nvmf: process in-band authentication

enum spdk_nvmf_qpair_state {

	SPDK_NVMF_QPAIR_UNINITIALIZED = 0,

	SPDK_NVMF_QPAIR_CONNECTING,

	SPDK_NVMF_QPAIR_AUTHENTICATING,

	SPDK_NVMF_QPAIR_ENABLED,

	SPDK_NVMF_QPAIR_DEACTIVATING,

	SPDK_NVMF_QPAIR_ERROR,

typedef void (*spdk_nvmf_state_change_done)(void *cb_arg, int status);

struct spdk_nvmf_qpair_auth;

struct spdk_nvmf_qpair {

	uint8_t					state; /* ref spdk_nvmf_qpair_state */

	uint8_t					rsvd;

	bool					disconnect_started;

	uint16_t				trace_id;

	struct spdk_nvmf_qpair_auth		*auth;

};

struct spdk_nvmf_transport_poll_group {

spdk_nvmf_qpair_is_active(struct spdk_nvmf_qpair *qpair)

{

	return qpair->state == SPDK_NVMF_QPAIR_CONNECTING ||

	       qpair->state == SPDK_NVMF_QPAIR_AUTHENTICATING ||

	       qpair->state == SPDK_NVMF_QPAIR_ENABLED;

}

SO_MINOR := 0

C_SRCS = ctrlr.c ctrlr_discovery.c ctrlr_bdev.c \

	 subsystem.c nvmf.c nvmf_rpc.c transport.c tcp.c

	 subsystem.c nvmf.c nvmf_rpc.c transport.c tcp.c \

	 auth.c

C_SRCS-$(CONFIG_RDMA) += rdma.c

LIBNAME = nvmf

/* SPDX-License-Identifier: BSD-3-Clause

 * Copyright (c) 2024 Intel Corporation

 */

#include "spdk/log.h"

#include "spdk/stdinc.h"

#include "nvmf_internal.h"

#define AUTH_ERRLOG(q, fmt, ...) \

	SPDK_ERRLOG("[%s:%s:%u] " fmt, (q)->ctrlr->subsys->subnqn, (q)->ctrlr->hostnqn, \

		    (q)->qid, ## __VA_ARGS__)

#define AUTH_DEBUGLOG(q, fmt, ...) \

	SPDK_DEBUGLOG(nvmf_auth, "[%s:%s:%u] " fmt, \

		      (q)->ctrlr->subsys->subnqn, (q)->ctrlr->hostnqn, (q)->qid, ## __VA_ARGS__)

enum nvmf_qpair_auth_state {

	NVMF_QPAIR_AUTH_NEGOTIATE,

};

struct spdk_nvmf_qpair_auth {

	enum nvmf_qpair_auth_state state;

};

static void

nvmf_auth_request_complete(struct spdk_nvmf_request *req, int sct, int sc, int dnr)

{

	struct spdk_nvme_cpl *response = &req->rsp->nvme_cpl;

	response->status.sct = sct;

	response->status.sc = sc;

	response->status.dnr = dnr;

	spdk_nvmf_request_complete(req);

}

__attribute__((unused)) static const char *

nvmf_auth_get_state_name(enum nvmf_qpair_auth_state state)

{

	static const char *state_names[] = {

		[NVMF_QPAIR_AUTH_NEGOTIATE] = "negotiate",

	};

	return state_names[state];

}

static void

nvmf_auth_set_state(struct spdk_nvmf_qpair *qpair, enum nvmf_qpair_auth_state state)

{

	struct spdk_nvmf_qpair_auth *auth = qpair->auth;

	if (auth->state == state) {

		return;

	}

	AUTH_DEBUGLOG(qpair, "auth state: %s\n", nvmf_auth_get_state_name(state));

	auth->state = state;

}

int

nvmf_auth_request_exec(struct spdk_nvmf_request *req)

{

	nvmf_auth_request_complete(req, SPDK_NVME_SCT_GENERIC,

				   SPDK_NVME_SC_INVALID_OPCODE, 1);

	return SPDK_NVMF_REQUEST_EXEC_STATUS_ASYNCHRONOUS;

}

int

nvmf_qpair_auth_init(struct spdk_nvmf_qpair *qpair)

{

	struct spdk_nvmf_qpair_auth *auth;

	assert(qpair->auth == NULL);

	auth = calloc(1, sizeof(*qpair->auth));

	if (auth == NULL) {

		return -ENOMEM;

	}

	qpair->auth = auth;

	nvmf_auth_set_state(qpair, NVMF_QPAIR_AUTH_NEGOTIATE);

	return 0;

}

void

nvmf_qpair_auth_destroy(struct spdk_nvmf_qpair *qpair)

{

	free(qpair->auth);

	qpair->auth = NULL;

}

SPDK_LOG_REGISTER_COMPONENT(nvmf_auth)

	struct spdk_nvmf_qpair *qpair = req->qpair;

	struct spdk_nvmf_ctrlr *ctrlr = qpair->ctrlr;

	struct spdk_nvmf_fabric_connect_rsp *rsp = &req->rsp->connect_rsp;

	int rc;

	/* The qpair might have been disconnected in the meantime */

	assert(qpair->state == SPDK_NVMF_QPAIR_CONNECTING ||

	       qpair->state == SPDK_NVMF_QPAIR_DEACTIVATING);

	if (qpair->state == SPDK_NVMF_QPAIR_CONNECTING) {

		if (nvmf_subsystem_host_auth_required(ctrlr->subsys, ctrlr->hostnqn)) {

			rc = nvmf_qpair_auth_init(qpair);

			if (rc != 0) {

				rsp->status.sct = SPDK_NVME_SCT_GENERIC;

				rsp->status.sc = SPDK_NVME_SC_INTERNAL_DEVICE_ERROR;

				spdk_nvmf_request_complete(req);

				spdk_nvmf_qpair_disconnect(qpair);

				return;

			}

			rsp->status_code_specific.success.authreq.atr = 1;

			nvmf_qpair_set_state(qpair, SPDK_NVMF_QPAIR_AUTHENTICATING);

		} else {

			nvmf_qpair_set_state(qpair, SPDK_NVMF_QPAIR_ENABLED);

		}

	}

	SPDK_DEBUGLOG(nvmf, "connect capsule response: cntlid = 0x%04x\n", ctrlr->cntlid);

			return nvmf_property_set(req);

		case SPDK_NVMF_FABRIC_COMMAND_PROPERTY_GET:

			return nvmf_property_get(req);

		case SPDK_NVMF_FABRIC_COMMAND_AUTHENTICATION_SEND:

		case SPDK_NVMF_FABRIC_COMMAND_AUTHENTICATION_RECV:

			return nvmf_auth_request_exec(req);

		default:

			SPDK_DEBUGLOG(nvmf, "unknown fctype 0x%02x\n",

				      cap_hdr->fctype);

			return SPDK_NVMF_REQUEST_EXEC_STATUS_COMPLETE;

		}

	} else {

		/* Controller session is established, and this is an I/O queue */

		/* For now, no I/O-specific Fabrics commands are implemented (other than Connect) */

		/*

		 * Controller session is established, and this is an I/O queue.

		 * Disallow everything besides authentication commands.

		 */

		switch (cap_hdr->fctype) {

		case SPDK_NVMF_FABRIC_COMMAND_AUTHENTICATION_SEND:

		case SPDK_NVMF_FABRIC_COMMAND_AUTHENTICATION_RECV:

			return nvmf_auth_request_exec(req);

		default:

			SPDK_DEBUGLOG(nvmf, "Unexpected I/O fctype 0x%x\n", cap_hdr->fctype);

			req->rsp->nvme_cpl.status.sct = SPDK_NVME_SCT_GENERIC;

			req->rsp->nvme_cpl.status.sc = SPDK_NVME_SC_INVALID_OPCODE;

			return SPDK_NVMF_REQUEST_EXEC_STATUS_COMPLETE;

		}

	}

}

static inline void

nvmf_ctrlr_queue_pending_async_event(struct spdk_nvmf_ctrlr *ctrlr,

nvmf_check_qpair_active(struct spdk_nvmf_request *req)

{

	struct spdk_nvmf_qpair *qpair = req->qpair;

	int sc, sct;

	if (spdk_likely(qpair->state == SPDK_NVMF_QPAIR_ENABLED)) {

		return true;

	}

	sct = SPDK_NVME_SCT_GENERIC;

	sc = SPDK_NVME_SC_COMMAND_SEQUENCE_ERROR;

	switch (qpair->state) {

	case SPDK_NVMF_QPAIR_CONNECTING:

		if (req->cmd->nvmf_cmd.opcode != SPDK_NVME_OPC_FABRIC) {

			break;

		}

		return true;

	case SPDK_NVMF_QPAIR_AUTHENTICATING:

		sct = SPDK_NVME_SCT_COMMAND_SPECIFIC;

		sc = SPDK_NVMF_FABRIC_SC_AUTH_REQUIRED;

		if (req->cmd->nvmf_cmd.opcode != SPDK_NVME_OPC_FABRIC) {

			SPDK_ERRLOG("Received command 0x%x on qid %u before authentication\n",

				    req->cmd->nvmf_cmd.opcode, qpair->qid);

			break;

		}

		if (req->cmd->nvmf_cmd.fctype != SPDK_NVMF_FABRIC_COMMAND_AUTHENTICATION_SEND &&

		    req->cmd->nvmf_cmd.fctype != SPDK_NVMF_FABRIC_COMMAND_AUTHENTICATION_RECV) {

			SPDK_ERRLOG("Received fctype 0x%x on qid %u before authentication\n",

				    req->cmd->nvmf_cmd.fctype, qpair->qid);

			break;

		}

		return true;

	default:

		SPDK_ERRLOG("Received command 0x%x on qid %u in state %d\n",

			    req->cmd->nvmf_cmd.opcode, qpair->qid, qpair->state);

		break;

	}

	req->rsp->nvme_cpl.status.sct = SPDK_NVME_SCT_GENERIC;

	req->rsp->nvme_cpl.status.sc = SPDK_NVME_SC_COMMAND_SEQUENCE_ERROR;

	req->rsp->nvme_cpl.status.sct = sct;

	req->rsp->nvme_cpl.status.sc = sc;

	TAILQ_INSERT_TAIL(&qpair->outstanding, req, link);

	_nvmf_request_complete(req);

		}

	}

	nvmf_qpair_auth_destroy(qpair);

	qpair_ctx->ctrlr = ctrlr;

	spdk_nvmf_poll_group_remove(qpair);

	nvmf_transport_qpair_fini(qpair, _nvmf_transport_qpair_fini_complete, qpair_ctx);