scsi: target: iscsi: Extract auth functions

Create functions that answers simple questions: Whether authentication is required, what credentials, whether connection is autenticated. Link: https://lore.kernel.org/r/20220523095905.26070-3-d.bogdanov@yadro.com Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com> Reviewed-by: Konstantin Shelekhin <k.shelekhin@yadro.com> Reviewed-by: Mike Christie <michael.christie@oracle.com> Reviewed-by: Lee Duncan <lduncan@suse.com> Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
2025-03-06 20:59:54 +01:00 · 2022-05-23 12:59:04 +03:00 · 2022-05-23 12:59:04 +03:00 · a75fcb0912
commit a75fcb0912
parent a11b80692b
1 changed files with 93 additions and 49 deletions
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@ -94,6 +94,31 @@ int extract_param(
 	return 0;
 }
 static struct iscsi_node_auth *iscsi_get_node_auth(struct iscsit_conn *conn)
 {
 	struct iscsi_portal_group *tpg;
 	struct iscsi_node_acl *nacl;
 	struct se_node_acl *se_nacl;
 	if (conn->sess->sess_ops->SessionType)
 		return &iscsit_global->discovery_acl.node_auth;
 	se_nacl = conn->sess->se_sess->se_node_acl;
 	if (!se_nacl) {
 		pr_err("Unable to locate struct se_node_acl for CHAP auth\n");
 		return NULL;
 	}
 	if (se_nacl->dynamic_node_acl) {
 		tpg = to_iscsi_tpg(se_nacl->se_tpg);
 		return &tpg->tpg_demo_auth;
 	}
 	nacl = to_iscsi_nacl(se_nacl);
 	return &nacl->node_auth;
 }
 static u32 iscsi_handle_authentication(
 	struct iscsit_conn *conn,
 	char *in_buf,
@ -102,38 +127,11 @@ static u32 iscsi_handle_authentication(
 	int *out_length,
 	unsigned char *authtype)
 {
 	struct iscsit_session *sess = conn->sess;
 	struct iscsi_node_auth *auth;
 	struct iscsi_node_acl *nacl;
 	struct iscsi_portal_group *tpg;
 	struct se_node_acl *se_nacl;
-	if (!sess->sess_ops->SessionType) {
+	auth = iscsi_get_node_auth(conn);
-		/*
+	if (!auth)
 		 * For SessionType=Normal
 		 */
 		se_nacl = conn->sess->se_sess->se_node_acl;
 		if (!se_nacl) {
 			pr_err("Unable to locate struct se_node_acl for"
 					" CHAP auth\n");
 		return -1;
 		}
 		if (se_nacl->dynamic_node_acl) {
 			tpg = to_iscsi_tpg(se_nacl->se_tpg);
 			auth = &tpg->tpg_demo_auth;
 		} else {
 			nacl = to_iscsi_nacl(se_nacl);
 			auth = &nacl->node_auth;
 		}
 	} else {
 		/*
 		 * For SessionType=Discovery
 		 */
 		auth = &iscsit_global->discovery_acl.node_auth;
 	}
 	if (strstr("CHAP", authtype))
 		strcpy(conn->sess->auth_type, "CHAP");
@ -813,6 +811,37 @@ static int iscsi_target_do_authentication(
 	return 0;
 }
 static bool iscsi_conn_auth_required(struct iscsit_conn *conn)
 {
 	struct se_node_acl *se_nacl;
 	if (conn->sess->sess_ops->SessionType) {
 		/*
 		 * For SessionType=Discovery
 		 */
 		return conn->tpg->tpg_attrib.authentication;
 	}
 	/*
 	 * For SessionType=Normal
 	 */
 	se_nacl = conn->sess->se_sess->se_node_acl;
 	if (!se_nacl) {
 		pr_debug("Unknown ACL %s is trying to connect\n",
 			 se_nacl->initiatorname);
 		return true;
 	}
 	if (se_nacl->dynamic_node_acl) {
 		pr_debug("Dynamic ACL %s is trying to connect\n",
 			 se_nacl->initiatorname);
 		return conn->tpg->tpg_attrib.authentication;
 	}
 	pr_debug("Known ACL %s is trying to connect\n",
 		 se_nacl->initiatorname);
 	return conn->tpg->tpg_attrib.authentication;
 }
 static int iscsi_target_handle_csg_zero(
 	struct iscsit_conn *conn,
 	struct iscsi_login *login)
@ -874,22 +903,26 @@ static int iscsi_target_handle_csg_zero(
 		return -1;
 	if (!iscsi_check_negotiated_keys(conn->param_list)) {
-		if (conn->tpg->tpg_attrib.authentication &&
+		bool auth_required = iscsi_conn_auth_required(conn);
-		    !strncmp(param->value, NONE, 4)) {
+
 		if (auth_required) {
 			if (!strncmp(param->value, NONE, 4)) {
 				pr_err("Initiator sent AuthMethod=None but"
 				       " Target is enforcing iSCSI Authentication,"
 				       " login failed.\n");
-			iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR,
+				iscsit_tx_login_rsp(conn,
 						ISCSI_STATUS_CLS_INITIATOR_ERR,
 						ISCSI_LOGIN_STATUS_AUTH_FAILED);
 				return -1;
 			}
-		if (conn->tpg->tpg_attrib.authentication &&
+			if (!login->auth_complete)
 		    !login->auth_complete)
 				return 0;
-		if (strncmp(param->value, NONE, 4) && !login->auth_complete)
+			if (strncmp(param->value, NONE, 4) &&
 			    !login->auth_complete)
 				return 0;
 		}
 		if ((login_req->flags & ISCSI_FLAG_LOGIN_NEXT_STAGE1) &&
 		    (login_req->flags & ISCSI_FLAG_LOGIN_TRANSIT)) {
@ -904,6 +937,18 @@ do_auth:
 	return iscsi_target_do_authentication(conn, login);
 }
 static bool iscsi_conn_authenticated(struct iscsit_conn *conn,
 				     struct iscsi_login *login)
 {
 	if (!iscsi_conn_auth_required(conn))
 		return true;
 	if (login->auth_complete)
 		return true;
 	return false;
 }
 static int iscsi_target_handle_csg_one(struct iscsit_conn *conn, struct iscsi_login *login)
 {
 	int ret;
@ -947,8 +992,7 @@ static int iscsi_target_handle_csg_one(struct iscsit_conn *conn, struct iscsi_lo
 		return -1;
 	}
-	if (!login->auth_complete &&
+	if (!iscsi_conn_authenticated(conn, login)) {
 	     conn->tpg->tpg_attrib.authentication) {
 		pr_err("Initiator is requesting CSG: 1, has not been"
 		       " successfully authenticated, and the Target is"
 		       " enforcing iSCSI Authentication, login failed.\n");