SCSI target development
 help / color / mirror / Atom feed
* [PATCH V3 0/3] iscsi: chap: introduce support for SHA1, SHA256 and SHA3-256
@ 2019-10-28 12:38 Maurizio Lombardi
  2019-11-06  3:26 ` Chris Leech
  2019-11-06  5:15 ` Martin K. Petersen
  0 siblings, 2 replies; 3+ messages in thread
From: Maurizio Lombardi @ 2019-10-28 12:38 UTC (permalink / raw)
  To: target-devel

iSCSI with the Challenge-Handshake Authentication Protocol is not FIPS compliant.
This is due to the fact that CHAP currently uses MD5 as the only supported
digest algorithm and MD5 is not allowed by FIPS.

When FIPS mode is enabled on the target server, the CHAP authentication
won't work because the target driver will be prevented from using the MD5 module.

Given that CHAP is agnostic regarding the algorithm it uses, this
patchset introduce support for three new alternatives: SHA1, SHA256 and SHA3-256.

They all have their protocol identifiers assigned by IANA:
https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xml#ppp-numbers-9

Initiator-side code for open-iscsi has already been merged:
https://github.com/open-iscsi/open-iscsi/pull/170

V2: adds SHA256
V3: rebased on top of 5.5/scsi-queue
    PATCH 3: renames initiatorchg_* variables to client_challenge_*

Maurizio Lombardi (3):
  target-iscsi: CHAP: add support to SHA1, SHA256 and SHA3-256 hash
    functions
  target-iscsi: tie the challenge length to the hash digest size
  target-iscsi: rename some variables to avoid confusion.

 drivers/target/iscsi/iscsi_target_auth.c | 235 +++++++++++++++--------
 drivers/target/iscsi/iscsi_target_auth.h |  17 +-
 2 files changed, 163 insertions(+), 89 deletions(-)

-- 
Maurizio Lombardi

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH V3 0/3] iscsi: chap: introduce support for SHA1, SHA256 and SHA3-256
  2019-10-28 12:38 [PATCH V3 0/3] iscsi: chap: introduce support for SHA1, SHA256 and SHA3-256 Maurizio Lombardi
@ 2019-11-06  3:26 ` Chris Leech
  2019-11-06  5:15 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Chris Leech @ 2019-11-06  3:26 UTC (permalink / raw)
  To: target-devel

On Mon, Oct 28, 2019 at 01:38:19PM +0100, Maurizio Lombardi wrote:
> iSCSI with the Challenge-Handshake Authentication Protocol is not FIPS compliant.
> This is due to the fact that CHAP currently uses MD5 as the only supported
> digest algorithm and MD5 is not allowed by FIPS.
> 
> When FIPS mode is enabled on the target server, the CHAP authentication
> won't work because the target driver will be prevented from using the MD5 module.
> 
> Given that CHAP is agnostic regarding the algorithm it uses, this
> patchset introduce support for three new alternatives: SHA1, SHA256 and SHA3-256.
> 
> They all have their protocol identifiers assigned by IANA:
> https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xml#ppp-numbers-9
> 
> Initiator-side code for open-iscsi has already been merged:
> https://github.com/open-iscsi/open-iscsi/pull/170
> 
> V2: adds SHA256
> V3: rebased on top of 5.5/scsi-queue
>     PATCH 3: renames initiatorchg_* variables to client_challenge_*
> 
> Maurizio Lombardi (3):
>   target-iscsi: CHAP: add support to SHA1, SHA256 and SHA3-256 hash
>     functions
>   target-iscsi: tie the challenge length to the hash digest size
>   target-iscsi: rename some variables to avoid confusion.
> 
>  drivers/target/iscsi/iscsi_target_auth.c | 235 +++++++++++++++--------
>  drivers/target/iscsi/iscsi_target_auth.h |  17 +-
>  2 files changed, 163 insertions(+), 89 deletions(-)
> 
> -- 

I've tested this latest version against the latest upstream Open-iSCSI
tools and verified that all of the new digest modes negotiate and
function for mutual CHAP authentication.

Tested-by: Chris Leech <cleech@redhat.com>

Note that configfs in 5.5/scsi-queue is currently broken and you can't
actually configure the target subsystem with first applying the patch 
"configfs: calculate the depth of parent item" from Honggang Li.

Also, I didn't actually put the target system into FIPS enforcing mode,
becuase that kernel failed to boot due to a FIPS self-test failure for
ofb(aes)

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH V3 0/3] iscsi: chap: introduce support for SHA1, SHA256 and SHA3-256
  2019-10-28 12:38 [PATCH V3 0/3] iscsi: chap: introduce support for SHA1, SHA256 and SHA3-256 Maurizio Lombardi
  2019-11-06  3:26 ` Chris Leech
@ 2019-11-06  5:15 ` Martin K. Petersen
  1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2019-11-06  5:15 UTC (permalink / raw)
  To: target-devel


Maurizio,

> Given that CHAP is agnostic regarding the algorithm it uses, this
> patchset introduce support for three new alternatives: SHA1, SHA256
> and SHA3-256.

Applied to 5.5/scsi-queue, thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2019-11-06  5:15 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-10-28 12:38 [PATCH V3 0/3] iscsi: chap: introduce support for SHA1, SHA256 and SHA3-256 Maurizio Lombardi
2019-11-06  3:26 ` Chris Leech
2019-11-06  5:15 ` Martin K. Petersen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox