Let me see what I can find…
From: Rabeda, Maciej <firstname.lastname@example.org>
Sent: Tuesday, April 6, 2021 3:37 AM
To: Daniel P. Berrangé <email@example.com>
Cc: Desimone, Nathaniel L <firstname.lastname@example.org>; email@example.com; Samer El-Haj-Mahmoud <Samer.El-Haj-Mahmoud@arm.com>; email@example.com; Laszlo Ersek <email@example.com>; Wu, Jiaxin <firstname.lastname@example.org>; Fu, Siyuan <email@example.com>; Yash Mankad <firstname.lastname@example.org>; Pete Batard <email@example.com>; Bret Barkelew <Bret.Barkelew@microsoft.com>; Sean Brogan <firstname.lastname@example.org>; Jose Barreto <Jose.Barreto@microsoft.com>
Subject: [EXTERNAL] Re: [edk2-rfc] removing CHAP-MD5 from IScsiDxe
+Bret, Sean, Jose
Hi Sean, Bret,
In one of the previous threads, Jose wrote that he pointed you to a
Microsoft person who should have more information on iSCSI on Windows.
I am wondering whether the Windows iSCSI initiator supports CHAP hash
algorithms other than MD5.
Any chance we could reach out to that person and find that out?
On 01-Apr-21 16:45, Daniel P. Berrangé wrote:
> On Thu, Apr 01, 2021 at 04:24:27PM +0200, Rabeda, Maciej wrote:
>> Hi,
>>
>> Sorry for the very late response.
>>
>> Dropping iSCSI overall is a no-go - too many users + this is the only remote
>> block I/O we seem to support in EDKII.
>>
>> As for RFC compliance vs EDKII policy on MD5... Naturally, CHAP with MD5
>> does not bring any security features due to MD5's vulnerability.
>> However, since MD5 is the only hash algorithm for CHAP supported by
>> IScsiDxe, removing MD5 implies removing CHAP-related code from IScsiDxe
>> overall, which I would be pretty hesitant to do.
>>
>> RFC states that MD5 has to be supported, though I can see that CHAP
>> algorithm allows for different hash algorithms
>> (https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9).
>> We could support CHAP with SHA-x in IScsiDxe, which removes the MD5
>> dependency and keeps the CHAP-related code in iSCSI still in place.
>>
>> The question is: do OS-based initiators support hash algorithms other than
>> MD5 for CHAP?
>> I am pretty sure RHEL does (controlled via /etc/iscsi/iscsid.conf), but I am
>> not sure about others: Windows, VMware, ...
>
> Linux kernel gained support for the SHA* family of hashes:
>
>   Author: Maurizio Lombardi <email@example.com>
>   Date:   Mon Oct 28 13:38:20 2019 +0100
>
>       scsi: target: iscsi: CHAP: add support for SHA1, SHA256 and SHA3-256
>
>       This patch modifies the chap_server_compute_hash() function to make it
>       agnostic to the choice of hash algorithm that is used. It also adds
>       support to three new hash algorithms: SHA1, SHA256 and SHA3-256.
>
>       The chap_got_response() function has been removed because the digest type
>       validity is already checked by chap_server_open()
>
>       Signed-off-by: Maurizio Lombardi <firstname.lastname@example.org>
>       Tested-by: Chris Leech <email@example.com>
>       Signed-off-by: Martin K. Petersen <firstname.lastname@example.org>
>
> NB SHA1 is just as undesirable as MD5 these days, so only the other two
> are especially interesting/useful.
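The thread's proposal is a hash-agnostic CHAP implementation (like the Linux target change above) combined with a policy that refuses MD5 and SHA-1. The following is an added illustration, not code from EDK II, the Linux kernel or anyone on this thread: it computes the CHAP response as Hash(Identifier || Secret || Challenge) with the hash chosen by the negotiated CHAP_A value, and shows a target-side CHAP_A selection that rejects the deprecated algorithms. The algorithm-number mapping (5 = MD5, 6 = SHA-1, 7 = SHA-256, 8 = SHA3-256) is taken from the IANA registry the thread links to; the `HARDENED_ALLOWED` policy, the `0x` hex encoding shortcut for CHAP_C/CHAP_R (base64 `0b` values are not handled) and all sample values are assumptions of this example.

```python
import hashlib
import hmac
import os

# Assumed mapping of IANA "PPP CHAP Algorithms" identifiers to hashlib names.
# 5 is the RFC 1994 mandatory MD5; 6/7/8 are the SHA variants the Linux
# iSCSI target commit added.
CHAP_ALGORITHMS = {5: "md5", 6: "sha1", 7: "sha256", 8: "sha3_256"}

# Example policy (assumed): refuse MD5 and SHA-1, keep SHA-256 and SHA3-256.
HARDENED_ALLOWED = {7, 8}


def chap_response(alg_id: int, ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response = Hash(Identifier || Secret || Challenge), with the hash
    selected by the negotiated CHAP_A value (RFC 1994 construction)."""
    h = hashlib.new(CHAP_ALGORITHMS[alg_id])
    h.update(bytes([ident & 0xFF]))   # CHAP_I is a single octet on the wire
    h.update(secret)
    h.update(challenge)
    return h.digest()


def parse_chap_a(value: str) -> list:
    """Parse the iSCSI text value of CHAP_A (e.g. '7,8,5') into ints."""
    return [int(v) for v in value.split(",") if v.strip()]


def pick_algorithm(offered: list, allowed: set):
    """Target side of CHAP_A negotiation: the initiator lists algorithms in
    preference order; return the first one that policy permits, else None."""
    for alg in offered:
        if alg in allowed and alg in CHAP_ALGORITHMS:
            return alg
    return None


def encode_binary(data: bytes) -> str:
    """iSCSI binary-value text encoding, hex form ('0x...')."""
    return "0x" + data.hex()


def decode_binary(text: str) -> bytes:
    """Decode the hex form used here for CHAP_C / CHAP_R."""
    if not text.lower().startswith("0x"):
        raise ValueError("only the 0x hex encoding is handled in this example")
    return bytes.fromhex(text[2:])


def run_exchange(initiator_chap_a: str, target_policy: set, target_secret: bytes,
                 initiator_secret: bytes, challenge: bytes = None) -> dict:
    """Simulate one CHAP exchange between a target and an initiator and
    return the negotiated algorithm, wire values and the verification result."""
    alg = pick_algorithm(parse_chap_a(initiator_chap_a), target_policy)
    if alg is None:
        # No acceptable algorithm: target rejects the login instead of
        # silently falling back to MD5.
        return {"algorithm": None, "authenticated": False}
    ident = 0x2A                              # constructed CHAP_I value
    if challenge is None:
        challenge = os.urandom(16)            # CHAP_C: fresh target nonce
    wire_c = encode_binary(challenge)         # target -> initiator
    # Initiator answers with CHAP_R computed from its copy of the secret.
    resp = chap_response(alg, ident, initiator_secret, decode_binary(wire_c))
    wire_r = encode_binary(resp)              # initiator -> target
    # Target recomputes and compares in constant time.
    expected = chap_response(alg, ident, target_secret, challenge)
    ok = hmac.compare_digest(expected, decode_binary(wire_r))
    return {"algorithm": alg, "authenticated": ok, "CHAP_C": wire_c, "CHAP_R": wire_r}


if __name__ == "__main__":
    print(run_exchange("7,8,5", HARDENED_ALLOWED, b"s3cret", b"s3cret"))
    print(run_exchange("5", HARDENED_ALLOWED, b"s3cret", b"s3cret"))
```

With the hardened policy an initiator that offers only `CHAP_A=5` is refused outright, which is the observable behaviour the thread worries about for Windows and VMware initiators; an initiator that lists `7,8,5` negotiates SHA-256 and never touches MD5.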