From: Hannes Reinecke <hare@suse.de>
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@suse.de>
Subject: [PATCH 11/11] nvmet-auth: expire authentication sessions
Date: Wed, 8 Jun 2022 16:45:18 +0200 [thread overview]
Message-ID: <20220608144518.67607-12-hare@suse.de> (raw)
In-Reply-To: <20220608144518.67607-1-hare@suse.de>
Each authentication step is required to be completed within the
KATO interval (or two minutes if not set). So add a workqueue function
to reset the transaction ID and the expected next protocol step;
this will automatically the next authentication command referring
to the terminated authentication.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
---
drivers/nvme/target/auth.c | 1 +
drivers/nvme/target/fabrics-cmd-auth.c | 20 +++++++++++++++++++-
drivers/nvme/target/nvmet.h | 1 +
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
index d5624bdf834b..bf92435c783c 100644
--- a/drivers/nvme/target/auth.c
+++ b/drivers/nvme/target/auth.c
@@ -218,6 +218,7 @@ int nvmet_setup_auth(struct nvmet_ctrl *ctrl)
void nvmet_auth_sq_free(struct nvmet_sq *sq)
{
+ cancel_delayed_work(&sq->auth_expired_work);
kfree(sq->dhchap_c1);
sq->dhchap_c1 = NULL;
kfree(sq->dhchap_c2);
diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index f32e2a4aeaa0..f2a355b8833f 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -12,9 +12,22 @@
#include <crypto/kpp.h>
#include "nvmet.h"
+static void nvmet_auth_expired_work(struct work_struct *work)
+{
+ struct nvmet_sq *sq = container_of(to_delayed_work(work),
+ struct nvmet_sq, auth_expired_work);
+
+ pr_debug("%s: ctrl %d qid %d transaction %u expired, resetting\n",
+ __func__, sq->ctrl->cntlid, sq->qid, sq->dhchap_tid);
+ sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
+ sq->dhchap_tid = -1;
+}
+
void nvmet_init_auth(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
{
/* Initialize in-band authentication */
+ INIT_DELAYED_WORK(&req->sq->auth_expired_work,
+ nvmet_auth_expired_work);
req->sq->authenticated = false;
req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
req->cqe->result.u32 |= 0x2 << 16;
@@ -330,8 +343,13 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
req->cqe->result.u64 = 0;
nvmet_req_complete(req, status);
if (req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2 &&
- req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_FAILURE2)
+ req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_FAILURE2) {
+ unsigned long auth_expire_secs = ctrl->kato ? ctrl->kato : 120;
+
+ mod_delayed_work(system_wq, &req->sq->auth_expired_work,
+ auth_expire_secs * HZ);
return;
+ }
/* Final states, clear up variables */
nvmet_auth_sq_free(req->sq);
if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_FAILURE2)
diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
index 8b239aec3ca2..829fb1d78ee1 100644
--- a/drivers/nvme/target/nvmet.h
+++ b/drivers/nvme/target/nvmet.h
@@ -109,6 +109,7 @@ struct nvmet_sq {
u32 sqhd;
bool sqhd_disabled;
#ifdef CONFIG_NVME_TARGET_AUTH
+ struct delayed_work auth_expired_work;
bool authenticated;
u16 dhchap_tid;
u16 dhchap_status;
--
2.29.2
next prev parent reply other threads:[~2022-06-08 14:45 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-08 14:45 [PATCHv14 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-08 14:45 ` [PATCH 01/11] crypto: add crypto_has_shash() Hannes Reinecke
2022-06-08 14:45 ` [PATCH 02/11] crypto: add crypto_has_kpp() Hannes Reinecke
2022-06-08 14:45 ` [PATCH 03/11] lib/base64: RFC4648-compliant base64 encoding Hannes Reinecke
2022-06-08 14:45 ` [PATCH 04/11] nvme: add definitions for NVMe In-Band authentication Hannes Reinecke
2022-06-08 14:45 ` [PATCH 05/11] nvme-fabrics: decode 'authentication required' connect error Hannes Reinecke
2022-06-08 14:45 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-06-13 18:12 ` Christoph Hellwig
2022-06-20 6:50 ` Hannes Reinecke
2022-06-08 14:45 ` [PATCH 07/11] nvme-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-06-08 14:45 ` [PATCH 08/11] nvmet: parse fabrics commands on io queues Hannes Reinecke
2022-06-08 14:45 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-06-08 14:45 ` [PATCH 10/11] nvmet-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-06-08 14:45 ` Hannes Reinecke [this message]
2022-06-09 1:13 ` [PATCHv14 00/11] nvme: In-band authentication support Chaitanya Kulkarni
2022-06-09 6:08 ` Hannes Reinecke
2022-06-09 6:20 ` Hannes Reinecke
2022-06-10 9:06 ` Chaitanya Kulkarni
2022-06-10 9:17 ` Chaitanya Kulkarni
2022-06-10 9:23 ` Hannes Reinecke
2022-06-10 8:55 ` Chaitanya Kulkarni
2022-06-10 9:12 ` Hannes Reinecke
2022-06-10 9:28 ` Chaitanya Kulkarni
2022-06-10 9:35 ` Chaitanya Kulkarni
2022-06-10 11:29 ` Hannes Reinecke
2022-06-13 22:29 ` Chaitanya Kulkarni
2022-06-10 9:44 ` Hannes Reinecke
-- strict thread matches above, loose matches on Subject: below --
2022-06-27 9:51 [PATCHv18 " Hannes Reinecke
2022-06-27 9:52 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-06-23 6:17 [PATCHv17 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-23 6:17 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-06-21 17:24 [PATCHv16 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-21 17:24 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-06-21 9:02 [PATCHv15 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-21 9:02 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-05-18 11:22 [PATCHv12 00/11] nvme: In-band authentication support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-03-28 13:39 [PATCHv11 00/11] nvme: In-band authentication support Hannes Reinecke
2022-03-28 13:39 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-03-28 8:08 [PATCHv10 00/11] nvme: In-band authentication support Hannes Reinecke
2022-03-28 8:08 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
2022-03-23 7:12 [PATCHv9 00/11] nvme: In-band authentication support Hannes Reinecke
2022-03-23 7:13 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220608144518.67607-12-hare@suse.de \
--to=hare@suse.de \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.