/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <sys/types.h>
#include <sys/random.h>
#include <sys/conf.h>
#include <sys/ddi.h>
#include <sys/sunddi.h>

#include <sys/socket.h>
#include <inet/tcp.h>

#include <sys/stmf.h>
#include <sys/stmf_ioctl.h>
#include <sys/portif.h>
#include <sys/idm/idm.h>
#include <sys/iscsit/chap.h>

#include "iscsit.h"
#include "radius_auth.h"

void
client_set_numeric_data(auth_key_block_t *keyBlock,
    int key_type,
    uint32_t numeric)
{
	auth_key_t *p;

	ASSERT(key_type < AUTH_KEY_TYPE_MAX);

	p = &keyBlock->key[key_type];
	p->value.numeric = numeric;
	p->present = 1;
}

void
client_set_string_data(auth_key_block_t *keyBlock,
    int key_type,
    char *string)
{
	auth_key_t *p;

	ASSERT(key_type < AUTH_KEY_TYPE_MAX);

	p = &keyBlock->key[key_type];
	p->value.string = string;
	p->present = 1;
}

void
client_set_binary_data(auth_key_block_t *keyBlock,
    int key_type,
    unsigned char *binary, unsigned int len)
{
	auth_key_t *p;

	ASSERT(key_type < AUTH_KEY_TYPE_MAX);

	p = &keyBlock->key[key_type];
	p->value.binary = binary;
	p->len = len;
	p->present = 1;
}

void
client_get_numeric_data(auth_key_block_t *keyBlock,
    int key_type,
    uint32_t *numeric)
{
	auth_key_t *p;

	ASSERT(key_type < AUTH_KEY_TYPE_MAX);

	p = &keyBlock->key[key_type];
	*numeric = p->value.numeric;
}

void
client_get_string_data(auth_key_block_t *keyBlock,
    int key_type,
    char **string)
{
	auth_key_t *p;

	ASSERT(key_type < AUTH_KEY_TYPE_MAX);

	p = &keyBlock->key[key_type];
	*string = p->value.string;
}

void
client_get_binary_data(auth_key_block_t *keyBlock,
    int key_type,
    unsigned char **binary, unsigned int *len)
{
	auth_key_t *p;

	ASSERT(key_type < AUTH_KEY_TYPE_MAX);

	p = &keyBlock->key[key_type];
	*binary = p->value.binary;
	*len = p->len;
}

int
client_auth_key_present(auth_key_block_t *keyBlock,
    int key_type)
{
	auth_key_t *p;

	ASSERT(key_type < AUTH_KEY_TYPE_MAX);

	p = &keyBlock->key[key_type];

	return (p->present != 0 ? 1 : 0);
}

/*ARGSUSED*/
void
client_compute_chap_resp(uchar_t *resp,
    unsigned int chap_i,
    uint8_t *password, int password_len,
    uchar_t *chap_c, unsigned int challenge_len)
{
	MD5_CTX		context;

	MD5Init(&context);

	/*
	 * id byte
	 */
	resp[0] = (uchar_t)chap_i;
	MD5Update(&context, resp, 1);

	/*
	 * shared secret
	 */
	MD5Update(&context, (uchar_t *)password, password_len);

	/*
	 * challenge value
	 */
	MD5Update(&context, chap_c, challenge_len);

	MD5Final(resp, &context);
}

int
iscsit_verify_chap_resp(iscsit_conn_login_t *lsm,
    unsigned int chap_i,
    uchar_t *chap_c, unsigned int challenge_len,
    uchar_t *chap_r, unsigned int resp_len)
{
	uchar_t		verifyData[iscsitAuthChapResponseLength];
	conn_auth_t	*auth = &lsm->icl_auth;

	/* Check if RADIUS access is enabled */
	if (auth->ca_use_radius == B_TRUE) {
		chap_validation_status_type	chap_valid_status;
		RADIUS_CONFIG		radius_cfg;
		struct sockaddr_storage *sa = &auth->ca_radius_server;
		struct sockaddr_in	*sin;
		struct sockaddr_in6	*sin6;

		/* Use RADIUS server to authentication target */
		sin = (struct sockaddr_in *)sa;
		radius_cfg.rad_svr_port = ntohs(sin->sin_port);
		if (sa->ss_family == AF_INET) {
			/* IPv4 */
			radius_cfg.rad_svr_addr.i_addr.in4.s_addr =
			    sin->sin_addr.s_addr;
			radius_cfg.rad_svr_addr.i_insize = sizeof (in_addr_t);
		} else if (sa->ss_family == AF_INET6) {
			/* IPv6 */
			sin6 = (struct sockaddr_in6 *)sa;
			bcopy(sin6->sin6_addr.s6_addr,
			    radius_cfg.rad_svr_addr.i_addr.in6.s6_addr,
			    sizeof (struct in6_addr));
			radius_cfg.rad_svr_addr.i_insize = sizeof (in6_addr_t);
		} else {
			return (ISCSI_AUTH_FAILED);
		}

		bcopy(auth->ca_radius_secret,
		    radius_cfg.rad_svr_shared_secret,
		    MAX_RAD_SHARED_SECRET_LEN);
		radius_cfg.rad_svr_shared_secret_len =
		    auth->ca_radius_secretlen;

		chap_valid_status = iscsit_radius_chap_validate(
		    auth->ca_ini_chapuser,
		    auth->ca_tgt_chapuser,
		    chap_c,
		    challenge_len,
		    chap_r,
		    resp_len,
		    chap_i,
		    radius_cfg.rad_svr_addr,
		    radius_cfg.rad_svr_port,
		    radius_cfg.rad_svr_shared_secret,
		    radius_cfg.rad_svr_shared_secret_len);

		if (chap_valid_status == CHAP_VALIDATION_PASSED) {
			return (ISCSI_AUTH_PASSED);
		}
		return (ISCSI_AUTH_FAILED);
	}

	/* Empty chap secret is not allowed */
	if (auth->ca_ini_chapsecretlen == 0) {
		return (ISCSI_AUTH_FAILED);
	}

	/* only MD5 is supported */
	if (resp_len != sizeof (verifyData)) {
		return (ISCSI_AUTH_FAILED);
	}

	client_compute_chap_resp(
	    &verifyData[0],
	    chap_i,
	    auth->ca_ini_chapsecret, auth->ca_ini_chapsecretlen,
	    chap_c, challenge_len);

	if (bcmp(chap_r, verifyData,
	    sizeof (verifyData)) != 0) {
		return (ISCSI_AUTH_FAILED);
	}

	/* chap response OK */
	return (ISCSI_AUTH_PASSED);
}

void
auth_random_set_data(uchar_t *data, unsigned int length)
{
	(void) random_get_pseudo_bytes(data, length);
}