1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2012 The FreeBSD Foundation
5 *
6 * This software was developed by Edward Tomasz Napierala under sponsorship
7 * from the FreeBSD Foundation.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 * SUCH DAMAGE.
29 *
30 */
31
32 #include <sys/time.h>
33 #include <assert.h>
34 #include <stdbool.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <string.h>
38 #include <unistd.h>
39 #include <netinet/in.h>
40 #include <cam/ctl/ctl.h>
41 #include <cam/ctl/ctl_io.h>
42 #include <cam/ctl/ctl_ioctl.h>
43
44 #include "ctld.h"
45 #include "iscsi_proto.h"
46
47 #define MAX_DATA_SEGMENT_LENGTH (128 * 1024)
48
49 static void login_send_error(struct pdu *request,
50 char class, char detail);
51
52 static void
kernel_limits(const char * offload,int s,int * max_recv_dsl,int * max_send_dsl,int * max_burst_length,int * first_burst_length)53 kernel_limits(const char *offload, int s, int *max_recv_dsl, int *max_send_dsl,
54 int *max_burst_length, int *first_burst_length)
55 {
56 struct ctl_iscsi req;
57 struct ctl_iscsi_limits_params *cilp;
58
59 bzero(&req, sizeof(req));
60
61 req.type = CTL_ISCSI_LIMITS;
62 cilp = (struct ctl_iscsi_limits_params *)&(req.data.limits);
63 if (offload != NULL) {
64 strlcpy(cilp->offload, offload, sizeof(cilp->offload));
65 }
66 cilp->socket = s;
67
68 if (ioctl(ctl_fd, CTL_ISCSI, &req) == -1) {
69 log_err(1, "error issuing CTL_ISCSI ioctl; "
70 "dropping connection");
71 }
72
73 if (req.status != CTL_ISCSI_OK) {
74 log_errx(1, "error returned from CTL iSCSI limits request: "
75 "%s; dropping connection", req.error_str);
76 }
77
78 if (cilp->max_recv_data_segment_length != 0) {
79 *max_recv_dsl = cilp->max_recv_data_segment_length;
80 *max_send_dsl = cilp->max_recv_data_segment_length;
81 }
82 if (cilp->max_send_data_segment_length != 0)
83 *max_send_dsl = cilp->max_send_data_segment_length;
84 if (cilp->max_burst_length != 0)
85 *max_burst_length = cilp->max_burst_length;
86 if (cilp->first_burst_length != 0)
87 *first_burst_length = cilp->first_burst_length;
88 if (*max_burst_length < *first_burst_length)
89 *first_burst_length = *max_burst_length;
90
91 if (offload != NULL) {
92 log_debugx("Kernel limits for offload \"%s\" are "
93 "MaxRecvDataSegment=%d, max_send_dsl=%d, "
94 "MaxBurstLength=%d, FirstBurstLength=%d",
95 offload, *max_recv_dsl, *max_send_dsl, *max_burst_length,
96 *first_burst_length);
97 } else {
98 log_debugx("Kernel limits are "
99 "MaxRecvDataSegment=%d, max_send_dsl=%d, "
100 "MaxBurstLength=%d, FirstBurstLength=%d",
101 *max_recv_dsl, *max_send_dsl, *max_burst_length,
102 *first_burst_length);
103 }
104 }
105
106 static void
login_set_nsg(struct pdu * response,int nsg)107 login_set_nsg(struct pdu *response, int nsg)
108 {
109 struct iscsi_bhs_login_response *bhslr;
110
111 assert(nsg == BHSLR_STAGE_SECURITY_NEGOTIATION ||
112 nsg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION ||
113 nsg == BHSLR_STAGE_FULL_FEATURE_PHASE);
114
115 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs;
116
117 bhslr->bhslr_flags &= 0xFC;
118 bhslr->bhslr_flags |= nsg;
119 bhslr->bhslr_flags |= BHSLR_FLAGS_TRANSIT;
120 }
121
122 static int
login_csg(const struct pdu * request)123 login_csg(const struct pdu *request)
124 {
125 struct iscsi_bhs_login_request *bhslr;
126
127 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs;
128
129 return ((bhslr->bhslr_flags & 0x0C) >> 2);
130 }
131
132 static void
login_set_csg(struct pdu * response,int csg)133 login_set_csg(struct pdu *response, int csg)
134 {
135 struct iscsi_bhs_login_response *bhslr;
136
137 assert(csg == BHSLR_STAGE_SECURITY_NEGOTIATION ||
138 csg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION ||
139 csg == BHSLR_STAGE_FULL_FEATURE_PHASE);
140
141 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs;
142
143 bhslr->bhslr_flags &= 0xF3;
144 bhslr->bhslr_flags |= csg << 2;
145 }
146
147 static struct pdu *
login_receive(struct connection * conn,bool initial)148 login_receive(struct connection *conn, bool initial)
149 {
150 struct pdu *request;
151 struct iscsi_bhs_login_request *bhslr;
152
153 request = pdu_new(conn);
154 pdu_receive(request);
155 if ((request->pdu_bhs->bhs_opcode & ~ISCSI_BHS_OPCODE_IMMEDIATE) !=
156 ISCSI_BHS_OPCODE_LOGIN_REQUEST) {
157 /*
158 * The first PDU in session is special - if we receive any PDU
159 * different than login request, we have to drop the connection
160 * without sending response ("A target receiving any PDU
161 * except a Login request before the Login Phase is started MUST
162 * immediately terminate the connection on which the PDU
163 * was received.")
164 */
165 if (initial == false)
166 login_send_error(request, 0x02, 0x0b);
167 log_errx(1, "protocol error: received invalid opcode 0x%x",
168 request->pdu_bhs->bhs_opcode);
169 }
170 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs;
171 /*
172 * XXX: Implement the C flag some day.
173 */
174 if ((bhslr->bhslr_flags & BHSLR_FLAGS_CONTINUE) != 0) {
175 login_send_error(request, 0x03, 0x00);
176 log_errx(1, "received Login PDU with unsupported \"C\" flag");
177 }
178 if (bhslr->bhslr_version_max != 0x00) {
179 login_send_error(request, 0x02, 0x05);
180 log_errx(1, "received Login PDU with unsupported "
181 "Version-max 0x%x", bhslr->bhslr_version_max);
182 }
183 if (bhslr->bhslr_version_min != 0x00) {
184 login_send_error(request, 0x02, 0x05);
185 log_errx(1, "received Login PDU with unsupported "
186 "Version-min 0x%x", bhslr->bhslr_version_min);
187 }
188 if (initial == false &&
189 ISCSI_SNLT(ntohl(bhslr->bhslr_cmdsn), conn->conn_cmdsn)) {
190 login_send_error(request, 0x02, 0x00);
191 log_errx(1, "received Login PDU with decreasing CmdSN: "
192 "was %u, is %u", conn->conn_cmdsn,
193 ntohl(bhslr->bhslr_cmdsn));
194 }
195 if (initial == false &&
196 ntohl(bhslr->bhslr_expstatsn) != conn->conn_statsn) {
197 login_send_error(request, 0x02, 0x00);
198 log_errx(1, "received Login PDU with wrong ExpStatSN: "
199 "is %u, should be %u", ntohl(bhslr->bhslr_expstatsn),
200 conn->conn_statsn);
201 }
202 conn->conn_cmdsn = ntohl(bhslr->bhslr_cmdsn);
203
204 return (request);
205 }
206
207 static struct pdu *
login_new_response(struct pdu * request)208 login_new_response(struct pdu *request)
209 {
210 struct pdu *response;
211 struct connection *conn;
212 struct iscsi_bhs_login_request *bhslr;
213 struct iscsi_bhs_login_response *bhslr2;
214
215 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs;
216 conn = request->pdu_connection;
217
218 response = pdu_new_response(request);
219 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs;
220 bhslr2->bhslr_opcode = ISCSI_BHS_OPCODE_LOGIN_RESPONSE;
221 login_set_csg(response, BHSLR_STAGE_SECURITY_NEGOTIATION);
222 memcpy(bhslr2->bhslr_isid,
223 bhslr->bhslr_isid, sizeof(bhslr2->bhslr_isid));
224 bhslr2->bhslr_initiator_task_tag = bhslr->bhslr_initiator_task_tag;
225 bhslr2->bhslr_statsn = htonl(conn->conn_statsn++);
226 bhslr2->bhslr_expcmdsn = htonl(conn->conn_cmdsn);
227 bhslr2->bhslr_maxcmdsn = htonl(conn->conn_cmdsn);
228
229 return (response);
230 }
231
232 static void
login_send_error(struct pdu * request,char class,char detail)233 login_send_error(struct pdu *request, char class, char detail)
234 {
235 struct pdu *response;
236 struct iscsi_bhs_login_response *bhslr2;
237
238 log_debugx("sending Login Response PDU with failure class 0x%x/0x%x; "
239 "see next line for reason", class, detail);
240 response = login_new_response(request);
241 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs;
242 bhslr2->bhslr_status_class = class;
243 bhslr2->bhslr_status_detail = detail;
244
245 pdu_send(response);
246 pdu_delete(response);
247 }
248
249 static int
login_list_contains(const char * list,const char * what)250 login_list_contains(const char *list, const char *what)
251 {
252 char *tofree, *str, *token;
253
254 tofree = str = checked_strdup(list);
255
256 while ((token = strsep(&str, ",")) != NULL) {
257 if (strcmp(token, what) == 0) {
258 free(tofree);
259 return (1);
260 }
261 }
262 free(tofree);
263 return (0);
264 }
265
266 static int
login_list_prefers(const char * list,const char * choice1,const char * choice2)267 login_list_prefers(const char *list,
268 const char *choice1, const char *choice2)
269 {
270 char *tofree, *str, *token;
271
272 tofree = str = checked_strdup(list);
273
274 while ((token = strsep(&str, ",")) != NULL) {
275 if (strcmp(token, choice1) == 0) {
276 free(tofree);
277 return (1);
278 }
279 if (strcmp(token, choice2) == 0) {
280 free(tofree);
281 return (2);
282 }
283 }
284 free(tofree);
285 return (-1);
286 }
287
288 static struct pdu *
login_receive_chap_a(struct connection * conn)289 login_receive_chap_a(struct connection *conn)
290 {
291 struct pdu *request;
292 struct keys *request_keys;
293 const char *chap_a;
294
295 request = login_receive(conn, false);
296 request_keys = keys_new();
297 keys_load_pdu(request_keys, request);
298
299 chap_a = keys_find(request_keys, "CHAP_A");
300 if (chap_a == NULL) {
301 login_send_error(request, 0x02, 0x07);
302 log_errx(1, "received CHAP Login PDU without CHAP_A");
303 }
304 if (login_list_contains(chap_a, "5") == 0) {
305 login_send_error(request, 0x02, 0x01);
306 log_errx(1, "received CHAP Login PDU with unsupported CHAP_A "
307 "\"%s\"", chap_a);
308 }
309 keys_delete(request_keys);
310
311 return (request);
312 }
313
314 static void
login_send_chap_c(struct pdu * request,struct chap * chap)315 login_send_chap_c(struct pdu *request, struct chap *chap)
316 {
317 struct pdu *response;
318 struct keys *response_keys;
319 char *chap_c, *chap_i;
320
321 chap_c = chap_get_challenge(chap);
322 chap_i = chap_get_id(chap);
323
324 response = login_new_response(request);
325 response_keys = keys_new();
326 keys_add(response_keys, "CHAP_A", "5");
327 keys_add(response_keys, "CHAP_I", chap_i);
328 keys_add(response_keys, "CHAP_C", chap_c);
329 free(chap_i);
330 free(chap_c);
331 keys_save_pdu(response_keys, response);
332 pdu_send(response);
333 pdu_delete(response);
334 keys_delete(response_keys);
335 }
336
337 static struct pdu *
login_receive_chap_r(struct connection * conn,struct auth_group * ag,struct chap * chap,const struct auth ** authp)338 login_receive_chap_r(struct connection *conn, struct auth_group *ag,
339 struct chap *chap, const struct auth **authp)
340 {
341 struct pdu *request;
342 struct keys *request_keys;
343 const char *chap_n, *chap_r;
344 const struct auth *auth;
345 int error;
346
347 request = login_receive(conn, false);
348 request_keys = keys_new();
349 keys_load_pdu(request_keys, request);
350
351 chap_n = keys_find(request_keys, "CHAP_N");
352 if (chap_n == NULL) {
353 login_send_error(request, 0x02, 0x07);
354 log_errx(1, "received CHAP Login PDU without CHAP_N");
355 }
356 chap_r = keys_find(request_keys, "CHAP_R");
357 if (chap_r == NULL) {
358 login_send_error(request, 0x02, 0x07);
359 log_errx(1, "received CHAP Login PDU without CHAP_R");
360 }
361 error = chap_receive(chap, chap_r);
362 if (error != 0) {
363 login_send_error(request, 0x02, 0x07);
364 log_errx(1, "received CHAP Login PDU with malformed CHAP_R");
365 }
366
367 /*
368 * Verify the response.
369 */
370 assert(ag->ag_type == AG_TYPE_CHAP ||
371 ag->ag_type == AG_TYPE_CHAP_MUTUAL);
372 auth = auth_find(ag, chap_n);
373 if (auth == NULL) {
374 login_send_error(request, 0x02, 0x01);
375 log_errx(1, "received CHAP Login with invalid user \"%s\"",
376 chap_n);
377 }
378
379 assert(auth->a_secret != NULL);
380 assert(strlen(auth->a_secret) > 0);
381
382 error = chap_authenticate(chap, auth->a_secret);
383 if (error != 0) {
384 login_send_error(request, 0x02, 0x01);
385 log_errx(1, "CHAP authentication failed for user \"%s\"",
386 auth->a_user);
387 }
388
389 keys_delete(request_keys);
390
391 *authp = auth;
392 return (request);
393 }
394
395 static void
login_send_chap_success(struct pdu * request,const struct auth * auth)396 login_send_chap_success(struct pdu *request,
397 const struct auth *auth)
398 {
399 struct pdu *response;
400 struct keys *request_keys, *response_keys;
401 struct rchap *rchap;
402 const char *chap_i, *chap_c;
403 char *chap_r;
404 int error;
405
406 response = login_new_response(request);
407 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION);
408
409 /*
410 * Actually, one more thing: mutual authentication.
411 */
412 request_keys = keys_new();
413 keys_load_pdu(request_keys, request);
414 chap_i = keys_find(request_keys, "CHAP_I");
415 chap_c = keys_find(request_keys, "CHAP_C");
416 if (chap_i != NULL || chap_c != NULL) {
417 if (chap_i == NULL) {
418 login_send_error(request, 0x02, 0x07);
419 log_errx(1, "initiator requested target "
420 "authentication, but didn't send CHAP_I");
421 }
422 if (chap_c == NULL) {
423 login_send_error(request, 0x02, 0x07);
424 log_errx(1, "initiator requested target "
425 "authentication, but didn't send CHAP_C");
426 }
427 if (auth->a_auth_group->ag_type != AG_TYPE_CHAP_MUTUAL) {
428 login_send_error(request, 0x02, 0x01);
429 log_errx(1, "initiator requests target authentication "
430 "for user \"%s\", but mutual user/secret "
431 "is not set", auth->a_user);
432 }
433
434 log_debugx("performing mutual authentication as user \"%s\"",
435 auth->a_mutual_user);
436
437 rchap = rchap_new(auth->a_mutual_secret);
438 error = rchap_receive(rchap, chap_i, chap_c);
439 if (error != 0) {
440 login_send_error(request, 0x02, 0x07);
441 log_errx(1, "received CHAP Login PDU with malformed "
442 "CHAP_I or CHAP_C");
443 }
444 chap_r = rchap_get_response(rchap);
445 rchap_delete(rchap);
446 response_keys = keys_new();
447 keys_add(response_keys, "CHAP_N", auth->a_mutual_user);
448 keys_add(response_keys, "CHAP_R", chap_r);
449 free(chap_r);
450 keys_save_pdu(response_keys, response);
451 keys_delete(response_keys);
452 } else {
453 log_debugx("initiator did not request target authentication");
454 }
455
456 keys_delete(request_keys);
457 pdu_send(response);
458 pdu_delete(response);
459 }
460
461 static void
login_chap(struct ctld_connection * conn,struct auth_group * ag)462 login_chap(struct ctld_connection *conn, struct auth_group *ag)
463 {
464 const struct auth *auth;
465 struct chap *chap;
466 struct pdu *request;
467
468 /*
469 * Receive CHAP_A PDU.
470 */
471 log_debugx("beginning CHAP authentication; waiting for CHAP_A");
472 request = login_receive_chap_a(&conn->conn);
473
474 /*
475 * Generate the challenge.
476 */
477 chap = chap_new();
478
479 /*
480 * Send the challenge.
481 */
482 log_debugx("sending CHAP_C, binary challenge size is %zd bytes",
483 sizeof(chap->chap_challenge));
484 login_send_chap_c(request, chap);
485 pdu_delete(request);
486
487 /*
488 * Receive CHAP_N/CHAP_R PDU and authenticate.
489 */
490 log_debugx("waiting for CHAP_N/CHAP_R");
491 request = login_receive_chap_r(&conn->conn, ag, chap, &auth);
492
493 /*
494 * Yay, authentication succeeded!
495 */
496 log_debugx("authentication succeeded for user \"%s\"; "
497 "transitioning to operational parameter negotiation", auth->a_user);
498 login_send_chap_success(request, auth);
499 pdu_delete(request);
500
501 /*
502 * Leave username and CHAP information for discovery().
503 */
504 conn->conn_user = auth->a_user;
505 conn->conn_chap = chap;
506 }
507
508 static void
login_negotiate_key(struct pdu * request,const char * name,const char * value,bool skipped_security,struct keys * response_keys)509 login_negotiate_key(struct pdu *request, const char *name,
510 const char *value, bool skipped_security, struct keys *response_keys)
511 {
512 int which;
513 size_t tmp;
514 struct ctld_connection *conn;
515
516 conn = (struct ctld_connection *)request->pdu_connection;
517
518 if (strcmp(name, "InitiatorName") == 0) {
519 if (!skipped_security)
520 log_errx(1, "initiator resent InitiatorName");
521 } else if (strcmp(name, "SessionType") == 0) {
522 if (!skipped_security)
523 log_errx(1, "initiator resent SessionType");
524 } else if (strcmp(name, "TargetName") == 0) {
525 if (!skipped_security)
526 log_errx(1, "initiator resent TargetName");
527 } else if (strcmp(name, "InitiatorAlias") == 0) {
528 if (conn->conn_initiator_alias != NULL)
529 free(conn->conn_initiator_alias);
530 conn->conn_initiator_alias = checked_strdup(value);
531 } else if (strcmp(value, "Irrelevant") == 0) {
532 /* Ignore. */
533 } else if (strcmp(name, "HeaderDigest") == 0) {
534 /*
535 * We don't handle digests for discovery sessions.
536 */
537 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) {
538 log_debugx("discovery session; digests disabled");
539 keys_add(response_keys, name, "None");
540 return;
541 }
542
543 which = login_list_prefers(value, "CRC32C", "None");
544 switch (which) {
545 case 1:
546 log_debugx("initiator prefers CRC32C "
547 "for header digest; we'll use it");
548 conn->conn.conn_header_digest = CONN_DIGEST_CRC32C;
549 keys_add(response_keys, name, "CRC32C");
550 break;
551 case 2:
552 log_debugx("initiator prefers not to do "
553 "header digest; we'll comply");
554 keys_add(response_keys, name, "None");
555 break;
556 default:
557 log_warnx("initiator sent unrecognized "
558 "HeaderDigest value \"%s\"; will use None", value);
559 keys_add(response_keys, name, "None");
560 break;
561 }
562 } else if (strcmp(name, "DataDigest") == 0) {
563 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) {
564 log_debugx("discovery session; digests disabled");
565 keys_add(response_keys, name, "None");
566 return;
567 }
568
569 which = login_list_prefers(value, "CRC32C", "None");
570 switch (which) {
571 case 1:
572 log_debugx("initiator prefers CRC32C "
573 "for data digest; we'll use it");
574 conn->conn.conn_data_digest = CONN_DIGEST_CRC32C;
575 keys_add(response_keys, name, "CRC32C");
576 break;
577 case 2:
578 log_debugx("initiator prefers not to do "
579 "data digest; we'll comply");
580 keys_add(response_keys, name, "None");
581 break;
582 default:
583 log_warnx("initiator sent unrecognized "
584 "DataDigest value \"%s\"; will use None", value);
585 keys_add(response_keys, name, "None");
586 break;
587 }
588 } else if (strcmp(name, "MaxConnections") == 0) {
589 keys_add(response_keys, name, "1");
590 } else if (strcmp(name, "InitialR2T") == 0) {
591 keys_add(response_keys, name, "Yes");
592 } else if (strcmp(name, "ImmediateData") == 0) {
593 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) {
594 log_debugx("discovery session; ImmediateData irrelevant");
595 keys_add(response_keys, name, "Irrelevant");
596 } else {
597 if (strcmp(value, "Yes") == 0) {
598 conn->conn.conn_immediate_data = true;
599 keys_add(response_keys, name, "Yes");
600 } else {
601 conn->conn.conn_immediate_data = false;
602 keys_add(response_keys, name, "No");
603 }
604 }
605 } else if (strcmp(name, "MaxRecvDataSegmentLength") == 0) {
606 tmp = strtoul(value, NULL, 10);
607 if (tmp <= 0) {
608 login_send_error(request, 0x02, 0x00);
609 log_errx(1, "received invalid "
610 "MaxRecvDataSegmentLength");
611 }
612
613 /*
614 * MaxRecvDataSegmentLength is a direction-specific parameter.
615 * We'll limit our _send_ to what the initiator can handle but
616 * our MaxRecvDataSegmentLength is not influenced by the
617 * initiator in any way.
618 */
619 if ((int)tmp > conn->conn_max_send_data_segment_limit) {
620 log_debugx("capping MaxRecvDataSegmentLength "
621 "from %zd to %d", tmp,
622 conn->conn_max_send_data_segment_limit);
623 tmp = conn->conn_max_send_data_segment_limit;
624 }
625 conn->conn.conn_max_send_data_segment_length = tmp;
626 } else if (strcmp(name, "MaxBurstLength") == 0) {
627 tmp = strtoul(value, NULL, 10);
628 if (tmp <= 0) {
629 login_send_error(request, 0x02, 0x00);
630 log_errx(1, "received invalid MaxBurstLength");
631 }
632 if ((int)tmp > conn->conn_max_burst_limit) {
633 log_debugx("capping MaxBurstLength from %zd to %d",
634 tmp, conn->conn_max_burst_limit);
635 tmp = conn->conn_max_burst_limit;
636 }
637 conn->conn.conn_max_burst_length = tmp;
638 keys_add_int(response_keys, name, tmp);
639 } else if (strcmp(name, "FirstBurstLength") == 0) {
640 tmp = strtoul(value, NULL, 10);
641 if (tmp <= 0) {
642 login_send_error(request, 0x02, 0x00);
643 log_errx(1, "received invalid FirstBurstLength");
644 }
645 if ((int)tmp > conn->conn_first_burst_limit) {
646 log_debugx("capping FirstBurstLength from %zd to %d",
647 tmp, conn->conn_first_burst_limit);
648 tmp = conn->conn_first_burst_limit;
649 }
650 conn->conn.conn_first_burst_length = tmp;
651 keys_add_int(response_keys, name, tmp);
652 } else if (strcmp(name, "DefaultTime2Wait") == 0) {
653 keys_add(response_keys, name, value);
654 } else if (strcmp(name, "DefaultTime2Retain") == 0) {
655 keys_add(response_keys, name, "0");
656 } else if (strcmp(name, "MaxOutstandingR2T") == 0) {
657 keys_add(response_keys, name, "1");
658 } else if (strcmp(name, "DataPDUInOrder") == 0) {
659 keys_add(response_keys, name, "Yes");
660 } else if (strcmp(name, "DataSequenceInOrder") == 0) {
661 keys_add(response_keys, name, "Yes");
662 } else if (strcmp(name, "ErrorRecoveryLevel") == 0) {
663 keys_add(response_keys, name, "0");
664 } else if (strcmp(name, "OFMarker") == 0) {
665 keys_add(response_keys, name, "No");
666 } else if (strcmp(name, "IFMarker") == 0) {
667 keys_add(response_keys, name, "No");
668 } else if (strcmp(name, "iSCSIProtocolLevel") == 0) {
669 tmp = strtoul(value, NULL, 10);
670 if (tmp > 2)
671 tmp = 2;
672 keys_add_int(response_keys, name, tmp);
673 } else {
674 log_debugx("unknown key \"%s\"; responding "
675 "with NotUnderstood", name);
676 keys_add(response_keys, name, "NotUnderstood");
677 }
678 }
679
680 static void
login_redirect(struct pdu * request,const char * target_address)681 login_redirect(struct pdu *request, const char *target_address)
682 {
683 struct pdu *response;
684 struct iscsi_bhs_login_response *bhslr2;
685 struct keys *response_keys;
686
687 response = login_new_response(request);
688 login_set_csg(response, login_csg(request));
689 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs;
690 bhslr2->bhslr_status_class = 0x01;
691 bhslr2->bhslr_status_detail = 0x01;
692
693 response_keys = keys_new();
694 keys_add(response_keys, "TargetAddress", target_address);
695
696 keys_save_pdu(response_keys, response);
697 pdu_send(response);
698 pdu_delete(response);
699 keys_delete(response_keys);
700 }
701
702 static bool
login_portal_redirect(struct ctld_connection * conn,struct pdu * request)703 login_portal_redirect(struct ctld_connection *conn, struct pdu *request)
704 {
705 const struct portal_group *pg;
706
707 pg = conn->conn_portal->p_portal_group;
708 if (pg->pg_redirection == NULL)
709 return (false);
710
711 log_debugx("portal-group \"%s\" configured to redirect to %s",
712 pg->pg_name, pg->pg_redirection);
713 login_redirect(request, pg->pg_redirection);
714
715 return (true);
716 }
717
718 static bool
login_target_redirect(struct ctld_connection * conn,struct pdu * request)719 login_target_redirect(struct ctld_connection *conn, struct pdu *request)
720 {
721 const char *target_address;
722
723 assert(conn->conn_portal->p_portal_group->pg_redirection == NULL);
724
725 if (conn->conn_target == NULL)
726 return (false);
727
728 target_address = conn->conn_target->t_redirection;
729 if (target_address == NULL)
730 return (false);
731
732 log_debugx("target \"%s\" configured to redirect to %s",
733 conn->conn_target->t_name, target_address);
734 login_redirect(request, target_address);
735
736 return (true);
737 }
738
739 static void
login_negotiate(struct ctld_connection * conn,struct pdu * request)740 login_negotiate(struct ctld_connection *conn, struct pdu *request)
741 {
742 struct pdu *response;
743 struct iscsi_bhs_login_response *bhslr2;
744 struct keys *request_keys, *response_keys;
745 int i;
746 bool redirected, skipped_security;
747
748 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) {
749 /*
750 * Query the kernel for various size limits. In case of
751 * offload, it depends on hardware capabilities.
752 */
753 assert(conn->conn_target != NULL);
754 conn->conn_max_recv_data_segment_limit = (1 << 24) - 1;
755 conn->conn_max_send_data_segment_limit = (1 << 24) - 1;
756 conn->conn_max_burst_limit = (1 << 24) - 1;
757 conn->conn_first_burst_limit = (1 << 24) - 1;
758 kernel_limits(conn->conn_portal->p_portal_group->pg_offload,
759 conn->conn.conn_socket,
760 &conn->conn_max_recv_data_segment_limit,
761 &conn->conn_max_send_data_segment_limit,
762 &conn->conn_max_burst_limit,
763 &conn->conn_first_burst_limit);
764
765 /* We expect legal, usable values at this point. */
766 assert(conn->conn_max_recv_data_segment_limit >= 512);
767 assert(conn->conn_max_recv_data_segment_limit < (1 << 24));
768 assert(conn->conn_max_send_data_segment_limit >= 512);
769 assert(conn->conn_max_send_data_segment_limit < (1 << 24));
770 assert(conn->conn_max_burst_limit >= 512);
771 assert(conn->conn_max_burst_limit < (1 << 24));
772 assert(conn->conn_first_burst_limit >= 512);
773 assert(conn->conn_first_burst_limit < (1 << 24));
774 assert(conn->conn_first_burst_limit <=
775 conn->conn_max_burst_limit);
776
777 /*
778 * Limit default send length in case it won't be negotiated.
779 * We can't do it for other limits, since they may affect both
780 * sender and receiver operation, and we must obey defaults.
781 */
782 if (conn->conn_max_send_data_segment_limit <
783 conn->conn.conn_max_send_data_segment_length) {
784 conn->conn.conn_max_send_data_segment_length =
785 conn->conn_max_send_data_segment_limit;
786 }
787 } else {
788 conn->conn_max_recv_data_segment_limit =
789 MAX_DATA_SEGMENT_LENGTH;
790 conn->conn_max_send_data_segment_limit =
791 MAX_DATA_SEGMENT_LENGTH;
792 }
793
794 if (request == NULL) {
795 log_debugx("beginning operational parameter negotiation; "
796 "waiting for Login PDU");
797 request = login_receive(&conn->conn, false);
798 skipped_security = false;
799 } else
800 skipped_security = true;
801
802 /*
803 * RFC 3720, 10.13.5. Status-Class and Status-Detail, says
804 * the redirection SHOULD be accepted by the initiator before
805 * authentication, but MUST be accepted afterwards; that's
806 * why we're doing it here and not earlier.
807 */
808 redirected = login_target_redirect(conn, request);
809 if (redirected) {
810 log_debugx("initiator redirected; exiting");
811 exit(0);
812 }
813
814 request_keys = keys_new();
815 keys_load_pdu(request_keys, request);
816
817 response = login_new_response(request);
818 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs;
819 bhslr2->bhslr_tsih = htons(0xbadd);
820 login_set_csg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION);
821 login_set_nsg(response, BHSLR_STAGE_FULL_FEATURE_PHASE);
822 response_keys = keys_new();
823
824 if (skipped_security &&
825 conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) {
826 if (conn->conn_target->t_alias != NULL)
827 keys_add(response_keys,
828 "TargetAlias", conn->conn_target->t_alias);
829 keys_add_int(response_keys, "TargetPortalGroupTag",
830 conn->conn_portal->p_portal_group->pg_tag);
831 }
832
833 for (i = 0; i < KEYS_MAX; i++) {
834 if (request_keys->keys_names[i] == NULL)
835 break;
836
837 login_negotiate_key(request, request_keys->keys_names[i],
838 request_keys->keys_values[i], skipped_security,
839 response_keys);
840 }
841
842 /*
843 * We'd started with usable values at our end. But a bad initiator
844 * could have presented a large FirstBurstLength and then a smaller
845 * MaxBurstLength (in that order) and because we process the key/value
846 * pairs in the order they are in the request we might have ended up
847 * with illegal values here.
848 */
849 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL &&
850 conn->conn.conn_first_burst_length >
851 conn->conn.conn_max_burst_length) {
852 log_errx(1, "initiator sent FirstBurstLength > MaxBurstLength");
853 }
854
855 conn->conn.conn_max_recv_data_segment_length =
856 conn->conn_max_recv_data_segment_limit;
857 keys_add_int(response_keys, "MaxRecvDataSegmentLength",
858 conn->conn.conn_max_recv_data_segment_length);
859
860 log_debugx("operational parameter negotiation done; "
861 "transitioning to Full Feature Phase");
862
863 keys_save_pdu(response_keys, response);
864 pdu_send(response);
865 pdu_delete(response);
866 keys_delete(response_keys);
867 pdu_delete(request);
868 keys_delete(request_keys);
869 }
870
871 static void
login_wait_transition(struct ctld_connection * conn)872 login_wait_transition(struct ctld_connection *conn)
873 {
874 struct pdu *request, *response;
875 struct iscsi_bhs_login_request *bhslr;
876
877 log_debugx("waiting for state transition request");
878 request = login_receive(&conn->conn, false);
879 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs;
880 if ((bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) == 0) {
881 login_send_error(request, 0x02, 0x00);
882 log_errx(1, "got no \"T\" flag after answering AuthMethod");
883 }
884
885 log_debugx("got state transition request");
886 response = login_new_response(request);
887 pdu_delete(request);
888 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION);
889 pdu_send(response);
890 pdu_delete(response);
891
892 login_negotiate(conn, NULL);
893 }
894
895 void
login(struct ctld_connection * conn)896 login(struct ctld_connection *conn)
897 {
898 struct pdu *request, *response;
899 struct iscsi_bhs_login_request *bhslr;
900 struct keys *request_keys, *response_keys;
901 struct auth_group *ag;
902 struct portal_group *pg;
903 const char *initiator_name, *initiator_alias, *session_type,
904 *target_name, *auth_method;
905 bool redirected, fail, trans;
906
907 /*
908 * Handle the initial Login Request - figure out required authentication
909 * method and either transition to the next phase, if no authentication
910 * is required, or call appropriate authentication code.
911 */
912 log_debugx("beginning Login Phase; waiting for Login PDU");
913 request = login_receive(&conn->conn, true);
914 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs;
915 if (bhslr->bhslr_tsih != 0) {
916 login_send_error(request, 0x02, 0x0a);
917 log_errx(1, "received Login PDU with non-zero TSIH");
918 }
919
920 pg = conn->conn_portal->p_portal_group;
921
922 memcpy(conn->conn_initiator_isid, bhslr->bhslr_isid,
923 sizeof(conn->conn_initiator_isid));
924
925 /*
926 * XXX: Implement the C flag some day.
927 */
928 request_keys = keys_new();
929 keys_load_pdu(request_keys, request);
930
931 assert(conn->conn_initiator_name == NULL);
932 initiator_name = keys_find(request_keys, "InitiatorName");
933 if (initiator_name == NULL) {
934 login_send_error(request, 0x02, 0x07);
935 log_errx(1, "received Login PDU without InitiatorName");
936 }
937 if (valid_iscsi_name(initiator_name, log_warnx) == false) {
938 login_send_error(request, 0x02, 0x00);
939 log_errx(1, "received Login PDU with invalid InitiatorName");
940 }
941 conn->conn_initiator_name = checked_strdup(initiator_name);
942 log_set_peer_name(conn->conn_initiator_name);
943 setproctitle("%s (%s)", conn->conn_initiator_addr, conn->conn_initiator_name);
944
945 redirected = login_portal_redirect(conn, request);
946 if (redirected) {
947 log_debugx("initiator redirected; exiting");
948 exit(0);
949 }
950
951 initiator_alias = keys_find(request_keys, "InitiatorAlias");
952 if (initiator_alias != NULL)
953 conn->conn_initiator_alias = checked_strdup(initiator_alias);
954
955 assert(conn->conn_session_type == CONN_SESSION_TYPE_NONE);
956 session_type = keys_find(request_keys, "SessionType");
957 if (session_type != NULL) {
958 if (strcmp(session_type, "Normal") == 0) {
959 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL;
960 } else if (strcmp(session_type, "Discovery") == 0) {
961 conn->conn_session_type = CONN_SESSION_TYPE_DISCOVERY;
962 } else {
963 login_send_error(request, 0x02, 0x00);
964 log_errx(1, "received Login PDU with invalid "
965 "SessionType \"%s\"", session_type);
966 }
967 } else
968 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL;
969
970 assert(conn->conn_target == NULL);
971 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) {
972 target_name = keys_find(request_keys, "TargetName");
973 if (target_name == NULL) {
974 login_send_error(request, 0x02, 0x07);
975 log_errx(1, "received Login PDU without TargetName");
976 }
977
978 conn->conn_port = port_find_in_pg(pg, target_name);
979 if (conn->conn_port == NULL) {
980 login_send_error(request, 0x02, 0x03);
981 log_errx(1, "requested target \"%s\" not found",
982 target_name);
983 }
984 conn->conn_target = conn->conn_port->p_target;
985 }
986
987 /*
988 * At this point we know what kind of authentication we need.
989 */
990 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) {
991 ag = conn->conn_port->p_auth_group;
992 if (ag == NULL)
993 ag = conn->conn_target->t_auth_group;
994 if (ag->ag_name != NULL) {
995 log_debugx("initiator requests to connect "
996 "to target \"%s\"; auth-group \"%s\"",
997 conn->conn_target->t_name,
998 ag->ag_name);
999 } else {
1000 log_debugx("initiator requests to connect "
1001 "to target \"%s\"", conn->conn_target->t_name);
1002 }
1003 } else {
1004 assert(conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY);
1005 ag = pg->pg_discovery_auth_group;
1006 if (ag->ag_name != NULL) {
1007 log_debugx("initiator requests "
1008 "discovery session; auth-group \"%s\"", ag->ag_name);
1009 } else {
1010 log_debugx("initiator requests discovery session");
1011 }
1012 }
1013
1014 if (ag->ag_type == AG_TYPE_DENY) {
1015 login_send_error(request, 0x02, 0x01);
1016 log_errx(1, "auth-type is \"deny\"");
1017 }
1018
1019 if (ag->ag_type == AG_TYPE_UNKNOWN) {
1020 /*
1021 * This can happen with empty auth-group.
1022 */
1023 login_send_error(request, 0x02, 0x01);
1024 log_errx(1, "auth-type not set, denying access");
1025 }
1026
1027 /*
1028 * Enforce initiator-name and initiator-portal.
1029 */
1030 if (auth_name_check(ag, initiator_name) != 0) {
1031 login_send_error(request, 0x02, 0x02);
1032 log_errx(1, "initiator does not match allowed initiator names");
1033 }
1034
1035 if (auth_portal_check(ag, &conn->conn_initiator_sa) != 0) {
1036 login_send_error(request, 0x02, 0x02);
1037 log_errx(1, "initiator does not match allowed "
1038 "initiator portals");
1039 }
1040
1041 /*
1042 * Let's see if the initiator intends to do any kind of authentication
1043 * at all.
1044 */
1045 if (login_csg(request) == BHSLR_STAGE_OPERATIONAL_NEGOTIATION) {
1046 if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) {
1047 login_send_error(request, 0x02, 0x01);
1048 log_errx(1, "initiator skipped the authentication, "
1049 "but authentication is required");
1050 }
1051
1052 keys_delete(request_keys);
1053
1054 log_debugx("initiator skipped the authentication, "
1055 "and we don't need it; proceeding with negotiation");
1056 login_negotiate(conn, request);
1057 return;
1058 }
1059
1060 fail = false;
1061 response = login_new_response(request);
1062 response_keys = keys_new();
1063 trans = (bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) != 0;
1064 auth_method = keys_find(request_keys, "AuthMethod");
1065 if (ag->ag_type == AG_TYPE_NO_AUTHENTICATION) {
1066 log_debugx("authentication not required");
1067 if (auth_method == NULL ||
1068 login_list_contains(auth_method, "None")) {
1069 keys_add(response_keys, "AuthMethod", "None");
1070 } else {
1071 log_warnx("initiator requests "
1072 "AuthMethod \"%s\" instead of \"None\"",
1073 auth_method);
1074 keys_add(response_keys, "AuthMethod", "Reject");
1075 }
1076 if (trans)
1077 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION);
1078 } else {
1079 log_debugx("CHAP authentication required");
1080 if (auth_method == NULL ||
1081 login_list_contains(auth_method, "CHAP")) {
1082 keys_add(response_keys, "AuthMethod", "CHAP");
1083 } else {
1084 log_warnx("initiator requests unsupported "
1085 "AuthMethod \"%s\" instead of \"CHAP\"",
1086 auth_method);
1087 keys_add(response_keys, "AuthMethod", "Reject");
1088 fail = true;
1089 }
1090 }
1091 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) {
1092 if (conn->conn_target->t_alias != NULL)
1093 keys_add(response_keys,
1094 "TargetAlias", conn->conn_target->t_alias);
1095 keys_add_int(response_keys,
1096 "TargetPortalGroupTag", pg->pg_tag);
1097 }
1098 keys_save_pdu(response_keys, response);
1099
1100 pdu_send(response);
1101 pdu_delete(response);
1102 keys_delete(response_keys);
1103 pdu_delete(request);
1104 keys_delete(request_keys);
1105
1106 if (fail) {
1107 log_debugx("sent reject for AuthMethod; exiting");
1108 exit(1);
1109 }
1110
1111 if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) {
1112 login_chap(conn, ag);
1113 login_negotiate(conn, NULL);
1114 } else if (trans) {
1115 login_negotiate(conn, NULL);
1116 } else {
1117 login_wait_transition(conn);
1118 }
1119 }
1120