
Commit 79559c7

Hannes Reineckekeithbusch
authored andcommitted
nvme-keyring: restrict match length for version '1' identifiers
TP8018 introduced a new TLS PSK identifier version (version 1), which appended a PSK hash value to the existing identifier (cf NVMe TCP specification v1.1, section 3.6.1.3 'TLS PSK and PSK Identity Derivation'). An original (version 0) identifier has the form: NVMe0<type><hmac> <hostnqn> <subsysnqn> and a version 1 identifier has the form: NVMe1<type><hmac> <hostnqn> <subsysnqn> <hash> This patch modifies the lookup algorithm to compare only the first part of the identifier (excluding the hash value) to handle both version 0 and version 1 identifiers. And the spec declares 'version 0' identifiers obsolete, so the lookup algorithm is modified to prefer v1 identifiers. Signed-off-by: Hannes Reinecke <[email protected]> Reviewed-by: Sagi Grimberg <[email protected]> Reviewed-by: Christoph Hellwig <[email protected]> Signed-off-by: Keith Busch <[email protected]>
1 parent 4e893ca commit 79559c7


1 file changed

+26
-10
lines changed


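--- a/drivers/nvme/common/keyring.c
+++ b/drivers/nvme/common/keyring.c
@@ -36,14 +36,12 @@ static bool nvme_tls_psk_match(const struct key *key,
 		pr_debug("%s: no key description\n", __func__);
 		return false;
 	}
-	match_len = strlen(key->description);
-	pr_debug("%s: id %s len %zd\n", __func__, key->description, match_len);
-
 	if (!match_data->raw_data) {
 		pr_debug("%s: no match data\n", __func__);
 		return false;
 	}
 	match_id = match_data->raw_data;
+	match_len = strlen(match_id);
 	pr_debug("%s: match '%s' '%s' len %zd\n",
 		 __func__, match_id, key->description, match_len);
 	return !memcmp(key->description, match_id, match_len);
@@ -71,7 +69,7 @@ static struct key_type nvme_tls_psk_key_type = {
 
 static struct key *nvme_tls_psk_lookup(struct key *keyring,
 		const char *hostnqn, const char *subnqn,
-		int hmac, bool generated)
+		u8 hmac, u8 psk_ver, bool generated)
 {
 	char *identity;
 	size_t identity_len = (NVMF_NQN_SIZE) * 2 + 11;
@@ -82,8 +80,8 @@ static struct key *nvme_tls_psk_lookup(struct key *keyring,
 	if (!identity)
 		return ERR_PTR(-ENOMEM);
 
-	snprintf(identity, identity_len, "NVMe0%c%02d %s %s",
-		 generated ? 'G' : 'R', hmac, hostnqn, subnqn);
+	snprintf(identity, identity_len, "NVMe%u%c%02u %s %s",
+		 psk_ver, generated ? 'G' : 'R', hmac, hostnqn, subnqn);
 
 	if (!keyring)
 		keyring = nvme_keyring;
@@ -107,21 +105,38 @@ static struct key *nvme_tls_psk_lookup(struct key *keyring,
 /*
  * NVMe PSK priority list
  *
- * 'Retained' PSKs (ie 'generated == false')
- * should be preferred to 'generated' PSKs,
- * and SHA-384 should be preferred to SHA-256.
+ * 'Retained' PSKs (ie 'generated == false') should be preferred to 'generated'
+ * PSKs, PSKs with hash (psk_ver 1) should be preferred to PSKs without hash
+ * (psk_ver 0), and SHA-384 should be preferred to SHA-256.
  */
 static struct nvme_tls_psk_priority_list {
 	bool generated;
+	u8 psk_ver;
 	enum nvme_tcp_tls_cipher cipher;
 } nvme_tls_psk_prio[] = {
 	{ .generated = false,
+	  .psk_ver = 1,
+	  .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
+	{ .generated = false,
+	  .psk_ver = 1,
+	  .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
+	{ .generated = false,
+	  .psk_ver = 0,
 	  .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
 	{ .generated = false,
+	  .psk_ver = 0,
+	  .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
+	{ .generated = true,
+	  .psk_ver = 1,
+	  .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
+	{ .generated = true,
+	  .psk_ver = 1,
 	  .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
 	{ .generated = true,
+	  .psk_ver = 0,
 	  .cipher = NVME_TCP_TLS_CIPHER_SHA384, },
 	{ .generated = true,
+	  .psk_ver = 0,
 	  .cipher = NVME_TCP_TLS_CIPHER_SHA256, },
 };
 
@@ -137,10 +152,11 @@ key_serial_t nvme_tls_psk_default(struct key *keyring,
 
 	for (prio = 0; prio < ARRAY_SIZE(nvme_tls_psk_prio); prio++) {
 		bool generated = nvme_tls_psk_prio[prio].generated;
+		u8 ver = nvme_tls_psk_prio[prio].psk_ver;
 		enum nvme_tcp_tls_cipher cipher = nvme_tls_psk_prio[prio].cipher;
 
 		tls_key = nvme_tls_psk_lookup(keyring, hostnqn, subnqn,
-					      cipher, generated);
+					      cipher, ver, generated);
 		if (!IS_ERR(tls_key)) {
 			tls_key_id = tls_key->serial;
 			key_put(tls_key);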
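Review bot: In the first hunk, `memcmp(key->description, match_id, match_len)` with `match_len` now taken from the lookup string turns the test into an unterminated prefix match, so an identity "NVMe1R01 host nqn.a" also matches a key described as "NVMe1R01 host nqn.ab <hash>", i.e. a PSK provisioned for a different subsystem NQN can be selected; and when the key description is shorter than `match_len`, `memcmp` reads past the description's terminator. Since the v1 form only ever appends " <hash>" after the v0 prefix, the match should require the description to continue with a space or end exactly there: `if (strncmp(key->description, match_id, match_len)) return false;` followed by `return key->description[match_len] == '\0' || key->description[match_len] == ' ';`. `strncmp` also stops at the shorter string's NUL, which removes the over-read. The signature and the start of nvme_tls_psk_match's body lie above the hunk.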
