1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2012 The FreeBSD Foundation 5 * 6 * This software was developed by Edward Tomasz Napierala under sponsorship 7 * from the FreeBSD Foundation. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 19 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 22 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28 * SUCH DAMAGE. 29 * 30 */ 31 32 #include <sys/time.h> 33 #include <assert.h> 34 #include <stdbool.h> 35 #include <stdio.h> 36 #include <stdlib.h> 37 #include <string.h> 38 #include <unistd.h> 39 #include <netinet/in.h> 40 #include <cam/ctl/ctl.h> 41 #include <cam/ctl/ctl_io.h> 42 #include <cam/ctl/ctl_ioctl.h> 43 44 #include "ctld.h" 45 #include "iscsi_proto.h" 46 47 #define MAX_DATA_SEGMENT_LENGTH (128 * 1024) 48 49 static void login_send_error(struct pdu *request, 50 char error_class, char detail); 51 52 static void 53 kernel_limits(const char *offload, int s, int *max_recv_dsl, int *max_send_dsl, 54 int *max_burst_length, int *first_burst_length) 55 { 56 struct ctl_iscsi req; 57 struct ctl_iscsi_limits_params *cilp; 58 59 bzero(&req, sizeof(req)); 60 61 req.type = CTL_ISCSI_LIMITS; 62 cilp = (struct ctl_iscsi_limits_params *)&(req.data.limits); 63 if (offload != NULL) { 64 strlcpy(cilp->offload, offload, sizeof(cilp->offload)); 65 } 66 cilp->socket = s; 67 68 if (ioctl(ctl_fd, CTL_ISCSI, &req) == -1) { 69 log_err(1, "error issuing CTL_ISCSI ioctl; " 70 "dropping connection"); 71 } 72 73 if (req.status != CTL_ISCSI_OK) { 74 log_errx(1, "error returned from CTL iSCSI limits request: " 75 "%s; dropping connection", req.error_str); 76 } 77 78 if (cilp->max_recv_data_segment_length != 0) { 79 *max_recv_dsl = cilp->max_recv_data_segment_length; 80 *max_send_dsl = cilp->max_recv_data_segment_length; 81 } 82 if (cilp->max_send_data_segment_length != 0) 83 *max_send_dsl = cilp->max_send_data_segment_length; 84 if (cilp->max_burst_length != 0) 85 *max_burst_length = cilp->max_burst_length; 86 if (cilp->first_burst_length != 0) 87 *first_burst_length = cilp->first_burst_length; 88 if (*max_burst_length < *first_burst_length) 89 *first_burst_length = *max_burst_length; 90 91 if (offload != NULL) { 92 log_debugx("Kernel limits for offload \"%s\" are " 93 "MaxRecvDataSegment=%d, max_send_dsl=%d, " 94 "MaxBurstLength=%d, FirstBurstLength=%d", 95 offload, *max_recv_dsl, *max_send_dsl, *max_burst_length, 96 *first_burst_length); 97 } else { 98 log_debugx("Kernel limits are " 99 "MaxRecvDataSegment=%d, max_send_dsl=%d, " 100 "MaxBurstLength=%d, FirstBurstLength=%d", 101 *max_recv_dsl, *max_send_dsl, *max_burst_length, 102 *first_burst_length); 103 } 104 } 105 106 static void 107 login_set_nsg(struct pdu *response, int nsg) 108 { 109 struct iscsi_bhs_login_response *bhslr; 110 111 assert(nsg == BHSLR_STAGE_SECURITY_NEGOTIATION || 112 nsg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 113 nsg == BHSLR_STAGE_FULL_FEATURE_PHASE); 114 115 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 116 117 bhslr->bhslr_flags &= 0xFC; 118 bhslr->bhslr_flags |= nsg; 119 bhslr->bhslr_flags |= BHSLR_FLAGS_TRANSIT; 120 } 121 122 static int 123 login_csg(const struct pdu *request) 124 { 125 struct iscsi_bhs_login_request *bhslr; 126 127 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 128 129 return ((bhslr->bhslr_flags & 0x0C) >> 2); 130 } 131 132 static void 133 login_set_csg(struct pdu *response, int csg) 134 { 135 struct iscsi_bhs_login_response *bhslr; 136 137 assert(csg == BHSLR_STAGE_SECURITY_NEGOTIATION || 138 csg == BHSLR_STAGE_OPERATIONAL_NEGOTIATION || 139 csg == BHSLR_STAGE_FULL_FEATURE_PHASE); 140 141 bhslr = (struct iscsi_bhs_login_response *)response->pdu_bhs; 142 143 bhslr->bhslr_flags &= 0xF3; 144 bhslr->bhslr_flags |= csg << 2; 145 } 146 147 static struct pdu * 148 login_receive(struct connection *conn, bool initial) 149 { 150 struct pdu *request; 151 struct iscsi_bhs_login_request *bhslr; 152 153 request = pdu_new(conn); 154 pdu_receive(request); 155 if ((request->pdu_bhs->bhs_opcode & ~ISCSI_BHS_OPCODE_IMMEDIATE) != 156 ISCSI_BHS_OPCODE_LOGIN_REQUEST) { 157 /* 158 * The first PDU in session is special - if we receive any PDU 159 * different than login request, we have to drop the connection 160 * without sending response ("A target receiving any PDU 161 * except a Login request before the Login Phase is started MUST 162 * immediately terminate the connection on which the PDU 163 * was received.") 164 */ 165 if (initial == false) 166 login_send_error(request, 0x02, 0x0b); 167 log_errx(1, "protocol error: received invalid opcode 0x%x", 168 request->pdu_bhs->bhs_opcode); 169 } 170 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 171 /* 172 * XXX: Implement the C flag some day. 173 */ 174 if ((bhslr->bhslr_flags & BHSLR_FLAGS_CONTINUE) != 0) { 175 login_send_error(request, 0x03, 0x00); 176 log_errx(1, "received Login PDU with unsupported \"C\" flag"); 177 } 178 if (bhslr->bhslr_version_max != 0x00) { 179 login_send_error(request, 0x02, 0x05); 180 log_errx(1, "received Login PDU with unsupported " 181 "Version-max 0x%x", bhslr->bhslr_version_max); 182 } 183 if (bhslr->bhslr_version_min != 0x00) { 184 login_send_error(request, 0x02, 0x05); 185 log_errx(1, "received Login PDU with unsupported " 186 "Version-min 0x%x", bhslr->bhslr_version_min); 187 } 188 if (initial == false && 189 ISCSI_SNLT(ntohl(bhslr->bhslr_cmdsn), conn->conn_cmdsn)) { 190 login_send_error(request, 0x02, 0x00); 191 log_errx(1, "received Login PDU with decreasing CmdSN: " 192 "was %u, is %u", conn->conn_cmdsn, 193 ntohl(bhslr->bhslr_cmdsn)); 194 } 195 if (initial == false && 196 ntohl(bhslr->bhslr_expstatsn) != conn->conn_statsn) { 197 login_send_error(request, 0x02, 0x00); 198 log_errx(1, "received Login PDU with wrong ExpStatSN: " 199 "is %u, should be %u", ntohl(bhslr->bhslr_expstatsn), 200 conn->conn_statsn); 201 } 202 conn->conn_cmdsn = ntohl(bhslr->bhslr_cmdsn); 203 204 return (request); 205 } 206 207 static struct pdu * 208 login_new_response(struct pdu *request) 209 { 210 struct pdu *response; 211 struct connection *conn; 212 struct iscsi_bhs_login_request *bhslr; 213 struct iscsi_bhs_login_response *bhslr2; 214 215 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 216 conn = request->pdu_connection; 217 218 response = pdu_new_response(request); 219 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 220 bhslr2->bhslr_opcode = ISCSI_BHS_OPCODE_LOGIN_RESPONSE; 221 login_set_csg(response, BHSLR_STAGE_SECURITY_NEGOTIATION); 222 memcpy(bhslr2->bhslr_isid, 223 bhslr->bhslr_isid, sizeof(bhslr2->bhslr_isid)); 224 bhslr2->bhslr_initiator_task_tag = bhslr->bhslr_initiator_task_tag; 225 bhslr2->bhslr_statsn = htonl(conn->conn_statsn++); 226 bhslr2->bhslr_expcmdsn = htonl(conn->conn_cmdsn); 227 bhslr2->bhslr_maxcmdsn = htonl(conn->conn_cmdsn); 228 229 return (response); 230 } 231 232 static void 233 login_send_error(struct pdu *request, char error_class, char detail) 234 { 235 struct pdu *response; 236 struct iscsi_bhs_login_response *bhslr2; 237 238 log_debugx("sending Login Response PDU with failure class 0x%x/0x%x; " 239 "see next line for reason", error_class, detail); 240 response = login_new_response(request); 241 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 242 bhslr2->bhslr_status_class = error_class; 243 bhslr2->bhslr_status_detail = detail; 244 245 pdu_send(response); 246 pdu_delete(response); 247 } 248 249 static int 250 login_list_contains(const char *list, const char *what) 251 { 252 char *tofree, *str, *token; 253 254 tofree = str = checked_strdup(list); 255 256 while ((token = strsep(&str, ",")) != NULL) { 257 if (strcmp(token, what) == 0) { 258 free(tofree); 259 return (1); 260 } 261 } 262 free(tofree); 263 return (0); 264 } 265 266 static int 267 login_list_prefers(const char *list, 268 const char *choice1, const char *choice2) 269 { 270 char *tofree, *str, *token; 271 272 tofree = str = checked_strdup(list); 273 274 while ((token = strsep(&str, ",")) != NULL) { 275 if (strcmp(token, choice1) == 0) { 276 free(tofree); 277 return (1); 278 } 279 if (strcmp(token, choice2) == 0) { 280 free(tofree); 281 return (2); 282 } 283 } 284 free(tofree); 285 return (-1); 286 } 287 288 static struct pdu * 289 login_receive_chap_a(struct connection *conn) 290 { 291 struct pdu *request; 292 struct keys *request_keys; 293 const char *chap_a; 294 295 request = login_receive(conn, false); 296 request_keys = keys_new(); 297 keys_load_pdu(request_keys, request); 298 299 chap_a = keys_find(request_keys, "CHAP_A"); 300 if (chap_a == NULL) { 301 login_send_error(request, 0x02, 0x07); 302 log_errx(1, "received CHAP Login PDU without CHAP_A"); 303 } 304 if (login_list_contains(chap_a, "5") == 0) { 305 login_send_error(request, 0x02, 0x01); 306 log_errx(1, "received CHAP Login PDU with unsupported CHAP_A " 307 "\"%s\"", chap_a); 308 } 309 keys_delete(request_keys); 310 311 return (request); 312 } 313 314 static void 315 login_send_chap_c(struct pdu *request, struct chap *chap) 316 { 317 struct pdu *response; 318 struct keys *response_keys; 319 char *chap_c, *chap_i; 320 321 chap_c = chap_get_challenge(chap); 322 chap_i = chap_get_id(chap); 323 324 response = login_new_response(request); 325 response_keys = keys_new(); 326 keys_add(response_keys, "CHAP_A", "5"); 327 keys_add(response_keys, "CHAP_I", chap_i); 328 keys_add(response_keys, "CHAP_C", chap_c); 329 free(chap_i); 330 free(chap_c); 331 keys_save_pdu(response_keys, response); 332 pdu_send(response); 333 pdu_delete(response); 334 keys_delete(response_keys); 335 } 336 337 static struct pdu * 338 login_receive_chap_r(struct connection *conn, struct auth_group *ag, 339 struct chap *chap, const struct auth **authp) 340 { 341 struct pdu *request; 342 struct keys *request_keys; 343 const char *chap_n, *chap_r; 344 const struct auth *auth; 345 int error; 346 347 request = login_receive(conn, false); 348 request_keys = keys_new(); 349 keys_load_pdu(request_keys, request); 350 351 chap_n = keys_find(request_keys, "CHAP_N"); 352 if (chap_n == NULL) { 353 login_send_error(request, 0x02, 0x07); 354 log_errx(1, "received CHAP Login PDU without CHAP_N"); 355 } 356 chap_r = keys_find(request_keys, "CHAP_R"); 357 if (chap_r == NULL) { 358 login_send_error(request, 0x02, 0x07); 359 log_errx(1, "received CHAP Login PDU without CHAP_R"); 360 } 361 error = chap_receive(chap, chap_r); 362 if (error != 0) { 363 login_send_error(request, 0x02, 0x07); 364 log_errx(1, "received CHAP Login PDU with malformed CHAP_R"); 365 } 366 367 /* 368 * Verify the response. 369 */ 370 assert(ag->ag_type == AG_TYPE_CHAP || 371 ag->ag_type == AG_TYPE_CHAP_MUTUAL); 372 auth = auth_find(ag, chap_n); 373 if (auth == NULL) { 374 login_send_error(request, 0x02, 0x01); 375 log_errx(1, "received CHAP Login with invalid user \"%s\"", 376 chap_n); 377 } 378 379 assert(auth->a_secret != NULL); 380 assert(strlen(auth->a_secret) > 0); 381 382 error = chap_authenticate(chap, auth->a_secret); 383 if (error != 0) { 384 login_send_error(request, 0x02, 0x01); 385 log_errx(1, "CHAP authentication failed for user \"%s\"", 386 auth->a_user); 387 } 388 389 keys_delete(request_keys); 390 391 *authp = auth; 392 return (request); 393 } 394 395 static void 396 login_send_chap_success(struct pdu *request, 397 const struct auth *auth) 398 { 399 struct pdu *response; 400 struct keys *request_keys, *response_keys; 401 struct rchap *rchap; 402 const char *chap_i, *chap_c; 403 char *chap_r; 404 int error; 405 406 response = login_new_response(request); 407 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 408 409 /* 410 * Actually, one more thing: mutual authentication. 411 */ 412 request_keys = keys_new(); 413 keys_load_pdu(request_keys, request); 414 chap_i = keys_find(request_keys, "CHAP_I"); 415 chap_c = keys_find(request_keys, "CHAP_C"); 416 if (chap_i != NULL || chap_c != NULL) { 417 if (chap_i == NULL) { 418 login_send_error(request, 0x02, 0x07); 419 log_errx(1, "initiator requested target " 420 "authentication, but didn't send CHAP_I"); 421 } 422 if (chap_c == NULL) { 423 login_send_error(request, 0x02, 0x07); 424 log_errx(1, "initiator requested target " 425 "authentication, but didn't send CHAP_C"); 426 } 427 if (auth->a_auth_group->ag_type != AG_TYPE_CHAP_MUTUAL) { 428 login_send_error(request, 0x02, 0x01); 429 log_errx(1, "initiator requests target authentication " 430 "for user \"%s\", but mutual user/secret " 431 "is not set", auth->a_user); 432 } 433 434 log_debugx("performing mutual authentication as user \"%s\"", 435 auth->a_mutual_user); 436 437 rchap = rchap_new(auth->a_mutual_secret); 438 error = rchap_receive(rchap, chap_i, chap_c); 439 if (error != 0) { 440 login_send_error(request, 0x02, 0x07); 441 log_errx(1, "received CHAP Login PDU with malformed " 442 "CHAP_I or CHAP_C"); 443 } 444 chap_r = rchap_get_response(rchap); 445 rchap_delete(rchap); 446 response_keys = keys_new(); 447 keys_add(response_keys, "CHAP_N", auth->a_mutual_user); 448 keys_add(response_keys, "CHAP_R", chap_r); 449 free(chap_r); 450 keys_save_pdu(response_keys, response); 451 keys_delete(response_keys); 452 } else { 453 log_debugx("initiator did not request target authentication"); 454 } 455 456 keys_delete(request_keys); 457 pdu_send(response); 458 pdu_delete(response); 459 } 460 461 static void 462 login_chap(struct ctld_connection *conn, struct auth_group *ag) 463 { 464 const struct auth *auth; 465 struct chap *chap; 466 struct pdu *request; 467 468 /* 469 * Receive CHAP_A PDU. 470 */ 471 log_debugx("beginning CHAP authentication; waiting for CHAP_A"); 472 request = login_receive_chap_a(&conn->conn); 473 474 /* 475 * Generate the challenge. 476 */ 477 chap = chap_new(); 478 479 /* 480 * Send the challenge. 481 */ 482 log_debugx("sending CHAP_C, binary challenge size is %zd bytes", 483 sizeof(chap->chap_challenge)); 484 login_send_chap_c(request, chap); 485 pdu_delete(request); 486 487 /* 488 * Receive CHAP_N/CHAP_R PDU and authenticate. 489 */ 490 log_debugx("waiting for CHAP_N/CHAP_R"); 491 request = login_receive_chap_r(&conn->conn, ag, chap, &auth); 492 493 /* 494 * Yay, authentication succeeded! 495 */ 496 log_debugx("authentication succeeded for user \"%s\"; " 497 "transitioning to operational parameter negotiation", auth->a_user); 498 login_send_chap_success(request, auth); 499 pdu_delete(request); 500 501 /* 502 * Leave username and CHAP information for discovery(). 503 */ 504 conn->conn_user = auth->a_user; 505 conn->conn_chap = chap; 506 } 507 508 static void 509 login_negotiate_key(struct pdu *request, const char *name, 510 const char *value, bool skipped_security, struct keys *response_keys) 511 { 512 int which; 513 size_t tmp; 514 struct ctld_connection *conn; 515 516 conn = (struct ctld_connection *)request->pdu_connection; 517 518 if (strcmp(name, "InitiatorName") == 0) { 519 if (!skipped_security) 520 log_errx(1, "initiator resent InitiatorName"); 521 } else if (strcmp(name, "SessionType") == 0) { 522 if (!skipped_security) 523 log_errx(1, "initiator resent SessionType"); 524 } else if (strcmp(name, "TargetName") == 0) { 525 if (!skipped_security) 526 log_errx(1, "initiator resent TargetName"); 527 } else if (strcmp(name, "InitiatorAlias") == 0) { 528 if (conn->conn_initiator_alias != NULL) 529 free(conn->conn_initiator_alias); 530 conn->conn_initiator_alias = checked_strdup(value); 531 } else if (strcmp(value, "Irrelevant") == 0) { 532 /* Ignore. */ 533 } else if (strcmp(name, "HeaderDigest") == 0) { 534 /* 535 * We don't handle digests for discovery sessions. 536 */ 537 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 538 log_debugx("discovery session; digests disabled"); 539 keys_add(response_keys, name, "None"); 540 return; 541 } 542 543 which = login_list_prefers(value, "CRC32C", "None"); 544 switch (which) { 545 case 1: 546 log_debugx("initiator prefers CRC32C " 547 "for header digest; we'll use it"); 548 conn->conn.conn_header_digest = CONN_DIGEST_CRC32C; 549 keys_add(response_keys, name, "CRC32C"); 550 break; 551 case 2: 552 log_debugx("initiator prefers not to do " 553 "header digest; we'll comply"); 554 keys_add(response_keys, name, "None"); 555 break; 556 default: 557 log_warnx("initiator sent unrecognized " 558 "HeaderDigest value \"%s\"; will use None", value); 559 keys_add(response_keys, name, "None"); 560 break; 561 } 562 } else if (strcmp(name, "DataDigest") == 0) { 563 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 564 log_debugx("discovery session; digests disabled"); 565 keys_add(response_keys, name, "None"); 566 return; 567 } 568 569 which = login_list_prefers(value, "CRC32C", "None"); 570 switch (which) { 571 case 1: 572 log_debugx("initiator prefers CRC32C " 573 "for data digest; we'll use it"); 574 conn->conn.conn_data_digest = CONN_DIGEST_CRC32C; 575 keys_add(response_keys, name, "CRC32C"); 576 break; 577 case 2: 578 log_debugx("initiator prefers not to do " 579 "data digest; we'll comply"); 580 keys_add(response_keys, name, "None"); 581 break; 582 default: 583 log_warnx("initiator sent unrecognized " 584 "DataDigest value \"%s\"; will use None", value); 585 keys_add(response_keys, name, "None"); 586 break; 587 } 588 } else if (strcmp(name, "MaxConnections") == 0) { 589 keys_add(response_keys, name, "1"); 590 } else if (strcmp(name, "InitialR2T") == 0) { 591 keys_add(response_keys, name, "Yes"); 592 } else if (strcmp(name, "ImmediateData") == 0) { 593 if (conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY) { 594 log_debugx("discovery session; ImmediateData irrelevant"); 595 keys_add(response_keys, name, "Irrelevant"); 596 } else { 597 if (strcmp(value, "Yes") == 0) { 598 conn->conn.conn_immediate_data = true; 599 keys_add(response_keys, name, "Yes"); 600 } else { 601 conn->conn.conn_immediate_data = false; 602 keys_add(response_keys, name, "No"); 603 } 604 } 605 } else if (strcmp(name, "MaxRecvDataSegmentLength") == 0) { 606 tmp = strtoul(value, NULL, 10); 607 if (tmp <= 0) { 608 login_send_error(request, 0x02, 0x00); 609 log_errx(1, "received invalid " 610 "MaxRecvDataSegmentLength"); 611 } 612 613 /* 614 * MaxRecvDataSegmentLength is a direction-specific parameter. 615 * We'll limit our _send_ to what the initiator can handle but 616 * our MaxRecvDataSegmentLength is not influenced by the 617 * initiator in any way. 618 */ 619 if ((int)tmp > conn->conn_max_send_data_segment_limit) { 620 log_debugx("capping MaxRecvDataSegmentLength " 621 "from %zd to %d", tmp, 622 conn->conn_max_send_data_segment_limit); 623 tmp = conn->conn_max_send_data_segment_limit; 624 } 625 conn->conn.conn_max_send_data_segment_length = tmp; 626 } else if (strcmp(name, "MaxBurstLength") == 0) { 627 tmp = strtoul(value, NULL, 10); 628 if (tmp <= 0) { 629 login_send_error(request, 0x02, 0x00); 630 log_errx(1, "received invalid MaxBurstLength"); 631 } 632 if ((int)tmp > conn->conn_max_burst_limit) { 633 log_debugx("capping MaxBurstLength from %zd to %d", 634 tmp, conn->conn_max_burst_limit); 635 tmp = conn->conn_max_burst_limit; 636 } 637 conn->conn.conn_max_burst_length = tmp; 638 keys_add_int(response_keys, name, tmp); 639 } else if (strcmp(name, "FirstBurstLength") == 0) { 640 tmp = strtoul(value, NULL, 10); 641 if (tmp <= 0) { 642 login_send_error(request, 0x02, 0x00); 643 log_errx(1, "received invalid FirstBurstLength"); 644 } 645 if ((int)tmp > conn->conn_first_burst_limit) { 646 log_debugx("capping FirstBurstLength from %zd to %d", 647 tmp, conn->conn_first_burst_limit); 648 tmp = conn->conn_first_burst_limit; 649 } 650 conn->conn.conn_first_burst_length = tmp; 651 keys_add_int(response_keys, name, tmp); 652 } else if (strcmp(name, "DefaultTime2Wait") == 0) { 653 keys_add(response_keys, name, value); 654 } else if (strcmp(name, "DefaultTime2Retain") == 0) { 655 keys_add(response_keys, name, "0"); 656 } else if (strcmp(name, "MaxOutstandingR2T") == 0) { 657 keys_add(response_keys, name, "1"); 658 } else if (strcmp(name, "DataPDUInOrder") == 0) { 659 keys_add(response_keys, name, "Yes"); 660 } else if (strcmp(name, "DataSequenceInOrder") == 0) { 661 keys_add(response_keys, name, "Yes"); 662 } else if (strcmp(name, "ErrorRecoveryLevel") == 0) { 663 keys_add(response_keys, name, "0"); 664 } else if (strcmp(name, "OFMarker") == 0) { 665 keys_add(response_keys, name, "No"); 666 } else if (strcmp(name, "IFMarker") == 0) { 667 keys_add(response_keys, name, "No"); 668 } else if (strcmp(name, "iSCSIProtocolLevel") == 0) { 669 tmp = strtoul(value, NULL, 10); 670 if (tmp > 2) 671 tmp = 2; 672 keys_add_int(response_keys, name, tmp); 673 } else { 674 log_debugx("unknown key \"%s\"; responding " 675 "with NotUnderstood", name); 676 keys_add(response_keys, name, "NotUnderstood"); 677 } 678 } 679 680 static void 681 login_redirect(struct pdu *request, const char *target_address) 682 { 683 struct pdu *response; 684 struct iscsi_bhs_login_response *bhslr2; 685 struct keys *response_keys; 686 687 response = login_new_response(request); 688 login_set_csg(response, login_csg(request)); 689 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 690 bhslr2->bhslr_status_class = 0x01; 691 bhslr2->bhslr_status_detail = 0x01; 692 693 response_keys = keys_new(); 694 keys_add(response_keys, "TargetAddress", target_address); 695 696 keys_save_pdu(response_keys, response); 697 pdu_send(response); 698 pdu_delete(response); 699 keys_delete(response_keys); 700 } 701 702 static bool 703 login_portal_redirect(struct ctld_connection *conn, struct pdu *request) 704 { 705 const struct portal_group *pg; 706 707 pg = conn->conn_portal->p_portal_group; 708 if (pg->pg_redirection == NULL) 709 return (false); 710 711 log_debugx("portal-group \"%s\" configured to redirect to %s", 712 pg->pg_name, pg->pg_redirection); 713 login_redirect(request, pg->pg_redirection); 714 715 return (true); 716 } 717 718 static bool 719 login_target_redirect(struct ctld_connection *conn, struct pdu *request) 720 { 721 const char *target_address; 722 723 assert(conn->conn_portal->p_portal_group->pg_redirection == NULL); 724 725 if (conn->conn_target == NULL) 726 return (false); 727 728 target_address = conn->conn_target->t_redirection; 729 if (target_address == NULL) 730 return (false); 731 732 log_debugx("target \"%s\" configured to redirect to %s", 733 conn->conn_target->t_name, target_address); 734 login_redirect(request, target_address); 735 736 return (true); 737 } 738 739 static void 740 login_negotiate(struct ctld_connection *conn, struct pdu *request) 741 { 742 struct pdu *response; 743 struct iscsi_bhs_login_response *bhslr2; 744 struct keys *request_keys, *response_keys; 745 int i; 746 bool redirected, skipped_security; 747 748 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 749 /* 750 * Query the kernel for various size limits. In case of 751 * offload, it depends on hardware capabilities. 752 */ 753 assert(conn->conn_target != NULL); 754 conn->conn_max_recv_data_segment_limit = (1 << 24) - 1; 755 conn->conn_max_send_data_segment_limit = (1 << 24) - 1; 756 conn->conn_max_burst_limit = (1 << 24) - 1; 757 conn->conn_first_burst_limit = (1 << 24) - 1; 758 kernel_limits(conn->conn_portal->p_portal_group->pg_offload, 759 conn->conn.conn_socket, 760 &conn->conn_max_recv_data_segment_limit, 761 &conn->conn_max_send_data_segment_limit, 762 &conn->conn_max_burst_limit, 763 &conn->conn_first_burst_limit); 764 765 /* We expect legal, usable values at this point. */ 766 assert(conn->conn_max_recv_data_segment_limit >= 512); 767 assert(conn->conn_max_recv_data_segment_limit < (1 << 24)); 768 assert(conn->conn_max_send_data_segment_limit >= 512); 769 assert(conn->conn_max_send_data_segment_limit < (1 << 24)); 770 assert(conn->conn_max_burst_limit >= 512); 771 assert(conn->conn_max_burst_limit < (1 << 24)); 772 assert(conn->conn_first_burst_limit >= 512); 773 assert(conn->conn_first_burst_limit < (1 << 24)); 774 assert(conn->conn_first_burst_limit <= 775 conn->conn_max_burst_limit); 776 777 /* 778 * Limit default send length in case it won't be negotiated. 779 * We can't do it for other limits, since they may affect both 780 * sender and receiver operation, and we must obey defaults. 781 */ 782 if (conn->conn_max_send_data_segment_limit < 783 conn->conn.conn_max_send_data_segment_length) { 784 conn->conn.conn_max_send_data_segment_length = 785 conn->conn_max_send_data_segment_limit; 786 } 787 } else { 788 conn->conn_max_recv_data_segment_limit = 789 MAX_DATA_SEGMENT_LENGTH; 790 conn->conn_max_send_data_segment_limit = 791 MAX_DATA_SEGMENT_LENGTH; 792 } 793 794 if (request == NULL) { 795 log_debugx("beginning operational parameter negotiation; " 796 "waiting for Login PDU"); 797 request = login_receive(&conn->conn, false); 798 skipped_security = false; 799 } else 800 skipped_security = true; 801 802 /* 803 * RFC 3720, 10.13.5. Status-Class and Status-Detail, says 804 * the redirection SHOULD be accepted by the initiator before 805 * authentication, but MUST be accepted afterwards; that's 806 * why we're doing it here and not earlier. 807 */ 808 redirected = login_target_redirect(conn, request); 809 if (redirected) { 810 log_debugx("initiator redirected; exiting"); 811 exit(0); 812 } 813 814 request_keys = keys_new(); 815 keys_load_pdu(request_keys, request); 816 817 response = login_new_response(request); 818 bhslr2 = (struct iscsi_bhs_login_response *)response->pdu_bhs; 819 bhslr2->bhslr_tsih = htons(0xbadd); 820 login_set_csg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 821 login_set_nsg(response, BHSLR_STAGE_FULL_FEATURE_PHASE); 822 response_keys = keys_new(); 823 824 if (skipped_security && 825 conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 826 if (conn->conn_target->t_alias != NULL) 827 keys_add(response_keys, 828 "TargetAlias", conn->conn_target->t_alias); 829 keys_add_int(response_keys, "TargetPortalGroupTag", 830 conn->conn_portal->p_portal_group->pg_tag); 831 } 832 833 for (i = 0; i < KEYS_MAX; i++) { 834 if (request_keys->keys_names[i] == NULL) 835 break; 836 837 login_negotiate_key(request, request_keys->keys_names[i], 838 request_keys->keys_values[i], skipped_security, 839 response_keys); 840 } 841 842 /* 843 * We'd started with usable values at our end. But a bad initiator 844 * could have presented a large FirstBurstLength and then a smaller 845 * MaxBurstLength (in that order) and because we process the key/value 846 * pairs in the order they are in the request we might have ended up 847 * with illegal values here. 848 */ 849 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL && 850 conn->conn.conn_first_burst_length > 851 conn->conn.conn_max_burst_length) { 852 log_errx(1, "initiator sent FirstBurstLength > MaxBurstLength"); 853 } 854 855 conn->conn.conn_max_recv_data_segment_length = 856 conn->conn_max_recv_data_segment_limit; 857 keys_add_int(response_keys, "MaxRecvDataSegmentLength", 858 conn->conn.conn_max_recv_data_segment_length); 859 860 log_debugx("operational parameter negotiation done; " 861 "transitioning to Full Feature Phase"); 862 863 keys_save_pdu(response_keys, response); 864 pdu_send(response); 865 pdu_delete(response); 866 keys_delete(response_keys); 867 pdu_delete(request); 868 keys_delete(request_keys); 869 } 870 871 static void 872 login_wait_transition(struct ctld_connection *conn) 873 { 874 struct pdu *request, *response; 875 struct iscsi_bhs_login_request *bhslr; 876 877 log_debugx("waiting for state transition request"); 878 request = login_receive(&conn->conn, false); 879 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 880 if ((bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) == 0) { 881 login_send_error(request, 0x02, 0x00); 882 log_errx(1, "got no \"T\" flag after answering AuthMethod"); 883 } 884 885 log_debugx("got state transition request"); 886 response = login_new_response(request); 887 pdu_delete(request); 888 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 889 pdu_send(response); 890 pdu_delete(response); 891 892 login_negotiate(conn, NULL); 893 } 894 895 void 896 login(struct ctld_connection *conn) 897 { 898 struct pdu *request, *response; 899 struct iscsi_bhs_login_request *bhslr; 900 struct keys *request_keys, *response_keys; 901 struct auth_group *ag; 902 struct portal_group *pg; 903 const char *initiator_name, *initiator_alias, *session_type, 904 *target_name, *auth_method; 905 bool redirected, fail, trans; 906 907 /* 908 * Handle the initial Login Request - figure out required authentication 909 * method and either transition to the next phase, if no authentication 910 * is required, or call appropriate authentication code. 911 */ 912 log_debugx("beginning Login Phase; waiting for Login PDU"); 913 request = login_receive(&conn->conn, true); 914 bhslr = (struct iscsi_bhs_login_request *)request->pdu_bhs; 915 if (bhslr->bhslr_tsih != 0) { 916 login_send_error(request, 0x02, 0x0a); 917 log_errx(1, "received Login PDU with non-zero TSIH"); 918 } 919 920 pg = conn->conn_portal->p_portal_group; 921 922 memcpy(conn->conn_initiator_isid, bhslr->bhslr_isid, 923 sizeof(conn->conn_initiator_isid)); 924 925 /* 926 * XXX: Implement the C flag some day. 927 */ 928 request_keys = keys_new(); 929 keys_load_pdu(request_keys, request); 930 931 assert(conn->conn_initiator_name == NULL); 932 initiator_name = keys_find(request_keys, "InitiatorName"); 933 if (initiator_name == NULL) { 934 login_send_error(request, 0x02, 0x07); 935 log_errx(1, "received Login PDU without InitiatorName"); 936 } 937 if (valid_iscsi_name(initiator_name, log_warnx) == false) { 938 login_send_error(request, 0x02, 0x00); 939 log_errx(1, "received Login PDU with invalid InitiatorName"); 940 } 941 conn->conn_initiator_name = checked_strdup(initiator_name); 942 log_set_peer_name(conn->conn_initiator_name); 943 setproctitle("%s (%s)", conn->conn_initiator_addr, conn->conn_initiator_name); 944 945 redirected = login_portal_redirect(conn, request); 946 if (redirected) { 947 log_debugx("initiator redirected; exiting"); 948 exit(0); 949 } 950 951 initiator_alias = keys_find(request_keys, "InitiatorAlias"); 952 if (initiator_alias != NULL) 953 conn->conn_initiator_alias = checked_strdup(initiator_alias); 954 955 assert(conn->conn_session_type == CONN_SESSION_TYPE_NONE); 956 session_type = keys_find(request_keys, "SessionType"); 957 if (session_type != NULL) { 958 if (strcmp(session_type, "Normal") == 0) { 959 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 960 } else if (strcmp(session_type, "Discovery") == 0) { 961 conn->conn_session_type = CONN_SESSION_TYPE_DISCOVERY; 962 } else { 963 login_send_error(request, 0x02, 0x00); 964 log_errx(1, "received Login PDU with invalid " 965 "SessionType \"%s\"", session_type); 966 } 967 } else 968 conn->conn_session_type = CONN_SESSION_TYPE_NORMAL; 969 970 assert(conn->conn_target == NULL); 971 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 972 target_name = keys_find(request_keys, "TargetName"); 973 if (target_name == NULL) { 974 login_send_error(request, 0x02, 0x07); 975 log_errx(1, "received Login PDU without TargetName"); 976 } 977 978 conn->conn_port = port_find_in_pg(pg, target_name); 979 if (conn->conn_port == NULL) { 980 login_send_error(request, 0x02, 0x03); 981 log_errx(1, "requested target \"%s\" not found", 982 target_name); 983 } 984 conn->conn_target = conn->conn_port->p_target; 985 } 986 987 /* 988 * At this point we know what kind of authentication we need. 989 */ 990 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 991 ag = conn->conn_port->p_auth_group; 992 if (ag == NULL) 993 ag = conn->conn_target->t_auth_group; 994 if (ag->ag_name != NULL) { 995 log_debugx("initiator requests to connect " 996 "to target \"%s\"; auth-group \"%s\"", 997 conn->conn_target->t_name, 998 ag->ag_name); 999 } else { 1000 log_debugx("initiator requests to connect " 1001 "to target \"%s\"", conn->conn_target->t_name); 1002 } 1003 } else { 1004 assert(conn->conn_session_type == CONN_SESSION_TYPE_DISCOVERY); 1005 ag = pg->pg_discovery_auth_group; 1006 log_debugx("initiator requests discovery session; %s", 1007 ag->ag_label); 1008 } 1009 1010 if (ag->ag_type == AG_TYPE_DENY) { 1011 login_send_error(request, 0x02, 0x01); 1012 log_errx(1, "auth-type is \"deny\""); 1013 } 1014 1015 if (ag->ag_type == AG_TYPE_UNKNOWN) { 1016 /* 1017 * This can happen with empty auth-group. 1018 */ 1019 login_send_error(request, 0x02, 0x01); 1020 log_errx(1, "auth-type not set, denying access"); 1021 } 1022 1023 /* 1024 * Enforce initiator-name and initiator-portal. 1025 */ 1026 if (!auth_name_check(ag, initiator_name)) { 1027 login_send_error(request, 0x02, 0x02); 1028 log_errx(1, "initiator does not match allowed initiator names"); 1029 } 1030 1031 if (!auth_portal_check(ag, &conn->conn_initiator_sa)) { 1032 login_send_error(request, 0x02, 0x02); 1033 log_errx(1, "initiator does not match allowed " 1034 "initiator portals"); 1035 } 1036 1037 /* 1038 * Let's see if the initiator intends to do any kind of authentication 1039 * at all. 1040 */ 1041 if (login_csg(request) == BHSLR_STAGE_OPERATIONAL_NEGOTIATION) { 1042 if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) { 1043 login_send_error(request, 0x02, 0x01); 1044 log_errx(1, "initiator skipped the authentication, " 1045 "but authentication is required"); 1046 } 1047 1048 keys_delete(request_keys); 1049 1050 log_debugx("initiator skipped the authentication, " 1051 "and we don't need it; proceeding with negotiation"); 1052 login_negotiate(conn, request); 1053 return; 1054 } 1055 1056 fail = false; 1057 response = login_new_response(request); 1058 response_keys = keys_new(); 1059 trans = (bhslr->bhslr_flags & BHSLR_FLAGS_TRANSIT) != 0; 1060 auth_method = keys_find(request_keys, "AuthMethod"); 1061 if (ag->ag_type == AG_TYPE_NO_AUTHENTICATION) { 1062 log_debugx("authentication not required"); 1063 if (auth_method == NULL || 1064 login_list_contains(auth_method, "None")) { 1065 keys_add(response_keys, "AuthMethod", "None"); 1066 } else { 1067 log_warnx("initiator requests " 1068 "AuthMethod \"%s\" instead of \"None\"", 1069 auth_method); 1070 keys_add(response_keys, "AuthMethod", "Reject"); 1071 } 1072 if (trans) 1073 login_set_nsg(response, BHSLR_STAGE_OPERATIONAL_NEGOTIATION); 1074 } else { 1075 log_debugx("CHAP authentication required"); 1076 if (auth_method == NULL || 1077 login_list_contains(auth_method, "CHAP")) { 1078 keys_add(response_keys, "AuthMethod", "CHAP"); 1079 } else { 1080 log_warnx("initiator requests unsupported " 1081 "AuthMethod \"%s\" instead of \"CHAP\"", 1082 auth_method); 1083 keys_add(response_keys, "AuthMethod", "Reject"); 1084 fail = true; 1085 } 1086 } 1087 if (conn->conn_session_type == CONN_SESSION_TYPE_NORMAL) { 1088 if (conn->conn_target->t_alias != NULL) 1089 keys_add(response_keys, 1090 "TargetAlias", conn->conn_target->t_alias); 1091 keys_add_int(response_keys, 1092 "TargetPortalGroupTag", pg->pg_tag); 1093 } 1094 keys_save_pdu(response_keys, response); 1095 1096 pdu_send(response); 1097 pdu_delete(response); 1098 keys_delete(response_keys); 1099 pdu_delete(request); 1100 keys_delete(request_keys); 1101 1102 if (fail) { 1103 log_debugx("sent reject for AuthMethod; exiting"); 1104 exit(1); 1105 } 1106 1107 if (ag->ag_type != AG_TYPE_NO_AUTHENTICATION) { 1108 login_chap(conn, ag); 1109 login_negotiate(conn, NULL); 1110 } else if (trans) { 1111 login_negotiate(conn, NULL); 1112 } else { 1113 login_wait_transition(conn); 1114 } 1115 } 1116