Commit 5bc46b49 authored by Hannes Reinecke Committed by Keith Busch

nvme-tcp: check for invalidated or revoked key



key_lookup() will always return a key, even if that key is revoked
or invalidated. So check for invalid keys before continuing.

Signed-off-by: Hannes Reinecke <hare@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
parent 36389576
+22 −0
@@ -20,6 +20,28 @@ key_serial_t nvme_keyring_id(void)
}
EXPORT_SYMBOL_GPL(nvme_keyring_id);

static bool nvme_tls_psk_revoked(struct key *psk)
{
	return test_bit(KEY_FLAG_REVOKED, &psk->flags) ||
		test_bit(KEY_FLAG_INVALIDATED, &psk->flags);
}

struct key *nvme_tls_key_lookup(key_serial_t key_id)
{
	struct key *key = key_lookup(key_id);

	if (IS_ERR(key)) {
		pr_err("key id %08x not found\n", key_id);
		return key;
	}
	if (nvme_tls_psk_revoked(key)) {
		pr_err("key id %08x revoked\n", key_id);
		return ERR_PTR(-EKEYREVOKED);
	}
	return key;
}
EXPORT_SYMBOL_GPL(nvme_tls_key_lookup);

static void nvme_tls_psk_describe(const struct key *key, struct seq_file *m)
{
	seq_puts(m, key->description);
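Review bot: The revoked branch of nvme_tls_key_lookup() returns `ERR_PTR(-EKEYREVOKED)` without dropping the reference that key_lookup() takes on the key it returns, so each lookup of a revoked or invalidated PSK leaks a reference and keeps the dead key pinned; add `key_put(key);` before that return. The two flag tests also do not cover an expired key, and `key_validate(key)` would check revocation, invalidation and expiry in one call if expiry should be rejected here too. The check is a snapshot: a key can still be revoked after this function returns, so callers must keep handling failures from later use of the key.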
+1 −0
@@ -109,6 +109,7 @@ config NVME_HOST_AUTH
	bool "NVMe over Fabrics In-Band Authentication in host side"
	depends on NVME_CORE
	select NVME_AUTH
	select NVME_KEYRING if NVME_TCP_TLS
	help
	  This provides support for NVMe over Fabrics In-Band Authentication in
	  host side.
+1 −1
@@ -665,7 +665,7 @@ static struct key *nvmf_parse_key(int key_id)
		return ERR_PTR(-EINVAL);
	}

	key = key_lookup(key_id);
	key = nvme_tls_key_lookup(key_id);
	if (IS_ERR(key))
		pr_err("key id %08x not found\n", key_id);
	else
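Review bot: The caller's `pr_err("key id %08x not found\n", key_id);` is now both redundant and misleading, because nvme_tls_key_lookup() already logs the failure and can return -EKEYREVOKED (or -ENOTSUPP from the stub) for a key that does exist. An operator diagnosing a rejected TLS PSK would see "revoked" followed by "not found" for the same id. Reword it to report the actual error, e.g. `pr_err("key id %08x lookup failed: %ld\n", key_id, PTR_ERR(key));`, or leave the logging to the helper. The same duplication occurs in nvme_tcp_tls_done(), where the `dev_warn(... "Invalid key" ...)` follows the helper's pr_err. nvmf_parse_key() continues past the end of this hunk.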
+1 −1
@@ -1596,7 +1596,7 @@ static void nvme_tcp_tls_done(void *data, int status, key_serial_t pskid)
		goto out_complete;
	}

	tls_key = key_lookup(pskid);
	tls_key = nvme_tls_key_lookup(pskid);
	if (IS_ERR(tls_key)) {
		dev_warn(ctrl->ctrl.device, "queue %d: Invalid key %x\n",
			 qid, pskid);
+5 −1
@@ -12,7 +12,7 @@ key_serial_t nvme_tls_psk_default(struct key *keyring,
		const char *hostnqn, const char *subnqn);

key_serial_t nvme_keyring_id(void);

struct key *nvme_tls_key_lookup(key_serial_t key_id);
#else

static inline key_serial_t nvme_tls_psk_default(struct key *keyring,
@@ -24,5 +24,9 @@ static inline key_serial_t nvme_keyring_id(void)
{
	return 0;
}
static inline struct key *nvme_tls_key_lookup(key_serial_t key_id)
{
	return ERR_PTR(-ENOTSUPP);
}
#endif /* !CONFIG_NVME_KEYRING */
#endif /* _NVME_KEYRING_H */
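Review bot: The !CONFIG_NVME_KEYRING stub of nvme_tls_key_lookup() returns `ERR_PTR(-ENOTSUPP)`, which is a kernel-internal errno with no userspace definition. If that value propagates out of nvmf_parse_key() to the process writing the connect options (not visible here, so this needs confirming), userspace would see an unknown error number instead of a clear "not supported". Prefer `return ERR_PTR(-EOPNOTSUPP);`. The new declaration and stub would also benefit from a one-line comment stating that the returned key carries a reference the caller must release with key_put().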