1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Copyright (c) 2020 Hannes Reinecke, SUSE Linux 4 */ 5 6 #include <linux/module.h> 7 #include <linux/crc32.h> 8 #include <linux/base64.h> 9 #include <linux/prandom.h> 10 #include <linux/scatterlist.h> 11 #include <linux/unaligned.h> 12 #include <crypto/dh.h> 13 #include <crypto/sha2.h> 14 #include <linux/nvme.h> 15 #include <linux/nvme-auth.h> 16 17 static u32 nvme_dhchap_seqnum; 18 static DEFINE_MUTEX(nvme_dhchap_mutex); 19 20 u32 nvme_auth_get_seqnum(void) 21 { 22 u32 seqnum; 23 24 mutex_lock(&nvme_dhchap_mutex); 25 if (!nvme_dhchap_seqnum) 26 nvme_dhchap_seqnum = get_random_u32(); 27 else { 28 nvme_dhchap_seqnum++; 29 if (!nvme_dhchap_seqnum) 30 nvme_dhchap_seqnum++; 31 } 32 seqnum = nvme_dhchap_seqnum; 33 mutex_unlock(&nvme_dhchap_mutex); 34 return seqnum; 35 } 36 EXPORT_SYMBOL_GPL(nvme_auth_get_seqnum); 37 38 static const struct nvme_auth_dhgroup_map { 39 char name[16]; 40 char kpp[16]; 41 } dhgroup_map[] = { 42 [NVME_AUTH_DHGROUP_NULL] = { 43 .name = "null", .kpp = "null" }, 44 [NVME_AUTH_DHGROUP_2048] = { 45 .name = "ffdhe2048", .kpp = "ffdhe2048(dh)" }, 46 [NVME_AUTH_DHGROUP_3072] = { 47 .name = "ffdhe3072", .kpp = "ffdhe3072(dh)" }, 48 [NVME_AUTH_DHGROUP_4096] = { 49 .name = "ffdhe4096", .kpp = "ffdhe4096(dh)" }, 50 [NVME_AUTH_DHGROUP_6144] = { 51 .name = "ffdhe6144", .kpp = "ffdhe6144(dh)" }, 52 [NVME_AUTH_DHGROUP_8192] = { 53 .name = "ffdhe8192", .kpp = "ffdhe8192(dh)" }, 54 }; 55 56 const char *nvme_auth_dhgroup_name(u8 dhgroup_id) 57 { 58 if (dhgroup_id >= ARRAY_SIZE(dhgroup_map)) 59 return NULL; 60 return dhgroup_map[dhgroup_id].name; 61 } 62 EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_name); 63 64 const char *nvme_auth_dhgroup_kpp(u8 dhgroup_id) 65 { 66 if (dhgroup_id >= ARRAY_SIZE(dhgroup_map)) 67 return NULL; 68 return dhgroup_map[dhgroup_id].kpp; 69 } 70 EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_kpp); 71 72 u8 nvme_auth_dhgroup_id(const char *dhgroup_name) 73 { 74 int i; 75 76 if (!dhgroup_name || !strlen(dhgroup_name)) 77 return NVME_AUTH_DHGROUP_INVALID; 78 for (i = 0; i < ARRAY_SIZE(dhgroup_map); i++) { 79 if (!strlen(dhgroup_map[i].name)) 80 continue; 81 if (!strncmp(dhgroup_map[i].name, dhgroup_name, 82 strlen(dhgroup_map[i].name))) 83 return i; 84 } 85 return NVME_AUTH_DHGROUP_INVALID; 86 } 87 EXPORT_SYMBOL_GPL(nvme_auth_dhgroup_id); 88 89 static const struct nvme_dhchap_hash_map { 90 int len; 91 char hmac[15]; 92 } hash_map[] = { 93 [NVME_AUTH_HASH_SHA256] = { 94 .len = 32, 95 .hmac = "hmac(sha256)", 96 }, 97 [NVME_AUTH_HASH_SHA384] = { 98 .len = 48, 99 .hmac = "hmac(sha384)", 100 }, 101 [NVME_AUTH_HASH_SHA512] = { 102 .len = 64, 103 .hmac = "hmac(sha512)", 104 }, 105 }; 106 107 const char *nvme_auth_hmac_name(u8 hmac_id) 108 { 109 if (hmac_id >= ARRAY_SIZE(hash_map)) 110 return NULL; 111 return hash_map[hmac_id].hmac; 112 } 113 EXPORT_SYMBOL_GPL(nvme_auth_hmac_name); 114 115 u8 nvme_auth_hmac_id(const char *hmac_name) 116 { 117 int i; 118 119 if (!hmac_name || !strlen(hmac_name)) 120 return NVME_AUTH_HASH_INVALID; 121 122 for (i = 0; i < ARRAY_SIZE(hash_map); i++) { 123 if (!strlen(hash_map[i].hmac)) 124 continue; 125 if (!strncmp(hash_map[i].hmac, hmac_name, 126 strlen(hash_map[i].hmac))) 127 return i; 128 } 129 return NVME_AUTH_HASH_INVALID; 130 } 131 EXPORT_SYMBOL_GPL(nvme_auth_hmac_id); 132 133 size_t nvme_auth_hmac_hash_len(u8 hmac_id) 134 { 135 if (hmac_id >= ARRAY_SIZE(hash_map)) 136 return 0; 137 return hash_map[hmac_id].len; 138 } 139 EXPORT_SYMBOL_GPL(nvme_auth_hmac_hash_len); 140 141 u32 nvme_auth_key_struct_size(u32 key_len) 142 { 143 struct nvme_dhchap_key key; 144 145 return struct_size(&key, key, key_len); 146 } 147 EXPORT_SYMBOL_GPL(nvme_auth_key_struct_size); 148 149 struct nvme_dhchap_key *nvme_auth_extract_key(const char *secret, u8 key_hash) 150 { 151 struct nvme_dhchap_key *key; 152 const char *p; 153 u32 crc; 154 int ret, key_len; 155 size_t allocated_len = strlen(secret); 156 157 /* Secret might be affixed with a ':' */ 158 p = strrchr(secret, ':'); 159 if (p) 160 allocated_len = p - secret; 161 key = nvme_auth_alloc_key(allocated_len, 0); 162 if (!key) 163 return ERR_PTR(-ENOMEM); 164 165 key_len = base64_decode(secret, allocated_len, key->key, true, BASE64_STD); 166 if (key_len < 0) { 167 pr_debug("base64 key decoding error %d\n", 168 key_len); 169 ret = key_len; 170 goto out_free_key; 171 } 172 173 if (key_len != 36 && key_len != 52 && 174 key_len != 68) { 175 pr_err("Invalid key len %d\n", key_len); 176 ret = -EINVAL; 177 goto out_free_key; 178 } 179 180 /* The last four bytes is the CRC in little-endian format */ 181 key_len -= 4; 182 /* 183 * The linux implementation doesn't do pre- and post-increments, 184 * so we have to do it manually. 185 */ 186 crc = ~crc32(~0, key->key, key_len); 187 188 if (get_unaligned_le32(key->key + key_len) != crc) { 189 pr_err("key crc mismatch (key %08x, crc %08x)\n", 190 get_unaligned_le32(key->key + key_len), crc); 191 ret = -EKEYREJECTED; 192 goto out_free_key; 193 } 194 key->len = key_len; 195 key->hash = key_hash; 196 return key; 197 out_free_key: 198 nvme_auth_free_key(key); 199 return ERR_PTR(ret); 200 } 201 EXPORT_SYMBOL_GPL(nvme_auth_extract_key); 202 203 struct nvme_dhchap_key *nvme_auth_alloc_key(u32 len, u8 hash) 204 { 205 u32 num_bytes = nvme_auth_key_struct_size(len); 206 struct nvme_dhchap_key *key = kzalloc(num_bytes, GFP_KERNEL); 207 208 if (key) { 209 key->len = len; 210 key->hash = hash; 211 } 212 return key; 213 } 214 EXPORT_SYMBOL_GPL(nvme_auth_alloc_key); 215 216 void nvme_auth_free_key(struct nvme_dhchap_key *key) 217 { 218 if (!key) 219 return; 220 kfree_sensitive(key); 221 } 222 EXPORT_SYMBOL_GPL(nvme_auth_free_key); 223 224 /* 225 * Start computing an HMAC value, given the algorithm ID and raw key. 226 * 227 * The context should be zeroized at the end of its lifetime. The caller can do 228 * that implicitly by calling nvme_auth_hmac_final(), or explicitly (needed when 229 * a context is abandoned without finalizing it) by calling memzero_explicit(). 230 */ 231 int nvme_auth_hmac_init(struct nvme_auth_hmac_ctx *hmac, u8 hmac_id, 232 const u8 *key, size_t key_len) 233 { 234 hmac->hmac_id = hmac_id; 235 switch (hmac_id) { 236 case NVME_AUTH_HASH_SHA256: 237 hmac_sha256_init_usingrawkey(&hmac->sha256, key, key_len); 238 return 0; 239 case NVME_AUTH_HASH_SHA384: 240 hmac_sha384_init_usingrawkey(&hmac->sha384, key, key_len); 241 return 0; 242 case NVME_AUTH_HASH_SHA512: 243 hmac_sha512_init_usingrawkey(&hmac->sha512, key, key_len); 244 return 0; 245 } 246 pr_warn("%s: invalid hash algorithm %d\n", __func__, hmac_id); 247 return -EINVAL; 248 } 249 EXPORT_SYMBOL_GPL(nvme_auth_hmac_init); 250 251 void nvme_auth_hmac_update(struct nvme_auth_hmac_ctx *hmac, const u8 *data, 252 size_t data_len) 253 { 254 switch (hmac->hmac_id) { 255 case NVME_AUTH_HASH_SHA256: 256 hmac_sha256_update(&hmac->sha256, data, data_len); 257 return; 258 case NVME_AUTH_HASH_SHA384: 259 hmac_sha384_update(&hmac->sha384, data, data_len); 260 return; 261 case NVME_AUTH_HASH_SHA512: 262 hmac_sha512_update(&hmac->sha512, data, data_len); 263 return; 264 } 265 /* Unreachable because nvme_auth_hmac_init() validated hmac_id */ 266 WARN_ON_ONCE(1); 267 } 268 EXPORT_SYMBOL_GPL(nvme_auth_hmac_update); 269 270 /* Finish computing an HMAC value. Note that this zeroizes the HMAC context. */ 271 void nvme_auth_hmac_final(struct nvme_auth_hmac_ctx *hmac, u8 *out) 272 { 273 switch (hmac->hmac_id) { 274 case NVME_AUTH_HASH_SHA256: 275 hmac_sha256_final(&hmac->sha256, out); 276 return; 277 case NVME_AUTH_HASH_SHA384: 278 hmac_sha384_final(&hmac->sha384, out); 279 return; 280 case NVME_AUTH_HASH_SHA512: 281 hmac_sha512_final(&hmac->sha512, out); 282 return; 283 } 284 /* Unreachable because nvme_auth_hmac_init() validated hmac_id */ 285 WARN_ON_ONCE(1); 286 } 287 EXPORT_SYMBOL_GPL(nvme_auth_hmac_final); 288 289 static int nvme_auth_hmac(u8 hmac_id, const u8 *key, size_t key_len, 290 const u8 *data, size_t data_len, u8 *out) 291 { 292 struct nvme_auth_hmac_ctx hmac; 293 int ret; 294 295 ret = nvme_auth_hmac_init(&hmac, hmac_id, key, key_len); 296 if (ret == 0) { 297 nvme_auth_hmac_update(&hmac, data, data_len); 298 nvme_auth_hmac_final(&hmac, out); 299 } 300 return ret; 301 } 302 303 static int nvme_auth_hash(u8 hmac_id, const u8 *data, size_t data_len, u8 *out) 304 { 305 switch (hmac_id) { 306 case NVME_AUTH_HASH_SHA256: 307 sha256(data, data_len, out); 308 return 0; 309 case NVME_AUTH_HASH_SHA384: 310 sha384(data, data_len, out); 311 return 0; 312 case NVME_AUTH_HASH_SHA512: 313 sha512(data, data_len, out); 314 return 0; 315 } 316 pr_warn("%s: invalid hash algorithm %d\n", __func__, hmac_id); 317 return -EINVAL; 318 } 319 320 struct nvme_dhchap_key *nvme_auth_transform_key( 321 const struct nvme_dhchap_key *key, const char *nqn) 322 { 323 struct nvme_auth_hmac_ctx hmac; 324 struct nvme_dhchap_key *transformed_key; 325 int ret, key_len; 326 327 if (!key) { 328 pr_warn("No key specified\n"); 329 return ERR_PTR(-ENOKEY); 330 } 331 if (key->hash == 0) { 332 key_len = nvme_auth_key_struct_size(key->len); 333 transformed_key = kmemdup(key, key_len, GFP_KERNEL); 334 if (!transformed_key) 335 return ERR_PTR(-ENOMEM); 336 return transformed_key; 337 } 338 ret = nvme_auth_hmac_init(&hmac, key->hash, key->key, key->len); 339 if (ret) 340 return ERR_PTR(ret); 341 key_len = nvme_auth_hmac_hash_len(key->hash); 342 transformed_key = nvme_auth_alloc_key(key_len, key->hash); 343 if (!transformed_key) { 344 memzero_explicit(&hmac, sizeof(hmac)); 345 return ERR_PTR(-ENOMEM); 346 } 347 nvme_auth_hmac_update(&hmac, nqn, strlen(nqn)); 348 nvme_auth_hmac_update(&hmac, "NVMe-over-Fabrics", 17); 349 nvme_auth_hmac_final(&hmac, transformed_key->key); 350 return transformed_key; 351 } 352 EXPORT_SYMBOL_GPL(nvme_auth_transform_key); 353 354 int nvme_auth_augmented_challenge(u8 hmac_id, const u8 *skey, size_t skey_len, 355 const u8 *challenge, u8 *aug, size_t hlen) 356 { 357 u8 hashed_key[NVME_AUTH_MAX_DIGEST_SIZE]; 358 int ret; 359 360 ret = nvme_auth_hash(hmac_id, skey, skey_len, hashed_key); 361 if (ret) 362 return ret; 363 ret = nvme_auth_hmac(hmac_id, hashed_key, hlen, challenge, hlen, aug); 364 memzero_explicit(hashed_key, sizeof(hashed_key)); 365 return ret; 366 } 367 EXPORT_SYMBOL_GPL(nvme_auth_augmented_challenge); 368 369 int nvme_auth_gen_privkey(struct crypto_kpp *dh_tfm, u8 dh_gid) 370 { 371 int ret; 372 373 ret = crypto_kpp_set_secret(dh_tfm, NULL, 0); 374 if (ret) 375 pr_debug("failed to set private key, error %d\n", ret); 376 377 return ret; 378 } 379 EXPORT_SYMBOL_GPL(nvme_auth_gen_privkey); 380 381 int nvme_auth_gen_pubkey(struct crypto_kpp *dh_tfm, 382 u8 *host_key, size_t host_key_len) 383 { 384 struct kpp_request *req; 385 struct crypto_wait wait; 386 struct scatterlist dst; 387 int ret; 388 389 req = kpp_request_alloc(dh_tfm, GFP_KERNEL); 390 if (!req) 391 return -ENOMEM; 392 393 crypto_init_wait(&wait); 394 kpp_request_set_input(req, NULL, 0); 395 sg_init_one(&dst, host_key, host_key_len); 396 kpp_request_set_output(req, &dst, host_key_len); 397 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, 398 crypto_req_done, &wait); 399 400 ret = crypto_wait_req(crypto_kpp_generate_public_key(req), &wait); 401 kpp_request_free(req); 402 return ret; 403 } 404 EXPORT_SYMBOL_GPL(nvme_auth_gen_pubkey); 405 406 int nvme_auth_gen_shared_secret(struct crypto_kpp *dh_tfm, 407 const u8 *ctrl_key, size_t ctrl_key_len, 408 u8 *sess_key, size_t sess_key_len) 409 { 410 struct kpp_request *req; 411 struct crypto_wait wait; 412 struct scatterlist src, dst; 413 int ret; 414 415 req = kpp_request_alloc(dh_tfm, GFP_KERNEL); 416 if (!req) 417 return -ENOMEM; 418 419 crypto_init_wait(&wait); 420 sg_init_one(&src, ctrl_key, ctrl_key_len); 421 kpp_request_set_input(req, &src, ctrl_key_len); 422 sg_init_one(&dst, sess_key, sess_key_len); 423 kpp_request_set_output(req, &dst, sess_key_len); 424 kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, 425 crypto_req_done, &wait); 426 427 ret = crypto_wait_req(crypto_kpp_compute_shared_secret(req), &wait); 428 429 kpp_request_free(req); 430 return ret; 431 } 432 EXPORT_SYMBOL_GPL(nvme_auth_gen_shared_secret); 433 434 int nvme_auth_parse_key(const char *secret, struct nvme_dhchap_key **ret_key) 435 { 436 struct nvme_dhchap_key *key; 437 u8 key_hash; 438 439 if (!secret) { 440 *ret_key = NULL; 441 return 0; 442 } 443 444 if (sscanf(secret, "DHHC-1:%hhd:%*s:", &key_hash) != 1) 445 return -EINVAL; 446 447 /* Pass in the secret without the 'DHHC-1:XX:' prefix */ 448 key = nvme_auth_extract_key(secret + 10, key_hash); 449 if (IS_ERR(key)) { 450 *ret_key = NULL; 451 return PTR_ERR(key); 452 } 453 454 *ret_key = key; 455 return 0; 456 } 457 EXPORT_SYMBOL_GPL(nvme_auth_parse_key); 458 459 /** 460 * nvme_auth_generate_psk - Generate a PSK for TLS 461 * @hmac_id: Hash function identifier 462 * @skey: Session key 463 * @skey_len: Length of @skey 464 * @c1: Value of challenge C1 465 * @c2: Value of challenge C2 466 * @hash_len: Hash length of the hash algorithm 467 * @ret_psk: Pointer to the resulting generated PSK 468 * @ret_len: length of @ret_psk 469 * 470 * Generate a PSK for TLS as specified in NVMe base specification, section 471 * 8.13.5.9: Generated PSK for TLS 472 * 473 * The generated PSK for TLS shall be computed applying the HMAC function 474 * using the hash function H( ) selected by the HashID parameter in the 475 * DH-HMAC-CHAP_Challenge message with the session key KS as key to the 476 * concatenation of the two challenges C1 and C2 (i.e., generated 477 * PSK = HMAC(KS, C1 || C2)). 478 * 479 * Returns 0 on success with a valid generated PSK pointer in @ret_psk and 480 * the length of @ret_psk in @ret_len, or a negative error number otherwise. 481 */ 482 int nvme_auth_generate_psk(u8 hmac_id, const u8 *skey, size_t skey_len, 483 const u8 *c1, const u8 *c2, size_t hash_len, 484 u8 **ret_psk, size_t *ret_len) 485 { 486 size_t psk_len = nvme_auth_hmac_hash_len(hmac_id); 487 struct nvme_auth_hmac_ctx hmac; 488 u8 *psk; 489 int ret; 490 491 if (!c1 || !c2) 492 return -EINVAL; 493 494 ret = nvme_auth_hmac_init(&hmac, hmac_id, skey, skey_len); 495 if (ret) 496 return ret; 497 psk = kzalloc(psk_len, GFP_KERNEL); 498 if (!psk) { 499 memzero_explicit(&hmac, sizeof(hmac)); 500 return -ENOMEM; 501 } 502 nvme_auth_hmac_update(&hmac, c1, hash_len); 503 nvme_auth_hmac_update(&hmac, c2, hash_len); 504 nvme_auth_hmac_final(&hmac, psk); 505 *ret_psk = psk; 506 *ret_len = psk_len; 507 return 0; 508 } 509 EXPORT_SYMBOL_GPL(nvme_auth_generate_psk); 510 511 /** 512 * nvme_auth_generate_digest - Generate TLS PSK digest 513 * @hmac_id: Hash function identifier 514 * @psk: Generated input PSK 515 * @psk_len: Length of @psk 516 * @subsysnqn: NQN of the subsystem 517 * @hostnqn: NQN of the host 518 * @ret_digest: Pointer to the returned digest 519 * 520 * Generate a TLS PSK digest as specified in TP8018 Section 3.6.1.3: 521 * TLS PSK and PSK identity Derivation 522 * 523 * The PSK digest shall be computed by encoding in Base64 (refer to RFC 524 * 4648) the result of the application of the HMAC function using the hash 525 * function specified in item 4 above (ie the hash function of the cipher 526 * suite associated with the PSK identity) with the PSK as HMAC key to the 527 * concatenation of: 528 * - the NQN of the host (i.e., NQNh) not including the null terminator; 529 * - a space character; 530 * - the NQN of the NVM subsystem (i.e., NQNc) not including the null 531 * terminator; 532 * - a space character; and 533 * - the seventeen ASCII characters "NVMe-over-Fabrics" 534 * (i.e., <PSK digest> = Base64(HMAC(PSK, NQNh || " " || NQNc || " " || 535 * "NVMe-over-Fabrics"))). 536 * The length of the PSK digest depends on the hash function used to compute 537 * it as follows: 538 * - If the SHA-256 hash function is used, the resulting PSK digest is 44 539 * characters long; or 540 * - If the SHA-384 hash function is used, the resulting PSK digest is 64 541 * characters long. 542 * 543 * Returns 0 on success with a valid digest pointer in @ret_digest, or a 544 * negative error number on failure. 545 */ 546 int nvme_auth_generate_digest(u8 hmac_id, const u8 *psk, size_t psk_len, 547 const char *subsysnqn, const char *hostnqn, 548 char **ret_digest) 549 { 550 struct nvme_auth_hmac_ctx hmac; 551 u8 digest[NVME_AUTH_MAX_DIGEST_SIZE]; 552 size_t hash_len = nvme_auth_hmac_hash_len(hmac_id); 553 char *enc; 554 size_t enc_len; 555 int ret; 556 557 if (WARN_ON(!subsysnqn || !hostnqn)) 558 return -EINVAL; 559 560 if (hash_len == 0) { 561 pr_warn("%s: invalid hash algorithm %d\n", 562 __func__, hmac_id); 563 return -EINVAL; 564 } 565 566 switch (hash_len) { 567 case 32: 568 enc_len = 44; 569 break; 570 case 48: 571 enc_len = 64; 572 break; 573 default: 574 pr_warn("%s: invalid hash algorithm '%s'\n", 575 __func__, nvme_auth_hmac_name(hmac_id)); 576 return -EINVAL; 577 } 578 579 enc = kzalloc(enc_len + 1, GFP_KERNEL); 580 if (!enc) { 581 ret = -ENOMEM; 582 goto out; 583 } 584 585 ret = nvme_auth_hmac_init(&hmac, hmac_id, psk, psk_len); 586 if (ret) 587 goto out; 588 nvme_auth_hmac_update(&hmac, hostnqn, strlen(hostnqn)); 589 nvme_auth_hmac_update(&hmac, " ", 1); 590 nvme_auth_hmac_update(&hmac, subsysnqn, strlen(subsysnqn)); 591 nvme_auth_hmac_update(&hmac, " NVMe-over-Fabrics", 18); 592 nvme_auth_hmac_final(&hmac, digest); 593 594 ret = base64_encode(digest, hash_len, enc, true, BASE64_STD); 595 if (ret < enc_len) { 596 ret = -ENOKEY; 597 goto out; 598 } 599 *ret_digest = enc; 600 ret = 0; 601 602 out: 603 if (ret) 604 kfree_sensitive(enc); 605 memzero_explicit(digest, sizeof(digest)); 606 return ret; 607 } 608 EXPORT_SYMBOL_GPL(nvme_auth_generate_digest); 609 610 /** 611 * nvme_auth_derive_tls_psk - Derive TLS PSK 612 * @hmac_id: Hash function identifier 613 * @psk: generated input PSK 614 * @psk_len: size of @psk 615 * @psk_digest: TLS PSK digest 616 * @ret_psk: Pointer to the resulting TLS PSK 617 * 618 * Derive a TLS PSK as specified in TP8018 Section 3.6.1.3: 619 * TLS PSK and PSK identity Derivation 620 * 621 * The TLS PSK shall be derived as follows from an input PSK 622 * (i.e., either a retained PSK or a generated PSK) and a PSK 623 * identity using the HKDF-Extract and HKDF-Expand-Label operations 624 * (refer to RFC 5869 and RFC 8446) where the hash function is the 625 * one specified by the hash specifier of the PSK identity: 626 * 1. PRK = HKDF-Extract(0, Input PSK); and 627 * 2. TLS PSK = HKDF-Expand-Label(PRK, "nvme-tls-psk", PskIdentityContext, L), 628 * where PskIdentityContext is the hash identifier indicated in 629 * the PSK identity concatenated to a space character and to the 630 * Base64 PSK digest (i.e., "<hash> <PSK digest>") and L is the 631 * output size in bytes of the hash function (i.e., 32 for SHA-256 632 * and 48 for SHA-384). 633 * 634 * Returns 0 on success with a valid psk pointer in @ret_psk or a negative 635 * error number otherwise. 636 */ 637 int nvme_auth_derive_tls_psk(int hmac_id, const u8 *psk, size_t psk_len, 638 const char *psk_digest, u8 **ret_psk) 639 { 640 static const u8 default_salt[NVME_AUTH_MAX_DIGEST_SIZE]; 641 static const char label[] = "tls13 nvme-tls-psk"; 642 const size_t label_len = sizeof(label) - 1; 643 u8 prk[NVME_AUTH_MAX_DIGEST_SIZE]; 644 size_t hash_len, ctx_len; 645 u8 *hmac_data = NULL, *tls_key; 646 size_t i; 647 int ret; 648 649 hash_len = nvme_auth_hmac_hash_len(hmac_id); 650 if (hash_len == 0) { 651 pr_warn("%s: invalid hash algorithm %d\n", 652 __func__, hmac_id); 653 return -EINVAL; 654 } 655 if (hmac_id == NVME_AUTH_HASH_SHA512) { 656 pr_warn("%s: unsupported hash algorithm %s\n", 657 __func__, nvme_auth_hmac_name(hmac_id)); 658 return -EINVAL; 659 } 660 661 if (psk_len != hash_len) { 662 pr_warn("%s: unexpected psk_len %zu\n", __func__, psk_len); 663 return -EINVAL; 664 } 665 666 /* HKDF-Extract */ 667 ret = nvme_auth_hmac(hmac_id, default_salt, hash_len, psk, psk_len, 668 prk); 669 if (ret) 670 goto out; 671 672 /* 673 * HKDF-Expand-Label (RFC 8446 section 7.1), with output length equal to 674 * the hash length (so only a single HMAC operation is needed) 675 */ 676 677 hmac_data = kmalloc(/* output length */ 2 + 678 /* label */ 1 + label_len + 679 /* context (max) */ 1 + 3 + 1 + strlen(psk_digest) + 680 /* counter */ 1, 681 GFP_KERNEL); 682 if (!hmac_data) { 683 ret = -ENOMEM; 684 goto out; 685 } 686 /* output length */ 687 i = 0; 688 hmac_data[i++] = hash_len >> 8; 689 hmac_data[i++] = hash_len; 690 691 /* label */ 692 static_assert(label_len <= 255); 693 hmac_data[i] = label_len; 694 memcpy(&hmac_data[i + 1], label, label_len); 695 i += 1 + label_len; 696 697 /* context */ 698 ctx_len = sprintf(&hmac_data[i + 1], "%02d %s", hmac_id, psk_digest); 699 if (ctx_len > 255) { 700 ret = -EINVAL; 701 goto out; 702 } 703 hmac_data[i] = ctx_len; 704 i += 1 + ctx_len; 705 706 /* counter (this overwrites the NUL terminator written by sprintf) */ 707 hmac_data[i++] = 1; 708 709 tls_key = kzalloc(psk_len, GFP_KERNEL); 710 if (!tls_key) { 711 ret = -ENOMEM; 712 goto out; 713 } 714 ret = nvme_auth_hmac(hmac_id, prk, hash_len, hmac_data, i, tls_key); 715 if (ret) { 716 kfree_sensitive(tls_key); 717 goto out; 718 } 719 *ret_psk = tls_key; 720 out: 721 kfree_sensitive(hmac_data); 722 memzero_explicit(prk, sizeof(prk)); 723 return ret; 724 } 725 EXPORT_SYMBOL_GPL(nvme_auth_derive_tls_psk); 726 727 MODULE_DESCRIPTION("NVMe Authentication framework"); 728 MODULE_LICENSE("GPL v2"); 729