bybrooklyn/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-04-18 06:44:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

nvme-auth: Don't propose NVME_AUTH_DHGROUP_NULL with SC_C

Browse Source 
Section 8.3.4.5.2 of the NVMe 2.1 base spec states that

"""
The 00h identifier shall not be proposed in an AUTH_Negotiate message
that requests secure channel concatenation (i.e., with the SC_C field
set to a non-zero value).
"""

We need to ensure that we don't set the NVME_AUTH_DHGROUP_NULL idlist if
SC_C is set.

Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chris Leech <cleech@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kamaljit Singh <kamaljit.singh@opensource.wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
This commit is contained in:
Alistair Francis
2026-03-20 10:20:45 +10:00
committed by Keith Busch
parent 09e8f0f934
commit 33eb451044
1 changed files with 15 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
drivers/nvme/host/auth.c
View File

@@ -123,6 +123,8 @@ static int nvme_auth_set_dhchap_negotiate_data(struct nvme_ctrl *ctrl,
{
struct nvmf_auth_dhchap_negotiate_data *data = chap->buf;
size_t size = sizeof(*data) + sizeof(union nvmf_auth_protocol);
u8 dh_list_offset = NVME_AUTH_DHCHAP_MAX_DH_IDS;
u8 *idlist = data->auth_protocol[0].dhchap.idlist;
if (size > CHAP_BUF_SIZE) {
chap->status = NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
@@ -139,21 +141,22 @@ static int nvme_auth_set_dhchap_negotiate_data(struct nvme_ctrl *ctrl,
data->sc_c = NVME_AUTH_SECP_NEWTLSPSK;
} else
data->sc_c = NVME_AUTH_SECP_NOSC;
chap->sc_c = data->sc_c;
data->napd = 1;
data->auth_protocol[0].dhchap.authid = NVME_AUTH_DHCHAP_AUTH_ID;
data->auth_protocol[0].dhchap.halen = 3;
data->auth_protocol[0].dhchap.dhlen = 6;
data->auth_protocol[0].dhchap.idlist[0] = NVME_AUTH_HASH_SHA256;
data->auth_protocol[0].dhchap.idlist[1] = NVME_AUTH_HASH_SHA384;
data->auth_protocol[0].dhchap.idlist[2] = NVME_AUTH_HASH_SHA512;
data->auth_protocol[0].dhchap.idlist[30] = NVME_AUTH_DHGROUP_NULL;
data->auth_protocol[0].dhchap.idlist[31] = NVME_AUTH_DHGROUP_2048;
data->auth_protocol[0].dhchap.idlist[32] = NVME_AUTH_DHGROUP_3072;
data->auth_protocol[0].dhchap.idlist[33] = NVME_AUTH_DHGROUP_4096;
data->auth_protocol[0].dhchap.idlist[34] = NVME_AUTH_DHGROUP_6144;
data->auth_protocol[0].dhchap.idlist[35] = NVME_AUTH_DHGROUP_8192;
chap->sc_c = data->sc_c;
idlist[0] = NVME_AUTH_HASH_SHA256;
idlist[1] = NVME_AUTH_HASH_SHA384;
idlist[2] = NVME_AUTH_HASH_SHA512;
if (chap->sc_c == NVME_AUTH_SECP_NOSC)
idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_NULL;
idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_2048;
idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_3072;
idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_4096;
idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_6144;
idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_8192;
data->auth_protocol[0].dhchap.dhlen =
dh_list_offset - NVME_AUTH_DHCHAP_MAX_DH_IDS;
return size;
}