From de70d712fb3db8796d6ef3b2e2beb0c3231c51e0 Mon Sep 17 00:00:00 2001 From: Shuhei Matsumoto Date: Fri, 12 Jan 2018 11:02:53 +0900 Subject: [PATCH] iscsi: Check CHAP params when a target is created by JSON-RPC When a target is created by iSCSI.conf, only valid CHAP params are passed to spdk_iscsi_tgt_node_construct(). When a target is created by JSON-RPC, help information encourages users to specify valid CHAP params but spdk_iscsi_tgt_node_construct() does not check CHAP params and users can create targets whose CHAP params are invalid. Change-Id: I7e9057a982f21f04782481cda74208a139c1fdad Signed-off-by: Shuhei Matsumoto Reviewed-on: https://review.gerrithub.io/394481 Tested-by: SPDK Automated Test System Reviewed-by: Jim Harris Reviewed-by: Ben Walker --- lib/iscsi/tgt_node.c | 22 ++++++++++-- test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c | 38 ++++++++++++++++++++ 2 files changed, 58 insertions(+), 2 deletions(-) diff --git a/lib/iscsi/tgt_node.c b/lib/iscsi/tgt_node.c index 5aa1275d8..f375fddf6 100644 --- a/lib/iscsi/tgt_node.c +++ b/lib/iscsi/tgt_node.c @@ -843,6 +843,24 @@ spdk_check_iscsi_name(const char *name) return 0; } +static bool +spdk_iscsi_check_chap_params(int disabled, int required, int mutual, int group) +{ + if (group < 0) { + SPDK_ERRLOG("Invalid auth group ID (%d)\n", group); + return false; + } + if ((disabled == 0 && required == 0 && mutual == 0) || /* Auto */ + (disabled == 1 && required == 0 && mutual == 0) || /* None */ + (disabled == 0 && required == 1 && mutual == 0) || /* CHAP */ + (disabled == 0 && required == 1 && mutual == 1)) { /* CHAP Mutual */ + return true; + } + SPDK_ERRLOG("Invalid combination of CHAP params (d=%d,r=%d,m=%d)\n", + disabled, required, mutual); + return false; +} + _spdk_iscsi_tgt_node * spdk_iscsi_tgt_node_construct(int target_index, const char *name, const char *alias, @@ -856,8 +874,8 @@ spdk_iscsi_tgt_node_construct(int target_index, struct spdk_iscsi_tgt_node *target; int rc; - if (auth_chap_disabled && auth_chap_required) { - SPDK_ERRLOG("auth_chap_disabled and auth_chap_required are mutually exclusive\n"); + if (!spdk_iscsi_check_chap_params(auth_chap_disabled, auth_chap_required, + auth_chap_mutual, auth_group)) { return NULL; } diff --git a/test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c b/test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c index 0f1793c7c..8b510aa3d 100644 --- a/test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c +++ b/test/unit/lib/iscsi/tgt_node.c/tgt_node_ut.c @@ -794,6 +794,43 @@ allow_iscsi_name_multi_maps_case(void) spdk_iscsi_tgt_node_delete_pg_map(&tgtnode, &pg2); } +/* + * static bool + * spdk_iscsi_check_chap_params(int auth_chap_disabled, int auth_chap_required, + * int auth_chap_mutual, int auth_group); + */ +static void +chap_param_test_cases(void) +{ + /* Auto */ + CU_ASSERT(spdk_iscsi_check_chap_params(0, 0, 0, 0) == true); + + /* None */ + CU_ASSERT(spdk_iscsi_check_chap_params(1, 0, 0, 0) == true); + + /* CHAP */ + CU_ASSERT(spdk_iscsi_check_chap_params(0, 1, 0, 0) == true); + + /* CHAP Mutual */ + CU_ASSERT(spdk_iscsi_check_chap_params(0, 1, 1, 0) == true); + + /* Check mutual exclusiveness of disabled and required */ + CU_ASSERT(spdk_iscsi_check_chap_params(1, 1, 0, 0) == false); + + /* Mutual requires Required */ + CU_ASSERT(spdk_iscsi_check_chap_params(0, 0, 1, 0) == false); + + /* Remaining combinations */ + CU_ASSERT(spdk_iscsi_check_chap_params(1, 0, 1, 0) == false); + CU_ASSERT(spdk_iscsi_check_chap_params(1, 1, 1, 0) == false); + + /* Valid auth group ID */ + CU_ASSERT(spdk_iscsi_check_chap_params(0, 0, 0, 1) == true); + + /* Invalid auth group ID */ + CU_ASSERT(spdk_iscsi_check_chap_params(0, 0, 0, -1) == false); +} + int main(int argc, char **argv) { @@ -834,6 +871,7 @@ main(int argc, char **argv) node_access_multi_initiator_groups_cases) == NULL || CU_add_test(suite, "allow iscsi name case", allow_iscsi_name_multi_maps_case) == NULL + || CU_add_test(suite, "chap param test cases", chap_param_test_cases) == NULL ) { CU_cleanup_registry(); return CU_get_error();