From: Mike Christie <mchristi@redhat.com>
To: target-devel@vger.kernel.org
Subject: [PATCH 2/2] iscsi target: Fix CHAP negotiation setup
Date: Sun, 28 Apr 2019 04:17:20 +0000
Message-ID: <20190428041720.9119-3-mchristi@redhat.com>

If the user has disabled authentication and not set up CHAP, we will
still try to use CHAP if the initiator sends CHAP,None. The login
will then fail because the user didn't set up CHAP. This patch just
has us detect when CHAP/authentication has been turned off so we
negotiate for None instead of CHAP.

Signed-off-by: Mike Christie <mchristi@redhat.com>
---
 drivers/target/iscsi/iscsi_target_nego.c | 41 +++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/drivers/target/iscsi/iscsi_target_nego.c b/drivers/target/iscsi/iscsi_target_nego.c
index 7d794be..055c1cc 100644
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -828,6 +828,45 @@ static int iscsi_target_do_authentication(
 	return 0;
 }
 
+static struct iscsi_param *iscsi_target_init_auth_param(struct iscsi_conn *conn)
+{
+	struct iscsi_session *sess = conn->sess;
+	struct iscsi_node_auth *auth;
+	struct iscsi_portal_group *iscsi_tpg;
+	struct se_node_acl *se_nacl;
+	struct iscsi_param *param;
+
+	param = iscsi_find_param_from_key(AUTHMETHOD, conn->param_list);
+	if (!param)
+		return NULL;
+
+	if (sess->sess_ops->SessionType) {
+		iscsi_tpg = iscsit_global->discovery_tpg;
+	} else {
+		se_nacl = conn->sess->se_sess->se_node_acl;
+
+		iscsi_tpg = container_of(se_nacl->se_tpg,
+					 struct iscsi_portal_group, tpg_se_tpg);
+	}
+
+	auth = iscsi_target_get_auth_from_conn(conn);
+	if (!auth)
+		return NULL;
+	/*
+	 * If we have CHAP,None but have not setup any CHAP values and have
+	 * disabled enforcement then use None. If the user has partially setup
+	 * CHAP then still use CHAP, so login fails and we do not allow access
+	 * due to user misconfiguration.
+	 */
+	if (strstr("CHAP,None", param->value) && !auth->naf_flags &&
+	    !iscsi_tpg->tpg_attrib.authentication) {
+		if (iscsi_update_param_value(param, NONE) < 0)
+			return NULL;
+	}
+
+	return param;
+}
+
 static int iscsi_target_handle_csg_zero(
 	struct iscsi_conn *conn,
 	struct iscsi_login *login)
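Review bot: In iscsi_target_init_auth_param() the call strstr("CHAP,None", param->value) passes the literal as the haystack and param->value as the needle, so the test is true for any value that is a substring of "CHAP,None", including "CHAP" on its own and the empty string, while the comment above it describes only the CHAP,None case. With tpg_attrib.authentication off and naf_flags clear, an AuthMethod value of plain "CHAP" would therefore also be rewritten to None by iscsi_update_param_value(param, NONE), which is a wider authentication downgrade than the comment documents. If only the exact list is meant, compare with strcmp(param->value, "CHAP,None") == 0, or swap the arguments if a contains-check was intended, and say in the comment which values are expected to match. As a style point, se_nacl is read through conn->sess->se_sess although the local sess is already in scope.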
@@ -842,7 +881,7 @@ static int iscsi_target_handle_csg_zero(
 	login_rsp = (struct iscsi_login_rsp *) login->rsp;
 	payload_length = ntoh24(login_req->dlength);
 
-	param = iscsi_find_param_from_key(AUTHMETHOD, conn->param_list);
+	param = iscsi_target_init_auth_param(conn);
 	if (!param)
 		return -1;
 
-- 
1.8.3.1