login.c revision 332583
1/*- 2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD 3 * 4 * Copyright (c) 2012 The FreeBSD Foundation 5 * All rights reserved. 6 * 7 * This software was developed by Edward Tomasz Napierala under sponsorship 8 * from the FreeBSD Foundation. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 */ 32 33#include <sys/cdefs.h> 34__FBSDID("$FreeBSD: stable/11/usr.sbin/ctld/login.c 332583 2018-04-16 15:53:44Z trasz $"); 35 36#include <assert.h> 37#include <stdbool.h> 38#include <stdlib.h> 39#include <string.h> 40#include <unistd.h> 41#include <netinet/in.h> 42 43#include "ctld.h" 44#include "iscsi_proto.h" 45 46static void login_send_error(struct pdu *request, 47 char class, char detail); 48 49static void 50login_set_nsg(struct pdu *response, int nsg) 51{ 52 struct iscsi_bhs_login_response *bhslr; 53 54 assert(nsg == BHSLR_STAGE_SECURITY_NEGOTIATION || 55 nsg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 56 nsg == BHSLR_STAGE_FULL_FEATURE_PHASE); 57 58 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 59 60 bhslr->bhslr_flags &= 0xFC; 61 bhslr->bhslr_flags |= nsg; 62 bhslr->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 63} 64 65static int 66login_csg(const struct pdu *request) 67{ 68 struct iscsi_bhs_login_request *bhslr; 69 70 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 71 72 return ((bhslr->bhslr_flags & 0x0C) >> 2); 73} 74 75static void 76login_set_csg(struct pdu *response, int csg) 77{ 78 struct iscsi_bhs_login_response *bhslr; 79 80 assert(csg == BHSLR_STAGE_SECURITY_NEGOTIATION || 81 csg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 82 csg == BHSLR_STAGE_FULL_FEATURE_PHASE); 83 84 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 85 86 bhslr->bhslr_flags &= 0xF3; 87 bhslr->bhslr_flags |= csg << 2; 88} 89 90static struct pdu * 91login_receive(struct connection *conn, bool initial) 92{ 93 struct pdu *request; 94 struct iscsi_bhs_login_request *bhslr; 95 96 request = pdu_new(conn); 97 pdu_receive(request); 98 if ((request->pdu_bhs->bhs_opcode & ~ISCSI_BHS_OPCODE_IMMEDIATE) != 99 ISCSI_BHS_OPCODE_LOGIN_REQUEST) { 100 /* 101 * The first PDU in session is special - if we receive any PDU 102 * different than login request, we have to drop the connection 103 * without sending response ("A target receiving any PDU 104 * except a Login request before the Login Phase is started MUST 105 * immediately terminate the connection on which the PDU 106 * was received.") 107 */ 108 if (initial == false) 109 login_send_error(request, 0x02, 0x0b); 110 log_errx(1, "protocol error: received invalid opcode 0x%x", 111 request->pdu_bhs->bhs_opcode); 112 } 113 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 114 /* 115 * XXX: Implement the C flag some day. 116 */ 117 if ((bhslr->bhslr_flags & BHSLR_FLAGS_CONTINUE) != 0) { 118 login_send_error(request, 0x03, 0x00); 119 log_errx(1, "received Login PDU with unsupported \"C\" flag"); 120 } 121 if (bhslr->bhslr_version_max != 0x00) { 122 login_send_error(request, 0x02, 0x05); 123 log_errx(1, "received Login PDU with unsupported " 124 "Version-max 0x%x", bhslr->bhslr_version_max); 125 } 126 if (bhslr->bhslr_version_min != 0x00) { 127 login_send_error(request, 0x02, 0x05); 128 log_errx(1, "received Login PDU with unsupported " 129 "Version-min 0x%x", bhslr->bhslr_version_min); 130 } 131 if (initial == false && 132 ISCSI_SNLT(ntohl(bhslr->bhslr_cmdsn), conn->conn_cmdsn)) { 133 login_send_error(request, 0x02, 0x00); 134 log_errx(1, "received Login PDU with decreasing CmdSN: " 135 "was %u, is %u", conn->conn_cmdsn, 136 ntohl(bhslr->bhslr_cmdsn)); 137 } 138 if (initial == false && 139 ntohl(bhslr->bhslr_expstatsn) != conn->conn_statsn) { 140 login_send_error(request, 0x02, 0x00); 141 log_errx(1, "received Login PDU with wrong ExpStatSN: " 142 "is %u, should be %u", ntohl(bhslr->bhslr_expstatsn), 143 conn->conn_statsn); 144 } 145 conn->conn_cmdsn = ntohl(bhslr->bhslr_cmdsn); 146 147 return (request); 148} 149 150static struct pdu * 151login_new_response(struct pdu *request) 152{ 153 struct pdu *response; 154 struct connection *conn; 155 struct iscsi_bhs_login_request *bhslr; 156 struct iscsi_bhs_login_response *bhslr2; 157 158 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 159 conn = request->pdu_connection; 160 161 response = pdu_new_response(request); 162 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 163 bhslr2->bhslr_opcode = ISCSI_BHS_OPCODE_LOGIN_RESPONSE; 164 login_set_csg(response, BHSLR_STAGE_SECURITY_NEGOTIATION); 165 memcpy(bhslr2->bhslr_isid, 166 bhslr->bhslr_isid, sizeof(bhslr2->bhslr_isid)); 167 bhslr2->bhslr_initiator_task_tag = bhslr->bhslr_initiator_task_tag; 168 bhslr2->bhslr_statsn = htonl(conn->conn_statsn++); 169 bhslr2->bhslr_expcmdsn = htonl(conn->conn_cmdsn); 170 bhslr2->bhslr_maxcmdsn = htonl(conn->conn_cmdsn); 171 172 return (response); 173} 174 175static void 176login_send_error(struct pdu *request, char class, char detail) 177{ 178 struct pdu *response; 179 struct iscsi_bhs_login_response *bhslr2; 180 181 log_debugx("sending Login Response PDU with failure class 0x%x/0x%x; " 182 "see next line for reason", class, detail); 183 response = login_new_response(request); 184 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 185 bhslr2->bhslr_status_class = class; 186 bhslr2->bhslr_status_detail = detail; 187 188 pdu_send(response); 189 pdu_delete(response); 190} 191 192static int 193login_list_contains(const char *list, const char *what) 194{ 195 char *tofree, *str, *token; 196 197 tofree = str = checked_strdup(list); 198 199 while ((token = strsep(&str, ",")) != NULL) { 200 if (strcmp(token, what) == 0) { 201 free(tofree); 202 return (1); 203 } 204 } 205 free(tofree); 206 return (0); 207} 208 209static int 210login_list_prefers(const char *list, 211 const char *choice1, const char *choice2) 212{ 213 char *tofree, *str, *token; 214 215 tofree = str = checked_strdup(list); 216 217 while ((token = strsep(&str, ",")) != NULL) { 218 if (strcmp(token, choice1) == 0) { 219 free(tofree); 220 return (1); 221 } 222 if (strcmp(token, choice2) == 0) { 223 free(tofree); 224 return (2); 225 } 226 } 227 free(tofree); 228 return (-1); 229} 230 231static struct pdu * 232login_receive_chap_a(struct connection *conn) 233{ 234 struct pdu *request; 235 struct keys *request_keys; 236 const char *chap_a; 237 238 request = login_receive(conn, false); 239 request_keys = keys_new(); 240 keys_load(request_keys, request); 241 242 chap_a = keys_find(request_keys, "CHAP_A"); 243 if (chap_a == NULL) { 244 login_send_error(request, 0x02, 0x07); 245 log_errx(1, "received CHAP Login PDU without CHAP_A"); 246 } 247 if (login_list_contains(chap_a, "5") == 0) { 248 login_send_error(request, 0x02, 0x01); 249 log_errx(1, "received CHAP Login PDU with unsupported CHAP_A " 250 "\"%s\"", chap_a); 251 } 252 keys_delete(request_keys); 253 254 return (request); 255} 256 257static void 258login_send_chap_c(struct pdu *request, struct chap *chap) 259{ 260 struct pdu *response; 261 struct keys *response_keys; 262 char *chap_c, *chap_i; 263 264 chap_c = chap_get_challenge(chap); 265 chap_i = chap_get_id(chap); 266 267 response = login_new_response(request); 268 response_keys = keys_new(); 269 keys_add(response_keys, "CHAP_A", "5"); 270 keys_add(response_keys, "CHAP_I", chap_i); 271 keys_add(response_keys, "CHAP_C", chap_c); 272 free(chap_i); 273 free(chap_c); 274 keys_save(response_keys, response); 275 pdu_send(response); 276 pdu_delete(response); 277 keys_delete(response_keys); 278} 279 280static struct pdu * 281login_receive_chap_r(struct connection *conn, struct auth_group *ag, 282 struct chap *chap, const struct auth **authp) 283{ 284 struct pdu *request; 285 struct keys *request_keys; 286 const char *chap_n, *chap_r; 287 const struct auth *auth; 288 int error; 289 290 request = login_receive(conn, false); 291 request_keys = keys_new(); 292 keys_load(request_keys, request); 293 294 chap_n = keys_find(request_keys, "CHAP_N"); 295 if (chap_n == NULL) { 296 login_send_error(request, 0x02, 0x07); 297 log_errx(1, "received CHAP Login PDU without CHAP_N"); 298 } 299 chap_r = keys_find(request_keys, "CHAP_R"); 300 if (chap_r == NULL) { 301 login_send_error(request, 0x02, 0x07); 302 log_errx(1, "received CHAP Login PDU without CHAP_R"); 303 } 304 error = chap_receive(chap, chap_r); 305 if (error != 0) { 306 login_send_error(request, 0x02, 0x07); 307 log_errx(1, "received CHAP Login PDU with malformed CHAP_R"); 308 } 309 310 /* 311 * Verify the response. 312 */ 313 assert(ag->ag_type == AG_TYPE_CHAP || 314 ag->ag_type == AG_TYPE_CHAP_MUTUAL); 315 auth = auth_find(ag, chap_n); 316 if (auth == NULL) { 317 login_send_error(request, 0x02, 0x01); 318 log_errx(1, "received CHAP Login with invalid user \"%s\"", 319 chap_n); 320 } 321 322 assert(auth->a_secret != NULL); 323 assert(strlen(auth->a_secret) > 0); 324 325 error = chap_authenticate(chap, auth->a_secret); 326 if (error != 0) { 327 login_send_error(request, 0x02, 0x01); 328 log_errx(1, "CHAP authentication failed for user \"%s\"", 329 auth->a_user); 330 } 331 332 keys_delete(request_keys); 333 334 *authp = auth; 335 return (request); 336} 337 338static void 339login_send_chap_success(struct pdu *request, 340 const struct auth *auth) 341{ 342 struct pdu *response; 343 struct keys *request_keys, *response_keys; 344 struct rchap *rchap; 345 const char *chap_i, *chap_c; 346 char *chap_r; 347 int error; 348 349 response = login_new_response(request); 350 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 351 352 /* 353 * Actually, one more thing: mutual authentication. 354 */ 355 request_keys = keys_new(); 356 keys_load(request_keys, request); 357 chap_i = keys_find(request_keys, "CHAP_I"); 358 chap_c = keys_find(request_keys, "CHAP_C"); 359 if (chap_i != NULL || chap_c != NULL) { 360 if (chap_i == NULL) { 361 login_send_error(request, 0x02, 0x07); 362 log_errx(1, "initiator requested target " 363 "authentication, but didn't send CHAP_I"); 364 } 365 if (chap_c == NULL) { 366 login_send_error(request, 0x02, 0x07); 367 log_errx(1, "initiator requested target " 368 "authentication, but didn't send CHAP_C"); 369 } 370 if (auth->a_auth_group->ag_type != AG_TYPE_CHAP_MUTUAL) { 371 login_send_error(request, 0x02, 0x01); 372 log_errx(1, "initiator requests target authentication " 373 "for user \"%s\", but mutual user/secret " 374 "is not set", auth->a_user); 375 } 376 377 log_debugx("performing mutual authentication as user \"%s\"", 378 auth->a_mutual_user); 379 380 rchap = rchap_new(auth->a_mutual_secret); 381 error = rchap_receive(rchap, chap_i, chap_c); 382 if (error != 0) { 383 login_send_error(request, 0x02, 0x07); 384 log_errx(1, "received CHAP Login PDU with malformed " 385 "CHAP_I or CHAP_C"); 386 } 387 chap_r = rchap_get_response(rchap); 388 rchap_delete(rchap); 389 response_keys = keys_new(); 390 keys_add(response_keys, "CHAP_N", auth->a_mutual_user); 391 keys_add(response_keys, "CHAP_R", chap_r); 392 free(chap_r); 393 keys_save(response_keys, response); 394 keys_delete(response_keys); 395 } else { 396 log_debugx("initiator did not request target authentication"); 397 } 398 399 keys_delete(request_keys); 400 pdu_send(response); 401 pdu_delete(response); 402} 403 404static void 405login_chap(struct connection *conn, struct auth_group *ag) 406{ 407 const struct auth *auth; 408 struct chap *chap; 409 struct pdu *request; 410 411 /* 412 * Receive CHAP_A PDU. 413 */ 414 log_debugx("beginning CHAP authentication; waiting for CHAP_A"); 415 request = login_receive_chap_a(conn); 416 417 /* 418 * Generate the challenge. 419 */ 420 chap = chap_new(); 421 422 /* 423 * Send the challenge. 424 */ 425 log_debugx("sending CHAP_C, binary challenge size is %zd bytes", 426 sizeof(chap->chap_challenge)); 427 login_send_chap_c(request, chap); 428 pdu_delete(request); 429 430 /* 431 * Receive CHAP_N/CHAP_R PDU and authenticate. 432 */ 433 log_debugx("waiting for CHAP_N/CHAP_R"); 434 request = login_receive_chap_r(conn, ag, chap, &auth); 435 436 /* 437 * Yay, authentication succeeded! 438 */ 439 log_debugx("authentication succeeded for user \"%s\"; " 440 "transitioning to operational parameter negotiation", auth->a_user); 441 login_send_chap_success(request, auth); 442 pdu_delete(request); 443 444 /* 445 * Leave username and CHAP information for discovery(). 446 */ 447 conn->conn_user = auth->a_user; 448 conn->conn_chap = chap; 449} 450 451static void 452login_negotiate_key(struct pdu *request, const char *name, 453 const char *value, bool skipped_security, struct keys *response_keys) 454{ 455 int which; 456 size_t tmp; 457 struct connection *conn; 458 459 conn = request->pdu_connection; 460 461 if (strcmp(name, "InitiatorName") == 0) { 462 if (!skipped_security) 463 log_errx(1, "initiator resent InitiatorName"); 464 } else if (strcmp(name, "SessionType") == 0) { 465 if (!skipped_security) 466 log_errx(1, "initiator resent SessionType"); 467 } else if (strcmp(name, "TargetName") == 0) { 468 if (!skipped_security) 469 log_errx(1, "initiator resent TargetName"); 470 } else if (strcmp(name, "InitiatorAlias") == 0) { 471 if (conn->conn_initiator_alias != NULL) 472 free(conn->conn_initiator_alias); 473 conn->conn_initiator_alias = checked_strdup(value); 474 } else if (strcmp(value, "Irrelevant") == 0) { 475 /* Ignore. */ 476 } else if (strcmp(name, "HeaderDigest") == 0) { 477 /* 478 * We don't handle digests for discovery sessions. 479 */ 480 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 481 log_debugx("discovery session; digests disabled"); 482 keys_add(response_keys, name, "None"); 483 return; 484 } 485 486 which = login_list_prefers(value, "CRC32C", "None"); 487 switch (which) { 488 case 1: 489 log_debugx("initiator prefers CRC32C " 490 "for header digest; we'll use it"); 491 conn->conn_header_digest = CONN_DIGEST_CRC32C; 492 keys_add(response_keys, name, "CRC32C"); 493 break; 494 case 2: 495 log_debugx("initiator prefers not to do " 496 "header digest; we'll comply"); 497 keys_add(response_keys, name, "None"); 498 break; 499 default: 500 log_warnx("initiator sent unrecognized " 501 "HeaderDigest value \"%s\"; will use None", value); 502 keys_add(response_keys, name, "None"); 503 break; 504 } 505 } else if (strcmp(name, "DataDigest") == 0) { 506 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 507 log_debugx("discovery session; digests disabled"); 508 keys_add(response_keys, name, "None"); 509 return; 510 } 511 512 which = login_list_prefers(value, "CRC32C", "None"); 513 switch (which) { 514 case 1: 515 log_debugx("initiator prefers CRC32C " 516 "for data digest; we'll use it"); 517 conn->conn_data_digest = CONN_DIGEST_CRC32C; 518 keys_add(response_keys, name, "CRC32C"); 519 break; 520 case 2: 521 log_debugx("initiator prefers not to do " 522 "data digest; we'll comply"); 523 keys_add(response_keys, name, "None"); 524 break; 525 default: 526 log_warnx("initiator sent unrecognized " 527 "DataDigest value \"%s\"; will use None", value); 528 keys_add(response_keys, name, "None"); 529 break; 530 } 531 } else if (strcmp(name, "MaxConnections") == 0) { 532 keys_add(response_keys, name, "1"); 533 } else if (strcmp(name, "InitialR2T") == 0) { 534 keys_add(response_keys, name, "Yes"); 535 } else if (strcmp(name, "ImmediateData") == 0) { 536 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 537 log_debugx("discovery session; ImmediateData irrelevant"); 538 keys_add(response_keys, name, "Irrelevant"); 539 } else { 540 if (strcmp(value, "Yes") == 0) { 541 conn->conn_immediate_data = true; 542 keys_add(response_keys, name, "Yes"); 543 } else { 544 conn->conn_immediate_data = false; 545 keys_add(response_keys, name, "No"); 546 } 547 } 548 } else if (strcmp(name, "MaxRecvDataSegmentLength") == 0) { 549 tmp = strtoul(value, NULL, 10); 550 if (tmp <= 0) { 551 login_send_error(request, 0x02, 0x00); 552 log_errx(1, "received invalid " 553 "MaxRecvDataSegmentLength"); 554 } 555 if (tmp > conn->conn_data_segment_limit) { 556 log_debugx("capping MaxRecvDataSegmentLength " 557 "from %zd to %zd", tmp, conn->conn_data_segment_limit); 558 tmp = conn->conn_data_segment_limit; 559 } 560 conn->conn_max_data_segment_length = tmp; 561 keys_add_int(response_keys, name, conn->conn_data_segment_limit); 562 } else if (strcmp(name, "MaxBurstLength") == 0) { 563 tmp = strtoul(value, NULL, 10); 564 if (tmp <= 0) { 565 login_send_error(request, 0x02, 0x00); 566 log_errx(1, "received invalid MaxBurstLength"); 567 } 568 if (tmp > MAX_BURST_LENGTH) { 569 log_debugx("capping MaxBurstLength from %zd to %d", 570 tmp, MAX_BURST_LENGTH); 571 tmp = MAX_BURST_LENGTH; 572 } 573 conn->conn_max_burst_length = tmp; 574 keys_add_int(response_keys, name, tmp); 575 } else if (strcmp(name, "FirstBurstLength") == 0) { 576 tmp = strtoul(value, NULL, 10); 577 if (tmp <= 0) { 578 login_send_error(request, 0x02, 0x00); 579 log_errx(1, "received invalid FirstBurstLength"); 580 } 581 if (tmp > FIRST_BURST_LENGTH) { 582 log_debugx("capping FirstBurstLength from %zd to %d", 583 tmp, FIRST_BURST_LENGTH); 584 tmp = FIRST_BURST_LENGTH; 585 } 586 conn->conn_first_burst_length = tmp; 587 keys_add_int(response_keys, name, tmp); 588 } else if (strcmp(name, "DefaultTime2Wait") == 0) { 589 keys_add(response_keys, name, value); 590 } else if (strcmp(name, "DefaultTime2Retain") == 0) { 591 keys_add(response_keys, name, "0"); 592 } else if (strcmp(name, "MaxOutstandingR2T") == 0) { 593 keys_add(response_keys, name, "1"); 594 } else if (strcmp(name, "DataPDUInOrder") == 0) { 595 keys_add(response_keys, name, "Yes"); 596 } else if (strcmp(name, "DataSequenceInOrder") == 0) { 597 keys_add(response_keys, name, "Yes"); 598 } else if (strcmp(name, "ErrorRecoveryLevel") == 0) { 599 keys_add(response_keys, name, "0"); 600 } else if (strcmp(name, "OFMarker") == 0) { 601 keys_add(response_keys, name, "No"); 602 } else if (strcmp(name, "IFMarker") == 0) { 603 keys_add(response_keys, name, "No"); 604 } else if (strcmp(name, "iSCSIProtocolLevel") == 0) { 605 tmp = strtoul(value, NULL, 10); 606 if (tmp > 2) 607 tmp = 2; 608 keys_add_int(response_keys, name, tmp); 609 } else { 610 log_debugx("unknown key \"%s\"; responding " 611 "with NotUnderstood", name); 612 keys_add(response_keys, name, "NotUnderstood"); 613 } 614} 615 616static void 617login_redirect(struct pdu *request, const char *target_address) 618{ 619 struct pdu *response; 620 struct iscsi_bhs_login_response *bhslr2; 621 struct keys *response_keys; 622 623 response = login_new_response(request); 624 login_set_csg(response, login_csg(request)); 625 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 626 bhslr2->bhslr_status_class = 0x01; 627 bhslr2->bhslr_status_detail = 0x01; 628 629 response_keys = keys_new(); 630 keys_add(response_keys, "TargetAddress", target_address); 631 632 keys_save(response_keys, response); 633 pdu_send(response); 634 pdu_delete(response); 635 keys_delete(response_keys); 636} 637 638static bool 639login_portal_redirect(struct connection *conn, struct pdu *request) 640{ 641 const struct portal_group *pg; 642 643 pg = conn->conn_portal->p_portal_group; 644 if (pg->pg_redirection == NULL) 645 return (false); 646 647 log_debugx("portal-group \"%s\" configured to redirect to %s", 648 pg->pg_name, pg->pg_redirection); 649 login_redirect(request, pg->pg_redirection); 650 651 return (true); 652} 653 654static bool 655login_target_redirect(struct connection *conn, struct pdu *request) 656{ 657 const char *target_address; 658 659 assert(conn->conn_portal->p_portal_group->pg_redirection == NULL); 660 661 if (conn->conn_target == NULL) 662 return (false); 663 664 target_address = conn->conn_target->t_redirection; 665 if (target_address == NULL) 666 return (false); 667 668 log_debugx("target \"%s\" configured to redirect to %s", 669 conn->conn_target->t_name, target_address); 670 login_redirect(request, target_address); 671 672 return (true); 673} 674 675static void 676login_negotiate(struct connection *conn, struct pdu *request) 677{ 678 struct pdu *response; 679 struct iscsi_bhs_login_response *bhslr2; 680 struct keys *request_keys, *response_keys; 681 int i; 682 bool redirected, skipped_security; 683 684 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 685 /* 686 * Query the kernel for MaxDataSegmentLength it can handle. 687 * In case of offload, it depends on hardware capabilities. 688 */ 689 assert(conn->conn_target != NULL); 690 kernel_limits(conn->conn_portal->p_portal_group->pg_offload, 691 &conn->conn_data_segment_limit); 692 } else { 693 conn->conn_data_segment_limit = MAX_DATA_SEGMENT_LENGTH; 694 } 695 696 if (request == NULL) { 697 log_debugx("beginning operational parameter negotiation; " 698 "waiting for Login PDU"); 699 request = login_receive(conn, false); 700 skipped_security = false; 701 } else 702 skipped_security = true; 703 704 /* 705 * RFC 3720, 10.13.5. Status-Class and Status-Detail, says 706 * the redirection SHOULD be accepted by the initiator before 707 * authentication, but MUST be be accepted afterwards; that's 708 * why we're doing it here and not earlier. 709 */ 710 redirected = login_target_redirect(conn, request); 711 if (redirected) { 712 log_debugx("initiator redirected; exiting"); 713 exit(0); 714 } 715 716 request_keys = keys_new(); 717 keys_load(request_keys, request); 718 719 response = login_new_response(request); 720 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 721 bhslr2->bhslr_tsih = htons(0xbadd); 722 login_set_csg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 723 login_set_nsg(response, BHSLR_STAGE_FULL_FEATURE_PHASE); 724 response_keys = keys_new(); 725 726 if (skipped_security && 727 conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 728 if (conn->conn_target->t_alias != NULL) 729 keys_add(response_keys, 730 "TargetAlias", conn->conn_target->t_alias); 731 keys_add_int(response_keys, "TargetPortalGroupTag", 732 conn->conn_portal->p_portal_group->pg_tag); 733 } 734 735 for (i = 0; i < KEYS_MAX; i++) { 736 if (request_keys->keys_names[i] == NULL) 737 break; 738 739 login_negotiate_key(request, request_keys->keys_names[i], 740 request_keys->keys_values[i], skipped_security, 741 response_keys); 742 } 743 744 log_debugx("operational parameter negotiation done; " 745 "transitioning to Full Feature Phase"); 746 747 keys_save(response_keys, response); 748 pdu_send(response); 749 pdu_delete(response); 750 keys_delete(response_keys); 751 pdu_delete(request); 752 keys_delete(request_keys); 753} 754 755static void 756login_wait_transition(struct connection *conn) 757{ 758 struct pdu *request, *response; 759 struct iscsi_bhs_login_request *bhslr; 760 761 log_debugx("waiting for state transition request"); 762 request = login_receive(conn, false); 763 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 764 if ((bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) == 0) { 765 login_send_error(request, 0x02, 0x00); 766 log_errx(1, "got no \"T\" flag after answering AuthMethod"); 767 } 768 769 log_debugx("got state transition request"); 770 response = login_new_response(request); 771 pdu_delete(request); 772 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 773 pdu_send(response); 774 pdu_delete(response); 775 776 login_negotiate(conn, NULL); 777} 778 779void 780login(struct connection *conn) 781{ 782 struct pdu *request, *response; 783 struct iscsi_bhs_login_request *bhslr; 784 struct keys *request_keys, *response_keys; 785 struct auth_group *ag; 786 struct portal_group *pg; 787 const char *initiator_name, *initiator_alias, *session_type, 788 *target_name, *auth_method; 789 bool redirected, fail, trans; 790 791 /* 792 * Handle the initial Login Request - figure out required authentication 793 * method and either transition to the next phase, if no authentication 794 * is required, or call appropriate authentication code. 795 */ 796 log_debugx("beginning Login Phase; waiting for Login PDU"); 797 request = login_receive(conn, true); 798 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 799 if (bhslr->bhslr_tsih != 0) { 800 login_send_error(request, 0x02, 0x0a); 801 log_errx(1, "received Login PDU with non-zero TSIH"); 802 } 803 804 pg = conn->conn_portal->p_portal_group; 805 806 memcpy(conn->conn_initiator_isid, bhslr->bhslr_isid, 807 sizeof(conn->conn_initiator_isid)); 808 809 /* 810 * XXX: Implement the C flag some day. 811 */ 812 request_keys = keys_new(); 813 keys_load(request_keys, request); 814 815 assert(conn->conn_initiator_name == NULL); 816 initiator_name = keys_find(request_keys, "InitiatorName"); 817 if (initiator_name == NULL) { 818 login_send_error(request, 0x02, 0x07); 819 log_errx(1, "received Login PDU without InitiatorName"); 820 } 821 if (valid_iscsi_name(initiator_name) == false) { 822 login_send_error(request, 0x02, 0x00); 823 log_errx(1, "received Login PDU with invalid InitiatorName"); 824 } 825 conn->conn_initiator_name = checked_strdup(initiator_name); 826 log_set_peer_name(conn->conn_initiator_name); 827 setproctitle("%s (%s)", conn->conn_initiator_addr, conn->conn_initiator_name); 828 829 redirected = login_portal_redirect(conn, request); 830 if (redirected) { 831 log_debugx("initiator redirected; exiting"); 832 exit(0); 833 } 834 835 initiator_alias = keys_find(request_keys, "InitiatorAlias"); 836 if (initiator_alias != NULL) 837 conn->conn_initiator_alias = checked_strdup(initiator_alias); 838 839 assert(conn->conn_session_type == CONN_SESSION_TYPE_NONE); 840 session_type = keys_find(request_keys, "SessionType"); 841 if (session_type != NULL) { 842 if (strcmp(session_type, "Normal") == 0) { 843 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 844 } else if (strcmp(session_type, "Discovery") == 0) { 845 conn->conn_session_type = CONN_SESSION_TYPE_DISCOVERY; 846 } else { 847 login_send_error(request, 0x02, 0x00); 848 log_errx(1, "received Login PDU with invalid " 849 "SessionType \"%s\"", session_type); 850 } 851 } else 852 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 853 854 assert(conn->conn_target == NULL); 855 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 856 target_name = keys_find(request_keys, "TargetName"); 857 if (target_name == NULL) { 858 login_send_error(request, 0x02, 0x07); 859 log_errx(1, "received Login PDU without TargetName"); 860 } 861 862 conn->conn_port = port_find_in_pg(pg, target_name); 863 if (conn->conn_port == NULL) { 864 login_send_error(request, 0x02, 0x03); 865 log_errx(1, "requested target \"%s\" not found", 866 target_name); 867 } 868 conn->conn_target = conn->conn_port->p_target; 869 } 870 871 /* 872 * At this point we know what kind of authentication we need. 873 */ 874 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 875 ag = conn->conn_port->p_auth_group; 876 if (ag == NULL) 877 ag = conn->conn_target->t_auth_group; 878 if (ag->ag_name != NULL) { 879 log_debugx("initiator requests to connect " 880 "to target \"%s\"; auth-group \"%s\"", 881 conn->conn_target->t_name, 882 ag->ag_name); 883 } else { 884 log_debugx("initiator requests to connect " 885 "to target \"%s\"", conn->conn_target->t_name); 886 } 887 } else { 888 assert(conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY); 889 ag = pg->pg_discovery_auth_group; 890 if (ag->ag_name != NULL) { 891 log_debugx("initiator requests " 892 "discovery session; auth-group \"%s\"", ag->ag_name); 893 } else { 894 log_debugx("initiator requests discovery session"); 895 } 896 } 897 898 if (ag->ag_type == AG_TYPE_DENY) { 899 login_send_error(request, 0x02, 0x01); 900 log_errx(1, "auth-type is \"deny\""); 901 } 902 903 if (ag->ag_type == AG_TYPE_UNKNOWN) { 904 /* 905 * This can happen with empty auth-group. 906 */ 907 login_send_error(request, 0x02, 0x01); 908 log_errx(1, "auth-type not set, denying access"); 909 } 910 911 /* 912 * Enforce initiator-name and initiator-portal. 913 */ 914 if (auth_name_check(ag, initiator_name) != 0) { 915 login_send_error(request, 0x02, 0x02); 916 log_errx(1, "initiator does not match allowed initiator names"); 917 } 918 919 if (auth_portal_check(ag, &conn->conn_initiator_sa) != 0) { 920 login_send_error(request, 0x02, 0x02); 921 log_errx(1, "initiator does not match allowed " 922 "initiator portals"); 923 } 924 925 /* 926 * Let's see if the initiator intends to do any kind of authentication 927 * at all. 928 */ 929 if (login_csg(request) == BHSLR_STAGE_OPERATIONAL_NEGOTIATION) { 930 if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) { 931 login_send_error(request, 0x02, 0x01); 932 log_errx(1, "initiator skipped the authentication, " 933 "but authentication is required"); 934 } 935 936 keys_delete(request_keys); 937 938 log_debugx("initiator skipped the authentication, " 939 "and we don't need it; proceeding with negotiation"); 940 login_negotiate(conn, request); 941 return; 942 } 943 944 fail = false; 945 response = login_new_response(request); 946 response_keys = keys_new(); 947 trans = (bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) != 0; 948 auth_method = keys_find(request_keys, "AuthMethod"); 949 if (ag->ag_type == AG_TYPE_NO_AUTHENTICATION) { 950 log_debugx("authentication not required"); 951 if (auth_method == NULL || 952 login_list_contains(auth_method, "None")) { 953 keys_add(response_keys, "AuthMethod", "None"); 954 } else { 955 log_warnx("initiator requests " 956 "AuthMethod \"%s\" instead of \"None\"", 957 auth_method); 958 keys_add(response_keys, "AuthMethod", "Reject"); 959 } 960 if (trans) 961 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 962 } else { 963 log_debugx("CHAP authentication required"); 964 if (auth_method == NULL || 965 login_list_contains(auth_method, "CHAP")) { 966 keys_add(response_keys, "AuthMethod", "CHAP"); 967 } else { 968 log_warnx("initiator requests unsupported " 969 "AuthMethod \"%s\" instead of \"CHAP\"", 970 auth_method); 971 keys_add(response_keys, "AuthMethod", "Reject"); 972 fail = true; 973 } 974 } 975 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 976 if (conn->conn_target->t_alias != NULL) 977 keys_add(response_keys, 978 "TargetAlias", conn->conn_target->t_alias); 979 keys_add_int(response_keys, 980 "TargetPortalGroupTag", pg->pg_tag); 981 } 982 keys_save(response_keys, response); 983 984 pdu_send(response); 985 pdu_delete(response); 986 keys_delete(response_keys); 987 pdu_delete(request); 988 keys_delete(request_keys); 989 990 if (fail) { 991 log_debugx("sent reject for AuthMethod; exiting"); 992 exit(1); 993 } 994 995 if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) { 996 login_chap(conn, ag); 997 login_negotiate(conn, NULL); 998 } else if (trans) { 999 login_negotiate(conn, NULL); 1000 } else { 1001 login_wait_transition(conn); 1002 } 1003} 1004