/*
* iSCSI Authorization Library
*
* maintained by open-iscsi@@googlegroups.com
*
* Originally based on:
* Copyright (C) 2001 Cisco Systems, Inc.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published
* by the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* See the file COPYING included with this distribution for more details.
*/
#ifndef AUTH_CLIENT_H
#define AUTH_CLIENT_H
struct iscsi_session;
enum {
AUTH_STR_MAX_LEN = 256,
AUTH_STR_BLOCK_MAX_LEN = 1024,
AUTH_LARGE_BINARY_MAX_LEN = 1024,
AUTH_RECV_END_MAX_COUNT = 10,
ACL_SIGNATURE = 0x5984B2E3,
AUTH_CHAP_MD5_RSP_LEN = 16,
AUTH_CHAP_SHA1_RSP_LEN = 20,
AUTH_CHAP_SHA256_RSP_LEN = 32,
AUTH_CHAP_SHA3_256_RSP_LEN = 32,
AUTH_CHAP_RSP_MAX = 32,
};
/*
* Note: The ordering of these values are chosen to match
* the ordering of the keys as shown in the iSCSI spec.
* The order of table key_names in acl_get_key_name()
* must match the order defined by enum auth_key_type.
*/
enum auth_key_type {
AUTH_KEY_TYPE_NONE = -1,
AUTH_KEY_TYPE_FIRST = 0,
AUTH_KEY_TYPE_AUTH_METHOD = AUTH_KEY_TYPE_FIRST,
AUTH_KEY_TYPE_CHAP_ALG,
AUTH_KEY_TYPE_CHAP_USERNAME,
AUTH_KEY_TYPE_CHAP_RSP,
AUTH_KEY_TYPE_CHAP_IDENTIFIER,
AUTH_KEY_TYPE_CHAP_CHALLENGE,
AUTH_KEY_TYPE_MAX_COUNT,
AUTH_KEY_TYPE_LAST = AUTH_KEY_TYPE_MAX_COUNT - 1
};
enum {
/* Common options for all keys. */
AUTH_OPTION_REJECT = -2,
AUTH_OPTION_NOT_PRESENT = -1,
AUTH_OPTION_NONE = 1,
AUTH_METHOD_CHAP = 2,
AUTH_METHOD_MAX_COUNT = 2,
AUTH_CHAP_ALG_MD5 = 5,
AUTH_CHAP_ALG_SHA1 = 6,
AUTH_CHAP_ALG_SHA256 = 7,
AUTH_CHAP_ALG_SHA3_256 = 8,
AUTH_CHAP_ALG_MAX_COUNT = 5
};
enum auth_neg_role {
AUTH_NEG_ROLE_ORIGINATOR = 1,
AUTH_NEG_ROLE_RESPONDER = 2
};
enum auth_status {
AUTH_STATUS_NO_ERROR = 0,
AUTH_STATUS_ERROR,
AUTH_STATUS_PASS,
AUTH_STATUS_FAIL,
AUTH_STATUS_CONTINUE,
};
/*
* Note: The order of table dbg_text in acl_dbg_status_to_text()
* must match the ordered defined by enum auth_dbg_status.
*/
enum auth_dbg_status {
AUTH_DBG_STATUS_NOT_SET = 0,
AUTH_DBG_STATUS_AUTH_PASS,
AUTH_DBG_STATUS_AUTH_RMT_FALSE,
AUTH_DBG_STATUS_AUTH_FAIL,
AUTH_DBG_STATUS_AUTH_METHOD_BAD,
AUTH_DBG_STATUS_CHAP_ALG_BAD,
AUTH_DBG_STATUS_PASSWD_DECRYPT_FAILED,
AUTH_DBG_STATUS_PASSWD_TOO_SHORT_WITH_NO_IPSEC,
AUTH_DBG_STATUS_AUTH_SERVER_ERROR,
AUTH_DBG_STATUS_AUTH_STATUS_BAD,
AUTH_DBG_STATUS_AUTHPASS_NOT_VALID,
AUTH_DBG_STATUS_SEND_DUP_SET_KEY_VALUE,
AUTH_DBG_STATUS_SEND_STR_TOO_LONG,
AUTH_DBG_STATUS_SEND_TOO_MUCH_DATA,
AUTH_DBG_STATUS_AUTH_METHOD_EXPECTED,
AUTH_DBG_STATUS_CHAP_ALG_EXPECTED,
AUTH_DBG_STATUS_CHAP_IDENTIFIER_EXPECTED,
AUTH_DBG_STATUS_CHAP_CHALLENGE_EXPECTED,
AUTH_DBG_STATUS_CHAP_RSP_EXPECTED,
AUTH_DBG_STATUS_CHAP_USERNAME_EXPECTED,
AUTH_DBG_STATUS_AUTH_METHOD_NOT_PRESENT,
AUTH_DBG_STATUS_AUTH_METHOD_REJECT,
AUTH_DBG_STATUS_AUTH_METHOD_NONE,
AUTH_DBG_STATUS_CHAP_ALG_REJECT,
AUTH_DBG_STATUS_CHAP_CHALLENGE_REFLECTED,
AUTH_DBG_STATUS_PASSWD_IDENTICAL,
AUTH_DBG_STATUS_LOCAL_PASSWD_NOT_SET,
AUTH_DBG_STATUS_CHAP_IDENTIFIER_BAD,
AUTH_DBG_STATUS_CHALLENGE_BAD,
AUTH_DBG_STATUS_CHAP_RSP_BAD,
AUTH_DBG_STATUS_UNEXPECTED_KEY_PRESENT,
AUTH_DBG_STATUS_T_BIT_SET_ILLEGAL,
AUTH_DBG_STATUS_T_BIT_SET_PREMATURE,
AUTH_DBG_STATUS_RECV_MSG_COUNT_LIMIT,
AUTH_DBG_STATUS_RECV_DUP_SET_KEY_VALUE,
AUTH_DBG_STATUS_RECV_STR_TOO_LONG,
AUTH_DBG_STATUS_RECV_TOO_MUCH_DATA,
AUTH_DBG_STATUS_MAX_COUNT
};
enum auth_node_type {
TYPE_INITIATOR = 1,
TYPE_TARGET = 2
};
enum auth_phase {
AUTH_PHASE_CONFIGURE = 1,
AUTH_PHASE_NEGOTIATE,
AUTH_PHASE_AUTHENTICATE,
AUTH_PHASE_DONE,
AUTH_PHASE_ERROR
};
enum auth_local_state {
AUTH_LOCAL_STATE_SEND_ALG = 1,
AUTH_LOCAL_STATE_RECV_ALG,
AUTH_LOCAL_STATE_RECV_CHALLENGE,
AUTH_LOCAL_STATE_DONE,
AUTH_LOCAL_STATE_ERROR
};
enum auth_rmt_state {
AUTH_RMT_STATE_SEND_ALG = 1,
AUTH_RMT_STATE_SEND_CHALLENGE,
AUTH_RMT_STATE_RECV_RSP,
AUTH_RMT_STATE_DONE,
AUTH_RMT_STATE_ERROR
};
struct auth_buffer_desc {
unsigned int length;
void *address;
};
struct auth_key {
unsigned int present:1;
unsigned int processed:1;
unsigned int value_set:1;
char *string;
};
struct auth_large_binary_key {
unsigned int length;
unsigned char *large_binary;
};
struct auth_key_block {
unsigned int transit_bit:1;
unsigned int dup_set:1;
unsigned int str_too_long:1;
unsigned int too_much_data:1;
unsigned int blk_length:16;
char *str_block;
struct auth_key key[AUTH_KEY_TYPE_MAX_COUNT];
};
struct auth_str_block {
char str_block[AUTH_STR_BLOCK_MAX_LEN];
};
struct auth_large_binary {
unsigned char large_binary[AUTH_LARGE_BINARY_MAX_LEN];
};
struct iscsi_acl {
unsigned long signature;
enum auth_node_type node_type;
unsigned int auth_method_count;
int auth_method_list[AUTH_METHOD_MAX_COUNT];
enum auth_neg_role auth_method_neg_role;
unsigned int chap_alg_count;
int chap_alg_list[AUTH_CHAP_ALG_MAX_COUNT];
int auth_rmt;
char username[AUTH_STR_MAX_LEN];
int passwd_present;
unsigned int passwd_length;
unsigned char passwd_data[AUTH_STR_MAX_LEN];
unsigned int chap_challenge_len;
int ip_sec;
unsigned int auth_method_valid_count;
int auth_method_valid_list[AUTH_METHOD_MAX_COUNT];
int auth_method_valid_neg_role;
int recv_in_progress_flag;
int recv_end_count;
struct iscsi_session *session_handle; /*
* session_handle can only be
* used by acl_chap_auth_request
*/
enum auth_phase phase;
enum auth_local_state local_state;
enum auth_rmt_state rmt_state;
enum auth_status rmt_auth_status;
enum auth_dbg_status dbg_status;
int negotiated_auth_method;
int negotiated_chap_alg;
int auth_rsp_flag;
int auth_server_error_flag;
int transit_bit_sent_flag;
unsigned int send_chap_identifier;
struct auth_large_binary_key send_chap_challenge;
char chap_username[AUTH_STR_MAX_LEN];
int recv_chap_challenge_status;
struct auth_large_binary_key recv_chap_challenge;
char scratch_key_value[AUTH_STR_MAX_LEN];
struct auth_key_block recv_key_block;
struct auth_key_block send_key_block;
};
extern int acl_init(int node_type, int buf_desc_count,
struct auth_buffer_desc *buff_desc);
extern int acl_finish(struct iscsi_acl *client);
extern int acl_recv_begin(struct iscsi_acl *client);
extern int acl_recv_end(struct iscsi_acl *client,
struct iscsi_session *session_handle);
extern const char *acl_get_key_name(int key_type);
extern int acl_get_next_key_type(int *key_type);
extern int acl_recv_key_value(struct iscsi_acl *client, int key_type,
const char *user_key_val);
extern int acl_send_key_val(struct iscsi_acl *client, int key_type,
int *key_present, char *user_key_val,
unsigned int max_length);
extern int acl_recv_transit_bit(struct iscsi_acl *client, int value);
extern int acl_send_transit_bit(struct iscsi_acl *client, int *value);
extern int acl_set_user_name(struct iscsi_acl *client, const char *username);
extern int acl_set_passwd(struct iscsi_acl *client,
const unsigned char *pw_data, unsigned int pw_len);
extern int acl_set_auth_rmt(struct iscsi_acl *client, int auth_rmt);
extern int acl_set_ip_sec(struct iscsi_acl *client, int ip_sec);
extern int acl_get_dbg_status(struct iscsi_acl *client, int *value);
extern const char *acl_dbg_status_to_text(int dbg_status);
extern enum auth_dbg_status acl_chap_compute_rsp(struct iscsi_acl *client,
int rmt_auth,
unsigned int id,
unsigned char *challenge_data,
unsigned int challenge_len,
unsigned char *response_data);
extern int acl_chap_auth_request(struct iscsi_acl *client, char *username,
unsigned int id,
unsigned char *challenge_data,
unsigned int challenge_length,
unsigned char *response_data,
unsigned int rsp_length);
extern int acl_data(unsigned char *out_data, unsigned int *out_length,
unsigned char *in_data, unsigned int in_length);
#endif /* #ifndef ISCSIAUTHCLIENT_H */