162 lines
6.1 KiB
Diff
162 lines
6.1 KiB
Diff
From 26fcef727d68af97b1187d2ac3cad19acc3d97c8 Mon Sep 17 00:00:00 2001
|
|
From: Tomas Bzatek <tbzatek@redhat.com>
|
|
Date: Tue, 16 May 2023 18:33:59 +0200
|
|
Subject: [PATCH 1/2] iscsi: Set node parameters before the Login/Logout action
|
|
|
|
This allows to properly pass required arguments like the CHAP
|
|
auth algorithms, etc.
|
|
---
|
|
modules/iscsi/udisksiscsiutil.c | 54 ++++++++++++++++++---------------
|
|
1 file changed, 29 insertions(+), 25 deletions(-)
|
|
|
|
diff --git a/modules/iscsi/udisksiscsiutil.c b/modules/iscsi/udisksiscsiutil.c
|
|
index 78890106f0..b279442876 100644
|
|
--- a/modules/iscsi/udisksiscsiutil.c
|
|
+++ b/modules/iscsi/udisksiscsiutil.c
|
|
@@ -186,9 +186,10 @@ iscsi_perform_login_action (UDisksLinuxModuleISCSI *module,
|
|
}
|
|
|
|
static gint
|
|
-iscsi_node_set_parameters (struct libiscsi_context *ctx,
|
|
- struct libiscsi_node *node,
|
|
- GVariant *params)
|
|
+iscsi_node_set_parameters (struct libiscsi_context *ctx,
|
|
+ struct libiscsi_node *node,
|
|
+ GVariant *params,
|
|
+ gchar **errorstr)
|
|
{
|
|
GVariantIter iter;
|
|
GVariant *value;
|
|
@@ -207,9 +208,11 @@ iscsi_node_set_parameters (struct libiscsi_context *ctx,
|
|
|
|
/* Update the node parameter value. */
|
|
err = libiscsi_node_set_parameter (ctx, node, key, param_value);
|
|
+ if (errorstr && err != 0)
|
|
+ *errorstr = g_strdup (libiscsi_get_error_string (ctx));
|
|
|
|
g_variant_unref (value);
|
|
- g_free ((gpointer) key);
|
|
+ g_free (key);
|
|
}
|
|
|
|
return 0;
|
|
@@ -279,7 +282,7 @@ iscsi_login (UDisksLinuxModuleISCSI *module,
|
|
const gchar *password = NULL;
|
|
const gchar *reverse_username = NULL;
|
|
const gchar *reverse_password = NULL;
|
|
- gint err;
|
|
+ gint err = 0;
|
|
|
|
g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1);
|
|
|
|
@@ -304,17 +307,18 @@ iscsi_login (UDisksLinuxModuleISCSI *module,
|
|
/* Get iscsi context. */
|
|
ctx = udisks_linux_module_iscsi_get_libiscsi_context (module);
|
|
|
|
- /* Login */
|
|
- err = iscsi_perform_login_action (module,
|
|
- ACTION_LOGIN,
|
|
- &node,
|
|
- &auth_info,
|
|
- errorstr);
|
|
+ /* Update node parameters. */
|
|
+ if (params)
|
|
+ err = iscsi_node_set_parameters (ctx, &node, params_without_chap, errorstr);
|
|
|
|
- if (err == 0 && params)
|
|
+ /* Login */
|
|
+ if (err == 0)
|
|
{
|
|
- /* Update node parameters. */
|
|
- err = iscsi_node_set_parameters (ctx, &node, params_without_chap);
|
|
+ err = iscsi_perform_login_action (module,
|
|
+ ACTION_LOGIN,
|
|
+ &node,
|
|
+ &auth_info,
|
|
+ errorstr);
|
|
}
|
|
|
|
g_variant_unref (params_without_chap);
|
|
@@ -334,7 +338,7 @@ iscsi_logout (UDisksLinuxModuleISCSI *module,
|
|
{
|
|
struct libiscsi_context *ctx;
|
|
struct libiscsi_node node = {0,};
|
|
- gint err;
|
|
+ gint err = 0;
|
|
|
|
g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1);
|
|
|
|
@@ -344,18 +348,18 @@ iscsi_logout (UDisksLinuxModuleISCSI *module,
|
|
/* Get iscsi context. */
|
|
ctx = udisks_linux_module_iscsi_get_libiscsi_context (module);
|
|
|
|
- /* Logout */
|
|
- err = iscsi_perform_login_action (module,
|
|
- ACTION_LOGOUT,
|
|
- &node,
|
|
- NULL,
|
|
- errorstr);
|
|
+ /* Update node parameters. */
|
|
+ if (params)
|
|
+ err = iscsi_node_set_parameters (ctx, &node, params, errorstr);
|
|
|
|
- if (err == 0 && params)
|
|
+ /* Logout */
|
|
+ if (err == 0)
|
|
{
|
|
- /* Update node parameters. */
|
|
- err = iscsi_node_set_parameters (ctx, &node, params);
|
|
-
|
|
+ err = iscsi_perform_login_action (module,
|
|
+ ACTION_LOGOUT,
|
|
+ &node,
|
|
+ NULL,
|
|
+ errorstr);
|
|
}
|
|
|
|
return err;
|
|
|
|
From 749812784abcc4c0492bda0703bff5d3dae052f9 Mon Sep 17 00:00:00 2001
|
|
From: Tomas Bzatek <tbzatek@redhat.com>
|
|
Date: Tue, 16 May 2023 18:35:42 +0200
|
|
Subject: [PATCH 2/2] tests: Disallow MD5 for iscsi CHAP login
|
|
|
|
MD5 is unavailable in FIPS mode:
|
|
|
|
iscsid[82167]: iscsid: Ignoring CHAP algorthm request for MD5 due to crypto lib configuration
|
|
iscsid[82167]: iscsid: Couldn't set CHAP algorithm list
|
|
kernel: rx_data returned 0, expecting 48.
|
|
kernel: iSCSI Login negotiation failed.
|
|
---
|
|
src/tests/dbus-tests/test_30_iscsi.py | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py
|
|
index 09e975f30c..02ba6c92b0 100644
|
|
--- a/src/tests/dbus-tests/test_30_iscsi.py
|
|
+++ b/src/tests/dbus-tests/test_30_iscsi.py
|
|
@@ -161,6 +161,7 @@ def test_login_chap_auth(self):
|
|
self.assertEqual(port, self.port)
|
|
|
|
options = dbus.Dictionary(signature='sv')
|
|
+ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5
|
|
options['username'] = self.initiator
|
|
|
|
msg = 'Login failed: initiator reported error \(24 - iSCSI login failed due to authorization failure\)'
|
|
@@ -227,6 +228,7 @@ def test_login_mutual_auth(self):
|
|
self.assertEqual(port, self.port)
|
|
|
|
options = dbus.Dictionary(signature='sv')
|
|
+ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5
|
|
options['username'] = self.initiator
|
|
options['password'] = self.password
|
|
options['reverse-username'] = self.mutual_iqn
|
|
@@ -335,6 +337,7 @@ def test_login_noauth_badauth(self):
|
|
|
|
# first attempt - wrong password
|
|
options = dbus.Dictionary(signature='sv')
|
|
+ options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1' # disallow MD5
|
|
options['username'] = self.initiator
|
|
msg = r'Login failed: initiator reported error \((19 - encountered non-retryable iSCSI login failure|24 - iSCSI login failed due to authorization failure)\)'
|
|
with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):
|