Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Copyright (c) 2020 Hannes Reinecke, SUSE Linux
4 */
5
6#include <linux/module.h>
7#include <linux/crc32.h>
8#include <linux/base64.h>
9#include <linux/prandom.h>
10#include <linux/scatterlist.h>
11#include <linux/unaligned.h>
12#include <crypto/dh.h>
13#include <crypto/sha2.h>
14#include <linux/nvme.h>
15#include <linux/nvme-auth.h>
16
17static u32 nvme_dhchap_seqnum;
18static DEFINE_MUTEX(nvme_dhchap_mutex);
19
20u32 nvme_auth_get_seqnum(void)
21{
22 u32 seqnum;
23
24 mutex_lock(&nvme_dhchap_mutex);
25 if (!nvme_dhchap_seqnum)
26 nvme_dhchap_seqnum = get_random_u32();
27 else {
28 nvme_dhchap_seqnum++;
29 if (!nvme_dhchap_seqnum)
30 nvme_dhchap_seqnum++;
31 }
32 seqnum = nvme_dhchap_seqnum;
33 mutex_unlock(&nvme_dhchap_mutex);
34 return seqnum;
35}
36EXPORT_SYMBOL_GPL(nvme_auth_get_seqnum);
37
38static const struct nvme_auth_dhgroup_map {
39 char name[16];
40 char kpp[16];
41} dhgroup_map[] = {
42 [NVME_AUTH_DHGROUP_NULL] = {
43 .name = "null", .kpp = "null" },
44 [NVME_AUTH_DHGROUP_2048] = {
45 .name = "ffdhe2048", .kpp = "ffdhe2048(dh)" },
46 [NVME_AUTH_DHGROUP_3072] = {
47 .name = "ffdhe3072", .kpp = "ffdhe3072(dh)" },
48 [NVME_AUTH_DHGROUP_4096] = {
49 .name = "ffdhe4096", .kpp = "ffdhe4096(dh)" },
50 [NVME_AUTH_DHGROUP_6144] = {
51 .name = "ffdhe6144", .kpp = "ffdhe6144(dh)" },
52 [NVME_AUTH_DHGROUP_8192] = {
53 .name = "ffdhe8192", .kpp = "ffdhe8192(dh)" },
54};
55
56const char *nvme_auth_dhgroup_name(u8 dhgroup_id)
57{
58 if (dhgroup_id >= ARRAY_SIZE(dhgroup_map))
59 return NULL;
60 return dhgroup_map[dhgroup_id].name;
61}
62EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_name);
63
64const char *nvme_auth_dhgroup_kpp(u8 dhgroup_id)
65{
66 if (dhgroup_id >= ARRAY_SIZE(dhgroup_map))
67 return NULL;
68 return dhgroup_map[dhgroup_id].kpp;
69}
70EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_kpp);
71
72u8 nvme_auth_dhgroup_id(const char *dhgroup_name)
73{
74 int i;
75
76 if (!dhgroup_name || !strlen(dhgroup_name))
77 return NVME_AUTH_DHGROUP_INVALID;
78 for (i = 0; i < ARRAY_SIZE(dhgroup_map); i++) {
79 if (!strlen(dhgroup_map[i].name))
80 continue;
81 if (!strncmp(dhgroup_map[i].name, dhgroup_name,
82 strlen(dhgroup_map[i].name)))
83 return i;
84 }
85 return NVME_AUTH_DHGROUP_INVALID;
86}
87EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_id);
88
89static const struct nvme_dhchap_hash_map {
90 int len;
91 char hmac[15];
92} hash_map[] = {
93 [NVME_AUTH_HASH_SHA256] = {
94 .len = 32,
95 .hmac = "hmac(sha256)",
96 },
97 [NVME_AUTH_HASH_SHA384] = {
98 .len = 48,
99 .hmac = "hmac(sha384)",
100 },
101 [NVME_AUTH_HASH_SHA512] = {
102 .len = 64,
103 .hmac = "hmac(sha512)",
104 },
105};
106
107const char *nvme_auth_hmac_name(u8 hmac_id)
108{
109 if (hmac_id >= ARRAY_SIZE(hash_map))
110 return NULL;
111 return hash_map[hmac_id].hmac;
112}
113EXPORT_SYMBOL_GPL(nvme_auth_hmac_name);
114
115u8 nvme_auth_hmac_id(const char *hmac_name)
116{
117 int i;
118
119 if (!hmac_name || !strlen(hmac_name))
120 return NVME_AUTH_HASH_INVALID;
121
122 for (i = 0; i < ARRAY_SIZE(hash_map); i++) {
123 if (!strlen(hash_map[i].hmac))
124 continue;
125 if (!strncmp(hash_map[i].hmac, hmac_name,
126 strlen(hash_map[i].hmac)))
127 return i;
128 }
129 return NVME_AUTH_HASH_INVALID;
130}
131EXPORT_SYMBOL_GPL(nvme_auth_hmac_id);
132
133size_t nvme_auth_hmac_hash_len(u8 hmac_id)
134{
135 if (hmac_id >= ARRAY_SIZE(hash_map))
136 return 0;
137 return hash_map[hmac_id].len;
138}
139EXPORT_SYMBOL_GPL(nvme_auth_hmac_hash_len);
140
141u32 nvme_auth_key_struct_size(u32 key_len)
142{
143 struct nvme_dhchap_key key;
144
145 return struct_size(&key, key, key_len);
146}
147EXPORT_SYMBOL_GPL(nvme_auth_key_struct_size);
148
149struct nvme_dhchap_key *nvme_auth_extract_key(const char *secret, u8 key_hash)
150{
151 struct nvme_dhchap_key *key;
152 const char *p;
153 u32 crc;
154 int ret, key_len;
155 size_t allocated_len = strlen(secret);
156
157 /* Secret might be affixed with a ':' */
158 p = strrchr(secret, ':');
159 if (p)
160 allocated_len = p - secret;
161 key = nvme_auth_alloc_key(allocated_len, 0);
162 if (!key)
163 return ERR_PTR(-ENOMEM);
164
165 key_len = base64_decode(secret, allocated_len, key->key, true, BASE64_STD);
166 if (key_len < 0) {
167 pr_debug("base64 key decoding error %d\n",
168 key_len);
169 ret = key_len;
170 goto out_free_key;
171 }
172
173 if (key_len != 36 && key_len != 52 &&
174 key_len != 68) {
175 pr_err("Invalid key len %d\n", key_len);
176 ret = -EINVAL;
177 goto out_free_key;
178 }
179
180 /* The last four bytes is the CRC in little-endian format */
181 key_len -= 4;
182 /*
183 * The linux implementation doesn't do pre- and post-increments,
184 * so we have to do it manually.
185 */
186 crc = ~crc32(~0, key->key, key_len);
187
188 if (get_unaligned_le32(key->key + key_len) != crc) {
189 pr_err("key crc mismatch (key %08x, crc %08x)\n",
190 get_unaligned_le32(key->key + key_len), crc);
191 ret = -EKEYREJECTED;
192 goto out_free_key;
193 }
194 key->len = key_len;
195 key->hash = key_hash;
196 return key;
197out_free_key:
198 nvme_auth_free_key(key);
199 return ERR_PTR(ret);
200}
201EXPORT_SYMBOL_GPL(nvme_auth_extract_key);
202
203struct nvme_dhchap_key *nvme_auth_alloc_key(u32 len, u8 hash)
204{
205 u32 num_bytes = nvme_auth_key_struct_size(len);
206 struct nvme_dhchap_key *key = kzalloc(num_bytes, GFP_KERNEL);
207
208 if (key) {
209 key->len = len;
210 key->hash = hash;
211 }
212 return key;
213}
214EXPORT_SYMBOL_GPL(nvme_auth_alloc_key);
215
216void nvme_auth_free_key(struct nvme_dhchap_key *key)
217{
218 if (!key)
219 return;
220 kfree_sensitive(key);
221}
222EXPORT_SYMBOL_GPL(nvme_auth_free_key);
223
224/*
225 * Start computing an HMAC value, given the algorithm ID and raw key.
226 *
227 * The context should be zeroized at the end of its lifetime. The caller can do
228 * that implicitly by calling nvme_auth_hmac_final(), or explicitly (needed when
229 * a context is abandoned without finalizing it) by calling memzero_explicit().
230 */
231int nvme_auth_hmac_init(struct nvme_auth_hmac_ctx *hmac, u8 hmac_id,
232 const u8 *key, size_t key_len)
233{
234 hmac->hmac_id = hmac_id;
235 switch (hmac_id) {
236 case NVME_AUTH_HASH_SHA256:
237 hmac_sha256_init_usingrawkey(&hmac->sha256, key, key_len);
238 return 0;
239 case NVME_AUTH_HASH_SHA384:
240 hmac_sha384_init_usingrawkey(&hmac->sha384, key, key_len);
241 return 0;
242 case NVME_AUTH_HASH_SHA512:
243 hmac_sha512_init_usingrawkey(&hmac->sha512, key, key_len);
244 return 0;
245 }
246 pr_warn("%s: invalid hash algorithm %d\n", __func__, hmac_id);
247 return -EINVAL;
248}
249EXPORT_SYMBOL_GPL(nvme_auth_hmac_init);
250
251void nvme_auth_hmac_update(struct nvme_auth_hmac_ctx *hmac, const u8 *data,
252 size_t data_len)
253{
254 switch (hmac->hmac_id) {
255 case NVME_AUTH_HASH_SHA256:
256 hmac_sha256_update(&hmac->sha256, data, data_len);
257 return;
258 case NVME_AUTH_HASH_SHA384:
259 hmac_sha384_update(&hmac->sha384, data, data_len);
260 return;
261 case NVME_AUTH_HASH_SHA512:
262 hmac_sha512_update(&hmac->sha512, data, data_len);
263 return;
264 }
265 /* Unreachable because nvme_auth_hmac_init() validated hmac_id */
266 WARN_ON_ONCE(1);
267}
268EXPORT_SYMBOL_GPL(nvme_auth_hmac_update);
269
270/* Finish computing an HMAC value. Note that this zeroizes the HMAC context. */
271void nvme_auth_hmac_final(struct nvme_auth_hmac_ctx *hmac, u8 *out)
272{
273 switch (hmac->hmac_id) {
274 case NVME_AUTH_HASH_SHA256:
275 hmac_sha256_final(&hmac->sha256, out);
276 return;
277 case NVME_AUTH_HASH_SHA384:
278 hmac_sha384_final(&hmac->sha384, out);
279 return;
280 case NVME_AUTH_HASH_SHA512:
281 hmac_sha512_final(&hmac->sha512, out);
282 return;
283 }
284 /* Unreachable because nvme_auth_hmac_init() validated hmac_id */
285 WARN_ON_ONCE(1);
286}
287EXPORT_SYMBOL_GPL(nvme_auth_hmac_final);
288
289static int nvme_auth_hmac(u8 hmac_id, const u8 *key, size_t key_len,
290 const u8 *data, size_t data_len, u8 *out)
291{
292 struct nvme_auth_hmac_ctx hmac;
293 int ret;
294
295 ret = nvme_auth_hmac_init(&hmac, hmac_id, key, key_len);
296 if (ret == 0) {
297 nvme_auth_hmac_update(&hmac, data, data_len);
298 nvme_auth_hmac_final(&hmac, out);
299 }
300 return ret;
301}
302
303static int nvme_auth_hash(u8 hmac_id, const u8 *data, size_t data_len, u8 *out)
304{
305 switch (hmac_id) {
306 case NVME_AUTH_HASH_SHA256:
307 sha256(data, data_len, out);
308 return 0;
309 case NVME_AUTH_HASH_SHA384:
310 sha384(data, data_len, out);
311 return 0;
312 case NVME_AUTH_HASH_SHA512:
313 sha512(data, data_len, out);
314 return 0;
315 }
316 pr_warn("%s: invalid hash algorithm %d\n", __func__, hmac_id);
317 return -EINVAL;
318}
319
320struct nvme_dhchap_key *nvme_auth_transform_key(
321 const struct nvme_dhchap_key *key, const char *nqn)
322{
323 struct nvme_auth_hmac_ctx hmac;
324 struct nvme_dhchap_key *transformed_key;
325 int ret, key_len;
326
327 if (!key) {
328 pr_warn("No key specified\n");
329 return ERR_PTR(-ENOKEY);
330 }
331 if (key->hash == 0) {
332 key_len = nvme_auth_key_struct_size(key->len);
333 transformed_key = kmemdup(key, key_len, GFP_KERNEL);
334 if (!transformed_key)
335 return ERR_PTR(-ENOMEM);
336 return transformed_key;
337 }
338 ret = nvme_auth_hmac_init(&hmac, key->hash, key->key, key->len);
339 if (ret)
340 return ERR_PTR(ret);
341 key_len = nvme_auth_hmac_hash_len(key->hash);
342 transformed_key = nvme_auth_alloc_key(key_len, key->hash);
343 if (!transformed_key) {
344 memzero_explicit(&hmac, sizeof(hmac));
345 return ERR_PTR(-ENOMEM);
346 }
347 nvme_auth_hmac_update(&hmac, nqn, strlen(nqn));
348 nvme_auth_hmac_update(&hmac, "NVMe-over-Fabrics", 17);
349 nvme_auth_hmac_final(&hmac, transformed_key->key);
350 return transformed_key;
351}
352EXPORT_SYMBOL_GPL(nvme_auth_transform_key);
353
354/**
355 * nvme_auth_augmented_challenge() - Compute the augmented DH-HMAC-CHAP challenge
356 * @hmac_id: Hash algorithm identifier
357 * @skey: Session key
358 * @skey_len: Length of @skey
359 * @challenge: Challenge value
360 * @aug: Output buffer for the augmented challenge
361 * @hlen: Hash output length (length of @challenge and @aug)
362 *
363 * NVMe base specification 8.3.5.5.4: The augmented challenge is computed
364 * applying the HMAC function using the hash function H() selected by the
365 * HashID parameter ... with the hash of the ephemeral DH key ... as HMAC key
366 * to the challenge C (i.e., Ca = HMAC(H(g^xy mod p), C)).
367 *
368 * As the session key skey is already H(g^xy mod p) per section 8.3.5.5.9, use
369 * it directly as the HMAC key without additional hashing.
370 *
371 * Return: 0 on success, negative errno on failure.
372 */
373int nvme_auth_augmented_challenge(u8 hmac_id, const u8 *skey, size_t skey_len,
374 const u8 *challenge, u8 *aug, size_t hlen)
375{
376 return nvme_auth_hmac(hmac_id, skey, skey_len, challenge, hlen, aug);
377}
378EXPORT_SYMBOL_GPL(nvme_auth_augmented_challenge);
379
380int nvme_auth_gen_privkey(struct crypto_kpp *dh_tfm, u8 dh_gid)
381{
382 int ret;
383
384 ret = crypto_kpp_set_secret(dh_tfm, NULL, 0);
385 if (ret)
386 pr_debug("failed to set private key, error %d\n", ret);
387
388 return ret;
389}
390EXPORT_SYMBOL_GPL(nvme_auth_gen_privkey);
391
392int nvme_auth_gen_pubkey(struct crypto_kpp *dh_tfm,
393 u8 *host_key, size_t host_key_len)
394{
395 struct kpp_request *req;
396 struct crypto_wait wait;
397 struct scatterlist dst;
398 int ret;
399
400 req = kpp_request_alloc(dh_tfm, GFP_KERNEL);
401 if (!req)
402 return -ENOMEM;
403
404 crypto_init_wait(&wait);
405 kpp_request_set_input(req, NULL, 0);
406 sg_init_one(&dst, host_key, host_key_len);
407 kpp_request_set_output(req, &dst, host_key_len);
408 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
409 crypto_req_done, &wait);
410
411 ret = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait);
412 kpp_request_free(req);
413 return ret;
414}
415EXPORT_SYMBOL_GPL(nvme_auth_gen_pubkey);
416
417/**
418 * nvme_auth_gen_session_key() - Generate an ephemeral session key
419 * @dh_tfm: Diffie-Hellman transform with local private key already set
420 * @public_key: Peer's public key
421 * @public_key_len: Length of @public_key
422 * @sess_key: Output buffer for the session key
423 * @sess_key_len: Size of @sess_key buffer
424 * @hash_id: Hash algorithm identifier
425 *
426 * NVMe base specification 8.3.5.5.9: The session key Ks shall be computed from
427 * the ephemeral DH key (i.e., g^xy mod p) ... by applying the hash function
428 * H() selected by the HashID parameter ... (i.e., Ks = H(g^xy mod p)).
429 *
430 * Return: 0 on success, negative errno on failure.
431 */
432int nvme_auth_gen_session_key(struct crypto_kpp *dh_tfm,
433 const u8 *public_key, size_t public_key_len,
434 u8 *sess_key, size_t sess_key_len, u8 hash_id)
435{
436 struct kpp_request *req;
437 struct crypto_wait wait;
438 struct scatterlist src, dst;
439 u8 *dh_secret;
440 size_t dh_secret_len, hash_len;
441 int ret;
442
443 hash_len = nvme_auth_hmac_hash_len(hash_id);
444 if (!hash_len) {
445 pr_warn("%s: invalid hash algorithm %d\n", __func__, hash_id);
446 return -EINVAL;
447 }
448
449 if (sess_key_len != hash_len) {
450 pr_warn("%s: sess_key buffer missized (%zu != %zu)\n",
451 __func__, sess_key_len, hash_len);
452 return -EINVAL;
453 }
454
455 dh_secret_len = crypto_kpp_maxsize(dh_tfm);
456 dh_secret = kzalloc(dh_secret_len, GFP_KERNEL);
457 if (!dh_secret)
458 return -ENOMEM;
459
460 req = kpp_request_alloc(dh_tfm, GFP_KERNEL);
461 if (!req) {
462 ret = -ENOMEM;
463 goto out_free_secret;
464 }
465
466 crypto_init_wait(&wait);
467 sg_init_one(&src, public_key, public_key_len);
468 kpp_request_set_input(req, &src, public_key_len);
469 sg_init_one(&dst, dh_secret, dh_secret_len);
470 kpp_request_set_output(req, &dst, dh_secret_len);
471 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
472 crypto_req_done, &wait);
473
474 ret = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait);
475 kpp_request_free(req);
476
477 if (ret)
478 goto out_free_secret;
479
480 ret = nvme_auth_hash(hash_id, dh_secret, dh_secret_len, sess_key);
481
482out_free_secret:
483 kfree_sensitive(dh_secret);
484 return ret;
485}
486EXPORT_SYMBOL_GPL(nvme_auth_gen_session_key);
487
488int nvme_auth_parse_key(const char *secret, struct nvme_dhchap_key **ret_key)
489{
490 struct nvme_dhchap_key *key;
491 u8 key_hash;
492
493 if (!secret) {
494 *ret_key = NULL;
495 return 0;
496 }
497
498 if (sscanf(secret, "DHHC-1:%hhd:%*s:", &key_hash) != 1)
499 return -EINVAL;
500
501 /* Pass in the secret without the 'DHHC-1:XX:' prefix */
502 key = nvme_auth_extract_key(secret + 10, key_hash);
503 if (IS_ERR(key)) {
504 *ret_key = NULL;
505 return PTR_ERR(key);
506 }
507
508 *ret_key = key;
509 return 0;
510}
511EXPORT_SYMBOL_GPL(nvme_auth_parse_key);
512
513/**
514 * nvme_auth_generate_psk - Generate a PSK for TLS
515 * @hmac_id: Hash function identifier
516 * @skey: Session key
517 * @skey_len: Length of @skey
518 * @c1: Value of challenge C1
519 * @c2: Value of challenge C2
520 * @hash_len: Hash length of the hash algorithm
521 * @ret_psk: Pointer to the resulting generated PSK
522 * @ret_len: length of @ret_psk
523 *
524 * Generate a PSK for TLS as specified in NVMe base specification, section
525 * 8.13.5.9: Generated PSK for TLS
526 *
527 * The generated PSK for TLS shall be computed applying the HMAC function
528 * using the hash function H( ) selected by the HashID parameter in the
529 * DH-HMAC-CHAP_Challenge message with the session key KS as key to the
530 * concatenation of the two challenges C1 and C2 (i.e., generated
531 * PSK = HMAC(KS, C1 || C2)).
532 *
533 * Returns 0 on success with a valid generated PSK pointer in @ret_psk and
534 * the length of @ret_psk in @ret_len, or a negative error number otherwise.
535 */
536int nvme_auth_generate_psk(u8 hmac_id, const u8 *skey, size_t skey_len,
537 const u8 *c1, const u8 *c2, size_t hash_len,
538 u8 **ret_psk, size_t *ret_len)
539{
540 size_t psk_len = nvme_auth_hmac_hash_len(hmac_id);
541 struct nvme_auth_hmac_ctx hmac;
542 u8 *psk;
543 int ret;
544
545 if (!c1 || !c2)
546 return -EINVAL;
547
548 ret = nvme_auth_hmac_init(&hmac, hmac_id, skey, skey_len);
549 if (ret)
550 return ret;
551 psk = kzalloc(psk_len, GFP_KERNEL);
552 if (!psk) {
553 memzero_explicit(&hmac, sizeof(hmac));
554 return -ENOMEM;
555 }
556 nvme_auth_hmac_update(&hmac, c1, hash_len);
557 nvme_auth_hmac_update(&hmac, c2, hash_len);
558 nvme_auth_hmac_final(&hmac, psk);
559 *ret_psk = psk;
560 *ret_len = psk_len;
561 return 0;
562}
563EXPORT_SYMBOL_GPL(nvme_auth_generate_psk);
564
565/**
566 * nvme_auth_generate_digest - Generate TLS PSK digest
567 * @hmac_id: Hash function identifier
568 * @psk: Generated input PSK
569 * @psk_len: Length of @psk
570 * @subsysnqn: NQN of the subsystem
571 * @hostnqn: NQN of the host
572 * @ret_digest: Pointer to the returned digest
573 *
574 * Generate a TLS PSK digest as specified in TP8018 Section 3.6.1.3:
575 * TLS PSK and PSK identity Derivation
576 *
577 * The PSK digest shall be computed by encoding in Base64 (refer to RFC
578 * 4648) the result of the application of the HMAC function using the hash
579 * function specified in item 4 above (ie the hash function of the cipher
580 * suite associated with the PSK identity) with the PSK as HMAC key to the
581 * concatenation of:
582 * - the NQN of the host (i.e., NQNh) not including the null terminator;
583 * - a space character;
584 * - the NQN of the NVM subsystem (i.e., NQNc) not including the null
585 * terminator;
586 * - a space character; and
587 * - the seventeen ASCII characters "NVMe-over-Fabrics"
588 * (i.e., <PSK digest> = Base64(HMAC(PSK, NQNh || " " || NQNc || " " ||
589 * "NVMe-over-Fabrics"))).
590 * The length of the PSK digest depends on the hash function used to compute
591 * it as follows:
592 * - If the SHA-256 hash function is used, the resulting PSK digest is 44
593 * characters long; or
594 * - If the SHA-384 hash function is used, the resulting PSK digest is 64
595 * characters long.
596 *
597 * Returns 0 on success with a valid digest pointer in @ret_digest, or a
598 * negative error number on failure.
599 */
600int nvme_auth_generate_digest(u8 hmac_id, const u8 *psk, size_t psk_len,
601 const char *subsysnqn, const char *hostnqn,
602 char **ret_digest)
603{
604 struct nvme_auth_hmac_ctx hmac;
605 u8 digest[NVME_AUTH_MAX_DIGEST_SIZE];
606 size_t hash_len = nvme_auth_hmac_hash_len(hmac_id);
607 char *enc;
608 size_t enc_len;
609 int ret;
610
611 if (WARN_ON(!subsysnqn || !hostnqn))
612 return -EINVAL;
613
614 if (hash_len == 0) {
615 pr_warn("%s: invalid hash algorithm %d\n",
616 __func__, hmac_id);
617 return -EINVAL;
618 }
619
620 switch (hash_len) {
621 case 32:
622 enc_len = 44;
623 break;
624 case 48:
625 enc_len = 64;
626 break;
627 default:
628 pr_warn("%s: invalid hash algorithm '%s'\n",
629 __func__, nvme_auth_hmac_name(hmac_id));
630 return -EINVAL;
631 }
632
633 enc = kzalloc(enc_len + 1, GFP_KERNEL);
634 if (!enc) {
635 ret = -ENOMEM;
636 goto out;
637 }
638
639 ret = nvme_auth_hmac_init(&hmac, hmac_id, psk, psk_len);
640 if (ret)
641 goto out;
642 nvme_auth_hmac_update(&hmac, hostnqn, strlen(hostnqn));
643 nvme_auth_hmac_update(&hmac, " ", 1);
644 nvme_auth_hmac_update(&hmac, subsysnqn, strlen(subsysnqn));
645 nvme_auth_hmac_update(&hmac, " NVMe-over-Fabrics", 18);
646 nvme_auth_hmac_final(&hmac, digest);
647
648 ret = base64_encode(digest, hash_len, enc, true, BASE64_STD);
649 if (ret < enc_len) {
650 ret = -ENOKEY;
651 goto out;
652 }
653 *ret_digest = enc;
654 ret = 0;
655
656out:
657 if (ret)
658 kfree_sensitive(enc);
659 memzero_explicit(digest, sizeof(digest));
660 return ret;
661}
662EXPORT_SYMBOL_GPL(nvme_auth_generate_digest);
663
664/**
665 * nvme_auth_derive_tls_psk - Derive TLS PSK
666 * @hmac_id: Hash function identifier
667 * @psk: generated input PSK
668 * @psk_len: size of @psk
669 * @psk_digest: TLS PSK digest
670 * @ret_psk: Pointer to the resulting TLS PSK
671 *
672 * Derive a TLS PSK as specified in TP8018 Section 3.6.1.3:
673 * TLS PSK and PSK identity Derivation
674 *
675 * The TLS PSK shall be derived as follows from an input PSK
676 * (i.e., either a retained PSK or a generated PSK) and a PSK
677 * identity using the HKDF-Extract and HKDF-Expand-Label operations
678 * (refer to RFC 5869 and RFC 8446) where the hash function is the
679 * one specified by the hash specifier of the PSK identity:
680 * 1. PRK = HKDF-Extract(0, Input PSK); and
681 * 2. TLS PSK = HKDF-Expand-Label(PRK, "nvme-tls-psk", PskIdentityContext, L),
682 * where PskIdentityContext is the hash identifier indicated in
683 * the PSK identity concatenated to a space character and to the
684 * Base64 PSK digest (i.e., "<hash> <PSK digest>") and L is the
685 * output size in bytes of the hash function (i.e., 32 for SHA-256
686 * and 48 for SHA-384).
687 *
688 * Returns 0 on success with a valid psk pointer in @ret_psk or a negative
689 * error number otherwise.
690 */
691int nvme_auth_derive_tls_psk(int hmac_id, const u8 *psk, size_t psk_len,
692 const char *psk_digest, u8 **ret_psk)
693{
694 static const u8 default_salt[NVME_AUTH_MAX_DIGEST_SIZE];
695 static const char label[] = "tls13 nvme-tls-psk";
696 const size_t label_len = sizeof(label) - 1;
697 u8 prk[NVME_AUTH_MAX_DIGEST_SIZE];
698 size_t hash_len, ctx_len;
699 u8 *hmac_data = NULL, *tls_key;
700 size_t i;
701 int ret;
702
703 hash_len = nvme_auth_hmac_hash_len(hmac_id);
704 if (hash_len == 0) {
705 pr_warn("%s: invalid hash algorithm %d\n",
706 __func__, hmac_id);
707 return -EINVAL;
708 }
709 if (hmac_id == NVME_AUTH_HASH_SHA512) {
710 pr_warn("%s: unsupported hash algorithm %s\n",
711 __func__, nvme_auth_hmac_name(hmac_id));
712 return -EINVAL;
713 }
714
715 if (psk_len != hash_len) {
716 pr_warn("%s: unexpected psk_len %zu\n", __func__, psk_len);
717 return -EINVAL;
718 }
719
720 /* HKDF-Extract */
721 ret = nvme_auth_hmac(hmac_id, default_salt, hash_len, psk, psk_len,
722 prk);
723 if (ret)
724 goto out;
725
726 /*
727 * HKDF-Expand-Label (RFC 8446 section 7.1), with output length equal to
728 * the hash length (so only a single HMAC operation is needed)
729 */
730
731 hmac_data = kmalloc(/* output length */ 2 +
732 /* label */ 1 + label_len +
733 /* context (max) */ 1 + 3 + 1 + strlen(psk_digest) +
734 /* counter */ 1,
735 GFP_KERNEL);
736 if (!hmac_data) {
737 ret = -ENOMEM;
738 goto out;
739 }
740 /* output length */
741 i = 0;
742 hmac_data[i++] = hash_len >> 8;
743 hmac_data[i++] = hash_len;
744
745 /* label */
746 static_assert(label_len <= 255);
747 hmac_data[i] = label_len;
748 memcpy(&hmac_data[i + 1], label, label_len);
749 i += 1 + label_len;
750
751 /* context */
752 ctx_len = sprintf(&hmac_data[i + 1], "%02d %s", hmac_id, psk_digest);
753 if (ctx_len > 255) {
754 ret = -EINVAL;
755 goto out;
756 }
757 hmac_data[i] = ctx_len;
758 i += 1 + ctx_len;
759
760 /* counter (this overwrites the NUL terminator written by sprintf) */
761 hmac_data[i++] = 1;
762
763 tls_key = kzalloc(psk_len, GFP_KERNEL);
764 if (!tls_key) {
765 ret = -ENOMEM;
766 goto out;
767 }
768 ret = nvme_auth_hmac(hmac_id, prk, hash_len, hmac_data, i, tls_key);
769 if (ret) {
770 kfree_sensitive(tls_key);
771 goto out;
772 }
773 *ret_psk = tls_key;
774out:
775 kfree_sensitive(hmac_data);
776 memzero_explicit(prk, sizeof(prk));
777 return ret;
778}
779EXPORT_SYMBOL_GPL(nvme_auth_derive_tls_psk);
780
781MODULE_DESCRIPTION("NVMe Authentication framework");
782MODULE_LICENSE("GPL v2");