From 26fcef727d68af97b1187d2ac3cad19acc3d97c8 Mon Sep 17 00:00:00 2001

From: Tomas Bzatek <tbzatek@redhat.com>

Date: Tue, 16 May 2023 18:33:59 +0200

Subject: [PATCH 1/2] iscsi: Set node parameters before the Login/Logout action

This allows to properly pass required arguments like the CHAP

auth algorithms, etc.

---

 modules/iscsi/udisksiscsiutil.c | 54 ++++++++++++++++++---------------

 1 file changed, 29 insertions(+), 25 deletions(-)

diff --git a/modules/iscsi/udisksiscsiutil.c b/modules/iscsi/udisksiscsiutil.c

index 78890106f0..b279442876 100644

--- a/modules/iscsi/udisksiscsiutil.c

+++ b/modules/iscsi/udisksiscsiutil.c

@@ -186,9 +186,10 @@ iscsi_perform_login_action (UDisksLinuxModuleISCSI     *module,

 }

 static gint

-iscsi_node_set_parameters (struct libiscsi_context *ctx,

-                           struct libiscsi_node    *node,

-                           GVariant                *params)

+iscsi_node_set_parameters (struct libiscsi_context  *ctx,

+                           struct libiscsi_node     *node,

+                           GVariant                 *params,

+                           gchar                   **errorstr)

 {

   GVariantIter  iter;

   GVariant     *value;

@@ -207,9 +208,11 @@ iscsi_node_set_parameters (struct libiscsi_context *ctx,

       /* Update the node parameter value. */

       err = libiscsi_node_set_parameter (ctx, node, key, param_value);

+      if (errorstr && err != 0)

+        *errorstr = g_strdup (libiscsi_get_error_string (ctx));

       g_variant_unref (value);

-      g_free ((gpointer) key);

+      g_free (key);

     }

   return 0;

@@ -279,7 +282,7 @@ iscsi_login (UDisksLinuxModuleISCSI *module,

   const gchar *password = NULL;

   const gchar *reverse_username = NULL;

   const gchar *reverse_password = NULL;

-  gint err;

+  gint err = 0;

   g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1);

@@ -304,17 +307,18 @@ iscsi_login (UDisksLinuxModuleISCSI *module,

   /* Get iscsi context. */

   ctx = udisks_linux_module_iscsi_get_libiscsi_context (module);

-  /* Login */

-  err = iscsi_perform_login_action (module,

-                                    ACTION_LOGIN,

-                                    &node,

-                                    &auth_info,

-                                    errorstr);

+  /* Update node parameters. */

+  if (params)

+    err = iscsi_node_set_parameters (ctx, &node, params_without_chap, errorstr);

-  if (err == 0 && params)

+  /* Login */

+  if (err == 0)

     {

-      /* Update node parameters. */

-      err = iscsi_node_set_parameters (ctx, &node, params_without_chap);

+      err = iscsi_perform_login_action (module,

+                                        ACTION_LOGIN,

+                                        &node,

+                                        &auth_info,

+                                        errorstr);

     }

   g_variant_unref (params_without_chap);

@@ -334,7 +338,7 @@ iscsi_logout (UDisksLinuxModuleISCSI *module,

 {

   struct libiscsi_context *ctx;

   struct libiscsi_node node = {0,};

-  gint err;

+  gint err = 0;

   g_return_val_if_fail (UDISKS_IS_LINUX_MODULE_ISCSI (module), 1);

@@ -344,18 +348,18 @@ iscsi_logout (UDisksLinuxModuleISCSI *module,

   /* Get iscsi context. */

   ctx = udisks_linux_module_iscsi_get_libiscsi_context (module);

-  /* Logout */

-  err = iscsi_perform_login_action (module,

-                                    ACTION_LOGOUT,

-                                    &node,

-                                    NULL,

-                                    errorstr);

+  /* Update node parameters. */

+  if (params)

+    err = iscsi_node_set_parameters (ctx, &node, params, errorstr);

-  if (err == 0 && params)

+  /* Logout */

+  if (err == 0)

     {

-      /* Update node parameters. */

-      err = iscsi_node_set_parameters (ctx, &node, params);

-

+      err = iscsi_perform_login_action (module,

+                                        ACTION_LOGOUT,

+                                        &node,

+                                        NULL,

+                                        errorstr);

     }

   return err;

From 749812784abcc4c0492bda0703bff5d3dae052f9 Mon Sep 17 00:00:00 2001

From: Tomas Bzatek <tbzatek@redhat.com>

Date: Tue, 16 May 2023 18:35:42 +0200

Subject: [PATCH 2/2] tests: Disallow MD5 for iscsi CHAP login

MD5 is unavailable in FIPS mode:

  iscsid[82167]: iscsid: Ignoring CHAP algorthm request for MD5 due to crypto lib configuration

  iscsid[82167]: iscsid: Couldn't set CHAP algorithm list

  kernel: rx_data returned 0, expecting 48.

  kernel: iSCSI Login negotiation failed.

---

 src/tests/dbus-tests/test_30_iscsi.py | 3 +++

 1 file changed, 3 insertions(+)

diff --git a/src/tests/dbus-tests/test_30_iscsi.py b/src/tests/dbus-tests/test_30_iscsi.py

index 09e975f30c..02ba6c92b0 100644

--- a/src/tests/dbus-tests/test_30_iscsi.py

+++ b/src/tests/dbus-tests/test_30_iscsi.py

@@ -161,6 +161,7 @@ def test_login_chap_auth(self):

         self.assertEqual(port, self.port)

         options = dbus.Dictionary(signature='sv')

+        options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1'  # disallow MD5

         options['username'] = self.initiator

         msg = 'Login failed: initiator reported error \(24 - iSCSI login failed due to authorization failure\)'

@@ -227,6 +228,7 @@ def test_login_mutual_auth(self):

         self.assertEqual(port, self.port)

         options = dbus.Dictionary(signature='sv')

+        options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1'  # disallow MD5

         options['username'] = self.initiator

         options['password'] = self.password

         options['reverse-username'] = self.mutual_iqn

@@ -335,6 +337,7 @@ def test_login_noauth_badauth(self):

         # first attempt - wrong password

         options = dbus.Dictionary(signature='sv')

+        options['node.session.auth.chap_algs'] = 'SHA3-256,SHA256,SHA1'  # disallow MD5

         options['username'] = self.initiator

         msg = r'Login failed: initiator reported error \((19 - encountered non-retryable iSCSI login failure|24 - iSCSI login failed due to authorization failure)\)'

         with six.assertRaisesRegex(self, dbus.exceptions.DBusException, msg):