1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (c) 2020 Hannes Reinecke, SUSE Linux
4 */
5
6 #include <linux/module.h>
7 #include <linux/crc32.h>
8 #include <linux/base64.h>
9 #include <linux/prandom.h>
10 #include <linux/scatterlist.h>
11 #include <linux/unaligned.h>
12 #include <crypto/dh.h>
13 #include <crypto/sha2.h>
14 #include <linux/nvme.h>
15 #include <linux/nvme-auth.h>
16
17 static u32 nvme_dhchap_seqnum;
18 static DEFINE_MUTEX(nvme_dhchap_mutex);
19
nvme_auth_get_seqnum(void)20 u32 nvme_auth_get_seqnum(void)
21 {
22 u32 seqnum;
23
24 mutex_lock(&nvme_dhchap_mutex);
25 if (!nvme_dhchap_seqnum)
26 nvme_dhchap_seqnum = get_random_u32();
27 else {
28 nvme_dhchap_seqnum++;
29 if (!nvme_dhchap_seqnum)
30 nvme_dhchap_seqnum++;
31 }
32 seqnum = nvme_dhchap_seqnum;
33 mutex_unlock(&nvme_dhchap_mutex);
34 return seqnum;
35 }
36 EXPORT_SYMBOL_GPL(nvme_auth_get_seqnum);
37
38 static const struct nvme_auth_dhgroup_map {
39 char name[16];
40 char kpp[16];
41 } dhgroup_map[] = {
42 [NVME_AUTH_DHGROUP_NULL] = {
43 .name = "null", .kpp = "null" },
44 [NVME_AUTH_DHGROUP_2048] = {
45 .name = "ffdhe2048", .kpp = "ffdhe2048(dh)" },
46 [NVME_AUTH_DHGROUP_3072] = {
47 .name = "ffdhe3072", .kpp = "ffdhe3072(dh)" },
48 [NVME_AUTH_DHGROUP_4096] = {
49 .name = "ffdhe4096", .kpp = "ffdhe4096(dh)" },
50 [NVME_AUTH_DHGROUP_6144] = {
51 .name = "ffdhe6144", .kpp = "ffdhe6144(dh)" },
52 [NVME_AUTH_DHGROUP_8192] = {
53 .name = "ffdhe8192", .kpp = "ffdhe8192(dh)" },
54 };
55
nvme_auth_dhgroup_name(u8 dhgroup_id)56 const char *nvme_auth_dhgroup_name(u8 dhgroup_id)
57 {
58 if (dhgroup_id >= ARRAY_SIZE(dhgroup_map))
59 return NULL;
60 return dhgroup_map[dhgroup_id].name;
61 }
62 EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_name);
63
nvme_auth_dhgroup_kpp(u8 dhgroup_id)64 const char *nvme_auth_dhgroup_kpp(u8 dhgroup_id)
65 {
66 if (dhgroup_id >= ARRAY_SIZE(dhgroup_map))
67 return NULL;
68 return dhgroup_map[dhgroup_id].kpp;
69 }
70 EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_kpp);
71
nvme_auth_dhgroup_id(const char * dhgroup_name)72 u8 nvme_auth_dhgroup_id(const char *dhgroup_name)
73 {
74 int i;
75
76 if (!dhgroup_name || !strlen(dhgroup_name))
77 return NVME_AUTH_DHGROUP_INVALID;
78 for (i = 0; i < ARRAY_SIZE(dhgroup_map); i++) {
79 if (!strlen(dhgroup_map[i].name))
80 continue;
81 if (!strncmp(dhgroup_map[i].name, dhgroup_name,
82 strlen(dhgroup_map[i].name)))
83 return i;
84 }
85 return NVME_AUTH_DHGROUP_INVALID;
86 }
87 EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_id);
88
89 static const struct nvme_dhchap_hash_map {
90 int len;
91 char hmac[15];
92 } hash_map[] = {
93 [NVME_AUTH_HASH_SHA256] = {
94 .len = 32,
95 .hmac = "hmac(sha256)",
96 },
97 [NVME_AUTH_HASH_SHA384] = {
98 .len = 48,
99 .hmac = "hmac(sha384)",
100 },
101 [NVME_AUTH_HASH_SHA512] = {
102 .len = 64,
103 .hmac = "hmac(sha512)",
104 },
105 };
106
nvme_auth_hmac_name(u8 hmac_id)107 const char *nvme_auth_hmac_name(u8 hmac_id)
108 {
109 if (hmac_id >= ARRAY_SIZE(hash_map))
110 return NULL;
111 return hash_map[hmac_id].hmac;
112 }
113 EXPORT_SYMBOL_GPL(nvme_auth_hmac_name);
114
nvme_auth_hmac_id(const char * hmac_name)115 u8 nvme_auth_hmac_id(const char *hmac_name)
116 {
117 int i;
118
119 if (!hmac_name || !strlen(hmac_name))
120 return NVME_AUTH_HASH_INVALID;
121
122 for (i = 0; i < ARRAY_SIZE(hash_map); i++) {
123 if (!strlen(hash_map[i].hmac))
124 continue;
125 if (!strncmp(hash_map[i].hmac, hmac_name,
126 strlen(hash_map[i].hmac)))
127 return i;
128 }
129 return NVME_AUTH_HASH_INVALID;
130 }
131 EXPORT_SYMBOL_GPL(nvme_auth_hmac_id);
132
nvme_auth_hmac_hash_len(u8 hmac_id)133 size_t nvme_auth_hmac_hash_len(u8 hmac_id)
134 {
135 if (hmac_id >= ARRAY_SIZE(hash_map))
136 return 0;
137 return hash_map[hmac_id].len;
138 }
139 EXPORT_SYMBOL_GPL(nvme_auth_hmac_hash_len);
140
nvme_auth_key_struct_size(u32 key_len)141 u32 nvme_auth_key_struct_size(u32 key_len)
142 {
143 struct nvme_dhchap_key key;
144
145 return struct_size(&key, key, key_len);
146 }
147 EXPORT_SYMBOL_GPL(nvme_auth_key_struct_size);
148
nvme_auth_extract_key(const char * secret,u8 key_hash)149 struct nvme_dhchap_key *nvme_auth_extract_key(const char *secret, u8 key_hash)
150 {
151 struct nvme_dhchap_key *key;
152 const char *p;
153 u32 crc;
154 int ret, key_len;
155 size_t allocated_len = strlen(secret);
156
157 /* Secret might be affixed with a ':' */
158 p = strrchr(secret, ':');
159 if (p)
160 allocated_len = p - secret;
161 key = nvme_auth_alloc_key(allocated_len, 0);
162 if (!key)
163 return ERR_PTR(-ENOMEM);
164
165 key_len = base64_decode(secret, allocated_len, key->key, true, BASE64_STD);
166 if (key_len < 0) {
167 pr_debug("base64 key decoding error %d\n",
168 key_len);
169 ret = key_len;
170 goto out_free_key;
171 }
172
173 if (key_len != 36 && key_len != 52 &&
174 key_len != 68) {
175 pr_err("Invalid key len %d\n", key_len);
176 ret = -EINVAL;
177 goto out_free_key;
178 }
179
180 /* The last four bytes is the CRC in little-endian format */
181 key_len -= 4;
182 /*
183 * The linux implementation doesn't do pre- and post-increments,
184 * so we have to do it manually.
185 */
186 crc = ~crc32(~0, key->key, key_len);
187
188 if (get_unaligned_le32(key->key + key_len) != crc) {
189 pr_err("key crc mismatch (key %08x, crc %08x)\n",
190 get_unaligned_le32(key->key + key_len), crc);
191 ret = -EKEYREJECTED;
192 goto out_free_key;
193 }
194 key->len = key_len;
195 key->hash = key_hash;
196 return key;
197 out_free_key:
198 nvme_auth_free_key(key);
199 return ERR_PTR(ret);
200 }
201 EXPORT_SYMBOL_GPL(nvme_auth_extract_key);
202
nvme_auth_alloc_key(u32 len,u8 hash)203 struct nvme_dhchap_key *nvme_auth_alloc_key(u32 len, u8 hash)
204 {
205 u32 num_bytes = nvme_auth_key_struct_size(len);
206 struct nvme_dhchap_key *key = kzalloc(num_bytes, GFP_KERNEL);
207
208 if (key) {
209 key->len = len;
210 key->hash = hash;
211 }
212 return key;
213 }
214 EXPORT_SYMBOL_GPL(nvme_auth_alloc_key);
215
nvme_auth_free_key(struct nvme_dhchap_key * key)216 void nvme_auth_free_key(struct nvme_dhchap_key *key)
217 {
218 if (!key)
219 return;
220 kfree_sensitive(key);
221 }
222 EXPORT_SYMBOL_GPL(nvme_auth_free_key);
223
224 /*
225 * Start computing an HMAC value, given the algorithm ID and raw key.
226 *
227 * The context should be zeroized at the end of its lifetime. The caller can do
228 * that implicitly by calling nvme_auth_hmac_final(), or explicitly (needed when
229 * a context is abandoned without finalizing it) by calling memzero_explicit().
230 */
nvme_auth_hmac_init(struct nvme_auth_hmac_ctx * hmac,u8 hmac_id,const u8 * key,size_t key_len)231 int nvme_auth_hmac_init(struct nvme_auth_hmac_ctx *hmac, u8 hmac_id,
232 const u8 *key, size_t key_len)
233 {
234 hmac->hmac_id = hmac_id;
235 switch (hmac_id) {
236 case NVME_AUTH_HASH_SHA256:
237 hmac_sha256_init_usingrawkey(&hmac->sha256, key, key_len);
238 return 0;
239 case NVME_AUTH_HASH_SHA384:
240 hmac_sha384_init_usingrawkey(&hmac->sha384, key, key_len);
241 return 0;
242 case NVME_AUTH_HASH_SHA512:
243 hmac_sha512_init_usingrawkey(&hmac->sha512, key, key_len);
244 return 0;
245 }
246 pr_warn("%s: invalid hash algorithm %d\n", __func__, hmac_id);
247 return -EINVAL;
248 }
249 EXPORT_SYMBOL_GPL(nvme_auth_hmac_init);
250
nvme_auth_hmac_update(struct nvme_auth_hmac_ctx * hmac,const u8 * data,size_t data_len)251 void nvme_auth_hmac_update(struct nvme_auth_hmac_ctx *hmac, const u8 *data,
252 size_t data_len)
253 {
254 switch (hmac->hmac_id) {
255 case NVME_AUTH_HASH_SHA256:
256 hmac_sha256_update(&hmac->sha256, data, data_len);
257 return;
258 case NVME_AUTH_HASH_SHA384:
259 hmac_sha384_update(&hmac->sha384, data, data_len);
260 return;
261 case NVME_AUTH_HASH_SHA512:
262 hmac_sha512_update(&hmac->sha512, data, data_len);
263 return;
264 }
265 /* Unreachable because nvme_auth_hmac_init() validated hmac_id */
266 WARN_ON_ONCE(1);
267 }
268 EXPORT_SYMBOL_GPL(nvme_auth_hmac_update);
269
270 /* Finish computing an HMAC value. Note that this zeroizes the HMAC context. */
nvme_auth_hmac_final(struct nvme_auth_hmac_ctx * hmac,u8 * out)271 void nvme_auth_hmac_final(struct nvme_auth_hmac_ctx *hmac, u8 *out)
272 {
273 switch (hmac->hmac_id) {
274 case NVME_AUTH_HASH_SHA256:
275 hmac_sha256_final(&hmac->sha256, out);
276 return;
277 case NVME_AUTH_HASH_SHA384:
278 hmac_sha384_final(&hmac->sha384, out);
279 return;
280 case NVME_AUTH_HASH_SHA512:
281 hmac_sha512_final(&hmac->sha512, out);
282 return;
283 }
284 /* Unreachable because nvme_auth_hmac_init() validated hmac_id */
285 WARN_ON_ONCE(1);
286 }
287 EXPORT_SYMBOL_GPL(nvme_auth_hmac_final);
288
nvme_auth_hmac(u8 hmac_id,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * out)289 static int nvme_auth_hmac(u8 hmac_id, const u8 *key, size_t key_len,
290 const u8 *data, size_t data_len, u8 *out)
291 {
292 struct nvme_auth_hmac_ctx hmac;
293 int ret;
294
295 ret = nvme_auth_hmac_init(&hmac, hmac_id, key, key_len);
296 if (ret == 0) {
297 nvme_auth_hmac_update(&hmac, data, data_len);
298 nvme_auth_hmac_final(&hmac, out);
299 }
300 return ret;
301 }
302
nvme_auth_hash(u8 hmac_id,const u8 * data,size_t data_len,u8 * out)303 static int nvme_auth_hash(u8 hmac_id, const u8 *data, size_t data_len, u8 *out)
304 {
305 switch (hmac_id) {
306 case NVME_AUTH_HASH_SHA256:
307 sha256(data, data_len, out);
308 return 0;
309 case NVME_AUTH_HASH_SHA384:
310 sha384(data, data_len, out);
311 return 0;
312 case NVME_AUTH_HASH_SHA512:
313 sha512(data, data_len, out);
314 return 0;
315 }
316 pr_warn("%s: invalid hash algorithm %d\n", __func__, hmac_id);
317 return -EINVAL;
318 }
319
nvme_auth_transform_key(const struct nvme_dhchap_key * key,const char * nqn)320 struct nvme_dhchap_key *nvme_auth_transform_key(
321 const struct nvme_dhchap_key *key, const char *nqn)
322 {
323 struct nvme_auth_hmac_ctx hmac;
324 struct nvme_dhchap_key *transformed_key;
325 int ret, key_len;
326
327 if (!key) {
328 pr_warn("No key specified\n");
329 return ERR_PTR(-ENOKEY);
330 }
331 if (key->hash == 0) {
332 key_len = nvme_auth_key_struct_size(key->len);
333 transformed_key = kmemdup(key, key_len, GFP_KERNEL);
334 if (!transformed_key)
335 return ERR_PTR(-ENOMEM);
336 return transformed_key;
337 }
338 ret = nvme_auth_hmac_init(&hmac, key->hash, key->key, key->len);
339 if (ret)
340 return ERR_PTR(ret);
341 key_len = nvme_auth_hmac_hash_len(key->hash);
342 transformed_key = nvme_auth_alloc_key(key_len, key->hash);
343 if (!transformed_key) {
344 memzero_explicit(&hmac, sizeof(hmac));
345 return ERR_PTR(-ENOMEM);
346 }
347 nvme_auth_hmac_update(&hmac, nqn, strlen(nqn));
348 nvme_auth_hmac_update(&hmac, "NVMe-over-Fabrics", 17);
349 nvme_auth_hmac_final(&hmac, transformed_key->key);
350 return transformed_key;
351 }
352 EXPORT_SYMBOL_GPL(nvme_auth_transform_key);
353
nvme_auth_augmented_challenge(u8 hmac_id,const u8 * skey,size_t skey_len,const u8 * challenge,u8 * aug,size_t hlen)354 int nvme_auth_augmented_challenge(u8 hmac_id, const u8 *skey, size_t skey_len,
355 const u8 *challenge, u8 *aug, size_t hlen)
356 {
357 u8 hashed_key[NVME_AUTH_MAX_DIGEST_SIZE];
358 int ret;
359
360 ret = nvme_auth_hash(hmac_id, skey, skey_len, hashed_key);
361 if (ret)
362 return ret;
363 ret = nvme_auth_hmac(hmac_id, hashed_key, hlen, challenge, hlen, aug);
364 memzero_explicit(hashed_key, sizeof(hashed_key));
365 return ret;
366 }
367 EXPORT_SYMBOL_GPL(nvme_auth_augmented_challenge);
368
nvme_auth_gen_privkey(struct crypto_kpp * dh_tfm,u8 dh_gid)369 int nvme_auth_gen_privkey(struct crypto_kpp *dh_tfm, u8 dh_gid)
370 {
371 int ret;
372
373 ret = crypto_kpp_set_secret(dh_tfm, NULL, 0);
374 if (ret)
375 pr_debug("failed to set private key, error %d\n", ret);
376
377 return ret;
378 }
379 EXPORT_SYMBOL_GPL(nvme_auth_gen_privkey);
380
nvme_auth_gen_pubkey(struct crypto_kpp * dh_tfm,u8 * host_key,size_t host_key_len)381 int nvme_auth_gen_pubkey(struct crypto_kpp *dh_tfm,
382 u8 *host_key, size_t host_key_len)
383 {
384 struct kpp_request *req;
385 struct crypto_wait wait;
386 struct scatterlist dst;
387 int ret;
388
389 req = kpp_request_alloc(dh_tfm, GFP_KERNEL);
390 if (!req)
391 return -ENOMEM;
392
393 crypto_init_wait(&wait);
394 kpp_request_set_input(req, NULL, 0);
395 sg_init_one(&dst, host_key, host_key_len);
396 kpp_request_set_output(req, &dst, host_key_len);
397 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
398 crypto_req_done, &wait);
399
400 ret = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait);
401 kpp_request_free(req);
402 return ret;
403 }
404 EXPORT_SYMBOL_GPL(nvme_auth_gen_pubkey);
405
nvme_auth_gen_shared_secret(struct crypto_kpp * dh_tfm,const u8 * ctrl_key,size_t ctrl_key_len,u8 * sess_key,size_t sess_key_len)406 int nvme_auth_gen_shared_secret(struct crypto_kpp *dh_tfm,
407 const u8 *ctrl_key, size_t ctrl_key_len,
408 u8 *sess_key, size_t sess_key_len)
409 {
410 struct kpp_request *req;
411 struct crypto_wait wait;
412 struct scatterlist src, dst;
413 int ret;
414
415 req = kpp_request_alloc(dh_tfm, GFP_KERNEL);
416 if (!req)
417 return -ENOMEM;
418
419 crypto_init_wait(&wait);
420 sg_init_one(&src, ctrl_key, ctrl_key_len);
421 kpp_request_set_input(req, &src, ctrl_key_len);
422 sg_init_one(&dst, sess_key, sess_key_len);
423 kpp_request_set_output(req, &dst, sess_key_len);
424 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
425 crypto_req_done, &wait);
426
427 ret = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait);
428
429 kpp_request_free(req);
430 return ret;
431 }
432 EXPORT_SYMBOL_GPL(nvme_auth_gen_shared_secret);
433
nvme_auth_parse_key(const char * secret,struct nvme_dhchap_key ** ret_key)434 int nvme_auth_parse_key(const char *secret, struct nvme_dhchap_key **ret_key)
435 {
436 struct nvme_dhchap_key *key;
437 u8 key_hash;
438
439 if (!secret) {
440 *ret_key = NULL;
441 return 0;
442 }
443
444 if (sscanf(secret, "DHHC-1:%hhd:%*s:", &key_hash) != 1)
445 return -EINVAL;
446
447 /* Pass in the secret without the 'DHHC-1:XX:' prefix */
448 key = nvme_auth_extract_key(secret + 10, key_hash);
449 if (IS_ERR(key)) {
450 *ret_key = NULL;
451 return PTR_ERR(key);
452 }
453
454 *ret_key = key;
455 return 0;
456 }
457 EXPORT_SYMBOL_GPL(nvme_auth_parse_key);
458
459 /**
460 * nvme_auth_generate_psk - Generate a PSK for TLS
461 * @hmac_id: Hash function identifier
462 * @skey: Session key
463 * @skey_len: Length of @skey
464 * @c1: Value of challenge C1
465 * @c2: Value of challenge C2
466 * @hash_len: Hash length of the hash algorithm
467 * @ret_psk: Pointer to the resulting generated PSK
468 * @ret_len: length of @ret_psk
469 *
470 * Generate a PSK for TLS as specified in NVMe base specification, section
471 * 8.13.5.9: Generated PSK for TLS
472 *
473 * The generated PSK for TLS shall be computed applying the HMAC function
474 * using the hash function H( ) selected by the HashID parameter in the
475 * DH-HMAC-CHAP_Challenge message with the session key KS as key to the
476 * concatenation of the two challenges C1 and C2 (i.e., generated
477 * PSK = HMAC(KS, C1 || C2)).
478 *
479 * Returns 0 on success with a valid generated PSK pointer in @ret_psk and
480 * the length of @ret_psk in @ret_len, or a negative error number otherwise.
481 */
nvme_auth_generate_psk(u8 hmac_id,const u8 * skey,size_t skey_len,const u8 * c1,const u8 * c2,size_t hash_len,u8 ** ret_psk,size_t * ret_len)482 int nvme_auth_generate_psk(u8 hmac_id, const u8 *skey, size_t skey_len,
483 const u8 *c1, const u8 *c2, size_t hash_len,
484 u8 **ret_psk, size_t *ret_len)
485 {
486 size_t psk_len = nvme_auth_hmac_hash_len(hmac_id);
487 struct nvme_auth_hmac_ctx hmac;
488 u8 *psk;
489 int ret;
490
491 if (!c1 || !c2)
492 return -EINVAL;
493
494 ret = nvme_auth_hmac_init(&hmac, hmac_id, skey, skey_len);
495 if (ret)
496 return ret;
497 psk = kzalloc(psk_len, GFP_KERNEL);
498 if (!psk) {
499 memzero_explicit(&hmac, sizeof(hmac));
500 return -ENOMEM;
501 }
502 nvme_auth_hmac_update(&hmac, c1, hash_len);
503 nvme_auth_hmac_update(&hmac, c2, hash_len);
504 nvme_auth_hmac_final(&hmac, psk);
505 *ret_psk = psk;
506 *ret_len = psk_len;
507 return 0;
508 }
509 EXPORT_SYMBOL_GPL(nvme_auth_generate_psk);
510
511 /**
512 * nvme_auth_generate_digest - Generate TLS PSK digest
513 * @hmac_id: Hash function identifier
514 * @psk: Generated input PSK
515 * @psk_len: Length of @psk
516 * @subsysnqn: NQN of the subsystem
517 * @hostnqn: NQN of the host
518 * @ret_digest: Pointer to the returned digest
519 *
520 * Generate a TLS PSK digest as specified in TP8018 Section 3.6.1.3:
521 * TLS PSK and PSK identity Derivation
522 *
523 * The PSK digest shall be computed by encoding in Base64 (refer to RFC
524 * 4648) the result of the application of the HMAC function using the hash
525 * function specified in item 4 above (ie the hash function of the cipher
526 * suite associated with the PSK identity) with the PSK as HMAC key to the
527 * concatenation of:
528 * - the NQN of the host (i.e., NQNh) not including the null terminator;
529 * - a space character;
530 * - the NQN of the NVM subsystem (i.e., NQNc) not including the null
531 * terminator;
532 * - a space character; and
533 * - the seventeen ASCII characters "NVMe-over-Fabrics"
534 * (i.e., <PSK digest> = Base64(HMAC(PSK, NQNh || " " || NQNc || " " ||
535 * "NVMe-over-Fabrics"))).
536 * The length of the PSK digest depends on the hash function used to compute
537 * it as follows:
538 * - If the SHA-256 hash function is used, the resulting PSK digest is 44
539 * characters long; or
540 * - If the SHA-384 hash function is used, the resulting PSK digest is 64
541 * characters long.
542 *
543 * Returns 0 on success with a valid digest pointer in @ret_digest, or a
544 * negative error number on failure.
545 */
nvme_auth_generate_digest(u8 hmac_id,const u8 * psk,size_t psk_len,const char * subsysnqn,const char * hostnqn,char ** ret_digest)546 int nvme_auth_generate_digest(u8 hmac_id, const u8 *psk, size_t psk_len,
547 const char *subsysnqn, const char *hostnqn,
548 char **ret_digest)
549 {
550 struct nvme_auth_hmac_ctx hmac;
551 u8 digest[NVME_AUTH_MAX_DIGEST_SIZE];
552 size_t hash_len = nvme_auth_hmac_hash_len(hmac_id);
553 char *enc;
554 size_t enc_len;
555 int ret;
556
557 if (WARN_ON(!subsysnqn || !hostnqn))
558 return -EINVAL;
559
560 if (hash_len == 0) {
561 pr_warn("%s: invalid hash algorithm %d\n",
562 __func__, hmac_id);
563 return -EINVAL;
564 }
565
566 switch (hash_len) {
567 case 32:
568 enc_len = 44;
569 break;
570 case 48:
571 enc_len = 64;
572 break;
573 default:
574 pr_warn("%s: invalid hash algorithm '%s'\n",
575 __func__, nvme_auth_hmac_name(hmac_id));
576 return -EINVAL;
577 }
578
579 enc = kzalloc(enc_len + 1, GFP_KERNEL);
580 if (!enc) {
581 ret = -ENOMEM;
582 goto out;
583 }
584
585 ret = nvme_auth_hmac_init(&hmac, hmac_id, psk, psk_len);
586 if (ret)
587 goto out;
588 nvme_auth_hmac_update(&hmac, hostnqn, strlen(hostnqn));
589 nvme_auth_hmac_update(&hmac, " ", 1);
590 nvme_auth_hmac_update(&hmac, subsysnqn, strlen(subsysnqn));
591 nvme_auth_hmac_update(&hmac, " NVMe-over-Fabrics", 18);
592 nvme_auth_hmac_final(&hmac, digest);
593
594 ret = base64_encode(digest, hash_len, enc, true, BASE64_STD);
595 if (ret < enc_len) {
596 ret = -ENOKEY;
597 goto out;
598 }
599 *ret_digest = enc;
600 ret = 0;
601
602 out:
603 if (ret)
604 kfree_sensitive(enc);
605 memzero_explicit(digest, sizeof(digest));
606 return ret;
607 }
608 EXPORT_SYMBOL_GPL(nvme_auth_generate_digest);
609
610 /**
611 * nvme_auth_derive_tls_psk - Derive TLS PSK
612 * @hmac_id: Hash function identifier
613 * @psk: generated input PSK
614 * @psk_len: size of @psk
615 * @psk_digest: TLS PSK digest
616 * @ret_psk: Pointer to the resulting TLS PSK
617 *
618 * Derive a TLS PSK as specified in TP8018 Section 3.6.1.3:
619 * TLS PSK and PSK identity Derivation
620 *
621 * The TLS PSK shall be derived as follows from an input PSK
622 * (i.e., either a retained PSK or a generated PSK) and a PSK
623 * identity using the HKDF-Extract and HKDF-Expand-Label operations
624 * (refer to RFC 5869 and RFC 8446) where the hash function is the
625 * one specified by the hash specifier of the PSK identity:
626 * 1. PRK = HKDF-Extract(0, Input PSK); and
627 * 2. TLS PSK = HKDF-Expand-Label(PRK, "nvme-tls-psk", PskIdentityContext, L),
628 * where PskIdentityContext is the hash identifier indicated in
629 * the PSK identity concatenated to a space character and to the
630 * Base64 PSK digest (i.e., "<hash> <PSK digest>") and L is the
631 * output size in bytes of the hash function (i.e., 32 for SHA-256
632 * and 48 for SHA-384).
633 *
634 * Returns 0 on success with a valid psk pointer in @ret_psk or a negative
635 * error number otherwise.
636 */
nvme_auth_derive_tls_psk(int hmac_id,const u8 * psk,size_t psk_len,const char * psk_digest,u8 ** ret_psk)637 int nvme_auth_derive_tls_psk(int hmac_id, const u8 *psk, size_t psk_len,
638 const char *psk_digest, u8 **ret_psk)
639 {
640 static const u8 default_salt[NVME_AUTH_MAX_DIGEST_SIZE];
641 static const char label[] = "tls13 nvme-tls-psk";
642 const size_t label_len = sizeof(label) - 1;
643 u8 prk[NVME_AUTH_MAX_DIGEST_SIZE];
644 size_t hash_len, ctx_len;
645 u8 *hmac_data = NULL, *tls_key;
646 size_t i;
647 int ret;
648
649 hash_len = nvme_auth_hmac_hash_len(hmac_id);
650 if (hash_len == 0) {
651 pr_warn("%s: invalid hash algorithm %d\n",
652 __func__, hmac_id);
653 return -EINVAL;
654 }
655 if (hmac_id == NVME_AUTH_HASH_SHA512) {
656 pr_warn("%s: unsupported hash algorithm %s\n",
657 __func__, nvme_auth_hmac_name(hmac_id));
658 return -EINVAL;
659 }
660
661 if (psk_len != hash_len) {
662 pr_warn("%s: unexpected psk_len %zu\n", __func__, psk_len);
663 return -EINVAL;
664 }
665
666 /* HKDF-Extract */
667 ret = nvme_auth_hmac(hmac_id, default_salt, hash_len, psk, psk_len,
668 prk);
669 if (ret)
670 goto out;
671
672 /*
673 * HKDF-Expand-Label (RFC 8446 section 7.1), with output length equal to
674 * the hash length (so only a single HMAC operation is needed)
675 */
676
677 hmac_data = kmalloc(/* output length */ 2 +
678 /* label */ 1 + label_len +
679 /* context (max) */ 1 + 3 + 1 + strlen(psk_digest) +
680 /* counter */ 1,
681 GFP_KERNEL);
682 if (!hmac_data) {
683 ret = -ENOMEM;
684 goto out;
685 }
686 /* output length */
687 i = 0;
688 hmac_data[i++] = hash_len >> 8;
689 hmac_data[i++] = hash_len;
690
691 /* label */
692 static_assert(label_len <= 255);
693 hmac_data[i] = label_len;
694 memcpy(&hmac_data[i + 1], label, label_len);
695 i += 1 + label_len;
696
697 /* context */
698 ctx_len = sprintf(&hmac_data[i + 1], "%02d %s", hmac_id, psk_digest);
699 if (ctx_len > 255) {
700 ret = -EINVAL;
701 goto out;
702 }
703 hmac_data[i] = ctx_len;
704 i += 1 + ctx_len;
705
706 /* counter (this overwrites the NUL terminator written by sprintf) */
707 hmac_data[i++] = 1;
708
709 tls_key = kzalloc(psk_len, GFP_KERNEL);
710 if (!tls_key) {
711 ret = -ENOMEM;
712 goto out;
713 }
714 ret = nvme_auth_hmac(hmac_id, prk, hash_len, hmac_data, i, tls_key);
715 if (ret) {
716 kfree_sensitive(tls_key);
717 goto out;
718 }
719 *ret_psk = tls_key;
720 out:
721 kfree_sensitive(hmac_data);
722 memzero_explicit(prk, sizeof(prk));
723 return ret;
724 }
725 EXPORT_SYMBOL_GPL(nvme_auth_derive_tls_psk);
726
727 MODULE_DESCRIPTION("NVMe Authentication framework");
728 MODULE_LICENSE("GPL v2");
729