send_error(request, 0x02, 0x07); 300 log_errx(1, "received CHAP Login PDU without CHAP_R"); 301 } 302 error = chap_receive(chap, chap_r); 303 if (error != 0) { 304 login_send_error(request, 0x02, 0x07); 305 log_errx(1, "received CHAP Login PDU with malformed CHAP_R"); 306 } 307 308 /* 309 * Verify the response. 310 */ 311 assert(ag->ag_type == AG_TYPE_CHAP || 312 ag->ag_type == AG_TYPE_CHAP_MUTUAL); 313 auth = auth_find(ag, chap_n); 314 if (auth == NULL) { 315 login_send_error(request, 0x02, 0x01); 316 log_errx(1, "received CHAP Login with invalid user \"%s\"", 317 chap_n); 318 } 319 320 assert(auth->a_secret != NULL); 321 assert(strlen(auth->a_secret) > 0); 322 323 error = chap_authenticate(chap, auth->a_secret); 324 if (error != 0) { 325 login_send_error(request, 0x02, 0x01); 326 log_errx(1, "CHAP authentication failed for user \"%s\"", 327 auth->a_user); 328 } 329 330 keys_delete(request_keys); 331 332 *authp = auth; 333 return (request); 334} 335 336static void 337login_send_chap_success(struct pdu *request, 338 const struct auth *auth) 339{ 340 struct pdu *response; 341 struct keys *request_keys, *response_keys; 342 struct iscsi_bhs_login_response *bhslr2; 343 struct rchap *rchap; 344 const char *chap_i, *chap_c; 345 char *chap_r; 346 int error; 347 348 response = login_new_response(request); 349 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 350 bhslr2->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 351 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 352 353 /* 354 * Actually, one more thing: mutual authentication. 355 */ 356 request_keys = keys_new(); 357 keys_load(request_keys, request); 358 chap_i = keys_find(request_keys, "CHAP_I"); 359 chap_c = keys_find(request_keys, "CHAP_C"); 360 if (chap_i != NULL || chap_c != NULL) { 361 if (chap_i == NULL) { 362 login_send_error(request, 0x02, 0x07); 363 log_errx(1, "initiator requested target " 364 "authentication, but didn't send CHAP_I"); 365 } 366 if (chap_c == NULL) { 367 login_send_error(request, 0x02, 0x07); 368 log_errx(1, "initiator requested target " 369 "authentication, but didn't send CHAP_C"); 370 } 371 if (auth->a_auth_group->ag_type != AG_TYPE_CHAP_MUTUAL) { 372 login_send_error(request, 0x02, 0x01); 373 log_errx(1, "initiator requests target authentication " 374 "for user \"%s\", but mutual user/secret " 375 "is not set", auth->a_user); 376 } 377 378 log_debugx("performing mutual authentication as user \"%s\"", 379 auth->a_mutual_user); 380 381 rchap = rchap_new(auth->a_mutual_secret); 382 error = rchap_receive(rchap, chap_i, chap_c); 383 if (error != 0) { 384 login_send_error(request, 0x02, 0x07); 385 log_errx(1, "received CHAP Login PDU with malformed " 386 "CHAP_I or CHAP_C"); 387 } 388 chap_r = rchap_get_response(rchap); 389 rchap_delete(rchap); 390 response_keys = keys_new(); 391 keys_add(response_keys, "CHAP_N", auth->a_mutual_user); 392 keys_add(response_keys, "CHAP_R", chap_r); 393 free(chap_r); 394 keys_save(response_keys, response); 395 keys_delete(response_keys); 396 } else { 397 log_debugx("initiator did not request target authentication"); 398 } 399 400 keys_delete(request_keys); 401 pdu_send(response); 402 pdu_delete(response); 403} 404 405static void 406login_chap(struct connection *conn, struct auth_group *ag) 407{ 408 const struct auth *auth; 409 struct chap *chap; 410 struct pdu *request; 411 412 /* 413 * Receive CHAP_A PDU. 414 */ 415 log_debugx("beginning CHAP authentication; waiting for CHAP_A"); 416 request = login_receive_chap_a(conn); 417 418 /* 419 * Generate the challenge. 420 */ 421 chap = chap_new(); 422 423 /* 424 * Send the challenge. 425 */ 426 log_debugx("sending CHAP_C, binary challenge size is %zd bytes", 427 sizeof(chap->chap_challenge)); 428 login_send_chap_c(request, chap); 429 pdu_delete(request); 430 431 /* 432 * Receive CHAP_N/CHAP_R PDU and authenticate. 433 */ 434 log_debugx("waiting for CHAP_N/CHAP_R"); 435 request = login_receive_chap_r(conn, ag, chap, &auth); 436 437 /* 438 * Yay, authentication succeeded! 439 */ 440 log_debugx("authentication succeeded for user \"%s\"; " 441 "transitioning to Negotiation Phase", auth->a_user); 442 login_send_chap_success(request, auth); 443 pdu_delete(request); 444 chap_delete(chap); 445} 446 447static void 448login_negotiate_key(struct pdu *request, const char *name, 449 const char *value, bool skipped_security, struct keys *response_keys) 450{ 451 int which, tmp; 452 struct connection *conn; 453 454 conn = request->pdu_connection; 455 456 if (strcmp(name, "InitiatorName") == 0) { 457 if (!skipped_security) 458 log_errx(1, "initiator resent InitiatorName"); 459 } else if (strcmp(name, "SessionType") == 0) { 460 if (!skipped_security) 461 log_errx(1, "initiator resent SessionType"); 462 } else if (strcmp(name, "TargetName") == 0) { 463 if (!skipped_security) 464 log_errx(1, "initiator resent TargetName"); 465 } else if (strcmp(name, "InitiatorAlias") == 0) { 466 if (conn->conn_initiator_alias != NULL) 467 free(conn->conn_initiator_alias); 468 conn->conn_initiator_alias = checked_strdup(value); 469 } else if (strcmp(value, "Irrelevant") == 0) { 470 /* Ignore. */ 471 } else if (strcmp(name, "HeaderDigest") == 0) { 472 /* 473 * We don't handle digests for discovery sessions. 474 */ 475 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 476 log_debugx("discovery session; digests disabled"); 477 keys_add(response_keys, name, "None"); 478 return; 479 } 480 481 which = login_list_prefers(value, "CRC32C", "None"); 482 switch (which) { 483 case 1: 484 log_debugx("initiator prefers CRC32C " 485 "for header digest; we'll use it"); 486 conn->conn_header_digest = CONN_DIGEST_CRC32C; 487 keys_add(response_keys, name, "CRC32C"); 488 break; 489 case 2: 490 log_debugx("initiator prefers not to do " 491 "header digest; we'll comply"); 492 keys_add(response_keys, name, "None"); 493 break; 494 default: 495 log_warnx("initiator sent unrecognized " 496 "HeaderDigest value \"%s\"; will use None", value); 497 keys_add(response_keys, name, "None"); 498 break; 499 } 500 } else if (strcmp(name, "DataDigest") == 0) { 501 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 502 log_debugx("discovery session; digests disabled"); 503 keys_add(response_keys, name, "None"); 504 return; 505 } 506 507 which = login_list_prefers(value, "CRC32C", "None"); 508 switch (which) { 509 case 1: 510 log_debugx("initiator prefers CRC32C " 511 "for data digest; we'll use it"); 512 conn->conn_data_digest = CONN_DIGEST_CRC32C; 513 keys_add(response_keys, name, "CRC32C"); 514 break; 515 case 2: 516 log_debugx("initiator prefers not to do " 517 "data digest; we'll comply"); 518 keys_add(response_keys, name, "None"); 519 break; 520 default: 521 log_warnx("initiator sent unrecognized " 522 "DataDigest value \"%s\"; will use None", value); 523 keys_add(response_keys, name, "None"); 524 break; 525 } 526 } else if (strcmp(name, "MaxConnections") == 0) { 527 keys_add(response_keys, name, "1"); 528 } else if (strcmp(name, "InitialR2T") == 0) { 529 keys_add(response_keys, name, "Yes"); 530 } else if (strcmp(name, "ImmediateData") == 0) { 531 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 532 log_debugx("discovery session; ImmediateData irrelevant"); 533 keys_add(response_keys, name, "Irrelevant"); 534 } else { 535 if (strcmp(value, "Yes") == 0) { 536 conn->conn_immediate_data = true; 537 keys_add(response_keys, name, "Yes"); 538 } else { 539 conn->conn_immediate_data = false; 540 keys_add(response_keys, name, "No"); 541 } 542 } 543 } else if (strcmp(name, "MaxRecvDataSegmentLength") == 0) { 544 tmp = strtoul(value, NULL, 10); 545 if (tmp <= 0) { 546 login_send_error(request, 0x02, 0x00); 547 log_errx(1, "received invalid " 548 "MaxRecvDataSegmentLength"); 549 } 550 if (tmp > MAX_DATA_SEGMENT_LENGTH) { 551 log_debugx("capping MaxRecvDataSegmentLength " 552 "from %d to %d", tmp, MAX_DATA_SEGMENT_LENGTH); 553 tmp = MAX_DATA_SEGMENT_LENGTH; 554 } 555 conn->conn_max_data_segment_length = tmp; 556 keys_add_int(response_keys, name, tmp); 557 } else if (strcmp(name, "MaxBurstLength") == 0) { 558 tmp = strtoul(value, NULL, 10); 559 if (tmp <= 0) { 560 login_send_error(request, 0x02, 0x00); 561 log_errx(1, "received invalid MaxBurstLength"); 562 } 563 if (tmp > MAX_BURST_LENGTH) { 564 log_debugx("capping MaxBurstLength from %d to %d", 565 tmp, MAX_BURST_LENGTH); 566 tmp = MAX_BURST_LENGTH; 567 } 568 conn->conn_max_burst_length = tmp; 569 keys_add(response_keys, name, value); 570 } else if (strcmp(name, "FirstBurstLength") == 0) { 571 tmp = strtoul(value, NULL, 10); 572 if (tmp <= 0) { 573 login_send_error(request, 0x02, 0x00); 574 log_errx(1, "received invalid " 575 "FirstBurstLength"); 576 } 577 if (tmp > MAX_DATA_SEGMENT_LENGTH) { 578 log_debugx("capping FirstBurstLength from %d to %d", 579 tmp, MAX_DATA_SEGMENT_LENGTH); 580 tmp = MAX_DATA_SEGMENT_LENGTH; 581 } 582 /* 583 * We don't pass the value to the kernel; it only enforces 584 * hardcoded limit anyway. 585 */ 586 keys_add_int(response_keys, name, tmp); 587 } else if (strcmp(name, "DefaultTime2Wait") == 0) { 588 keys_add(response_keys, name, value); 589 } else if (strcmp(name, "DefaultTime2Retain") == 0) { 590 keys_add(response_keys, name, "0"); 591 } else if (strcmp(name, "MaxOutstandingR2T") == 0) { 592 keys_add(response_keys, name, "1"); 593 } else if (strcmp(name, "DataPDUInOrder") == 0) { 594 keys_add(response_keys, name, "Yes"); 595 } else if (strcmp(name, "DataSequenceInOrder") == 0) { 596 keys_add(response_keys, name, "Yes"); 597 } else if (strcmp(name, "ErrorRecoveryLevel") == 0) { 598 keys_add(response_keys, name, "0"); 599 } else if (strcmp(name, "OFMarker") == 0) { 600 keys_add(response_keys, name, "No"); 601 } else if (strcmp(name, "IFMarker") == 0) { 602 keys_add(response_keys, name, "No"); 603 } else { 604 log_debugx("unknown key \"%s\"; responding " 605 "with NotUnderstood", name); 606 keys_add(response_keys, name, "NotUnderstood"); 607 } 608} 609 610static void 611login_negotiate(struct connection *conn, struct pdu *request) 612{ 613 struct pdu *response; 614 struct iscsi_bhs_login_response *bhslr2; 615 struct keys *request_keys, *response_keys; 616 int i; 617 bool skipped_security; 618 619 if (request == NULL) { 620 log_debugx("beginning operational parameter negotiation; " 621 "waiting for Login PDU"); 622 request = login_receive(conn, false); 623 skipped_security = false; 624 } else 625 skipped_security = true; 626 627 request_keys = keys_new(); 628 keys_load(request_keys, request); 629 630 response = login_new_response(request); 631 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 632 bhslr2->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 633 bhslr2->bhslr_tsih = htons(0xbadd); 634 login_set_csg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 635 login_set_nsg(response, BHSLR_STAGE_FULL_FEATURE_PHASE); 636 response_keys = keys_new(); 637 638 if (skipped_security && 639 conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 640 if (conn->conn_target->t_alias != NULL) 641 keys_add(response_keys, 642 "TargetAlias", conn->conn_target->t_alias); 643 keys_add_int(response_keys, "TargetPortalGroupTag", 644 conn->conn_portal->p_portal_group->pg_tag); 645 } 646 647 for (i = 0; i < KEYS_MAX; i++) { 648 if (request_keys->keys_names[i] == NULL) 649 break; 650 651 login_negotiate_key(request, request_keys->keys_names[i], 652 request_keys->keys_values[i], skipped_security, 653 response_keys); 654 } 655 656 log_debugx("operational parameter negotiation done; " 657 "transitioning to Full Feature Phase"); 658 659 keys_save(response_keys, response); 660 pdu_send(response); 661 pdu_delete(response); 662 keys_delete(response_keys); 663 pdu_delete(request); 664 keys_delete(request_keys); 665} 666 667void 668login(struct connection *conn) 669{ 670 struct pdu *request, *response; 671 struct iscsi_bhs_login_request *bhslr; 672 struct iscsi_bhs_login_response *bhslr2; 673 struct keys *request_keys, *response_keys; 674 struct auth_group *ag; 675 const char *initiator_name, *initiator_alias, *session_type, 676 *target_name, *auth_method; 677 678 /* 679 * Handle the initial Login Request - figure out required authentication 680 * method and either transition to the next phase, if no authentication 681 * is required, or call appropriate authentication code. 682 */ 683 log_debugx("beginning Login Phase; waiting for Login PDU"); 684 request = login_receive(conn, true); 685 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 686 if (bhslr->bhslr_tsih != 0) { 687 login_send_error(request, 0x02, 0x0a); 688 log_errx(1, "received Login PDU with non-zero TSIH"); 689 } 690 691 memcpy(conn->conn_initiator_isid, bhslr->bhslr_isid, 692 sizeof(conn->conn_initiator_isid)); 693 694 /* 695 * XXX: Implement the C flag some day. 696 */ 697 request_keys = keys_new(); 698 keys_load(request_keys, request); 699 700 assert(conn->conn_initiator_name == NULL); 701 initiator_name = keys_find(request_keys, "InitiatorName"); 702 if (initiator_name == NULL) { 703 login_send_error(request, 0x02, 0x07); 704 log_errx(1, "received Login PDU without InitiatorName"); 705 } 706 if (valid_iscsi_name(initiator_name) == false) { 707 login_send_error(request, 0x02, 0x00); 708 log_errx(1, "received Login PDU with invalid InitiatorName"); 709 } 710 conn->conn_initiator_name = checked_strdup(initiator_name); 711 log_set_peer_name(conn->conn_initiator_name); 712 /* 713 * XXX: This doesn't work (does nothing) because of Capsicum. 714 */ 715 setproctitle("%s (%s)", conn->conn_initiator_addr, conn->conn_initiator_name); 716 717 initiator_alias = keys_find(request_keys, "InitiatorAlias"); 718 if (initiator_alias != NULL) 719 conn->conn_initiator_alias = checked_strdup(initiator_alias); 720 721 assert(conn->conn_session_type == CONN_SESSION_TYPE_NONE); 722 session_type = keys_find(request_keys, "SessionType"); 723 if (session_type != NULL) { 724 if (strcmp(session_type, "Normal") == 0) { 725 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 726 } else if (strcmp(session_type, "Discovery") == 0) { 727 conn->conn_session_type = CONN_SESSION_TYPE_DISCOVERY; 728 } else { 729 login_send_error(request, 0x02, 0x00); 730 log_errx(1, "received Login PDU with invalid " 731 "SessionType \"%s\"", session_type); 732 } 733 } else 734 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 735 736 assert(conn->conn_target == NULL); 737 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 738 target_name = keys_find(request_keys, "TargetName"); 739 if (target_name == NULL) { 740 login_send_error(request, 0x02, 0x07); 741 log_errx(1, "received Login PDU without TargetName"); 742 } 743 744 conn->conn_target = 745 target_find(conn->conn_portal->p_portal_group->pg_conf, 746 target_name); 747 if (conn->conn_target == NULL) { 748 login_send_error(request, 0x02, 0x03); 749 log_errx(1, "requested target \"%s\" not found", 750 target_name); 751 } 752 } 753 754 /* 755 * At this point we know what kind of authentication we need. 756 */ 757 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 758 ag = conn->conn_target->t_auth_group; 759 if (ag->ag_name != NULL) { 760 log_debugx("initiator requests to connect " 761 "to target \"%s\"; auth-group \"%s\"", 762 conn->conn_target->t_name, 763 conn->conn_target->t_auth_group->ag_name); 764 } else { 765 log_debugx("initiator requests to connect " 766 "to target \"%s\"", conn->conn_target->t_name); 767 } 768 } else { 769 assert(conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY); 770 ag = conn->conn_portal->p_portal_group->pg_discovery_auth_group; 771 if (ag->ag_name != NULL) { 772 log_debugx("initiator requests " 773 "discovery session; auth-group \"%s\"", ag->ag_name); 774 } else { 775 log_debugx("initiator requests discovery session"); 776 } 777 } 778 779 /* 780 * Enforce initiator-name and initiator-portal. 781 */ 782 if (auth_name_defined(ag)) { 783 if (auth_name_find(ag, initiator_name) == NULL) { 784 login_send_error(request, 0x02, 0x02); 785 log_errx(1, "initiator does not match allowed " 786 "initiator names"); 787 } 788 log_debugx("initiator matches allowed initiator names"); 789 } else { 790 log_debugx("auth-group does not define initiator name " 791 "restrictions"); 792 } 793 794 if (auth_portal_defined(ag)) { 795 if (auth_portal_find(ag, &conn->conn_initiator_sa) == NULL) { 796 login_send_error(request, 0x02, 0x02); 797 log_errx(1, "initiator does not match allowed " 798 "initiator portals"); 799 } 800 log_debugx("initiator matches allowed initiator portals"); 801 } else { 802 log_debugx("auth-group does not define initiator portal " 803 "restrictions"); 804 } 805 806 /* 807 * Let's see if the initiator intends to do any kind of authentication 808 * at all. 809 */ 810 if (login_csg(request) == BHSLR_STAGE_OPERATIONAL_NEGOTIATION) { 811 if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) { 812 login_send_error(request, 0x02, 0x01); 813 log_errx(1, "initiator skipped the authentication, " 814 "but authentication is required"); 815 } 816 817 keys_delete(request_keys); 818 819 log_debugx("initiator skipped the authentication, " 820 "and we don't need it; proceeding with negotiation"); 821 login_negotiate(conn, request); 822 return; 823 } 824 825 if (ag->ag_type == AG_TYPE_NO_AUTHENTICATION) { 826 /* 827 * Initiator might want to to authenticate, 828 * but we don't need it. 829 */ 830 log_debugx("authentication not required; " 831 "transitioning to operational parameter negotiation"); 832 833 if ((bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) == 0) 834 log_warnx("initiator did not set the \"T\" flag; " 835 "transitioning anyway"); 836 837 response = login_new_response(request); 838 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 839 bhslr2->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 840 login_set_nsg(response, 841 BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 842 response_keys = keys_new(); 843 /* 844 * Required by Linux initiator. 845 */ 846 auth_method = keys_find(request_keys, "AuthMethod"); 847 if (auth_method != NULL && 848 login_list_contains(auth_method, "None")) 849 keys_add(response_keys, "AuthMethod", "None"); 850 851 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 852 if (conn->conn_target->t_alias != NULL) 853 keys_add(response_keys, 854 "TargetAlias", conn->conn_target->t_alias); 855 keys_add_int(response_keys, "TargetPortalGroupTag", 856 conn->conn_portal->p_portal_group->pg_tag); 857 } 858 keys_save(response_keys, response); 859 pdu_send(response); 860 pdu_delete(response); 861 keys_delete(response_keys); 862 pdu_delete(request); 863 keys_delete(request_keys); 864 865 login_negotiate(conn, NULL); 866 return; 867 } 868 869 if (ag->ag_type == AG_TYPE_DENY) { 870 login_send_error(request, 0x02, 0x01); 871 log_errx(1, "auth-type is \"deny\""); 872 } 873 874 if (ag->ag_type == AG_TYPE_UNKNOWN) { 875 /* 876 * This can happen with empty auth-group. 877 */ 878 login_send_error(request, 0x02, 0x01); 879 log_errx(1, "auth-type not set, denying access"); 880 } 881 882 log_debugx("CHAP authentication required"); 883 884 auth_method = keys_find(request_keys, "AuthMethod"); 885 if (auth_method == NULL) { 886 login_send_error(request, 0x02, 0x07); 887 log_errx(1, "received Login PDU without AuthMethod"); 888 } 889 /* 890 * XXX: This should be Reject, not just a login failure (5.3.2). 891 */ 892 if (login_list_contains(auth_method, "CHAP") == 0) { 893 login_send_error(request, 0x02, 0x01); 894 log_errx(1, "initiator requests unsupported AuthMethod \"%s\" " 895 "instead of \"CHAP\"", auth_method); 896 } 897 898 response = login_new_response(request); 899 900 response_keys = keys_new(); 901 keys_add(response_keys, "AuthMethod", "CHAP"); 902 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 903 if (conn->conn_target->t_alias != NULL) 904 keys_add(response_keys, 905 "TargetAlias", conn->conn_target->t_alias); 906 keys_add_int(response_keys, "TargetPortalGroupTag", 907 conn->conn_portal->p_portal_group->pg_tag); 908 } 909 keys_save(response_keys, response); 910 911 pdu_send(response); 912 pdu_delete(response); 913 keys_delete(response_keys); 914 pdu_delete(request); 915 keys_delete(request_keys); 916 917 login_chap(conn, ag); 918 919 login_negotiate(conn, NULL); 920} 921