[PATCH 03/13] nvme: add nvme_auth_generate_digest()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: hare@kernel.org
To: Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
	linux-nvme@lists.infradead.org, Hannes Reinecke <hare@suse.de>
Subject: [PATCH 03/13] nvme: add nvme_auth_generate_digest()
Date: Sat, 27 Jan 2024 10:30:48 +0100	[thread overview]
Message-ID: <20240127093058.15699-4-hare@kernel.org> (raw)
In-Reply-To: <20240127093058.15699-1-hare@kernel.org>

From: Hannes Reinecke <hare@suse.de>

Add a function to calculate the PSK digest as specified in TP8018.

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 drivers/nvme/common/auth.c | 105 +++++++++++++++++++++++++++++++++++++
 include/linux/nvme-auth.h  |   2 +
 2 files changed, 107 insertions(+)

diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c
index 9ee459a9400e..87e095fe3852 100644
--- a/drivers/nvme/common/auth.c
+++ b/drivers/nvme/common/auth.c
@@ -547,4 +547,109 @@ u8 *nvme_auth_generate_psk(u8 hmac_id, u8 *skey, size_t skey_len,
 }
 EXPORT_SYMBOL_GPL(nvme_auth_generate_psk);
 
+u8 *nvme_auth_generate_digest(u8 hmac_id, u8 *psk, size_t psk_len,
+			      char *subsysnqn, char *hostnqn)
+{
+	struct crypto_shash *tfm;
+	struct shash_desc *shash;
+	u8 *digest, *hmac;
+	const char *hmac_name;
+	size_t digest_len, hmac_len;
+	int ret;
+
+	if (WARN_ON(!subsysnqn || !hostnqn))
+		return ERR_PTR(-EINVAL);
+
+	hmac_name = nvme_auth_hmac_name(hmac_id);
+	if (!hmac_name) {
+		pr_warn("%s: invalid hash algoritm %d\n",
+			__func__, hmac_id);
+		return ERR_PTR(-EINVAL);
+	}
+
+	switch (nvme_auth_hmac_hash_len(hmac_id)) {
+	case 32:
+		hmac_len = 44;
+		break;
+	case 48:
+		hmac_len = 64;
+		break;
+	default:
+		pr_warn("%s: invalid hash algorithm '%s'\n",
+			__func__, hmac_name);
+		return ERR_PTR(-EINVAL);
+	}
+
+	hmac = kzalloc(hmac_len + 1, GFP_KERNEL);
+	if (!hmac)
+		return ERR_PTR(-ENOMEM);
+
+	tfm = crypto_alloc_shash(hmac_name, 0, 0);
+	if (IS_ERR(tfm))
+		goto out_free_hmac;
+
+	digest_len = crypto_shash_digestsize(tfm);
+	digest = kzalloc(digest_len, GFP_KERNEL);
+	if (!digest) {
+		ret = -ENOMEM;
+		goto out_free_tfm;
+	}
+
+	shash = kmalloc(sizeof(struct shash_desc) +
+			crypto_shash_descsize(tfm),
+			GFP_KERNEL);
+	if (!shash) {
+		ret = -ENOMEM;
+		goto out_free_digest;
+	}
+
+	shash->tfm = tfm;
+	ret = crypto_shash_setkey(tfm, psk, psk_len);
+	if (ret)
+		goto out_free_shash;
+
+	ret = crypto_shash_init(shash);
+	if (ret)
+		goto out_free_shash;
+
+	ret = crypto_shash_update(shash, hostnqn, strlen(hostnqn));
+	if (ret)
+		goto out_free_shash;
+
+	ret = crypto_shash_update(shash, " ", 1);
+	if (ret)
+		goto out_free_shash;
+
+	ret = crypto_shash_update(shash, subsysnqn, strlen(subsysnqn));
+	if (ret)
+		goto out_free_shash;
+
+	ret = crypto_shash_update(shash, " NVMe-over-Fabrics", 18);
+	if (ret)
+		goto out_free_shash;
+
+	ret = crypto_shash_final(shash, digest);
+	if (ret)
+		goto out_free_shash;
+
+	ret = base64_encode(digest, digest_len, hmac);
+	if (ret < hmac_len)
+		ret = -ENOKEY;
+	ret = 0;
+
+out_free_shash:
+	kfree_sensitive(shash);
+out_free_digest:
+	kfree_sensitive(digest);
+out_free_tfm:
+	crypto_free_shash(tfm);
+out_free_hmac:
+	if (ret) {
+		kfree_sensitive(hmac);
+		hmac = NULL;
+	}
+	return ret ? ERR_PTR(ret) : hmac;
+}
+EXPORT_SYMBOL_GPL(nvme_auth_generate_digest);
+
 MODULE_LICENSE("GPL v2");
diff --git a/include/linux/nvme-auth.h b/include/linux/nvme-auth.h
index 31dc1db2d4d6..2cbb9249a8b3 100644
--- a/include/linux/nvme-auth.h
+++ b/include/linux/nvme-auth.h
@@ -42,5 +42,7 @@ int nvme_auth_gen_shared_secret(struct crypto_kpp *dh_tfm,
 				u8 *sess_key, size_t sess_key_len);
 u8 *nvme_auth_generate_psk(u8 hmac_id, u8 *skey, size_t skey_len,
 			   u8 *c1, u8 *c2, size_t hash_len, size_t *ret_len);
+u8 *nvme_auth_generate_digest(u8 hmac_id, u8 *psk, size_t psk_len,
+			      char *subsysnqn, char *hostnqn);
 
 #endif /* _NVME_AUTH_H */
-- 
2.35.3

next prev parent reply	other threads:[~2024-01-27  9:31 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-01-27  9:30 [PATCHv2 00/13] nvme: implement secure concatenation hare
2024-01-27  9:30 ` [PATCH 01/13] crypto,fs: Separate out hkdf_extract() and hkdf_expand() hare
2024-01-27  9:30 ` [PATCH 02/13] nvme: add nvme_auth_generate_psk() hare
2024-03-07 10:42   ` Sagi Grimberg
2024-01-27  9:30 ` hare [this message]
2024-03-07 10:44   ` [PATCH 03/13] nvme: add nvme_auth_generate_digest() Sagi Grimberg
2024-01-27  9:30 ` [PATCH 04/13] nvme: add nvme_auth_derive_tls_psk() hare
2024-01-27  9:30 ` [PATCH 05/13] nvme-keyring: add nvme_tls_psk_refresh() hare
2024-01-27  9:30 ` [PATCH 06/13] nvme-keyring: restrict match length for version '1' identifiers hare
2024-03-07 10:49   ` Sagi Grimberg
2024-03-07 11:35     ` Hannes Reinecke
2024-03-07 12:08       ` Sagi Grimberg
2024-03-07 12:13         ` Hannes Reinecke
2024-01-27  9:30 ` [PATCH 07/13] nvme-tcp: check for invalidated or revoked key hare
2024-03-07 10:51   ` Sagi Grimberg
2024-03-07 11:36     ` Hannes Reinecke
2024-01-27  9:30 ` [PATCH 08/13] nvme-fabrics: authentication errors are not retryable hare
2024-03-07 10:52   ` Sagi Grimberg
2024-03-07 11:37     ` Hannes Reinecke
2024-01-27  9:30 ` [PATCH 09/13] nvme-tcp: sanitize TLS key handling hare
2024-03-07 11:03   ` Sagi Grimberg
2024-03-07 11:42     ` Hannes Reinecke
2024-01-27  9:30 ` [PATCH 10/13] nvme-tcp: request secure channel concatenation hare
2024-01-27  9:30 ` [PATCH 11/13] nvme-tcp: combine reset and recovery hare
2024-03-07 11:08   ` Sagi Grimberg
2024-03-07 11:43     ` Hannes Reinecke
2024-01-27  9:30 ` [PATCH 12/13] nvme-tcp: reset after recovery for secure concatenation hare
2024-01-27  9:30 ` [PATCH 13/13] nvmet-tcp: support secure channel concatenation hare
2024-02-12  7:40 ` [PATCHv2 00/13] nvme: implement secure concatenation Hannes Reinecke

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:9ee459a9400 dfblob:87e095fe385 dfblob:31dc1db2d4d
dfblob:2cbb9249a8b )
 OR (
bs:"[PATCH 03/13] nvme: add nvme_auth_generate_digest()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240127093058.15699-4-hare@kernel.org \
    --to=hare@kernel.org \
    --cc=hare@suse.de \
    --cc=hch@lst.de \
    --cc=kbusch@kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=sagi@grimberg.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.