From: Hannes Reinecke <hare@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
linux-nvme@lists.infradead.org, Hannes Reinecke <hare@kernel.org>
Subject: [PATCH 1/8] nvme-auth: modify nvme_auth_transform_key() to return status
Date: Tue, 17 Mar 2026 14:00:56 +0100 [thread overview]
Message-ID: <20260317130103.107360-2-hare@kernel.org> (raw)
In-Reply-To: <20260317130103.107360-1-hare@kernel.org>
In preparation for converting the DH-HMAC-CHAP code to use the
kernel keyring modify nvme_auth_transform_key() to return a status
and provide the transformed data as argument on the command line as
raw data.
Signed-off-by: Hannes Reinecke <hare@kernel.org>
---
drivers/nvme/common/auth.c | 38 ++++++++++++++++----------------
drivers/nvme/host/auth.c | 44 ++++++++++++++++++++------------------
drivers/nvme/target/auth.c | 37 ++++++++++++++++++--------------
include/linux/nvme-auth.h | 4 ++--
4 files changed, 65 insertions(+), 58 deletions(-)
diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c
index 2d325fb93083..772af9b6dccd 100644
--- a/drivers/nvme/common/auth.c
+++ b/drivers/nvme/common/auth.c
@@ -317,37 +317,37 @@ static int nvme_auth_hash(u8 hmac_id, const u8 *data, size_t data_len, u8 *out)
return -EINVAL;
}
-struct nvme_dhchap_key *nvme_auth_transform_key(
- const struct nvme_dhchap_key *key, const char *nqn)
+int nvme_auth_transform_key(const struct nvme_dhchap_key *key, const char *nqn,
+ u8 **transformed_secret)
{
struct nvme_auth_hmac_ctx hmac;
- struct nvme_dhchap_key *transformed_key;
- int ret, key_len;
+ u8 *transformed_data;
+ u8 *key_data;
+ size_t transformed_len;
+ int ret;
if (!key) {
pr_warn("No key specified\n");
- return ERR_PTR(-ENOKEY);
+ return -ENOKEY;
}
if (key->hash == 0) {
- key_len = nvme_auth_key_struct_size(key->len);
- transformed_key = kmemdup(key, key_len, GFP_KERNEL);
- if (!transformed_key)
- return ERR_PTR(-ENOMEM);
- return transformed_key;
+ key_data = kzalloc(key->len, GFP_KERNEL);
+ memcpy(key_data, key->key, key->len);
+ *transformed_secret = key_data;
+ return key->len;
}
ret = nvme_auth_hmac_init(&hmac, key->hash, key->key, key->len);
if (ret)
- return ERR_PTR(ret);
- key_len = nvme_auth_hmac_hash_len(key->hash);
- transformed_key = nvme_auth_alloc_key(key_len, key->hash);
- if (!transformed_key) {
- memzero_explicit(&hmac, sizeof(hmac));
- return ERR_PTR(-ENOMEM);
- }
+ return ret;
+ transformed_len = nvme_auth_hmac_hash_len(key->hash);
+ key_data = kzalloc(transformed_len, GFP_KERNEL);
+ if (!key_data)
+ return -ENOMEM;
nvme_auth_hmac_update(&hmac, nqn, strlen(nqn));
nvme_auth_hmac_update(&hmac, "NVMe-over-Fabrics", 17);
- nvme_auth_hmac_final(&hmac, transformed_key->key);
- return transformed_key;
+ nvme_auth_hmac_final(&hmac, key_data);
+ *transformed_secret = key_data;
+ return transformed_len;
}
EXPORT_SYMBOL_GPL(nvme_auth_transform_key);
diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index a85646891656..2065b3301326 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -22,7 +22,8 @@ struct nvme_dhchap_queue_context {
struct work_struct auth_work;
struct nvme_ctrl *ctrl;
struct crypto_kpp *dh_tfm;
- struct nvme_dhchap_key *transformed_key;
+ u8 *transformed_secret;
+ size_t transformed_len;
void *buf;
int qid;
int error;
@@ -421,22 +422,21 @@ static int nvme_auth_dhchap_setup_host_response(struct nvme_ctrl *ctrl,
dev_dbg(ctrl->device, "%s: qid %d host response seq %u transaction %d\n",
__func__, chap->qid, chap->s1, chap->transaction);
- if (!chap->transformed_key) {
- chap->transformed_key = nvme_auth_transform_key(ctrl->host_key,
- ctrl->opts->host->nqn);
- if (IS_ERR(chap->transformed_key)) {
- ret = PTR_ERR(chap->transformed_key);
- chap->transformed_key = NULL;
+ if (!chap->transformed_secret) {
+ ret = nvme_auth_transform_key(ctrl->host_key,
+ ctrl->opts->host->nqn,
+ &chap->transformed_secret);
+ if (ret < 0)
return ret;
- }
+ chap->transformed_len = ret;
} else {
dev_dbg(ctrl->device, "%s: qid %d re-using host response\n",
__func__, chap->qid);
}
ret = nvme_auth_hmac_init(&hmac, chap->hash_id,
- chap->transformed_key->key,
- chap->transformed_key->len);
+ chap->transformed_secret,
+ chap->transformed_len);
if (ret)
goto out;
@@ -485,19 +485,20 @@ static int nvme_auth_dhchap_setup_ctrl_response(struct nvme_ctrl *ctrl,
struct nvme_dhchap_queue_context *chap)
{
struct nvme_auth_hmac_ctx hmac;
- struct nvme_dhchap_key *transformed_key;
+ u8 *transformed_secret;
+ size_t transformed_len;
u8 buf[4], *challenge = chap->c2;
int ret;
- transformed_key = nvme_auth_transform_key(ctrl->ctrl_key,
- ctrl->opts->subsysnqn);
- if (IS_ERR(transformed_key)) {
- ret = PTR_ERR(transformed_key);
+ ret = nvme_auth_transform_key(ctrl->ctrl_key,
+ ctrl->opts->subsysnqn,
+ &transformed_secret);
+ if (ret < 0)
return ret;
- }
+ transformed_len = ret;
- ret = nvme_auth_hmac_init(&hmac, chap->hash_id, transformed_key->key,
- transformed_key->len);
+ ret = nvme_auth_hmac_init(&hmac, chap->hash_id, transformed_secret,
+ transformed_len);
if (ret) {
dev_warn(ctrl->device, "qid %d: failed to init hmac, error %d\n",
chap->qid, ret);
@@ -549,7 +550,7 @@ static int nvme_auth_dhchap_setup_ctrl_response(struct nvme_ctrl *ctrl,
if (challenge != chap->c2)
kfree(challenge);
memzero_explicit(&hmac, sizeof(hmac));
- nvme_auth_free_key(transformed_key);
+ kfree_sensitive(transformed_secret);
return ret;
}
@@ -611,8 +612,9 @@ static int nvme_auth_dhchap_exponential(struct nvme_ctrl *ctrl,
static void nvme_auth_reset_dhchap(struct nvme_dhchap_queue_context *chap)
{
- nvme_auth_free_key(chap->transformed_key);
- chap->transformed_key = NULL;
+ kfree_sensitive(chap->transformed_secret);
+ chap->transformed_secret = NULL;
+ chap->transformed_len = 0;
kfree_sensitive(chap->host_key);
chap->host_key = NULL;
chap->host_key_len = 0;
diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
index b34610e2f19d..baf4c8223fd5 100644
--- a/drivers/nvme/target/auth.c
+++ b/drivers/nvme/target/auth.c
@@ -285,17 +285,19 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
struct nvme_auth_hmac_ctx hmac;
struct nvmet_ctrl *ctrl = req->sq->ctrl;
u8 *challenge = req->sq->dhchap_c1;
- struct nvme_dhchap_key *transformed_key;
+ u8 *transformed_secret;
+ size_t transformed_len;
u8 buf[4];
int ret;
- transformed_key = nvme_auth_transform_key(ctrl->host_key,
- ctrl->hostnqn);
- if (IS_ERR(transformed_key))
- return PTR_ERR(transformed_key);
+ ret = nvme_auth_transform_key(ctrl->host_key, ctrl->hostnqn,
+ &transformed_secret);
+ if (ret < 0)
+ return ret;
+ transformed_len = ret;
- ret = nvme_auth_hmac_init(&hmac, ctrl->shash_id, transformed_key->key,
- transformed_key->len);
+ ret = nvme_auth_hmac_init(&hmac, ctrl->shash_id, transformed_secret,
+ transformed_len);
if (ret)
goto out_free_response;
@@ -348,7 +350,7 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response,
kfree(challenge);
out_free_response:
memzero_explicit(&hmac, sizeof(hmac));
- nvme_auth_free_key(transformed_key);
+ kfree_sensitive(transformed_secret);
return ret;
}
@@ -358,17 +360,20 @@ int nvmet_auth_ctrl_hash(struct nvmet_req *req, u8 *response,
struct nvme_auth_hmac_ctx hmac;
struct nvmet_ctrl *ctrl = req->sq->ctrl;
u8 *challenge = req->sq->dhchap_c2;
- struct nvme_dhchap_key *transformed_key;
+ u8 *transformed_secret;
+ size_t transformed_len;
u8 buf[4];
int ret;
- transformed_key = nvme_auth_transform_key(ctrl->ctrl_key,
- ctrl->subsys->subsysnqn);
- if (IS_ERR(transformed_key))
- return PTR_ERR(transformed_key);
+ ret = nvme_auth_transform_key(ctrl->ctrl_key,
+ ctrl->subsys->subsysnqn,
+ &transformed_secret);
+ if (ret < 0)
+ return ret;
+ transformed_len = ret;
- ret = nvme_auth_hmac_init(&hmac, ctrl->shash_id, transformed_key->key,
- transformed_key->len);
+ ret = nvme_auth_hmac_init(&hmac, ctrl->shash_id, transformed_secret,
+ transformed_len);
if (ret)
goto out_free_response;
@@ -416,7 +421,7 @@ int nvmet_auth_ctrl_hash(struct nvmet_req *req, u8 *response,
kfree(challenge);
out_free_response:
memzero_explicit(&hmac, sizeof(hmac));
- nvme_auth_free_key(transformed_key);
+ kfree_sensitive(transformed_secret);
return ret;
}
diff --git a/include/linux/nvme-auth.h b/include/linux/nvme-auth.h
index 184a1f9510fa..37cc8abaf06d 100644
--- a/include/linux/nvme-auth.h
+++ b/include/linux/nvme-auth.h
@@ -41,8 +41,8 @@ u32 nvme_auth_key_struct_size(u32 key_len);
struct nvme_dhchap_key *nvme_auth_extract_key(const char *secret, u8 key_hash);
void nvme_auth_free_key(struct nvme_dhchap_key *key);
struct nvme_dhchap_key *nvme_auth_alloc_key(u32 len, u8 hash);
-struct nvme_dhchap_key *nvme_auth_transform_key(
- const struct nvme_dhchap_key *key, const char *nqn);
+int nvme_auth_transform_key(const struct nvme_dhchap_key *key,
+ const char *nqn, u8 **transformed_secret);
int nvme_auth_parse_key(const char *secret, struct nvme_dhchap_key **ret_key);
int nvme_auth_augmented_challenge(u8 hmac_id, const u8 *skey, size_t skey_len,
const u8 *challenge, u8 *aug, size_t hlen);
--
2.43.0
next prev parent reply other threads:[~2026-03-17 13:01 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-17 13:00 [PATCHv3 0/8] nvme-auth: switch to use the kernel keyring Hannes Reinecke
2026-03-17 13:00 ` Hannes Reinecke [this message]
2026-03-17 13:09 ` [PATCH 1/8] nvme-auth: modify nvme_auth_transform_key() to return status Maurizio Lombardi
2026-03-17 14:55 ` Hannes Reinecke
2026-03-17 13:00 ` [PATCH 2/8] nvme-keyring: add 'dhchap' key type Hannes Reinecke
2026-04-01 18:13 ` Chris Leech
2026-04-07 6:18 ` Hannes Reinecke
2026-03-17 13:00 ` [PATCH 3/8] nvme-auth: switch to use 'struct key' Hannes Reinecke
2026-04-01 18:36 ` Chris Leech
2026-04-07 6:20 ` Hannes Reinecke
2026-03-17 13:00 ` [PATCH 4/8] nvme: parse dhchap keys during option parsing Hannes Reinecke
2026-04-01 18:43 ` Chris Leech
2026-04-07 6:20 ` Hannes Reinecke
2026-03-17 13:01 ` [PATCH 5/8] nvmet-auth: parse dhchap key from configfs attribute Hannes Reinecke
2026-03-17 13:01 ` [PATCH 6/8] nvme: allow to pass in key description as dhchap secret Hannes Reinecke
2026-03-17 13:01 ` [PATCH 7/8] nvme-auth: wait for authentication to finish when changing keys Hannes Reinecke
2026-03-17 13:01 ` [PATCH 8/8] nvme-fabrics: allow to pass in keyring by name Hannes Reinecke
2026-03-17 13:20 ` [PATCHv3 0/8] nvme-auth: switch to use the kernel keyring Maurizio Lombardi
2026-03-17 14:44 ` Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260317130103.107360-2-hare@kernel.org \
--to=hare@kernel.org \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.