Untangle iSCSI authentication code by splitting off the CHAP

implementation.

Reviewed by:	mav@
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation

1 files changed, 27 insertions, 199 deletions

diff --git a/usr.sbin/ctld/login.c b/usr.sbin/ctld/login.c
index 209582b..d6fd1ff 100644
--- a/usr.sbin/ctld/login.c
+++ b/usr.sbin/ctld/login.c
@@ -39,9 +39,6 @@ __FBSDID("$FreeBSD$");
 #include <string.h>
 #include <unistd.h>
 #include <netinet/in.h>
-#include <openssl/err.h>
-#include <openssl/md5.h>
-#include <openssl/rand.h>
 
 #include "ctld.h"
 #include "iscsi_proto.h"
@@ -229,150 +226,6 @@ login_list_prefers(const char *list,
 	return (-1);
 }
 
-static int
-login_hex2int(const char hex)
-{
-	switch (hex) {
-	case '0':
-		return (0x00);
-	case '1':
-		return (0x01);
-	case '2':
-		return (0x02);
-	case '3':
-		return (0x03);
-	case '4':
-		return (0x04);
-	case '5':
-		return (0x05);
-	case '6':
-		return (0x06);
-	case '7':
-		return (0x07);
-	case '8':
-		return (0x08);
-	case '9':
-		return (0x09);
-	case 'a':
-	case 'A':
-		return (0x0a);
-	case 'b':
-	case 'B':
-		return (0x0b);
-	case 'c':
-	case 'C':
-		return (0x0c);
-	case 'd':
-	case 'D':
-		return (0x0d);
-	case 'e':
-	case 'E':
-		return (0x0e);
-	case 'f':
-	case 'F':
-		return (0x0f);
-	default:
-		return (-1);
-	}
-}
-
-/*
- * XXX: Review this _carefully_.
- */
-static int
-login_hex2bin(const char *hex, char **binp, size_t *bin_lenp)
-{
-	int i, hex_len, nibble;
-	bool lo = true; /* As opposed to 'hi'. */
-	char *bin;
-	size_t bin_off, bin_len;
-
-	if (strncasecmp(hex, "0x", strlen("0x")) != 0) {
-		log_warnx("malformed variable, should start with \"0x\"");
-		return (-1);
-	}
-
-	hex += strlen("0x");
-	hex_len = strlen(hex);
-	if (hex_len < 1) {
-		log_warnx("malformed variable; doesn't contain anything "
-		    "but \"0x\"");
-		return (-1);
-	}
-
-	bin_len = hex_len / 2 + hex_len % 2;
-	bin = calloc(bin_len, 1);
-	if (bin == NULL)
-		log_err(1, "calloc");
-
-	bin_off = bin_len - 1;
-	for (i = hex_len - 1; i >= 0; i--) {
-		nibble = login_hex2int(hex[i]);
-		if (nibble < 0) {
-			log_warnx("malformed variable, invalid char \"%c\"",
-			    hex[i]);
-			return (-1);
-		}
-
-		assert(bin_off < bin_len);
-		if (lo) {
-			bin[bin_off] = nibble;
-			lo = false;
-		} else {
-			bin[bin_off] |= nibble << 4;
-			bin_off--;
-			lo = true;
-		}
-	}
-
-	*binp = bin;
-	*bin_lenp = bin_len;
-	return (0);
-}
-
-static char *
-login_bin2hex(const char *bin, size_t bin_len)
-{
-	unsigned char *hex, *tmp, ch;
-	size_t hex_len;
-	size_t i;
-
-	hex_len = bin_len * 2 + 3; /* +2 for "0x", +1 for '\0'. */
-	hex = malloc(hex_len);
-	if (hex == NULL)
-		log_err(1, "malloc");
-
-	tmp = hex;
-	tmp += sprintf(tmp, "0x");
-	for (i = 0; i < bin_len; i++) {
-		ch = bin[i];
-		tmp += sprintf(tmp, "%02x", ch);
-	}
-
-	return (hex);
-}
-
-static void
-login_compute_md5(const char id, const char *secret,
-    const void *challenge, size_t challenge_len, void *response,
-    size_t response_len)
-{
-	MD5_CTX ctx;
-	int rv;
-
-	assert(response_len == MD5_DIGEST_LENGTH);
-
-	MD5_Init(&ctx);
-	MD5_Update(&ctx, &id, sizeof(id));
-	MD5_Update(&ctx, secret, strlen(secret));
-	MD5_Update(&ctx, challenge, challenge_len);
-	rv = MD5_Final(response, &ctx);
-	if (rv != 1)
-		log_errx(1, "MD5_Final");
-}
-
-#define	LOGIN_CHALLENGE_LEN	1024
-
 static struct pdu *
 login_receive_chap_a(struct connection *conn)
 {
@@ -400,21 +253,21 @@ login_receive_chap_a(struct connection *conn)
 }
 
 static void
-login_send_chap_c(struct pdu *request, const unsigned char id,
-    const void *challenge, const size_t challenge_len)
+login_send_chap_c(struct pdu *request, struct chap *chap)
 {
 	struct pdu *response;
 	struct keys *response_keys;
-	char *chap_c, chap_i[4];
+	char *chap_c, *chap_i;
 
-	chap_c = login_bin2hex(challenge, challenge_len);
-	snprintf(chap_i, sizeof(chap_i), "%d", id);
+	chap_c = chap_get_challenge(chap);
+	chap_i = chap_get_id(chap);
 
 	response = login_new_response(request);
 	response_keys = keys_new();
 	keys_add(response_keys, "CHAP_A", "5");
 	keys_add(response_keys, "CHAP_I", chap_i);
 	keys_add(response_keys, "CHAP_C", chap_c);
+	free(chap_i);
 	free(chap_c);
 	keys_save(response_keys, response);
 	pdu_send(response);
@@ -423,15 +276,12 @@ login_send_chap_c(struct pdu *request, const unsigned char id,
 }
 
 static struct pdu *
-login_receive_chap_r(struct connection *conn,
-    struct auth_group *ag, const unsigned char id, const void *challenge,
-    const size_t challenge_len, const struct auth **cap)
+login_receive_chap_r(struct connection *conn, struct auth_group *ag,
+    struct chap *chap, const struct auth **authp)
 {
 	struct pdu *request;
 	struct keys *request_keys;
 	const char *chap_n, *chap_r;
-	char *response_bin, expected_response_bin[MD5_DIGEST_LENGTH];
-	size_t response_bin_len;
 	const struct auth *auth;
 	int error;
 
@@ -449,7 +299,7 @@ login_receive_chap_r(struct connection *conn,
 		login_send_error(request, 0x02, 0x07);
 		log_errx(1, "received CHAP Login PDU without CHAP_R");
 	}
-	error = login_hex2bin(chap_r, &response_bin, &response_bin_len);
+	error = chap_receive(chap, chap_r);
 	if (error != 0) {
 		login_send_error(request, 0x02, 0x07);
 		log_errx(1, "received CHAP Login PDU with malformed CHAP_R");
@@ -469,21 +319,17 @@ login_receive_chap_r(struct connection *conn,
 
 	assert(auth->a_secret != NULL);
 	assert(strlen(auth->a_secret) > 0);
-	login_compute_md5(id, auth->a_secret, challenge,
-	    challenge_len, expected_response_bin,
-	    sizeof(expected_response_bin));
 
-	if (memcmp(response_bin, expected_response_bin,
-	    sizeof(expected_response_bin)) != 0) {
+	error = chap_authenticate(chap, auth->a_secret);
+	if (error != 0) {
 		login_send_error(request, 0x02, 0x01);
 		log_errx(1, "CHAP authentication failed for user \"%s\"",
 		    auth->a_user);
 	}
 
 	keys_delete(request_keys);
-	free(response_bin);
 
-	*cap = auth;
+	*authp = auth;
 	return (request);
 }
 
@@ -494,10 +340,9 @@ login_send_chap_success(struct pdu *request,
 	struct pdu *response;
 	struct keys *request_keys, *response_keys;
 	struct iscsi_bhs_login_response *bhslr2;
+	struct rchap *rchap;
 	const char *chap_i, *chap_c;
-	char *chap_r, *challenge, response_bin[MD5_DIGEST_LENGTH];
-	size_t challenge_len;
-	unsigned char id;
+	char *chap_r;
 	int error;
 
 	response = login_new_response(request);
@@ -530,21 +375,18 @@ login_send_chap_success(struct pdu *request,
 			    "is not set", auth->a_user);
 		}
 
-		id = strtoul(chap_i, NULL, 10);
-		error = login_hex2bin(chap_c, &challenge, &challenge_len);
+		log_debugx("performing mutual authentication as user \"%s\"",
+		    auth->a_mutual_user);
+
+		rchap = rchap_new(auth->a_mutual_secret);
+		error = rchap_receive(rchap, chap_i, chap_c);
 		if (error != 0) {
 			login_send_error(request, 0x02, 0x07);
 			log_errx(1, "received CHAP Login PDU with malformed "
-			    "CHAP_C");
+			    "CHAP_I or CHAP_C");
 		}
-
-		log_debugx("performing mutual authentication as user \"%s\"",
-		    auth->a_mutual_user);
-		login_compute_md5(id, auth->a_mutual_secret, challenge,
-		    challenge_len, response_bin, sizeof(response_bin));
-
-		chap_r = login_bin2hex(response_bin,
-		    sizeof(response_bin));
+		chap_r = rchap_get_response(rchap);
+		rchap_delete(rchap);
 		response_keys = keys_new();
 		keys_add(response_keys, "CHAP_N", auth->a_mutual_user);
 		keys_add(response_keys, "CHAP_R", chap_r);
@@ -564,10 +406,8 @@ static void
 login_chap(struct connection *conn, struct auth_group *ag)
 {
 	const struct auth *auth;
+	struct chap *chap;
 	struct pdu *request;
-	char challenge_bin[LOGIN_CHALLENGE_LEN];
-	unsigned char id;
-	int rv;
 
 	/*
 	 * Receive CHAP_A PDU.
@@ -578,34 +418,21 @@ login_chap(struct connection *conn, struct auth_group *ag)
 	/*
 	 * Generate the challenge.
 	 */
-	rv = RAND_bytes(challenge_bin, sizeof(challenge_bin));
-	if (rv != 1) {
-		login_send_error(request, 0x03, 0x02);
-		log_errx(1, "RAND_bytes failed: %s",
-		    ERR_error_string(ERR_get_error(), NULL));
-	}
-	rv = RAND_bytes(&id, sizeof(id));
-	if (rv != 1) {
-		login_send_error(request, 0x03, 0x02);
-		log_errx(1, "RAND_bytes failed: %s",
-		    ERR_error_string(ERR_get_error(), NULL));
-	}
+	chap = chap_new();
 
 	/*
 	 * Send the challenge.
 	 */
 	log_debugx("sending CHAP_C, binary challenge size is %zd bytes",
-	    sizeof(challenge_bin));
-	login_send_chap_c(request, id, challenge_bin,
-	    sizeof(challenge_bin));
+	    sizeof(chap->chap_challenge));
+	login_send_chap_c(request, chap);
 	pdu_delete(request);
 
 	/*
 	 * Receive CHAP_N/CHAP_R PDU and authenticate.
 	 */
 	log_debugx("waiting for CHAP_N/CHAP_R");
-	request = login_receive_chap_r(conn, ag, id, challenge_bin,
-	    sizeof(challenge_bin), &auth);
+	request = login_receive_chap_r(conn, ag, chap, &auth);
 
 	/*
 	 * Yay, authentication succeeded!
@@ -614,6 +441,7 @@ login_chap(struct connection *conn, struct auth_group *ag)
 	    "transitioning to Negotiation Phase", auth->a_user);
 	login_send_chap_success(request, auth);
 	pdu_delete(request);
+	chap_delete(chap);
 }
 
 static void