Hi Tejas, On Wed, 2014-05-28 at 13:18 +0530, Tejas Vaykole wrote:
> Hi,
> The target is failing to handle list of CHAP_A key-value pair form
> initiator.
> The target is expecting CHAP_A=5 always. In other cases, where (for
> example)
> CHAP_A=6,5 target is failing the security negotiation. Which is incorrect.
>
> This patch handles the case (RFC 3720 section 11.1.4).
> where in the initiator may send list of CHAP_A values and target replies
> with appropriate CHAP_A value in response.
>
The patch below is word-wrapped. Please re-send with formatting disabled following: https://www.kernel.org/doc/Documentation/email-clients.txt Also, there is code comment from yesterday's response that was not addressed in this patch. Please see below.
> The patch follows -
>
> From b6b92b426540160b8a0cd6d81fc12b2728b05681 Mon Sep 17 00:00:00 2001
> From: Tejas Vaykole <tejas.vaykole@xxxxxxxxxxxxxx>
> Date: Wed, 28 May 2014 11:32:11 +0530
> Subject: [PATCH] target: Target Error in handling CHAP_A in a List.
>
> The target is failing to handle list of CHAP_A key-value pair form
> initiator.
> The target is expecting CHAP_A=5 always. In other cases, where (for
> example)
> CHAP_A=6,5 target is failing the security negotiation. Which is incorrect.
>
> This patch handles the case (RFC 3720 section 11.1.4).
> where in the initiator may send list of CHAP_A values and target replies
> with appropriate CHAP_A value in response.
> ---
> drivers/target/iscsi/iscsi_target_auth.c | 81
> ++++++++++++++++++++++----------
> drivers/target/iscsi/iscsi_target_auth.h | 1 +
> 2 files changed, 56 insertions(+), 26 deletions(-)
>
> diff --git a/drivers/target/iscsi/iscsi_target_auth.c
> b/drivers/target/iscsi/iscsi_target_auth.c
> index de77d9a..df9da15 100644
> --- a/drivers/target/iscsi/iscsi_target_auth.c
> +++ b/drivers/target/iscsi/iscsi_target_auth.c
> @@ -72,6 +72,33 @@ static void chap_gen_challenge(
> }
>
>
> +static int check_algorithm(const char *a_str)
> +{
> + char *tmp = NULL;
> + char *token = NULL;
> + tmp = kstrdup(a_str, GFP_KERNEL);
> + if (!tmp) {
> + pr_err("Memory allocation failed for CHAP_A temperory buffer\n");
> + return CHAP_DIGEST_UNKNOWN;
> + }
> + token = strsep(&tmp , "=");
> + while (token) {
> + token = strsep(&tmp , ",");
> + if (!token) {
> + kfree(tmp);
> + return CHAP_DIGEST_UNKNOWN;
> + }
> + if (!strncmp(token, "5", 1)) {
> + pr_debug("Selected MD5 Algorithm\n");
> + kfree(tmp);
> + return CHAP_DIGEST_MD5;
> + }
> + }
> + kfree(tmp);
> + return CHAP_DIGEST_UNKNOWN;
> +}
> +
> +
> static struct iscsi_chap *chap_server_open(
> struct iscsi_conn *conn,
> struct iscsi_node_auth *auth,
> @@ -79,6 +106,7 @@ static struct iscsi_chap *chap_server_open(
> char *aic_str,
> unsigned int *aic_len)
> {
> + int ret;
> struct iscsi_chap *chap;
>
> if (!(auth->naf_flags & NAF_USERID_SET) ||
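Review bot: check_algorithm() hands the wrong pointer to kfree(): `strsep(&tmp, ...)` advances `tmp` on every call, so each `kfree(tmp)` receives either a pointer into the middle of the kstrdup() buffer (a match with list entries still remaining) or NULL once the string is consumed, which leaks the buffer. The string being parsed appears to be the peer's CHAP_A text from the login exchange, so which of those paths runs is decided by input the target has not yet authenticated. Keep the kstrdup() result in a second pointer and free that one on a single exit path, as sketched below. Separately, `strncmp(token, "5", 1)` accepts any entry that merely begins with 5, and the text in front of `=` is no longer checked to be CHAP_A; an exact compare such as `!strcmp(token, "5")` closes the first gap, assuming list entries carry no padding. The trailing `kfree(tmp); return CHAP_DIGEST_UNKNOWN;` after the loop is also unreachable as written, because the loop only leaves through the returns inside it.

```c
static int check_algorithm(const char *a_str)
{
	char *orig, *cursor, *token;
	int digest = CHAP_DIGEST_UNKNOWN;

	orig = cursor = kstrdup(a_str, GFP_KERNEL);
	if (!orig) {
		/* ... unchanged: pr_err and return CHAP_DIGEST_UNKNOWN ... */
	}
	/* Skip the key; strsep() moves cursor, orig keeps the allocation. */
	strsep(&cursor, "=");
	while ((token = strsep(&cursor, ",")) != NULL) {
		/* Whole-token match, so "50" is not taken for MD5. */
		if (!strcmp(token, "5")) {
			pr_debug("Selected MD5 Algorithm\n");
			digest = CHAP_DIGEST_MD5;
			break;
		}
	}
	kfree(orig);
	return digest;
}
```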
> @@ -93,34 +121,35 @@ static struct iscsi_chap *chap_server_open(
> return NULL;
>
> chap = conn->auth_protocol;
> - /*
> - * We only support MD5 MDA presently.
> - */
> - if (strncmp(a_str, "CHAP_A=5", 8)) {
> - pr_err("CHAP_A is not MD5.\n");
> + ret = check_algorithm(a_str);
> + switch (ret) {
> + case CHAP_DIGEST_MD5:
> + pr_debug("[server] Got CHAP_A=5\n");
> + /*
> + * Send back CHAP_A set to MD5.
> + */
> + *aic_len = sprintf(aic_str, "CHAP_A=5");
> + *aic_len += 1;
> + chap->digest_type = CHAP_DIGEST_MD5;
> + pr_debug("[server] Sending CHAP_A=%d\n", chap->digest_type);
> + /*
> + * Set Identifier.
> + */
> + chap->id = conn->tpg->tpg_chap_id++;
> + *aic_len += sprintf(aic_str + *aic_len, "CHAP_I=%d", chap->id);
> + *aic_len += 1;
> + pr_debug("[server] Sending CHAP_I=%d\n", chap->id);
> + /*
> + * Generate Challenge.
> + */
> + chap_gen_challenge(conn, 1, aic_str, aic_len);
> + return chap;
> + break;
> + case CHAP_DIGEST_UNKNOWN:
> + default:
> + pr_err("Unknown CHAP_A.\n");
> return NULL;
> }
> - pr_debug("[server] Got CHAP_A=5\n");
> - /*
> - * Send back CHAP_A set to MD5.
> - */
> - *aic_len = sprintf(aic_str, "CHAP_A=5");
> - *aic_len += 1;
> - chap->digest_type = CHAP_DIGEST_MD5;
> - pr_debug("[server] Sending CHAP_A=%d\n", chap->digest_type);
> - /*
> - * Set Identifier.
> - */
> - chap->id = conn->tpg->tpg_chap_id++;
> - *aic_len += sprintf(aic_str + *aic_len, "CHAP_I=%d", chap->id);
> - *aic_len += 1;
> - pr_debug("[server] Sending CHAP_I=%d\n", chap->id);
> - /*
> - * Generate Challenge.
> - */
> - chap_gen_challenge(conn, 1, aic_str, aic_len);
> -
> - return chap;
> }
The generation of the CHAP_A + CHAP_I + CHAP_C values for the login response are independent of the actual algorithm selected. That said, this code should be common to all algorithms, and not specific to CHAP_DIGEST_MD5 to avoid duplication if/when another algorithm is ever supported.
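Review bot: The `break;` that follows `return chap;` in the CHAP_DIGEST_MD5 case can never execute, and the `case CHAP_DIGEST_UNKNOWN:` label sitting directly on top of `default:` adds nothing; dropping both keeps the switch honest about its exits. The two `sprintf()` calls that write CHAP_A and CHAP_I into aic_str carry no length bound, and the buffer's capacity is not visible in this hunk, so it is worth confirming that the caller's buffer covers these fields plus whatever chap_gen_challenge() appends. chap_server_open() begins above the hunk, so the allocation of conn->auth_protocol and its cleanup on the `return NULL` path cannot be checked from here.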
--nab