forked from Minki/linux
scsi: target: iscsi: Extract auth functions
Create functions that answers simple questions: Whether authentication is required, what credentials, whether connection is autenticated. Link: https://lore.kernel.org/r/20220523095905.26070-3-d.bogdanov@yadro.com Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com> Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Reviewed-by: Lee Duncan <lduncan@suse.com> Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
This commit is contained in:
parent
a11b80692b
commit
a75fcb0912
@ -94,6 +94,31 @@ int extract_param(
|
||||
return 0;
|
||||
}
|
||||
|
||||
static struct iscsi_node_auth *iscsi_get_node_auth(struct iscsit_conn *conn)
|
||||
{
|
||||
struct iscsi_portal_group *tpg;
|
||||
struct iscsi_node_acl *nacl;
|
||||
struct se_node_acl *se_nacl;
|
||||
|
||||
if (conn->sess->sess_ops->SessionType)
|
||||
return &iscsit_global->discovery_acl.node_auth;
|
||||
|
||||
se_nacl = conn->sess->se_sess->se_node_acl;
|
||||
if (!se_nacl) {
|
||||
pr_err("Unable to locate struct se_node_acl for CHAP auth\n");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (se_nacl->dynamic_node_acl) {
|
||||
tpg = to_iscsi_tpg(se_nacl->se_tpg);
|
||||
return &tpg->tpg_demo_auth;
|
||||
}
|
||||
|
||||
nacl = to_iscsi_nacl(se_nacl);
|
||||
|
||||
return &nacl->node_auth;
|
||||
}
|
||||
|
||||
static u32 iscsi_handle_authentication(
|
||||
struct iscsit_conn *conn,
|
||||
char *in_buf,
|
||||
@ -102,38 +127,11 @@ static u32 iscsi_handle_authentication(
|
||||
int *out_length,
|
||||
unsigned char *authtype)
|
||||
{
|
||||
struct iscsit_session *sess = conn->sess;
|
||||
struct iscsi_node_auth *auth;
|
||||
struct iscsi_node_acl *nacl;
|
||||
struct iscsi_portal_group *tpg;
|
||||
struct se_node_acl *se_nacl;
|
||||
|
||||
if (!sess->sess_ops->SessionType) {
|
||||
/*
|
||||
* For SessionType=Normal
|
||||
*/
|
||||
se_nacl = conn->sess->se_sess->se_node_acl;
|
||||
if (!se_nacl) {
|
||||
pr_err("Unable to locate struct se_node_acl for"
|
||||
" CHAP auth\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (se_nacl->dynamic_node_acl) {
|
||||
tpg = to_iscsi_tpg(se_nacl->se_tpg);
|
||||
|
||||
auth = &tpg->tpg_demo_auth;
|
||||
} else {
|
||||
nacl = to_iscsi_nacl(se_nacl);
|
||||
|
||||
auth = &nacl->node_auth;
|
||||
}
|
||||
} else {
|
||||
/*
|
||||
* For SessionType=Discovery
|
||||
*/
|
||||
auth = &iscsit_global->discovery_acl.node_auth;
|
||||
}
|
||||
auth = iscsi_get_node_auth(conn);
|
||||
if (!auth)
|
||||
return -1;
|
||||
|
||||
if (strstr("CHAP", authtype))
|
||||
strcpy(conn->sess->auth_type, "CHAP");
|
||||
@ -813,6 +811,37 @@ static int iscsi_target_do_authentication(
|
||||
return 0;
|
||||
}
|
||||
|
||||
static bool iscsi_conn_auth_required(struct iscsit_conn *conn)
|
||||
{
|
||||
struct se_node_acl *se_nacl;
|
||||
|
||||
if (conn->sess->sess_ops->SessionType) {
|
||||
/*
|
||||
* For SessionType=Discovery
|
||||
*/
|
||||
return conn->tpg->tpg_attrib.authentication;
|
||||
}
|
||||
/*
|
||||
* For SessionType=Normal
|
||||
*/
|
||||
se_nacl = conn->sess->se_sess->se_node_acl;
|
||||
if (!se_nacl) {
|
||||
pr_debug("Unknown ACL %s is trying to connect\n",
|
||||
se_nacl->initiatorname);
|
||||
return true;
|
||||
}
|
||||
|
||||
if (se_nacl->dynamic_node_acl) {
|
||||
pr_debug("Dynamic ACL %s is trying to connect\n",
|
||||
se_nacl->initiatorname);
|
||||
return conn->tpg->tpg_attrib.authentication;
|
||||
}
|
||||
|
||||
pr_debug("Known ACL %s is trying to connect\n",
|
||||
se_nacl->initiatorname);
|
||||
return conn->tpg->tpg_attrib.authentication;
|
||||
}
|
||||
|
||||
static int iscsi_target_handle_csg_zero(
|
||||
struct iscsit_conn *conn,
|
||||
struct iscsi_login *login)
|
||||
@ -874,23 +903,27 @@ static int iscsi_target_handle_csg_zero(
|
||||
return -1;
|
||||
|
||||
if (!iscsi_check_negotiated_keys(conn->param_list)) {
|
||||
if (conn->tpg->tpg_attrib.authentication &&
|
||||
!strncmp(param->value, NONE, 4)) {
|
||||
pr_err("Initiator sent AuthMethod=None but"
|
||||
" Target is enforcing iSCSI Authentication,"
|
||||
" login failed.\n");
|
||||
iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
|
||||
ISCSI_LOGIN_STATUS_AUTH_FAILED);
|
||||
return -1;
|
||||
bool auth_required = iscsi_conn_auth_required(conn);
|
||||
|
||||
if (auth_required) {
|
||||
if (!strncmp(param->value, NONE, 4)) {
|
||||
pr_err("Initiator sent AuthMethod=None but"
|
||||
" Target is enforcing iSCSI Authentication,"
|
||||
" login failed.\n");
|
||||
iscsit_tx_login_rsp(conn,
|
||||
ISCSI_STATUS_CLS_INITIATOR_ERR,
|
||||
ISCSI_LOGIN_STATUS_AUTH_FAILED);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!login->auth_complete)
|
||||
return 0;
|
||||
|
||||
if (strncmp(param->value, NONE, 4) &&
|
||||
!login->auth_complete)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (conn->tpg->tpg_attrib.authentication &&
|
||||
!login->auth_complete)
|
||||
return 0;
|
||||
|
||||
if (strncmp(param->value, NONE, 4) && !login->auth_complete)
|
||||
return 0;
|
||||
|
||||
if ((login_req->flags & ISCSI_FLAG_LOGIN_NEXT_STAGE1) &&
|
||||
(login_req->flags & ISCSI_FLAG_LOGIN_TRANSIT)) {
|
||||
login_rsp->flags |= ISCSI_FLAG_LOGIN_NEXT_STAGE1 |
|
||||
@ -904,6 +937,18 @@ do_auth:
|
||||
return iscsi_target_do_authentication(conn, login);
|
||||
}
|
||||
|
||||
static bool iscsi_conn_authenticated(struct iscsit_conn *conn,
|
||||
struct iscsi_login *login)
|
||||
{
|
||||
if (!iscsi_conn_auth_required(conn))
|
||||
return true;
|
||||
|
||||
if (login->auth_complete)
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static int iscsi_target_handle_csg_one(struct iscsit_conn *conn, struct iscsi_login *login)
|
||||
{
|
||||
int ret;
|
||||
@ -947,11 +992,10 @@ static int iscsi_target_handle_csg_one(struct iscsit_conn *conn, struct iscsi_lo
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!login->auth_complete &&
|
||||
conn->tpg->tpg_attrib.authentication) {
|
||||
if (!iscsi_conn_authenticated(conn, login)) {
|
||||
pr_err("Initiator is requesting CSG: 1, has not been"
|
||||
" successfully authenticated, and the Target is"
|
||||
" enforcing iSCSI Authentication, login failed.\n");
|
||||
" successfully authenticated, and the Target is"
|
||||
" enforcing iSCSI Authentication, login failed.\n");
|
||||
iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
|
||||
ISCSI_LOGIN_STATUS_AUTH_FAILED);
|
||||
return -1;
|
||||
|
Loading…
Reference in New Issue
Block a user