Commit 5c12a9cd authored by Hannes Reinecke's avatar Hannes Reinecke Committed by Keith Busch
Browse files

nvme: add nvme_auth_generate_psk() 



Add a function to generate a NVMe PSK from the shared credentials
negotiated by DH-HMAC-CHAP.

Signed-off-by: default avatarHannes Reinecke <hare@kernel.org>
Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
parent 3241cd0c

drivers/nvme/common/auth.c

+87 −0
Original line number Diff line number Diff line
@@ -11,6 +11,7 @@ 
#include <linux/unaligned.h>

#include <crypto/hash.h>

#include <crypto/dh.h>

#include <crypto/hkdf.h>

#include <linux/nvme.h>

#include <linux/nvme-auth.h>
@@ -471,5 +472,91 @@ int nvme_auth_generate_key(u8 *secret, struct nvme_dhchap_key **ret_key) 
}

EXPORT_SYMBOL_GPL(nvme_auth_generate_key);



/**

 * nvme_auth_generate_psk - Generate a PSK for TLS

 * @hmac_id: Hash function identifier

 * @skey: Session key

 * @skey_len: Length of @skey

 * @c1: Value of challenge C1

 * @c2: Value of challenge C2

 * @hash_len: Hash length of the hash algorithm

 * @ret_psk: Pointer too the resulting generated PSK

 * @ret_len: length of @ret_psk

 *

 * Generate a PSK for TLS as specified in NVMe base specification, section

 * 8.13.5.9: Generated PSK for TLS

 *

 * The generated PSK for TLS shall be computed applying the HMAC function

 * using the hash function H( ) selected by the HashID parameter in the

 * DH-HMAC-CHAP_Challenge message with the session key KS as key to the

 * concatenation of the two challenges C1 and C2 (i.e., generated

 * PSK = HMAC(KS, C1 || C2)).

 *

 * Returns 0 on success with a valid generated PSK pointer in @ret_psk and

 * the length of @ret_psk in @ret_len, or a negative error number otherwise.

 */

int nvme_auth_generate_psk(u8 hmac_id, u8 *skey, size_t skey_len,

		u8 *c1, u8 *c2, size_t hash_len, u8 **ret_psk, size_t *ret_len)

{

	struct crypto_shash *tfm;

	SHASH_DESC_ON_STACK(shash, tfm);

	u8 *psk;

	const char *hmac_name;

	int ret, psk_len;



	if (!c1 || !c2)

		return -EINVAL;



	hmac_name = nvme_auth_hmac_name(hmac_id);

	if (!hmac_name) {

		pr_warn("%s: invalid hash algorithm %d\n",

			__func__, hmac_id);

		return -EINVAL;

	}



	tfm = crypto_alloc_shash(hmac_name, 0, 0);

	if (IS_ERR(tfm))

		return PTR_ERR(tfm);



	psk_len = crypto_shash_digestsize(tfm);

	psk = kzalloc(psk_len, GFP_KERNEL);

	if (!psk) {

		ret = -ENOMEM;

		goto out_free_tfm;

	}



	shash->tfm = tfm;

	ret = crypto_shash_setkey(tfm, skey, skey_len);

	if (ret)

		goto out_free_psk;



	ret = crypto_shash_init(shash);

	if (ret)

		goto out_free_psk;



	ret = crypto_shash_update(shash, c1, hash_len);

	if (ret)

		goto out_free_psk;



	ret = crypto_shash_update(shash, c2, hash_len);

	if (ret)

		goto out_free_psk;



	ret = crypto_shash_final(shash, psk);

	if (!ret) {

		*ret_psk = psk;

		*ret_len = psk_len;

	}



out_free_psk:

	if (ret)

		kfree_sensitive(psk);

out_free_tfm:

	crypto_free_shash(tfm);



	return ret;

}

EXPORT_SYMBOL_GPL(nvme_auth_generate_psk);



MODULE_DESCRIPTION("NVMe Authentication framework");

MODULE_LICENSE("GPL v2");

include/linux/nvme-auth.h

+3 −0
Original line number Diff line number Diff line
@@ -40,5 +40,8 @@ int nvme_auth_gen_pubkey(struct crypto_kpp *dh_tfm, 
int nvme_auth_gen_shared_secret(struct crypto_kpp *dh_tfm,

				u8 *ctrl_key, size_t ctrl_key_len,

				u8 *sess_key, size_t sess_key_len);

int nvme_auth_generate_psk(u8 hmac_id, u8 *skey, size_t skey_len,

			   u8 *c1, u8 *c2, size_t hash_len,

			   u8 **ret_psk, size_t *ret_len);



#endif /* _NVME_AUTH_H */