[PATCH 0/6] NetworkPkg/IScsiDxe: support SHA256 in CHAP


Laszlo Ersek
 

Bugzilla: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
Repo: https://pagure.io/lersek/edk2.git
Branch: iscsi_sha256_bz3355

Please find the Feature Request described in comment#0 of the BZ.

The patch series depends on:

[edk2-devel] [PUBLIC edk2 PATCH v2 00/10]
NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs

https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Message-Id: <20210608121259.32451-1-lersek@redhat.com>
https://listman.redhat.com/archives/edk2-devel-archive/2021-June/msg00316.html
https://edk2.groups.io/g/devel/message/76198

Please find the test matrix *template* in comment#2 of the BZ.

Actual test results, with this series applied:

Tests with no authentication Results
---------------------------- -------------------------
login result test result
------------ -----------
ok PASS


Tests with mutual authentication Results
---------------------------------- --------------------------------------
secret of ...
matches CHAP_A
target initiator ------------- -------------------
supports supports offered picked login test
SHA256 MD5 target init. by init. by target result result
-------- --------- ------ ----- -------- --------- --------- ------
no no n/a n/a 7 n/a targ abrt PASS
no yes no n/a 7,5 5 targ abrt PASS
no yes yes no 7,5 5 init abrt PASS
no yes yes yes 7,5 5 ok PASS
yes no no n/a 7 7 targ abrt PASS
yes no yes no 7 7 init abrt PASS
yes no yes yes 7 7 ok PASS
yes yes no n/a 7,5 7 targ abrt PASS
yes yes yes no 7,5 7 init abrt PASS
yes yes yes yes 7,5 7 ok PASS

Notes:

- iSCSI communication was monitored with wireshark.

- RHEL-7.6 was used as the target without SHA256 support. RHEL-7.9 was
used as the target with SHA256 support.

- The expression "initiator doesn't support MD5" means building the
series with "-D NETWORK_ISCSI_MD5_ENABLE=FALSE".

- SHA256 support is always present in the initiator (simply by virtue of
the series being applied). MD5 support is always present in the
target.

Cc: Jiaxin Wu <jiaxin.wu@intel.com>
Cc: Maciej Rabeda <maciej.rabeda@linux.intel.com>
Cc: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>

Thanks,
Laszlo

Laszlo Ersek (6):
NetworkPkg/IScsiDxe: re-set session-level authentication state before
login
NetworkPkg/IScsiDxe: add horizontal whitespace to IScsiCHAP files
NetworkPkg/IScsiDxe: distinguish "maximum" and "selected" CHAP digest
sizes
NetworkPkg/IScsiDxe: support multiple hash algorithms for CHAP
NetworkPkg/IScsiDxe: support SHA256 in CHAP
NetworkPkg: introduce the NETWORK_ISCSI_MD5_ENABLE feature test macro

NetworkPkg/IScsiDxe/IScsiCHAP.c | 192 ++++++++++++++++----
NetworkPkg/IScsiDxe/IScsiCHAP.h | 95 ++++++++--
NetworkPkg/IScsiDxe/IScsiDriver.c | 2 +
NetworkPkg/IScsiDxe/IScsiProto.c | 21 +++
NetworkPkg/NetworkBuildOptions.dsc.inc | 2 +-
NetworkPkg/NetworkDefines.dsc.inc | 20 ++
6 files changed, 281 insertions(+), 51 deletions(-)

--
2.19.1.3.g30247aa5d201

Join devel@edk2.groups.io to automatically receive all group messages.