Hello community, here is the log from the commit of package open-iscsi for openSUSE:Factory checked in at 2019-10-22 15:41:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/open-iscsi (Old) and /work/SRC/openSUSE:Factory/.open-iscsi.new.2352 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "open-iscsi" Tue Oct 22 15:41:14 2019 rev:87 rq:741166 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/open-iscsi/open-iscsi.changes 2019-09-18 13:07:50.088735400 +0200 +++ /work/SRC/openSUSE:Factory/.open-iscsi.new.2352/open-iscsi.changes 2019-10-22 15:42:02.117483504 +0200 @@ -1,0 +2,10 @@ +Fri Oct 18 21:00:41 UTC 2019 - Lee Duncan <[email protected]> + +- Merge in latest upstream, with fixes for: + * Support CHAP SHA-1, SHA-256, SHA3-256 vis openssl libcrypto + - this requires an update of the SPEC file, as well + * Initialize timeout for printing specific session info + Updating (in addition to the SPEC file): + * open-iscsi-SUSE-latest.diff.bz2 + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ open-iscsi.spec ++++++ --- /var/tmp/diff_new_pack.sawbi4/_old 2019-10-22 15:42:02.753484228 +0200 +++ /var/tmp/diff_new_pack.sawbi4/_new 2019-10-22 15:42:02.757484233 +0200 @@ -37,7 +37,7 @@ BuildRequires: libtool BuildRequires: make BuildRequires: open-isns-devel -BuildRequires: openssl-devel +BuildRequires: openssl-devel >= 1.1.1c BuildRequires: pkg-config BuildRequires: suse-module-tools BuildRequires: pkgconfig(libsystemd) ++++++ open-iscsi-SUSE-latest.diff.bz2 ++++++ --- /var/tmp/diff_new_pack.sawbi4/_old 2019-10-22 15:42:02.777484255 +0200 +++ /var/tmp/diff_new_pack.sawbi4/_new 2019-10-22 15:42:02.785484265 +0200 @@ -49,3 +49,391 @@ install_iface: $(IFACEFILES) $(INSTALL) -d $(DESTDIR)$(etcdir)/iscsi/ifaces $(INSTALL) -m 644 $^ $(DESTDIR)$(etcdir)/iscsi/ifaces +diff --git a/usr/Makefile b/usr/Makefile +index 42ce6f0cfe1c..338f9ebe1d9d 100644 +--- a/usr/Makefile ++++ b/usr/Makefile +@@ -50,8 +50,8 @@ PROGRAMS = iscsid iscsiadm iscsistart + # libc compat files + SYSDEPS_SRCS = $(sort $(wildcard ../utils/sysdeps/*.o)) + # sources shared between iscsid, iscsiadm and iscsistart +-ISCSI_LIB_SRCS = iscsi_util.o io.o auth.o iscsi_timer.o login.o log.o md5.o \ +- sha1.o iface.o idbm.o sysfs.o host.o session_info.o iscsi_sysfs.o \ ++ISCSI_LIB_SRCS = iscsi_util.o io.o auth.o iscsi_timer.o login.o log.o \ ++ iface.o idbm.o sysfs.o host.o session_info.o iscsi_sysfs.o \ + iscsi_net_util.o iscsid_req.o transport.o iser.o cxgbi.o be2iscsi.o \ + initiator_common.o iscsi_err.o flashnode.o uip_mgmt_ipc.o \ + netlink.o $(SYSDEPS_SRCS) +@@ -75,7 +75,7 @@ iscsiadm: $(ISCSI_LIB_SRCS) $(DISCOVERY_SRCS) iscsiadm.o session_mgmt.o mntcheck + + iscsistart: $(ISCSI_LIB_SRCS) $(INITIATOR_SRCS) $(FW_BOOT_SRCS) \ + iscsistart.o statics.o +- $(CC) $(CFLAGS) $^ -o $@ -lrt $(LDFLAGS) $(ISCSI_LIB) ++ $(CC) $(CFLAGS) $^ -o $@ -lcrypto -lrt $(LDFLAGS) $(ISCSI_LIB) + + clean: + rm -f *.o $(PROGRAMS) .depend $(LIBSYS) +diff --git a/usr/auth.c b/usr/auth.c +index e44a279ca157..afb4ea38f080 100644 +--- a/usr/auth.c ++++ b/usr/auth.c +@@ -34,7 +34,6 @@ + #include "sysdeps.h" + #include "auth.h" + #include "initiator.h" +-#include "md5.h" + #include "log.h" + + static const char acl_hexstring[] = "0123456789abcdefABCDEF"; +@@ -43,9 +42,11 @@ static const char acl_base64_string[] = + static const char acl_authmethod_set_chap_alg_list[] = "CHAP"; + static const char acl_reject_option_name[] = "Reject"; + +-void auth_md5_init(struct MD5Context *); +-void auth_md5_update(struct MD5Context *, unsigned char *, unsigned int); +-void auth_md5_final(unsigned char *, struct MD5Context *); ++#include <openssl/evp.h> ++static int auth_hash_init(EVP_MD_CTX **context, int chap_alg); ++static void auth_hash_update(EVP_MD_CTX *context, unsigned char *md, unsigned int); ++static unsigned int auth_hash_final(unsigned char *, EVP_MD_CTX *context); ++ + void get_random_bytes(unsigned char *data, unsigned int length); + size_t strlcpy(char *, const char *, size_t); + size_t strlcat(char *, const char *, size_t); +@@ -57,18 +58,19 @@ acl_chap_compute_rsp(struct iscsi_acl *client, int rmt_auth, unsigned int id, + unsigned char *response_data) + { + unsigned char id_data[1]; +- struct MD5Context context; ++ EVP_MD_CTX *context = NULL; + unsigned char out_data[AUTH_STR_MAX_LEN]; + unsigned int out_length = AUTH_STR_MAX_LEN; + + if (!client->passwd_present) + return AUTH_DBG_STATUS_LOCAL_PASSWD_NOT_SET; + +- auth_md5_init(&context); ++ if (auth_hash_init(&context, client->negotiated_chap_alg) != 0) ++ return AUTH_DBG_STATUS_AUTH_FAIL; + + /* id byte */ + id_data[0] = id; +- auth_md5_update(&context, id_data, 1); ++ auth_hash_update(context, id_data, 1); + + /* decrypt password */ + if (acl_data(out_data, &out_length, client->passwd_data, +@@ -79,15 +81,15 @@ acl_chap_compute_rsp(struct iscsi_acl *client, int rmt_auth, unsigned int id, + return AUTH_DBG_STATUS_PASSWD_TOO_SHORT_WITH_NO_IPSEC; + + /* shared secret */ +- auth_md5_update(&context, out_data, out_length); ++ auth_hash_update(context, out_data, out_length); + + /* clear decrypted password */ + memset(out_data, 0, AUTH_STR_MAX_LEN); + + /* challenge value */ +- auth_md5_update(&context, challenge_data, challenge_length); ++ auth_hash_update(context, challenge_data, challenge_length); + +- auth_md5_final(response_data, &context); ++ auth_hash_final(response_data, context); + + return AUTH_DBG_STATUS_NOT_SET; /* no error */ + } +@@ -103,8 +105,8 @@ acl_chap_auth_request(struct iscsi_acl *client, char *username, unsigned int id, + unsigned int rsp_length) + { + iscsi_session_t *session = client->session_handle; +- struct MD5Context context; +- unsigned char verify_data[16]; ++ EVP_MD_CTX *context = NULL; ++ unsigned char verify_data[client->chap_challenge_len]; + + /* the expected credentials are in the session */ + if (session->username_in == NULL) { +@@ -137,21 +139,22 @@ acl_chap_auth_request(struct iscsi_acl *client, char *username, unsigned int id, + return AUTH_STATUS_FAIL; + } + +- auth_md5_init(&context); ++ if (auth_hash_init(&context, client->negotiated_chap_alg) != 0) ++ return AUTH_STATUS_FAIL; + + /* id byte */ + verify_data[0] = id; +- auth_md5_update(&context, verify_data, 1); ++ auth_hash_update(context, verify_data, 1); + + /* shared secret */ +- auth_md5_update(&context, (unsigned char *)session->password_in, ++ auth_hash_update(context, (unsigned char *)session->password_in, + session->password_in_length); + + /* challenge value */ +- auth_md5_update(&context, (unsigned char *)challenge_data, ++ auth_hash_update(context, (unsigned char *)challenge_data, + challenge_length); + +- auth_md5_final(verify_data, &context); ++ auth_hash_final(verify_data, context); + + if (memcmp(response_data, verify_data, sizeof(verify_data)) == 0) { + log_debug(1, "initiator authenticated target %s", +@@ -164,23 +167,54 @@ acl_chap_auth_request(struct iscsi_acl *client, char *username, unsigned int id, + return AUTH_STATUS_FAIL; + } + +-void +-auth_md5_init(struct MD5Context *context) +-{ +- MD5Init(context); ++static int auth_hash_init(EVP_MD_CTX **context, int chap_alg) { ++ const EVP_MD *digest = NULL; ++ *context = EVP_MD_CTX_new(); ++ int rc; ++ ++ switch (chap_alg) { ++ case AUTH_CHAP_ALG_MD5: ++ digest = EVP_md5(); ++ break; ++ case AUTH_CHAP_ALG_SHA1: ++ digest = EVP_sha1(); ++ break; ++ case AUTH_CHAP_ALG_SHA256: ++ digest = EVP_sha256(); ++ break; ++ case AUTH_CHAP_ALG_SHA3_256: ++ digest = EVP_sha3_256(); ++ break; ++ } ++ ++ if (*context == NULL) ++ goto fail_context; ++ if (digest == NULL) ++ goto fail_digest; ++ rc = EVP_DigestInit_ex(*context, digest, NULL); ++ if (!rc) ++ goto fail_init; ++ ++ return 0; ++ ++fail_init: ++fail_digest: ++ EVP_MD_CTX_free(*context); ++ *context = NULL; ++fail_context: ++ return -1; + } + +-void +-auth_md5_update(struct MD5Context *context, unsigned char *data, +- unsigned int length) +-{ +- MD5Update(context, data, length); ++static void auth_hash_update(EVP_MD_CTX *context, unsigned char *data, unsigned int length) { ++ EVP_DigestUpdate(context, data, length); + } + +-void +-auth_md5_final(unsigned char *hash, struct MD5Context *context) +-{ +- MD5Final(hash, context); ++static unsigned int auth_hash_final(unsigned char *hash, EVP_MD_CTX *context) { ++ unsigned int md_len; ++ EVP_DigestFinal_ex(context, hash, &md_len); ++ EVP_MD_CTX_free(context); ++ context = NULL; ++ return md_len; + } + + void +@@ -301,6 +335,9 @@ static int + acl_chk_chap_alg_optn(int chap_algorithm) + { + if (chap_algorithm == AUTH_OPTION_NONE || ++ chap_algorithm == AUTH_CHAP_ALG_SHA3_256 || ++ chap_algorithm == AUTH_CHAP_ALG_SHA256 || ++ chap_algorithm == AUTH_CHAP_ALG_SHA1 || + chap_algorithm == AUTH_CHAP_ALG_MD5) + return 0; + +@@ -701,6 +738,20 @@ acl_chk_chap_alg_key(struct iscsi_acl *client) + if (number == (unsigned long)client->chap_alg_list[i]) + { + client->negotiated_chap_alg = number; ++ switch (number) { ++ case AUTH_CHAP_ALG_MD5: ++ client->chap_challenge_len = AUTH_CHAP_MD5_RSP_LEN; ++ break; ++ case AUTH_CHAP_ALG_SHA1: ++ client->chap_challenge_len = AUTH_CHAP_SHA1_RSP_LEN; ++ break; ++ case AUTH_CHAP_ALG_SHA256: ++ client->chap_challenge_len = AUTH_CHAP_SHA256_RSP_LEN; ++ break; ++ case AUTH_CHAP_ALG_SHA3_256: ++ client->chap_challenge_len = AUTH_CHAP_SHA3_256_RSP_LEN; ++ break; ++ } + return; + } + } +@@ -816,7 +867,7 @@ static void + acl_local_auth(struct iscsi_acl *client) + { + unsigned int chap_identifier; +- unsigned char response_data[AUTH_CHAP_RSP_LEN]; ++ unsigned char response_data[AUTH_CHAP_RSP_MAX]; + unsigned long number; + int status; + enum auth_dbg_status dbg_status; +@@ -848,7 +899,10 @@ acl_local_auth(struct iscsi_acl *client) + client->local_state = AUTH_LOCAL_STATE_ERROR; + client->dbg_status = AUTH_DBG_STATUS_CHAP_ALG_REJECT; + break; +- } else if (client->negotiated_chap_alg != AUTH_CHAP_ALG_MD5) { ++ } else if ((client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA3_256) && ++ (client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA256) && ++ (client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA1) && ++ (client->negotiated_chap_alg != AUTH_CHAP_ALG_MD5)) { + client->local_state = AUTH_LOCAL_STATE_ERROR; + client->dbg_status = AUTH_DBG_STATUS_CHAP_ALG_BAD; + break; +@@ -923,8 +977,8 @@ acl_local_auth(struct iscsi_acl *client) + break; + } + +- acl_data_to_text(response_data, +- AUTH_CHAP_RSP_LEN, client->scratch_key_value, ++ acl_data_to_text(response_data, client->chap_challenge_len, ++ client->scratch_key_value, + AUTH_STR_MAX_LEN); + acl_set_key_value(&client->send_key_block, + AUTH_KEY_TYPE_CHAP_RSP, +@@ -949,7 +1003,7 @@ acl_rmt_auth(struct iscsi_acl *client) + unsigned char id_data[1]; + unsigned char response_data[AUTH_STR_MAX_LEN]; + unsigned int rsp_len = AUTH_STR_MAX_LEN; +- unsigned char my_rsp_data[AUTH_CHAP_RSP_LEN]; ++ unsigned char my_rsp_data[AUTH_CHAP_RSP_MAX]; + int status; + enum auth_dbg_status dbg_status; + const char *chap_rsp_key_val; +@@ -1012,7 +1066,7 @@ acl_rmt_auth(struct iscsi_acl *client) + break; + } + +- if (rsp_len == AUTH_CHAP_RSP_LEN) { ++ if (rsp_len == client->chap_challenge_len) { + dbg_status = acl_chap_compute_rsp(client, 1, + client->send_chap_identifier, + client->send_chap_challenge.large_binary, +@@ -1021,7 +1075,7 @@ acl_rmt_auth(struct iscsi_acl *client) + + if (dbg_status == AUTH_DBG_STATUS_NOT_SET && + memcmp(my_rsp_data, response_data, +- AUTH_CHAP_RSP_LEN) == 0) { ++ client->chap_challenge_len) == 0) { + client->rmt_state = AUTH_RMT_STATE_ERROR; + client->dbg_status = AUTH_DBG_STATUS_PASSWD_IDENTICAL; + break; +@@ -1764,6 +1818,26 @@ acl_set_chap_alg_list(struct iscsi_acl *client, unsigned int option_count, + acl_chk_chap_alg_list); + } + ++int ++acl_init_chap_digests(int *value_list) { ++ EVP_MD_CTX *context = EVP_MD_CTX_new(); ++ int i = 0; ++ ++ if (EVP_DigestInit_ex(context, EVP_sha3_256(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_SHA3_256; ++ } ++ if (EVP_DigestInit_ex(context, EVP_sha256(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_SHA256; ++ } ++ if (EVP_DigestInit_ex(context, EVP_sha1(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_SHA1; ++ } ++ if (EVP_DigestInit_ex(context, EVP_md5(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_MD5; ++ } ++ return i; ++} ++ + int + acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc) + { +@@ -1772,7 +1846,7 @@ acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc) + struct auth_str_block *send_str_blk; + struct auth_large_binary *recv_chap_challenge; + struct auth_large_binary *send_chap_challenge; +- int value_list[2]; ++ int value_list[3]; + + if (buf_desc_count != 5 || !buff_desc) + return AUTH_STATUS_ERROR; +@@ -1825,7 +1899,6 @@ acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc) + client->node_type = (enum auth_node_type) node_type; + client->auth_rmt = 1; + client->passwd_present = 0; +- client->chap_challenge_len = AUTH_CHAP_RSP_LEN; + client->ip_sec = 0; + + client->phase = AUTH_PHASE_CONFIGURE; +@@ -1851,10 +1924,8 @@ acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc) + return AUTH_STATUS_ERROR; + } + +- value_list[0] = AUTH_CHAP_ALG_MD5; +- +- if (acl_set_chap_alg_list(client, 1, value_list) != +- AUTH_STATUS_NO_ERROR) { ++ if (acl_set_chap_alg_list(client, acl_init_chap_digests(value_list), ++ value_list) != AUTH_STATUS_NO_ERROR) { + client->phase = AUTH_PHASE_ERROR; + return AUTH_STATUS_ERROR; + } +diff --git a/usr/auth.h b/usr/auth.h +index 2cc348910a07..f6dbbe4be25c 100644 +--- a/usr/auth.h ++++ b/usr/auth.h +@@ -29,7 +29,11 @@ enum { + AUTH_LARGE_BINARY_MAX_LEN = 1024, + AUTH_RECV_END_MAX_COUNT = 10, + ACL_SIGNATURE = 0x5984B2E3, +- AUTH_CHAP_RSP_LEN = 16, ++ AUTH_CHAP_MD5_RSP_LEN = 16, ++ AUTH_CHAP_SHA1_RSP_LEN = 20, ++ AUTH_CHAP_SHA256_RSP_LEN = 32, ++ AUTH_CHAP_SHA3_256_RSP_LEN = 32, ++ AUTH_CHAP_RSP_MAX = 32, + }; + + /* +@@ -61,7 +65,10 @@ enum { + AUTH_METHOD_MAX_COUNT = 2, + + AUTH_CHAP_ALG_MD5 = 5, +- AUTH_CHAP_ALG_MAX_COUNT = 2 ++ AUTH_CHAP_ALG_SHA1 = 6, ++ AUTH_CHAP_ALG_SHA256 = 7, ++ AUTH_CHAP_ALG_SHA3_256 = 8, ++ AUTH_CHAP_ALG_MAX_COUNT = 5 + }; + + enum auth_neg_role { +diff --git a/usr/iscsiadm.c b/usr/iscsiadm.c +index 9215dc11f868..39583ddb6f2b 100644 +--- a/usr/iscsiadm.c ++++ b/usr/iscsiadm.c +@@ -3948,6 +3948,7 @@ main(int argc, char **argv) + rc = ISCSI_ERR_NOMEM; + goto out; + } ++ info->iscsid_req_tmo = -1; + + rc = iscsi_sysfs_get_sessioninfo_by_id(info, session); + if (rc) {
