login.c revision 286222
1/*- 2 * Copyright (c) 2012 The FreeBSD Foundation 3 * All rights reserved. 4 * 5 * This software was developed by Edward Tomasz Napierala under sponsorship 6 * from the FreeBSD Foundation. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 */ 30 31#include <sys/cdefs.h> 32__FBSDID("$FreeBSD: stable/10/usr.sbin/ctld/login.c 286222 2015-08-03 08:04:31Z trasz $"); 33 34#include <assert.h> 35#include <stdbool.h> 36#include <stdint.h> 37#include <stdio.h> 38#include <stdlib.h> 39#include <string.h> 40#include <unistd.h> 41#include <netinet/in.h> 42 43#include "ctld.h" 44#include "iscsi_proto.h" 45 46static void login_send_error(struct pdu *request, 47 char class, char detail); 48 49static void 50login_set_nsg(struct pdu *response, int nsg) 51{ 52 struct iscsi_bhs_login_response *bhslr; 53 54 assert(nsg == BHSLR_STAGE_SECURITY_NEGOTIATION || 55 nsg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 56 nsg == BHSLR_STAGE_FULL_FEATURE_PHASE); 57 58 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 59 60 bhslr->bhslr_flags &= 0xFC; 61 bhslr->bhslr_flags |= nsg; 62} 63 64static int 65login_csg(const struct pdu *request) 66{ 67 struct iscsi_bhs_login_request *bhslr; 68 69 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 70 71 return ((bhslr->bhslr_flags & 0x0C) >> 2); 72} 73 74static void 75login_set_csg(struct pdu *response, int csg) 76{ 77 struct iscsi_bhs_login_response *bhslr; 78 79 assert(csg == BHSLR_STAGE_SECURITY_NEGOTIATION || 80 csg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 81 csg == BHSLR_STAGE_FULL_FEATURE_PHASE); 82 83 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 84 85 bhslr->bhslr_flags &= 0xF3; 86 bhslr->bhslr_flags |= csg << 2; 87} 88 89static struct pdu * 90login_receive(struct connection *conn, bool initial) 91{ 92 struct pdu *request; 93 struct iscsi_bhs_login_request *bhslr; 94 95 request = pdu_new(conn); 96 pdu_receive(request); 97 if ((request->pdu_bhs->bhs_opcode & ~ISCSI_BHS_OPCODE_IMMEDIATE) != 98 ISCSI_BHS_OPCODE_LOGIN_REQUEST) { 99 /* 100 * The first PDU in session is special - if we receive any PDU 101 * different than login request, we have to drop the connection 102 * without sending response ("A target receiving any PDU 103 * except a Login request before the Login Phase is started MUST 104 * immediately terminate the connection on which the PDU 105 * was received.") 106 */ 107 if (initial == false) 108 login_send_error(request, 0x02, 0x0b); 109 log_errx(1, "protocol error: received invalid opcode 0x%x", 110 request->pdu_bhs->bhs_opcode); 111 } 112 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 113 /* 114 * XXX: Implement the C flag some day. 115 */ 116 if ((bhslr->bhslr_flags & BHSLR_FLAGS_CONTINUE) != 0) { 117 login_send_error(request, 0x03, 0x00); 118 log_errx(1, "received Login PDU with unsupported \"C\" flag"); 119 } 120 if (bhslr->bhslr_version_max != 0x00) { 121 login_send_error(request, 0x02, 0x05); 122 log_errx(1, "received Login PDU with unsupported " 123 "Version-max 0x%x", bhslr->bhslr_version_max); 124 } 125 if (bhslr->bhslr_version_min != 0x00) { 126 login_send_error(request, 0x02, 0x05); 127 log_errx(1, "received Login PDU with unsupported " 128 "Version-min 0x%x", bhslr->bhslr_version_min); 129 } 130 if (ISCSI_SNLT(ntohl(bhslr->bhslr_cmdsn), conn->conn_cmdsn)) { 131 login_send_error(request, 0x02, 0x05); 132 log_errx(1, "received Login PDU with decreasing CmdSN: " 133 "was %u, is %u", conn->conn_cmdsn, 134 ntohl(bhslr->bhslr_cmdsn)); 135 } 136 if (initial == false && 137 ntohl(bhslr->bhslr_expstatsn) != conn->conn_statsn) { 138 login_send_error(request, 0x02, 0x05); 139 log_errx(1, "received Login PDU with wrong ExpStatSN: " 140 "is %u, should be %u", ntohl(bhslr->bhslr_expstatsn), 141 conn->conn_statsn); 142 } 143 conn->conn_cmdsn = ntohl(bhslr->bhslr_cmdsn); 144 145 return (request); 146} 147 148static struct pdu * 149login_new_response(struct pdu *request) 150{ 151 struct pdu *response; 152 struct connection *conn; 153 struct iscsi_bhs_login_request *bhslr; 154 struct iscsi_bhs_login_response *bhslr2; 155 156 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 157 conn = request->pdu_connection; 158 159 response = pdu_new_response(request); 160 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 161 bhslr2->bhslr_opcode = ISCSI_BHS_OPCODE_LOGIN_RESPONSE; 162 login_set_csg(response, BHSLR_STAGE_SECURITY_NEGOTIATION); 163 memcpy(bhslr2->bhslr_isid, 164 bhslr->bhslr_isid, sizeof(bhslr2->bhslr_isid)); 165 bhslr2->bhslr_initiator_task_tag = bhslr->bhslr_initiator_task_tag; 166 bhslr2->bhslr_statsn = htonl(conn->conn_statsn++); 167 bhslr2->bhslr_expcmdsn = htonl(conn->conn_cmdsn); 168 bhslr2->bhslr_maxcmdsn = htonl(conn->conn_cmdsn); 169 170 return (response); 171} 172 173static void 174login_send_error(struct pdu *request, char class, char detail) 175{ 176 struct pdu *response; 177 struct iscsi_bhs_login_response *bhslr2; 178 179 log_debugx("sending Login Response PDU with failure class 0x%x/0x%x; " 180 "see next line for reason", class, detail); 181 response = login_new_response(request); 182 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 183 bhslr2->bhslr_status_class = class; 184 bhslr2->bhslr_status_detail = detail; 185 186 pdu_send(response); 187 pdu_delete(response); 188} 189 190static int 191login_list_contains(const char *list, const char *what) 192{ 193 char *tofree, *str, *token; 194 195 tofree = str = checked_strdup(list); 196 197 while ((token = strsep(&str, ",")) != NULL) { 198 if (strcmp(token, what) == 0) { 199 free(tofree); 200 return (1); 201 } 202 } 203 free(tofree); 204 return (0); 205} 206 207static int 208login_list_prefers(const char *list, 209 const char *choice1, const char *choice2) 210{ 211 char *tofree, *str, *token; 212 213 tofree = str = checked_strdup(list); 214 215 while ((token = strsep(&str, ",")) != NULL) { 216 if (strcmp(token, choice1) == 0) { 217 free(tofree); 218 return (1); 219 } 220 if (strcmp(token, choice2) == 0) { 221 free(tofree); 222 return (2); 223 } 224 } 225 free(tofree); 226 return (-1); 227} 228 229static struct pdu * 230login_receive_chap_a(struct connection *conn) 231{ 232 struct pdu *request; 233 struct keys *request_keys; 234 const char *chap_a; 235 236 request = login_receive(conn, false); 237 request_keys = keys_new(); 238 keys_load(request_keys, request); 239 240 chap_a = keys_find(request_keys, "CHAP_A"); 241 if (chap_a == NULL) { 242 login_send_error(request, 0x02, 0x07); 243 log_errx(1, "received CHAP Login PDU without CHAP_A"); 244 } 245 if (login_list_contains(chap_a, "5") == 0) { 246 login_send_error(request, 0x02, 0x01); 247 log_errx(1, "received CHAP Login PDU with unsupported CHAP_A " 248 "\"%s\"", chap_a); 249 } 250 keys_delete(request_keys); 251 252 return (request); 253} 254 255static void 256login_send_chap_c(struct pdu *request, struct chap *chap) 257{ 258 struct pdu *response; 259 struct keys *response_keys; 260 char *chap_c, *chap_i; 261 262 chap_c = chap_get_challenge(chap); 263 chap_i = chap_get_id(chap); 264 265 response = login_new_response(request); 266 response_keys = keys_new(); 267 keys_add(response_keys, "CHAP_A", "5"); 268 keys_add(response_keys, "CHAP_I", chap_i); 269 keys_add(response_keys, "CHAP_C", chap_c); 270 free(chap_i); 271 free(chap_c); 272 keys_save(response_keys, response); 273 pdu_send(response); 274 pdu_delete(response); 275 keys_delete(response_keys); 276} 277 278static struct pdu * 279login_receive_chap_r(struct connection *conn, struct auth_group *ag, 280 struct chap *chap, const struct auth **authp) 281{ 282 struct pdu *request; 283 struct keys *request_keys; 284 const char *chap_n, *chap_r; 285 const struct auth *auth; 286 int error; 287 288 request = login_receive(conn, false); 289 request_keys = keys_new(); 290 keys_load(request_keys, request); 291 292 chap_n = keys_find(request_keys, "CHAP_N"); 293 if (chap_n == NULL) { 294 login_send_error(request, 0x02, 0x07); 295 log_errx(1, "received CHAP Login PDU without CHAP_N"); 296 } 297 chap_r = keys_find(request_keys, "CHAP_R"); 298 if (chap_r == NULL) { 299 login_send_error(request, 0x02, 0x07); 300 log_errx(1, "received CHAP Login PDU without CHAP_R"); 301 } 302 error = chap_receive(chap, chap_r); 303 if (error != 0) { 304 login_send_error(request, 0x02, 0x07); 305 log_errx(1, "received CHAP Login PDU with malformed CHAP_R"); 306 } 307 308 /* 309 * Verify the response. 310 */ 311 assert(ag->ag_type == AG_TYPE_CHAP || 312 ag->ag_type == AG_TYPE_CHAP_MUTUAL); 313 auth = auth_find(ag, chap_n); 314 if (auth == NULL) { 315 login_send_error(request, 0x02, 0x01); 316 log_errx(1, "received CHAP Login with invalid user \"%s\"", 317 chap_n); 318 } 319 320 assert(auth->a_secret != NULL); 321 assert(strlen(auth->a_secret) > 0); 322 323 error = chap_authenticate(chap, auth->a_secret); 324 if (error != 0) { 325 login_send_error(request, 0x02, 0x01); 326 log_errx(1, "CHAP authentication failed for user \"%s\"", 327 auth->a_user); 328 } 329 330 keys_delete(request_keys); 331 332 *authp = auth; 333 return (request); 334} 335 336static void 337login_send_chap_success(struct pdu *request, 338 const struct auth *auth) 339{ 340 struct pdu *response; 341 struct keys *request_keys, *response_keys; 342 struct iscsi_bhs_login_response *bhslr2; 343 struct rchap *rchap; 344 const char *chap_i, *chap_c; 345 char *chap_r; 346 int error; 347 348 response = login_new_response(request); 349 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 350 bhslr2->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 351 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 352 353 /* 354 * Actually, one more thing: mutual authentication. 355 */ 356 request_keys = keys_new(); 357 keys_load(request_keys, request); 358 chap_i = keys_find(request_keys, "CHAP_I"); 359 chap_c = keys_find(request_keys, "CHAP_C"); 360 if (chap_i != NULL || chap_c != NULL) { 361 if (chap_i == NULL) { 362 login_send_error(request, 0x02, 0x07); 363 log_errx(1, "initiator requested target " 364 "authentication, but didn't send CHAP_I"); 365 } 366 if (chap_c == NULL) { 367 login_send_error(request, 0x02, 0x07); 368 log_errx(1, "initiator requested target " 369 "authentication, but didn't send CHAP_C"); 370 } 371 if (auth->a_auth_group->ag_type != AG_TYPE_CHAP_MUTUAL) { 372 login_send_error(request, 0x02, 0x01); 373 log_errx(1, "initiator requests target authentication " 374 "for user \"%s\", but mutual user/secret " 375 "is not set", auth->a_user); 376 } 377 378 log_debugx("performing mutual authentication as user \"%s\"", 379 auth->a_mutual_user); 380 381 rchap = rchap_new(auth->a_mutual_secret); 382 error = rchap_receive(rchap, chap_i, chap_c); 383 if (error != 0) { 384 login_send_error(request, 0x02, 0x07); 385 log_errx(1, "received CHAP Login PDU with malformed " 386 "CHAP_I or CHAP_C"); 387 } 388 chap_r = rchap_get_response(rchap); 389 rchap_delete(rchap); 390 response_keys = keys_new(); 391 keys_add(response_keys, "CHAP_N", auth->a_mutual_user); 392 keys_add(response_keys, "CHAP_R", chap_r); 393 free(chap_r); 394 keys_save(response_keys, response); 395 keys_delete(response_keys); 396 } else { 397 log_debugx("initiator did not request target authentication"); 398 } 399 400 keys_delete(request_keys); 401 pdu_send(response); 402 pdu_delete(response); 403} 404 405static void 406login_chap(struct connection *conn, struct auth_group *ag) 407{ 408 const struct auth *auth; 409 struct chap *chap; 410 struct pdu *request; 411 412 /* 413 * Receive CHAP_A PDU. 414 */ 415 log_debugx("beginning CHAP authentication; waiting for CHAP_A"); 416 request = login_receive_chap_a(conn); 417 418 /* 419 * Generate the challenge. 420 */ 421 chap = chap_new(); 422 423 /* 424 * Send the challenge. 425 */ 426 log_debugx("sending CHAP_C, binary challenge size is %zd bytes", 427 sizeof(chap->chap_challenge)); 428 login_send_chap_c(request, chap); 429 pdu_delete(request); 430 431 /* 432 * Receive CHAP_N/CHAP_R PDU and authenticate. 433 */ 434 log_debugx("waiting for CHAP_N/CHAP_R"); 435 request = login_receive_chap_r(conn, ag, chap, &auth); 436 437 /* 438 * Yay, authentication succeeded! 439 */ 440 log_debugx("authentication succeeded for user \"%s\"; " 441 "transitioning to Negotiation Phase", auth->a_user); 442 login_send_chap_success(request, auth); 443 pdu_delete(request); 444 445 /* 446 * Leave username and CHAP information for discovery(). 447 */ 448 conn->conn_user = auth->a_user; 449 conn->conn_chap = chap; 450} 451 452static void 453login_negotiate_key(struct pdu *request, const char *name, 454 const char *value, bool skipped_security, struct keys *response_keys) 455{ 456 int which, tmp; 457 struct connection *conn; 458 459 conn = request->pdu_connection; 460 461 if (strcmp(name, "InitiatorName") == 0) { 462 if (!skipped_security) 463 log_errx(1, "initiator resent InitiatorName"); 464 } else if (strcmp(name, "SessionType") == 0) { 465 if (!skipped_security) 466 log_errx(1, "initiator resent SessionType"); 467 } else if (strcmp(name, "TargetName") == 0) { 468 if (!skipped_security) 469 log_errx(1, "initiator resent TargetName"); 470 } else if (strcmp(name, "InitiatorAlias") == 0) { 471 if (conn->conn_initiator_alias != NULL) 472 free(conn->conn_initiator_alias); 473 conn->conn_initiator_alias = checked_strdup(value); 474 } else if (strcmp(value, "Irrelevant") == 0) { 475 /* Ignore. */ 476 } else if (strcmp(name, "HeaderDigest") == 0) { 477 /* 478 * We don't handle digests for discovery sessions. 479 */ 480 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 481 log_debugx("discovery session; digests disabled"); 482 keys_add(response_keys, name, "None"); 483 return; 484 } 485 486 which = login_list_prefers(value, "CRC32C", "None"); 487 switch (which) { 488 case 1: 489 log_debugx("initiator prefers CRC32C " 490 "for header digest; we'll use it"); 491 conn->conn_header_digest = CONN_DIGEST_CRC32C; 492 keys_add(response_keys, name, "CRC32C"); 493 break; 494 case 2: 495 log_debugx("initiator prefers not to do " 496 "header digest; we'll comply"); 497 keys_add(response_keys, name, "None"); 498 break; 499 default: 500 log_warnx("initiator sent unrecognized " 501 "HeaderDigest value \"%s\"; will use None", value); 502 keys_add(response_keys, name, "None"); 503 break; 504 } 505 } else if (strcmp(name, "DataDigest") == 0) { 506 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 507 log_debugx("discovery session; digests disabled"); 508 keys_add(response_keys, name, "None"); 509 return; 510 } 511 512 which = login_list_prefers(value, "CRC32C", "None"); 513 switch (which) { 514 case 1: 515 log_debugx("initiator prefers CRC32C " 516 "for data digest; we'll use it"); 517 conn->conn_data_digest = CONN_DIGEST_CRC32C; 518 keys_add(response_keys, name, "CRC32C"); 519 break; 520 case 2: 521 log_debugx("initiator prefers not to do " 522 "data digest; we'll comply"); 523 keys_add(response_keys, name, "None"); 524 break; 525 default: 526 log_warnx("initiator sent unrecognized " 527 "DataDigest value \"%s\"; will use None", value); 528 keys_add(response_keys, name, "None"); 529 break; 530 } 531 } else if (strcmp(name, "MaxConnections") == 0) { 532 keys_add(response_keys, name, "1"); 533 } else if (strcmp(name, "InitialR2T") == 0) { 534 keys_add(response_keys, name, "Yes"); 535 } else if (strcmp(name, "ImmediateData") == 0) { 536 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 537 log_debugx("discovery session; ImmediateData irrelevant"); 538 keys_add(response_keys, name, "Irrelevant"); 539 } else { 540 if (strcmp(value, "Yes") == 0) { 541 conn->conn_immediate_data = true; 542 keys_add(response_keys, name, "Yes"); 543 } else { 544 conn->conn_immediate_data = false; 545 keys_add(response_keys, name, "No"); 546 } 547 } 548 } else if (strcmp(name, "MaxRecvDataSegmentLength") == 0) { 549 tmp = strtoul(value, NULL, 10); 550 if (tmp <= 0) { 551 login_send_error(request, 0x02, 0x00); 552 log_errx(1, "received invalid " 553 "MaxRecvDataSegmentLength"); 554 } 555 if (tmp > MAX_DATA_SEGMENT_LENGTH) { 556 log_debugx("capping MaxRecvDataSegmentLength " 557 "from %d to %d", tmp, MAX_DATA_SEGMENT_LENGTH); 558 tmp = MAX_DATA_SEGMENT_LENGTH; 559 } 560 conn->conn_max_data_segment_length = tmp; 561 keys_add_int(response_keys, name, MAX_DATA_SEGMENT_LENGTH); 562 } else if (strcmp(name, "MaxBurstLength") == 0) { 563 tmp = strtoul(value, NULL, 10); 564 if (tmp <= 0) { 565 login_send_error(request, 0x02, 0x00); 566 log_errx(1, "received invalid MaxBurstLength"); 567 } 568 if (tmp > MAX_BURST_LENGTH) { 569 log_debugx("capping MaxBurstLength from %d to %d", 570 tmp, MAX_BURST_LENGTH); 571 tmp = MAX_BURST_LENGTH; 572 } 573 conn->conn_max_burst_length = tmp; 574 keys_add(response_keys, name, value); 575 } else if (strcmp(name, "FirstBurstLength") == 0) { 576 tmp = strtoul(value, NULL, 10); 577 if (tmp <= 0) { 578 login_send_error(request, 0x02, 0x00); 579 log_errx(1, "received invalid " 580 "FirstBurstLength"); 581 } 582 if (tmp > MAX_DATA_SEGMENT_LENGTH) { 583 log_debugx("capping FirstBurstLength from %d to %d", 584 tmp, MAX_DATA_SEGMENT_LENGTH); 585 tmp = MAX_DATA_SEGMENT_LENGTH; 586 } 587 /* 588 * We don't pass the value to the kernel; it only enforces 589 * hardcoded limit anyway. 590 */ 591 keys_add_int(response_keys, name, tmp); 592 } else if (strcmp(name, "DefaultTime2Wait") == 0) { 593 keys_add(response_keys, name, value); 594 } else if (strcmp(name, "DefaultTime2Retain") == 0) { 595 keys_add(response_keys, name, "0"); 596 } else if (strcmp(name, "MaxOutstandingR2T") == 0) { 597 keys_add(response_keys, name, "1"); 598 } else if (strcmp(name, "DataPDUInOrder") == 0) { 599 keys_add(response_keys, name, "Yes"); 600 } else if (strcmp(name, "DataSequenceInOrder") == 0) { 601 keys_add(response_keys, name, "Yes"); 602 } else if (strcmp(name, "ErrorRecoveryLevel") == 0) { 603 keys_add(response_keys, name, "0"); 604 } else if (strcmp(name, "OFMarker") == 0) { 605 keys_add(response_keys, name, "No"); 606 } else if (strcmp(name, "IFMarker") == 0) { 607 keys_add(response_keys, name, "No"); 608 } else { 609 log_debugx("unknown key \"%s\"; responding " 610 "with NotUnderstood", name); 611 keys_add(response_keys, name, "NotUnderstood"); 612 } 613} 614 615static void 616login_redirect(struct pdu *request, const char *target_address) 617{ 618 struct pdu *response; 619 struct iscsi_bhs_login_response *bhslr2; 620 struct keys *response_keys; 621 622 response = login_new_response(request); 623 login_set_csg(response, login_csg(request)); 624 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 625 bhslr2->bhslr_status_class = 0x01; 626 bhslr2->bhslr_status_detail = 0x01; 627 628 response_keys = keys_new(); 629 keys_add(response_keys, "TargetAddress", target_address); 630 631 keys_save(response_keys, response); 632 pdu_send(response); 633 pdu_delete(response); 634 keys_delete(response_keys); 635} 636 637static bool 638login_portal_redirect(struct connection *conn, struct pdu *request) 639{ 640 const struct portal_group *pg; 641 642 pg = conn->conn_portal->p_portal_group; 643 if (pg->pg_redirection == NULL) 644 return (false); 645 646 log_debugx("portal-group \"%s\" configured to redirect to %s", 647 pg->pg_name, pg->pg_redirection); 648 login_redirect(request, pg->pg_redirection); 649 650 return (true); 651} 652 653static bool 654login_target_redirect(struct connection *conn, struct pdu *request) 655{ 656 const char *target_address; 657 658 assert(conn->conn_portal->p_portal_group->pg_redirection == NULL); 659 660 if (conn->conn_target == NULL) 661 return (false); 662 663 target_address = conn->conn_target->t_redirection; 664 if (target_address == NULL) 665 return (false); 666 667 log_debugx("target \"%s\" configured to redirect to %s", 668 conn->conn_target->t_name, target_address); 669 login_redirect(request, target_address); 670 671 return (true); 672} 673 674static void 675login_negotiate(struct connection *conn, struct pdu *request) 676{ 677 struct pdu *response; 678 struct iscsi_bhs_login_response *bhslr2; 679 struct keys *request_keys, *response_keys; 680 int i; 681 bool redirected, skipped_security; 682 683 if (request == NULL) { 684 log_debugx("beginning operational parameter negotiation; " 685 "waiting for Login PDU"); 686 request = login_receive(conn, false); 687 skipped_security = false; 688 } else 689 skipped_security = true; 690 691 /* 692 * RFC 3720, 10.13.5. Status-Class and Status-Detail, says 693 * the redirection SHOULD be accepted by the initiator before 694 * authentication, but MUST be be accepted afterwards; that's 695 * why we're doing it here and not earlier. 696 */ 697 redirected = login_target_redirect(conn, request); 698 if (redirected) { 699 log_debugx("initiator redirected; exiting"); 700 exit(0); 701 } 702 703 request_keys = keys_new(); 704 keys_load(request_keys, request); 705 706 response = login_new_response(request); 707 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 708 bhslr2->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 709 bhslr2->bhslr_tsih = htons(0xbadd); 710 login_set_csg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 711 login_set_nsg(response, BHSLR_STAGE_FULL_FEATURE_PHASE); 712 response_keys = keys_new(); 713 714 if (skipped_security && 715 conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 716 if (conn->conn_target->t_alias != NULL) 717 keys_add(response_keys, 718 "TargetAlias", conn->conn_target->t_alias); 719 keys_add_int(response_keys, "TargetPortalGroupTag", 720 conn->conn_portal->p_portal_group->pg_tag); 721 } 722 723 for (i = 0; i < KEYS_MAX; i++) { 724 if (request_keys->keys_names[i] == NULL) 725 break; 726 727 login_negotiate_key(request, request_keys->keys_names[i], 728 request_keys->keys_values[i], skipped_security, 729 response_keys); 730 } 731 732 log_debugx("operational parameter negotiation done; " 733 "transitioning to Full Feature Phase"); 734 735 keys_save(response_keys, response); 736 pdu_send(response); 737 pdu_delete(response); 738 keys_delete(response_keys); 739 pdu_delete(request); 740 keys_delete(request_keys); 741} 742 743void 744login(struct connection *conn) 745{ 746 struct pdu *request, *response; 747 struct iscsi_bhs_login_request *bhslr; 748 struct iscsi_bhs_login_response *bhslr2; 749 struct keys *request_keys, *response_keys; 750 struct auth_group *ag; 751 struct portal_group *pg; 752 const char *initiator_name, *initiator_alias, *session_type, 753 *target_name, *auth_method; 754 bool redirected; 755 756 /* 757 * Handle the initial Login Request - figure out required authentication 758 * method and either transition to the next phase, if no authentication 759 * is required, or call appropriate authentication code. 760 */ 761 log_debugx("beginning Login Phase; waiting for Login PDU"); 762 request = login_receive(conn, true); 763 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 764 if (bhslr->bhslr_tsih != 0) { 765 login_send_error(request, 0x02, 0x0a); 766 log_errx(1, "received Login PDU with non-zero TSIH"); 767 } 768 769 pg = conn->conn_portal->p_portal_group; 770 771 memcpy(conn->conn_initiator_isid, bhslr->bhslr_isid, 772 sizeof(conn->conn_initiator_isid)); 773 774 /* 775 * XXX: Implement the C flag some day. 776 */ 777 request_keys = keys_new(); 778 keys_load(request_keys, request); 779 780 assert(conn->conn_initiator_name == NULL); 781 initiator_name = keys_find(request_keys, "InitiatorName"); 782 if (initiator_name == NULL) { 783 login_send_error(request, 0x02, 0x07); 784 log_errx(1, "received Login PDU without InitiatorName"); 785 } 786 if (valid_iscsi_name(initiator_name) == false) { 787 login_send_error(request, 0x02, 0x00); 788 log_errx(1, "received Login PDU with invalid InitiatorName"); 789 } 790 conn->conn_initiator_name = checked_strdup(initiator_name); 791 log_set_peer_name(conn->conn_initiator_name); 792 setproctitle("%s (%s)", conn->conn_initiator_addr, conn->conn_initiator_name); 793 794 redirected = login_portal_redirect(conn, request); 795 if (redirected) { 796 log_debugx("initiator redirected; exiting"); 797 exit(0); 798 } 799 800 initiator_alias = keys_find(request_keys, "InitiatorAlias"); 801 if (initiator_alias != NULL) 802 conn->conn_initiator_alias = checked_strdup(initiator_alias); 803 804 assert(conn->conn_session_type == CONN_SESSION_TYPE_NONE); 805 session_type = keys_find(request_keys, "SessionType"); 806 if (session_type != NULL) { 807 if (strcmp(session_type, "Normal") == 0) { 808 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 809 } else if (strcmp(session_type, "Discovery") == 0) { 810 conn->conn_session_type = CONN_SESSION_TYPE_DISCOVERY; 811 } else { 812 login_send_error(request, 0x02, 0x00); 813 log_errx(1, "received Login PDU with invalid " 814 "SessionType \"%s\"", session_type); 815 } 816 } else 817 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 818 819 assert(conn->conn_target == NULL); 820 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 821 target_name = keys_find(request_keys, "TargetName"); 822 if (target_name == NULL) { 823 login_send_error(request, 0x02, 0x07); 824 log_errx(1, "received Login PDU without TargetName"); 825 } 826 827 conn->conn_port = port_find_in_pg(pg, target_name); 828 if (conn->conn_port == NULL) { 829 login_send_error(request, 0x02, 0x03); 830 log_errx(1, "requested target \"%s\" not found", 831 target_name); 832 } 833 conn->conn_target = conn->conn_port->p_target; 834 } 835 836 /* 837 * At this point we know what kind of authentication we need. 838 */ 839 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 840 ag = conn->conn_port->p_auth_group; 841 if (ag == NULL) 842 ag = conn->conn_target->t_auth_group; 843 if (ag->ag_name != NULL) { 844 log_debugx("initiator requests to connect " 845 "to target \"%s\"; auth-group \"%s\"", 846 conn->conn_target->t_name, 847 ag->ag_name); 848 } else { 849 log_debugx("initiator requests to connect " 850 "to target \"%s\"", conn->conn_target->t_name); 851 } 852 } else { 853 assert(conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY); 854 ag = pg->pg_discovery_auth_group; 855 if (ag->ag_name != NULL) { 856 log_debugx("initiator requests " 857 "discovery session; auth-group \"%s\"", ag->ag_name); 858 } else { 859 log_debugx("initiator requests discovery session"); 860 } 861 } 862 863 /* 864 * Enforce initiator-name and initiator-portal. 865 */ 866 if (auth_name_check(ag, initiator_name) != 0) { 867 login_send_error(request, 0x02, 0x02); 868 log_errx(1, "initiator does not match allowed initiator names"); 869 } 870 871 if (auth_portal_check(ag, &conn->conn_initiator_sa) != 0) { 872 login_send_error(request, 0x02, 0x02); 873 log_errx(1, "initiator does not match allowed " 874 "initiator portals"); 875 } 876 877 /* 878 * Let's see if the initiator intends to do any kind of authentication 879 * at all. 880 */ 881 if (login_csg(request) == BHSLR_STAGE_OPERATIONAL_NEGOTIATION) { 882 if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) { 883 login_send_error(request, 0x02, 0x01); 884 log_errx(1, "initiator skipped the authentication, " 885 "but authentication is required"); 886 } 887 888 keys_delete(request_keys); 889 890 log_debugx("initiator skipped the authentication, " 891 "and we don't need it; proceeding with negotiation"); 892 login_negotiate(conn, request); 893 return; 894 } 895 896 if (ag->ag_type == AG_TYPE_NO_AUTHENTICATION) { 897 /* 898 * Initiator might want to to authenticate, 899 * but we don't need it. 900 */ 901 log_debugx("authentication not required; " 902 "transitioning to operational parameter negotiation"); 903 904 if ((bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) == 0) 905 log_warnx("initiator did not set the \"T\" flag; " 906 "transitioning anyway"); 907 908 response = login_new_response(request); 909 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 910 bhslr2->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 911 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 912 response_keys = keys_new(); 913 /* 914 * Required by Linux initiator. 915 */ 916 auth_method = keys_find(request_keys, "AuthMethod"); 917 if (auth_method != NULL && 918 login_list_contains(auth_method, "None")) 919 keys_add(response_keys, "AuthMethod", "None"); 920 921 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 922 if (conn->conn_target->t_alias != NULL) 923 keys_add(response_keys, 924 "TargetAlias", conn->conn_target->t_alias); 925 keys_add_int(response_keys, 926 "TargetPortalGroupTag", pg->pg_tag); 927 } 928 keys_save(response_keys, response); 929 pdu_send(response); 930 pdu_delete(response); 931 keys_delete(response_keys); 932 pdu_delete(request); 933 keys_delete(request_keys); 934 935 login_negotiate(conn, NULL); 936 return; 937 } 938 939 if (ag->ag_type == AG_TYPE_DENY) { 940 login_send_error(request, 0x02, 0x01); 941 log_errx(1, "auth-type is \"deny\""); 942 } 943 944 if (ag->ag_type == AG_TYPE_UNKNOWN) { 945 /* 946 * This can happen with empty auth-group. 947 */ 948 login_send_error(request, 0x02, 0x01); 949 log_errx(1, "auth-type not set, denying access"); 950 } 951 952 log_debugx("CHAP authentication required"); 953 954 auth_method = keys_find(request_keys, "AuthMethod"); 955 if (auth_method == NULL) { 956 login_send_error(request, 0x02, 0x07); 957 log_errx(1, "received Login PDU without AuthMethod"); 958 } 959 /* 960 * XXX: This should be Reject, not just a login failure (5.3.2). 961 */ 962 if (login_list_contains(auth_method, "CHAP") == 0) { 963 login_send_error(request, 0x02, 0x01); 964 log_errx(1, "initiator requests unsupported AuthMethod \"%s\" " 965 "instead of \"CHAP\"", auth_method); 966 } 967 968 response = login_new_response(request); 969 970 response_keys = keys_new(); 971 keys_add(response_keys, "AuthMethod", "CHAP"); 972 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 973 if (conn->conn_target->t_alias != NULL) 974 keys_add(response_keys, 975 "TargetAlias", conn->conn_target->t_alias); 976 keys_add_int(response_keys, 977 "TargetPortalGroupTag", pg->pg_tag); 978 } 979 keys_save(response_keys, response); 980 981 pdu_send(response); 982 pdu_delete(response); 983 keys_delete(response_keys); 984 pdu_delete(request); 985 keys_delete(request_keys); 986 987 login_chap(conn, ag); 988 989 login_negotiate(conn, NULL); 990} 991