1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2012 The FreeBSD Foundation 5 * 6 * This software was developed by Edward Tomasz Napierala under sponsorship 7 * from the FreeBSD Foundation. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 */ 31 32 #include <sys/time.h> 33 #include <assert.h> 34 #include <stdbool.h> 35 #include <stdio.h> 36 #include <stdlib.h> 37 #include <string.h> 38 #include <unistd.h> 39 #include <netinet/in.h> 40 #include <cam/ctl/ctl.h> 41 #include <cam/ctl/ctl_io.h> 42 #include <cam/ctl/ctl_ioctl.h> 43 44 #include "ctld.hh" 45 #include "iscsi.hh" 46 #include "iscsi_proto.h" 47 48 #define MAX_DATA_SEGMENT_LENGTH (128 * 1024) 49 50 static void login_send_error(struct pdu *request, 51 char error_class, char detail); 52 53 static void 54 kernel_limits(const char *offload, int s, int *max_recv_dsl, int *max_send_dsl, 55 int *max_burst_length, int *first_burst_length) 56 { 57 struct ctl_iscsi req; 58 struct ctl_iscsi_limits_params *cilp; 59 60 bzero(&req, sizeof(req)); 61 62 req.type = CTL_ISCSI_LIMITS; 63 cilp = (struct ctl_iscsi_limits_params *)&(req.data.limits); 64 strlcpy(cilp->offload, offload, sizeof(cilp->offload)); 65 cilp->socket = s; 66 67 if (ioctl(ctl_fd, CTL_ISCSI, &req) == -1) { 68 log_err(1, "error issuing CTL_ISCSI ioctl; " 69 "dropping connection"); 70 } 71 72 if (req.status != CTL_ISCSI_OK) { 73 log_errx(1, "error returned from CTL iSCSI limits request: " 74 "%s; dropping connection", req.error_str); 75 } 76 77 if (cilp->max_recv_data_segment_length != 0) { 78 *max_recv_dsl = cilp->max_recv_data_segment_length; 79 *max_send_dsl = cilp->max_recv_data_segment_length; 80 } 81 if (cilp->max_send_data_segment_length != 0) 82 *max_send_dsl = cilp->max_send_data_segment_length; 83 if (cilp->max_burst_length != 0) 84 *max_burst_length = cilp->max_burst_length; 85 if (cilp->first_burst_length != 0) 86 *first_burst_length = cilp->first_burst_length; 87 if (*max_burst_length < *first_burst_length) 88 *first_burst_length = *max_burst_length; 89 90 if (offload[0] != '\0') { 91 log_debugx("Kernel limits for offload \"%s\" are " 92 "MaxRecvDataSegment=%d, max_send_dsl=%d, " 93 "MaxBurstLength=%d, FirstBurstLength=%d", 94 offload, *max_recv_dsl, *max_send_dsl, *max_burst_length, 95 *first_burst_length); 96 } else { 97 log_debugx("Kernel limits are " 98 "MaxRecvDataSegment=%d, max_send_dsl=%d, " 99 "MaxBurstLength=%d, FirstBurstLength=%d", 100 *max_recv_dsl, *max_send_dsl, *max_burst_length, 101 *first_burst_length); 102 } 103 } 104 105 static void 106 login_set_nsg(struct pdu *response, int nsg) 107 { 108 struct iscsi_bhs_login_response *bhslr; 109 110 assert(nsg == BHSLR_STAGE_SECURITY_NEGOTIATION || 111 nsg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 112 nsg == BHSLR_STAGE_FULL_FEATURE_PHASE); 113 114 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 115 116 bhslr->bhslr_flags &= 0xFC; 117 bhslr->bhslr_flags |= nsg; 118 bhslr->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 119 } 120 121 static int 122 login_csg(const struct pdu *request) 123 { 124 struct iscsi_bhs_login_request *bhslr; 125 126 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 127 128 return ((bhslr->bhslr_flags & 0x0C) >> 2); 129 } 130 131 static void 132 login_set_csg(struct pdu *response, int csg) 133 { 134 struct iscsi_bhs_login_response *bhslr; 135 136 assert(csg == BHSLR_STAGE_SECURITY_NEGOTIATION || 137 csg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 138 csg == BHSLR_STAGE_FULL_FEATURE_PHASE); 139 140 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 141 142 bhslr->bhslr_flags &= 0xF3; 143 bhslr->bhslr_flags |= csg << 2; 144 } 145 146 static struct pdu * 147 login_receive(struct connection *conn, bool initial) 148 { 149 struct pdu *request; 150 struct iscsi_bhs_login_request *bhslr; 151 152 request = pdu_new(conn); 153 pdu_receive(request); 154 if ((request->pdu_bhs->bhs_opcode & ~ISCSI_BHS_OPCODE_IMMEDIATE) != 155 ISCSI_BHS_OPCODE_LOGIN_REQUEST) { 156 /* 157 * The first PDU in session is special - if we receive any PDU 158 * different than login request, we have to drop the connection 159 * without sending response ("A target receiving any PDU 160 * except a Login request before the Login Phase is started MUST 161 * immediately terminate the connection on which the PDU 162 * was received.") 163 */ 164 if (initial == false) 165 login_send_error(request, 0x02, 0x0b); 166 log_errx(1, "protocol error: received invalid opcode 0x%x", 167 request->pdu_bhs->bhs_opcode); 168 } 169 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 170 /* 171 * XXX: Implement the C flag some day. 172 */ 173 if ((bhslr->bhslr_flags & BHSLR_FLAGS_CONTINUE) != 0) { 174 login_send_error(request, 0x03, 0x00); 175 log_errx(1, "received Login PDU with unsupported \"C\" flag"); 176 } 177 if (bhslr->bhslr_version_max != 0x00) { 178 login_send_error(request, 0x02, 0x05); 179 log_errx(1, "received Login PDU with unsupported " 180 "Version-max 0x%x", bhslr->bhslr_version_max); 181 } 182 if (bhslr->bhslr_version_min != 0x00) { 183 login_send_error(request, 0x02, 0x05); 184 log_errx(1, "received Login PDU with unsupported " 185 "Version-min 0x%x", bhslr->bhslr_version_min); 186 } 187 if (initial == false && 188 ISCSI_SNLT(ntohl(bhslr->bhslr_cmdsn), conn->conn_cmdsn)) { 189 login_send_error(request, 0x02, 0x00); 190 log_errx(1, "received Login PDU with decreasing CmdSN: " 191 "was %u, is %u", conn->conn_cmdsn, 192 ntohl(bhslr->bhslr_cmdsn)); 193 } 194 if (initial == false && 195 ntohl(bhslr->bhslr_expstatsn) != conn->conn_statsn) { 196 login_send_error(request, 0x02, 0x00); 197 log_errx(1, "received Login PDU with wrong ExpStatSN: " 198 "is %u, should be %u", ntohl(bhslr->bhslr_expstatsn), 199 conn->conn_statsn); 200 } 201 conn->conn_cmdsn = ntohl(bhslr->bhslr_cmdsn); 202 203 return (request); 204 } 205 206 static struct pdu * 207 login_new_response(struct pdu *request) 208 { 209 struct pdu *response; 210 struct connection *conn; 211 struct iscsi_bhs_login_request *bhslr; 212 struct iscsi_bhs_login_response *bhslr2; 213 214 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 215 conn = request->pdu_connection; 216 217 response = pdu_new_response(request); 218 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 219 bhslr2->bhslr_opcode = ISCSI_BHS_OPCODE_LOGIN_RESPONSE; 220 login_set_csg(response, BHSLR_STAGE_SECURITY_NEGOTIATION); 221 memcpy(bhslr2->bhslr_isid, 222 bhslr->bhslr_isid, sizeof(bhslr2->bhslr_isid)); 223 bhslr2->bhslr_initiator_task_tag = bhslr->bhslr_initiator_task_tag; 224 bhslr2->bhslr_statsn = htonl(conn->conn_statsn++); 225 bhslr2->bhslr_expcmdsn = htonl(conn->conn_cmdsn); 226 bhslr2->bhslr_maxcmdsn = htonl(conn->conn_cmdsn); 227 228 return (response); 229 } 230 231 static void 232 login_send_error(struct pdu *request, char error_class, char detail) 233 { 234 struct pdu *response; 235 struct iscsi_bhs_login_response *bhslr2; 236 237 log_debugx("sending Login Response PDU with failure class 0x%x/0x%x; " 238 "see next line for reason", error_class, detail); 239 response = login_new_response(request); 240 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 241 bhslr2->bhslr_status_class = error_class; 242 bhslr2->bhslr_status_detail = detail; 243 244 pdu_send(response); 245 pdu_delete(response); 246 } 247 248 static int 249 login_list_contains(const char *list, const char *what) 250 { 251 char *tofree, *str, *token; 252 253 tofree = str = checked_strdup(list); 254 255 while ((token = strsep(&str, ",")) != NULL) { 256 if (strcmp(token, what) == 0) { 257 free(tofree); 258 return (1); 259 } 260 } 261 free(tofree); 262 return (0); 263 } 264 265 static int 266 login_list_prefers(const char *list, 267 const char *choice1, const char *choice2) 268 { 269 char *tofree, *str, *token; 270 271 tofree = str = checked_strdup(list); 272 273 while ((token = strsep(&str, ",")) != NULL) { 274 if (strcmp(token, choice1) == 0) { 275 free(tofree); 276 return (1); 277 } 278 if (strcmp(token, choice2) == 0) { 279 free(tofree); 280 return (2); 281 } 282 } 283 free(tofree); 284 return (-1); 285 } 286 287 static struct pdu * 288 login_receive_chap_a(struct connection *conn) 289 { 290 struct pdu *request; 291 struct keys *request_keys; 292 const char *chap_a; 293 294 request = login_receive(conn, false); 295 request_keys = keys_new(); 296 keys_load_pdu(request_keys, request); 297 298 chap_a = keys_find(request_keys, "CHAP_A"); 299 if (chap_a == NULL) { 300 login_send_error(request, 0x02, 0x07); 301 log_errx(1, "received CHAP Login PDU without CHAP_A"); 302 } 303 if (login_list_contains(chap_a, "5") == 0) { 304 login_send_error(request, 0x02, 0x01); 305 log_errx(1, "received CHAP Login PDU with unsupported CHAP_A " 306 "\"%s\"", chap_a); 307 } 308 keys_delete(request_keys); 309 310 return (request); 311 } 312 313 static void 314 login_send_chap_c(struct pdu *request, struct chap *chap) 315 { 316 struct pdu *response; 317 struct keys *response_keys; 318 char *chap_c, *chap_i; 319 320 chap_c = chap_get_challenge(chap); 321 chap_i = chap_get_id(chap); 322 323 response = login_new_response(request); 324 response_keys = keys_new(); 325 keys_add(response_keys, "CHAP_A", "5"); 326 keys_add(response_keys, "CHAP_I", chap_i); 327 keys_add(response_keys, "CHAP_C", chap_c); 328 free(chap_i); 329 free(chap_c); 330 keys_save_pdu(response_keys, response); 331 pdu_send(response); 332 pdu_delete(response); 333 keys_delete(response_keys); 334 } 335 336 static struct pdu * 337 login_receive_chap_r(struct connection *conn, struct auth_group *ag, 338 struct chap *chap, const struct auth **authp, std::string &user) 339 { 340 struct pdu *request; 341 struct keys *request_keys; 342 const char *chap_n, *chap_r; 343 const struct auth *auth; 344 int error; 345 346 request = login_receive(conn, false); 347 request_keys = keys_new(); 348 keys_load_pdu(request_keys, request); 349 350 chap_n = keys_find(request_keys, "CHAP_N"); 351 if (chap_n == NULL) { 352 login_send_error(request, 0x02, 0x07); 353 log_errx(1, "received CHAP Login PDU without CHAP_N"); 354 } 355 chap_r = keys_find(request_keys, "CHAP_R"); 356 if (chap_r == NULL) { 357 login_send_error(request, 0x02, 0x07); 358 log_errx(1, "received CHAP Login PDU without CHAP_R"); 359 } 360 error = chap_receive(chap, chap_r); 361 if (error != 0) { 362 login_send_error(request, 0x02, 0x07); 363 log_errx(1, "received CHAP Login PDU with malformed CHAP_R"); 364 } 365 366 /* 367 * Verify the response. 368 */ 369 assert(ag->type() == auth_type::CHAP || 370 ag->type() == auth_type::CHAP_MUTUAL); 371 auth = ag->find_auth(chap_n); 372 if (auth == NULL) { 373 login_send_error(request, 0x02, 0x01); 374 log_errx(1, "received CHAP Login with invalid user \"%s\"", 375 chap_n); 376 } 377 378 error = chap_authenticate(chap, auth->secret()); 379 if (error != 0) { 380 login_send_error(request, 0x02, 0x01); 381 log_errx(1, "CHAP authentication failed for user \"%s\"", 382 chap_n); 383 } 384 user = chap_n; 385 386 keys_delete(request_keys); 387 388 *authp = auth; 389 return (request); 390 } 391 392 static void 393 login_send_chap_success(struct pdu *request, 394 const struct auth *auth, const std::string &user) 395 { 396 struct pdu *response; 397 struct keys *request_keys, *response_keys; 398 struct rchap *rchap; 399 const char *chap_i, *chap_c; 400 char *chap_r; 401 int error; 402 403 response = login_new_response(request); 404 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 405 406 /* 407 * Actually, one more thing: mutual authentication. 408 */ 409 request_keys = keys_new(); 410 keys_load_pdu(request_keys, request); 411 chap_i = keys_find(request_keys, "CHAP_I"); 412 chap_c = keys_find(request_keys, "CHAP_C"); 413 if (chap_i != NULL || chap_c != NULL) { 414 if (chap_i == NULL) { 415 login_send_error(request, 0x02, 0x07); 416 log_errx(1, "initiator requested target " 417 "authentication, but didn't send CHAP_I"); 418 } 419 if (chap_c == NULL) { 420 login_send_error(request, 0x02, 0x07); 421 log_errx(1, "initiator requested target " 422 "authentication, but didn't send CHAP_C"); 423 } 424 if (!auth->mutual()) { 425 login_send_error(request, 0x02, 0x01); 426 log_errx(1, "initiator requests target authentication " 427 "for user \"%s\", but mutual user/secret " 428 "is not set", user.c_str()); 429 } 430 431 log_debugx("performing mutual authentication as user \"%s\"", 432 auth->mutual_user()); 433 434 rchap = rchap_new(auth->mutual_secret()); 435 error = rchap_receive(rchap, chap_i, chap_c); 436 if (error != 0) { 437 login_send_error(request, 0x02, 0x07); 438 log_errx(1, "received CHAP Login PDU with malformed " 439 "CHAP_I or CHAP_C"); 440 } 441 chap_r = rchap_get_response(rchap); 442 rchap_delete(rchap); 443 response_keys = keys_new(); 444 keys_add(response_keys, "CHAP_N", auth->mutual_user()); 445 keys_add(response_keys, "CHAP_R", chap_r); 446 free(chap_r); 447 keys_save_pdu(response_keys, response); 448 keys_delete(response_keys); 449 } else { 450 log_debugx("initiator did not request target authentication"); 451 } 452 453 keys_delete(request_keys); 454 pdu_send(response); 455 pdu_delete(response); 456 } 457 458 void 459 iscsi_connection::login_chap(struct auth_group *ag) 460 { 461 std::string user; 462 const struct auth *auth; 463 struct chap *chap; 464 struct pdu *request; 465 466 /* 467 * Receive CHAP_A PDU. 468 */ 469 log_debugx("beginning CHAP authentication; waiting for CHAP_A"); 470 request = login_receive_chap_a(&conn); 471 472 /* 473 * Generate the challenge. 474 */ 475 chap = chap_new(); 476 477 /* 478 * Send the challenge. 479 */ 480 log_debugx("sending CHAP_C, binary challenge size is %zd bytes", 481 sizeof(chap->chap_challenge)); 482 login_send_chap_c(request, chap); 483 pdu_delete(request); 484 485 /* 486 * Receive CHAP_N/CHAP_R PDU and authenticate. 487 */ 488 log_debugx("waiting for CHAP_N/CHAP_R"); 489 request = login_receive_chap_r(&conn, ag, chap, &auth, user); 490 491 /* 492 * Yay, authentication succeeded! 493 */ 494 log_debugx("authentication succeeded for user \"%s\"; " 495 "transitioning to operational parameter negotiation", user.c_str()); 496 login_send_chap_success(request, auth, user); 497 pdu_delete(request); 498 499 /* 500 * Leave username and CHAP information for discovery(). 501 */ 502 conn_user = user; 503 conn_chap = chap; 504 } 505 506 void 507 iscsi_connection::login_negotiate_key(struct pdu *request, const char *name, 508 const char *value, bool skipped_security, struct keys *response_keys) 509 { 510 int which; 511 size_t tmp; 512 513 assert(request->pdu_connection == &conn); 514 515 if (strcmp(name, "InitiatorName") == 0) { 516 if (!skipped_security) 517 log_errx(1, "initiator resent InitiatorName"); 518 } else if (strcmp(name, "SessionType") == 0) { 519 if (!skipped_security) 520 log_errx(1, "initiator resent SessionType"); 521 } else if (strcmp(name, "TargetName") == 0) { 522 if (!skipped_security) 523 log_errx(1, "initiator resent TargetName"); 524 } else if (strcmp(name, "InitiatorAlias") == 0) { 525 conn_initiator_alias = value; 526 } else if (strcmp(value, "Irrelevant") == 0) { 527 /* Ignore. */ 528 } else if (strcmp(name, "HeaderDigest") == 0) { 529 /* 530 * We don't handle digests for discovery sessions. 531 */ 532 if (conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 533 log_debugx("discovery session; digests disabled"); 534 keys_add(response_keys, name, "None"); 535 return; 536 } 537 538 which = login_list_prefers(value, "CRC32C", "None"); 539 switch (which) { 540 case 1: 541 log_debugx("initiator prefers CRC32C " 542 "for header digest; we'll use it"); 543 conn.conn_header_digest = CONN_DIGEST_CRC32C; 544 keys_add(response_keys, name, "CRC32C"); 545 break; 546 case 2: 547 log_debugx("initiator prefers not to do " 548 "header digest; we'll comply"); 549 keys_add(response_keys, name, "None"); 550 break; 551 default: 552 log_warnx("initiator sent unrecognized " 553 "HeaderDigest value \"%s\"; will use None", value); 554 keys_add(response_keys, name, "None"); 555 break; 556 } 557 } else if (strcmp(name, "DataDigest") == 0) { 558 if (conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 559 log_debugx("discovery session; digests disabled"); 560 keys_add(response_keys, name, "None"); 561 return; 562 } 563 564 which = login_list_prefers(value, "CRC32C", "None"); 565 switch (which) { 566 case 1: 567 log_debugx("initiator prefers CRC32C " 568 "for data digest; we'll use it"); 569 conn.conn_data_digest = CONN_DIGEST_CRC32C; 570 keys_add(response_keys, name, "CRC32C"); 571 break; 572 case 2: 573 log_debugx("initiator prefers not to do " 574 "data digest; we'll comply"); 575 keys_add(response_keys, name, "None"); 576 break; 577 default: 578 log_warnx("initiator sent unrecognized " 579 "DataDigest value \"%s\"; will use None", value); 580 keys_add(response_keys, name, "None"); 581 break; 582 } 583 } else if (strcmp(name, "MaxConnections") == 0) { 584 keys_add(response_keys, name, "1"); 585 } else if (strcmp(name, "InitialR2T") == 0) { 586 keys_add(response_keys, name, "Yes"); 587 } else if (strcmp(name, "ImmediateData") == 0) { 588 if (conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 589 log_debugx("discovery session; ImmediateData irrelevant"); 590 keys_add(response_keys, name, "Irrelevant"); 591 } else { 592 if (strcmp(value, "Yes") == 0) { 593 conn.conn_immediate_data = true; 594 keys_add(response_keys, name, "Yes"); 595 } else { 596 conn.conn_immediate_data = false; 597 keys_add(response_keys, name, "No"); 598 } 599 } 600 } else if (strcmp(name, "MaxRecvDataSegmentLength") == 0) { 601 tmp = strtoul(value, NULL, 10); 602 if (tmp <= 0) { 603 login_send_error(request, 0x02, 0x00); 604 log_errx(1, "received invalid " 605 "MaxRecvDataSegmentLength"); 606 } 607 608 /* 609 * MaxRecvDataSegmentLength is a direction-specific parameter. 610 * We'll limit our _send_ to what the initiator can handle but 611 * our MaxRecvDataSegmentLength is not influenced by the 612 * initiator in any way. 613 */ 614 if ((int)tmp > conn_max_send_data_segment_limit) { 615 log_debugx("capping MaxRecvDataSegmentLength " 616 "from %zd to %d", tmp, 617 conn_max_send_data_segment_limit); 618 tmp = conn_max_send_data_segment_limit; 619 } 620 conn.conn_max_send_data_segment_length = tmp; 621 } else if (strcmp(name, "MaxBurstLength") == 0) { 622 tmp = strtoul(value, NULL, 10); 623 if (tmp <= 0) { 624 login_send_error(request, 0x02, 0x00); 625 log_errx(1, "received invalid MaxBurstLength"); 626 } 627 if ((int)tmp > conn_max_burst_limit) { 628 log_debugx("capping MaxBurstLength from %zd to %d", 629 tmp, conn_max_burst_limit); 630 tmp = conn_max_burst_limit; 631 } 632 conn.conn_max_burst_length = tmp; 633 keys_add_int(response_keys, name, tmp); 634 } else if (strcmp(name, "FirstBurstLength") == 0) { 635 tmp = strtoul(value, NULL, 10); 636 if (tmp <= 0) { 637 login_send_error(request, 0x02, 0x00); 638 log_errx(1, "received invalid FirstBurstLength"); 639 } 640 if ((int)tmp > conn_first_burst_limit) { 641 log_debugx("capping FirstBurstLength from %zd to %d", 642 tmp, conn_first_burst_limit); 643 tmp = conn_first_burst_limit; 644 } 645 conn.conn_first_burst_length = tmp; 646 keys_add_int(response_keys, name, tmp); 647 } else if (strcmp(name, "DefaultTime2Wait") == 0) { 648 keys_add(response_keys, name, value); 649 } else if (strcmp(name, "DefaultTime2Retain") == 0) { 650 keys_add(response_keys, name, "0"); 651 } else if (strcmp(name, "MaxOutstandingR2T") == 0) { 652 keys_add(response_keys, name, "1"); 653 } else if (strcmp(name, "DataPDUInOrder") == 0) { 654 keys_add(response_keys, name, "Yes"); 655 } else if (strcmp(name, "DataSequenceInOrder") == 0) { 656 keys_add(response_keys, name, "Yes"); 657 } else if (strcmp(name, "ErrorRecoveryLevel") == 0) { 658 keys_add(response_keys, name, "0"); 659 } else if (strcmp(name, "OFMarker") == 0) { 660 keys_add(response_keys, name, "No"); 661 } else if (strcmp(name, "IFMarker") == 0) { 662 keys_add(response_keys, name, "No"); 663 } else if (strcmp(name, "iSCSIProtocolLevel") == 0) { 664 tmp = strtoul(value, NULL, 10); 665 if (tmp > 2) 666 tmp = 2; 667 keys_add_int(response_keys, name, tmp); 668 } else { 669 log_debugx("unknown key \"%s\"; responding " 670 "with NotUnderstood", name); 671 keys_add(response_keys, name, "NotUnderstood"); 672 } 673 } 674 675 static void 676 login_redirect(struct pdu *request, const char *target_address) 677 { 678 struct pdu *response; 679 struct iscsi_bhs_login_response *bhslr2; 680 struct keys *response_keys; 681 682 response = login_new_response(request); 683 login_set_csg(response, login_csg(request)); 684 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 685 bhslr2->bhslr_status_class = 0x01; 686 bhslr2->bhslr_status_detail = 0x01; 687 688 response_keys = keys_new(); 689 keys_add(response_keys, "TargetAddress", target_address); 690 691 keys_save_pdu(response_keys, response); 692 pdu_send(response); 693 pdu_delete(response); 694 keys_delete(response_keys); 695 } 696 697 bool 698 iscsi_connection::login_portal_redirect(struct pdu *request) 699 { 700 const struct portal_group *pg; 701 702 pg = conn_portal->portal_group(); 703 if (!pg->is_redirecting()) 704 return (false); 705 706 log_debugx("portal-group \"%s\" configured to redirect to %s", 707 pg->name(), pg->redirection()); 708 login_redirect(request, pg->redirection()); 709 710 return (true); 711 } 712 713 bool 714 iscsi_connection::login_target_redirect(struct pdu *request) 715 { 716 const char *target_address; 717 718 assert(!conn_portal->portal_group()->is_redirecting()); 719 720 if (conn_target == NULL) 721 return (false); 722 723 if (!conn_target->has_redirection()) 724 return (false); 725 726 target_address = conn_target->redirection(); 727 log_debugx("target \"%s\" configured to redirect to %s", 728 conn_target->name(), target_address); 729 login_redirect(request, target_address); 730 731 return (true); 732 } 733 734 void 735 iscsi_connection::login_negotiate(struct pdu *request) 736 { 737 struct portal_group *pg = conn_portal->portal_group(); 738 struct pdu *response; 739 struct iscsi_bhs_login_response *bhslr2; 740 struct keys *request_keys, *response_keys; 741 int i; 742 bool redirected, skipped_security; 743 744 if (conn_session_type == CONN_SESSION_TYPE_NORMAL) { 745 /* 746 * Query the kernel for various size limits. In case of 747 * offload, it depends on hardware capabilities. 748 */ 749 assert(conn_target != NULL); 750 conn_max_recv_data_segment_limit = (1 << 24) - 1; 751 conn_max_send_data_segment_limit = (1 << 24) - 1; 752 conn_max_burst_limit = (1 << 24) - 1; 753 conn_first_burst_limit = (1 << 24) - 1; 754 kernel_limits(pg->offload(), 755 conn_fd, 756 &conn_max_recv_data_segment_limit, 757 &conn_max_send_data_segment_limit, 758 &conn_max_burst_limit, 759 &conn_first_burst_limit); 760 761 /* We expect legal, usable values at this point. */ 762 assert(conn_max_recv_data_segment_limit >= 512); 763 assert(conn_max_recv_data_segment_limit < (1 << 24)); 764 assert(conn_max_send_data_segment_limit >= 512); 765 assert(conn_max_send_data_segment_limit < (1 << 24)); 766 assert(conn_max_burst_limit >= 512); 767 assert(conn_max_burst_limit < (1 << 24)); 768 assert(conn_first_burst_limit >= 512); 769 assert(conn_first_burst_limit < (1 << 24)); 770 assert(conn_first_burst_limit <= conn_max_burst_limit); 771 772 /* 773 * Limit default send length in case it won't be negotiated. 774 * We can't do it for other limits, since they may affect both 775 * sender and receiver operation, and we must obey defaults. 776 */ 777 if (conn_max_send_data_segment_limit < 778 conn.conn_max_send_data_segment_length) { 779 conn.conn_max_send_data_segment_length = 780 conn_max_send_data_segment_limit; 781 } 782 } else { 783 conn_max_recv_data_segment_limit = MAX_DATA_SEGMENT_LENGTH; 784 conn_max_send_data_segment_limit = MAX_DATA_SEGMENT_LENGTH; 785 } 786 787 if (request == NULL) { 788 log_debugx("beginning operational parameter negotiation; " 789 "waiting for Login PDU"); 790 request = login_receive(&conn, false); 791 skipped_security = false; 792 } else 793 skipped_security = true; 794 795 /* 796 * RFC 3720, 10.13.5. Status-Class and Status-Detail, says 797 * the redirection SHOULD be accepted by the initiator before 798 * authentication, but MUST be accepted afterwards; that's 799 * why we're doing it here and not earlier. 800 */ 801 redirected = login_target_redirect(request); 802 if (redirected) { 803 log_debugx("initiator redirected; exiting"); 804 exit(0); 805 } 806 807 request_keys = keys_new(); 808 keys_load_pdu(request_keys, request); 809 810 response = login_new_response(request); 811 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 812 bhslr2->bhslr_tsih = htons(0xbadd); 813 login_set_csg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 814 login_set_nsg(response, BHSLR_STAGE_FULL_FEATURE_PHASE); 815 response_keys = keys_new(); 816 817 if (skipped_security && 818 conn_session_type == CONN_SESSION_TYPE_NORMAL) { 819 if (conn_target->has_alias()) 820 keys_add(response_keys, 821 "TargetAlias", conn_target->alias()); 822 keys_add_int(response_keys, "TargetPortalGroupTag", 823 pg->tag()); 824 } 825 826 for (i = 0; i < KEYS_MAX; i++) { 827 if (request_keys->keys_names[i] == NULL) 828 break; 829 830 login_negotiate_key(request, request_keys->keys_names[i], 831 request_keys->keys_values[i], skipped_security, 832 response_keys); 833 } 834 835 /* 836 * We'd started with usable values at our end. But a bad initiator 837 * could have presented a large FirstBurstLength and then a smaller 838 * MaxBurstLength (in that order) and because we process the key/value 839 * pairs in the order they are in the request we might have ended up 840 * with illegal values here. 841 */ 842 if (conn_session_type == CONN_SESSION_TYPE_NORMAL && 843 conn.conn_first_burst_length > conn.conn_max_burst_length) { 844 log_errx(1, "initiator sent FirstBurstLength > MaxBurstLength"); 845 } 846 847 conn.conn_max_recv_data_segment_length = 848 conn_max_recv_data_segment_limit; 849 keys_add_int(response_keys, "MaxRecvDataSegmentLength", 850 conn.conn_max_recv_data_segment_length); 851 852 log_debugx("operational parameter negotiation done; " 853 "transitioning to Full Feature Phase"); 854 855 keys_save_pdu(response_keys, response); 856 pdu_send(response); 857 pdu_delete(response); 858 keys_delete(response_keys); 859 pdu_delete(request); 860 keys_delete(request_keys); 861 } 862 863 void 864 iscsi_connection::login_wait_transition() 865 { 866 struct pdu *request, *response; 867 struct iscsi_bhs_login_request *bhslr; 868 869 log_debugx("waiting for state transition request"); 870 request = login_receive(&conn, false); 871 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 872 if ((bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) == 0) { 873 login_send_error(request, 0x02, 0x00); 874 log_errx(1, "got no \"T\" flag after answering AuthMethod"); 875 } 876 877 log_debugx("got state transition request"); 878 response = login_new_response(request); 879 pdu_delete(request); 880 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 881 pdu_send(response); 882 pdu_delete(response); 883 884 login_negotiate(nullptr); 885 } 886 887 void 888 iscsi_connection::login() 889 { 890 struct pdu *request, *response; 891 struct iscsi_bhs_login_request *bhslr; 892 struct keys *request_keys, *response_keys; 893 struct auth_group *ag; 894 struct portal_group *pg; 895 const char *initiator_name, *initiator_alias, *session_type, 896 *target_name, *auth_method; 897 bool redirected, fail, trans; 898 899 /* 900 * Handle the initial Login Request - figure out required authentication 901 * method and either transition to the next phase, if no authentication 902 * is required, or call appropriate authentication code. 903 */ 904 log_debugx("beginning Login Phase; waiting for Login PDU"); 905 request = login_receive(&conn, true); 906 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 907 if (bhslr->bhslr_tsih != 0) { 908 login_send_error(request, 0x02, 0x0a); 909 log_errx(1, "received Login PDU with non-zero TSIH"); 910 } 911 912 pg = conn_portal->portal_group(); 913 914 memcpy(conn_initiator_isid, bhslr->bhslr_isid, 915 sizeof(conn_initiator_isid)); 916 917 /* 918 * XXX: Implement the C flag some day. 919 */ 920 request_keys = keys_new(); 921 keys_load_pdu(request_keys, request); 922 923 assert(conn_initiator_name.empty()); 924 initiator_name = keys_find(request_keys, "InitiatorName"); 925 if (initiator_name == NULL) { 926 login_send_error(request, 0x02, 0x07); 927 log_errx(1, "received Login PDU without InitiatorName"); 928 } 929 if (valid_iscsi_name(initiator_name, log_warnx) == false) { 930 login_send_error(request, 0x02, 0x00); 931 log_errx(1, "received Login PDU with invalid InitiatorName"); 932 } 933 conn_initiator_name = initiator_name; 934 log_set_peer_name(conn_initiator_name.c_str()); 935 setproctitle("%s (%s)", conn_initiator_addr.c_str(), 936 conn_initiator_name.c_str()); 937 938 redirected = login_portal_redirect(request); 939 if (redirected) { 940 log_debugx("initiator redirected; exiting"); 941 exit(0); 942 } 943 944 initiator_alias = keys_find(request_keys, "InitiatorAlias"); 945 if (initiator_alias != NULL) 946 conn_initiator_alias = initiator_alias; 947 948 assert(conn_session_type == CONN_SESSION_TYPE_NONE); 949 session_type = keys_find(request_keys, "SessionType"); 950 if (session_type != NULL) { 951 if (strcmp(session_type, "Normal") == 0) { 952 conn_session_type = CONN_SESSION_TYPE_NORMAL; 953 } else if (strcmp(session_type, "Discovery") == 0) { 954 conn_session_type = CONN_SESSION_TYPE_DISCOVERY; 955 } else { 956 login_send_error(request, 0x02, 0x00); 957 log_errx(1, "received Login PDU with invalid " 958 "SessionType \"%s\"", session_type); 959 } 960 } else 961 conn_session_type = CONN_SESSION_TYPE_NORMAL; 962 963 assert(conn_target == NULL); 964 if (conn_session_type == CONN_SESSION_TYPE_NORMAL) { 965 target_name = keys_find(request_keys, "TargetName"); 966 if (target_name == NULL) { 967 login_send_error(request, 0x02, 0x07); 968 log_errx(1, "received Login PDU without TargetName"); 969 } 970 971 conn_port = pg->find_port(target_name); 972 if (conn_port == NULL) { 973 login_send_error(request, 0x02, 0x03); 974 log_errx(1, "requested target \"%s\" not found", 975 target_name); 976 } 977 conn_target = conn_port->target(); 978 } 979 980 /* 981 * At this point we know what kind of authentication we need. 982 */ 983 if (conn_session_type == CONN_SESSION_TYPE_NORMAL) { 984 ag = conn_port->auth_group(); 985 if (ag == nullptr) 986 ag = conn_target->auth_group(); 987 if (conn_port->auth_group() == nullptr && 988 conn_target->private_auth()) { 989 log_debugx("initiator requests to connect " 990 "to target \"%s\"", conn_target->name()); 991 } else { 992 log_debugx("initiator requests to connect " 993 "to target \"%s\"; %s", 994 conn_target->name(), ag->label()); 995 } 996 } else { 997 assert(conn_session_type == CONN_SESSION_TYPE_DISCOVERY); 998 ag = pg->discovery_auth_group(); 999 log_debugx("initiator requests discovery session; %s", 1000 ag->label()); 1001 } 1002 1003 if (ag->type() == auth_type::DENY) { 1004 login_send_error(request, 0x02, 0x01); 1005 log_errx(1, "auth-type is \"deny\""); 1006 } 1007 1008 if (ag->type() == auth_type::UNKNOWN) { 1009 /* 1010 * This can happen with empty auth-group. 1011 */ 1012 login_send_error(request, 0x02, 0x01); 1013 log_errx(1, "auth-type not set, denying access"); 1014 } 1015 1016 /* 1017 * Enforce initiator-name and initiator-portal. 1018 */ 1019 if (!ag->initiator_permitted(initiator_name)) { 1020 login_send_error(request, 0x02, 0x02); 1021 log_errx(1, "initiator does not match allowed initiator names"); 1022 } 1023 1024 if (!ag->initiator_permitted(conn_initiator_sa)) { 1025 login_send_error(request, 0x02, 0x02); 1026 log_errx(1, "initiator does not match allowed " 1027 "initiator portals"); 1028 } 1029 1030 /* 1031 * Let's see if the initiator intends to do any kind of authentication 1032 * at all. 1033 */ 1034 if (login_csg(request) == BHSLR_STAGE_OPERATIONAL_NEGOTIATION) { 1035 if (ag->type() != auth_type::NO_AUTHENTICATION) { 1036 login_send_error(request, 0x02, 0x01); 1037 log_errx(1, "initiator skipped the authentication, " 1038 "but authentication is required"); 1039 } 1040 1041 keys_delete(request_keys); 1042 1043 log_debugx("initiator skipped the authentication, " 1044 "and we don't need it; proceeding with negotiation"); 1045 login_negotiate(request); 1046 return; 1047 } 1048 1049 fail = false; 1050 response = login_new_response(request); 1051 response_keys = keys_new(); 1052 trans = (bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) != 0; 1053 auth_method = keys_find(request_keys, "AuthMethod"); 1054 if (ag->type() == auth_type::NO_AUTHENTICATION) { 1055 log_debugx("authentication not required"); 1056 if (auth_method == NULL || 1057 login_list_contains(auth_method, "None")) { 1058 keys_add(response_keys, "AuthMethod", "None"); 1059 } else { 1060 log_warnx("initiator requests " 1061 "AuthMethod \"%s\" instead of \"None\"", 1062 auth_method); 1063 keys_add(response_keys, "AuthMethod", "Reject"); 1064 } 1065 if (trans) 1066 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 1067 } else { 1068 log_debugx("CHAP authentication required"); 1069 if (auth_method == NULL || 1070 login_list_contains(auth_method, "CHAP")) { 1071 keys_add(response_keys, "AuthMethod", "CHAP"); 1072 } else { 1073 log_warnx("initiator requests unsupported " 1074 "AuthMethod \"%s\" instead of \"CHAP\"", 1075 auth_method); 1076 keys_add(response_keys, "AuthMethod", "Reject"); 1077 fail = true; 1078 } 1079 } 1080 if (conn_session_type == CONN_SESSION_TYPE_NORMAL) { 1081 if (conn_target->has_alias()) 1082 keys_add(response_keys, 1083 "TargetAlias", conn_target->alias()); 1084 keys_add_int(response_keys, 1085 "TargetPortalGroupTag", pg->tag()); 1086 } 1087 keys_save_pdu(response_keys, response); 1088 1089 pdu_send(response); 1090 pdu_delete(response); 1091 keys_delete(response_keys); 1092 pdu_delete(request); 1093 keys_delete(request_keys); 1094 1095 if (fail) { 1096 log_debugx("sent reject for AuthMethod; exiting"); 1097 exit(1); 1098 } 1099 1100 if (ag->type() != auth_type::NO_AUTHENTICATION) { 1101 login_chap(ag); 1102 login_negotiate(nullptr); 1103 } else if (trans) { 1104 login_negotiate(nullptr); 1105 } else { 1106 login_wait_transition(); 1107 } 1108 } 1109