From 7b6c2b2a26d0ae0a1d0beb8a9ac81cd934646c99 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek Date: Tue, 29 Jun 2021 18:33:34 +0200 Subject: NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest sizes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit IScsiDxe uses the ISCSI_CHAP_RSP_LEN macro for expressing the size of the digest (16) that it solely supports at this point (MD5). ISCSI_CHAP_RSP_LEN is used for both (a) *allocating* digest-related buffers (binary buffers and hex encodings alike), and (b) *processing* binary digest buffers (comparing them, filling them, reading them). In preparation for adding other hash algorithms, split purpose (a) from purpose (b). For purpose (a) -- buffer allocation --, introduce ISCSI_CHAP_MAX_DIGEST_SIZE. For purpose (b) -- processing --, rely on MD5_DIGEST_SIZE from . Distinguishing these purposes is justified because purpose (b) -- processing -- must depend on the hashing algorithm negotiated between initiator and target, while for purpose (a) -- allocation --, using the maximum supported digest size is suitable. For now, because only MD5 is supported, introduce ISCSI_CHAP_MAX_DIGEST_SIZE *as* MD5_DIGEST_SIZE. Note that the argument for using the digest size as the size of the outgoing challenge (in case mutual authentication is desired by the initiator) remains in place. Because of this, the above two purposes are distinguished for the "ISCSI_CHAP_AUTH_DATA.OutChallenge" field as well. This patch is functionally a no-op, just yet. Cc: Jiaxin Wu Cc: Maciej Rabeda Cc: Philippe Mathieu-Daudé Cc: Siyuan Fu Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355 Signed-off-by: Laszlo Ersek Reviewed-by: Philippe Mathieu-Daudé Reviewed-by: Maciej Rabeda Message-Id: <20210629163337.14120-4-lersek@redhat.com> --- NetworkPkg/IScsiDxe/IScsiCHAP.c | 22 +++++++++++----------- NetworkPkg/IScsiDxe/IScsiCHAP.h | 17 +++++++++++------ 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c index bb84f4359d..744824e63d 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c @@ -112,7 +112,7 @@ IScsiCHAPAuthTarget ( { EFI_STATUS Status; UINT32 SecretSize; - UINT8 VerifyRsp[ISCSI_CHAP_RSP_LEN]; + UINT8 VerifyRsp[ISCSI_CHAP_MAX_DIGEST_SIZE]; Status = EFI_SUCCESS; @@ -122,11 +122,11 @@ IScsiCHAPAuthTarget ( AuthData->AuthConfig->ReverseCHAPSecret, SecretSize, AuthData->OutChallenge, - ISCSI_CHAP_RSP_LEN, // ChallengeLength + MD5_DIGEST_SIZE, // ChallengeLength VerifyRsp ); - if (CompareMem (VerifyRsp, TargetResponse, ISCSI_CHAP_RSP_LEN) != 0) { + if (CompareMem (VerifyRsp, TargetResponse, MD5_DIGEST_SIZE) != 0) { Status = EFI_SECURITY_VIOLATION; } @@ -163,7 +163,7 @@ IScsiCHAPOnRspReceived ( CHAR8 *Challenge; CHAR8 *Name; CHAR8 *Response; - UINT8 TargetRsp[ISCSI_CHAP_RSP_LEN]; + UINT8 TargetRsp[ISCSI_CHAP_MAX_DIGEST_SIZE]; UINT32 RspLen; UINTN Result; @@ -340,9 +340,9 @@ IScsiCHAPOnRspReceived ( goto ON_EXIT; } - RspLen = ISCSI_CHAP_RSP_LEN; + RspLen = MD5_DIGEST_SIZE; Status = IScsiHexToBin (TargetRsp, &RspLen, Response); - if (EFI_ERROR (Status) || RspLen != ISCSI_CHAP_RSP_LEN) { + if (EFI_ERROR (Status) || RspLen != MD5_DIGEST_SIZE) { Status = EFI_PROTOCOL_ERROR; goto ON_EXIT; } @@ -411,13 +411,13 @@ IScsiCHAPToSendReq ( } Status = EFI_SUCCESS; - RspLen = 2 * ISCSI_CHAP_RSP_LEN + 3; + RspLen = 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3; Response = AllocateZeroPool (RspLen); if (Response == NULL) { return EFI_OUT_OF_RESOURCES; } - ChallengeLen = 2 * ISCSI_CHAP_RSP_LEN + 3; + ChallengeLen = 2 * ISCSI_CHAP_MAX_DIGEST_SIZE + 3; Challenge = AllocateZeroPool (ChallengeLen); if (Challenge == NULL) { FreePool (Response); @@ -482,7 +482,7 @@ IScsiCHAPToSendReq ( // BinToHexStatus = IScsiBinToHex ( (UINT8 *) AuthData->CHAPResponse, - ISCSI_CHAP_RSP_LEN, + MD5_DIGEST_SIZE, Response, &RspLen ); @@ -499,10 +499,10 @@ IScsiCHAPToSendReq ( // // CHAP_C= // - IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, ISCSI_CHAP_RSP_LEN); + IScsiGenRandom ((UINT8 *) AuthData->OutChallenge, MD5_DIGEST_SIZE); BinToHexStatus = IScsiBinToHex ( (UINT8 *) AuthData->OutChallenge, - ISCSI_CHAP_RSP_LEN, + MD5_DIGEST_SIZE, Challenge, &ChallengeLen ); diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h index d6a90fc27f..b8811b7580 100644 --- a/NetworkPkg/IScsiDxe/IScsiCHAP.h +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h @@ -17,12 +17,17 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #define ISCSI_KEY_CHAP_NAME "CHAP_N" #define ISCSI_KEY_CHAP_RESPONSE "CHAP_R" +// +// Identifiers of supported CHAP hash algorithms: +// https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9 +// #define ISCSI_CHAP_ALGORITHM_MD5 5 -/// -/// MD5_HASHSIZE -/// -#define ISCSI_CHAP_RSP_LEN 16 +// +// Byte count of the largest digest over the above-listed +// ISCSI_CHAP_ALGORITHM_* hash algorithms. +// +#define ISCSI_CHAP_MAX_DIGEST_SIZE MD5_DIGEST_SIZE #define ISCSI_CHAP_STEP_ONE 1 #define ISCSI_CHAP_STEP_TWO 2 @@ -53,7 +58,7 @@ typedef struct _ISCSI_CHAP_AUTH_DATA { // // Calculated CHAP Response (CHAP_R) value. // - UINT8 CHAPResponse[ISCSI_CHAP_RSP_LEN]; + UINT8 CHAPResponse[ISCSI_CHAP_MAX_DIGEST_SIZE]; // // Auth-data to be sent out for mutual authentication. @@ -64,7 +69,7 @@ typedef struct _ISCSI_CHAP_AUTH_DATA { // bytes* to the hashing algorithm as the hashing algorithm will output. // UINT32 OutIdentifier; - UINT8 OutChallenge[ISCSI_CHAP_RSP_LEN]; + UINT8 OutChallenge[ISCSI_CHAP_MAX_DIGEST_SIZE]; } ISCSI_CHAP_AUTH_DATA; /** -- cgit v1.2.3