From: Hannes Reinecke <hare@suse.de>
To: Sagi Grimberg <sagi@grimberg.me>, Christoph Hellwig <hch@lst.de>
Cc: Keith Busch <kbusch@kernel.org>, linux-nvme@lists.infradead.org
Subject: Re: [PATCH 06/11] nvme: Implement In-Band authentication
Date: Wed, 22 Jun 2022 08:01:07 +0200 [thread overview]
Message-ID: <3784f492-67f8-c75a-dccf-7f7272e0b4ad@suse.de> (raw)
In-Reply-To: <a32afeac-983c-2ea4-e693-2d46411e7f4a@grimberg.me>
[-- Attachment #1: Type: text/plain, Size: 800 bytes --]
On 6/21/22 16:59, Sagi Grimberg wrote:
>
>> Looks like if I pass a malformed ctrl key to nvme connect I am able to
>> crash the system:
>
> This was what I used in this:
> $ nvme connect -a 192.168.123.1 -t tcp -s 8009 -n testnqn1 -S
> "DHHC-1:00:QpxVGpctx5J+4SeW2MClUI8rfZO3WdP1llImvsPsx7e3TK+I:" -C
> "DHHC-1:00:Jc/My1o0qtLCWRp+sHhAVafdfaS7YQOMYhk9zSmlatobqB8C:"
>
> The dhchap_ctrl_key is the offending string...
>
Right. Should be fixed with the attached patch.
Can you check?
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Geschäftsführer: Ivo Totev, Andrew
Myers, Andrew McDonald, Martje Boudien Moerman
[-- Attachment #2: 0001-nvme-auth-do-not-use-ctrl-opts-dhchap_ctrl_secret.patch --]
[-- Type: text/x-patch, Size: 3356 bytes --]
From 1f4d34016e7cad41f6947143f07f802b05415e26 Mon Sep 17 00:00:00 2001
From: Hannes Reinecke <hare@suse.de>
Date: Wed, 22 Jun 2022 07:57:06 +0200
Subject: [PATCH] nvme-auth: do not use ctrl->opts->dhchap_ctrl_secret
The user might have passed in an invalid controller secret, causing
ctrl->opts->dhchap_ctrl_secret to be present, but ctrl->ctrl_key to
be empty. So always use ctrl->ctrl_key when checking if a valid
controller secret is present.
Signed-off-by: Hannes Reinecke <hare@suse.de>
---
drivers/nvme/common/auth.c | 13 +++++++------
drivers/nvme/host/auth.c | 8 ++++----
2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c
index 945f6bb6eb1f..0c86ebce59d2 100644
--- a/drivers/nvme/common/auth.c
+++ b/drivers/nvme/common/auth.c
@@ -237,21 +237,21 @@ EXPORT_SYMBOL_GPL(nvme_auth_free_key);
u8 *nvme_auth_transform_key(struct nvme_dhchap_key *key, char *nqn)
{
- const char *hmac_name = nvme_auth_hmac_name(key->hash);
+ const char *hmac_name;
struct crypto_shash *key_tfm;
struct shash_desc *shash;
u8 *transformed_key;
int ret;
- if (key->hash == 0) {
- transformed_key = kmemdup(key->key, key->len, GFP_KERNEL);
- return transformed_key ? transformed_key : ERR_PTR(-ENOMEM);
- }
-
if (!key || !key->key) {
pr_warn("No key specified\n");
return ERR_PTR(-ENOKEY);
}
+ if (key->hash == 0) {
+ transformed_key = kmemdup(key->key, key->len, GFP_KERNEL);
+ return transformed_key ? transformed_key : ERR_PTR(-ENOMEM);
+ }
+ hmac_name = nvme_auth_hmac_name(key->hash);
if (!hmac_name) {
pr_warn("Invalid key hash id %d\n", key->hash);
return ERR_PTR(-EINVAL);
@@ -470,6 +470,7 @@ int nvme_auth_generate_key(u8 *secret, struct nvme_dhchap_key **ret_key)
/* Pass in the secret without the 'DHHC-1:XX:' prefix */
key = nvme_auth_extract_key(secret + 10, key_hash);
if (IS_ERR(key)) {
+ *ret_key = NULL;
return PTR_ERR(key);
}
diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index 9b84e1e54ca7..53184ac76240 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -314,7 +314,7 @@ static int nvme_auth_set_dhchap_reply_data(struct nvme_ctrl *ctrl,
data->hl = chap->hash_len;
data->dhvlen = cpu_to_le16(chap->host_key_len);
memcpy(data->rval, chap->response, chap->hash_len);
- if (ctrl->opts->dhchap_ctrl_secret) {
+ if (ctrl->ctrl_key) {
get_random_bytes(chap->c2, chap->hash_len);
data->cvalid = 1;
chap->s2 = nvme_auth_get_seqnum();
@@ -344,7 +344,7 @@ static int nvme_auth_process_dhchap_success1(struct nvme_ctrl *ctrl,
struct nvmf_auth_dhchap_success1_data *data = chap->buf;
size_t size = sizeof(*data);
- if (ctrl->opts->dhchap_ctrl_secret)
+ if (ctrl->ctrl_key)
size += chap->hash_len;
if (chap->buf_size < size) {
@@ -791,7 +791,7 @@ static void __nvme_auth_work(struct work_struct *work)
return;
}
- if (ctrl->opts->dhchap_ctrl_secret) {
+ if (ctrl->ctrl_key) {
dev_dbg(ctrl->device,
"%s: qid %d controller response\n",
__func__, chap->qid);
@@ -809,7 +809,7 @@ static void __nvme_auth_work(struct work_struct *work)
goto fail2;
}
- if (ctrl->opts->dhchap_ctrl_secret) {
+ if (ctrl->ctrl_key) {
/* DH-HMAC-CHAP Step 5: send success2 */
dev_dbg(ctrl->device, "%s: qid %d send success2\n",
__func__, chap->qid);
--
2.26.2
next prev parent reply other threads:[~2022-06-22 6:01 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-21 9:02 [PATCHv15 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-21 9:02 ` [PATCH 01/11] crypto: add crypto_has_shash() Hannes Reinecke
2022-06-21 9:02 ` [PATCH 02/11] crypto: add crypto_has_kpp() Hannes Reinecke
2022-06-21 9:02 ` [PATCH 03/11] lib/base64: RFC4648-compliant base64 encoding Hannes Reinecke
2022-06-21 9:02 ` [PATCH 04/11] nvme: add definitions for NVMe In-Band authentication Hannes Reinecke
2022-06-21 9:02 ` [PATCH 05/11] nvme-fabrics: decode 'authentication required' connect error Hannes Reinecke
2022-06-21 9:02 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-06-21 14:24 ` Sagi Grimberg
2022-06-21 14:26 ` Hannes Reinecke
2022-06-21 14:50 ` Sagi Grimberg
2022-06-21 14:59 ` Sagi Grimberg
2022-06-22 6:01 ` Hannes Reinecke [this message]
2022-06-22 8:43 ` Sagi Grimberg
2022-06-22 9:06 ` Hannes Reinecke
2022-06-22 9:09 ` Sagi Grimberg
2022-06-22 9:20 ` Hannes Reinecke
2022-06-22 9:58 ` Sagi Grimberg
2022-06-22 10:26 ` Hannes Reinecke
2022-06-22 10:31 ` Sagi Grimberg
2022-06-22 5:43 ` Hannes Reinecke
2022-06-21 9:02 ` [PATCH 07/11] nvme-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-06-21 9:02 ` [PATCH 08/11] nvmet: parse fabrics commands on io queues Hannes Reinecke
2022-06-21 9:02 ` [PATCH 09/11] nvmet: Implement basic In-Band Authentication Hannes Reinecke
2022-06-21 9:02 ` [PATCH 10/11] nvmet-auth: Diffie-Hellman key exchange support Hannes Reinecke
2022-06-21 9:02 ` [PATCH 11/11] nvmet-auth: expire authentication sessions Hannes Reinecke
-- strict thread matches above, loose matches on Subject: below --
2022-06-27 9:51 [PATCHv18 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-27 9:52 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-06-23 6:17 [PATCHv17 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-23 6:17 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-06-21 17:24 [PATCHv16 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-21 17:24 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-06-22 17:43 ` Sagi Grimberg
2022-06-08 14:45 [PATCHv14 00/11] nvme: In-band authentication support Hannes Reinecke
2022-06-08 14:45 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-06-13 18:12 ` Christoph Hellwig
2022-06-20 6:50 ` Hannes Reinecke
2022-05-18 11:22 [PATCHv12 00/11] nvme: In-band authentication support Hannes Reinecke
2022-05-18 11:22 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-03-28 13:39 [PATCHv11 00/11] nvme: In-band authentication support Hannes Reinecke
2022-03-28 13:39 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-04-27 17:59 ` Nayak, Prashanth
2022-04-28 6:05 ` Hannes Reinecke
2022-03-28 8:08 [PATCHv10 00/11] nvme: In-band authentication support Hannes Reinecke
2022-03-28 8:08 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-03-23 7:12 [PATCHv9 00/11] nvme: In-band authentication support Hannes Reinecke
2022-03-23 7:12 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2022-03-24 16:53 ` Chaitanya Kulkarni
2022-03-25 7:57 ` Hannes Reinecke
2021-07-16 11:04 [RFC PATCH 00/11] nvme: In-band authentication support Hannes Reinecke
2021-07-16 11:04 ` [PATCH 06/11] nvme: Implement In-Band authentication Hannes Reinecke
2021-07-16 11:04 ` Hannes Reinecke
2021-07-17 7:22 ` Sagi Grimberg
2021-07-17 7:22 ` Sagi Grimberg
2021-07-18 12:21 ` Hannes Reinecke
2021-07-18 12:21 ` Hannes Reinecke
2021-07-19 8:47 ` Sagi Grimberg
2021-07-19 8:47 ` Sagi Grimberg
2021-07-20 20:28 ` Vladislav Bolkhovitin
2021-07-20 20:28 ` Vladislav Bolkhovitin
2021-07-21 6:12 ` Hannes Reinecke
2021-07-21 6:12 ` Hannes Reinecke
2021-07-17 16:49 ` Stephan Müller
2021-07-17 16:49 ` Stephan Müller
2021-07-18 12:43 ` Hannes Reinecke
2021-07-18 12:43 ` Hannes Reinecke
2021-07-18 12:47 ` Stephan Müller
2021-07-18 12:47 ` Stephan Müller
2021-07-20 20:27 ` Vladislav Bolkhovitin
2021-07-20 20:27 ` Vladislav Bolkhovitin
2021-07-21 6:08 ` Hannes Reinecke
2021-07-21 6:08 ` Hannes Reinecke
2021-07-21 12:10 ` Vladislav Bolkhovitin
2021-07-21 12:10 ` Vladislav Bolkhovitin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3784f492-67f8-c75a-dccf-7f7272e0b4ad@suse.de \
--to=hare@suse.de \
--cc=hch@lst.de \
--cc=kbusch@kernel.org \
--cc=linux-nvme@lists.infradead.org \
--cc=sagi@grimberg.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.