aboutsummaryrefslogtreecommitdiffstats
path: root/gpxe/src/net
diff options
context:
space:
mode:
Diffstat (limited to 'gpxe/src/net')
-rw-r--r--gpxe/src/net/tcp/iscsi.c23
-rw-r--r--gpxe/src/net/tls.c64
2 files changed, 35 insertions, 52 deletions
diff --git a/gpxe/src/net/tcp/iscsi.c b/gpxe/src/net/tcp/iscsi.c
index aa99db71..45519e66 100644
--- a/gpxe/src/net/tcp/iscsi.c
+++ b/gpxe/src/net/tcp/iscsi.c
@@ -125,6 +125,8 @@ static int iscsi_open_connection ( struct iscsi_session *iscsi ) {
/* Enter security negotiation phase */
iscsi->status = ( ISCSI_STATUS_SECURITY_NEGOTIATION_PHASE |
ISCSI_STATUS_STRINGS_SECURITY );
+ if ( iscsi->target_username )
+ iscsi->status |= ISCSI_STATUS_AUTH_REVERSE_REQUIRED;
/* Assign fresh initiator task tag */
iscsi->itt++;
@@ -152,9 +154,6 @@ static void iscsi_close_connection ( struct iscsi_session *iscsi, int rc ) {
/* Clear connection status */
iscsi->status = 0;
- /* Deauthenticate target */
- iscsi->target_auth_ok = 0;
-
/* Reset TX and RX state machines */
iscsi->tx_state = ISCSI_TX_IDLE;
iscsi->rx_state = ISCSI_RX_BHS;
@@ -634,15 +633,12 @@ static int iscsi_handle_targetaddress_value ( struct iscsi_session *iscsi,
static int iscsi_handle_authmethod_value ( struct iscsi_session *iscsi,
const char *value ) {
- /* Mark target as authenticated if no authentication required */
- if ( ! iscsi->target_username )
- iscsi->target_auth_ok = 1;
-
/* If server requests CHAP, send the CHAP_A string */
if ( strcmp ( value, "CHAP" ) == 0 ) {
DBGC ( iscsi, "iSCSI %p initiating CHAP authentication\n",
iscsi );
- iscsi->status |= ISCSI_STATUS_STRINGS_CHAP_ALGORITHM;
+ iscsi->status |= ( ISCSI_STATUS_STRINGS_CHAP_ALGORITHM |
+ ISCSI_STATUS_AUTH_FORWARD_REQUIRED );
}
return 0;
@@ -858,7 +854,7 @@ static int iscsi_handle_chap_r_value ( struct iscsi_session *iscsi,
assert ( i == iscsi->chap.response_len );
/* Mark session as authenticated */
- iscsi->target_auth_ok = 1;
+ iscsi->status |= ISCSI_STATUS_AUTH_REVERSE_OK;
return 0;
}
@@ -1064,14 +1060,16 @@ static int iscsi_rx_login_response ( struct iscsi_session *iscsi,
/* Handle login transitions */
if ( response->flags & ISCSI_LOGIN_FLAG_TRANSITION ) {
+ iscsi->status &= ~( ISCSI_STATUS_PHASE_MASK |
+ ISCSI_STATUS_STRINGS_MASK );
switch ( response->flags & ISCSI_LOGIN_NSG_MASK ) {
case ISCSI_LOGIN_NSG_OPERATIONAL_NEGOTIATION:
- iscsi->status =
+ iscsi->status |=
( ISCSI_STATUS_OPERATIONAL_NEGOTIATION_PHASE |
ISCSI_STATUS_STRINGS_OPERATIONAL );
break;
case ISCSI_LOGIN_NSG_FULL_FEATURE_PHASE:
- iscsi->status = ISCSI_STATUS_FULL_FEATURE_PHASE;
+ iscsi->status |= ISCSI_STATUS_FULL_FEATURE_PHASE;
break;
default:
DBGC ( iscsi, "iSCSI %p got invalid response flags "
@@ -1090,7 +1088,8 @@ static int iscsi_rx_login_response ( struct iscsi_session *iscsi,
}
/* Check that target authentication was successful (if required) */
- if ( ! iscsi->target_auth_ok ) {
+ if ( ( iscsi->status & ISCSI_STATUS_AUTH_REVERSE_REQUIRED ) &&
+ ! ( iscsi->status & ISCSI_STATUS_AUTH_REVERSE_OK ) ) {
DBGC ( iscsi, "iSCSI %p nefarious target tried to bypass "
"authentication\n", iscsi );
return -EPROTO;
diff --git a/gpxe/src/net/tls.c b/gpxe/src/net/tls.c
index f5bff7a4..73f9ad06 100644
--- a/gpxe/src/net/tls.c
+++ b/gpxe/src/net/tls.c
@@ -136,7 +136,7 @@ static void tls_generate_random ( void *data, size_t len ) {
* @v digest_ctx Digest context
* @v args ( data, len ) pairs of data, terminated by NULL
*/
-static void tls_hmac_update_va ( struct crypto_algorithm *digest,
+static void tls_hmac_update_va ( struct digest_algorithm *digest,
void *digest_ctx, va_list args ) {
void *data;
size_t len;
@@ -159,7 +159,7 @@ static void tls_hmac_update_va ( struct crypto_algorithm *digest,
* @v seeds ( data, len ) pairs of seed data, terminated by NULL
*/
static void tls_p_hash_va ( struct tls_session *tls,
- struct crypto_algorithm *digest,
+ struct digest_algorithm *digest,
void *secret, size_t secret_len,
void *out, size_t out_len,
va_list seeds ) {
@@ -372,10 +372,6 @@ static int tls_generate_keys ( struct tls_session *tls ) {
tls, strerror ( rc ) );
return rc;
}
-
- /* FIXME: AES needs to be fixed to not require this */
- AES_convert_key ( rx_cipherspec->cipher_ctx );
-
DBGC ( tls, "TLS %p RX key:\n", tls );
DBGC_HD ( tls, key, key_size );
key += key_size;
@@ -413,9 +409,9 @@ static void tls_clear_cipher ( struct tls_session *tls __unused,
struct tls_cipherspec *cipherspec ) {
free ( cipherspec->dynamic );
memset ( cipherspec, 0, sizeof ( cipherspec ) );
- cipherspec->pubkey = &crypto_null;
- cipherspec->cipher = &crypto_null;
- cipherspec->digest = &crypto_null;
+ cipherspec->pubkey = &pubkey_null;
+ cipherspec->cipher = &cipher_null;
+ cipherspec->digest = &digest_null;
}
/**
@@ -431,9 +427,9 @@ static void tls_clear_cipher ( struct tls_session *tls __unused,
*/
static int tls_set_cipher ( struct tls_session *tls,
struct tls_cipherspec *cipherspec,
- struct crypto_algorithm *pubkey,
- struct crypto_algorithm *cipher,
- struct crypto_algorithm *digest,
+ struct pubkey_algorithm *pubkey,
+ struct cipher_algorithm *cipher,
+ struct digest_algorithm *digest,
size_t key_len ) {
size_t total;
void *dynamic;
@@ -477,21 +473,21 @@ static int tls_set_cipher ( struct tls_session *tls,
*/
static int tls_select_cipher ( struct tls_session *tls,
unsigned int cipher_suite ) {
- struct crypto_algorithm *pubkey = &crypto_null;
- struct crypto_algorithm *cipher = &crypto_null;
- struct crypto_algorithm *digest = &crypto_null;
+ struct pubkey_algorithm *pubkey = &pubkey_null;
+ struct cipher_algorithm *cipher = &cipher_null;
+ struct digest_algorithm *digest = &digest_null;
unsigned int key_len = 0;
int rc;
switch ( cipher_suite ) {
case htons ( TLS_RSA_WITH_AES_128_CBC_SHA ):
key_len = ( 128 / 8 );
- cipher = &aes_algorithm;
+ cipher = &aes_cbc_algorithm;
digest = &sha1_algorithm;
break;
case htons ( TLS_RSA_WITH_AES_256_CBC_SHA ):
key_len = ( 256 / 8 );
- cipher = &aes_algorithm;
+ cipher = &aes_cbc_algorithm;
digest = &sha1_algorithm;
break;
default:
@@ -528,9 +524,9 @@ static int tls_change_cipher ( struct tls_session *tls,
/* Sanity check */
if ( /* FIXME (when pubkey is not hard-coded to RSA):
- * ( pending->pubkey == &crypto_null ) || */
- ( pending->cipher == &crypto_null ) ||
- ( pending->digest == &crypto_null ) ) {
+ * ( pending->pubkey == &pubkey_null ) || */
+ ( pending->cipher == &cipher_null ) ||
+ ( pending->digest == &digest_null ) ) {
DBGC ( tls, "TLS %p refusing to use null cipher\n", tls );
return -ENOTSUP;
}
@@ -571,8 +567,8 @@ static void tls_add_handshake ( struct tls_session *tls,
* far.
*/
static void tls_verify_handshake ( struct tls_session *tls, void *out ) {
- struct crypto_algorithm *md5 = &md5_algorithm;
- struct crypto_algorithm *sha1 = &sha1_algorithm;
+ struct digest_algorithm *md5 = &md5_algorithm;
+ struct digest_algorithm *sha1 = &sha1_algorithm;
uint8_t md5_ctx[md5->ctxsize];
uint8_t sha1_ctx[sha1->ctxsize];
void *md5_digest = out;
@@ -1064,7 +1060,7 @@ static void tls_hmac ( struct tls_session *tls __unused,
struct tls_cipherspec *cipherspec,
uint64_t seq, struct tls_header *tlshdr,
const void *data, size_t len, void *hmac ) {
- struct crypto_algorithm *digest = cipherspec->digest;
+ struct digest_algorithm *digest = cipherspec->digest;
uint8_t digest_ctx[digest->ctxsize];
hmac_init ( digest, digest_ctx, cipherspec->mac_secret,
@@ -1227,15 +1223,9 @@ static int tls_send_plaintext ( struct tls_session *tls, unsigned int type,
tlshdr->length = htons ( plaintext_len );
memcpy ( cipherspec->cipher_next_ctx, cipherspec->cipher_ctx,
cipherspec->cipher->ctxsize );
- if ( ( rc = cipher_encrypt ( cipherspec->cipher,
- cipherspec->cipher_next_ctx, plaintext,
- iob_put ( ciphertext, plaintext_len ),
- plaintext_len ) ) != 0 ) {
- DBGC ( tls, "TLS %p could not encrypt: %s\n",
- tls, strerror ( rc ) );
- DBGC_HD ( tls, plaintext, plaintext_len );
- goto done;
- }
+ cipher_encrypt ( cipherspec->cipher, cipherspec->cipher_next_ctx,
+ plaintext, iob_put ( ciphertext, plaintext_len ),
+ plaintext_len );
/* Free plaintext as soon as possible to conserve memory */
free ( plaintext );
@@ -1397,14 +1387,8 @@ static int tls_new_ciphertext ( struct tls_session *tls,
}
/* Decrypt the record */
- if ( ( rc = cipher_decrypt ( cipherspec->cipher,
- cipherspec->cipher_ctx, ciphertext,
- plaintext, record_len ) ) != 0 ) {
- DBGC ( tls, "TLS %p could not decrypt: %s\n",
- tls, strerror ( rc ) );
- DBGC_HD ( tls, ciphertext, record_len );
- goto done;
- }
+ cipher_decrypt ( cipherspec->cipher, cipherspec->cipher_ctx,
+ ciphertext, plaintext, record_len );
/* Split record into content and MAC */
if ( is_stream_cipher ( cipherspec->cipher ) ) {