From 9d36121534183195bd2892447ca07724013cef57 Mon Sep 17 00:00:00 2001

From: Chris Leech <cleech@redhat.com>

Date: Sun, 24 Nov 2019 13:51:09 -0800

Subject: [PATCH 1/1] configuration support for CHAP algorithms

Introduces support for preference lists in configuration files, and uses

that for the 'node.session.auth.chap_algs' setting.

This is also re-used for discovery authentication, rather than have two

different configurations.

---

 etc/iscsid.conf               |   7 ++

 libopeniscsiusr/default.c     |   3 +

 libopeniscsiusr/idbm.c        |  95 +++++++++++++++++++++++++

 libopeniscsiusr/idbm.h        |   9 +++

 libopeniscsiusr/idbm_fields.h |   1 +

 usr/auth.c                    |  64 ++++++++++++-----

 usr/auth.h                    |   3 +

 usr/config.h                  |   1 +

 usr/idbm.c                    | 126 ++++++++++++++++++++++++++++++----

 usr/idbm.h                    |   2 +

 usr/idbm_fields.h             |   1 +

 usr/initiator.h               |   1 +

 usr/initiator_common.c        |   2 +

 usr/login.c                   |  11 +++

 14 files changed, 294 insertions(+), 32 deletions(-)

diff --git a/etc/iscsid.conf b/etc/iscsid.conf

index 2f3a28c..420145b 100644

--- a/etc/iscsid.conf

+++ b/etc/iscsid.conf

@@ -57,6 +57,13 @@ node.leading_login = No

 # to CHAP. The default is None.

 #node.session.auth.authmethod = CHAP

+# To configure which CHAP algorithms to enable set

+# node.session.auth.chap_algs to a comma seperated list.

+# The algorithms should be listen with most prefered first.

+# Valid values are MD5, SHA1, SHA256, and SHA3-256.

+# The default is MD5.

+#node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5

+

 # To set a CHAP username and password for initiator

 # authentication by the target(s), uncomment the following lines:

 #node.session.auth.username = username

diff --git a/libopeniscsiusr/default.c b/libopeniscsiusr/default.c

index d01d892..d3b3da3 100644

--- a/libopeniscsiusr/default.c

+++ b/libopeniscsiusr/default.c

@@ -78,6 +78,9 @@ void _default_node(struct iscsi_node *node)

 	node->session.initial_login_retry_max = DEF_INITIAL_LOGIN_RETRIES_MAX;

 	node->session.reopen_max = DEF_SESSION_REOPEN_MAX;

 	node->session.auth.authmethod = 0;

+	/* TYPE_INT_LIST fields should be initialized to ~0 to indicate unset values */

+	memset(node->session.auth.chap_algs, ~0, sizeof(node->session.auth.chap_algs));

+	node->session.auth.chap_algs[0] = ISCSI_AUTH_CHAP_ALG_MD5;

 	node->session.auth.password_length = 0;

 	node->session.auth.password_in_length = 0;

 	node->session.err_tmo.abort_timeout = DEF_ABORT_TIMEO;

diff --git a/libopeniscsiusr/idbm.c b/libopeniscsiusr/idbm.c

index 342aab5..d1fc03d 100644

--- a/libopeniscsiusr/idbm.c

+++ b/libopeniscsiusr/idbm.c

@@ -73,6 +73,7 @@

 #define TYPE_INT32	6

 #define TYPE_INT64	7

 #define TYPE_BOOL	8

+#define TYPE_INT_LIST	9

 #define MAX_KEYS	256   /* number of keys total(including CNX_MAX) */

 #define NAME_MAXVAL	128   /* the maximum length of key name */

 #define VALUE_MAXVAL	256   /* the maximum length of 223 bytes in the RFC. */

@@ -248,6 +249,39 @@ do { \

 	_n++; \

 } while(0)

+#define ARRAY_LEN(x) ( sizeof(x) / sizeof((x)[0]) )

+

+/* Options list type, rather than matching a single value this populates an

+ * array with a list of values in user specified order.

+ * Requires a table matching config strings to values.

+ **/

+#define _rec_int_list(_key, _recs, _org, _name, _show, _tbl, _n, _mod) \

+do {\

+	_recs[_n].type = TYPE_INT_LIST; \

+	_strncpy(_recs[_n].name, _key, NAME_MAXVAL); \

+	for (unsigned int _i = 0; _i < ARRAY_LEN(_org->_name); _i++) { \

+		if (_org->_name[_i] != ~0UL) { \

+			for (unsigned int _j = 0; _j < ARRAY_LEN(_tbl); _j++) { \

+				if (_tbl[_j].value == _org->_name[_i]) { \

+					strcat(_recs[_n].value, _tbl[_j].name); \

+					strcat(_recs[_n].value, ","); \

+					break; \

+				} \

+			} \

+		} \

+	} \

+	/* delete traling ',' */ \

+	if (strrchr(_recs[_n].value, ',')) \

+		*strrchr(_recs[_n].value, ',') = '\0'; \

+	_recs[_n].data = &_org->_name; \

+	_recs[_n].data_len = sizeof(_org->_name); \

+	_recs[_n].visible = _show; \

+	_recs[_n].opts[0] = (void *)&_tbl; \

+	_recs[_n].numopts = ARRAY_LEN(_tbl); \

+	_recs[_n].can_modify = _mod; \

+	_n++; \

+} while(0)

+

 enum modify_mode {

 	_CANNOT_MODIFY,

 	_CAN_MODIFY,

@@ -557,6 +591,11 @@ void _idbm_node_print(struct iscsi_node *node, FILE *f, bool show_secret)

 	_idbm_recs_free(recs);

 }

+struct int_list_tbl {

+	const char *name;

+	unsigned int value;

+};

+

 static int _idbm_rec_update_param(struct iscsi_context *ctx,

 				  struct idbm_rec *recs, char *name,

 				  char *value, int line_number)

@@ -564,8 +603,14 @@ static int _idbm_rec_update_param(struct iscsi_context *ctx,

 	int rc = LIBISCSI_OK;

 	int i = 0;

 	int j = 0;

+	int k = 0;

 	int passwd_done = 0;

 	char passwd_len[8];

+	struct int_list_tbl *tbl = NULL;

+	char *tmp_value;

+	int *tmp_data;

+	bool *found;

+	char *token;

 	assert(ctx != NULL);

 	assert(recs != NULL);

@@ -642,6 +687,47 @@ setup_passwd_len:

 				else

 					goto unknown_value;

 				goto updated;

+			case TYPE_INT_LIST:

+				if (!recs[i].data)

+					continue;

+				tbl = (void *)recs[i].opts[0];

+				/* strsep is destructive, make a copy to work with */

+				tmp_value = strdup(value);

+				k = 0;

+				tmp_data = malloc(recs[i].data_len);

+				memset(tmp_data, ~0, recs[i].data_len);

+				found = calloc(recs[i].numopts, sizeof(bool));

+next_token:			while ((token = strsep(&tmp_value, ", \n"))) {

+					if (!strlen(token))

+						continue;

+					if ((k * (int)sizeof(int)) >= (recs[i].data_len)) {

+						_warn(ctx, "Too many values set for '%s'"

+						      ", continuing without processing them all",

+						      recs[i].name);

+						break;

+					}

+					for (j = 0; j < recs[i].numopts; j++) {

+						if (!strcmp(token, tbl[j].name)) {

+							if ((found[j])) {

+								_warn(ctx, "Ignoring repeated value '%s'"

+								      " for '%s'", token, recs[i].name);

+								goto next_token;

+							}

+							((unsigned *)tmp_data)[k++] = tbl[j].value;

+							found[j] = true;

+							goto next_token;

+						}

+					}

+					_warn(ctx, "Ignoring unknown value '%s'"

+					      " for '%s'", token, recs[i].name);

+				}

+				memcpy(recs[i].data, tmp_data, recs[i].data_len);

+				free(tmp_value);

+				free(tmp_data);

+				tmp_value = NULL;

+				tmp_data = NULL;

+				token = NULL;

+				goto updated;

 			default:

 unknown_value:

 				_error(ctx, "Got unknown data type %d "

@@ -881,6 +967,13 @@ void _idbm_free(struct idbm *db)

 	free(db);

 }

+static struct int_list_tbl chap_algs[] = {

+	{ "MD5", ISCSI_AUTH_CHAP_ALG_MD5 },

+	{ "SHA1", ISCSI_AUTH_CHAP_ALG_SHA1 },

+	{ "SHA256", ISCSI_AUTH_CHAP_ALG_SHA256 },

+	{ "SHA3-256", ISCSI_AUTH_CHAP_ALG_SHA3_256 },

+};

+

 static void _idbm_node_rec_link(struct iscsi_node *node, struct idbm_rec *recs)

 {

 	int num = 0;

@@ -943,6 +1036,8 @@ static void _idbm_node_rec_link(struct iscsi_node *node, struct idbm_rec *recs)

 	_rec_uint32(SESSION_PASSWORD_IN_LEN, recs, node,

 		    session.auth.password_in_length, IDBM_HIDE, num,

 		    _CAN_MODIFY);

+	_rec_int_list(SESSION_CHAP_ALGS, recs, node, session.auth.chap_algs,

+		IDBM_SHOW, chap_algs, num, _CAN_MODIFY);

 	_rec_int64(SESSION_REPLACEMENT_TMO, recs, node,

 		   session.tmo.replacement_timeout, IDBM_SHOW, num,

 		   _CAN_MODIFY);

diff --git a/libopeniscsiusr/idbm.h b/libopeniscsiusr/idbm.h

index c84d332..5a4d2fa 100644

--- a/libopeniscsiusr/idbm.h

+++ b/libopeniscsiusr/idbm.h

@@ -49,6 +49,14 @@ enum iscsi_auth_method {

 	ISCSI_AUTH_METHOD_CHAP,

 };

+enum iscsi_chap_algs {

+	ISCSI_AUTH_CHAP_ALG_MD5 = 5,

+	ISCSI_AUTH_CHAP_ALG_SHA1 = 6,

+	ISCSI_AUTH_CHAP_ALG_SHA256 = 7,

+	ISCSI_AUTH_CHAP_ALG_SHA3_256 = 8,

+	AUTH_CHAP_ALG_MAX_COUNT = 5,

+};

+

 enum iscsi_startup_type {

 	ISCSI_STARTUP_MANUAL,

 	ISCSI_STARTUP_AUTOMATIC,

@@ -93,6 +101,7 @@ struct iscsi_auth_config {

 	char					username_in[AUTH_STR_MAX_LEN];

 	unsigned char				password_in[AUTH_STR_MAX_LEN];

 	uint32_t				password_in_length;

+	unsigned int				chap_algs[AUTH_CHAP_ALG_MAX_COUNT];

 };

 /* all TCP options go in this structure.

diff --git a/libopeniscsiusr/idbm_fields.h b/libopeniscsiusr/idbm_fields.h

index 29a2090..8bf17b0 100644

--- a/libopeniscsiusr/idbm_fields.h

+++ b/libopeniscsiusr/idbm_fields.h

@@ -120,6 +120,7 @@

 #define SESSION_USERNAME_IN	"node.session.auth.username_in"

 #define SESSION_PASSWORD_IN	"node.session.auth.password_in"

 #define SESSION_PASSWORD_IN_LEN	"node.session.auth.password_in_length"

+#define SESSION_CHAP_ALGS	"node.session.auth.chap_algs"

 #define SESSION_REPLACEMENT_TMO	"node.session.timeo.replacement_timeout"

 #define SESSION_ABORT_TMO	"node.session.err_timeo.abort_timeout"

 #define SESSION_LU_RESET_TMO	"node.session.err_timeo.lu_reset_timeout"

diff --git a/usr/auth.c b/usr/auth.c

index 5c819c2..a222c53 100644

--- a/usr/auth.c

+++ b/usr/auth.c

@@ -1806,7 +1806,7 @@ acl_chk_chap_alg_list(unsigned int option_count, const int *option_list)

 	return 0;

 }

-static int

+int

 acl_set_chap_alg_list(struct iscsi_acl *client, unsigned int option_count,

 		      const int *option_list)

 {

@@ -1819,22 +1819,54 @@ acl_set_chap_alg_list(struct iscsi_acl *client, unsigned int option_count,

 }

 int

-acl_init_chap_digests(int *value_list) {

+acl_init_chap_digests(int *value_list, unsigned *chap_algs, int conf_count) {

 	EVP_MD_CTX *context = EVP_MD_CTX_new();

 	int i = 0;

-	if (EVP_DigestInit_ex(context, EVP_sha3_256(), NULL)) {

-		value_list[i++] = AUTH_CHAP_ALG_SHA3_256;

-	}

-	if (EVP_DigestInit_ex(context, EVP_sha256(), NULL)) {

-		value_list[i++] = AUTH_CHAP_ALG_SHA256;

-	}

-	if (EVP_DigestInit_ex(context, EVP_sha1(), NULL)) {

-		value_list[i++] = AUTH_CHAP_ALG_SHA1;

-	}

-	if (EVP_DigestInit_ex(context, EVP_md5(), NULL)) {

-		value_list[i++] = AUTH_CHAP_ALG_MD5;

+	for (int j = 0; j < conf_count; j++) {

+		switch (chap_algs[j]) {

+		case AUTH_CHAP_ALG_MD5:

+			if (EVP_DigestInit_ex(context, EVP_md5(), NULL)) {

+				value_list[i++] = AUTH_CHAP_ALG_MD5;

+			} else {

+				log_warning("Ignoring CHAP algorthm request for "

+				            "MD5 due to crypto lib configuration");

+			}

+			break;

+		case AUTH_CHAP_ALG_SHA1:

+			if (EVP_DigestInit_ex(context, EVP_sha1(), NULL)) {

+				value_list[i++] = AUTH_CHAP_ALG_SHA1;

+			} else {

+				log_warning("Ignoring CHAP algorthm request for "

+				            "SHA1 due to crypto lib configuration");

+			}

+			break;

+		case AUTH_CHAP_ALG_SHA256:

+			if (EVP_DigestInit_ex(context, EVP_sha256(), NULL)) {

+				value_list[i++] = AUTH_CHAP_ALG_SHA256;

+			} else {

+				log_warning("Ignoring CHAP algorthm request for "

+				            "SHA256 due to crypto lib configuration");

+			}

+			break;

+		case AUTH_CHAP_ALG_SHA3_256:

+			if (EVP_DigestInit_ex(context, EVP_sha3_256(), NULL)) {

+				value_list[i++] = AUTH_CHAP_ALG_SHA3_256;

+			} else {

+				log_warning("Ignoring CHAP algorthm request for "

+				            "SHA3-256 due to crypto lib configuration");

+			}

+			break;

+		case ~0:

+			/* unset value in array, just ignore */

+			break;

+		default:

+			log_warning("Ignoring unknown CHAP algorithm request "

+				    "'%d'", chap_algs[j]);

+			break;

+		}

 	}

+

 	return i;

 }

@@ -1926,12 +1958,6 @@ acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc)

 		return AUTH_STATUS_ERROR;

 	}

-	if (acl_set_chap_alg_list(client, acl_init_chap_digests(value_list),

-					value_list) != AUTH_STATUS_NO_ERROR) {

-		client->phase = AUTH_PHASE_ERROR;

-		return AUTH_STATUS_ERROR;

-	}

-

 	return AUTH_STATUS_NO_ERROR;

 }

diff --git a/usr/auth.h b/usr/auth.h

index f6dbbe4..16cdb24 100644

--- a/usr/auth.h

+++ b/usr/auth.h

@@ -271,6 +271,9 @@ extern int acl_send_transit_bit(struct iscsi_acl *client, int *value);

 extern int acl_set_user_name(struct iscsi_acl *client, const char *username);

 extern int acl_set_passwd(struct iscsi_acl *client,

 			  const unsigned char *pw_data, unsigned int pw_len);

+extern int acl_set_chap_alg_list(struct iscsi_acl *client, unsigned int option_count,

+		      const int *option_list);

+extern int acl_init_chap_digests(int *value_list, unsigned int *chap_algs, int count);

 extern int acl_set_auth_rmt(struct iscsi_acl *client, int auth_rmt);

 extern int acl_set_ip_sec(struct iscsi_acl *client, int ip_sec);

 extern int acl_get_dbg_status(struct iscsi_acl *client, int *value);

diff --git a/usr/config.h b/usr/config.h

index 250879d..79059ec 100644

--- a/usr/config.h

+++ b/usr/config.h

@@ -58,6 +58,7 @@ struct iscsi_auth_config {

 	char username_in[AUTH_STR_MAX_LEN];

 	unsigned char password_in[AUTH_STR_MAX_LEN];

 	unsigned int password_in_length;

+	unsigned int chap_algs[AUTH_CHAP_ALG_MAX_COUNT];

 };

 /* all per-connection timeouts go in this structure.

diff --git a/usr/idbm.c b/usr/idbm.c

index 0c6870c..749203a 100644

--- a/usr/idbm.c

+++ b/usr/idbm.c

@@ -51,6 +51,8 @@

 static struct idbm *db;

+#define ARRAY_LEN(x) ( sizeof(x) / sizeof((x)[0]) )

+

 #define __recinfo_str(_key, _info, _rec, _name, _show, _n, _mod) do { \

 	_info[_n].type = TYPE_STR; \

 	strlcpy(_info[_n].name, _key, NAME_MAXVAL); \

@@ -165,6 +167,42 @@ static struct idbm *db;

 	_n++; \

 } while(0)

+#define __recinfo_int_list(_key,_info,_rec,_name,_show,_tbl,_n,_mod) do { \

+	_info[_n].type = TYPE_INT_LIST; \

+	strlcpy(_info[_n].name, _key, NAME_MAXVAL); \

+	for(int _i = 0; _i < ARRAY_LEN(_rec->_name); _i++) { \

+		if (_rec->_name[_i] != ~0) { \

+			for (int _j = 0; _j < ARRAY_LEN(_tbl); _j++) { \

+				if (_tbl[_j].value == _rec->_name[_i]) { \

+					strcat(_info[_n].value, _tbl[_j].name); \

+					strcat(_info[_n].value, ","); \

+					break; \

+				} \

+			} \

+		} \

+	} \

+	/* delete trailing ',' */ \

+	if (strrchr(_info[_n].value, ',')) \

+		*strrchr(_info[_n].value, ',') = '\0'; \

+	_info[_n].data = &_rec->_name; \

+	_info[_n].data_len = sizeof(_rec->_name); \

+	_info[_n].visible = _show; \

+	_info[_n].opts[0] = (void *)&_tbl; \

+	_info[_n].numopts = ARRAY_LEN(_tbl); \

+	_info[_n].can_modify = _mod; \

+	_n++; \

+} while (0)

+

+static struct int_list_tbl {

+	const char *name;

+	int value;

+} chap_algs [] = {

+	{ "MD5", AUTH_CHAP_ALG_MD5 },

+	{ "SHA1", AUTH_CHAP_ALG_SHA1 },

+	{ "SHA256", AUTH_CHAP_ALG_SHA256 },

+	{ "SHA3-256", AUTH_CHAP_ALG_SHA3_256 },

+};

+

 static int idbm_remove_disc_to_node_link(node_rec_t *rec, char *portal);

 static void

@@ -199,6 +237,10 @@ idbm_recinfo_discovery(discovery_rec_t *r, recinfo_t *ri)

 		__recinfo_int(DISC_ST_PASSWORD_IN_LEN, ri, r,

 			u.sendtargets.auth.password_in_length, IDBM_HIDE,

 			num, 1);

+		/* reusing SESSION_CHAP_ALGS */

+		__recinfo_int_list(SESSION_CHAP_ALGS, ri, r,

+				   u.sendtargets.auth.chap_algs,

+				   IDBM_SHOW, chap_algs, num, 1);

 		__recinfo_int(DISC_ST_LOGIN_TMO, ri, r,

 			u.sendtargets.conn_timeo.login_timeout,

 			IDBM_SHOW, num, 1);

@@ -431,6 +473,8 @@ idbm_recinfo_node(node_rec_t *r, recinfo_t *ri)

 		      session.auth.password_in, IDBM_MASKED, num, 1);

 	__recinfo_int(SESSION_PASSWORD_IN_LEN, ri, r,

 		      session.auth.password_in_length, IDBM_HIDE, num, 1);

+	__recinfo_int_list(SESSION_CHAP_ALGS, ri, r,

+			   session.auth.chap_algs, IDBM_SHOW, chap_algs, num, 1);

 	__recinfo_int(SESSION_REPLACEMENT_TMO, ri, r,

 		      session.timeo.replacement_timeout,

 		      IDBM_SHOW, num, 1);

@@ -940,6 +984,9 @@ idbm_discovery_setup_defaults(discovery_rec_t *rec, discovery_type_e type)

 		rec->u.sendtargets.auth.authmethod = 0;

 		rec->u.sendtargets.auth.password_length = 0;

 		rec->u.sendtargets.auth.password_in_length = 0;

+		/* TYPE_INT_LIST fields should be initialized to ~0 to indicate unset values */

+		memset(rec->u.sendtargets.auth.chap_algs, ~0, sizeof(rec->u.sendtargets.auth.chap_algs));

+		rec->u.sendtargets.auth.chap_algs[0] = AUTH_CHAP_ALG_MD5;

 		rec->u.sendtargets.conn_timeo.login_timeout=15;

 		rec->u.sendtargets.conn_timeo.auth_timeout = 45;

 		rec->u.sendtargets.conn_timeo.active_timeout=30;

@@ -973,59 +1020,109 @@ int idbm_rec_update_param(recinfo_t *info, char *name, char *value,

 	int i;

 	int passwd_done = 0;

 	char passwd_len[8];

+	char *tmp_value, *token;

+	bool *found;

+	int *tmp_data;

 setup_passwd_len:

 	for (i=0; i

 		if (!strcmp(name, info[i].name)) {

-			int j;

+			int j,k;

+			struct int_list_tbl *tbl;

 			log_debug(7, "updated '%s', '%s' => '%s'", name,

 				  info[i].value, value);

 			/* parse recinfo by type */

-			if (info[i].type == TYPE_INT) {

+			switch (info[i].type) {

+			case TYPE_INT:

 				if (!info[i].data)

 					continue;

 				*(int*)info[i].data =

 					strtoul(value, NULL, 10);

 				goto updated;

-			} else if (info[i].type == TYPE_UINT8) {

+			case TYPE_UINT8:

 				if (!info[i].data)

 					continue;

 				*(uint8_t *)info[i].data =

 					strtoul(value, NULL, 10);

 				goto updated;

-			} else if (info[i].type == TYPE_UINT16) {

+			case TYPE_UINT16:

 				if (!info[i].data)

 					continue;

 				*(uint16_t *)info[i].data =

 					strtoul(value, NULL, 10);

 				goto updated;

-			} else if (info[i].type == TYPE_UINT32) {

+			case TYPE_UINT32:

 				if (!info[i].data)

 					continue;

 				*(uint32_t *)info[i].data =

 					strtoul(value, NULL, 10);

 				goto updated;

-			} else if (info[i].type == TYPE_STR) {

+			case TYPE_STR:

 				if (!info[i].data)

 					continue;

 				strlcpy((char*)info[i].data,

 					value, info[i].data_len);

 				goto updated;

-			}

-			for (j=0; j

-				if (!strcmp(value, info[i].opts[j])) {

-					if (!info[i].data)

+			case TYPE_INT_O:

+				for (j=0; j

+					if (!strcmp(value, info[i].opts[j])) {

+						if (!info[i].data)

+							continue;

+

+						*(int*)info[i].data = j;

+						goto updated;

+					}

+				}

+			case TYPE_INT_LIST:

+				if (!info[i].data)

+					continue;

+				tbl = (void *)info[i].opts[0];

+				/* strsep is destructive, make a copy to work with */

+				tmp_value = strdup(value);

+				k = 0;

+				tmp_data = malloc(info[i].data_len);

+				memset(tmp_data, ~0, info[i].data_len);

+				found = calloc(info[i].numopts, sizeof(bool));

+

+next_token:			while ((token = strsep(&tmp_value, ", \n"))) {

+					if (!strlen(token))

 						continue;

-

-					*(int*)info[i].data = j;

-					goto updated;

+					if ((k * (int)sizeof(int)) >= (info[i].data_len)) {

+						log_warning("Too many values set for '%s'"

+						            ", continuing without processing them all",

+						            info[i].name);

+						break;

+					}

+					for (j = 0; j < info[i].numopts; j++) {

+						if (!strcmp(token, tbl[j].name)) {

+							if ((found[j])) {

+								log_warning("Ignoring repeated "

+								            "value '%s' "

+								            "for '%s'", token,

+								            info[i].name);

+								goto next_token;

+							}

+							((int*)tmp_data)[k++] = tbl[j].value;

+							found[j] = true;

+							goto next_token;

+						}

+					}

+					log_warning("Ignoring unknown value '%s'"

+					            " for '%s'", token, info[i].name);

 				}

+				memcpy(info[i].data, tmp_data, info[i].data_len);

+				free(tmp_value);

+				free(tmp_data);

+				tmp_value = NULL;

+				tmp_data = NULL;

+				token = NULL;

+				goto updated;

 			}

 			if (line_number) {

 				log_warning("config file line %d contains "

@@ -3098,6 +3195,9 @@ void idbm_node_setup_defaults(node_rec_t *rec)

 	rec->session.initial_login_retry_max = DEF_INITIAL_LOGIN_RETRIES_MAX;

 	rec->session.reopen_max = DEF_SESSION_REOPEN_MAX;

 	rec->session.auth.authmethod = 0;

+	/* TYPE_INT_LIST fields should be initialized to ~0 to indicate unset values */

+	memset(rec->session.auth.chap_algs, ~0, sizeof(rec->session.auth.chap_algs));

+	rec->session.auth.chap_algs[0] = AUTH_CHAP_ALG_MD5;

 	rec->session.auth.password_length = 0;

 	rec->session.auth.password_in_length = 0;

 	rec->session.err_timeo.abort_timeout = DEF_ABORT_TIMEO;

diff --git a/usr/idbm.h b/usr/idbm.h

index c6982e4..d1a7f63 100644

--- a/usr/idbm.h

+++ b/usr/idbm.h

@@ -46,6 +46,8 @@

 #define TYPE_UINT8	3

 #define TYPE_UINT16	4

 #define TYPE_UINT32	5

+#define TYPE_INT_LIST	6

+

 #define MAX_KEYS	256   /* number of keys total(including CNX_MAX) */

 #define NAME_MAXVAL	128   /* the maximum length of key name */

 #define VALUE_MAXVAL	256   /* the maximum length of 223 bytes in the RFC. */

diff --git a/usr/idbm_fields.h b/usr/idbm_fields.h

index 142c7ae..4a967fc 100644

--- a/usr/idbm_fields.h

+++ b/usr/idbm_fields.h

@@ -30,6 +30,7 @@

 #define SESSION_USERNAME_IN	"node.session.auth.username_in"

 #define SESSION_PASSWORD_IN	"node.session.auth.password_in"

 #define SESSION_PASSWORD_IN_LEN	"node.session.auth.password_in_length"

+#define SESSION_CHAP_ALGS	"node.session.auth.chap_algs"

 #define SESSION_REPLACEMENT_TMO	"node.session.timeo.replacement_timeout"

 #define SESSION_ABORT_TMO	"node.session.err_timeo.abort_timeout"

 #define SESSION_LU_RESET_TMO	"node.session.err_timeo.lu_reset_timeout"

diff --git a/usr/initiator.h b/usr/initiator.h

index eccafb9..6a49ea6 100644

--- a/usr/initiator.h

+++ b/usr/initiator.h

@@ -243,6 +243,7 @@ typedef struct iscsi_session {

 	char username_in[AUTH_STR_MAX_LEN];

 	uint8_t password_in[AUTH_STR_MAX_LEN];

 	int password_in_length;

+	unsigned int chap_algs[AUTH_CHAP_ALG_MAX_COUNT];

 	iscsi_conn_t conn[ISCSI_CONN_MAX];

 	uint64_t param_mask;

diff --git a/usr/initiator_common.c b/usr/initiator_common.c

index 790f13d..81da8fd 100644

--- a/usr/initiator_common.c

+++ b/usr/initiator_common.c

@@ -94,6 +94,8 @@ int iscsi_setup_authentication(struct iscsi_session *session,

 		memcpy(session->password_in, auth_cfg->password_in,

 		       session->password_in_length);

+	memcpy(session->chap_algs, auth_cfg->chap_algs, sizeof(auth_cfg->chap_algs));

+

 	if (session->password_length || session->password_in_length) {

 		/* setup the auth buffers */

 		session->auth_buffers[0].address = &session->auth_client_block;

diff --git a/usr/login.c b/usr/login.c

index d7dad21..1251e61 100644

--- a/usr/login.c

+++ b/usr/login.c

@@ -1262,6 +1262,17 @@ check_for_authentication(iscsi_session_t *session,

 		goto end;

 	}

+	int value_list[AUTH_CHAP_ALG_MAX_COUNT];

+

+	if (acl_set_chap_alg_list(auth_client,

+				acl_init_chap_digests(value_list,

+					session->chap_algs,

+					AUTH_CHAP_ALG_MAX_COUNT),

+				value_list) != AUTH_STATUS_NO_ERROR) {

+		log_error("Couldn't set CHAP algorithm list");

+		goto end;

+	}

+

 	if (acl_set_ip_sec(auth_client, 1) != AUTH_STATUS_NO_ERROR) {

 		log_error("Couldn't set IPSec");

 		goto end;

-- 

2.21.1