a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * CDDL HEADER START
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * The contents of this file are subject to the terms of the
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Common Development and Distribution License (the "License").
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * You may not use this file except in compliance with the License.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * See the License for the specific language governing permissions
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * and limitations under the License.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * When distributing Covered Code, include this CDDL HEADER in each
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * If applicable, add the following below this CDDL HEADER, with the
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * fields enclosed by brackets "[]" replaced with your own identifying
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * information: Portions Copyright [yyyy] [name of copyright owner]
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * CDDL HEADER END
4558d122136f151d62acbbc02ddb42df89a5ef66Viswanathan Kannappan * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapiscsit_select_auth(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_propose_chap(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_select_alg(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_recv_n(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_recv_r(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_recv_i(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_recv_c(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapiscsit_auth_propose(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapiscsit_auth_expect_key(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_expect_r(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_done(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlaptypedef struct {
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * This table defines all authentication phases which have valid
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * handler. The entries which have a non-zero key index are for
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * a key/value pair handling when a key/value is being received,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * the rest of entries are for target checking the authentication
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * phase after all key/value pair(s) are handled.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* by key */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_AM_UNDECIDED, KI_AUTH_METHOD, iscsit_select_auth },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_AM_PROPOSED, KI_CHAP_A, auth_propose_chap },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_CHAP_A_WAITING, KI_CHAP_A, auth_chap_select_alg },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_CHAP_R_WAITING, KI_CHAP_N, auth_chap_recv_n },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_CHAP_R_WAITING, KI_CHAP_R, auth_chap_recv_r },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_CHAP_R_WAITING, KI_CHAP_I, auth_chap_recv_i },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_CHAP_R_WAITING, KI_CHAP_C, auth_chap_recv_c },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_CHAP_R_RCVD, KI_CHAP_N, auth_chap_recv_n },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_CHAP_R_RCVD, KI_CHAP_R, auth_chap_recv_r },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_CHAP_R_RCVD, KI_CHAP_I, auth_chap_recv_i },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap { AP_CHAP_R_RCVD, KI_CHAP_C, auth_chap_recv_c },
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* by target */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlaptypedef struct {
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * a table of mapping from the authentication index to name.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* { AM_SPKM1, "SPKM1" }, */ /* Not supported */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* { AM_SPKM2, "SPKM2" }, */ /* Not supported */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap#define ARRAY_LENGTH(ARRAY) (sizeof (ARRAY) / sizeof (ARRAY[0]))
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * get the authentication method name for the method id.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapstatic const char *
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Look for an apporiate function handler which is defined for
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * current authentication phase and matches the key which is
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * being handled. The key index is passed in as zero when it
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * is looking for an handler for checking the authentication phase
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * after all security keys are handled.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapiscsit_auth_get_handler(iscsit_auth_client_t *client, iscsikey_id_t kv_id)
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* No handler can be found, it must be an invalid requst. */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Select an authentication method from a list of values proposed
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * by initiator. After a valid method is selected, shift the
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * authentication phase to AP_AM_DECIDED.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapiscsit_select_auth(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_method_t *am_list = &auth->ca_method_valid_list[0];
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* select a valid authentication method */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap while (am_id != 0) {
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap am_choice = idm_get_next_listvalue(nvp, am_choice);
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* none of authentication method is valid */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* add the selected method to the response nvlist */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap nvrc = nvlist_add_string(lsm->icl_response_nvlist,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Initiator chooses to use CHAP after target proposed a list of
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * authentication method. Set the authentication method to CHAP and
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * continue on chap authentication phase.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_propose_chap(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Select a CHAP algorithm from a list of values proposed by
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * initiator and shift the authentication phase to AP_CHAP_A_RCVD.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_select_alg(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap alg_choice = idm_get_next_listvalue(nvp, NULL);
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap nvrc = nvpair_value_string(alg_choice, &alg_string);
2ef9abdc6ea9bad985430325b12b90938a8cd18fjv rc = ddi_strtoull(alg_string, NULL, 0, (u_longlong_t *)&alg);
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* only MD5 is supported */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap alg_choice = idm_get_next_listvalue(nvp, alg_choice);
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* none of algorithm is selected */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* save the selected algorithm or zero for none is selected */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* add the selected algorithm to the response nvlist */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap nvrc = nvlist_add_string(lsm->icl_response_nvlist,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap kvrc = KV_AUTH_FAILED; /* No algorithm selected */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Validate and save the the chap name which is sent by initiator
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * and shift the authentication phase to AP_CHAP_R_RCVD.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Note: the CHAP_N, CHAP_R, optionally CHAP_I and CHAP_C key/value
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * pairs need to be received in one packet, we handle each of them
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * separately, in order to track the authentication phase, we set
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * the authentication phase to AP_CHAP_R_RCVD once one of them is
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * handled. So both of AP_CHAP_R_WAITING and AP_CHAP_R_RCVD phases
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * are valid for these keys. The function auth_chap_done is going
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * to detect if any of these keys is missing.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_recv_n(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Validate and save the the chap response which is sent by initiator
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * and shift the authentication phase to AP_CHAP_R_RCVD.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Note: see function auth_chap_recv_n.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_recv_r(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap nvrc = nvpair_value_byte_array(nvp, &chap_resp, &len);
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Validate and save the the chap identifier which is sent by initiator
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * and shift the authentication phase to AP_CHAP_R_RCVD.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Note: see function auth_chap_recv_n.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_recv_i(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Validate and save the the chap challenge which is sent by initiator
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * and shift the authentication phase to AP_CHAP_R_RCVD.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Note: see function auth_chap_recv_n.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_recv_c(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap nvrc = nvpair_value_byte_array(nvp, &chap_challenge, &len);
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Shift the authentication phase to AP_CHAP_R_WAITING after target
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * has successfully selected a chap algorithm.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_expect_r(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* none of proposed algorithm is supported or understood. */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Initiator does not propose security negotiation, target needs to
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * verify if we can bypass the security negotiation phase or propose
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * a security negotiation for the initiator.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapiscsit_auth_propose(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_method_t *am_list = &auth->ca_method_valid_list[0];
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap if (am_list[0] == AM_NONE || am_list[0] == 0) {
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * It should be noted that the negotiation might also
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * be directed by the target if the initiator does
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * support security, but is not ready to direct the
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * negotiation (propose options).
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * - RFC3720 section 5.3.2.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Shift the authentication phase according to the authentication
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * method once it is selected.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapiscsit_auth_expect_key(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* Shift security negotiation phase. */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* None of proposed method is supported or understood. */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * The last step of the chap authentication. We will validate the
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * chap parameters we received and authenticate the client here.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlapauth_chap_done(iscsit_conn_t *ict, nvpair_t *nvp,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * Check if we have received a valid list of response keys.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap if (!client_auth_key_present(&client->recvKeyBlock, AKT_CHAP_N) ||
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap !client_auth_key_present(&client->recvKeyBlock, AKT_CHAP_R) ||
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap client_auth_key_present(&client->recvKeyBlock, AKT_CHAP_I)) ^
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap client_auth_key_present(&client->recvKeyBlock, AKT_CHAP_C))) {
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* check username */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* bi-direction authentication is required */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* send chap identifier */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap bin = &(client->auth_send_binary_block.largeBinary[0]);
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap /* send chap challenge */
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap iscsit_auth_client_t *client = &lsm->icl_auth_client;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap tgt_password_length = auth->ca_tgt_chapsecretlen;
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * We can't know in advance whether the initiator will attempt
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * mutual authentication, so now we need to check whether we
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap * have a target CHAP secret configured.