xref: /illumos-gate/usr/src/uts/common/io/scsi/adapters/iscsi/iscsiAuthClientGlue.c (revision d036a205252fb571ad98bf872416a3d413d75f82)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2000 by Cisco Systems, Inc.  All rights reserved.
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * iSCSI Pseudo HBA Driver
 */

#include <sys/random.h>

#include "chap.h"
#include "iscsi.h"
#include <sys/iscsi_protocol.h>
#include "iscsiAuthClient.h"
#include "persistent.h"

/*
 * Authenticate a target's CHAP response.
 *
 * username - Incoming username from the the target.
 * responseData - Incoming response data from the target.
 */
int
iscsiAuthClientChapAuthRequest(IscsiAuthClient *client,
    char *username, unsigned int id, uchar_t *challengeData,
    unsigned int challengeLength, uchar_t *responseData,
    unsigned int responseLength)
{
	iscsi_sess_t		*isp = (iscsi_sess_t *)client->userHandle;
	IscsiAuthMd5Context	context;
	uchar_t			verifyData[16];
	iscsi_radius_props_t p_radius_cfg;

	if (isp == NULL) {
		return (iscsiAuthStatusFail);
	}

	/*
	 * the expected credentials are in the session
	 */
	if (strcmp(username, isp->sess_auth.username_in) != 0) {
		cmn_err(CE_WARN, "iscsi session(%u) failed authentication, "
		    "received incorrect username from target",
		    isp->sess_oid);
		return (iscsiAuthStatusFail);
	}

	/* Check if RADIUS access is enabled */
	if (persistent_radius_get(&p_radius_cfg) == ISCSI_NVFILE_SUCCESS &&
	    p_radius_cfg.r_radius_access == B_TRUE) {
		chap_validation_status_type chap_valid_status;
		int authStatus;
		RADIUS_CONFIG radius_cfg;

		if (p_radius_cfg.r_radius_config_valid == B_FALSE) {
			/*
			 * Radius enabled but configuration invalid -
			 * invalid condition
			 */
			return (iscsiAuthStatusFail);
		}

		/* Use RADIUS server to authentication target */
		if (p_radius_cfg.r_insize == sizeof (in_addr_t)) {
			/* IPv4 */
			radius_cfg.rad_svr_addr.i_addr.in4.s_addr =
			    p_radius_cfg.r_addr.u_in4.s_addr;
			radius_cfg.rad_svr_addr.i_insize
			    = sizeof (in_addr_t);
		} else if (p_radius_cfg.r_insize == sizeof (in6_addr_t)) {
			/* IPv6 */
			bcopy(p_radius_cfg.r_addr.u_in6.s6_addr,
			    radius_cfg.rad_svr_addr.i_addr.in6.s6_addr,
			    16);
			radius_cfg.rad_svr_addr.i_insize = sizeof (in6_addr_t);
		} else {
			return (iscsiAuthStatusFail);
		}

		radius_cfg.rad_svr_port = p_radius_cfg.r_port;
		bcopy(p_radius_cfg.r_shared_secret,
		    radius_cfg.rad_svr_shared_secret,
		    MAX_RAD_SHARED_SECRET_LEN);
		radius_cfg.rad_svr_shared_secret_len =
		    p_radius_cfg.r_shared_secret_len;

		/* Entry point to the CHAP authentication module. */
		chap_valid_status = chap_validate_tgt(
		    isp->sess_auth.username_in,
		    isp->sess_auth.username,
		    challengeData,
		    challengeLength,
		    responseData,
		    responseLength,
		    id,
		    RADIUS_AUTHENTICATION,
		    (void *)&radius_cfg);

		switch (chap_valid_status) {
			case CHAP_VALIDATION_PASSED:
				authStatus = iscsiAuthStatusPass;
				break;
			case CHAP_VALIDATION_INVALID_RESPONSE:
				authStatus = iscsiAuthStatusFail;
				break;
			case CHAP_VALIDATION_DUP_SECRET:
				authStatus = iscsiAuthStatusFail;
				break;
			case CHAP_VALIDATION_RADIUS_ACCESS_ERROR:
				authStatus = iscsiAuthStatusFail;
				break;
			case CHAP_VALIDATION_BAD_RADIUS_SECRET:
				authStatus = iscsiAuthStatusFail;
				break;
			default:
				authStatus = iscsiAuthStatusFail;
				break;
		}
		return (authStatus);
	} else {
		/* Use target secret (if defined) to authenticate target */
		if ((isp->sess_auth.password_length_in < 1) ||
		    (isp->sess_auth.password_in[0] == '\0')) {
			/* No target secret defined - invalid condition */
			return (iscsiAuthStatusFail);
		}

		/*
		 * challenge length is I->T, and shouldn't need to
		 * be checked
		 */
		if (responseLength != sizeof (verifyData)) {
			cmn_err(CE_WARN, "iscsi session(%u) failed "
			    "authentication, received incorrect CHAP response "
			    "from target", isp->sess_oid);
			return (iscsiAuthStatusFail);
		}

		iscsiAuthMd5Init(&context);

		/*
		 * id byte
		 */
		verifyData[0] = id;
		iscsiAuthMd5Update(&context, verifyData, 1);

		/*
		 * shared secret
		 */
		iscsiAuthMd5Update(&context,
		    (uchar_t *)isp->sess_auth.password_in,
		    isp->sess_auth.password_length_in);

		/*
		 * challenge value
		 */
		iscsiAuthMd5Update(&context,
		    (uchar_t *)challengeData,
		    challengeLength);

		iscsiAuthMd5Final(verifyData, &context);

		if (bcmp(responseData, verifyData,
		    sizeof (verifyData)) == 0) {
			return (iscsiAuthStatusPass);
		}

		cmn_err(CE_WARN, "iscsi session(%u) failed authentication, "
		    "received incorrect CHAP response from target",
		    isp->sess_oid);
	}

	return (iscsiAuthStatusFail);
}

/* ARGSUSED */
void
iscsiAuthClientChapAuthCancel(IscsiAuthClient * client)
{
}


int
iscsiAuthClientTextToNumber(const char *text, unsigned long *pNumber)
{
	char *pEnd;
	unsigned long number;

	if (text[0] == '0' && (text[1] == 'x' || text[1] == 'X')) {
		if (ddi_strtoul(text + 2, &pEnd, 16, &number) != 0) {
			return (1); /* Error */
		}
	} else {
		if (ddi_strtoul(text, &pEnd, 10, &number) != 0) {
			return (1); /* Error */
		}
	}

	if (*text != '\0' && *pEnd == '\0') {
		*pNumber = number;
		return (0);	/* No error */
	} else {
		return (1);	/* Error */
	}
}

/* ARGSUSED */
void
iscsiAuthClientNumberToText(unsigned long number, char *text,
    unsigned int length)
{
	(void) sprintf(text, "%lu", number);
}


void
iscsiAuthRandomSetData(uchar_t *data, unsigned int length)
{
	(void) random_get_pseudo_bytes(data, length);
}


void
iscsiAuthMd5Init(IscsiAuthMd5Context * context)
{
	MD5Init(context);
}


void
iscsiAuthMd5Update(IscsiAuthMd5Context *context, uchar_t *data,
    unsigned int length)
{
	MD5Update(context, data, length);
}


void
iscsiAuthMd5Final(uchar_t *hash, IscsiAuthMd5Context *context)
{
	MD5Final(hash, context);
}


int
iscsiAuthClientData(uchar_t *outData, unsigned int *outLength,
    uchar_t *inData, unsigned int inLength)
{
	if (*outLength < inLength) {
		return (1);	/* error */
	}
	bcopy(inData, outData, inLength);
	*outLength = inLength;
	return (0);		/* no error */
}