From: Eric Biggers <ebiggers@kernel.org>
To: Chris Leech <cleech@redhat.com>
Cc: linux-nvme@lists.infradead.org, Hannes Reinecke <hare@suse.de>,
Keith Busch <kbusch@kernel.org>, Christoph Hellwig <hch@lst.de>,
Sagi Grimberg <sagi@grimberg.me>,
Chaitanya Kulkarni <kch@nvidia.com>
Subject: Re: [PATCH v2] nvme-auth: Hash DH shared secret to create session key
Date: Wed, 11 Mar 2026 21:09:18 -0700
Message-ID: <20260312040918.GB2359@sol>
In-Reply-To: <20260311231643.2672061-1-cleech@redhat.com>

On Wed, Mar 11, 2026 at 04:16:43PM -0700, Chris Leech wrote:
> The NVMe Base Specification 8.3.5.5.9 states that the session key Ks
> shall be computed from the ephemeral DH key by applying the hash
> function selected by the HashID parameter.
>
> The current implementation stores the raw DH shared secret as the
> session key without hashing it. This causes redundant hash operations:
>
> 1. Augmented challenge computation (section 8.3.5.5.4) requires
> Ca = HMAC(H(g^xy mod p), C). The code compensates by hashing the
> unhashed session key in nvme_auth_augmented_challenge() to produce
> the correct result.
>
> 2. PSK generation (section 8.3.5.5.9) requires PSK = HMAC(Ks, C1 || C2)
> where Ks should already be H(g^xy mod p). As the DH shared secret
> is always larger than the HMAC block size, HMAC internally hashes
> it before use, accidentally producing the correct result.
>
> When using secure channel concatenation with bidirectional
> authentication, this results in hashing the DH value three times: twice
> for augmented challenge calculations and once during PSK generation.
>
> Fix this by:
> - Modifying nvme_auth_gen_shared_secret() to hash the DH shared secret
> once after computation: Ks = H(g^xy mod p)
> - Removing the hash operation from nvme_auth_augmented_challenge()
> as the session key is now already hashed
> - Updating session key buffer size from DH key size to hash output size
> - Adding specification references in comments
>
> This avoids storing the raw DH shared secret and reduces the number of
> hash operations from three to one when using secure channel
> concatenation.
>
> Signed-off-by: Chris Leech <cleech@redhat.com>
> ---
> v2:
> - Renamed nvme_auth_gen_session_key() arguments from ctrl_key to
> public_key, as it is the peer's public DH key and this code is also
> used on the target/controller side when the peer is the host.
> - Changed argument validation from erroring on sess_key_len < hash_len
> to sess_key_len != hash_len to be more precise in calling requirements
>
> created on the nvme-7.1 branch
> this depends on Eric Biggers "nvme-auth use crypto library" patches
> from <20260302075959.338638-1-ebiggers@kernel.org>
>
> drivers/nvme/common/auth.c | 88 ++++++++++++++++++++++++++++++--------
> drivers/nvme/host/auth.c | 13 +++---
> drivers/nvme/target/auth.c | 15 +++---
> include/linux/nvme-auth.h | 6 +--
> 4 files changed, 92 insertions(+), 36 deletions(-)

Reviewed-by: Eric Biggers <ebiggers@kernel.org>

- Eric
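
The equivalence described in item 2 of the quoted commit message, as an added example that is not part of this message or the patch: HMAC replaces a key longer than the hash block size with its hash, so keying with the raw DH secret matches keying with Ks = H(g^xy mod p) only above that length. The function names, the 256-byte secret length and the byte patterns are assumptions constructed for illustration.

```python
import hashlib
import hmac


def session_key(dh_secret: bytes, hash_name: str) -> bytes:
    # Ks = H(g^xy mod p): hash the DH shared secret once, up front.
    return hashlib.new(hash_name, dh_secret).digest()


def psk(key: bytes, c1: bytes, c2: bytes, hash_name: str) -> bytes:
    # PSK = HMAC(key, C1 || C2)
    return hmac.new(key, c1 + c2, hash_name).digest()


def raw_secret_gives_same_psk(secret_len: int, hash_name: str) -> bool:
    # Constructed inputs: a fixed byte pattern stands in for g^xy mod p,
    # and C1/C2 are made-up challenges (not values from a real exchange).
    dh_secret = bytes((i * 7 + 1) % 256 for i in range(secret_len))
    n = hashlib.new(hash_name).digest_size
    c1, c2 = b"\x11" * n, b"\x22" * n
    old = psk(dh_secret, c1, c2, hash_name)  # raw secret used as HMAC key
    new = psk(session_key(dh_secret, hash_name), c1, c2, hash_name)
    return hmac.compare_digest(old, new)


def report():
    # For each hash, try a secret exactly one block long, one byte longer,
    # and 256 bytes (assumed length, well above every block size here).
    rows = []
    for hash_name in ("sha256", "sha384", "sha512"):
        block = hashlib.new(hash_name).block_size
        for secret_len in (block, block + 1, 256):
            same = raw_secret_gives_same_psk(secret_len, hash_name)
            rows.append((hash_name, block, secret_len, same))
    return rows


if __name__ == "__main__":
    for hash_name, block, secret_len, same in report():
        print(f"{hash_name}: block={block} secret={secret_len} "
              f"HMAC(raw) == HMAC(H(raw)): {same}")
```

A secret no longer than the block size is used by HMAC as-is, so the two PSKs differ in that case; hashing explicitly into Ks removes the dependence on key length.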