From 26fcef727d68af97b1187d2ac3cad19acc3d97c8 Mon Sep 17 00:00:00 2001 From: Tomas Bzatek Date: Tue, 16 May 2023 18:33:59 +0200 Subject: [PATCH 1/2] iscsi: Set node parameters before the Login/Logout action This allows to properly pass required arguments like the CHAP auth algorithms, etc. --- modules/iscsi/udisksiscsiutil.c | 54 ++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/modules/iscsi/udisksiscsiutil.c b/modules/iscsi/udisksiscsiutil.c index 78890106f0..b279442876 100644 --- a/modules/iscsi/udisksiscsiutil.c +++ b/modules/iscsi/udisksiscsiutil.c @@ -186,9 +186,10 @@ iscsi_perform_login_action (UDisksLinuxModuleISCSI *module, } static gint -iscsi_node_set_parameters (struct libiscsi_context *ctx, - struct libiscsi_node *node, - GVariant *params) +iscsi_node_set_parameters (struct libiscsi_context *ctx, + struct libiscsi_node *node, + GVariant *params, + gchar **errorstr) { GVariantIter iter; GVariant *value; @@ -207,9 +208,11 @@ iscsi_node_set_parameters (struct libiscsi_context *ctx, /* Update the node parameter value. */ err = libiscsi_node_set_parameter (ctx, node, key, param_value); + if (errorstr && err != 0) + *errorstr = g_strdup (libiscsi_get_error_string (ctx)); g_variant_unref (value); - g_free ((gpointer) key); + g_free (key); } return 0; @@ -279,7 +282,7 @@ iscsi_login (UDisksLinuxModuleISCSI *module, const gchar *password = NULL; const gchar *reverse_username = NULL; const gchar *reverse_password = NULL; - gint err; + gint err = 0; g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1); @@ -304,17 +307,18 @@ iscsi_login (UDisksLinuxModuleISCSI *module, /* Get iscsi context. */ ctx = udisks_linux_module_iscsi_get_libiscsi_context (module); - /* Login */ - err = iscsi_perform_login_action (module, - ACTION_LOGIN, - &node, - &auth_info, - errorstr); + /* Update node parameters. */ + if (params) + err = iscsi_node_set_parameters (ctx, &node, params_without_chap, errorstr); - if (err == 0 && params) + /* Login */ + if (err == 0) { - /* Update node parameters. */ - err = iscsi_node_set_parameters (ctx, &node, params_without_chap); + err = iscsi_perform_login_action (module, + ACTION_LOGIN, + &node, + &auth_info, + errorstr); } g_variant_unref (params_without_chap); @@ -334,7 +338,7 @@ iscsi_logout (UDisksLinuxModuleISCSI *module, { struct libiscsi_context *ctx; struct libiscsi_node node = {0,}; - gint err; + gint err = 0; g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1); @@ -344,18 +348,18 @@ iscsi_logout (UDisksLinuxModuleISCSI *module, /* Get iscsi context. */ ctx = udisks_linux_module_iscsi_get_libiscsi_context (module); - /* Logout */ - err = iscsi_perform_login_action (module, - ACTION_LOGOUT, - &node, - NULL, - errorstr); + /* Update node parameters. */ + if (params) + err = iscsi_node_set_parameters (ctx, &node, params, errorstr); - if (err == 0 && params) + /* Logout */ + if (err == 0) { - /* Update node parameters. */ - err = iscsi_node_set_parameters (ctx, &node, params); - + err = iscsi_perform_login_action (module, + ACTION_LOGOUT, + &node, + NULL, + errorstr); } return err; From 749812784abcc4c0492bda0703bff5d3dae052f9 Mon Sep 17 00:00:00 2001 From: Tomas Bzatek Date: Tue, 16 May 2023 18:35:42 +0200 Subject: [PATCH 2/2] tests: Disallow MD5 for iscsi CHAP login MD5 is unavailable in FIPS mode: iscsid[82167]: iscsid: Ignoring CHAP algorthm request for MD5 due to crypto lib configuration iscsid[82167]: iscsid: Couldn't set CHAP algorithm list kernel: rx_data returned 0, expecting 48. kernel: iSCSI Login negotiation failed. --- src/tests/dbus-tests/test_30_iscsi.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py index 09e975f30c..02ba6c92b0 100644 --- a/src/tests/dbus-tests/test_30_iscsi.py +++ b/src/tests/dbus-tests/test_30_iscsi.py @@ -161,6 +161,7 @@ def test_login_chap_auth(self): self.assertEqual(port, self.port) options = dbus.Dictionary(signature='sv') + options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5 options['username'] = self.initiator msg = 'Login failed: initiator reported error \(24 - iSCSI login failed due to authorization failure\)' @@ -227,6 +228,7 @@ def test_login_mutual_auth(self): self.assertEqual(port, self.port) options = dbus.Dictionary(signature='sv') + options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5 options['username'] = self.initiator options['password'] = self.password options['reverse-username'] = self.mutual_iqn @@ -335,6 +337,7 @@ def test_login_noauth_badauth(self): # first attempt - wrong password options = dbus.Dictionary(signature='sv') + options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5 options['username'] = self.initiator msg = r'Login failed: initiator reported error \((19 - encountered non-retryable iSCSI login failure|24 - iSCSI login failed due to authorization failure)\)' with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):