1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <sys/types.h>
26 #include <sys/random.h>
27 #include <sys/conf.h>
28 #include <sys/ddi.h>
29 #include <sys/sunddi.h>
30
31 #include <sys/socket.h>
32 #include <inet/tcp.h>
33
34 #include <sys/stmf.h>
35 #include <sys/stmf_ioctl.h>
36 #include <sys/portif.h>
37 #include <sys/idm/idm.h>
38 #include <sys/iscsit/chap.h>
39
40 #include "iscsit.h"
41 #include "radius_auth.h"
42
43 void
client_set_numeric_data(auth_key_block_t * keyBlock,int key_type,uint32_t numeric)44 client_set_numeric_data(auth_key_block_t *keyBlock,
45 int key_type,
46 uint32_t numeric)
47 {
48 auth_key_t *p;
49
50 ASSERT(key_type < AUTH_KEY_TYPE_MAX);
51
52 p = &keyBlock->key[key_type];
53 p->value.numeric = numeric;
54 p->present = 1;
55 }
56
57 void
client_set_string_data(auth_key_block_t * keyBlock,int key_type,char * string)58 client_set_string_data(auth_key_block_t *keyBlock,
59 int key_type,
60 char *string)
61 {
62 auth_key_t *p;
63
64 ASSERT(key_type < AUTH_KEY_TYPE_MAX);
65
66 p = &keyBlock->key[key_type];
67 p->value.string = string;
68 p->present = 1;
69 }
70
71 void
client_set_binary_data(auth_key_block_t * keyBlock,int key_type,unsigned char * binary,unsigned int len)72 client_set_binary_data(auth_key_block_t *keyBlock,
73 int key_type,
74 unsigned char *binary, unsigned int len)
75 {
76 auth_key_t *p;
77
78 ASSERT(key_type < AUTH_KEY_TYPE_MAX);
79
80 p = &keyBlock->key[key_type];
81 p->value.binary = binary;
82 p->len = len;
83 p->present = 1;
84 }
85
86 void
client_get_numeric_data(auth_key_block_t * keyBlock,int key_type,uint32_t * numeric)87 client_get_numeric_data(auth_key_block_t *keyBlock,
88 int key_type,
89 uint32_t *numeric)
90 {
91 auth_key_t *p;
92
93 ASSERT(key_type < AUTH_KEY_TYPE_MAX);
94
95 p = &keyBlock->key[key_type];
96 *numeric = p->value.numeric;
97 }
98
99 void
client_get_string_data(auth_key_block_t * keyBlock,int key_type,char ** string)100 client_get_string_data(auth_key_block_t *keyBlock,
101 int key_type,
102 char **string)
103 {
104 auth_key_t *p;
105
106 ASSERT(key_type < AUTH_KEY_TYPE_MAX);
107
108 p = &keyBlock->key[key_type];
109 *string = p->value.string;
110 }
111
112 void
client_get_binary_data(auth_key_block_t * keyBlock,int key_type,unsigned char ** binary,unsigned int * len)113 client_get_binary_data(auth_key_block_t *keyBlock,
114 int key_type,
115 unsigned char **binary, unsigned int *len)
116 {
117 auth_key_t *p;
118
119 ASSERT(key_type < AUTH_KEY_TYPE_MAX);
120
121 p = &keyBlock->key[key_type];
122 *binary = p->value.binary;
123 *len = p->len;
124 }
125
126 int
client_auth_key_present(auth_key_block_t * keyBlock,int key_type)127 client_auth_key_present(auth_key_block_t *keyBlock,
128 int key_type)
129 {
130 auth_key_t *p;
131
132 ASSERT(key_type < AUTH_KEY_TYPE_MAX);
133
134 p = &keyBlock->key[key_type];
135
136 return (p->present != 0 ? 1 : 0);
137 }
138
139 /*ARGSUSED*/
140 void
client_compute_chap_resp(uchar_t * resp,unsigned int chap_i,uint8_t * password,int password_len,uchar_t * chap_c,unsigned int challenge_len)141 client_compute_chap_resp(uchar_t *resp,
142 unsigned int chap_i,
143 uint8_t *password, int password_len,
144 uchar_t *chap_c, unsigned int challenge_len)
145 {
146 MD5_CTX context;
147
148 MD5Init(&context);
149
150 /*
151 * id byte
152 */
153 resp[0] = (uchar_t)chap_i;
154 MD5Update(&context, resp, 1);
155
156 /*
157 * shared secret
158 */
159 MD5Update(&context, (uchar_t *)password, password_len);
160
161 /*
162 * challenge value
163 */
164 MD5Update(&context, chap_c, challenge_len);
165
166 MD5Final(resp, &context);
167 }
168
169 int
iscsit_verify_chap_resp(iscsit_conn_login_t * lsm,unsigned int chap_i,uchar_t * chap_c,unsigned int challenge_len,uchar_t * chap_r,unsigned int resp_len)170 iscsit_verify_chap_resp(iscsit_conn_login_t *lsm,
171 unsigned int chap_i,
172 uchar_t *chap_c, unsigned int challenge_len,
173 uchar_t *chap_r, unsigned int resp_len)
174 {
175 uchar_t verifyData[iscsitAuthChapResponseLength];
176 conn_auth_t *auth = &lsm->icl_auth;
177
178 /* Check if RADIUS access is enabled */
179 if (auth->ca_use_radius == B_TRUE) {
180 chap_validation_status_type chap_valid_status;
181 RADIUS_CONFIG radius_cfg;
182 struct sockaddr_storage *sa = &auth->ca_radius_server;
183 struct sockaddr_in *sin;
184 struct sockaddr_in6 *sin6;
185
186 /* Use RADIUS server to authentication target */
187 sin = (struct sockaddr_in *)sa;
188 radius_cfg.rad_svr_port = ntohs(sin->sin_port);
189 if (sa->ss_family == AF_INET) {
190 /* IPv4 */
191 radius_cfg.rad_svr_addr.i_addr.in4.s_addr =
192 sin->sin_addr.s_addr;
193 radius_cfg.rad_svr_addr.i_insize = sizeof (in_addr_t);
194 } else if (sa->ss_family == AF_INET6) {
195 /* IPv6 */
196 sin6 = (struct sockaddr_in6 *)sa;
197 bcopy(sin6->sin6_addr.s6_addr,
198 radius_cfg.rad_svr_addr.i_addr.in6.s6_addr,
199 sizeof (struct in6_addr));
200 radius_cfg.rad_svr_addr.i_insize = sizeof (in6_addr_t);
201 } else {
202 return (ISCSI_AUTH_FAILED);
203 }
204
205 bcopy(auth->ca_radius_secret,
206 radius_cfg.rad_svr_shared_secret,
207 MAX_RAD_SHARED_SECRET_LEN);
208 radius_cfg.rad_svr_shared_secret_len =
209 auth->ca_radius_secretlen;
210
211 chap_valid_status = iscsit_radius_chap_validate(
212 auth->ca_ini_chapuser,
213 auth->ca_tgt_chapuser,
214 chap_c,
215 challenge_len,
216 chap_r,
217 resp_len,
218 chap_i,
219 radius_cfg.rad_svr_addr,
220 radius_cfg.rad_svr_port,
221 radius_cfg.rad_svr_shared_secret,
222 radius_cfg.rad_svr_shared_secret_len);
223
224 if (chap_valid_status == CHAP_VALIDATION_PASSED) {
225 return (ISCSI_AUTH_PASSED);
226 }
227 return (ISCSI_AUTH_FAILED);
228 }
229
230 /* Empty chap secret is not allowed */
231 if (auth->ca_ini_chapsecretlen == 0) {
232 return (ISCSI_AUTH_FAILED);
233 }
234
235 /* only MD5 is supported */
236 if (resp_len != sizeof (verifyData)) {
237 return (ISCSI_AUTH_FAILED);
238 }
239
240 client_compute_chap_resp(
241 &verifyData[0],
242 chap_i,
243 auth->ca_ini_chapsecret, auth->ca_ini_chapsecretlen,
244 chap_c, challenge_len);
245
246 if (bcmp(chap_r, verifyData,
247 sizeof (verifyData)) != 0) {
248 return (ISCSI_AUTH_FAILED);
249 }
250
251 /* chap response OK */
252 return (ISCSI_AUTH_PASSED);
253 }
254
255 void
auth_random_set_data(uchar_t * data,unsigned int length)256 auth_random_set_data(uchar_t *data, unsigned int length)
257 {
258 (void) random_get_pseudo_bytes(data, length);
259 }
260