Commit a891962a authored by Hannes Reinecke's avatar Hannes Reinecke Committed by Keith Busch
Browse files

nvmet-auth: Do not print DH-HMAC-CHAP secrets 



From a security standpoint we should not allow to print out the DH-HMAC-CHAP
secrets, but at the same time having them is useful for debugging
authentication failures.
So add a Kconfig option NVME_TARGET_AUTH_DEBUG to only enable debugging
if explictly requested at build time.

Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
Signed-off-by: default avatarHannes Reinecke <hare@kernel.org>
Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
parent 2279cd9c

drivers/nvme/target/Kconfig

+9 −0
Original line number Diff line number Diff line
@@ -117,6 +117,15 @@ config NVME_TARGET_AUTH 


	  If unsure, say N.



config NVME_TARGET_AUTH_DEBUG

	bool "NVMe over Fabrics In-band Authentication debug messages"

	depends on NVME_TARGET_AUTH

	help

	  This enables additional debug messages including the generated

	  DH-HMAC-CHAP secrets to help debugging authentication failures.



	  If unsure, say N.



config NVME_TARGET_PCI_EPF

	tristate "NVMe PCI Endpoint Function target support"

	depends on NVME_TARGET && PCI_ENDPOINT

drivers/nvme/target/auth.c

+8 −5
Original line number Diff line number Diff line
@@ -144,7 +144,6 @@ u8 nvmet_setup_auth(struct nvmet_ctrl *ctrl, struct nvmet_sq *sq, bool reset) 
		goto out_unlock;



	list_for_each_entry(p, &ctrl->subsys->hosts, entry) {

		pr_debug("check %s\n", nvmet_host_name(p->host));

		if (strcmp(nvmet_host_name(p->host), ctrl->hostnqn))

			continue;

		host = p->host;
@@ -189,11 +188,12 @@ u8 nvmet_setup_auth(struct nvmet_ctrl *ctrl, struct nvmet_sq *sq, bool reset) 
		ctrl->host_key = NULL;

		goto out_free_hash;

	}

#ifdef CONFIG_NVME_TARGET_AUTH_DEBUG

	pr_debug("%s: using hash %s key %*ph\n", __func__,

		 ctrl->host_key->hash > 0 ?

		 nvme_auth_hmac_name(ctrl->host_key->hash) : "none",

		 (int)ctrl->host_key->len, ctrl->host_key->key);



#endif

	nvme_auth_free_key(ctrl->ctrl_key);

	if (!host->dhchap_ctrl_secret) {

		ctrl->ctrl_key = NULL;
@@ -207,11 +207,12 @@ u8 nvmet_setup_auth(struct nvmet_ctrl *ctrl, struct nvmet_sq *sq, bool reset) 
		ctrl->ctrl_key = NULL;

		goto out_free_hash;

	}

#ifdef CONFIG_NVME_TARGET_AUTH_DEBUG

	pr_debug("%s: using ctrl hash %s key %*ph\n", __func__,

		 ctrl->ctrl_key->hash > 0 ?

		 nvme_auth_hmac_name(ctrl->ctrl_key->hash) : "none",

		 (int)ctrl->ctrl_key->len, ctrl->ctrl_key->key);



#endif

out_free_hash:

	if (ret) {

		if (ctrl->host_key) {
@@ -317,7 +318,6 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response, 
		if (ret)

			goto out_free_challenge;

	}



	pr_debug("ctrl %d qid %d host response seq %u transaction %d\n",

		 ctrl->cntlid, req->sq->qid, req->sq->dhchap_s1,

		 req->sq->dhchap_tid);
@@ -434,8 +434,10 @@ int nvmet_auth_ctrl_exponential(struct nvmet_req *req, 
		ret = -EINVAL;

	} else {

		memcpy(buf, ctrl->dh_key, buf_size);

#ifdef CONFIG_NVME_TARGET_AUTH_DEBUG

		pr_debug("%s: ctrl %d public key %*ph\n", __func__,

			 ctrl->cntlid, (int)buf_size, buf);

#endif

	}



	return ret;
@@ -458,11 +460,12 @@ int nvmet_auth_ctrl_sesskey(struct nvmet_req *req, 
					ctrl->shash_id);

	if (ret)

		pr_debug("failed to compute session key, err %d\n", ret);

#ifdef CONFIG_NVME_TARGET_AUTH_DEBUG

	else

		pr_debug("%s: session key %*ph\n", __func__,

			 (int)req->sq->dhchap_skey_len,

			 req->sq->dhchap_skey);



#endif

	return ret;

}