fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * CDDL HEADER START
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * The contents of this file are subject to the terms of the
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Common Development and Distribution License (the "License").
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * You may not use this file except in compliance with the License.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * See the License for the specific language governing permissions
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * and limitations under the License.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * When distributing Covered Code, include this CDDL HEADER in each
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * If applicable, add the following below this CDDL HEADER, with the
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * fields enclosed by brackets "[]" replaced with your own identifying
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * information: Portions Copyright [yyyy] [name of copyright owner]
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * CDDL HEADER END
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Copyright 2000 by Cisco Systems, Inc. All rights reserved.
1a1a84a324206b6b1f5f704ab166c4ebf78aed76Peter Dunlap * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Use is subject to license terms.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * This file implements the iSCSI CHAP authentication method.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * The code in this file is meant to be platform independent, and
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * makes use of only limited library functions, presently only string.h.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Platform dependent routines are defined in iscsiAuthClient.h, but
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * implemented in another file.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * The code in this file assumes a single thread of execution
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * for each IscsiAuthClient structure, and does no locking.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Fortetypedef struct iscsiAuthKeyInfo_t IscsiAuthKeyInfo;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteIscsiAuthClientGlobalStats iscsiAuthClientGlobalStats;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Note: The ordering of this table must match the order
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * defined by IscsiAuthKeyType in iscsiAuthClient.h.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Fortestatic IscsiAuthKeyInfo iscsiAuthClientKeyInfo[iscsiAuthKeyTypeMaxCount] = {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte {"AuthMethod"},
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Fortestatic const char iscsiAuthClientHexString[] = "0123456789abcdefABCDEF";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Fortestatic const char iscsiAuthClientAuthMethodChapOptionName[] = "CHAP";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int maxLength, unsigned int *pOutLength)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (*s++ == '\0') {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientStringCopy(char *stringOut, const char *stringIn,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int length)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (--length == 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientStringAppend(char *stringOut, const char *stringIn,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int length)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (--length == 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (--length == 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte while (*s != '\0') {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (*s++ == c) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte return (-1);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (value == iscsiAuthVersionDraft8 || value == iscsiAuthVersionRfc) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (value == iscsiAuthOptionNone || value == iscsiAuthMethodChap) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Fortestatic const char *
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientAuthMethodOptionToText(IscsiAuthClient * client, int value)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte const char *s;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientCheckChapAlgorithmOption(int chapAlgorithm)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientDataToHex(unsigned char *data, unsigned int dataLength,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned long n;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte while (dataLength > 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte *text++ = iscsiAuthClientHexString[(n >> 4) & 0xf];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientDataToBase64(unsigned char *data, unsigned int dataLength,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned long n;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte *text++ = iscsiAuthClientBase64String[(n >> 18) & 0x3f];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte *text++ = iscsiAuthClientBase64String[(n >> 12) & 0x3f];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte *text++ = iscsiAuthClientBase64String[(n >> 6) & 0x3f];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte *text++ = iscsiAuthClientBase64String[(n >> 6) & 0x3f];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte *text++ = iscsiAuthClientBase64String[(n >> 12) & 0x3f];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte *text++ = iscsiAuthClientBase64String[(n >> 6) & 0x3f];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientDataToText(int base64, unsigned char *data,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int dataLength, char *text, unsigned int textLength)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientHexToData(const char *text, unsigned int textLength,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte i = iscsiAuthClientStringIndex(iscsiAuthClientHexString,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (i < 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (i < 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (i < 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientBase64ToData(const char *text, unsigned int textLength,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int n;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (i < 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte n = (n << 6 | (unsigned int)i);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * do nothing
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientTextToData(const char *text, unsigned char *data,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int *dataLength)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte 2 + 2 * iscsiAuthLargeBinaryMaxLength + 1, &textLength);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (text[0] == '0' && (text[1] == 'x' || text[1] == 'X')) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * skip prefix
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte } else if (text[0] == '0' && (text[1] == 'b' || text[1] == 'B')) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * skip prefix
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientChapComputeResponse(IscsiAuthClient * client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned char *challengeData, unsigned int challengeLength,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned char *responseData)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int outLength = iscsiAuthStringMaxLength;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte return (iscsiAuthDebugStatusLocalPasswordNotSet);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * decrypt password
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte return (iscsiAuthDebugStatusPasswordDecryptFailed);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!remoteAuthentication && !client->ipSec && outLength < 12) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte return (iscsiAuthDebugStatusPasswordTooShortWithNoIpSec);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * shared secret
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthMd5Update(&context, outData, outLength);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * clear decrypted password
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * challenge value
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthMd5Update(&context, challengeData, challengeLength);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte return (iscsiAuthDebugStatusNotSet); /* no error */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientInitKeyBlock(IscsiAuthKeyBlock * keyBlock)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetKeyValue(IscsiAuthKeyBlock * keyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if ((keyBlock->blockLength + length) > iscsiAuthStringBlockMaxLength) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte string = &keyBlock->stringBlock[keyBlock->blockLength];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (iscsiAuthClientStringCopy(string, keyValue, length)) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Fortestatic const char *
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientGetKeyValue(IscsiAuthKeyBlock * keyBlock, int keyType)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte int *optionList, const char *(*valueToText) (IscsiAuthClient *, int))
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int i;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte keyValue = iscsiAuthClientGetKeyValue(&client->recvKeyBlock, keyType);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte for (i = 0; i < optionCount; i++) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte const char *s = (*valueToText) (client, optionList[i]);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte int *optionList, const char *(*valueToText) (IscsiAuthClient *, int))
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int i;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * No valid options to send, but we always want to
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * send something.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock, keyType,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (optionCount == 1 && optionList[0] == iscsiAuthOptionNotPresent) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock, keyType, 0);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte for (i = 0; i < optionCount; i++) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte const char *s = (*valueToText) (client, optionList[i]);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (i == 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientCheckAuthMethodKey(IscsiAuthClient * client)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->authMethodValidList, iscsiAuthClientAuthMethodOptionToText);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetAuthMethodKey(IscsiAuthClient * client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int authMethodCount, int *authMethodList)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKey(client, iscsiAuthKeyTypeAuthMethod,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientCheckChapAlgorithmKey(IscsiAuthClient * client)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int i;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte keyValue = iscsiAuthClientGetKeyValue(&client->recvKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->negotiatedChapAlgorithm = iscsiAuthOptionNotPresent;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (iscsiAuthClientTextToNumber(client->scratchKeyValue,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte for (i = 0; i < client->chapAlgorithmCount; i++) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->negotiatedChapAlgorithm = iscsiAuthOptionReject;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetChapAlgorithmKey(IscsiAuthClient * client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int chapAlgorithmCount, int *chapAlgorithmList)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int i;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte chapAlgorithmList[0] == iscsiAuthOptionNotPresent) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthKeyTypeChapAlgorithm, client->rejectOptionName);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte for (i = 0; i < chapAlgorithmCount; i++) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientNumberToText(chapAlgorithmList[i],
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s, sizeof (s));
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (i == 0) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthKeyTypeChapAlgorithm, client->scratchKeyValue);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientNextPhase(IscsiAuthClient * client)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->negotiatedAuthMethod == iscsiAuthOptionNone) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->localState = iscsiAuthLocalStateSendAlgorithm;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteState = iscsiAuthRemoteStateSendAlgorithm;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->debugStatus = iscsiAuthDebugStatusAuthMethodBad;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientLocalAuthentication(IscsiAuthClient * client)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned char responseData[iscsiAuthChapResponseLength];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->localState = iscsiAuthLocalStateRecvAlgorithm;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte /* FALLTHRU */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeTarget) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Make sure only a supported CHAP algorithm is used.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeTarget) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->localState = iscsiAuthLocalStateRecvChallenge;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte /* FALLTHRU */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte chapIdentifierKeyValue = iscsiAuthClientGetKeyValue(
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte &client->recvKeyBlock, iscsiAuthKeyTypeChapIdentifier);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte chapChallengeKeyValue = iscsiAuthClientGetKeyValue(
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte &client->recvKeyBlock, iscsiAuthKeyTypeChapChallenge);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeTarget) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!chapIdentifierKeyValue && !chapChallengeKeyValue) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeTarget &&
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte debugStatus = iscsiAuthClientChapComputeResponse(client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->scratchKeyValue, iscsiAuthStringMaxLength);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthKeyTypeChapResponse, client->scratchKeyValue);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientRemoteAuthentication(IscsiAuthClient * client)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned char responseData[iscsiAuthStringMaxLength];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int responseLength = iscsiAuthStringMaxLength;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned char myResponseData[iscsiAuthChapResponseLength];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteState = iscsiAuthRemoteStateSendChallenge;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte /* FALLTHRU */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientNumberToText(client->sendChapIdentifier,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->scratchKeyValue, iscsiAuthStringMaxLength);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthKeyTypeChapIdentifier, client->scratchKeyValue);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->sendChapChallenge.length = client->chapChallengeLength;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthRandomSetData(client->sendChapChallenge.largeBinary,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteState = iscsiAuthRemoteStateRecvResponse;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte chapResponseKeyValue = iscsiAuthClientGetKeyValue(
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte &client->recvKeyBlock, iscsiAuthKeyTypeChapResponse);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte chapUsernameKeyValue = iscsiAuthClientGetKeyValue(
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte &client->recvKeyBlock, iscsiAuthKeyTypeChapUsername);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte status = iscsiAuthClientTextToData(chapResponseKeyValue,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (responseLength == iscsiAuthChapResponseLength) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte debugStatus = iscsiAuthClientChapComputeResponse(
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->sendChapChallenge.length, myResponseData);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Check if the same CHAP secret is being used for
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * authentication in both directions.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte (void) iscsiAuthClientStringCopy(client->chapUsername,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte /* To verify the target's response. */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client, client->chapUsername, client->sendChapIdentifier,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteState = iscsiAuthRemoteStateAuthRequest;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteAuthStatus = (IscsiAuthStatus) status;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte /* FALLTHRU */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * client->remoteAuthStatus already set
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte } else if (client->remoteAuthStatus == iscsiAuthStatusPass) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->debugStatus = iscsiAuthDebugStatusAuthPass;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte } else if (client->remoteAuthStatus == iscsiAuthStatusFail) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->debugStatus = iscsiAuthDebugStatusAuthFail;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->debugStatus = iscsiAuthDebugStatusAuthStatusBad;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte /* FALLTHRU */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientHandshake(IscsiAuthClient * client)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Should only happen if authentication
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * protocol error occurred.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->remoteState == iscsiAuthRemoteStateAuthRequest) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Defer until authentication response received
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * from internal authentication service.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Target should only have set T bit on response if
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * initiator set it on previous message.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Should only happen if waiting for peer
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * to send AuthMethod key or set Transit Bit.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->remoteState == iscsiAuthRemoteStateRecvResponse ||
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteState == iscsiAuthRemoteStateDone) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->remoteState == iscsiAuthRemoteStateDone &&
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteAuthStatus != iscsiAuthStatusPass) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Authentication failed, don't
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * do T bit handshake.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Target can only set T bit on response if
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * initiator set it on current message.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Target set T bit on response but
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * initiator was not done with authentication.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->debugStatus = iscsiAuthDebugStatusTbitSetPremature;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientRecvEndStatus(IscsiAuthClient * client)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Perform sanity check against configured parameters.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->authRemote && !client->authResponseFlag &&
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteAuthStatus == iscsiAuthStatusPass) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte } else if (client->remoteState == iscsiAuthRemoteStateAuthRequest) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Check that all incoming keys have been processed.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Suppress send keys on error, except
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * for AuthMethod and CHAP_A.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeTarget) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (iscsiAuthClientGetKeyValue(&client->sendKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientInitKeyBlock(&client->sendKeyBlock);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeTarget) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientRecvBegin(IscsiAuthClient * client)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->transitBitSentFlag = client->sendKeyBlock.transitBit;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientInitKeyBlock(&client->recvKeyBlock);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientInitKeyBlock(&client->sendKeyBlock);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte IscsiAuthClientCallback * callback, void *userHandle, void *messageHandle)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->recvEndCount > iscsiAuthRecvEndMaxCount) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->debugStatus = iscsiAuthDebugStatusRecvStringTooLong;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->debugStatus = iscsiAuthDebugStatusRecvTooMuchData;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * No AuthMethod key from peer
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * on first message, try moving
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * the process along by sending
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * the AuthMethod key.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Special case if peer sent no
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * AuthMethod key, but did set Transit
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Bit, allowing this side to do a
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * null authentication, and complete
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * the iSCSI security phase without
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * either side sending the AuthMethod
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Send response to AuthMethod key.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Must call iscsiAuthClientLocalAuthentication()
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * before iscsiAuthClientRemoteAuthentication()
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * to ensure processing of the CHAP algorithm key,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * and to avoid leaving an in progress request to the
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * authentication service.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->localState != iscsiAuthLocalStateError) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->localState == iscsiAuthLocalStateError ||
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteState == iscsiAuthRemoteStateError) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * client->debugStatus should already be set.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientAuthResponse(IscsiAuthClient * client, int authStatus)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteState != iscsiAuthRemoteStateAuthRequest) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->remoteAuthStatus = (IscsiAuthStatus) authStatus;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte authStatus = iscsiAuthClientRecvEndStatus(client);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->callback(client->userHandle, client->messageHandle, authStatus);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (keyType < iscsiAuthKeyTypeFirst || keyType > iscsiAuthKeyTypeLast) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientKeyNameToKeyType(const char *keyName)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte while (iscsiAuthClientGetNextKeyType(&keyType) ==
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte const char *keyName2 = iscsiAuthClientGetKeyName(keyType);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientRecvKeyValue(IscsiAuthClient * client, int keyType,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (keyType < iscsiAuthKeyTypeFirst || keyType > iscsiAuthKeyTypeLast) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetKeyValue(&client->recvKeyBlock,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSendKeyValue(IscsiAuthClient * client, int keyType,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte int *keyPresent, char *userKeyValue, unsigned int maxLength)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (keyType < iscsiAuthKeyTypeFirst || keyType > iscsiAuthKeyTypeLast) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte keyValue = iscsiAuthClientGetKeyValue(&client->sendKeyBlock, keyType);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientRecvTransitBit(IscsiAuthClient * client, int value)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSendTransitBit(IscsiAuthClient * client, int *value)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
/*
 * iscsiAuthClientInit: builds an auth client inside caller-supplied buffers.
 *
 * bufferDesc[0].address becomes the client itself.  bufferDesc[1]..[4] are
 * the receive/send string blocks and the receive/send CHAP challenge
 * buffers; each length is compared with sizeof of the structure it is cast
 * to before the cast is made.  The four work buffers are zeroed, the client
 * is pointed at them, and defaults are installed.
 *
 * NOTE(review): the checks on bufferDescCount and on bufferDesc[0].length
 * are not visible in this listing.  Confirm that both are verified before
 * bufferDesc[0].address is cast and bufferDesc[1..4] are indexed; every
 * later access to the client relies on those sizes being exact.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientInit(int nodeType, int bufferDescCount,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client = (IscsiAuthClient *) bufferDesc[0].address;
/* Each work buffer must be exactly the size of the structure it backs. */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte bufferDesc[1].length != sizeof (*recvStringBlock)) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte recvStringBlock = (IscsiAuthStringBlock *) bufferDesc[1].address;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte bufferDesc[2].length != sizeof (*sendStringBlock)) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte sendStringBlock = (IscsiAuthStringBlock *) bufferDesc[2].address;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte bufferDesc[3].length != sizeof (*recvChapChallenge)) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte recvChapChallenge = (IscsiAuthLargeBinary *) bufferDesc[3].address;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte bufferDesc[4].length != sizeof (*sendChapChallenge)) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte sendChapChallenge = (IscsiAuthLargeBinary *) bufferDesc[4].address;
/* Clear all four work buffers before the client is pointed into them. */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte bzero(recvStringBlock, sizeof (*recvStringBlock));
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte bzero(sendStringBlock, sizeof (*sendStringBlock));
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte bzero(recvChapChallenge, sizeof (*recvChapChallenge));
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte bzero(sendChapChallenge, sizeof (*sendChapChallenge));
/* The client keeps pointers into the caller's buffers; it does not copy them. */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->recvKeyBlock.stringBlock = recvStringBlock->stringBlock;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->sendKeyBlock.stringBlock = sendStringBlock->stringBlock;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->recvChapChallenge.largeBinary = recvChapChallenge->largeBinary;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->sendChapChallenge.largeBinary = sendChapChallenge->largeBinary;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte /* Assume bi-directional authentication enabled. */
/* Default challenge length is the CHAP response length; nothing is negotiated yet. */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->chapChallengeLength = iscsiAuthChapResponseLength;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->negotiatedAuthMethod = iscsiAuthOptionNotPresent;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->negotiatedChapAlgorithm = iscsiAuthOptionNotPresent;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->authMethodNegRole = iscsiAuthNegRoleOriginator;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Initial value ignored for Target.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->authMethodNegRole = iscsiAuthNegRoleResponder;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte /* All supported authentication methods */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Must call after setting authRemote, password,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * version and authMethodNegRole
/* Install the defaults: two auth methods and one CHAP algorithm from valueList. */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (iscsiAuthClientSetAuthMethodList(client, 2, valueList) !=
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (iscsiAuthClientSetChapAlgorithmList(client, 1, valueList) !=
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
/*
 * iscsiAuthClientSetOptionList: shared setter for an option list.  It takes
 * a checkList callback that receives (optionCount, optionList).  The visible
 * body makes three passes bounded by optionCount: a first loop whose body is
 * not shown, a duplicate check over all (i, j) pairs, and a pass for
 * key-specific constraints.
 * NOTE(review): presumably the accepted list is stored into the client.
 * Confirm that optionCount is capped at the capacity of the destination
 * array before anything is copied; that bound is not visible here.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetOptionList(IscsiAuthClient * client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte int (*checkList) (unsigned int optionCount, const int *optionList))
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int i;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int j;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte for (i = 0; i < optionCount; i++) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Check for duplicate entries.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte for (i = 0; i < optionCount; i++) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte for (j = 0; j < optionCount; j++) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Check for key specific constraints.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte for (i = 0; i < optionCount; i++) {
/*
 * iscsiAuthClientSetAuthMethodValid: derives client->authMethodValidList
 * from client->authMethodList, then re-initialises the send key block and,
 * when this side is the originator, sets the AuthMethod key.
 *
 * The filter is the policy that decides whether AuthMethod "none" may be
 * offered or accepted.  Per the comments below: an initiator that is doing
 * authentication does not offer none, and one with no password offers only
 * none; a target that is doing authentication does not accept none, and one
 * that is not accepts only none.
 *
 * NOTE(review): this is the point that prevents a peer from negotiating down
 * to no authentication when authentication is required.  Any change to the
 * conditions should be exercised for both node types, with and without a
 * password.  The conditions themselves are only partly visible in this
 * listing.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetAuthMethodValid(IscsiAuthClient * client)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte static const char rejectOptionNameDraft8[] = "reject";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte static const char rejectOptionNameRfc[] = "Reject";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte static const char noneOptionNameDraft8[] = "none";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int i;
/* j is the write index into authMethodValidList. */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int j = 0;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->rejectOptionName = rejectOptionNameDraft8;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Following checks may need to be revised if
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * authentication options other than CHAP and none
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * are supported.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * If initiator doing authentication,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * don't offer authentication option none.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * If initiator password not set,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * only offer authentication option none.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeTarget) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * If target doing authentication,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * don't accept authentication option none.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * If target not doing authentication,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * only accept authentication option none.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->authMethodList[i] == iscsiAuthOptionNone) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->authMethodList[i] != iscsiAuthOptionNone) {
/* NOTE(review): presumably at most one write per i, so j cannot pass the source count -- confirm. */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->authMethodValidList[j++] = client->authMethodList[i];
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientInitKeyBlock(&client->sendKeyBlock);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Initiator wants to authenticate target,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * always send AuthMethod key.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->authMethodValidNegRole = iscsiAuthNegRoleResponder;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->authMethodValidNegRole == iscsiAuthNegRoleOriginator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientSetAuthMethodKey(client, 1, &value);
/*
 * iscsiAuthClientCheckAuthMethodList: validates an AuthMethod option list.
 * The visible test inspects the last entry and compares it with
 * iscsiAuthOptionNone.
 * NOTE(review): optionCount is unsigned, so optionCount - 1 wraps when the
 * count is zero.  Confirm that an earlier check (not visible in this
 * listing) rejects an empty list before optionList is indexed.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientCheckAuthMethodList(unsigned int optionCount,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte unsigned int i;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (optionList[optionCount - 1] != iscsiAuthOptionNone) {
/*
 * iscsiAuthClientSetAuthMethodList: stores a new AuthMethod list by passing
 * the client, the list and &client->authMethodCount to a helper (the callee
 * name is not visible in this listing; presumably the shared option-list
 * setter).  Per the comment below, the valid-method list has to be
 * recomputed afterwards.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetAuthMethodList(IscsiAuthClient * client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client, optionCount, optionList, &client->authMethodCount,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Setting authMethod affects authMethodValid.
/*
 * iscsiAuthClientSetAuthMethodNegRole: sets the AuthMethod negotiation role.
 * Visible checks: the client must be non-NULL with a matching signature, and
 * one condition tests that the node type is the initiator.
 * NOTE(review): negRole arrives as a plain int and is cast to
 * IscsiAuthNegRole.  Confirm that it is range-checked in the condition that
 * is only partly visible here.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetAuthMethodNegRole(IscsiAuthClient * client, int negRole)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->nodeType != iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->authMethodNegRole = (IscsiAuthNegRole) negRole;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Setting negRole affects authMethodValid.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientCheckChapAlgorithmList(unsigned int optionCount,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetChapAlgorithmList(IscsiAuthClient * client,
/*
 * iscsiAuthClientSetUsername: stores the local CHAP username.  After the
 * client guard, the string is passed to iscsiAuthClientCheckString with
 * iscsiAuthStringMaxLength, and then copied into client->username with
 * iscsiAuthClientStringCopy.
 * NOTE(review): the size argument of the copy is not visible in this
 * listing.  Confirm that it is the capacity of client->username.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetUsername(IscsiAuthClient * client, const char *username)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte iscsiAuthClientCheckString(username, iscsiAuthStringMaxLength, 0)) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (iscsiAuthClientStringCopy(client->username, username,
/*
 * iscsiAuthClientSetPassword: copies the CHAP secret, passwordLength bytes
 * of passwordData, into client->passwordData.  Per the comment below, the
 * valid-method list depends on whether a password is set.
 * NOTE(review): the copy length comes straight from the caller.  Confirm
 * that passwordLength is checked against the size of client->passwordData
 * before the bcopy; the check is not visible in this listing.
 * NOTE(review): the secret stays in the client structure afterwards.
 * Confirm that it is cleared when the client is torn down.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetPassword(IscsiAuthClient * client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte const unsigned char *passwordData, unsigned int passwordLength)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte bcopy(passwordData, client->passwordData, passwordLength);
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Setting password may affect authMethodValid.
/*
 * iscsiAuthClientSetAuthRemote: sets whether the remote side is to be
 * authenticated (the assignment itself is not visible in this listing).
 * Guarded by the NULL/signature check.  Per the comment below, the
 * valid-method list may change as a result.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetAuthRemote(IscsiAuthClient * client, int authRemote)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Setting authRemote may affect authMethodValid.
/*
 * iscsiAuthClientSetGlueHandle: takes an opaque glueHandle pointer for the
 * client.  Only the NULL/signature guard is visible in this listing.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetGlueHandle(IscsiAuthClient * client, void *glueHandle)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
/*
 * iscsiAuthClientSetMethodListName: after the client guard, copies
 * methodListName into client->methodListName with iscsiAuthClientStringCopy.
 * NOTE(review): the size argument of the copy is not visible in this
 * listing.  Confirm that it is the capacity of client->methodListName.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetMethodListName(IscsiAuthClient *client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (iscsiAuthClientStringCopy(client->methodListName, methodListName,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetVersion(IscsiAuthClient * client, int version)
/*
 * iscsiAuthClientSetIpSec: takes an int ipSec flag for the client.  Only the
 * NULL/signature guard is visible in this listing.
 * NOTE(review): the debug status "Local password too short with no IPSec"
 * elsewhere in this file suggests that the flag relaxes a password-length
 * requirement.  Confirm that it is set only when IPsec is actually in use.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetIpSec(IscsiAuthClient * client, int ipSec)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
/*
 * iscsiAuthClientSetBase64: takes an int base64 flag for the client.  Only
 * the NULL/signature guard is visible in this listing.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetBase64(IscsiAuthClient * client, int base64)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
/*
 * iscsiAuthClientSetChapChallengeLength: sets the length of the CHAP
 * challenge this side generates.  The visible condition tests the requested
 * length against a lower bound of iscsiAuthChapResponseLength and an upper
 * bound of iscsiAuthLargeBinaryMaxLength before the assignment.  The lower
 * bound keeps the challenge from being shorter than the response, and the
 * upper bound is presumably the capacity of the challenge buffer.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSetChapChallengeLength(IscsiAuthClient * client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte chapChallengeLength < iscsiAuthChapResponseLength ||
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte chapChallengeLength > iscsiAuthLargeBinaryMaxLength) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte client->chapChallengeLength = chapChallengeLength;
/*
 * iscsiAuthClientCheckPasswordNeeded: reports through passwordNeeded whether
 * a password still has to be supplied.  The visible initiator branch tests
 * the case where remote authentication is requested (authRemote) and no
 * password is present.  The target branch and the stores to *passwordNeeded
 * are not visible in this listing.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientCheckPasswordNeeded(IscsiAuthClient *client, int *passwordNeeded)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->authRemote && !client->passwordPresent) {
/*
 * iscsiAuthClientGetAuthPhase: getter taking the client and an int pointer.
 * Only the NULL/signature guard is visible in this listing.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientGetAuthPhase(IscsiAuthClient * client, int *value)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
/*
 * iscsiAuthClientGetAuthStatus: getter taking the client and an int pointer.
 * Only the NULL/signature guard is visible in this listing.
 * NOTE(review): callers decide login success from this result.  Confirm that
 * the failure path of the guard cannot be read as a pass.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientGetAuthStatus(IscsiAuthClient * client, int *value)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
/*
 * iscsiAuthClientGetAuthMethod: getter taking the client and an int pointer.
 * Only the NULL/signature guard is visible in this listing.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientGetAuthMethod(IscsiAuthClient * client, int *value)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
/*
 * iscsiAuthClientGetChapAlgorithm: getter taking the client and an int
 * pointer.  Only the NULL/signature guard is visible in this listing.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientGetChapAlgorithm(IscsiAuthClient * client, int *value)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
/*
 * iscsiAuthClientGetChapUsername: copies client->chapUsername into the
 * caller's buffer `value` with iscsiAuthClientStringCopy, bounded by the
 * caller's maxLength.  The result of the copy is tested.
 * NOTE(review): chapUsername presumably holds the name received from the
 * peer.  Callers should treat it as untrusted input when it is logged or
 * used for an account lookup.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientGetChapUsername(IscsiAuthClient * client,
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (iscsiAuthClientStringCopy(value, client->chapUsername, maxLength)) {
/*
 * iscsiAuthClientSendStatusCode: derives the status code to report through
 * statusCode from the client's debug status.  The result depends on node
 * type.  The groups named in the comments below are: authentication error
 * with peer, missing parameter with peer, could not authenticate with peer,
 * local password not set, other error with peer, error on this side, and bad
 * authStatus.
 *
 * From the order of the branch comments, an initiator appears to report
 * peer-caused failures as target errors and local failures as initiator
 * errors, with the mapping mirrored for a target.
 * NOTE(review): the many detailed debug statuses appear to be collapsed into
 * a few coarse categories here, which limits what a failed login tells the
 * peer.  Confirm against the full switch; the case labels and assignments
 * are mostly not visible in this listing.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientSendStatusCode(IscsiAuthClient * client, int *statusCode)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Authentication error with peer.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Target error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Initiator error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Missing parameter with peer.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Target error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Initiator error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Could not authenticate with peer.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Target error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Initiator error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Local password not set.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Initiator error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Target error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte case iscsiAuthDebugStatusRecvDuplicateSetKeyValue:
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Other error with peer.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Target error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Initiator error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte case iscsiAuthDebugStatusPasswordTooShortWithNoIpSec:
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte case iscsiAuthDebugStatusSendDuplicateSetKeyValue:
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Error on this side.
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Initiator error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Target error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * Bad authStatus
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (client->nodeType == iscsiAuthNodeTypeInitiator) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Initiator error
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte * iSCSI Target error
/*
 * iscsiAuthClientGetDebugStatus: getter taking the client and an int
 * pointer.  Only the NULL/signature guard is visible in this listing.
 * NOTE(review): the debug status is the detailed failure reason.  It is
 * presumably meant for local logging and not for sending to the peer.
 */
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn ForteiscsiAuthClientGetDebugStatus(IscsiAuthClient * client, int *value)
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte if (!client || client->signature != iscsiAuthClientSignature) {
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte const char *s;
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Debug status not set";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Authentication request passed";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Authentication not enabled";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Authentication request failed";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "AuthMethod bad";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP algorithm bad";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Decrypt password failed";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte case iscsiAuthDebugStatusPasswordTooShortWithNoIpSec:
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Local password too short with no IPSec";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Unexpected error from authentication server";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Authentication request status bad";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Authentication pass status not valid";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte case iscsiAuthDebugStatusSendDuplicateSetKeyValue:
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Same key set more than once on send";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Key value too long on send";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Too much data on send";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "AuthMethod key expected";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP algorithm key expected";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP identifier expected";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP challenge expected";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP response expected";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP username expected";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "AuthMethod key not present";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "AuthMethod negotiation failed";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "AuthMethod negotiated to none";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP algorithm negotiation failed";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP challange reflected";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Local password same as remote";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Local password not set";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP identifier bad";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP challenge bad";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "CHAP response bad";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Unexpected key present";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "T bit set on response, but not on previous message";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "T bit set on response, but authenticaton not complete";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Message count limit reached on receive";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte case iscsiAuthDebugStatusRecvDuplicateSetKeyValue:
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Same key set more than once on receive";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Key value too long on receive";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Too much data on receive";
fcf3ce441efd61da9bb2884968af01cb7c1452ccJohn Forte s = "Unknown error";