3e78198862
-----BEGIN PGP SIGNATURE----- iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAmaOTd8QHGF4Ym9lQGtl cm5lbC5kawAKCRD301j7KXHgppqIEACUr8Vv2FtezvT3OfVSlYWHHLXzkRhwEG5s vdk0o7Ow6U54sMjfymbHTgLD0ZOJf3uJ6BI95FQuW41jPzDFVbx4Hy8QzqonMkw9 1D/YQ4zrVL2mOKBzATbKpoGJzMOzGeoXEueFZ1AYPAX7RrDtP4xPQNfrcfkdE2zF LycJN70Vp6lrZZMuI9yb9ts1tf7TFzK0HJANxOAKTgSiPmBmxesjkJlhrdUrgkAU qDVyjj7u/ssndBJAb9i6Bl95Do8s9t4DeJq5/6wgKqtf5hClMXzPVB8Wy084gr6E rTRsCEhOug3qEZSqfAgAxnd3XFRNc/p2KMUe5YZ4mAqux4hpSmIQQDM/5X5K9vEv f4MNqUGlqyqntZx+KPyFpf7kLHFYS1qK4ub0FojWJEY4GrbBPNjjncLJ9+ozR0c8 kNDaFjMNAjalBee1FxNNH8LdVcd28rrCkPxRLEfO/gvBMUmvJf4ZyKmSED0v5DhY vZqKlBqG+wg0EXvdiWEHMDh9Y+q/2XBIkS6NN/Bhh61HNu+XzC838ts1X7lR+4o2 AM5Vapw+v0q6kFBMRP3IcJI/c0UcIU8EQU7axMyzWtvhog8kx8x01hIj1L4UyYYr rUdWrkugBVXJbywFuH/QIJxWxS/z4JdSw5VjASJLIrXy+aANmmG9Wonv95eyhpUv 5iv+EdRSNA== =wVi8 -----END PGP SIGNATURE----- Merge tag 'for-6.11/block-20240710' of git://git.kernel.dk/linux Pull block updates from Jens Axboe: - NVMe updates via Keith: - Device initialization memory leak fixes (Keith) - More constants defined (Weiwen) - Target debugfs support (Hannes) - PCIe subsystem reset enhancements (Keith) - Queue-depth multipath policy (Redhat and PureStorage) - Implement get_unique_id (Christoph) - Authentication error fixes (Gaosheng) - MD updates via Song - sync_action fix and refactoring (Yu Kuai) - Various small fixes (Christoph Hellwig, Li Nan, and Ofir Gal, Yu Kuai, Benjamin Marzinski, Christophe JAILLET, Yang Li) - Fix loop detach/open race (Gulam) - Fix lower control limit for blk-throttle (Yu) - Add module descriptions to various drivers (Jeff) - Add support for atomic writes for block devices, and statx reporting for same. Includes SCSI and NVMe (John, Prasad, Alan) - Add IO priority information to block trace points (Dongliang) - Various zone improvements and tweaks (Damien) - mq-deadline tag reservation improvements (Bart) - Ignore direct reclaim swap writes in writeback throttling (Baokun) - Block integrity improvements and fixes (Anuj) - Add basic support for rust based block drivers. Has a dummy null_blk variant for now (Andreas) - Series converting driver settings to queue limits, and cleanups and fixes related to that (Christoph) - Cleanup for poking too deeply into the bvec internals, in preparation for DMA mapping API changes (Christoph) - Various minor tweaks and fixes (Jiapeng, John, Kanchan, Mikulas, Ming, Zhu, Damien, Christophe, Chaitanya) * tag 'for-6.11/block-20240710' of git://git.kernel.dk/linux: (206 commits) floppy: add missing MODULE_DESCRIPTION() macro loop: add missing MODULE_DESCRIPTION() macro ublk_drv: add missing MODULE_DESCRIPTION() macro xen/blkback: add missing MODULE_DESCRIPTION() macro block/rnbd: Constify struct kobj_type block: take offset into account in blk_bvec_map_sg again block: fix get_max_segment_size() warning loop: Don't bother validating blocksize virtio_blk: Don't bother validating blocksize null_blk: Don't bother validating blocksize block: Validate logical block size in blk_validate_limits() virtio_blk: Fix default logical block size fallback nvmet-auth: fix nvmet_auth hash error handling nvme: implement ->get_unique_id block: pass a phys_addr_t to get_max_segment_size block: add a bvec_phys helper blk-lib: check for kill signal in ioctl BLKZEROOUT block: limit the Write Zeroes to manually writing zeroes fallback block: refacto blkdev_issue_zeroout block: move read-only and supported checks into (__)blkdev_issue_zeroout ...
526 lines
16 KiB
C
526 lines
16 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* NVMe over Fabrics DH-HMAC-CHAP authentication command handling.
|
|
* Copyright (c) 2020 Hannes Reinecke, SUSE Software Solutions.
|
|
* All rights reserved.
|
|
*/
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
#include <linux/blkdev.h>
|
|
#include <linux/random.h>
|
|
#include <linux/nvme-auth.h>
|
|
#include <crypto/hash.h>
|
|
#include <crypto/kpp.h>
|
|
#include "nvmet.h"
|
|
|
|
static void nvmet_auth_expired_work(struct work_struct *work)
|
|
{
|
|
struct nvmet_sq *sq = container_of(to_delayed_work(work),
|
|
struct nvmet_sq, auth_expired_work);
|
|
|
|
pr_debug("%s: ctrl %d qid %d transaction %u expired, resetting\n",
|
|
__func__, sq->ctrl->cntlid, sq->qid, sq->dhchap_tid);
|
|
sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
|
|
sq->dhchap_tid = -1;
|
|
}
|
|
|
|
void nvmet_auth_sq_init(struct nvmet_sq *sq)
|
|
{
|
|
/* Initialize in-band authentication */
|
|
INIT_DELAYED_WORK(&sq->auth_expired_work, nvmet_auth_expired_work);
|
|
sq->authenticated = false;
|
|
sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
|
|
}
|
|
|
|
static u8 nvmet_auth_negotiate(struct nvmet_req *req, void *d)
|
|
{
|
|
struct nvmet_ctrl *ctrl = req->sq->ctrl;
|
|
struct nvmf_auth_dhchap_negotiate_data *data = d;
|
|
int i, hash_id = 0, fallback_hash_id = 0, dhgid, fallback_dhgid;
|
|
|
|
pr_debug("%s: ctrl %d qid %d: data sc_d %d napd %d authid %d halen %d dhlen %d\n",
|
|
__func__, ctrl->cntlid, req->sq->qid,
|
|
data->sc_c, data->napd, data->auth_protocol[0].dhchap.authid,
|
|
data->auth_protocol[0].dhchap.halen,
|
|
data->auth_protocol[0].dhchap.dhlen);
|
|
req->sq->dhchap_tid = le16_to_cpu(data->t_id);
|
|
if (data->sc_c)
|
|
return NVME_AUTH_DHCHAP_FAILURE_CONCAT_MISMATCH;
|
|
|
|
if (data->napd != 1)
|
|
return NVME_AUTH_DHCHAP_FAILURE_HASH_UNUSABLE;
|
|
|
|
if (data->auth_protocol[0].dhchap.authid !=
|
|
NVME_AUTH_DHCHAP_AUTH_ID)
|
|
return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
|
|
|
|
for (i = 0; i < data->auth_protocol[0].dhchap.halen; i++) {
|
|
u8 host_hmac_id = data->auth_protocol[0].dhchap.idlist[i];
|
|
|
|
if (!fallback_hash_id &&
|
|
crypto_has_shash(nvme_auth_hmac_name(host_hmac_id), 0, 0))
|
|
fallback_hash_id = host_hmac_id;
|
|
if (ctrl->shash_id != host_hmac_id)
|
|
continue;
|
|
hash_id = ctrl->shash_id;
|
|
break;
|
|
}
|
|
if (hash_id == 0) {
|
|
if (fallback_hash_id == 0) {
|
|
pr_debug("%s: ctrl %d qid %d: no usable hash found\n",
|
|
__func__, ctrl->cntlid, req->sq->qid);
|
|
return NVME_AUTH_DHCHAP_FAILURE_HASH_UNUSABLE;
|
|
}
|
|
pr_debug("%s: ctrl %d qid %d: no usable hash found, falling back to %s\n",
|
|
__func__, ctrl->cntlid, req->sq->qid,
|
|
nvme_auth_hmac_name(fallback_hash_id));
|
|
ctrl->shash_id = fallback_hash_id;
|
|
}
|
|
|
|
dhgid = -1;
|
|
fallback_dhgid = -1;
|
|
for (i = 0; i < data->auth_protocol[0].dhchap.dhlen; i++) {
|
|
int tmp_dhgid = data->auth_protocol[0].dhchap.idlist[i + 30];
|
|
|
|
if (tmp_dhgid != ctrl->dh_gid) {
|
|
dhgid = tmp_dhgid;
|
|
break;
|
|
}
|
|
if (fallback_dhgid < 0) {
|
|
const char *kpp = nvme_auth_dhgroup_kpp(tmp_dhgid);
|
|
|
|
if (crypto_has_kpp(kpp, 0, 0))
|
|
fallback_dhgid = tmp_dhgid;
|
|
}
|
|
}
|
|
if (dhgid < 0) {
|
|
if (fallback_dhgid < 0) {
|
|
pr_debug("%s: ctrl %d qid %d: no usable DH group found\n",
|
|
__func__, ctrl->cntlid, req->sq->qid);
|
|
return NVME_AUTH_DHCHAP_FAILURE_DHGROUP_UNUSABLE;
|
|
}
|
|
pr_debug("%s: ctrl %d qid %d: configured DH group %s not found\n",
|
|
__func__, ctrl->cntlid, req->sq->qid,
|
|
nvme_auth_dhgroup_name(fallback_dhgid));
|
|
ctrl->dh_gid = fallback_dhgid;
|
|
}
|
|
pr_debug("%s: ctrl %d qid %d: selected DH group %s (%d)\n",
|
|
__func__, ctrl->cntlid, req->sq->qid,
|
|
nvme_auth_dhgroup_name(ctrl->dh_gid), ctrl->dh_gid);
|
|
return 0;
|
|
}
|
|
|
|
static u8 nvmet_auth_reply(struct nvmet_req *req, void *d)
|
|
{
|
|
struct nvmet_ctrl *ctrl = req->sq->ctrl;
|
|
struct nvmf_auth_dhchap_reply_data *data = d;
|
|
u16 dhvlen = le16_to_cpu(data->dhvlen);
|
|
u8 *response;
|
|
|
|
pr_debug("%s: ctrl %d qid %d: data hl %d cvalid %d dhvlen %u\n",
|
|
__func__, ctrl->cntlid, req->sq->qid,
|
|
data->hl, data->cvalid, dhvlen);
|
|
|
|
if (dhvlen) {
|
|
if (!ctrl->dh_tfm)
|
|
return NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
|
|
if (nvmet_auth_ctrl_sesskey(req, data->rval + 2 * data->hl,
|
|
dhvlen) < 0)
|
|
return NVME_AUTH_DHCHAP_FAILURE_DHGROUP_UNUSABLE;
|
|
}
|
|
|
|
response = kmalloc(data->hl, GFP_KERNEL);
|
|
if (!response)
|
|
return NVME_AUTH_DHCHAP_FAILURE_FAILED;
|
|
|
|
if (!ctrl->host_key) {
|
|
pr_warn("ctrl %d qid %d no host key\n",
|
|
ctrl->cntlid, req->sq->qid);
|
|
kfree(response);
|
|
return NVME_AUTH_DHCHAP_FAILURE_FAILED;
|
|
}
|
|
if (nvmet_auth_host_hash(req, response, data->hl) < 0) {
|
|
pr_debug("ctrl %d qid %d host hash failed\n",
|
|
ctrl->cntlid, req->sq->qid);
|
|
kfree(response);
|
|
return NVME_AUTH_DHCHAP_FAILURE_FAILED;
|
|
}
|
|
|
|
if (memcmp(data->rval, response, data->hl)) {
|
|
pr_info("ctrl %d qid %d host response mismatch\n",
|
|
ctrl->cntlid, req->sq->qid);
|
|
kfree(response);
|
|
return NVME_AUTH_DHCHAP_FAILURE_FAILED;
|
|
}
|
|
kfree(response);
|
|
pr_debug("%s: ctrl %d qid %d host authenticated\n",
|
|
__func__, ctrl->cntlid, req->sq->qid);
|
|
if (data->cvalid) {
|
|
req->sq->dhchap_c2 = kmemdup(data->rval + data->hl, data->hl,
|
|
GFP_KERNEL);
|
|
if (!req->sq->dhchap_c2)
|
|
return NVME_AUTH_DHCHAP_FAILURE_FAILED;
|
|
|
|
pr_debug("%s: ctrl %d qid %d challenge %*ph\n",
|
|
__func__, ctrl->cntlid, req->sq->qid, data->hl,
|
|
req->sq->dhchap_c2);
|
|
} else {
|
|
req->sq->authenticated = true;
|
|
req->sq->dhchap_c2 = NULL;
|
|
}
|
|
req->sq->dhchap_s2 = le32_to_cpu(data->seqnum);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static u8 nvmet_auth_failure2(void *d)
|
|
{
|
|
struct nvmf_auth_dhchap_failure_data *data = d;
|
|
|
|
return data->rescode_exp;
|
|
}
|
|
|
|
void nvmet_execute_auth_send(struct nvmet_req *req)
|
|
{
|
|
struct nvmet_ctrl *ctrl = req->sq->ctrl;
|
|
struct nvmf_auth_dhchap_success2_data *data;
|
|
void *d;
|
|
u32 tl;
|
|
u16 status = 0;
|
|
u8 dhchap_status;
|
|
|
|
if (req->cmd->auth_send.secp != NVME_AUTH_DHCHAP_PROTOCOL_IDENTIFIER) {
|
|
status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
|
|
req->error_loc =
|
|
offsetof(struct nvmf_auth_send_command, secp);
|
|
goto done;
|
|
}
|
|
if (req->cmd->auth_send.spsp0 != 0x01) {
|
|
status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
|
|
req->error_loc =
|
|
offsetof(struct nvmf_auth_send_command, spsp0);
|
|
goto done;
|
|
}
|
|
if (req->cmd->auth_send.spsp1 != 0x01) {
|
|
status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
|
|
req->error_loc =
|
|
offsetof(struct nvmf_auth_send_command, spsp1);
|
|
goto done;
|
|
}
|
|
tl = le32_to_cpu(req->cmd->auth_send.tl);
|
|
if (!tl) {
|
|
status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
|
|
req->error_loc =
|
|
offsetof(struct nvmf_auth_send_command, tl);
|
|
goto done;
|
|
}
|
|
if (!nvmet_check_transfer_len(req, tl)) {
|
|
pr_debug("%s: transfer length mismatch (%u)\n", __func__, tl);
|
|
return;
|
|
}
|
|
|
|
d = kmalloc(tl, GFP_KERNEL);
|
|
if (!d) {
|
|
status = NVME_SC_INTERNAL;
|
|
goto done;
|
|
}
|
|
|
|
status = nvmet_copy_from_sgl(req, 0, d, tl);
|
|
if (status)
|
|
goto done_kfree;
|
|
|
|
data = d;
|
|
pr_debug("%s: ctrl %d qid %d type %d id %d step %x\n", __func__,
|
|
ctrl->cntlid, req->sq->qid, data->auth_type, data->auth_id,
|
|
req->sq->dhchap_step);
|
|
if (data->auth_type != NVME_AUTH_COMMON_MESSAGES &&
|
|
data->auth_type != NVME_AUTH_DHCHAP_MESSAGES)
|
|
goto done_failure1;
|
|
if (data->auth_type == NVME_AUTH_COMMON_MESSAGES) {
|
|
if (data->auth_id == NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE) {
|
|
/* Restart negotiation */
|
|
pr_debug("%s: ctrl %d qid %d reset negotiation\n",
|
|
__func__, ctrl->cntlid, req->sq->qid);
|
|
if (!req->sq->qid) {
|
|
dhchap_status = nvmet_setup_auth(ctrl);
|
|
if (dhchap_status) {
|
|
pr_err("ctrl %d qid 0 failed to setup re-authentication\n",
|
|
ctrl->cntlid);
|
|
req->sq->dhchap_status = dhchap_status;
|
|
req->sq->dhchap_step =
|
|
NVME_AUTH_DHCHAP_MESSAGE_FAILURE1;
|
|
goto done_kfree;
|
|
}
|
|
}
|
|
req->sq->dhchap_step =
|
|
NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE;
|
|
} else if (data->auth_id != req->sq->dhchap_step)
|
|
goto done_failure1;
|
|
/* Validate negotiation parameters */
|
|
dhchap_status = nvmet_auth_negotiate(req, d);
|
|
if (dhchap_status == 0)
|
|
req->sq->dhchap_step =
|
|
NVME_AUTH_DHCHAP_MESSAGE_CHALLENGE;
|
|
else {
|
|
req->sq->dhchap_step =
|
|
NVME_AUTH_DHCHAP_MESSAGE_FAILURE1;
|
|
req->sq->dhchap_status = dhchap_status;
|
|
}
|
|
goto done_kfree;
|
|
}
|
|
if (data->auth_id != req->sq->dhchap_step) {
|
|
pr_debug("%s: ctrl %d qid %d step mismatch (%d != %d)\n",
|
|
__func__, ctrl->cntlid, req->sq->qid,
|
|
data->auth_id, req->sq->dhchap_step);
|
|
goto done_failure1;
|
|
}
|
|
if (le16_to_cpu(data->t_id) != req->sq->dhchap_tid) {
|
|
pr_debug("%s: ctrl %d qid %d invalid transaction %d (expected %d)\n",
|
|
__func__, ctrl->cntlid, req->sq->qid,
|
|
le16_to_cpu(data->t_id),
|
|
req->sq->dhchap_tid);
|
|
req->sq->dhchap_step =
|
|
NVME_AUTH_DHCHAP_MESSAGE_FAILURE1;
|
|
req->sq->dhchap_status =
|
|
NVME_AUTH_DHCHAP_FAILURE_INCORRECT_PAYLOAD;
|
|
goto done_kfree;
|
|
}
|
|
|
|
switch (data->auth_id) {
|
|
case NVME_AUTH_DHCHAP_MESSAGE_REPLY:
|
|
dhchap_status = nvmet_auth_reply(req, d);
|
|
if (dhchap_status == 0)
|
|
req->sq->dhchap_step =
|
|
NVME_AUTH_DHCHAP_MESSAGE_SUCCESS1;
|
|
else {
|
|
req->sq->dhchap_step =
|
|
NVME_AUTH_DHCHAP_MESSAGE_FAILURE1;
|
|
req->sq->dhchap_status = dhchap_status;
|
|
}
|
|
goto done_kfree;
|
|
case NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2:
|
|
req->sq->authenticated = true;
|
|
pr_debug("%s: ctrl %d qid %d ctrl authenticated\n",
|
|
__func__, ctrl->cntlid, req->sq->qid);
|
|
goto done_kfree;
|
|
case NVME_AUTH_DHCHAP_MESSAGE_FAILURE2:
|
|
dhchap_status = nvmet_auth_failure2(d);
|
|
if (dhchap_status) {
|
|
pr_warn("ctrl %d qid %d: authentication failed (%d)\n",
|
|
ctrl->cntlid, req->sq->qid, dhchap_status);
|
|
req->sq->dhchap_status = dhchap_status;
|
|
req->sq->authenticated = false;
|
|
}
|
|
goto done_kfree;
|
|
default:
|
|
req->sq->dhchap_status =
|
|
NVME_AUTH_DHCHAP_FAILURE_INCORRECT_MESSAGE;
|
|
req->sq->dhchap_step =
|
|
NVME_AUTH_DHCHAP_MESSAGE_FAILURE2;
|
|
req->sq->authenticated = false;
|
|
goto done_kfree;
|
|
}
|
|
done_failure1:
|
|
req->sq->dhchap_status = NVME_AUTH_DHCHAP_FAILURE_INCORRECT_MESSAGE;
|
|
req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_FAILURE2;
|
|
|
|
done_kfree:
|
|
kfree(d);
|
|
done:
|
|
pr_debug("%s: ctrl %d qid %d dhchap status %x step %x\n", __func__,
|
|
ctrl->cntlid, req->sq->qid,
|
|
req->sq->dhchap_status, req->sq->dhchap_step);
|
|
if (status)
|
|
pr_debug("%s: ctrl %d qid %d nvme status %x error loc %d\n",
|
|
__func__, ctrl->cntlid, req->sq->qid,
|
|
status, req->error_loc);
|
|
if (req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2 &&
|
|
req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_FAILURE2) {
|
|
unsigned long auth_expire_secs = ctrl->kato ? ctrl->kato : 120;
|
|
|
|
mod_delayed_work(system_wq, &req->sq->auth_expired_work,
|
|
auth_expire_secs * HZ);
|
|
goto complete;
|
|
}
|
|
/* Final states, clear up variables */
|
|
nvmet_auth_sq_free(req->sq);
|
|
if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_FAILURE2)
|
|
nvmet_ctrl_fatal_error(ctrl);
|
|
|
|
complete:
|
|
nvmet_req_complete(req, status);
|
|
}
|
|
|
|
static int nvmet_auth_challenge(struct nvmet_req *req, void *d, int al)
|
|
{
|
|
struct nvmf_auth_dhchap_challenge_data *data = d;
|
|
struct nvmet_ctrl *ctrl = req->sq->ctrl;
|
|
int ret = 0;
|
|
int hash_len = nvme_auth_hmac_hash_len(ctrl->shash_id);
|
|
int data_size = sizeof(*d) + hash_len;
|
|
|
|
if (ctrl->dh_tfm)
|
|
data_size += ctrl->dh_keysize;
|
|
if (al < data_size) {
|
|
pr_debug("%s: buffer too small (al %d need %d)\n", __func__,
|
|
al, data_size);
|
|
return -EINVAL;
|
|
}
|
|
memset(data, 0, data_size);
|
|
req->sq->dhchap_s1 = nvme_auth_get_seqnum();
|
|
data->auth_type = NVME_AUTH_DHCHAP_MESSAGES;
|
|
data->auth_id = NVME_AUTH_DHCHAP_MESSAGE_CHALLENGE;
|
|
data->t_id = cpu_to_le16(req->sq->dhchap_tid);
|
|
data->hashid = ctrl->shash_id;
|
|
data->hl = hash_len;
|
|
data->seqnum = cpu_to_le32(req->sq->dhchap_s1);
|
|
req->sq->dhchap_c1 = kmalloc(data->hl, GFP_KERNEL);
|
|
if (!req->sq->dhchap_c1)
|
|
return -ENOMEM;
|
|
get_random_bytes(req->sq->dhchap_c1, data->hl);
|
|
memcpy(data->cval, req->sq->dhchap_c1, data->hl);
|
|
if (ctrl->dh_tfm) {
|
|
data->dhgid = ctrl->dh_gid;
|
|
data->dhvlen = cpu_to_le16(ctrl->dh_keysize);
|
|
ret = nvmet_auth_ctrl_exponential(req, data->cval + data->hl,
|
|
ctrl->dh_keysize);
|
|
}
|
|
pr_debug("%s: ctrl %d qid %d seq %d transaction %d hl %d dhvlen %zu\n",
|
|
__func__, ctrl->cntlid, req->sq->qid, req->sq->dhchap_s1,
|
|
req->sq->dhchap_tid, data->hl, ctrl->dh_keysize);
|
|
return ret;
|
|
}
|
|
|
|
static int nvmet_auth_success1(struct nvmet_req *req, void *d, int al)
|
|
{
|
|
struct nvmf_auth_dhchap_success1_data *data = d;
|
|
struct nvmet_ctrl *ctrl = req->sq->ctrl;
|
|
int hash_len = nvme_auth_hmac_hash_len(ctrl->shash_id);
|
|
|
|
WARN_ON(al < sizeof(*data));
|
|
memset(data, 0, sizeof(*data));
|
|
data->auth_type = NVME_AUTH_DHCHAP_MESSAGES;
|
|
data->auth_id = NVME_AUTH_DHCHAP_MESSAGE_SUCCESS1;
|
|
data->t_id = cpu_to_le16(req->sq->dhchap_tid);
|
|
data->hl = hash_len;
|
|
if (req->sq->dhchap_c2) {
|
|
if (!ctrl->ctrl_key) {
|
|
pr_warn("ctrl %d qid %d no ctrl key\n",
|
|
ctrl->cntlid, req->sq->qid);
|
|
return NVME_AUTH_DHCHAP_FAILURE_FAILED;
|
|
}
|
|
if (nvmet_auth_ctrl_hash(req, data->rval, data->hl))
|
|
return NVME_AUTH_DHCHAP_FAILURE_HASH_UNUSABLE;
|
|
data->rvalid = 1;
|
|
pr_debug("ctrl %d qid %d response %*ph\n",
|
|
ctrl->cntlid, req->sq->qid, data->hl, data->rval);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static void nvmet_auth_failure1(struct nvmet_req *req, void *d, int al)
|
|
{
|
|
struct nvmf_auth_dhchap_failure_data *data = d;
|
|
|
|
WARN_ON(al < sizeof(*data));
|
|
data->auth_type = NVME_AUTH_COMMON_MESSAGES;
|
|
data->auth_id = NVME_AUTH_DHCHAP_MESSAGE_FAILURE1;
|
|
data->t_id = cpu_to_le16(req->sq->dhchap_tid);
|
|
data->rescode = NVME_AUTH_DHCHAP_FAILURE_REASON_FAILED;
|
|
data->rescode_exp = req->sq->dhchap_status;
|
|
}
|
|
|
|
void nvmet_execute_auth_receive(struct nvmet_req *req)
|
|
{
|
|
struct nvmet_ctrl *ctrl = req->sq->ctrl;
|
|
void *d;
|
|
u32 al;
|
|
u16 status = 0;
|
|
|
|
if (req->cmd->auth_receive.secp != NVME_AUTH_DHCHAP_PROTOCOL_IDENTIFIER) {
|
|
status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
|
|
req->error_loc =
|
|
offsetof(struct nvmf_auth_receive_command, secp);
|
|
goto done;
|
|
}
|
|
if (req->cmd->auth_receive.spsp0 != 0x01) {
|
|
status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
|
|
req->error_loc =
|
|
offsetof(struct nvmf_auth_receive_command, spsp0);
|
|
goto done;
|
|
}
|
|
if (req->cmd->auth_receive.spsp1 != 0x01) {
|
|
status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
|
|
req->error_loc =
|
|
offsetof(struct nvmf_auth_receive_command, spsp1);
|
|
goto done;
|
|
}
|
|
al = le32_to_cpu(req->cmd->auth_receive.al);
|
|
if (!al) {
|
|
status = NVME_SC_INVALID_FIELD | NVME_STATUS_DNR;
|
|
req->error_loc =
|
|
offsetof(struct nvmf_auth_receive_command, al);
|
|
goto done;
|
|
}
|
|
if (!nvmet_check_transfer_len(req, al)) {
|
|
pr_debug("%s: transfer length mismatch (%u)\n", __func__, al);
|
|
return;
|
|
}
|
|
|
|
d = kmalloc(al, GFP_KERNEL);
|
|
if (!d) {
|
|
status = NVME_SC_INTERNAL;
|
|
goto done;
|
|
}
|
|
pr_debug("%s: ctrl %d qid %d step %x\n", __func__,
|
|
ctrl->cntlid, req->sq->qid, req->sq->dhchap_step);
|
|
switch (req->sq->dhchap_step) {
|
|
case NVME_AUTH_DHCHAP_MESSAGE_CHALLENGE:
|
|
if (nvmet_auth_challenge(req, d, al) < 0) {
|
|
pr_warn("ctrl %d qid %d: challenge error (%d)\n",
|
|
ctrl->cntlid, req->sq->qid, status);
|
|
status = NVME_SC_INTERNAL;
|
|
break;
|
|
}
|
|
req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_REPLY;
|
|
break;
|
|
case NVME_AUTH_DHCHAP_MESSAGE_SUCCESS1:
|
|
status = nvmet_auth_success1(req, d, al);
|
|
if (status) {
|
|
req->sq->dhchap_status = status;
|
|
req->sq->authenticated = false;
|
|
nvmet_auth_failure1(req, d, al);
|
|
pr_warn("ctrl %d qid %d: success1 status (%x)\n",
|
|
ctrl->cntlid, req->sq->qid,
|
|
req->sq->dhchap_status);
|
|
break;
|
|
}
|
|
req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2;
|
|
break;
|
|
case NVME_AUTH_DHCHAP_MESSAGE_FAILURE1:
|
|
req->sq->authenticated = false;
|
|
nvmet_auth_failure1(req, d, al);
|
|
pr_warn("ctrl %d qid %d failure1 (%x)\n",
|
|
ctrl->cntlid, req->sq->qid, req->sq->dhchap_status);
|
|
break;
|
|
default:
|
|
pr_warn("ctrl %d qid %d unhandled step (%d)\n",
|
|
ctrl->cntlid, req->sq->qid, req->sq->dhchap_step);
|
|
req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_FAILURE1;
|
|
req->sq->dhchap_status = NVME_AUTH_DHCHAP_FAILURE_FAILED;
|
|
nvmet_auth_failure1(req, d, al);
|
|
status = 0;
|
|
break;
|
|
}
|
|
|
|
status = nvmet_copy_to_sgl(req, 0, d, al);
|
|
kfree(d);
|
|
done:
|
|
if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2)
|
|
nvmet_auth_sq_free(req->sq);
|
|
else if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_FAILURE1) {
|
|
nvmet_auth_sq_free(req->sq);
|
|
nvmet_ctrl_fatal_error(ctrl);
|
|
}
|
|
nvmet_req_complete(req, status);
|
|
}
|