All of lore.kernel.org
 help / color / mirror / Atom feed
From: Hannes Reinecke <hare@suse.de>
To: Sagi Grimberg <sagi@grimberg.me>
Cc: Christoph Hellwig <hch@lst.de>, Keith Busch <keith.busch@wdc.com>,
	linux-nvme@lists.infradead.org,
	Herbert Xu <herberg@gondor.apana.org.au>,
	David Miller <davem@davemloft.org>,
	linux-crypto@vger.kernel.org, Hannes Reinecke <hare@suse.de>
Subject: [PATCH 12/12] nvmet-auth: expire authentication sessions
Date: Mon, 22 Nov 2021 08:47:27 +0100	[thread overview]
Message-ID: <20211122074727.25988-13-hare@suse.de> (raw)
In-Reply-To: <20211122074727.25988-1-hare@suse.de>

Each authentication step is required to be completed within the
KATO interval (or two minutes if not set). So add a workqueue function
to reset the transaction ID and the expected next protocol step;
this will automatically the next authentication command referring
to the terminated authentication.

Signed-off-by: Hannes Reinecke <hare@suse.de>
---
 drivers/nvme/target/auth.c             |  1 +
 drivers/nvme/target/fabrics-cmd-auth.c | 20 +++++++++++++++++++-
 drivers/nvme/target/nvmet.h            |  1 +
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c
index 22d8a44e0323..f795de7c84de 100644
--- a/drivers/nvme/target/auth.c
+++ b/drivers/nvme/target/auth.c
@@ -222,6 +222,7 @@ int nvmet_setup_auth(struct nvmet_ctrl *ctrl)
 
 void nvmet_auth_sq_free(struct nvmet_sq *sq)
 {
+	cancel_delayed_work(&sq->auth_expired_work);
 	kfree(sq->dhchap_c1);
 	sq->dhchap_c1 = NULL;
 	kfree(sq->dhchap_c2);
diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c
index 51955fbc6c55..2beaacedf2b6 100644
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -12,9 +12,22 @@
 #include "nvmet.h"
 #include "../host/auth.h"
 
+static void nvmet_auth_expired_work(struct work_struct *work)
+{
+	struct nvmet_sq *sq = container_of(to_delayed_work(work),
+			struct nvmet_sq, auth_expired_work);
+
+	pr_debug("%s: ctrl %d qid %d transaction %u expired, resetting\n",
+		 __func__, sq->ctrl->cntlid, sq->qid, sq->dhchap_tid);
+	sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
+	sq->dhchap_tid = -1;
+}
+
 void nvmet_init_auth(struct nvmet_ctrl *ctrl, struct nvmet_req *req)
 {
 	/* Initialize in-band authentication */
+	INIT_DELAYED_WORK(&req->sq->auth_expired_work,
+			  nvmet_auth_expired_work);
 	req->sq->authenticated = false;
 	req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
 	req->cqe->result.u32 |= 0x2 << 16;
@@ -305,8 +318,13 @@ void nvmet_execute_auth_send(struct nvmet_req *req)
 	req->cqe->result.u64 = 0;
 	nvmet_req_complete(req, status);
 	if (req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2 &&
-	    req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_FAILURE2)
+	    req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_FAILURE2) {
+		unsigned long auth_expire_secs = ctrl->kato ? ctrl->kato : 120;
+
+		mod_delayed_work(system_wq, &req->sq->auth_expired_work,
+				 auth_expire_secs * HZ);
 		return;
+	}
 	/* Final states, clear up variables */
 	nvmet_auth_sq_free(req->sq);
 	if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_FAILURE2)
diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
index 33c68393440b..67a81bbedbde 100644
--- a/drivers/nvme/target/nvmet.h
+++ b/drivers/nvme/target/nvmet.h
@@ -109,6 +109,7 @@ struct nvmet_sq {
 	u32			sqhd;
 	bool			sqhd_disabled;
 #ifdef CONFIG_NVME_TARGET_AUTH
+	struct delayed_work	auth_expired_work;
 	bool			authenticated;
 	u16			dhchap_tid;
 	u16			dhchap_status;
-- 
2.29.2


  parent reply	other threads:[~2021-11-22  7:47 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-22  7:47 [PATCHv6 00/12] nvme: In-band authentication support Hannes Reinecke
2021-11-22  7:47 ` [PATCH 01/12] crypto: add crypto_has_shash() Hannes Reinecke
2021-11-22  7:47 ` [PATCH 02/12] crypto: add crypto_has_kpp() Hannes Reinecke
2021-11-22  7:47 ` [PATCH 03/12] crypto/ffdhe: Finite Field DH Ephemeral Parameters Hannes Reinecke
2021-11-23  8:41   ` Chaitanya Kulkarni
2021-11-22  7:47 ` [PATCH 04/12] lib/base64: RFC4648-compliant base64 encoding Hannes Reinecke
2021-11-22 12:06   ` Sagi Grimberg
2021-11-22  7:47 ` [PATCH 05/12] nvme: add definitions for NVMe In-Band authentication Hannes Reinecke
2021-11-23  8:43   ` Chaitanya Kulkarni
2021-11-22  7:47 ` [PATCH 06/12] nvme-fabrics: decode 'authentication required' connect error Hannes Reinecke
2021-11-22  7:47 ` [PATCH 07/12] nvme: Implement In-Band authentication Hannes Reinecke
2021-11-22  8:12   ` Sagi Grimberg
2021-11-22  9:15     ` Hannes Reinecke
2021-11-23  9:02   ` Chaitanya Kulkarni
2021-11-22  7:47 ` [PATCH 08/12] nvme-auth: Diffie-Hellman key exchange support Hannes Reinecke
2021-11-22  7:47 ` [PATCH 09/12] nvmet: Parse fabrics commands on all queues Hannes Reinecke
2021-11-23  9:06   ` Chaitanya Kulkarni
2021-11-22  7:47 ` [PATCH 10/12] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2021-11-22 11:59   ` Sagi Grimberg
2021-11-22 12:06     ` Hannes Reinecke
2021-11-22 13:21     ` Hannes Reinecke
2021-11-22 14:00       ` Sagi Grimberg
2021-11-22 14:17         ` Hannes Reinecke
2021-11-22 14:31           ` Sagi Grimberg
2021-11-22  7:47 ` [PATCH 11/12] nvmet-auth: Diffie-Hellman key exchange support Hannes Reinecke
2021-11-22  7:47 ` Hannes Reinecke [this message]
2021-11-22 12:03   ` [PATCH 12/12] nvmet-auth: expire authentication sessions Sagi Grimberg
2021-11-22  8:13 ` [PATCHv6 00/12] nvme: In-band authentication support Sagi Grimberg
2021-11-22  9:03   ` Hannes Reinecke
2021-11-22 11:32     ` Sagi Grimberg
2021-11-22 11:37       ` Hannes Reinecke
2021-11-22 11:45         ` Sagi Grimberg
2021-11-22 11:56           ` Hannes Reinecke
2021-11-22 12:01             ` Sagi Grimberg
  -- strict thread matches above, loose matches on Subject: below --
2021-12-02 15:23 [PATCHv8 " Hannes Reinecke
2021-12-02 15:23 ` [PATCH 12/12] nvmet-auth: expire authentication sessions Hannes Reinecke
2021-11-23 12:37 [PATCHv7 00/12] nvme: In-band authentication support Hannes Reinecke
2021-11-23 12:38 ` [PATCH 12/12] nvmet-auth: expire authentication sessions Hannes Reinecke
2021-11-12 12:59 [PATCHv5 00/12] nvme: In-band authentication support Hannes Reinecke
2021-11-12 12:59 ` [PATCH 12/12] nvmet-auth: expire authentication sessions Hannes Reinecke
2021-09-28  6:03 [PATCHv4 00/12] nvme: In-band authentication support Hannes Reinecke
2021-09-28  6:03 ` [PATCH 12/12] nvmet-auth: expire authentication sessions Hannes Reinecke
2021-09-28  6:03   ` Hannes Reinecke
2021-09-10  6:43 [PATCHv3 00/12] nvme: In-band authentication support Hannes Reinecke
2021-09-10  6:43 ` [PATCH 12/12] nvmet-auth: expire authentication sessions Hannes Reinecke
2021-09-10  6:43   ` Hannes Reinecke

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211122074727.25988-13-hare@suse.de \
    --to=hare@suse.de \
    --cc=davem@davemloft.org \
    --cc=hch@lst.de \
    --cc=herberg@gondor.apana.org.au \
    --cc=keith.busch@wdc.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-nvme@lists.infradead.org \
    --cc=sagi@grimberg.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.