Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

nvme-auth: Don't propose NVME_AUTH_DHGROUP_NULL with SC_C

Section 8.3.4.5.2 of the NVMe 2.1 base spec states that

"""
The 00h identifier shall not be proposed in an AUTH_Negotiate message
that requests secure channel concatenation (i.e., with the SC_C field
set to a non-zero value).
"""

We need to ensure that we don't add NVME_AUTH_DHGROUP_NULL to the idlist if
SC_C is set.

Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chris Leech <cleech@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Kamaljit Singh <kamaljit.singh@opensource.wdc.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>

authored by

Alistair Francis and committed by
Keith Busch
33eb4510 09e8f0f9

+15 -12
+15 -12
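--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -123,6 +123,8 @@
 {
 	struct nvmf_auth_dhchap_negotiate_data *data = chap->buf;
 	size_t size = sizeof(*data) + sizeof(union nvmf_auth_protocol);
+	u8 dh_list_offset = NVME_AUTH_DHCHAP_MAX_DH_IDS;
+	u8 *idlist = data->auth_protocol[0].dhchap.idlist;
 
 	if (size > CHAP_BUF_SIZE) {
 		chap->status = NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
@@ -139,21 +141,22 @@
 			data->sc_c = NVME_AUTH_SECP_NEWTLSPSK;
 	} else
 		data->sc_c = NVME_AUTH_SECP_NOSC;
+	chap->sc_c = data->sc_c;
 	data->napd = 1;
 	data->auth_protocol[0].dhchap.authid = NVME_AUTH_DHCHAP_AUTH_ID;
 	data->auth_protocol[0].dhchap.halen = 3;
-	data->auth_protocol[0].dhchap.dhlen = 6;
-	data->auth_protocol[0].dhchap.idlist[0] = NVME_AUTH_HASH_SHA256;
-	data->auth_protocol[0].dhchap.idlist[1] = NVME_AUTH_HASH_SHA384;
-	data->auth_protocol[0].dhchap.idlist[2] = NVME_AUTH_HASH_SHA512;
-	data->auth_protocol[0].dhchap.idlist[30] = NVME_AUTH_DHGROUP_NULL;
-	data->auth_protocol[0].dhchap.idlist[31] = NVME_AUTH_DHGROUP_2048;
-	data->auth_protocol[0].dhchap.idlist[32] = NVME_AUTH_DHGROUP_3072;
-	data->auth_protocol[0].dhchap.idlist[33] = NVME_AUTH_DHGROUP_4096;
-	data->auth_protocol[0].dhchap.idlist[34] = NVME_AUTH_DHGROUP_6144;
-	data->auth_protocol[0].dhchap.idlist[35] = NVME_AUTH_DHGROUP_8192;
-
-	chap->sc_c = data->sc_c;
+	idlist[0] = NVME_AUTH_HASH_SHA256;
+	idlist[1] = NVME_AUTH_HASH_SHA384;
+	idlist[2] = NVME_AUTH_HASH_SHA512;
+	if (chap->sc_c == NVME_AUTH_SECP_NOSC)
+		idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_NULL;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_2048;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_3072;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_4096;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_6144;
+	idlist[dh_list_offset++] = NVME_AUTH_DHGROUP_8192;
+	data->auth_protocol[0].dhchap.dhlen =
+		dh_list_offset - NVME_AUTH_DHCHAP_MAX_DH_IDS;
 
 	return size;
 }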
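Review bot: The `if (chap->sc_c == NVME_AUTH_SECP_NOSC)` guard only keeps `NVME_AUTH_DHGROUP_NULL` out of the proposed list; nothing visible here shows that the challenge-handling path also refuses a controller reply selecting the NULL group while `chap->sc_c` is non-zero. That receive-side check should be confirmed (or added), since now that `chap->sc_c` is stored before the list is built it is available for exactly that validation, and a proposal-only filter does not stop a peer from answering with a group the host never offered. Separately, `dh_list_offset` is initialised from `NVME_AUTH_DHCHAP_MAX_DH_IDS`, which replaces the literal index 30 the old code used for the first DH slot; the name reads as a count of DH IDs rather than the size of the hash-ID region that precedes them, so a short comment such as `/* DH group IDs start after the hash ID slots in idlist[] */` would make the layout explicit. `halen` remains the literal `3` while `dhlen` is now computed, which is worth aligning. The function's signature lies outside the hunk.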