* [PATCH v1 0/1] nvme-auth: constant-time DH-HMAC-CHAP response comparison
@ 2026-07-01 6:30 Xixin Liu
2026-07-01 6:30 ` [PATCH v1 1/1] nvme-auth: use crypto_memneq for " Xixin Liu
0 siblings, 1 reply; 4+ messages in thread
From: Xixin Liu @ 2026-07-01 6:30 UTC (permalink / raw)
To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, kch, hare, linux-kernel, liuxixin
DH-HMAC-CHAP compares HMAC digests during in-band authentication. The
host and target paths currently use memcmp(), which may short-circuit on
the first differing byte and leak timing information to a remote party.
This series switches both security-sensitive comparisons to
crypto_memneq(). Non-secret memcmp() uses (fixed prefix strings, NGUID
checks) are unchanged.
Xixin Liu (1):
nvme-auth: use crypto_memneq for DH-HMAC-CHAP response comparison
drivers/nvme/host/auth.c | 3 ++-
drivers/nvme/target/fabrics-cmd-auth.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--
2.43.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v1 1/1] nvme-auth: use crypto_memneq for DH-HMAC-CHAP response comparison
2026-07-01 6:30 [PATCH v1 0/1] nvme-auth: constant-time DH-HMAC-CHAP response comparison Xixin Liu
@ 2026-07-01 6:30 ` Xixin Liu
2026-07-02 14:13 ` Christoph Hellwig
2026-07-03 6:24 ` Hannes Reinecke
0 siblings, 2 replies; 4+ messages in thread
From: Xixin Liu @ 2026-07-01 6:30 UTC (permalink / raw)
To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, kch, hare, linux-kernel, liuxixin
DH-HMAC-CHAP authentication compares HMAC response digests with memcmp().
Standard memcmp() may stop at the first differing byte, which can leak
timing information to a remote attacker and allow incremental recovery
of the expected digest.
Use crypto_memneq() for constant-time comparison on both the host path
that validates the controller Success1 response and the target path that
validates the host Reply digest. Other memcmp() uses in the NVMe auth
code (e.g. fixed string prefix checks) are not security-sensitive and
are left unchanged.
Signed-off-by: Xixin Liu <liuxixin@kylinos.cn>
---
drivers/nvme/host/auth.c | 3 ++-
drivers/nvme/target/fabrics-cmd-auth.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index 111111111111..222222222222 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -8,6 +8,7 @@
#include <linux/prandom.h>
#include <linux/unaligned.h>
#include <crypto/dh.h>
+#include <crypto/utils.h>
#include "nvme.h"
#include "fabrics.h"
#include <linux/nvme-auth.h>
@@ -361,7 +362,7 @@ static int nvme_auth_process_dhchap_success1(struct nvme_ctrl *ctrl,
return 0;
/* Validate controller response */
- if (memcmp(chap->response, data->rval, data->hl)) {
+ if (crypto_memneq(chap->response, data->rval, data->hl)) {
dev_dbg(ctrl->device, "%s: qid %d ctrl response %*ph\n",
__func__, chap->qid, (int)chap->hash_len, data->rval);
dev_dbg(ctrl->device, "%s: qid %d host response %*ph\n",
diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index 333333333333..444444444444 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -8,6 +8,7 @@
#include <linux/random.h>
#include <linux/nvme-auth.h>
#include <crypto/kpp.h>
+#include <crypto/utils.h>
#include "nvmet.h"
static void nvmet_auth_expired_work(struct work_struct *work)
@@ -177,7 +178,7 @@ static u16 nvmet_auth_reply(struct nvmet_req *req,
return NVME_AUTH_DHCHAP_FAILURE_FAILED;
}
- if (memcmp(data->rval, response, data->hl)) {
+ if (crypto_memneq(data->rval, response, data->hl)) {
pr_info("ctrl %d qid %d host response mismatch\n",
ctrl->cntlid, req->sq->qid);
pr_debug("ctrl %d qid %d rval %*ph\n",
--
2.43.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v1 1/1] nvme-auth: use crypto_memneq for DH-HMAC-CHAP response comparison
2026-07-01 6:30 ` [PATCH v1 1/1] nvme-auth: use crypto_memneq for " Xixin Liu
@ 2026-07-02 14:13 ` Christoph Hellwig
2026-07-03 6:24 ` Hannes Reinecke
1 sibling, 0 replies; 4+ messages in thread
From: Christoph Hellwig @ 2026-07-02 14:13 UTC (permalink / raw)
To: Xixin Liu; +Cc: linux-nvme, kbusch, axboe, hch, sagi, kch, hare, linux-kernel
Looks good:
Reviewed-by: Christoph Hellwig <hch@lst.de>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v1 1/1] nvme-auth: use crypto_memneq for DH-HMAC-CHAP response comparison
2026-07-01 6:30 ` [PATCH v1 1/1] nvme-auth: use crypto_memneq for " Xixin Liu
2026-07-02 14:13 ` Christoph Hellwig
@ 2026-07-03 6:24 ` Hannes Reinecke
1 sibling, 0 replies; 4+ messages in thread
From: Hannes Reinecke @ 2026-07-03 6:24 UTC (permalink / raw)
To: Xixin Liu, linux-nvme; +Cc: kbusch, axboe, hch, sagi, kch, linux-kernel
On 7/1/26 8:30 AM, Xixin Liu wrote:
> DH-HMAC-CHAP authentication compares HMAC response digests with memcmp().
> Standard memcmp() may stop at the first differing byte, which can leak
> timing information to a remote attacker and allow incremental recovery
> of the expected digest.
>
> Use crypto_memneq() for constant-time comparison on both the host path
> that validates the controller Success1 response and the target path that
> validates the host Reply digest. Other memcmp() uses in the NVMe auth
> code (e.g. fixed string prefix checks) are not security-sensitive and
> are left unchanged.
>
> Signed-off-by: Xixin Liu <liuxixin@kylinos.cn>
> ---
> drivers/nvme/host/auth.c | 3 ++-
> drivers/nvme/target/fabrics-cmd-auth.c | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
> index 111111111111..222222222222 100644
> --- a/drivers/nvme/host/auth.c
> +++ b/drivers/nvme/host/auth.c
> @@ -8,6 +8,7 @@
> #include <linux/prandom.h>
> #include <linux/unaligned.h>
> #include <crypto/dh.h>
> +#include <crypto/utils.h>
> #include "nvme.h"
> #include "fabrics.h"
> #include <linux/nvme-auth.h>
> @@ -361,7 +362,7 @@ static int nvme_auth_process_dhchap_success1(struct nvme_ctrl *ctrl,
> return 0;
>
> /* Validate controller response */
> - if (memcmp(chap->response, data->rval, data->hl)) {
> + if (crypto_memneq(chap->response, data->rval, data->hl)) {
> dev_dbg(ctrl->device, "%s: qid %d ctrl response %*ph\n",
> __func__, chap->qid, (int)chap->hash_len, data->rval);
> dev_dbg(ctrl->device, "%s: qid %d host response %*ph\n",
> diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
> index 333333333333..444444444444 100644
> --- a/drivers/nvme/target/fabrics-cmd-auth.c
> +++ b/drivers/nvme/target/fabrics-cmd-auth.c
> @@ -8,6 +8,7 @@
> #include <linux/random.h>
> #include <linux/nvme-auth.h>
> #include <crypto/kpp.h>
> +#include <crypto/utils.h>
> #include "nvmet.h"
>
> static void nvmet_auth_expired_work(struct work_struct *work)
> @@ -177,7 +178,7 @@ static u16 nvmet_auth_reply(struct nvmet_req *req,
> return NVME_AUTH_DHCHAP_FAILURE_FAILED;
> }
>
> - if (memcmp(data->rval, response, data->hl)) {
> + if (crypto_memneq(data->rval, response, data->hl)) {
> pr_info("ctrl %d qid %d host response mismatch\n",
> ctrl->cntlid, req->sq->qid);
> pr_debug("ctrl %d qid %d rval %*ph\n",
Reviewed-by: Hannes Reinecke <hare@kernel.org>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-03 6:24 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-01 6:30 [PATCH v1 0/1] nvme-auth: constant-time DH-HMAC-CHAP response comparison Xixin Liu
2026-07-01 6:30 ` [PATCH v1 1/1] nvme-auth: use crypto_memneq for " Xixin Liu
2026-07-02 14:13 ` Christoph Hellwig
2026-07-03 6:24 ` Hannes Reinecke
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox