[PATCH 06/21] nvme-auth: common: explicitly verify psk_len == hash_len
Eric Biggers
ebiggers at kernel.org
Sun Mar 1 23:59:44 PST 2026
nvme_auth_derive_tls_psk() is always called with psk_len == hash_len.
And based on the comments above nvme_auth_generate_psk() and
nvme_auth_derive_tls_psk(), this isn't an implementation choice but
rather just the length the spec uses. Add a check which makes this
explicit, so that when cleaning up nvme_auth_derive_tls_psk() we don't
have to retain support for arbitrary values of psk_len.
Signed-off-by: Eric Biggers <ebiggers at kernel.org>
---
drivers/nvme/common/auth.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c
index 2f83c9ddea5ec..9e33fc02cf51a 100644
--- a/drivers/nvme/common/auth.c
+++ b/drivers/nvme/common/auth.c
@@ -786,10 +786,15 @@ int nvme_auth_derive_tls_psk(int hmac_id, const u8 *psk, size_t psk_len,
pr_warn("%s: unsupported hash algorithm %s\n",
__func__, hmac_name);
return -EINVAL;
}
+ if (psk_len != nvme_auth_hmac_hash_len(hmac_id)) {
+ pr_warn("%s: unexpected psk_len %zu\n", __func__, psk_len);
+ return -EINVAL;
+ }
+
hmac_tfm = crypto_alloc_shash(hmac_name, 0, 0);
if (IS_ERR(hmac_tfm))
return PTR_ERR(hmac_tfm);
prk_len = crypto_shash_digestsize(hmac_tfm);
--
2.53.0
More information about the Linux-nvme
mailing list