Subject: Re: [PATCH 5/6] NetworkPkg/IScsiDxe: support SHA256 in CHAP
To: Laszlo Ersek, edk2-devel-groups-io
Cc: Jiaxin Wu, Philippe Mathieu-Daudé, Siyuan Fu
From: "Maciej Rabeda"
Date: Fri, 11 Jun 2021 13:54:55 +0200

Reviewed-by: Maciej Rabeda

On 08-Jun-21 15:06, Laszlo Ersek wrote:
> Insert a SHA256 CHAP_HASH structure at the start of "mChapHash".
>
> Update ISCSI_CHAP_MAX_DIGEST_SIZE to SHA256_DIGEST_SIZE (32).
>
> This enables the initiator and the target to negotiate SHA256 for CHAP, in
> preference to MD5.
>
> Cc: Jiaxin Wu
> Cc: Maciej Rabeda
> Cc: Philippe Mathieu-Daudé
> Cc: Siyuan Fu
> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=3355
> Signed-off-by: Laszlo Ersek
> ---
> NetworkPkg/IScsiDxe/IScsiCHAP.h | 3 ++-
> NetworkPkg/IScsiDxe/IScsiCHAP.c | 12 ++++++++++++
> 2 files changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.h b/NetworkPkg/IScsiDxe/IScsiCHAP.h > index 1e5cc0b287ed..e2df634c4e67 100644 > --- a/NetworkPkg/IScsiDxe/IScsiCHAP.h > +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.h
> @@ -6,44 +6,45 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > > #ifndef _ISCSI_CHAP_H_ > #define _ISCSI_CHAP_H_ > > #define ISCSI_AUTH_METHOD_CHAP "CHAP" > > #define ISCSI_KEY_CHAP_ALGORITHM "CHAP_A" > #define ISCSI_KEY_CHAP_IDENTIFIER "CHAP_I" > #define ISCSI_KEY_CHAP_CHALLENGE "CHAP_C" > #define ISCSI_KEY_CHAP_NAME "CHAP_N" > #define ISCSI_KEY_CHAP_RESPONSE "CHAP_R" > > // > // Identifiers of supported CHAP hash algorithms: > // https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9 > // > #define ISCSI_CHAP_ALGORITHM_MD5 5 > +#define ISCSI_CHAP_ALGORITHM_SHA256 7 > > // > // Byte count of the largest digest over the above-listed > // ISCSI_CHAP_ALGORITHM_* hash algorithms. > // > -#define ISCSI_CHAP_MAX_DIGEST_SIZE MD5_DIGEST_SIZE > +#define ISCSI_CHAP_MAX_DIGEST_SIZE SHA256_DIGEST_SIZE > > #define ISCSI_CHAP_STEP_ONE 1 > #define ISCSI_CHAP_STEP_TWO 2 > #define ISCSI_CHAP_STEP_THREE 3 > #define ISCSI_CHAP_STEP_FOUR 4 > > > #pragma pack(1) > > typedef struct _ISCSI_CHAP_AUTH_CONFIG_NVDATA { > UINT8 CHAPType; > CHAR8 CHAPName[ISCSI_CHAP_NAME_STORAGE]; > CHAR8 CHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; > CHAR8 ReverseCHAPName[ISCSI_CHAP_NAME_STORAGE]; > CHAR8 ReverseCHAPSecret[ISCSI_CHAP_SECRET_STORAGE]; > } ISCSI_CHAP_AUTH_CONFIG_NVDATA; > > #pragma pack() > > diff --git a/NetworkPkg/IScsiDxe/IScsiCHAP.c b/NetworkPkg/IScsiDxe/IScsiCHAP.c > index f02ada6444ce..2ce53c1ea4af 100644 > --- a/NetworkPkg/IScsiDxe/IScsiCHAP.c > +++ b/NetworkPkg/IScsiDxe/IScsiCHAP.c > @@ -1,36 +1,48 @@ > /** @file > This file is for Challenge-Handshake Authentication Protocol (CHAP) > Configuration. > > Copyright (c) 2004 - 2018, Intel Corporation. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > > #include "IScsiImpl.h" > > // > // Supported CHAP hash algorithms, mapped to sets of BaseCryptLib APIs and > // macros. CHAP_HASH structures at lower subscripts in the array are preferred > // by the initiator. > // > STATIC CONST CHAP_HASH mChapHash[] = { > + { > + ISCSI_CHAP_ALGORITHM_SHA256, > + SHA256_DIGEST_SIZE, > + Sha256GetContextSize, > + Sha256Init, > + Sha256Update, > + Sha256Final > + }, > + // > + // Keep the deprecated MD5 entry at the end of the array (making MD5 the > + // least preferred choice of the initiator). > + // > { > ISCSI_CHAP_ALGORITHM_MD5, > MD5_DIGEST_SIZE, > Md5GetContextSize, > Md5Init, > Md5Update, > Md5Final > }, > }; > > // > // Ordered list of mChapHash[*].Algorithm values. It is formatted for the > // CHAP_A= value string, by the IScsiCHAPInitHashList() function. It > // is sent by the initiator in ISCSI_CHAP_STEP_ONE. > // > STATIC CHAR8 mChapHashListString[ > 3 + // UINT8 identifier in > // decimal > (1 + 3) * (ARRAY_SIZE (mChapHash) - 1) + // comma prepended for
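
Review bot: In the IScsiCHAP.h hunk, ISCSI_CHAP_MAX_DIGEST_SIZE is still kept in step with the algorithm list by hand. The comment above it says it is the byte count of the largest digest over the ISCSI_CHAP_ALGORITHM_* entries, but nothing checks that, so a later, larger hash added to mChapHash without bumping the macro would leave anything sized by it too small. Consider a STATIC_ASSERT next to the definition (for example that MD5_DIGEST_SIZE does not exceed ISCSI_CHAP_MAX_DIGEST_SIZE), or a check over the digest size of every mChapHash element in IScsiCHAPInitHashList(), so the invariant fails loudly instead of relying on the comment.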
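
Review bot: In the IScsiCHAP.c hunk, the MD5 element stays in mChapHash unconditionally, so the initiator keeps offering ISCSI_CHAP_ALGORITHM_MD5 in the CHAP_A list it sends in ISCSI_CHAP_STEP_ONE, and the array order only expresses the initiator's preference. The new comment already calls MD5 deprecated; please state in the comment or the commit message that MD5 remains negotiable after this patch, and consider a build-time switch that leaves the MD5 element out on platforms that only connect to SHA256-capable targets.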