Commit 868be8ed authored by Oded Mashbach's avatar Oded Mashbach Committed by Tomasz Zawadzki

iscs: chap mutual authentication should apply when configured.



Mutual CHAP authentication should be used when the -m option is sent
via the iscsi_auth_group_add_secret RPC.
This commit fixes the problem where mutual authentication depends
solely on the existence of the muser + msecret configured in the auth
group.

Change-Id: I8d703ea2b643508c97e7e64bd2194e47cc6ab8cd
Signed-off-by: default avatarOded Mashbach <oded.mashbach@silk.us>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/23617


Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Community-CI: Mellanox Build Bot
Reviewed-by: default avatarShuhei Matsumoto <smatsumoto@nvidia.com>
Reviewed-by: default avatarJim Harris <jim.harris@samsung.com>
parent 16b33d51
+5 −0
@@ -978,6 +978,11 @@ iscsi_auth_params(struct spdk_iscsi_conn *conn,
				goto error_return;
			}

			if (conn->mutual_chap == false) {
				SPDK_ERRLOG("Initiator wants to use mutual CHAP for security, but it's not enabled.\n");
				goto error_return;
			}

			md5init(&md5ctx);
			/* Identifier */
			md5update(&md5ctx, conn->auth.chap_mid, 1);
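Review bot: The new `conn->mutual_chap == false` rejection has no comment tying it to the policy it enforces, so a reader of this branch cannot tell why an initiator that asks for mutual CHAP is refused even when muser/msecret may be configured. I would add above the check `/* Mutual CHAP must be enabled explicitly for the auth group; configured muser/msecret alone do not enable it. */`. The error line also carries nothing that identifies the connection, so an operator triaging repeated authentication failures cannot tell which initiator sent the request; logging an identifier the connection already holds would help, if one is available at this point. iscsi_auth_params starts before and continues after this hunk, so the ordering relative to the other CHAP checks is not visible here.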
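--- a/test/iscsi_tgt/chap/chap_mutual_not_set.sh
+++ b/test/iscsi_tgt/chap/chap_mutual_not_set.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+#  SPDX-License-Identifier: BSD-3-Clause
+#  Copyright (C) 2018 Intel Corporation
+#  All rights reserved.
+#
+
+testdir=$(readlink -f $(dirname $0))
+rootdir=$(readlink -f $testdir/../../..)
+source $rootdir/test/common/autotest_common.sh
+source $rootdir/test/iscsi_tgt/common.sh
+source $rootdir/test/iscsi_tgt/chap/chap_common.sh
+
+USER="chapo"
+MUSER="mchapo"
+PASS="123456789123"
+MPASS="321978654321"
+
+#initialize test:
+iscsitestinit
+#set up iscsi target
+set_up_iscsi_target
+
+#configure target to require chap authentication: add muser+mpassword but dont ask to use it with -m:
+echo "configuring target for authentication"
+config_chap_credentials_for_target -t 1 -u $USER -s $PASS -r $MUSER -m $MPASS -d -l
+echo "executing discovery without adding credential to initiator - we expect failure"
+#configure  initiator credentials:
+echo "configuring initiator with biderectional authentication"
+config_chap_credentials_for_initiator -t 1 -u $USER -s $PASS -r $MUSER -m $MPASS -d -l -b
+echo "executing discovery - target should not be discovered since the -m option was not used"
+rc=0
+iscsiadm -m discovery -t sendtargets -p $TARGET_IP:$ISCSI_PORT || rc=$?
+if [ $rc -eq 0 ]; then
+	echo "[ERROR] - target should not be discovered since the -m option was not used"
+	exit 1
+fi
+echo "configuring target for authentication with the -m option"
+config_chap_credentials_for_target -t 2 -u $USER -s $PASS -r $MUSER -m $MPASS -d -l -b
+echo "executing discovery:"
+rc=0
+iscsiadm -m discovery -t sendtargets -p $TARGET_IP:$ISCSI_PORT || rc=$?
+if [ $rc -ne 0 ]; then
+	echo "[ERROR] - now that we have set the -m option - we should be able to discover."
+	exit 1
+fi
+echo "executing login:"
+rc=0
+iscsiadm -m node -l -p $TARGET_IP:$ISCSI_PORT || rc=$?
+if [ $rc -ne 0 ]; then
+	echo "[ERROR] - now that we have set the -m option - we should be able to login."
+	exit 1
+fi
+
+echo "DONE"
+default_initiator_chap_credentials
+
+trap - SIGINT SIGTERM EXIT
+
+killprocess $pid
+
+iscsitestfini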
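Review bot: The three `exit 1` failure paths leave the script before `default_initiator_chap_credentials` runs, so a failed run can leave the initiator configured with the test CHAP credentials for whatever runs next on the host, unless a trap installed by the sourced helpers (not visible here) restores them. I would call `default_initiator_chap_credentials` before each `exit 1`. Separately, the first discovery check treats any non-zero exit from `iscsiadm` as the expected result, so on its own it does not distinguish a mutual-CHAP rejection from an unrelated failure; a comment such as `# any discovery failure passes this step; the later successful discovery ties it to the mutual CHAP setting` would make that dependence explicit. The `echo` announcing "executing discovery without adding credential to initiator" is not followed by a discovery and could be dropped.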
+1 −0
@@ -30,6 +30,7 @@ else
fi
run_test "iscsi_tgt_filesystem" $rootdir/test/iscsi_tgt/filesystem/filesystem.sh
run_test "chap_during_discovery" $rootdir/test/iscsi_tgt/chap/chap_discovery.sh
run_test "chap_mutual_auth" $rootdir/test/iscsi_tgt/chap/chap_mutual_not_set.sh
run_test "iscsi_tgt_reset" $rootdir/test/iscsi_tgt/reset/reset.sh
run_test "iscsi_tgt_rpc_config" $rootdir/test/iscsi_tgt/rpc_config/rpc_config.sh
run_test "iscsi_tgt_iscsi_lvol" $rootdir/test/iscsi_tgt/lvol/iscsi_lvol.sh