* [PATCH v1 0/1] nvme-auth: constant-time DH-HMAC-CHAP response comparison
From: Xixin Liu @ 2026-07-01 6:30 UTC
  To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, kch, hare, linux-kernel, liuxixin

DH-HMAC-CHAP compares HMAC digests during in-band authentication. The host
and target paths currently use memcmp(), which may short-circuit on the
first differing byte and leak timing information to a remote party.

This series switches both security-sensitive comparisons to
crypto_memneq(). Non-secret memcmp() uses (fixed prefix strings, NGUID
checks) are unchanged.

Xixin Liu (1):
  nvme-auth: use crypto_memneq for DH-HMAC-CHAP response comparison

 drivers/nvme/host/auth.c               | 3 ++-
 drivers/nvme/target/fabrics-cmd-auth.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

-- 
2.43.0
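The difference the cover letter describes, as an added userspace example that is not part of the original thread and not the kernel's code: an early-exit comparison does work proportional to the matching prefix, while an OR-accumulating comparison always reads the whole digest. The names `early_exit_neq`, `ct_neq`, `steps_for_prefix` and the sample digest are constructed for illustration; `ct_neq` sketches the idea behind crypto_memneq(), not its implementation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DIGEST_LEN 32 /* constructed: SHA-256-sized digest */

/* Early-exit compare, like a byte-wise memcmp(). *steps = bytes inspected,
 * i.e. the data-dependent work that a timing measurement can observe. */
static int early_exit_neq(const uint8_t *a, const uint8_t *b, size_t *steps)
{
    for (size_t i = 0; i < DIGEST_LEN; i++)
        if (a[i] != b[i]) { *steps = i + 1; return 1; }
    *steps = DIGEST_LEN;
    return 0;
}

/* Constant-time compare: read every byte, OR the differences together,
 * decide once at the end. Sketch of the idea, not the kernel's code. */
static int ct_neq(const uint8_t *a, const uint8_t *b, size_t *steps)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= a[i] ^ b[i];
    *steps = DIGEST_LEN;
    return diff != 0;
}

/* Compare a constructed digest with a guess whose first `prefix` bytes are
 * right; store the verdict in *neq and return the bytes inspected. */
static size_t steps_for_prefix(int constant_time, size_t prefix, int *neq)
{
    uint8_t expected[DIGEST_LEN], guess[DIGEST_LEN];
    size_t steps = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++) {
        expected[i] = (uint8_t)(0xA0 + i);
        guess[i] = i < prefix ? expected[i] : (uint8_t)~expected[i];
    }
    *neq = constant_time ? ct_neq(expected, guess, &steps)
                         : early_exit_neq(expected, guess, &steps);
    return steps;
}

int main(void)
{
    int neq;
    for (size_t p = 0; p <= DIGEST_LEN; p += 8)
        printf("prefix %2zu: early-exit reads %2zu, constant-time reads %2zu\n",
               p, steps_for_prefix(0, p, &neq), steps_for_prefix(1, p, &neq));
    return 0;
}
```

Both functions return the same verdict for every input; only the amount of work differs, which is why the swap in the patch does not change the authentication result.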
* [PATCH v1 1/1] nvme-auth: use crypto_memneq for DH-HMAC-CHAP response comparison 2026-07-01 6:30 [PATCH v1 0/1] nvme-auth: constant-time DH-HMAC-CHAP response comparison Xixin Liu @ 2026-07-01 6:30 ` Xixin Liu 2026-07-02 14:13 ` Christoph Hellwig 2026-07-03 6:24 ` Hannes Reinecke 0 siblings, 2 replies; 4+ messages in thread From: Xixin Liu @ 2026-07-01 6:30 UTC (permalink / raw) To: linux-nvme; +Cc: kbusch, axboe, hch, sagi, kch, hare, linux-kernel, liuxixin DH-HMAC-CHAP authentication compares HMAC response digests with memcmp(). Standard memcmp() may stop at the first differing byte, which can leak timing information to a remote attacker and allow incremental recovery of the expected digest. Use crypto_memneq() for constant-time comparison on both the host path that validates the controller Success1 response and the target path that validates the host Reply digest. Other memcmp() uses in the NVMe auth code (e.g. fixed string prefix checks) are not security-sensitive and are left unchanged. Signed-off-by: Xixin Liu <liuxixin@kylinos.cn> --- drivers/nvme/host/auth.c | 3 ++- drivers/nvme/target/fabrics-cmd-auth.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c index 111111111111..222222222222 100644 --- a/drivers/nvme/host/auth.c +++ b/drivers/nvme/host/auth.c @@ -8,6 +8,7 @@ #include <linux/prandom.h> #include <linux/unaligned.h> #include <crypto/dh.h> +#include <crypto/utils.h> #include "nvme.h" #include "fabrics.h" #include <linux/nvme-auth.h> @@ -361,7 +362,7 @@ static int nvme_auth_process_dhchap_success1(struct nvme_ctrl *ctrl, return 0; /* Validate controller response */ - if (memcmp(chap->response, data->rval, data->hl)) { + if (crypto_memneq(chap->response, data->rval, data->hl)) { dev_dbg(ctrl->device, "%s: qid %d ctrl response %*ph\n", __func__, chap->qid, (int)chap->hash_len, data->rval); dev_dbg(ctrl->device, "%s: qid %d host response %*ph\n", 
diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c index 333333333333..444444444444 100644 --- a/drivers/nvme/target/fabrics-cmd-auth.c +++ b/drivers/nvme/target/fabrics-cmd-auth.c @@ -8,6 +8,7 @@ #include <linux/random.h> #include <linux/nvme-auth.h> #include <crypto/kpp.h> +#include <crypto/utils.h> #include "nvmet.h" static void nvmet_auth_expired_work(struct work_struct *work) @@ -177,7 +178,7 @@ static u16 nvmet_auth_reply(struct nvmet_req *req, return NVME_AUTH_DHCHAP_FAILURE_FAILED; } - if (memcmp(data->rval, response, data->hl)) { + if (crypto_memneq(data->rval, response, data->hl)) { pr_info("ctrl %d qid %d host response mismatch\n", ctrl->cntlid, req->sq->qid); pr_debug("ctrl %d qid %d rval %*ph\n", -- 2.43.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
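Review bot: In the nvme_auth_process_dhchap_success1() hunk of drivers/nvme/host/auth.c, the comparison length is data->hl, which comes from the controller's message, while the dev_dbg() directly below formats the same buffer with chap->hash_len. The visible context does not show data->hl being checked against chap->hash_len before this line. If that check is not already made earlier in the function, compare over chap->hash_len instead, so that crypto_memneq() never reads chap->response past the digest the host actually computed.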
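Review bot: In the nvmet_auth_reply() hunk of drivers/nvme/target/fabrics-cmd-auth.c, the length passed to crypto_memneq() is again data->hl, here supplied by the host in its Reply, and the hunk does not show it being tied to the size of the locally computed response buffer. Please confirm that the check preceding the "return NVME_AUTH_DHCHAP_FAILURE_FAILED;" context line covers this, or use the negotiated hash length. Minor style point: the argument order here (data->rval, response) is the reverse of the host hunk (chap->response, data->rval); using expected-then-received in both places would make the two call sites easier to audit together.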
* Re: [PATCH v1 1/1] nvme-auth: use crypto_memneq for DH-HMAC-CHAP response comparison
From: Christoph Hellwig @ 2026-07-02 14:13 UTC
  To: Xixin Liu; +Cc: linux-nvme, kbusch, axboe, hch, sagi, kch, hare, linux-kernel

Looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>
* Re: [PATCH v1 1/1] nvme-auth: use crypto_memneq for DH-HMAC-CHAP response comparison 2026-07-01 6:30 ` [PATCH v1 1/1] nvme-auth: use crypto_memneq for " Xixin Liu 2026-07-02 14:13 ` Christoph Hellwig @ 2026-07-03 6:24 ` Hannes Reinecke 1 sibling, 0 replies; 4+ messages in thread From: Hannes Reinecke @ 2026-07-03 6:24 UTC (permalink / raw) To: Xixin Liu, linux-nvme; +Cc: kbusch, axboe, hch, sagi, kch, linux-kernel On 7/1/26 8:30 AM, Xixin Liu wrote: > DH-HMAC-CHAP authentication compares HMAC response digests with memcmp(). > Standard memcmp() may stop at the first differing byte, which can leak > timing information to a remote attacker and allow incremental recovery > of the expected digest. > > Use crypto_memneq() for constant-time comparison on both the host path > that validates the controller Success1 response and the target path that > validates the host Reply digest. Other memcmp() uses in the NVMe auth > code (e.g. fixed string prefix checks) are not security-sensitive and > are left unchanged. > > Signed-off-by: Xixin Liu <liuxixin@kylinos.cn> > --- > drivers/nvme/host/auth.c | 3 ++- > drivers/nvme/target/fabrics-cmd-auth.c | 3 ++- > 2 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c > index 111111111111..222222222222 100644 > --- a/drivers/nvme/host/auth.c > +++ b/drivers/nvme/host/auth.c > @@ -8,6 +8,7 @@ > #include <linux/prandom.h> > #include <linux/unaligned.h> > #include <crypto/dh.h> > +#include <crypto/utils.h> > #include "nvme.h" > #include "fabrics.h" > #include <linux/nvme-auth.h> 
> @@ -361,7 +362,7 @@ static int nvme_auth_process_dhchap_success1(struct nvme_ctrl *ctrl, > return 0; > > /* Validate controller response */ > - if (memcmp(chap->response, data->rval, data->hl)) { > + if (crypto_memneq(chap->response, data->rval, data->hl)) { > dev_dbg(ctrl->device, "%s: qid %d ctrl response %*ph\n", > __func__, chap->qid, (int)chap->hash_len, data->rval); > dev_dbg(ctrl->device, "%s: qid %d host response %*ph\n", > diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c > index 333333333333..444444444444 100644 > --- a/drivers/nvme/target/fabrics-cmd-auth.c > +++ b/drivers/nvme/target/fabrics-cmd-auth.c > @@ -8,6 +8,7 @@ > #include <linux/random.h> > #include <linux/nvme-auth.h> > #include <crypto/kpp.h> > +#include <crypto/utils.h> > #include "nvmet.h" > > static void nvmet_auth_expired_work(struct work_struct *work) > @@ -177,7 +178,7 @@ static u16 nvmet_auth_reply(struct nvmet_req *req, > return NVME_AUTH_DHCHAP_FAILURE_FAILED; > } > > - if (memcmp(data->rval, response, data->hl)) { > + if (crypto_memneq(data->rval, response, data->hl)) { > pr_info("ctrl %d qid %d host response mismatch\n", > ctrl->cntlid, req->sq->qid); > pr_debug("ctrl %d qid %d rval %*ph\n", Reviewed-by: Hannes Reinecke <hare@kernel.org> Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich ^ permalink raw reply [flat|nested] 4+ messages in thread