[iSCSI] Add support for mutual CHAP

Allow initiator to verify target authentication using CHAP.

src/include/gpxe/chap.h

@@ -12,8 +12,8 @@
 
 struct crypto_algorithm;
 
-/** A CHAP challenge/response */
-struct chap_challenge {
+/** A CHAP response */
+struct chap_response {
 	/** Digest algorithm used for the response */
 	struct crypto_algorithm *digest;
 	/** Context used by the digest algorithm */
@@ -24,24 +24,24 @@ struct chap_challenge {
 	size_t response_len;
 };
 
-extern int chap_init ( struct chap_challenge *chap,
+extern int chap_init ( struct chap_response *chap,
 		       struct crypto_algorithm *digest );
-extern void chap_update ( struct chap_challenge *chap, const void *data,
+extern void chap_update ( struct chap_response *chap, const void *data,
 			  size_t len );
-extern void chap_respond ( struct chap_challenge *chap );
-extern void chap_finish ( struct chap_challenge *chap );
+extern void chap_respond ( struct chap_response *chap );
+extern void chap_finish ( struct chap_response *chap );
 
 /**
  * Add identifier data to the CHAP challenge
  *
- * @v chap		CHAP challenge/response
+ * @v chap		CHAP response
  * @v identifier	CHAP identifier
  *
  * The CHAP identifier is the first byte of the CHAP challenge.  This
  * function is a notational convenience for calling chap_update() for
  * the identifier byte.
  */
-static inline void chap_set_identifier ( struct chap_challenge *chap,
+static inline void chap_set_identifier ( struct chap_response *chap,
 					 unsigned int identifier ) {
 	uint8_t ident_byte = identifier;
 

src/include/gpxe/dhcp.h

@@ -241,6 +241,24 @@ struct dhcp_packet;
  */
 #define DHCP_EB_PASSWORD DHCP_ENCAP_OPT ( DHCP_EB_ENCAP, 0xbf )
 
+/** Reverse username
+ *
+ * This will be used as the reverse username (i.e. the username
+ * provided by the server) for any required authentication.  It is
+ * expected that this option's value will be held in non-volatile
+ * storage, rather than transmitted as part of a DHCP packet.
+ */
+#define DHCP_EB_REVERSE_USERNAME DHCP_ENCAP_OPT ( DHCP_EB_ENCAP, 0xc0 )
+
+/** Reverse password
+ *
+ * This will be used as the reverse password (i.e. the password
+ * provided by the server) for any required authentication.  It is
+ * expected that this option's value will be held in non-volatile
+ * storage, rather than transmitted as part of a DHCP packet.
+ */
+#define DHCP_EB_REVERSE_PASSWORD DHCP_ENCAP_OPT ( DHCP_EB_ENCAP, 0xc1 )
+
 /** iSCSI primary target IQN */
 #define DHCP_ISCSI_PRIMARY_TARGET_IQN 201
 

src/include/gpxe/iscsi.h

@@ -522,12 +522,25 @@ struct iscsi_session {
 	 */
 	int retry_count;
 
-	/** Username (if any) */
-	char *username;
-	/** Password (if any) */
-	char *password;
-	/** CHAP challenge/response */
-	struct chap_challenge chap;
+	/** Initiator username (if any) */
+	char *initiator_username;
+	/** Initiator password (if any) */
+	char *initiator_password;
+	/** Target username (if any) */
+	char *target_username;
+	/** Target password (if any) */
+	char *target_password;
+	/** Target has authenticated acceptably */
+	int target_auth_ok;
+	/** CHAP challenge (for target auth only)
+	 *
+	 * This is a block of random data; the first byte is used as
+	 * the CHAP identifier (CHAP_I) and the remainder as the CHAP
+	 * challenge (CHAP_C).
+	 */
+	unsigned char chap_challenge[17];
+	/** CHAP response (used for both initiator and target auth) */
+	struct chap_response chap;
 
 	/** Target session identifying handle
 	 *
@@ -642,8 +655,11 @@ struct iscsi_session {
 /** iSCSI session needs to send the CHAP response */
 #define ISCSI_STATUS_STRINGS_CHAP_RESPONSE 0x0400
 
+/** iSCSI session needs to send the mutual CHAP challenge */
+#define ISCSI_STATUS_STRINGS_CHAP_CHALLENGE 0x0800
+
 /** iSCSI session needs to send the operational negotiation strings */
-#define ISCSI_STATUS_STRINGS_OPERATIONAL 0x0800
+#define ISCSI_STATUS_STRINGS_OPERATIONAL 0x1000
 
 /** Mask for all iSCSI "needs to send" flags */
 #define ISCSI_STATUS_STRINGS_MASK 0xff00