Commit efe8df9f authored Mar 01, 2026 by Eric Biggers Committed by Keith Busch Mar 27, 2026

nvme-auth: target: remove obsolete crypto_has_shash() checks



Since nvme-auth is now doing its HMAC computations using the crypto
library, it's guaranteed that all the algorithms actually work.
Therefore, remove the crypto_has_shash() checks which are now obsolete.

However, the caller in nvmet_auth_negotiate() seems to have also been
relying on crypto_has_shash(nvme_auth_hmac_name(host_hmac_id)) to
validate the host_hmac_id.  Therefore, make it validate the ID more
directly by checking whether nvme_auth_hmac_hash_len() returns 0 or not.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>

parent ac9a49cf

drivers/nvme/target/auth.c

+0 −9

Original line number	Diff line number	Diff line
		@@ -45,15 +45,6 @@ int nvmet_auth_set_key(struct nvmet_host host, const char secret,
		key_hash);
		return -EINVAL;
		}
		if (key_hash > 0) {
		/* Validate selected hash algorithm */
		const char *hmac = nvme_auth_hmac_name(key_hash);

		if (!crypto_has_shash(hmac, 0, 0)) {
		pr_err("DH-HMAC-CHAP hash %s unsupported\n", hmac);
		return -ENOTSUPP;
		}
		}
		dhchap_secret = kstrdup(secret, GFP_KERNEL);
		if (!dhchap_secret)
		return -ENOMEM;

drivers/nvme/target/configfs.c

+0 −3

Original line number	Diff line number	Diff line
		@@ -17,7 +17,6 @@
		#include <linux/nvme-auth.h>
		#endif
		#include <linux/nvme-keyring.h>
		#include <crypto/hash.h>
		#include <crypto/kpp.h>
		#include <linux/nospec.h>

		@@ -2181,8 +2180,6 @@ static ssize_t nvmet_host_dhchap_hash_store(struct config_item *item,
		hmac_id = nvme_auth_hmac_id(page);
		if (hmac_id == NVME_AUTH_HASH_INVALID)
		return -EINVAL;
		if (!crypto_has_shash(nvme_auth_hmac_name(hmac_id), 0, 0))
		return -ENOTSUPP;
		host->dhchap_hash_id = hmac_id;
		return count;
		}

drivers/nvme/target/fabrics-cmd-auth.c

+1 −3

Original line number	Diff line number	Diff line
		@@ -8,7 +8,6 @@
		#include <linux/blkdev.h>
		#include <linux/random.h>
		#include <linux/nvme-auth.h>
		#include <crypto/hash.h>
		#include <crypto/kpp.h>
		#include "nvmet.h"

		@@ -75,8 +74,7 @@ static u8 nvmet_auth_negotiate(struct nvmet_req req, void d)
		for (i = 0; i < data->auth_protocol[0].dhchap.halen; i++) {
		u8 host_hmac_id = data->auth_protocol[0].dhchap.idlist[i];

		if (!fallback_hash_id &&
		crypto_has_shash(nvme_auth_hmac_name(host_hmac_id), 0, 0))
		if (!fallback_hash_id && nvme_auth_hmac_hash_len(host_hmac_id))
		fallback_hash_id = host_hmac_id;
		if (ctrl->shash_id != host_hmac_id)
		continue;