diff --git a/SOURCES/0199-use-Red-Hat-version-string-to-match-RPM-package-vers.patch b/SOURCES/0199-use-Red-Hat-version-string-to-match-RPM-package-vers.patch index a930370..a43f7f6 100644 --- a/SOURCES/0199-use-Red-Hat-version-string-to-match-RPM-package-vers.patch +++ b/SOURCES/0199-use-Red-Hat-version-string-to-match-RPM-package-vers.patch @@ -16,7 +16,7 @@ index 20f07946be1f..baa8c00c7185 100644 * some other maintainer could merge a patch without going through us */ -#define ISCSI_VERSION_STR "2.0-874" -+#define ISCSI_VERSION_STR "6.2.0.874-17" ++#define ISCSI_VERSION_STR "6.2.0.874-19" #define ISCSI_VERSION_FILE "/sys/module/scsi_transport_iscsi/version" #endif diff --git a/SOURCES/0500-CHAP-SHA-1-SHA-256-SHA3-256-via-OpenSSL-s-libcrypto.patch b/SOURCES/0500-CHAP-SHA-1-SHA-256-SHA3-256-via-OpenSSL-s-libcrypto.patch new file mode 100644 index 0000000..9724f5c --- /dev/null +++ b/SOURCES/0500-CHAP-SHA-1-SHA-256-SHA3-256-via-OpenSSL-s-libcrypto.patch @@ -0,0 +1,924 @@ +From 579f12dfa2dab3e2b7a3c02ee32ac624de644f58 Mon Sep 17 00:00:00 2001 +From: Chris Leech +Date: Thu, 13 Jun 2019 16:07:07 -0700 +Subject: [PATCH] CHAP SHA-1, SHA-256, SHA3-256 via OpenSSL's libcrypto + +Extended CHAP authentication modes using newer hash digest functions +than MD5. SHA-256 and SHA3-256 should be usable in FIPS-140 +environments for some time. + +These CHAP algorithms have been registered with IANA for this purpose. +https://www.iana.org/assignments/ppp-numbers/ppp-numbers.xhtml#ppp-numbers-9 + +Makes OpenSSL libcrypto use a requirement, replacing the in tree MD5 +implementation as well (and removing the unused SHA1 code). + +Signed-off-by: Chris Leech +(cherry picked from commit 48a4e5b475836bcb952fb53a8bde45bdf68fe38f) +--- + usr/Makefile | 6 +- + usr/auth.c | 157 ++++++++++++++++++++++++---------- + usr/auth.h | 11 ++- + usr/md5.c | 236 --------------------------------------------------- + usr/md5.h | 60 ------------- + usr/sha1.c | 167 ------------------------------------ + usr/sha1.h | 27 ------ + 7 files changed, 126 insertions(+), 538 deletions(-) + delete mode 100644 usr/md5.c + delete mode 100644 usr/md5.h + delete mode 100644 usr/sha1.c + delete mode 100644 usr/sha1.h + +diff --git a/usr/Makefile b/usr/Makefile +index 742a0fb..db40c3a 100644 +--- a/usr/Makefile ++++ b/usr/Makefile +@@ -45,8 +45,8 @@ PROGRAMS = iscsid iscsiadm iscsistart + # libc compat files + SYSDEPS_SRCS = $(sort $(wildcard ../utils/sysdeps/*.o)) + # sources shared between iscsid, iscsiadm and iscsistart +-ISCSI_LIB_SRCS = iscsi_util.o io.o auth.o iscsi_timer.o login.o log.o md5.o \ +- sha1.o iface.o idbm.o sysfs.o host.o session_info.o iscsi_sysfs.o \ ++ISCSI_LIB_SRCS = iscsi_util.o io.o auth.o iscsi_timer.o login.o log.o \ ++ iface.o idbm.o sysfs.o host.o session_info.o iscsi_sysfs.o \ + iscsi_net_util.o iscsid_req.o transport.o iser.o cxgbi.o be2iscsi.o \ + initiator_common.o iscsi_err.o flashnode.o uip_mgmt_ipc.o \ + $(IPC_OBJ) $(SYSDEPS_SRCS) +@@ -70,7 +70,7 @@ iscsiadm: $(ISCSI_LIB_SRCS) $(DISCOVERY_SRCS) iscsiadm.o session_mgmt.o mntcheck + + iscsistart: $(ISCSI_LIB_SRCS) $(INITIATOR_SRCS) $(FW_BOOT_SRCS) \ + iscsistart.o statics.o +- $(CC) $(CFLAGS) $^ -o $@ -lrt $(LDFLAGS) ++ $(CC) $(CFLAGS) $^ -o $@ -lcrypto -lrt $(LDFLAGS) + clean: + rm -f *.o $(PROGRAMS) .depend $(LIBSYS) + +diff --git a/usr/auth.c b/usr/auth.c +index e44a279..afb4ea3 100644 +--- a/usr/auth.c ++++ b/usr/auth.c +@@ -34,7 +34,6 @@ + #include "sysdeps.h" + #include "auth.h" + #include "initiator.h" +-#include "md5.h" + #include "log.h" + + static const char acl_hexstring[] = "0123456789abcdefABCDEF"; +@@ -43,9 +42,11 @@ static const char acl_base64_string[] = + static const char acl_authmethod_set_chap_alg_list[] = "CHAP"; + static const char acl_reject_option_name[] = "Reject"; + +-void auth_md5_init(struct MD5Context *); +-void auth_md5_update(struct MD5Context *, unsigned char *, unsigned int); +-void auth_md5_final(unsigned char *, struct MD5Context *); ++#include ++static int auth_hash_init(EVP_MD_CTX **context, int chap_alg); ++static void auth_hash_update(EVP_MD_CTX *context, unsigned char *md, unsigned int); ++static unsigned int auth_hash_final(unsigned char *, EVP_MD_CTX *context); ++ + void get_random_bytes(unsigned char *data, unsigned int length); + size_t strlcpy(char *, const char *, size_t); + size_t strlcat(char *, const char *, size_t); +@@ -57,18 +58,19 @@ acl_chap_compute_rsp(struct iscsi_acl *client, int rmt_auth, unsigned int id, + unsigned char *response_data) + { + unsigned char id_data[1]; +- struct MD5Context context; ++ EVP_MD_CTX *context = NULL; + unsigned char out_data[AUTH_STR_MAX_LEN]; + unsigned int out_length = AUTH_STR_MAX_LEN; + + if (!client->passwd_present) + return AUTH_DBG_STATUS_LOCAL_PASSWD_NOT_SET; + +- auth_md5_init(&context); ++ if (auth_hash_init(&context, client->negotiated_chap_alg) != 0) ++ return AUTH_DBG_STATUS_AUTH_FAIL; + + /* id byte */ + id_data[0] = id; +- auth_md5_update(&context, id_data, 1); ++ auth_hash_update(context, id_data, 1); + + /* decrypt password */ + if (acl_data(out_data, &out_length, client->passwd_data, +@@ -79,15 +81,15 @@ acl_chap_compute_rsp(struct iscsi_acl *client, int rmt_auth, unsigned int id, + return AUTH_DBG_STATUS_PASSWD_TOO_SHORT_WITH_NO_IPSEC; + + /* shared secret */ +- auth_md5_update(&context, out_data, out_length); ++ auth_hash_update(context, out_data, out_length); + + /* clear decrypted password */ + memset(out_data, 0, AUTH_STR_MAX_LEN); + + /* challenge value */ +- auth_md5_update(&context, challenge_data, challenge_length); ++ auth_hash_update(context, challenge_data, challenge_length); + +- auth_md5_final(response_data, &context); ++ auth_hash_final(response_data, context); + + return AUTH_DBG_STATUS_NOT_SET; /* no error */ + } +@@ -103,8 +105,8 @@ acl_chap_auth_request(struct iscsi_acl *client, char *username, unsigned int id, + unsigned int rsp_length) + { + iscsi_session_t *session = client->session_handle; +- struct MD5Context context; +- unsigned char verify_data[16]; ++ EVP_MD_CTX *context = NULL; ++ unsigned char verify_data[client->chap_challenge_len]; + + /* the expected credentials are in the session */ + if (session->username_in == NULL) { +@@ -137,21 +139,22 @@ acl_chap_auth_request(struct iscsi_acl *client, char *username, unsigned int id, + return AUTH_STATUS_FAIL; + } + +- auth_md5_init(&context); ++ if (auth_hash_init(&context, client->negotiated_chap_alg) != 0) ++ return AUTH_STATUS_FAIL; + + /* id byte */ + verify_data[0] = id; +- auth_md5_update(&context, verify_data, 1); ++ auth_hash_update(context, verify_data, 1); + + /* shared secret */ +- auth_md5_update(&context, (unsigned char *)session->password_in, ++ auth_hash_update(context, (unsigned char *)session->password_in, + session->password_in_length); + + /* challenge value */ +- auth_md5_update(&context, (unsigned char *)challenge_data, ++ auth_hash_update(context, (unsigned char *)challenge_data, + challenge_length); + +- auth_md5_final(verify_data, &context); ++ auth_hash_final(verify_data, context); + + if (memcmp(response_data, verify_data, sizeof(verify_data)) == 0) { + log_debug(1, "initiator authenticated target %s", +@@ -164,23 +167,54 @@ acl_chap_auth_request(struct iscsi_acl *client, char *username, unsigned int id, + return AUTH_STATUS_FAIL; + } + +-void +-auth_md5_init(struct MD5Context *context) +-{ +- MD5Init(context); ++static int auth_hash_init(EVP_MD_CTX **context, int chap_alg) { ++ const EVP_MD *digest = NULL; ++ *context = EVP_MD_CTX_new(); ++ int rc; ++ ++ switch (chap_alg) { ++ case AUTH_CHAP_ALG_MD5: ++ digest = EVP_md5(); ++ break; ++ case AUTH_CHAP_ALG_SHA1: ++ digest = EVP_sha1(); ++ break; ++ case AUTH_CHAP_ALG_SHA256: ++ digest = EVP_sha256(); ++ break; ++ case AUTH_CHAP_ALG_SHA3_256: ++ digest = EVP_sha3_256(); ++ break; ++ } ++ ++ if (*context == NULL) ++ goto fail_context; ++ if (digest == NULL) ++ goto fail_digest; ++ rc = EVP_DigestInit_ex(*context, digest, NULL); ++ if (!rc) ++ goto fail_init; ++ ++ return 0; ++ ++fail_init: ++fail_digest: ++ EVP_MD_CTX_free(*context); ++ *context = NULL; ++fail_context: ++ return -1; + } + +-void +-auth_md5_update(struct MD5Context *context, unsigned char *data, +- unsigned int length) +-{ +- MD5Update(context, data, length); ++static void auth_hash_update(EVP_MD_CTX *context, unsigned char *data, unsigned int length) { ++ EVP_DigestUpdate(context, data, length); + } + +-void +-auth_md5_final(unsigned char *hash, struct MD5Context *context) +-{ +- MD5Final(hash, context); ++static unsigned int auth_hash_final(unsigned char *hash, EVP_MD_CTX *context) { ++ unsigned int md_len; ++ EVP_DigestFinal_ex(context, hash, &md_len); ++ EVP_MD_CTX_free(context); ++ context = NULL; ++ return md_len; + } + + void +@@ -301,6 +335,9 @@ static int + acl_chk_chap_alg_optn(int chap_algorithm) + { + if (chap_algorithm == AUTH_OPTION_NONE || ++ chap_algorithm == AUTH_CHAP_ALG_SHA3_256 || ++ chap_algorithm == AUTH_CHAP_ALG_SHA256 || ++ chap_algorithm == AUTH_CHAP_ALG_SHA1 || + chap_algorithm == AUTH_CHAP_ALG_MD5) + return 0; + +@@ -701,6 +738,20 @@ acl_chk_chap_alg_key(struct iscsi_acl *client) + if (number == (unsigned long)client->chap_alg_list[i]) + { + client->negotiated_chap_alg = number; ++ switch (number) { ++ case AUTH_CHAP_ALG_MD5: ++ client->chap_challenge_len = AUTH_CHAP_MD5_RSP_LEN; ++ break; ++ case AUTH_CHAP_ALG_SHA1: ++ client->chap_challenge_len = AUTH_CHAP_SHA1_RSP_LEN; ++ break; ++ case AUTH_CHAP_ALG_SHA256: ++ client->chap_challenge_len = AUTH_CHAP_SHA256_RSP_LEN; ++ break; ++ case AUTH_CHAP_ALG_SHA3_256: ++ client->chap_challenge_len = AUTH_CHAP_SHA3_256_RSP_LEN; ++ break; ++ } + return; + } + } +@@ -816,7 +867,7 @@ static void + acl_local_auth(struct iscsi_acl *client) + { + unsigned int chap_identifier; +- unsigned char response_data[AUTH_CHAP_RSP_LEN]; ++ unsigned char response_data[AUTH_CHAP_RSP_MAX]; + unsigned long number; + int status; + enum auth_dbg_status dbg_status; +@@ -848,7 +899,10 @@ acl_local_auth(struct iscsi_acl *client) + client->local_state = AUTH_LOCAL_STATE_ERROR; + client->dbg_status = AUTH_DBG_STATUS_CHAP_ALG_REJECT; + break; +- } else if (client->negotiated_chap_alg != AUTH_CHAP_ALG_MD5) { ++ } else if ((client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA3_256) && ++ (client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA256) && ++ (client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA1) && ++ (client->negotiated_chap_alg != AUTH_CHAP_ALG_MD5)) { + client->local_state = AUTH_LOCAL_STATE_ERROR; + client->dbg_status = AUTH_DBG_STATUS_CHAP_ALG_BAD; + break; +@@ -923,8 +977,8 @@ acl_local_auth(struct iscsi_acl *client) + break; + } + +- acl_data_to_text(response_data, +- AUTH_CHAP_RSP_LEN, client->scratch_key_value, ++ acl_data_to_text(response_data, client->chap_challenge_len, ++ client->scratch_key_value, + AUTH_STR_MAX_LEN); + acl_set_key_value(&client->send_key_block, + AUTH_KEY_TYPE_CHAP_RSP, +@@ -949,7 +1003,7 @@ acl_rmt_auth(struct iscsi_acl *client) + unsigned char id_data[1]; + unsigned char response_data[AUTH_STR_MAX_LEN]; + unsigned int rsp_len = AUTH_STR_MAX_LEN; +- unsigned char my_rsp_data[AUTH_CHAP_RSP_LEN]; ++ unsigned char my_rsp_data[AUTH_CHAP_RSP_MAX]; + int status; + enum auth_dbg_status dbg_status; + const char *chap_rsp_key_val; +@@ -1012,7 +1066,7 @@ acl_rmt_auth(struct iscsi_acl *client) + break; + } + +- if (rsp_len == AUTH_CHAP_RSP_LEN) { ++ if (rsp_len == client->chap_challenge_len) { + dbg_status = acl_chap_compute_rsp(client, 1, + client->send_chap_identifier, + client->send_chap_challenge.large_binary, +@@ -1021,7 +1075,7 @@ acl_rmt_auth(struct iscsi_acl *client) + + if (dbg_status == AUTH_DBG_STATUS_NOT_SET && + memcmp(my_rsp_data, response_data, +- AUTH_CHAP_RSP_LEN) == 0) { ++ client->chap_challenge_len) == 0) { + client->rmt_state = AUTH_RMT_STATE_ERROR; + client->dbg_status = AUTH_DBG_STATUS_PASSWD_IDENTICAL; + break; +@@ -1764,6 +1818,26 @@ acl_set_chap_alg_list(struct iscsi_acl *client, unsigned int option_count, + acl_chk_chap_alg_list); + } + ++int ++acl_init_chap_digests(int *value_list) { ++ EVP_MD_CTX *context = EVP_MD_CTX_new(); ++ int i = 0; ++ ++ if (EVP_DigestInit_ex(context, EVP_sha3_256(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_SHA3_256; ++ } ++ if (EVP_DigestInit_ex(context, EVP_sha256(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_SHA256; ++ } ++ if (EVP_DigestInit_ex(context, EVP_sha1(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_SHA1; ++ } ++ if (EVP_DigestInit_ex(context, EVP_md5(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_MD5; ++ } ++ return i; ++} ++ + int + acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc) + { +@@ -1772,7 +1846,7 @@ acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc) + struct auth_str_block *send_str_blk; + struct auth_large_binary *recv_chap_challenge; + struct auth_large_binary *send_chap_challenge; +- int value_list[2]; ++ int value_list[3]; + + if (buf_desc_count != 5 || !buff_desc) + return AUTH_STATUS_ERROR; +@@ -1825,7 +1899,6 @@ acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc) + client->node_type = (enum auth_node_type) node_type; + client->auth_rmt = 1; + client->passwd_present = 0; +- client->chap_challenge_len = AUTH_CHAP_RSP_LEN; + client->ip_sec = 0; + + client->phase = AUTH_PHASE_CONFIGURE; +@@ -1851,10 +1924,8 @@ acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc) + return AUTH_STATUS_ERROR; + } + +- value_list[0] = AUTH_CHAP_ALG_MD5; +- +- if (acl_set_chap_alg_list(client, 1, value_list) != +- AUTH_STATUS_NO_ERROR) { ++ if (acl_set_chap_alg_list(client, acl_init_chap_digests(value_list), ++ value_list) != AUTH_STATUS_NO_ERROR) { + client->phase = AUTH_PHASE_ERROR; + return AUTH_STATUS_ERROR; + } +diff --git a/usr/auth.h b/usr/auth.h +index 2cc3489..f6dbbe4 100644 +--- a/usr/auth.h ++++ b/usr/auth.h +@@ -29,7 +29,11 @@ enum { + AUTH_LARGE_BINARY_MAX_LEN = 1024, + AUTH_RECV_END_MAX_COUNT = 10, + ACL_SIGNATURE = 0x5984B2E3, +- AUTH_CHAP_RSP_LEN = 16, ++ AUTH_CHAP_MD5_RSP_LEN = 16, ++ AUTH_CHAP_SHA1_RSP_LEN = 20, ++ AUTH_CHAP_SHA256_RSP_LEN = 32, ++ AUTH_CHAP_SHA3_256_RSP_LEN = 32, ++ AUTH_CHAP_RSP_MAX = 32, + }; + + /* +@@ -61,7 +65,10 @@ enum { + AUTH_METHOD_MAX_COUNT = 2, + + AUTH_CHAP_ALG_MD5 = 5, +- AUTH_CHAP_ALG_MAX_COUNT = 2 ++ AUTH_CHAP_ALG_SHA1 = 6, ++ AUTH_CHAP_ALG_SHA256 = 7, ++ AUTH_CHAP_ALG_SHA3_256 = 8, ++ AUTH_CHAP_ALG_MAX_COUNT = 5 + }; + + enum auth_neg_role { +diff --git a/usr/md5.c b/usr/md5.c +deleted file mode 100644 +index ba6c86d..0000000 +--- a/usr/md5.c ++++ /dev/null +@@ -1,236 +0,0 @@ +-/* +- * This code implements the MD5 message-digest algorithm. +- * The algorithm is due to Ron Rivest. This code was +- * written by Colin Plumb in 1993, no copyright is claimed. +- * This code is in the public domain; do with it what you wish. +- * +- * Equivalent code is available from RSA Data Security, Inc. +- * This code has been tested against that, and is equivalent, +- * except that you don't need to include two pages of legalese +- * with every copy. +- * +- * To compute the message digest of a chunk of bytes, declare an +- * MD5Context structure, pass it to MD5Init, call MD5Update as +- * needed on buffers full of bytes, and then call MD5Final, which +- * will fill a supplied 16-byte array with the digest. +- * +- * Changed so as no longer to depend on Colin Plumb's `usual.h' header +- * definitions; now uses stuff from dpkg's config.h. +- * - Ian Jackson . +- * Still in the public domain. +- */ +- +-#include "md5.h" +- +-#ifdef WORDS_BIGENDIAN +-void +-byteSwap(UWORD32 *buf, unsigned words) +-{ +- md5byte *p = (md5byte *)buf; +- +- do { +- *buf++ = (UWORD32)((unsigned)p[3] << 8 | p[2]) << 16 | +- ((unsigned)p[1] << 8 | p[0]); +- p += 4; +- } while (--words); +-} +-#else +-#define byteSwap(buf,words) +-#endif +- +-/* +- * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious +- * initialization constants. +- */ +-void +-MD5Init(struct MD5Context *ctx) +-{ +- ctx->buf[0] = 0x67452301; +- ctx->buf[1] = 0xefcdab89; +- ctx->buf[2] = 0x98badcfe; +- ctx->buf[3] = 0x10325476; +- +- ctx->bytes[0] = 0; +- ctx->bytes[1] = 0; +-} +- +-/* +- * Update context to reflect the concatenation of another buffer full +- * of bytes. +- */ +-void +-MD5Update(struct MD5Context *ctx, md5byte const *buf, unsigned len) +-{ +- UWORD32 t; +- +- /* Update byte count */ +- +- t = ctx->bytes[0]; +- if ((ctx->bytes[0] = t + len) < t) +- ctx->bytes[1]++; /* Carry from low to high */ +- +- t = 64 - (t & 0x3f); /* Space available in ctx->in (at least 1) */ +- if (t > len) { +- memcpy((md5byte *)ctx->in + 64 - t, buf, len); +- return; +- } +- /* First chunk is an odd size */ +- memcpy((md5byte *)ctx->in + 64 - t, buf, t); +- byteSwap(ctx->in, 16); +- MD5Transform(ctx->buf, ctx->in); +- buf += t; +- len -= t; +- +- /* Process data in 64-byte chunks */ +- while (len >= 64) { +- memcpy(ctx->in, buf, 64); +- byteSwap(ctx->in, 16); +- MD5Transform(ctx->buf, ctx->in); +- buf += 64; +- len -= 64; +- } +- +- /* Handle any remaining bytes of data. */ +- memcpy(ctx->in, buf, len); +-} +- +-/* +- * Final wrapup - pad to 64-byte boundary with the bit pattern +- * 1 0* (64-bit count of bits processed, MSB-first) +- */ +-void +-MD5Final(md5byte digest[16], struct MD5Context *ctx) +-{ +- int count = ctx->bytes[0] & 0x3f; /* Number of bytes in ctx->in */ +- md5byte *p = (md5byte *)ctx->in + count; +- +- /* Set the first char of padding to 0x80. There is always room. */ +- *p++ = 0x80; +- +- /* Bytes of padding needed to make 56 bytes (-8..55) */ +- count = 56 - 1 - count; +- +- if (count < 0) { /* Padding forces an extra block */ +- memset(p, 0, count + 8); +- byteSwap(ctx->in, 16); +- MD5Transform(ctx->buf, ctx->in); +- p = (md5byte *)ctx->in; +- count = 56; +- } +- memset(p, 0, count); +- byteSwap(ctx->in, 14); +- +- /* Append length in bits and transform */ +- ctx->in[14] = ctx->bytes[0] << 3; +- ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29; +- MD5Transform(ctx->buf, ctx->in); +- +- byteSwap(ctx->buf, 4); +- memcpy(digest, ctx->buf, 16); +- memset(ctx, 0, sizeof(*ctx)); /* In case it's sensitive */ +-} +- +-#ifndef ASM_MD5 +- +-/* The four core functions - F1 is optimized somewhat */ +- +-/* #define F1(x, y, z) (x & y | ~x & z) */ +-#define F1(x, y, z) (z ^ (x & (y ^ z))) +-#define F2(x, y, z) F1(z, x, y) +-#define F3(x, y, z) (x ^ y ^ z) +-#define F4(x, y, z) (y ^ (x | ~z)) +- +-/* This is the central step in the MD5 algorithm. */ +-#define MD5STEP(f,w,x,y,z,in,s) \ +- (w += f(x,y,z) + in, w = (w<>(32-s)) + x) +- +-/* +- * The core of the MD5 algorithm, this alters an existing MD5 hash to +- * reflect the addition of 16 longwords of new data. MD5Update blocks +- * the data and converts bytes into longwords for this routine. +- */ +-void +-MD5Transform(UWORD32 buf[4], UWORD32 const in[16]) +-{ +- register UWORD32 a, b, c, d; +- +- a = buf[0]; +- b = buf[1]; +- c = buf[2]; +- d = buf[3]; +- +- MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7); +- MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12); +- MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17); +- MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22); +- MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7); +- MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12); +- MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17); +- MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22); +- MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7); +- MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12); +- MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17); +- MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22); +- MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7); +- MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12); +- MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17); +- MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22); +- +- MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5); +- MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9); +- MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14); +- MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); +- MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5); +- MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9); +- MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14); +- MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); +- MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5); +- MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9); +- MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14); +- MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20); +- MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5); +- MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); +- MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14); +- MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); +- +- MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4); +- MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11); +- MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16); +- MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23); +- MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4); +- MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); +- MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); +- MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23); +- MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4); +- MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11); +- MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16); +- MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23); +- MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4); +- MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11); +- MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); +- MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23); +- +- MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6); +- MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10); +- MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15); +- MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21); +- MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6); +- MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); +- MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15); +- MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21); +- MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); +- MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); +- MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15); +- MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21); +- MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6); +- MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10); +- MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); +- MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21); +- +- buf[0] += a; +- buf[1] += b; +- buf[2] += c; +- buf[3] += d; +-} +- +-#endif +diff --git a/usr/md5.h b/usr/md5.h +deleted file mode 100644 +index 100eecc..0000000 +--- a/usr/md5.h ++++ /dev/null +@@ -1,60 +0,0 @@ +-/* +- * This is the header file for the MD5 message-digest algorithm. +- * The algorithm is due to Ron Rivest. This code was +- * written by Colin Plumb in 1993, no copyright is claimed. +- * This code is in the public domain; do with it what you wish. +- * +- * Equivalent code is available from RSA Data Security, Inc. +- * This code has been tested against that, and is equivalent, +- * except that you don't need to include two pages of legalese +- * with every copy. +- * +- * To compute the message digest of a chunk of bytes, declare an +- * MD5Context structure, pass it to MD5Init, call MD5Update as +- * needed on buffers full of bytes, and then call MD5Final, which +- * will fill a supplied 16-byte array with the digest. +- * +- * Changed so as no longer to depend on Colin Plumb's `usual.h' +- * header definitions; now uses stuff from dpkg's config.h +- * - Ian Jackson . +- * Still in the public domain. +- */ +- +-#ifndef MD5_H +-#define MD5_H +- +-#include +-#include +-#include +-#include +-#if (__BYTE_ORDER == __BIG_ENDIAN) +-# define WORDS_BIGENDIAN 1 +-#endif +- +-typedef uint32_t UWORD32; +- +- +-#ifdef __cplusplus +-extern "C" { +-#endif +- +- +-#define md5byte unsigned char +- +-struct MD5Context { +- UWORD32 buf[4]; +- UWORD32 bytes[2]; +- UWORD32 in[16]; +-}; +- +-void MD5Init(struct MD5Context *context); +-void MD5Update(struct MD5Context *context, md5byte const *buf, unsigned len); +-void MD5Final(unsigned char digest[16], struct MD5Context *context); +-void MD5Transform(UWORD32 buf[4], UWORD32 const in[16]); +- +- +-#ifdef __cplusplus +-} +-#endif +- +-#endif /* !MD5_H */ +diff --git a/usr/sha1.c b/usr/sha1.c +deleted file mode 100644 +index 8285a5e..0000000 +--- a/usr/sha1.c ++++ /dev/null +@@ -1,167 +0,0 @@ +-/* +- * Cryptographic API. +- * +- * SHA1 Secure Hash Algorithm. +- * +- * Derived from cryptoapi implementation, adapted for in-place +- * scatterlist interface. Originally based on the public domain +- * implementation written by Steve Reid. +- * +- * Copyright (c) Alan Smithee. +- * Copyright (c) Andrew McDonald +- * Copyright (c) Jean-Francois Dive +- * +- * This program is free software; you can redistribute it and/or modify it +- * under the terms of the GNU General Public License as published by the Free +- * Software Foundation; either version 2 of the License, or (at your option) +- * any later version. +- * +- */ +-#include "sha1.h" +- +-#define SHA1_DIGEST_SIZE 20 +-#define SHA1_HMAC_BLOCK_SIZE 64 +- +-static inline uint32_t rol(uint32_t value, uint32_t bits) +-{ +- return (((value) << (bits)) | ((value) >> (32 - (bits)))); +-} +- +-/* blk0() and blk() perform the initial expand. */ +-/* I got the idea of expanding during the round function from SSLeay */ +-# define blk0(i) block32[i] +- +-#define blk(i) (block32[i&15] = rol(block32[(i+13)&15]^block32[(i+8)&15] \ +- ^block32[(i+2)&15]^block32[i&15],1)) +- +-/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ +-#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5); \ +- w=rol(w,30); +-#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5); \ +- w=rol(w,30); +-#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); +-#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5); \ +- w=rol(w,30); +-#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); +- +-/* Hash a single 512-bit block. This is the core of the algorithm. */ +-static void sha1_transform(uint32_t *state, const uint8_t *in) +-{ +- uint32_t a, b, c, d, e; +- uint32_t block32[16]; +- +- /* convert/copy data to workspace */ +- for (a = 0; a < sizeof(block32)/sizeof(uint32_t); a++) +- block32[a] = ntohl (((const uint32_t *)in)[a]); +- +- /* Copy context->state[] to working vars */ +- a = state[0]; +- b = state[1]; +- c = state[2]; +- d = state[3]; +- e = state[4]; +- +- /* 4 rounds of 20 operations each. Loop unrolled. */ +- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); +- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); +- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); +- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); +- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); +- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); +- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); +- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); +- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); +- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); +- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); +- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); +- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); +- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); +- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); +- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); +- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); +- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); +- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); +- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); +- /* Add the working vars back into context.state[] */ +- state[0] += a; +- state[1] += b; +- state[2] += c; +- state[3] += d; +- state[4] += e; +- /* Wipe variables */ +- a = b = c = d = e = 0; +- memset (block32, 0x00, sizeof block32); +-} +- +-void sha1_init(void *ctx) +-{ +- struct sha1_ctx *sctx = ctx; +- static const struct sha1_ctx initstate = { +- 0, +- { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 }, +- { 0, } +- }; +- +- *sctx = initstate; +-} +- +-void sha1_update(void *ctx, const uint8_t *data, unsigned int len) +-{ +- struct sha1_ctx *sctx = ctx; +- unsigned int i, j; +- +- j = (sctx->count >> 3) & 0x3f; +- sctx->count += len << 3; +- +- if ((j + len) > 63) { +- memcpy(&sctx->buffer[j], data, (i = 64-j)); +- sha1_transform(sctx->state, sctx->buffer); +- for ( ; i + 63 < len; i += 64) { +- sha1_transform(sctx->state, &data[i]); +- } +- j = 0; +- } +- else i = 0; +- memcpy(&sctx->buffer[j], &data[i], len - i); +-} +- +- +-/* Add padding and return the message digest. */ +-void sha1_final(void* ctx, uint8_t *out) +-{ +- struct sha1_ctx *sctx = ctx; +- uint32_t i, j, index, padlen; +- uint64_t t; +- uint8_t bits[8] = { 0, }; +- static const uint8_t padding[64] = { 0x80, }; +- +- t = sctx->count; +- bits[7] = 0xff & t; t>>=8; +- bits[6] = 0xff & t; t>>=8; +- bits[5] = 0xff & t; t>>=8; +- bits[4] = 0xff & t; t>>=8; +- bits[3] = 0xff & t; t>>=8; +- bits[2] = 0xff & t; t>>=8; +- bits[1] = 0xff & t; t>>=8; +- bits[0] = 0xff & t; +- +- /* Pad out to 56 mod 64 */ +- index = (sctx->count >> 3) & 0x3f; +- padlen = (index < 56) ? (56 - index) : ((64+56) - index); +- sha1_update(sctx, padding, padlen); +- +- /* Append length */ +- sha1_update(sctx, bits, sizeof bits); +- +- /* Store state in digest */ +- for (i = j = 0; i < 5; i++, j += 4) { +- uint32_t t2 = sctx->state[i]; +- out[j+3] = t2 & 0xff; t2>>=8; +- out[j+2] = t2 & 0xff; t2>>=8; +- out[j+1] = t2 & 0xff; t2>>=8; +- out[j ] = t2 & 0xff; +- } +- +- /* Wipe context */ +- memset(sctx, 0, sizeof *sctx); +-} +diff --git a/usr/sha1.h b/usr/sha1.h +deleted file mode 100644 +index af436b3..0000000 +--- a/usr/sha1.h ++++ /dev/null +@@ -1,27 +0,0 @@ +-/* +- * sha1.h - SHA1 Secure Hash Algorithm used for CHAP authentication. +- * copied from the Linux kernel's Cryptographic API and slightly adjusted to +- * fit IET's needs +- * +- * This file is (c) 2004 Xiranet Communications GmbH +- * and licensed under the GPL. +- */ +- +-#ifndef SHA1_H +-#define SHA1_H +- +-#include +-#include +-#include "types.h" +- +-struct sha1_ctx { +- uint64_t count; +- uint32_t state[5]; +- uint8_t buffer[64]; +-}; +- +-void sha1_init(void *ctx); +-void sha1_update(void *ctx, const uint8_t *data, unsigned int len); +-void sha1_final(void* ctx, uint8_t *out); +- +-#endif +-- +2.21.3 + diff --git a/SOURCES/0501-configuration-support-for-CHAP-algorithms.patch b/SOURCES/0501-configuration-support-for-CHAP-algorithms.patch new file mode 100644 index 0000000..2c2ef79 --- /dev/null +++ b/SOURCES/0501-configuration-support-for-CHAP-algorithms.patch @@ -0,0 +1,456 @@ +From 62741fb13c64bfe41ea45b353b1223a501d36c27 Mon Sep 17 00:00:00 2001 +From: Chris Leech +Date: Sun, 24 Nov 2019 13:51:09 -0800 +Subject: [PATCH] configuration support for CHAP algorithms + +Introduces support for preference lists in configuration files, and uses +that for the 'node.session.auth.chap_algs' setting. + +This is also re-used for discovery authentication, rather than have two +different configurations. + +(cherry picked from commit d3daa7a2bc3f5bca874d3efd072b34a657c4d492) +--- + etc/iscsid.conf | 7 +++ + usr/auth.c | 64 ++++++++++++++------- + usr/auth.h | 3 + + usr/config.h | 1 + + usr/idbm.c | 126 ++++++++++++++++++++++++++++++++++++----- + usr/idbm.h | 2 + + usr/idbm_fields.h | 1 + + usr/initiator.h | 1 + + usr/initiator_common.c | 2 + + usr/login.c | 11 ++++ + 10 files changed, 186 insertions(+), 32 deletions(-) + +diff --git a/etc/iscsid.conf b/etc/iscsid.conf +index 1af8ed2..82cc7d0 100644 +--- a/etc/iscsid.conf ++++ b/etc/iscsid.conf +@@ -56,6 +56,13 @@ node.leading_login = No + # to CHAP. The default is None. + #node.session.auth.authmethod = CHAP + ++# To configure which CHAP algorithms to enable set ++# node.session.auth.chap_algs to a comma seperated list. ++# The algorithms should be listen with most prefered first. ++# Valid values are MD5, SHA1, SHA256, and SHA3-256. ++# The default is MD5. ++#node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5 ++ + # To set a CHAP username and password for initiator + # authentication by the target(s), uncomment the following lines: + #node.session.auth.username = username +diff --git a/usr/auth.c b/usr/auth.c +index afb4ea3..ec934e6 100644 +--- a/usr/auth.c ++++ b/usr/auth.c +@@ -1806,7 +1806,7 @@ acl_chk_chap_alg_list(unsigned int option_count, const int *option_list) + return 0; + } + +-static int ++int + acl_set_chap_alg_list(struct iscsi_acl *client, unsigned int option_count, + const int *option_list) + { +@@ -1819,22 +1819,54 @@ acl_set_chap_alg_list(struct iscsi_acl *client, unsigned int option_count, + } + + int +-acl_init_chap_digests(int *value_list) { ++acl_init_chap_digests(int *value_list, unsigned *chap_algs, int conf_count) { + EVP_MD_CTX *context = EVP_MD_CTX_new(); + int i = 0; + +- if (EVP_DigestInit_ex(context, EVP_sha3_256(), NULL)) { +- value_list[i++] = AUTH_CHAP_ALG_SHA3_256; +- } +- if (EVP_DigestInit_ex(context, EVP_sha256(), NULL)) { +- value_list[i++] = AUTH_CHAP_ALG_SHA256; +- } +- if (EVP_DigestInit_ex(context, EVP_sha1(), NULL)) { +- value_list[i++] = AUTH_CHAP_ALG_SHA1; +- } +- if (EVP_DigestInit_ex(context, EVP_md5(), NULL)) { +- value_list[i++] = AUTH_CHAP_ALG_MD5; ++ for (int j = 0; j < conf_count; j++) { ++ switch (chap_algs[j]) { ++ case AUTH_CHAP_ALG_MD5: ++ if (EVP_DigestInit_ex(context, EVP_md5(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_MD5; ++ } else { ++ log_warning("Ignoring CHAP algorthm request for " ++ "MD5 due to crypto lib configuration"); ++ } ++ break; ++ case AUTH_CHAP_ALG_SHA1: ++ if (EVP_DigestInit_ex(context, EVP_sha1(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_SHA1; ++ } else { ++ log_warning("Ignoring CHAP algorthm request for " ++ "SHA1 due to crypto lib configuration"); ++ } ++ break; ++ case AUTH_CHAP_ALG_SHA256: ++ if (EVP_DigestInit_ex(context, EVP_sha256(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_SHA256; ++ } else { ++ log_warning("Ignoring CHAP algorthm request for " ++ "SHA256 due to crypto lib configuration"); ++ } ++ break; ++ case AUTH_CHAP_ALG_SHA3_256: ++ if (EVP_DigestInit_ex(context, EVP_sha3_256(), NULL)) { ++ value_list[i++] = AUTH_CHAP_ALG_SHA3_256; ++ } else { ++ log_warning("Ignoring CHAP algorthm request for " ++ "SHA3-256 due to crypto lib configuration"); ++ } ++ break; ++ case ~0: ++ /* unset value in array, just ignore */ ++ break; ++ default: ++ log_warning("Ignoring unknown CHAP algorithm request " ++ "'%d'", chap_algs[j]); ++ break; ++ } + } ++ + return i; + } + +@@ -1924,12 +1956,6 @@ acl_init(int node_type, int buf_desc_count, struct auth_buffer_desc *buff_desc) + return AUTH_STATUS_ERROR; + } + +- if (acl_set_chap_alg_list(client, acl_init_chap_digests(value_list), +- value_list) != AUTH_STATUS_NO_ERROR) { +- client->phase = AUTH_PHASE_ERROR; +- return AUTH_STATUS_ERROR; +- } +- + return AUTH_STATUS_NO_ERROR; + } + +diff --git a/usr/auth.h b/usr/auth.h +index f6dbbe4..16cdb24 100644 +--- a/usr/auth.h ++++ b/usr/auth.h +@@ -271,6 +271,9 @@ extern int acl_send_transit_bit(struct iscsi_acl *client, int *value); + extern int acl_set_user_name(struct iscsi_acl *client, const char *username); + extern int acl_set_passwd(struct iscsi_acl *client, + const unsigned char *pw_data, unsigned int pw_len); ++extern int acl_set_chap_alg_list(struct iscsi_acl *client, unsigned int option_count, ++ const int *option_list); ++extern int acl_init_chap_digests(int *value_list, unsigned int *chap_algs, int count); + extern int acl_set_auth_rmt(struct iscsi_acl *client, int auth_rmt); + extern int acl_set_ip_sec(struct iscsi_acl *client, int ip_sec); + extern int acl_get_dbg_status(struct iscsi_acl *client, int *value); +diff --git a/usr/config.h b/usr/config.h +index 8807c07..dfa4991 100644 +--- a/usr/config.h ++++ b/usr/config.h +@@ -58,6 +58,7 @@ struct iscsi_auth_config { + char username_in[AUTH_STR_MAX_LEN]; + unsigned char password_in[AUTH_STR_MAX_LEN]; + unsigned int password_in_length; ++ unsigned int chap_algs[AUTH_CHAP_ALG_MAX_COUNT]; + }; + + /* all per-connection timeouts go in this structure. +diff --git a/usr/idbm.c b/usr/idbm.c +index f47ff28..a9c7b40 100644 +--- a/usr/idbm.c ++++ b/usr/idbm.c +@@ -49,6 +49,8 @@ + + static struct idbm *db; + ++#define ARRAY_LEN(x) ( sizeof(x) / sizeof((x)[0]) ) ++ + #define __recinfo_str(_key, _info, _rec, _name, _show, _n, _mod) do { \ + _info[_n].type = TYPE_STR; \ + strlcpy(_info[_n].name, _key, NAME_MAXVAL); \ +@@ -163,6 +165,42 @@ static struct idbm *db; + _n++; \ + } while(0) + ++#define __recinfo_int_list(_key,_info,_rec,_name,_show,_tbl,_n,_mod) do { \ ++ _info[_n].type = TYPE_INT_LIST; \ ++ strlcpy(_info[_n].name, _key, NAME_MAXVAL); \ ++ for(int _i = 0; _i < ARRAY_LEN(_rec->_name); _i++) { \ ++ if (_rec->_name[_i] != ~0) { \ ++ for (int _j = 0; _j < ARRAY_LEN(_tbl); _j++) { \ ++ if (_tbl[_j].value == _rec->_name[_i]) { \ ++ strcat(_info[_n].value, _tbl[_j].name); \ ++ strcat(_info[_n].value, ","); \ ++ break; \ ++ } \ ++ } \ ++ } \ ++ } \ ++ /* delete trailing ',' */ \ ++ if (strrchr(_info[_n].value, ',')) \ ++ *strrchr(_info[_n].value, ',') = '\0'; \ ++ _info[_n].data = &_rec->_name; \ ++ _info[_n].data_len = sizeof(_rec->_name); \ ++ _info[_n].visible = _show; \ ++ _info[_n].opts[0] = (void *)&_tbl; \ ++ _info[_n].numopts = ARRAY_LEN(_tbl); \ ++ _info[_n].can_modify = _mod; \ ++ _n++; \ ++} while (0) ++ ++static struct int_list_tbl { ++ const char *name; ++ int value; ++} chap_algs [] = { ++ { "MD5", AUTH_CHAP_ALG_MD5 }, ++ { "SHA1", AUTH_CHAP_ALG_SHA1 }, ++ { "SHA256", AUTH_CHAP_ALG_SHA256 }, ++ { "SHA3-256", AUTH_CHAP_ALG_SHA3_256 }, ++}; ++ + static int idbm_remove_disc_to_node_link(node_rec_t *rec, char *portal); + + static void +@@ -197,6 +235,10 @@ idbm_recinfo_discovery(discovery_rec_t *r, recinfo_t *ri) + __recinfo_int(DISC_ST_PASSWORD_IN_LEN, ri, r, + u.sendtargets.auth.password_in_length, IDBM_HIDE, + num, 1); ++ /* reusing SESSION_CHAP_ALGS */ ++ __recinfo_int_list(SESSION_CHAP_ALGS, ri, r, ++ u.sendtargets.auth.chap_algs, ++ IDBM_SHOW, chap_algs, num, 1); + __recinfo_int(DISC_ST_LOGIN_TMO, ri, r, + u.sendtargets.conn_timeo.login_timeout, + IDBM_SHOW, num, 1); +@@ -427,6 +469,8 @@ idbm_recinfo_node(node_rec_t *r, recinfo_t *ri) + session.auth.password_in, IDBM_MASKED, num, 1); + __recinfo_int(SESSION_PASSWORD_IN_LEN, ri, r, + session.auth.password_in_length, IDBM_HIDE, num, 1); ++ __recinfo_int_list(SESSION_CHAP_ALGS, ri, r, ++ session.auth.chap_algs, IDBM_SHOW, chap_algs, num, 1); + __recinfo_int(SESSION_REPLACEMENT_TMO, ri, r, + session.timeo.replacement_timeout, + IDBM_SHOW, num, 1); +@@ -932,6 +976,9 @@ idbm_discovery_setup_defaults(discovery_rec_t *rec, discovery_type_e type) + rec->u.sendtargets.auth.authmethod = 0; + rec->u.sendtargets.auth.password_length = 0; + rec->u.sendtargets.auth.password_in_length = 0; ++ /* TYPE_INT_LIST fields should be initialized to ~0 to indicate unset values */ ++ memset(rec->u.sendtargets.auth.chap_algs, ~0, sizeof(rec->u.sendtargets.auth.chap_algs)); ++ rec->u.sendtargets.auth.chap_algs[0] = AUTH_CHAP_ALG_MD5; + rec->u.sendtargets.conn_timeo.login_timeout=15; + rec->u.sendtargets.conn_timeo.auth_timeout = 45; + rec->u.sendtargets.conn_timeo.active_timeout=30; +@@ -965,59 +1012,109 @@ int idbm_rec_update_param(recinfo_t *info, char *name, char *value, + int i; + int passwd_done = 0; + char passwd_len[8]; ++ char *tmp_value, *token; ++ bool *found; ++ int *tmp_data; + + setup_passwd_len: + for (i=0; i '%s'", name, + info[i].value, value); + /* parse recinfo by type */ +- if (info[i].type == TYPE_INT) { ++ switch (info[i].type) { ++ case TYPE_INT: + if (!info[i].data) + continue; + + *(int*)info[i].data = + strtoul(value, NULL, 10); + goto updated; +- } else if (info[i].type == TYPE_UINT8) { ++ case TYPE_UINT8: + if (!info[i].data) + continue; + + *(uint8_t *)info[i].data = + strtoul(value, NULL, 10); + goto updated; +- } else if (info[i].type == TYPE_UINT16) { ++ case TYPE_UINT16: + if (!info[i].data) + continue; + + *(uint16_t *)info[i].data = + strtoul(value, NULL, 10); + goto updated; +- } else if (info[i].type == TYPE_UINT32) { ++ case TYPE_UINT32: + if (!info[i].data) + continue; + + *(uint32_t *)info[i].data = + strtoul(value, NULL, 10); + goto updated; +- } else if (info[i].type == TYPE_STR) { ++ case TYPE_STR: + if (!info[i].data) + continue; + + strlcpy((char*)info[i].data, + value, info[i].data_len); + goto updated; +- } +- for (j=0; j= (info[i].data_len)) { ++ log_warning("Too many values set for '%s'" ++ ", continuing without processing them all", ++ info[i].name); ++ break; ++ } ++ for (j = 0; j < info[i].numopts; j++) { ++ if (!strcmp(token, tbl[j].name)) { ++ if ((found[j])) { ++ log_warning("Ignoring repeated " ++ "value '%s' " ++ "for '%s'", token, ++ info[i].name); ++ goto next_token; ++ } ++ ((int*)tmp_data)[k++] = tbl[j].value; ++ found[j] = true; ++ goto next_token; ++ } ++ } ++ log_warning("Ignoring unknown value '%s'" ++ " for '%s'", token, info[i].name); + } ++ memcpy(info[i].data, tmp_data, info[i].data_len); ++ free(tmp_value); ++ free(tmp_data); ++ tmp_value = NULL; ++ tmp_data = NULL; ++ token = NULL; ++ goto updated; + } + if (line_number) { + log_warning("config file line %d contains " +@@ -3098,6 +3195,9 @@ void idbm_node_setup_defaults(node_rec_t *rec) + rec->session.initial_login_retry_max = DEF_INITIAL_LOGIN_RETRIES_MAX; + rec->session.reopen_max = 32; + rec->session.auth.authmethod = 0; ++ /* TYPE_INT_LIST fields should be initialized to ~0 to indicate unset values */ ++ memset(rec->session.auth.chap_algs, ~0, sizeof(rec->session.auth.chap_algs)); ++ rec->session.auth.chap_algs[0] = AUTH_CHAP_ALG_MD5; + rec->session.auth.password_length = 0; + rec->session.auth.password_in_length = 0; + rec->session.err_timeo.abort_timeout = DEF_ABORT_TIMEO; +diff --git a/usr/idbm.h b/usr/idbm.h +index cb5dd8f..65ea876 100644 +--- a/usr/idbm.h ++++ b/usr/idbm.h +@@ -46,6 +46,8 @@ + #define TYPE_UINT8 3 + #define TYPE_UINT16 4 + #define TYPE_UINT32 5 ++#define TYPE_INT_LIST 6 ++ + #define MAX_KEYS 256 /* number of keys total(including CNX_MAX) */ + #define NAME_MAXVAL 128 /* the maximum length of key name */ + #define VALUE_MAXVAL 256 /* the maximum length of 223 bytes in the RFC. */ +diff --git a/usr/idbm_fields.h b/usr/idbm_fields.h +index 4a92758..8749ef7 100644 +--- a/usr/idbm_fields.h ++++ b/usr/idbm_fields.h +@@ -30,6 +30,7 @@ + #define SESSION_USERNAME_IN "node.session.auth.username_in" + #define SESSION_PASSWORD_IN "node.session.auth.password_in" + #define SESSION_PASSWORD_IN_LEN "node.session.auth.password_in_length" ++#define SESSION_CHAP_ALGS "node.session.auth.chap_algs" + #define SESSION_REPLACEMENT_TMO "node.session.timeo.replacement_timeout" + #define SESSION_ABORT_TMO "node.session.err_timeo.abort_timeout" + #define SESSION_LU_RESET_TMO "node.session.err_timeo.lu_reset_timeout" +diff --git a/usr/initiator.h b/usr/initiator.h +index 3ee1454..01caf3f 100644 +--- a/usr/initiator.h ++++ b/usr/initiator.h +@@ -243,6 +243,7 @@ typedef struct iscsi_session { + char username_in[AUTH_STR_MAX_LEN]; + uint8_t password_in[AUTH_STR_MAX_LEN]; + int password_in_length; ++ unsigned int chap_algs[AUTH_CHAP_ALG_MAX_COUNT]; + iscsi_conn_t conn[ISCSI_CONN_MAX]; + uint64_t param_mask; + +diff --git a/usr/initiator_common.c b/usr/initiator_common.c +index d00bd9e..7cb45bc 100644 +--- a/usr/initiator_common.c ++++ b/usr/initiator_common.c +@@ -94,6 +94,8 @@ int iscsi_setup_authentication(struct iscsi_session *session, + memcpy(session->password_in, auth_cfg->password_in, + session->password_in_length); + ++ memcpy(session->chap_algs, auth_cfg->chap_algs, sizeof(auth_cfg->chap_algs)); ++ + if (session->password_length || session->password_in_length) { + /* setup the auth buffers */ + session->auth_buffers[0].address = &session->auth_client_block; +diff --git a/usr/login.c b/usr/login.c +index d7dad21..1251e61 100644 +--- a/usr/login.c ++++ b/usr/login.c +@@ -1262,6 +1262,17 @@ check_for_authentication(iscsi_session_t *session, + goto end; + } + ++ int value_list[AUTH_CHAP_ALG_MAX_COUNT]; ++ ++ if (acl_set_chap_alg_list(auth_client, ++ acl_init_chap_digests(value_list, ++ session->chap_algs, ++ AUTH_CHAP_ALG_MAX_COUNT), ++ value_list) != AUTH_STATUS_NO_ERROR) { ++ log_error("Couldn't set CHAP algorithm list"); ++ goto end; ++ } ++ + if (acl_set_ip_sec(auth_client, 1) != AUTH_STATUS_NO_ERROR) { + log_error("Couldn't set IPSec"); + goto end; +-- +2.21.3 + diff --git a/SOURCES/0502-CHAP-FIPS-backport-fixups.patch b/SOURCES/0502-CHAP-FIPS-backport-fixups.patch new file mode 100644 index 0000000..1828c30 --- /dev/null +++ b/SOURCES/0502-CHAP-FIPS-backport-fixups.patch @@ -0,0 +1,200 @@ +From 62a9ff5e206e33addbe3b206c398fe33d0666117 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Fri, 22 May 2020 10:10:17 -0700 +Subject: [PATCH 502/502] CHAP enhancement backport fixes for RHEL 7 + +Minor build fixes +OpenSSL 1.0.1 API differences +disable SHA3 (OpenSSL version isssue) +--- + Makefile | 2 +- + etc/iscsid.conf | 4 ++-- + libiscsi/Makefile | 5 +++-- + usr/Makefile | 4 ++-- + usr/auth.c | 18 ++++++++++++------ + usr/idbm.c | 2 +- + 6 files changed, 21 insertions(+), 14 deletions(-) + +diff --git a/Makefile b/Makefile +index 340c457..d4f705c 100644 +--- a/Makefile ++++ b/Makefile +@@ -22,7 +22,7 @@ IFACEFILES = etc/iface.example + + # Compatibility: parse old OPTFLAGS argument + ifdef OPTFLAGS +-CFLAGS = $(OPTFLAGS) ++CFLAGS = $(OPTFLAGS) --std=gnu99 + endif + + # Export it so configure of iscsiuio & open-isns will +diff --git a/etc/iscsid.conf b/etc/iscsid.conf +index 82cc7d0..0bb7675 100644 +--- a/etc/iscsid.conf ++++ b/etc/iscsid.conf +@@ -59,9 +59,9 @@ node.leading_login = No + # To configure which CHAP algorithms to enable set + # node.session.auth.chap_algs to a comma seperated list. + # The algorithms should be listen with most prefered first. +-# Valid values are MD5, SHA1, SHA256, and SHA3-256. ++# Valid values are MD5, SHA1, SHA256 + # The default is MD5. +-#node.session.auth.chap_algs = SHA3-256,SHA256,SHA1,MD5 ++#node.session.auth.chap_algs = SHA256,SHA1,MD5 + + # To set a CHAP username and password for initiator + # authentication by the target(s), uncomment the following lines: +diff --git a/libiscsi/Makefile b/libiscsi/Makefile +index 317a7ec..5a920ff 100644 +--- a/libiscsi/Makefile ++++ b/libiscsi/Makefile +@@ -4,7 +4,8 @@ OSNAME=$(shell uname -s) + OPTFLAGS ?= -O2 -g + WARNFLAGS ?= -Wall -Wstrict-prototypes + CFLAGS = $(OPTFLAGS) $(WARNFLAGS) -I../include -I../usr \ +- -D$(OSNAME) -fPIC -D_GNU_SOURCE -fvisibility=hidden ++ -D$(OSNAME) -fPIC -D_GNU_SOURCE -fvisibility=hidden --std=gnu99 ++CFLAGS += -lcrypto + LIB = libiscsi.so.0 + TESTS = tests/test_discovery_sendtargets tests/test_discovery_firmware + TESTS += tests/test_login tests/test_logout tests/test_params +@@ -13,7 +14,7 @@ TESTS += tests/test_set_auth tests/test_get_auth + + COMMON_SRCS = sysdeps.o + # sources shared between iscsid, iscsiadm and iscsistart +-ISCSI_LIB_SRCS = netlink.o transport.o cxgbi.o be2iscsi.o iscsi_timer.o initiator_common.o iscsi_err.o session_info.o iscsi_util.o io.o auth.o discovery.o login.o log.o md5.o sha1.o iface.o idbm.o sysfs.o iscsi_sysfs.o iscsi_net_util.o iscsid_req.o iser.o uip_mgmt_ipc.o ++ISCSI_LIB_SRCS = netlink.o transport.o cxgbi.o be2iscsi.o iscsi_timer.o initiator_common.o iscsi_err.o session_info.o iscsi_util.o io.o auth.o discovery.o login.o log.o iface.o idbm.o sysfs.o iscsi_sysfs.o iscsi_net_util.o iscsid_req.o iser.o uip_mgmt_ipc.o + FW_PARAM_SRCS = fw_entry.o prom_lex.o prom_parse.tab.o fwparam_ppc.o fwparam_sysfs.o + + # sources shared with the userspace utils, note we build these separately +diff --git a/usr/Makefile b/usr/Makefile +index db40c3a..8d3b9ae 100644 +--- a/usr/Makefile ++++ b/usr/Makefile +@@ -63,10 +63,10 @@ all: $(PROGRAMS) + + iscsid: $(ISCSI_LIB_SRCS) $(INITIATOR_SRCS) $(DISCOVERY_SRCS) \ + iscsid.o session_mgmt.o discoveryd.o mntcheck.o +- $(CC) $(CFLAGS) $^ -o $@ -L../utils/open-isns -lisns -lrt -lmount $(LDFLAGS) ++ $(CC) $(CFLAGS) $^ -o $@ -L../utils/open-isns -lisns -lrt -lcrypto -lmount $(LDFLAGS) + + iscsiadm: $(ISCSI_LIB_SRCS) $(DISCOVERY_SRCS) iscsiadm.o session_mgmt.o mntcheck.o +- $(CC) $(CFLAGS) $^ -o $@ -L../utils/open-isns -lisns -lmount $(LDFLAGS) ++ $(CC) $(CFLAGS) $^ -o $@ -L../utils/open-isns -lcrypto -lisns -lmount $(LDFLAGS) + + iscsistart: $(ISCSI_LIB_SRCS) $(INITIATOR_SRCS) $(FW_BOOT_SRCS) \ + iscsistart.o statics.o +diff --git a/usr/auth.c b/usr/auth.c +index ec934e6..5a02434 100644 +--- a/usr/auth.c ++++ b/usr/auth.c +@@ -169,7 +169,7 @@ acl_chap_auth_request(struct iscsi_acl *client, char *username, unsigned int id, + + static int auth_hash_init(EVP_MD_CTX **context, int chap_alg) { + const EVP_MD *digest = NULL; +- *context = EVP_MD_CTX_new(); ++ *context = EVP_MD_CTX_create(); + int rc; + + switch (chap_alg) { +@@ -182,9 +182,11 @@ static int auth_hash_init(EVP_MD_CTX **context, int chap_alg) { + case AUTH_CHAP_ALG_SHA256: + digest = EVP_sha256(); + break; ++ /* + case AUTH_CHAP_ALG_SHA3_256: + digest = EVP_sha3_256(); + break; ++ */ + } + + if (*context == NULL) +@@ -199,7 +201,7 @@ static int auth_hash_init(EVP_MD_CTX **context, int chap_alg) { + + fail_init: + fail_digest: +- EVP_MD_CTX_free(*context); ++ EVP_MD_CTX_destroy(*context); + *context = NULL; + fail_context: + return -1; +@@ -212,7 +214,7 @@ static void auth_hash_update(EVP_MD_CTX *context, unsigned char *data, unsigned + static unsigned int auth_hash_final(unsigned char *hash, EVP_MD_CTX *context) { + unsigned int md_len; + EVP_DigestFinal_ex(context, hash, &md_len); +- EVP_MD_CTX_free(context); ++ EVP_MD_CTX_destroy(context); + context = NULL; + return md_len; + } +@@ -335,7 +337,7 @@ static int + acl_chk_chap_alg_optn(int chap_algorithm) + { + if (chap_algorithm == AUTH_OPTION_NONE || +- chap_algorithm == AUTH_CHAP_ALG_SHA3_256 || ++ // chap_algorithm == AUTH_CHAP_ALG_SHA3_256 || + chap_algorithm == AUTH_CHAP_ALG_SHA256 || + chap_algorithm == AUTH_CHAP_ALG_SHA1 || + chap_algorithm == AUTH_CHAP_ALG_MD5) +@@ -748,9 +750,11 @@ acl_chk_chap_alg_key(struct iscsi_acl *client) + case AUTH_CHAP_ALG_SHA256: + client->chap_challenge_len = AUTH_CHAP_SHA256_RSP_LEN; + break; ++ /* + case AUTH_CHAP_ALG_SHA3_256: + client->chap_challenge_len = AUTH_CHAP_SHA3_256_RSP_LEN; + break; ++ */ + } + return; + } +@@ -899,7 +903,7 @@ acl_local_auth(struct iscsi_acl *client) + client->local_state = AUTH_LOCAL_STATE_ERROR; + client->dbg_status = AUTH_DBG_STATUS_CHAP_ALG_REJECT; + break; +- } else if ((client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA3_256) && ++ } else if ( // (client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA3_256) && + (client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA256) && + (client->negotiated_chap_alg != AUTH_CHAP_ALG_SHA1) && + (client->negotiated_chap_alg != AUTH_CHAP_ALG_MD5)) { +@@ -1820,7 +1824,7 @@ acl_set_chap_alg_list(struct iscsi_acl *client, unsigned int option_count, + + int + acl_init_chap_digests(int *value_list, unsigned *chap_algs, int conf_count) { +- EVP_MD_CTX *context = EVP_MD_CTX_new(); ++ EVP_MD_CTX *context = EVP_MD_CTX_create(); + int i = 0; + + for (int j = 0; j < conf_count; j++) { +@@ -1849,6 +1853,7 @@ acl_init_chap_digests(int *value_list, unsigned *chap_algs, int conf_count) { + "SHA256 due to crypto lib configuration"); + } + break; ++ /* + case AUTH_CHAP_ALG_SHA3_256: + if (EVP_DigestInit_ex(context, EVP_sha3_256(), NULL)) { + value_list[i++] = AUTH_CHAP_ALG_SHA3_256; +@@ -1857,6 +1862,7 @@ acl_init_chap_digests(int *value_list, unsigned *chap_algs, int conf_count) { + "SHA3-256 due to crypto lib configuration"); + } + break; ++ */ + case ~0: + /* unset value in array, just ignore */ + break; +diff --git a/usr/idbm.c b/usr/idbm.c +index a9c7b40..8d80b33 100644 +--- a/usr/idbm.c ++++ b/usr/idbm.c +@@ -198,7 +198,7 @@ static struct int_list_tbl { + { "MD5", AUTH_CHAP_ALG_MD5 }, + { "SHA1", AUTH_CHAP_ALG_SHA1 }, + { "SHA256", AUTH_CHAP_ALG_SHA256 }, +- { "SHA3-256", AUTH_CHAP_ALG_SHA3_256 }, ++ // { "SHA3-256", AUTH_CHAP_ALG_SHA3_256 }, + }; + + static int idbm_remove_disc_to_node_link(node_rec_t *rec, char *portal); +-- +2.21.3 + diff --git a/SOURCES/0503-fix-libiscsi-after-adding-libcrypto-requirement.patch b/SOURCES/0503-fix-libiscsi-after-adding-libcrypto-requirement.patch new file mode 100644 index 0000000..654ee50 --- /dev/null +++ b/SOURCES/0503-fix-libiscsi-after-adding-libcrypto-requirement.patch @@ -0,0 +1,25 @@ +From 88d3f69d500826a94af62861a5e230be90e91786 Mon Sep 17 00:00:00 2001 +From: Chris Leech +Date: Thu, 2 Jul 2020 13:14:23 -0700 +Subject: [PATCH 1/1] fix libiscsi after adding libcrypto requirement + +--- + libiscsi/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libiscsi/Makefile b/libiscsi/Makefile +index a7f708c..bd58e97 100644 +--- a/libiscsi/Makefile ++++ b/libiscsi/Makefile +@@ -24,7 +24,7 @@ USR_OBJS = $(patsubst %.o, usr-objs/%.o, $(ISCSI_LIB_SRCS) strings.o) + FW_OBJS = $(patsubst %.o, fw-objs/%.o, $(FW_PARAM_SRCS)) + + # Flags for the tests +-tests/% : CFLAGS = $(OPTFLAGS) $(WARNFLAGS) -I. ++tests/% : CFLAGS = $(OPTFLAGS) $(WARNFLAGS) -I. -lcrypto + + all: lib tests html + +-- +2.26.2 + diff --git a/SPECS/iscsi-initiator-utils.spec b/SPECS/iscsi-initiator-utils.spec index cb3c105..b1671bc 100644 --- a/SPECS/iscsi-initiator-utils.spec +++ b/SPECS/iscsi-initiator-utils.spec @@ -4,7 +4,7 @@ Summary: iSCSI daemon and utility programs Name: iscsi-initiator-utils Version: 6.%{open_iscsi_version}.%{open_iscsi_build} -Release: 17%{?dist} +Release: 19%{?dist} Group: System Environment/Daemons License: GPLv2+ URL: http://www.open-iscsi.org @@ -104,7 +104,12 @@ Patch402: 0001-restore-some-service-file-differences.patch Patch403: 0001-fix-upstream-build-breakage-of-iscsiuio-LDFLAGS.patch Patch404: 0001-improve-systemd-service-files-for-boot-session-handl.patch -BuildRequires: flex bison python-devel doxygen kmod-devel systemd-devel libmount-devel autoconf automake libtool +Patch500: 0500-CHAP-SHA-1-SHA-256-SHA3-256-via-OpenSSL-s-libcrypto.patch +Patch501: 0501-configuration-support-for-CHAP-algorithms.patch +Patch502: 0502-CHAP-FIPS-backport-fixups.patch +Patch503: 0503-fix-libiscsi-after-adding-libcrypto-requirement.patch + +BuildRequires: flex bison python-devel doxygen kmod-devel systemd-devel libmount-devel autoconf automake libtool openssl-devel # For dir ownership Requires: %{name}-iscsiuio >= %{version}-%{release} Requires(post): systemd @@ -244,17 +249,17 @@ if [ $1 -eq 1 ]; then fi %preun -%systemd_preun iscsi.service iscsi-onboot.service iscsi-shutdown.service iscsid.service iscsiuio.service iscsid.socket iscsiuio.socket +%systemd_preun iscsi.service iscsi-onboot.service iscsi-shutdown.service iscsid.service iscsid.socket %preun iscsiuio %systemd_preun iscsiuio.service iscsiuio.socket %postun /sbin/ldconfig -%systemd_postun +%systemd_postun iscsi.service iscsi-onboot.service iscsi-shutdown.service iscsid.service iscsid.socket %postun iscsiuio -%systemd_postun +%systemd_postun iscsiuio.service iscsiuio.socket %triggerun -- iscsi-initiator-utils < 6.2.0.873-22 # prior to 6.2.0.873-22 iscsi.service was missing a Wants=remote-fs-pre.target @@ -326,6 +331,12 @@ fi %{_includedir}/libiscsi.h %changelog +* Thu Jul 02 2020 Chris Leech - 6.2.0.874-19 +- 1851250 fix libiscsi for libcrypto requirement + +* Tue May 12 2020 Chris Leech - 6.2.0.874-18 +- 1809945 backport new CHAP modes for FIPS environments (SHA1 and SHA256 only, no SHA3 in OpenSSL-1.0.2) + * Mon Oct 28 2019 Chris Leech - 6.2.0.874-17 - 1518367 boot from iSCSI not establishing all sessions persistently - 1667965 A manual restart of iscsi.service modifies records node.startup value