xref: /drivers/nvme/target/auth.c

74 int nvmet_setup_dhgroup(struct nvmet_ctrl *ctrl, u8 dhgroup_id)  in nvmet_setup_dhgroup()  argument
80 		 __func__, ctrl->cntlid, dhgroup_id);  in nvmet_setup_dhgroup()
82 	if (ctrl->dh_tfm) {  in nvmet_setup_dhgroup()
83 		if (ctrl->dh_gid == dhgroup_id) {  in nvmet_setup_dhgroup()
85 				 __func__, ctrl->cntlid, dhgroup_id);  in nvmet_setup_dhgroup()
88 		crypto_free_kpp(ctrl->dh_tfm);  in nvmet_setup_dhgroup()
89 		ctrl->dh_tfm = NULL;  in nvmet_setup_dhgroup()
90 		ctrl->dh_gid = 0;  in nvmet_setup_dhgroup()
99 			 __func__, ctrl->cntlid, dhgroup_id);  in nvmet_setup_dhgroup()
102 	ctrl->dh_tfm = crypto_alloc_kpp(dhgroup_kpp, 0, 0);  in nvmet_setup_dhgroup()
103 	if (IS_ERR(ctrl->dh_tfm)) {  in nvmet_setup_dhgroup()
105 			 __func__, ctrl->cntlid, dhgroup_id,  in nvmet_setup_dhgroup()
106 			 PTR_ERR(ctrl->dh_tfm));  in nvmet_setup_dhgroup()
107 		ret = PTR_ERR(ctrl->dh_tfm);  in nvmet_setup_dhgroup()
108 		ctrl->dh_tfm = NULL;  in nvmet_setup_dhgroup()
109 		ctrl->dh_gid = 0;  in nvmet_setup_dhgroup()
111 		ctrl->dh_gid = dhgroup_id;  in nvmet_setup_dhgroup()
113 			 __func__, ctrl->cntlid, ctrl->dh_gid);  in nvmet_setup_dhgroup()
114 		ret = nvme_auth_gen_privkey(ctrl->dh_tfm, ctrl->dh_gid);  in nvmet_setup_dhgroup()
117 				 __func__, ctrl->cntlid, ret);  in nvmet_setup_dhgroup()
118 			kfree_sensitive(ctrl->dh_key);  in nvmet_setup_dhgroup()
119 			ctrl->dh_key = NULL;  in nvmet_setup_dhgroup()
122 		ctrl->dh_keysize = crypto_kpp_maxsize(ctrl->dh_tfm);  in nvmet_setup_dhgroup()
123 		kfree_sensitive(ctrl->dh_key);  in nvmet_setup_dhgroup()
124 		ctrl->dh_key = kzalloc(ctrl->dh_keysize, GFP_KERNEL);  in nvmet_setup_dhgroup()
125 		if (!ctrl->dh_key) {  in nvmet_setup_dhgroup()
127 				ctrl->cntlid);  in nvmet_setup_dhgroup()
130 		ret = nvme_auth_gen_pubkey(ctrl->dh_tfm, ctrl->dh_key,  in nvmet_setup_dhgroup()
131 					   ctrl->dh_keysize);  in nvmet_setup_dhgroup()
134 				ctrl->cntlid);  in nvmet_setup_dhgroup()
135 			kfree(ctrl->dh_key);  in nvmet_setup_dhgroup()
136 			ctrl->dh_key = NULL;  in nvmet_setup_dhgroup()
143 u8 nvmet_setup_auth(struct nvmet_ctrl *ctrl, struct nvmet_sq *sq)  in nvmet_setup_auth()  argument
150 	if (nvmet_is_disc_subsys(ctrl->subsys))  in nvmet_setup_auth()
153 	if (ctrl->subsys->allow_any_host)  in nvmet_setup_auth()
156 	list_for_each_entry(p, &ctrl->subsys->hosts, entry) {  in nvmet_setup_auth()
158 		if (strcmp(nvmet_host_name(p->host), ctrl->hostnqn))  in nvmet_setup_auth()
164 		pr_debug("host %s not found\n", ctrl->hostnqn);  in nvmet_setup_auth()
170 		pr_debug("host %s tls enabled\n", ctrl->hostnqn);  in nvmet_setup_auth()
174 	ret = nvmet_setup_dhgroup(ctrl, host->dhchap_dhgroup_id);  in nvmet_setup_auth()
186 	if (host->dhchap_hash_id == ctrl->shash_id) {  in nvmet_setup_auth()
188 			 ctrl->shash_id);  in nvmet_setup_auth()
190 		ctrl->shash_id = host->dhchap_hash_id;  in nvmet_setup_auth()
194 	nvme_auth_free_key(ctrl->host_key);  in nvmet_setup_auth()
195 	ctrl->host_key = nvme_auth_extract_key(host->dhchap_secret + 10,  in nvmet_setup_auth()
197 	if (IS_ERR(ctrl->host_key)) {  in nvmet_setup_auth()
199 		ctrl->host_key = NULL;  in nvmet_setup_auth()
203 		 ctrl->host_key->hash > 0 ?  in nvmet_setup_auth()
204 		 nvme_auth_hmac_name(ctrl->host_key->hash) : "none",  in nvmet_setup_auth()
205 		 (int)ctrl->host_key->len, ctrl->host_key->key);  in nvmet_setup_auth()
207 	nvme_auth_free_key(ctrl->ctrl_key);  in nvmet_setup_auth()
209 		ctrl->ctrl_key = NULL;  in nvmet_setup_auth()
213 	ctrl->ctrl_key = nvme_auth_extract_key(host->dhchap_ctrl_secret + 10,  in nvmet_setup_auth()
215 	if (IS_ERR(ctrl->ctrl_key)) {  in nvmet_setup_auth()
217 		ctrl->ctrl_key = NULL;  in nvmet_setup_auth()
221 		 ctrl->ctrl_key->hash > 0 ?  in nvmet_setup_auth()
222 		 nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",  in nvmet_setup_auth()
223 		 (int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);  in nvmet_setup_auth()
227 		if (ctrl->host_key) {  in nvmet_setup_auth()
228 			nvme_auth_free_key(ctrl->host_key);  in nvmet_setup_auth()
229 			ctrl->host_key = NULL;  in nvmet_setup_auth()
231 		ctrl->shash_id = 0;  in nvmet_setup_auth()
253 void nvmet_destroy_auth(struct nvmet_ctrl *ctrl)  in nvmet_destroy_auth()  argument
255 	ctrl->shash_id = 0;  in nvmet_destroy_auth()
257 	if (ctrl->dh_tfm) {  in nvmet_destroy_auth()
258 		crypto_free_kpp(ctrl->dh_tfm);  in nvmet_destroy_auth()
259 		ctrl->dh_tfm = NULL;  in nvmet_destroy_auth()
260 		ctrl->dh_gid = 0;  in nvmet_destroy_auth()
262 	kfree_sensitive(ctrl->dh_key);  in nvmet_destroy_auth()
263 	ctrl->dh_key = NULL;  in nvmet_destroy_auth()
265 	if (ctrl->host_key) {  in nvmet_destroy_auth()
266 		nvme_auth_free_key(ctrl->host_key);  in nvmet_destroy_auth()
267 		ctrl->host_key = NULL;  in nvmet_destroy_auth()
269 	if (ctrl->ctrl_key) {  in nvmet_destroy_auth()
270 		nvme_auth_free_key(ctrl->ctrl_key);  in nvmet_destroy_auth()
271 		ctrl->ctrl_key = NULL;  in nvmet_destroy_auth()
274 	if (ctrl->tls_key) {  in nvmet_destroy_auth()
275 		key_put(ctrl->tls_key);  in nvmet_destroy_auth()
276 		ctrl->tls_key = NULL;  in nvmet_destroy_auth()
283 	if (req->sq->ctrl->host_key) {  in nvmet_check_auth_status()
297 	struct nvmet_ctrl *ctrl = req->sq->ctrl;  in nvmet_auth_host_hash()  local
304 	hash_name = nvme_auth_hmac_name(ctrl->shash_id);  in nvmet_auth_host_hash()
306 		pr_warn("Hash ID %d invalid\n", ctrl->shash_id);  in nvmet_auth_host_hash()
324 	transformed_key = nvme_auth_transform_key(ctrl->host_key,  in nvmet_auth_host_hash()
325 						  ctrl->hostnqn);  in nvmet_auth_host_hash()
336 	if (ctrl->dh_gid != NVME_AUTH_DHGROUP_NULL) {  in nvmet_auth_host_hash()
342 		ret = nvme_auth_augmented_challenge(ctrl->shash_id,  in nvmet_auth_host_hash()
352 		 ctrl->cntlid, req->sq->qid, req->sq->dhchap_s1,  in nvmet_auth_host_hash()
377 	ret = crypto_shash_update(shash, ctrl->hostnqn, strlen(ctrl->hostnqn));  in nvmet_auth_host_hash()
383 	ret = crypto_shash_update(shash, ctrl->subsysnqn,  in nvmet_auth_host_hash()
384 				  strlen(ctrl->subsysnqn));  in nvmet_auth_host_hash()
403 	struct nvmet_ctrl *ctrl = req->sq->ctrl;  in nvmet_auth_ctrl_hash()  local
410 	hash_name = nvme_auth_hmac_name(ctrl->shash_id);  in nvmet_auth_ctrl_hash()
412 		pr_warn("Hash ID %d invalid\n", ctrl->shash_id);  in nvmet_auth_ctrl_hash()
430 	transformed_key = nvme_auth_transform_key(ctrl->ctrl_key,  in nvmet_auth_ctrl_hash()
431 						ctrl->subsysnqn);  in nvmet_auth_ctrl_hash()
442 	if (ctrl->dh_gid != NVME_AUTH_DHGROUP_NULL) {  in nvmet_auth_ctrl_hash()
448 		ret = nvme_auth_augmented_challenge(ctrl->shash_id,  in nvmet_auth_ctrl_hash()
486 	ret = crypto_shash_update(shash, ctrl->subsysnqn,  in nvmet_auth_ctrl_hash()
487 			    strlen(ctrl->subsysnqn));  in nvmet_auth_ctrl_hash()
493 	ret = crypto_shash_update(shash, ctrl->hostnqn, strlen(ctrl->hostnqn));  in nvmet_auth_ctrl_hash()
512 	struct nvmet_ctrl *ctrl = req->sq->ctrl;  in nvmet_auth_ctrl_exponential()  local
515 	if (!ctrl->dh_key) {  in nvmet_auth_ctrl_exponential()
516 		pr_warn("ctrl %d no DH public key!\n", ctrl->cntlid);  in nvmet_auth_ctrl_exponential()
519 	if (buf_size != ctrl->dh_keysize) {  in nvmet_auth_ctrl_exponential()
521 			ctrl->cntlid, ctrl->dh_keysize, buf_size);  in nvmet_auth_ctrl_exponential()
524 		memcpy(buf, ctrl->dh_key, buf_size);  in nvmet_auth_ctrl_exponential()
526 			 ctrl->cntlid, (int)buf_size, buf);  in nvmet_auth_ctrl_exponential()
535 	struct nvmet_ctrl *ctrl = req->sq->ctrl;  in nvmet_auth_ctrl_sesskey()  local
538 	req->sq->dhchap_skey_len = ctrl->dh_keysize;  in nvmet_auth_ctrl_sesskey()
542 	ret = nvme_auth_gen_shared_secret(ctrl->dh_tfm,  in nvmet_auth_ctrl_sesskey()
558 	int hash_len = nvme_auth_hmac_hash_len(sq->ctrl->shash_id);  in nvmet_auth_insert_psk()
566 	ret = nvme_auth_generate_psk(sq->ctrl->shash_id,  in nvmet_auth_insert_psk()
573 			__func__, sq->ctrl->cntlid, sq->qid, ret);  in nvmet_auth_insert_psk()
576 	ret = nvme_auth_generate_digest(sq->ctrl->shash_id, psk, psk_len,  in nvmet_auth_insert_psk()
577 					sq->ctrl->subsysnqn,  in nvmet_auth_insert_psk()
578 					sq->ctrl->hostnqn, &digest);  in nvmet_auth_insert_psk()
581 			__func__, sq->ctrl->cntlid, sq->qid, ret);  in nvmet_auth_insert_psk()
584 	ret = nvme_auth_derive_tls_psk(sq->ctrl->shash_id, psk, psk_len,  in nvmet_auth_insert_psk()
588 			__func__, sq->ctrl->cntlid, sq->qid, ret);  in nvmet_auth_insert_psk()
592 	tls_key = nvme_tls_psk_refresh(NULL, sq->ctrl->hostnqn, sq->ctrl->subsysnqn,  in nvmet_auth_insert_psk()
593 				       sq->ctrl->shash_id, tls_psk, psk_len, digest);  in nvmet_auth_insert_psk()
596 			__func__, sq->ctrl->cntlid, sq->qid, PTR_ERR(tls_key));  in nvmet_auth_insert_psk()
599 	if (sq->ctrl->tls_key)  in nvmet_auth_insert_psk()
600 		key_put(sq->ctrl->tls_key);  in nvmet_auth_insert_psk()
601 	sq->ctrl->tls_key = tls_key;  in nvmet_auth_insert_psk()

Last Index update Fri Aug 22 10:33:58 CST 2025