xref: /kernel/linux/linux-6.6/drivers/nvme/target/auth.c

59 int nvmet_setup_dhgroup(struct nvmet_ctrl *ctrl, u8 dhgroup_id)
64 	pr_debug("%s: ctrl %d selecting dhgroup %d\n",
65 		 __func__, ctrl->cntlid, dhgroup_id);
67 	if (ctrl->dh_tfm) {
68 		if (ctrl->dh_gid == dhgroup_id) {
69 			pr_debug("%s: ctrl %d reuse existing DH group %d\n",
70 				 __func__, ctrl->cntlid, dhgroup_id);
73 		crypto_free_kpp(ctrl->dh_tfm);
74 		ctrl->dh_tfm = NULL;
75 		ctrl->dh_gid = 0;
83 		pr_debug("%s: ctrl %d invalid DH group %d\n",
84 			 __func__, ctrl->cntlid, dhgroup_id);
87 	ctrl->dh_tfm = crypto_alloc_kpp(dhgroup_kpp, 0, 0);
88 	if (IS_ERR(ctrl->dh_tfm)) {
89 		pr_debug("%s: ctrl %d failed to setup DH group %d, err %ld\n",
90 			 __func__, ctrl->cntlid, dhgroup_id,
91 			 PTR_ERR(ctrl->dh_tfm));
92 		ret = PTR_ERR(ctrl->dh_tfm);
93 		ctrl->dh_tfm = NULL;
94 		ctrl->dh_gid = 0;
96 		ctrl->dh_gid = dhgroup_id;
97 		pr_debug("%s: ctrl %d setup DH group %d\n",
98 			 __func__, ctrl->cntlid, ctrl->dh_gid);
99 		ret = nvme_auth_gen_privkey(ctrl->dh_tfm, ctrl->dh_gid);
101 			pr_debug("%s: ctrl %d failed to generate private key, err %d\n",
102 				 __func__, ctrl->cntlid, ret);
103 			kfree_sensitive(ctrl->dh_key);
106 		ctrl->dh_keysize = crypto_kpp_maxsize(ctrl->dh_tfm);
107 		kfree_sensitive(ctrl->dh_key);
108 		ctrl->dh_key = kzalloc(ctrl->dh_keysize, GFP_KERNEL);
109 		if (!ctrl->dh_key) {
110 			pr_warn("ctrl %d failed to allocate public key\n",
111 				ctrl->cntlid);
114 		ret = nvme_auth_gen_pubkey(ctrl->dh_tfm, ctrl->dh_key,
115 					   ctrl->dh_keysize);
117 			pr_warn("ctrl %d failed to generate public key\n",
118 				ctrl->cntlid);
119 			kfree(ctrl->dh_key);
120 			ctrl->dh_key = NULL;
127 int nvmet_setup_auth(struct nvmet_ctrl *ctrl)
135 	if (nvmet_is_disc_subsys(ctrl->subsys))
138 	if (ctrl->subsys->allow_any_host)
141 	list_for_each_entry(p, &ctrl->subsys->hosts, entry) {
143 		if (strcmp(nvmet_host_name(p->host), ctrl->hostnqn))
149 		pr_debug("host %s not found\n", ctrl->hostnqn);
154 	ret = nvmet_setup_dhgroup(ctrl, host->dhchap_dhgroup_id);
163 	if (host->dhchap_hash_id == ctrl->shash_id) {
165 			 ctrl->shash_id);
173 		ctrl->shash_id = host->dhchap_hash_id;
177 	nvme_auth_free_key(ctrl->host_key);
178 	ctrl->host_key = nvme_auth_extract_key(host->dhchap_secret + 10,
180 	if (IS_ERR(ctrl->host_key)) {
181 		ret = PTR_ERR(ctrl->host_key);
182 		ctrl->host_key = NULL;
186 		 ctrl->host_key->hash > 0 ?
187 		 nvme_auth_hmac_name(ctrl->host_key->hash) : "none",
188 		 (int)ctrl->host_key->len, ctrl->host_key->key);
190 	nvme_auth_free_key(ctrl->ctrl_key);
192 		ctrl->ctrl_key = NULL;
196 	ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,
198 	if (IS_ERR(ctrl->ctrl_key)) {
199 		ret = PTR_ERR(ctrl->ctrl_key);
200 		ctrl->ctrl_key = NULL;
203 	pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,
204 		 ctrl->ctrl_key->hash > 0 ?
205 		 nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",
206 		 (int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);
210 		if (ctrl->host_key) {
211 			nvme_auth_free_key(ctrl->host_key);
212 			ctrl->host_key = NULL;
214 		ctrl->shash_id = 0;
233 void nvmet_destroy_auth(struct nvmet_ctrl *ctrl)
235 	ctrl->shash_id = 0;
237 	if (ctrl->dh_tfm) {
238 		crypto_free_kpp(ctrl->dh_tfm);
239 		ctrl->dh_tfm = NULL;
240 		ctrl->dh_gid = 0;
242 	kfree_sensitive(ctrl->dh_key);
243 	ctrl->dh_key = NULL;
245 	if (ctrl->host_key) {
246 		nvme_auth_free_key(ctrl->host_key);
247 		ctrl->host_key = NULL;
249 	if (ctrl->ctrl_key) {
250 		nvme_auth_free_key(ctrl->ctrl_key);
251 		ctrl->ctrl_key = NULL;
257 	if (req->sq->ctrl->host_key &&
268 	struct nvmet_ctrl *ctrl = req->sq->ctrl;
274 	hash_name = nvme_auth_hmac_name(ctrl->shash_id);
276 		pr_warn("Hash ID %d invalid\n", ctrl->shash_id);
294 	host_response = nvme_auth_transform_key(ctrl->host_key, ctrl->hostnqn);
301 				  ctrl->host_key->len);
305 	if (ctrl->dh_gid != NVME_AUTH_DHGROUP_NULL) {
311 		ret = nvme_auth_augmented_challenge(ctrl->shash_id,
320 	pr_debug("ctrl %d qid %d host response seq %u transaction %d\n",
321 		 ctrl->cntlid, req->sq->qid, req->sq->dhchap_s1,
352 	ret = crypto_shash_update(shash, ctrl->hostnqn, strlen(ctrl->hostnqn));
358 	ret = crypto_shash_update(shash, ctrl->subsysnqn,
359 				  strlen(ctrl->subsysnqn));
379 	struct nvmet_ctrl *ctrl = req->sq->ctrl;
385 	hash_name = nvme_auth_hmac_name(ctrl->shash_id);
387 		pr_warn("Hash ID %d invalid\n", ctrl->shash_id);
405 	ctrl_response = nvme_auth_transform_key(ctrl->ctrl_key,
406 						ctrl->subsysnqn);
413 				  ctrl->ctrl_key->len);
417 	if (ctrl->dh_gid != NVME_AUTH_DHGROUP_NULL) {
423 		ret = nvme_auth_augmented_challenge(ctrl->shash_id,
461 	ret = crypto_shash_update(shash, ctrl->subsysnqn,
462 			    strlen(ctrl->subsysnqn));
468 	ret = crypto_shash_update(shash, ctrl->hostnqn, strlen(ctrl->hostnqn));
486 	struct nvmet_ctrl *ctrl = req->sq->ctrl;
489 	if (!ctrl->dh_key) {
490 		pr_warn("ctrl %d no DH public key!\n", ctrl->cntlid);
493 	if (buf_size != ctrl->dh_keysize) {
494 		pr_warn("ctrl %d DH public key size mismatch, need %zu is %d\n",
495 			ctrl->cntlid, ctrl->dh_keysize, buf_size);
498 		memcpy(buf, ctrl->dh_key, buf_size);
499 		pr_debug("%s: ctrl %d public key %*ph\n", __func__,
500 			 ctrl->cntlid, (int)buf_size, buf);
509 	struct nvmet_ctrl *ctrl = req->sq->ctrl;
512 	req->sq->dhchap_skey_len = ctrl->dh_keysize;
516 	ret = nvme_auth_gen_shared_secret(ctrl->dh_tfm,

Indexes created Thu Nov 07 10:32:03 CST 2024