Insert a SHA256 CHAP_HASH structure at the start of "mChapHash". Update ISCSI_CHAP_MAX_DIGEST_SIZE to SHA256_DIGEST_SIZE (32).
This enables the initiator and the target to negotiate SHA256 for CHAP, in preference to MD5. Cc: Jiaxin Wu <jiaxin...@intel.com> Cc: Maciej Rabeda <maciej.rab...@linux.intel.com> Cc: Philippe Mathieu-Daudé <phi...@redhat.com> Cc: Siyuan Fu <siyuan...@intel.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355 Signed-off-by: Laszlo Ersek <ler...@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com> Reviewed-by: Maciej Rabeda <maciej.rab...@linux.intel.com> --- Notes: v2: - pick up R-b's [Phil, Maciej] NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 ++- NetworkPkg/IScsiDxe/IScsiCHAP.c | 12 ++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h
index 1e5cc0b287ed..e2df634c4e67 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.h
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
@@ -6,44 +6,45 @@ SPDX-License-Identifier: BSD-2-Clause-Patent **/ #ifndef _ISCSI_CHAP_H_ #define _ISCSI_CHAP_H_ #define ISCSI_AUTH_METHOD_CHAP "CHAP" #define ISCSI_KEY_CHAP_ALGORITHM "CHAP_A" #define ISCSI_KEY_CHAP_IDENTIFIER "CHAP_I" #define ISCSI_KEY_CHAP_CHALLENGE "CHAP_C" #define ISCSI_KEY_CHAP_NAME "CHAP_N" #define ISCSI_KEY_CHAP_RESPONSE "CHAP_R" // // Identifiers of supported CHAP hash algorithms: // https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9 // #define ISCSI_CHAP_ALGORITHM_MD5 5
+#define ISCSI_CHAP_ALGORITHM_SHA256 7
 // // Byte count of the largest digest over the above-listed // ISCSI_CHAP_ALGORITHM_* hash algorithms. //
-#define ISCSI_CHAP_MAX_DIGEST_SIZE MD5_DIGEST_SIZE
+#define ISCSI_CHAP_MAX_DIGEST_SIZE SHA256_DIGEST_SIZE
 #define ISCSI_CHAP_STEP_ONE 1 #define ISCSI_CHAP_STEP_TWO 2 #define ISCSI_CHAP_STEP_THREE 3 #define ISCSI_CHAP_STEP_FOUR 4 #pragma pack(1) typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA { UINT8 CHAPType; CHAR8 CHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 CHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; CHAR8 ReverseCHAPName[ISCSI_CHAP_NAME_STORAGE]; CHAR8 ReverseCHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; } ISCSI_CHAP_AUTH_CONFIG_NVDATA; #pragma pack()
diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c
index 351bf329b739..80035ece9887 100644
--- a/NetworkPkg/IScsiDxe/IScsiCHAP.c
+++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c
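Review bot: In IScsiCHAP.h, `ISCSI_CHAP_MAX_DIGEST_SIZE` stays a hand-maintained maximum: the define moves from `MD5_DIGEST_SIZE` to `SHA256_DIGEST_SIZE`, but nothing visible in this hunk ties it to the digest sizes listed in the `mChapHash` table in IScsiCHAP.c. Presumably the macro sizes the buffers that hold CHAP digests, in which case a later table entry with a larger digest and no matching update here would write past them. A compile-time check beside each table entry, such as `STATIC_ASSERT (SHA256_DIGEST_SIZE <= ISCSI_CHAP_MAX_DIGEST_SIZE, "digest larger than ISCSI_CHAP_MAX_DIGEST_SIZE");`, would keep the two in step in release builds as well; any existing runtime check is outside the lines shown.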
@@ -1,36 +1,48 @@ /** @file This file is for Challenge-Handshake Authentication Protocol (CHAP) Configuration. Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.<BR> SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "IScsiImpl.h" // // Supported CHAP hash algorithms, mapped to sets of BaseCryptLib APIs and // macros. CHAP_HASH structures at lower subscripts in the array are preferred // by the initiator. // STATIC CONST CHAP_HASH mChapHash[] = {
+ {
+ ISCSI_CHAP_ALGORITHM_SHA256,
+ SHA256_DIGEST_SIZE,
+ Sha256GetContextSize,
+ Sha256Init,
+ Sha256Update,
+ Sha256Final
+ },
+ //
+ // Keep the deprecated MD5 entry at the end of the array (making MD5 the
+ // least preferred choice of the initiator).
+ //
 { ISCSI_CHAP_ALGORITHM_MD5, MD5_DIGEST_SIZE, Md5GetContextSize, Md5Init, Md5Update, Md5Final }, }; // // Ordered list of mChapHash[*].Algorithm values. It is formatted for the // CHAP_A=<A1,A2...> value string, by the IScsiCHAPInitHashList() function. It // is sent by the initiator in ISCSI_CHAP_STEP_ONE. // STATIC CHAR8 mChapHashListString[ 3 + // UINT8 identifier in // decimal (1 + 3) * (ARRAY_SIZE (mChapHash) - 1) + // comma prepended for -- 2.19.1.3.g30247aa5d201 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#77287): https://edk2.groups.io/g/devel/message/77287 Mute This Topic: https://groups.io/mt/83872648/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
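Review bot: Putting the SHA256 entry first in `mChapHash` only orders the initiator's offer; MD5 is still in the table and therefore, per the comment on `mChapHashListString`, still sent in the `CHAP_A` list, so the peer's selection can remain MD5. The added comment calls MD5 deprecated without saying that it is still accepted, so I would extend it with `// MD5 is still offered for interoperability; the target picks the algorithm, so ordering alone does not rule out MD5.` If a deployment must refuse MD5, that needs a way to leave the entry out of the table at build time, which this patch does not add. The `mChapHashListString` declaration runs past the end of the hunk.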