From: Hannes Reinecke <hare@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>, Sagi Grimberg <sagi@grimberg.me>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@kernel.org>
Subject: [PATCH 01/12] nvme-auth: modify nvme_auth_transform_key() to return status
Date: Fri, 25 Apr 2025 11:49:16 +0200 [thread overview]
Message-ID: <20250425094927.102656-2-hare@kernel.org> (raw)
In-Reply-To: <20250425094927.102656-1-hare@kernel.org>
Modify nvme_auth_transform_key() to return a status and provide
the transformed data as argument on the command line as raw data.
Signed-off-by: Hannes Reinecke <hare@kernel.org>
---
drivers/nvme/common/auth.c | 80 +++++++++++++++++++++++---------------
drivers/nvme/host/auth.c | 40 ++++++++++---------
drivers/nvme/target/auth.c | 36 ++++++++---------
include/linux/nvme-auth.h | 4 +-
4 files changed, 89 insertions(+), 71 deletions(-)
diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c
index 2c092ec8c0a9..d6dfc4ff39a2 100644
--- a/drivers/nvme/common/auth.c
+++ b/drivers/nvme/common/auth.c
@@ -237,81 +237,97 @@ void nvme_auth_free_key(struct nvme_dhchap_key *key)
}
EXPORT_SYMBOL_GPL(nvme_auth_free_key);
-struct nvme_dhchap_key *nvme_auth_transform_key(
- struct nvme_dhchap_key *key, char *nqn)
+int nvme_auth_transform_key(struct nvme_dhchap_key *key, char *nqn,
+ u8 **transformed_secret)
{
const char *hmac_name;
struct crypto_shash *key_tfm;
struct shash_desc *shash;
- struct nvme_dhchap_key *transformed_key;
- int ret, key_len;
+ u8 *transformed_data;
+ u8 *key_data;
+ size_t transformed_len;
+ int ret;
if (!key) {
pr_warn("No key specified\n");
- return ERR_PTR(-ENOKEY);
+ return -ENOKEY;
}
+ key_data = kzalloc(key->len, GFP_KERNEL);
+ if (!key_data)
+ return -ENOMEM;
+ memcpy(key_data, key->key, key->len);
if (key->hash == 0) {
- key_len = nvme_auth_key_struct_size(key->len);
- transformed_key = kmemdup(key, key_len, GFP_KERNEL);
- if (!transformed_key)
- return ERR_PTR(-ENOMEM);
- return transformed_key;
+ *transformed_secret = key_data;
+ return key->len;
}
hmac_name = nvme_auth_hmac_name(key->hash);
if (!hmac_name) {
pr_warn("Invalid key hash id %d\n", key->hash);
- return ERR_PTR(-EINVAL);
+ ret = -EINVAL;
+ goto out_free_data;
}
key_tfm = crypto_alloc_shash(hmac_name, 0, 0);
- if (IS_ERR(key_tfm))
- return ERR_CAST(key_tfm);
+ if (IS_ERR(key_tfm)) {
+ ret = PTR_ERR(key_tfm);
+ goto out_free_data;
+ }
+
+ transformed_len = crypto_shash_digestsize(key_tfm);
+ if (transformed_len != key->len) {
+ pr_warn("incompatible digest size %ld for key (hash %s, len %ld)\n",
+ transformed_len, hmac_name, key->len);
+ ret = -EINVAL;
+ goto out_free_tfm;
+ }
+
+ transformed_data = kzalloc(transformed_len, GFP_KERNEL);
+ if (!transformed_data) {
+ ret = -ENOMEM;
+ goto out_free_tfm;
+ }
shash = kmalloc(sizeof(struct shash_desc) +
crypto_shash_descsize(key_tfm),
GFP_KERNEL);
if (!shash) {
ret = -ENOMEM;
- goto out_free_key;
- }
-
- key_len = crypto_shash_digestsize(key_tfm);
- transformed_key = nvme_auth_alloc_key(key_len, key->hash);
- if (!transformed_key) {
- ret = -ENOMEM;
- goto out_free_shash;
+ goto out_free_transformed_data;
}
shash->tfm = key_tfm;
ret = crypto_shash_setkey(key_tfm, key->key, key->len);
if (ret < 0)
- goto out_free_transformed_key;
+ goto out_free_shash;
ret = crypto_shash_init(shash);
if (ret < 0)
- goto out_free_transformed_key;
+ goto out_free_shash;
ret = crypto_shash_update(shash, nqn, strlen(nqn));
if (ret < 0)
- goto out_free_transformed_key;
+ goto out_free_shash;
ret = crypto_shash_update(shash, "NVMe-over-Fabrics", 17);
if (ret < 0)
- goto out_free_transformed_key;
- ret = crypto_shash_final(shash, transformed_key->key);
+ goto out_free_shash;
+ ret = crypto_shash_final(shash, transformed_data);
if (ret < 0)
- goto out_free_transformed_key;
+ goto out_free_shash;
kfree(shash);
crypto_free_shash(key_tfm);
+ *transformed_secret = transformed_data;
- return transformed_key;
+ return transformed_len;
-out_free_transformed_key:
- nvme_auth_free_key(transformed_key);
out_free_shash:
kfree(shash);
-out_free_key:
+out_free_transformed_data:
+ kfree(transformed_data);
+out_free_tfm:
crypto_free_shash(key_tfm);
+out_free_data:
+ kfree(key_data);
- return ERR_PTR(ret);
+ return ret;
}
EXPORT_SYMBOL_GPL(nvme_auth_transform_key);
diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index 6115fef74c1e..4b6dc1dd5f66 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -24,7 +24,8 @@ struct nvme_dhchap_queue_context {
struct nvme_ctrl *ctrl;
struct crypto_shash *shash_tfm;
struct crypto_kpp *dh_tfm;
- struct nvme_dhchap_key *transformed_key;
+ u8 *transformed_secret;
+ size_t transformed_len;
void *buf;
int qid;
int error;
@@ -436,21 +437,20 @@ static int nvme_auth_dhchap_setup_host_response(struct nvme_ctrl *ctrl,
dev_dbg(ctrl->device, "%s: qid %d host response seq %u transaction %d\n",
__func__, chap->qid, chap->s1, chap->transaction);
- if (!chap->transformed_key) {
- chap->transformed_key = nvme_auth_transform_key(ctrl->host_key,
- ctrl->opts->host->nqn);
- if (IS_ERR(chap->transformed_key)) {
- ret = PTR_ERR(chap->transformed_key);
- chap->transformed_key = NULL;
+ if (!chap->transformed_secret) {
+ ret = nvme_auth_transform_key(ctrl->host_key,
+ ctrl->opts->host->nqn,
+ &chap->transformed_secret);
+ if (ret < 0)
return ret;
- }
+ chap->transformed_len = ret;
} else {
dev_dbg(ctrl->device, "%s: qid %d re-using host response\n",
__func__, chap->qid);
}
ret = crypto_shash_setkey(chap->shash_tfm,
- chap->transformed_key->key, chap->transformed_key->len);
+ chap->transformed_secret, chap->transformed_len);
if (ret) {
dev_warn(ctrl->device, "qid %d: failed to set key, error %d\n",
chap->qid, ret);
@@ -516,19 +516,20 @@ static int nvme_auth_dhchap_setup_ctrl_response(struct nvme_ctrl *ctrl,
struct nvme_dhchap_queue_context *chap)
{
SHASH_DESC_ON_STACK(shash, chap->shash_tfm);
- struct nvme_dhchap_key *transformed_key;
+ u8 *transformed_secret;
+ size_t transformed_len;
u8 buf[4], *challenge = chap->c2;
int ret;
- transformed_key = nvme_auth_transform_key(ctrl->ctrl_key,
- ctrl->opts->subsysnqn);
- if (IS_ERR(transformed_key)) {
- ret = PTR_ERR(transformed_key);
+ ret = nvme_auth_transform_key(ctrl->ctrl_key,
+ ctrl->opts->subsysnqn,
+ &transformed_secret);
+ if (ret < 0)
return ret;
- }
+ transformed_len = ret;
ret = crypto_shash_setkey(chap->shash_tfm,
- transformed_key->key, transformed_key->len);
+ transformed_secret, transformed_len);
if (ret) {
dev_warn(ctrl->device, "qid %d: failed to set key, error %d\n",
chap->qid, ret);
@@ -594,7 +595,7 @@ static int nvme_auth_dhchap_setup_ctrl_response(struct nvme_ctrl *ctrl,
out:
if (challenge != chap->c2)
kfree(challenge);
- nvme_auth_free_key(transformed_key);
+ kfree(transformed_secret);
return ret;
}
@@ -656,8 +657,9 @@ static int nvme_auth_dhchap_exponential(struct nvme_ctrl *ctrl,
static void nvme_auth_reset_dhchap(struct nvme_dhchap_queue_context *chap)
{
- nvme_auth_free_key(chap->transformed_key);
- chap->transformed_key = NULL;
+ kfree(chap->transformed_secret);
+ chap->transformed_secret = NULL;
+ chap->transformed_len = 0;
kfree_sensitive(chap->host_key);
chap->host_key = NULL;
chap->host_key_len = 0;
diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
index cef8d77f477b..46a25b76544d 100644
--- a/drivers/nvme/target/auth.c
+++ b/drivers/nvme/target/auth.c
@@ -294,7 +294,8 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
struct nvmet_ctrl *ctrl = req->sq->ctrl;
const char *hash_name;
u8 *challenge = req->sq->dhchap_c1;
- struct nvme_dhchap_key *transformed_key;
+ u8 *transformed_secret;
+ size_t transformed_len;
u8 buf[4];
int ret;
@@ -318,15 +319,14 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
goto out_free_tfm;
}
- transformed_key = nvme_auth_transform_key(ctrl->host_key,
- ctrl->hostnqn);
- if (IS_ERR(transformed_key)) {
- ret = PTR_ERR(transformed_key);
+ ret = nvme_auth_transform_key(ctrl->host_key, ctrl->hostnqn,
+ &transformed_secret);
+ if (ret < 0)
goto out_free_tfm;
- }
- ret = crypto_shash_setkey(shash_tfm, transformed_key->key,
- transformed_key->len);
+ transformed_len = ret;
+ ret = crypto_shash_setkey(shash_tfm, transformed_secret,
+ transformed_len);
if (ret)
goto out_free_response;
@@ -394,7 +394,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
if (challenge != req->sq->dhchap_c1)
kfree(challenge);
out_free_response:
- nvme_auth_free_key(transformed_key);
+ kfree(transformed_secret);
out_free_tfm:
crypto_free_shash(shash_tfm);
return ret;
@@ -408,7 +408,8 @@ int nvmet_auth_ctrl_hash(struct nvmet_req *req, u8 *response,
struct nvmet_ctrl *ctrl = req->sq->ctrl;
const char *hash_name;
u8 *challenge = req->sq->dhchap_c2;
- struct nvme_dhchap_key *transformed_key;
+ u8 *transformed_secret;
+ size_t transformed_len;
u8 buf[4];
int ret;
@@ -432,15 +433,14 @@ int nvmet_auth_ctrl_hash(struct nvmet_req *req, u8 *response,
goto out_free_tfm;
}
- transformed_key = nvme_auth_transform_key(ctrl->ctrl_key,
- ctrl->subsysnqn);
- if (IS_ERR(transformed_key)) {
- ret = PTR_ERR(transformed_key);
+ ret = nvme_auth_transform_key(ctrl->ctrl_key, ctrl->subsysnqn,
+ &transformed_secret);
+ if (ret < 0)
goto out_free_tfm;
- }
+ transformed_len = ret;
- ret = crypto_shash_setkey(shash_tfm, transformed_key->key,
- transformed_key->len);
+ ret = crypto_shash_setkey(shash_tfm, transformed_secret,
+ transformed_len);
if (ret)
goto out_free_response;
@@ -505,7 +505,7 @@ int nvmet_auth_ctrl_hash(struct nvmet_req *req, u8 *response,
if (challenge != req->sq->dhchap_c2)
kfree(challenge);
out_free_response:
- nvme_auth_free_key(transformed_key);
+ kfree(transformed_secret);
out_free_tfm:
crypto_free_shash(shash_tfm);
return ret;
diff --git a/include/linux/nvme-auth.h b/include/linux/nvme-auth.h
index 60e069a6757f..fd43fa042c88 100644
--- a/include/linux/nvme-auth.h
+++ b/include/linux/nvme-auth.h
@@ -29,8 +29,8 @@ struct nvme_dhchap_key *nvme_auth_extract_key(unsigned char *secret,
u8 key_hash);
void nvme_auth_free_key(struct nvme_dhchap_key *key);
struct nvme_dhchap_key *nvme_auth_alloc_key(u32 len, u8 hash);
-struct nvme_dhchap_key *nvme_auth_transform_key(
- struct nvme_dhchap_key *key, char *nqn);
+int nvme_auth_transform_key(struct nvme_dhchap_key *key, char *nqn,
+ u8 **transformed_secret) ;
int nvme_auth_generate_key(u8 *secret, struct nvme_dhchap_key **ret_key);
int nvme_auth_augmented_challenge(u8 hmac_id, u8 *skey, size_t skey_len,
u8 *challenge, u8 *aug, size_t hlen);
--
2.35.3
next prev parent reply other threads:[~2025-04-25 11:14 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-25 9:49 [PATCH 00/12] nvme-auth: switch to use the kernel keyring Hannes Reinecke
2025-04-25 9:49 ` Hannes Reinecke [this message]
2025-05-07 7:24 ` [PATCH 01/12] nvme-auth: modify nvme_auth_transform_key() to return status Christoph Hellwig
2025-05-07 7:29 ` Hannes Reinecke
2025-04-25 9:49 ` [PATCH 02/12] nvme-auth: use SHASH_DESC_ON_STACK Hannes Reinecke
2025-05-07 7:28 ` Christoph Hellwig
2025-05-07 7:29 ` Hannes Reinecke
2025-05-07 7:35 ` Christoph Hellwig
2025-04-25 9:49 ` [PATCH 03/12] nvmet-auth: " Hannes Reinecke
2025-04-25 9:49 ` [PATCH 04/12] nvme-auth: do not cache the transformed secret Hannes Reinecke
2025-05-07 7:25 ` Christoph Hellwig
2025-04-25 9:49 ` [PATCH 05/12] nvme-keyring: add 'dhchap' key type Hannes Reinecke
2025-04-25 9:49 ` [PATCH 06/12] nvme-auth: switch to use 'struct key' Hannes Reinecke
2025-04-25 9:49 ` [PATCH 07/12] nvme-auth: drop nvme_dhchap_key structure and unused functions Hannes Reinecke
2025-05-07 7:26 ` Christoph Hellwig
2025-05-07 7:30 ` Hannes Reinecke
2025-04-25 9:49 ` [PATCH 08/12] nvme: parse dhchap keys during option parsing Hannes Reinecke
2025-04-25 9:49 ` [PATCH 09/12] nvmet-auth: parse dhchap key from configfs attribute Hannes Reinecke
2025-04-25 9:49 ` [PATCH 10/12] nvme: allow to pass in key serial number as dhchap secret Hannes Reinecke
2025-04-25 9:49 ` [PATCH 11/12] nvme-auth: wait for authentication to finish when changing keys Hannes Reinecke
2025-04-25 9:49 ` [PATCH 12/12] nvme: Unify Kconfig settings Hannes Reinecke
2025-05-07 7:23 ` Christoph Hellwig
2025-05-07 7:30 ` Hannes Reinecke
2025-05-07 7:19 ` [PATCH 00/12] nvme-auth: switch to use the kernel keyring Christoph Hellwig
2025-05-07 7:42 ` Hannes Reinecke
2025-05-07 7:53 ` Sagi Grimberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250425094927.102656-2-hare@kernel.org \
--to=hare@kernel.org \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.