public inbox for linux-nvme@lists.infradead.org
From: hare@kernel.org
To: Christoph Hellwig <hch@lst.de>
Cc: Sagi Grimberg <sagi@grimberg.me>, Keith Busch <kbusch@kernel.org>,
	linux-nvme@lists.infradead.org, Hannes Reinecke <hare@suse.de>
Subject: [PATCH 06/11] nvme-keyring: restrict match length for version '1' identifiers
Date: Tue, 23 Jan 2024 15:19:04 +0100	[thread overview]
Message-ID: <20240123141909.79061-7-hare@kernel.org> (raw)
In-Reply-To: <20240123141909.79061-1-hare@kernel.org>

From: Hannes Reinecke <hare@suse.de>

TP8018 changed the TLS PSK identifiers to append a PSK hash value,
so to look up any version '1' identifiers we need to restrict the
match length to exclude the PSK hash value (which we don't have
when looking up keys).

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 drivers/nvme/common/keyring.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/drivers/nvme/common/keyring.c b/drivers/nvme/common/keyring.c
index c16f9496643f..51b99b34e100 100644
--- a/drivers/nvme/common/keyring.c
+++ b/drivers/nvme/common/keyring.c
@@ -44,6 +44,27 @@ static bool nvme_tls_psk_match(const struct key *key,
 		return false;
 	}
 	match_id = match_data->raw_data;
+	if (memcmp(match_id, "NVMe1", 5)) {
+		char *e = (char *)match_id;
+		size_t offset = 0;
+		int n = 0;
+
+		while (*e != ' ' && offset < match_len) {
+			if (*e == ' ') {
+				n++;
+				if (n == 3)
+					break;
+			}
+			e++;
+			offset++;
+		}
+		if (n != 3) {
+			pr_debug("%s: error parsing '%s'\n",
+				 __func__, match_id);
+			return false;
+		}
+		match_len = offset;
+	}
 	pr_debug("%s: match '%s' '%s' len %zd\n",
 		 __func__, match_id, key->description, match_len);
 	return !memcmp(key->description, match_id, match_len);
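Review bot: the guard `if (memcmp(match_id, "NVMe1", 5))` looks inverted: memcmp() returns non-zero when the prefix does not match, so the trimming block runs for every identifier except the version '1' ones the commit message says it is for; `if (!memcmp(match_id, "NVMe1", 5))` would match the description. Independently, the loop condition `while (*e != ' ' && offset < match_len)` terminates at the first space, so the inner `if (*e == ' ')` can never be reached, `n` stays 0, and every identifier that enters the block fails with the "error parsing" pr_debug and returns false; looping on `*e` (or only on `offset < match_len`) and letting the inner check count the separators would give the cut at the third space that the `n == 3` test expects. It would also be worth documenting in a comment which identifier format the three-space count assumes, since the hunk depends on it silently.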
-- 
2.35.3

Thread overview: 12+ messages
2024-01-23 14:18 [RFC PATCH 00/11] nvme: implement secure concatenation hare
2024-01-23 14:18 ` [PATCH 01/11] crypto,fs: Separate out hkdf_extract() and hkdf_expand() hare
2024-01-23 14:19 ` [PATCH 02/11] nvme: add nvme_auth_generate_psk() hare
2024-01-23 14:19 ` [PATCH 03/11] nvme: add nvme_auth_generate_digest() hare
2024-01-23 14:19 ` [PATCH 04/11] nvme: add nvme_auth_derive_tls_psk() hare
2024-01-23 14:19 ` [PATCH 05/11] nvme-keyring: add nvme_tls_psk_refresh() hare
2024-01-23 14:19 ` hare [this message]
2024-01-23 14:19 ` [PATCH 07/11] nvme-tcp: check for invalidated or revoked key hare
2024-01-23 14:19 ` [PATCH 08/11] nvme-fabrics: authentication errors are not retryable hare
2024-01-23 14:19 ` [PATCH 09/11] nvme: add nvme_noretry_error() hare
2024-01-23 14:19 ` [PATCH 10/11] nvme-tcp: request secure channel concatenation hare
2024-01-23 14:19 ` [PATCH 11/11] nvmet-tcp: support " hare
