[PATCH 06/21] nvme-auth: common: explicitly verify psk_len == hash_len
Hannes Reinecke
hare at suse.de
Mon Mar 2 02:05:57 PST 2026
On 3/2/26 08:59, Eric Biggers wrote:
> nvme_auth_derive_tls_psk() is always called with psk_len == hash_len.
> And based on the comments above nvme_auth_generate_psk() and
> nvme_auth_derive_tls_psk(), this isn't an implementation choice but
> rather just the length the spec uses. Add a check which makes this
> explicit, so that when cleaning up nvme_auth_derive_tls_psk() we don't
> have to retain support for arbitrary values of psk_len.
>
> Signed-off-by: Eric Biggers <ebiggers at kernel.org>
> ---
> drivers/nvme/common/auth.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c
> index 2f83c9ddea5ec..9e33fc02cf51a 100644
> --- a/drivers/nvme/common/auth.c
> +++ b/drivers/nvme/common/auth.c
> @@ -786,10 +786,15 @@ int nvme_auth_derive_tls_psk(int hmac_id, const u8 *psk, size_t psk_len,
> pr_warn("%s: unsupported hash algorithm %s\n",
> __func__, hmac_name);
> return -EINVAL;
> }
>
> + if (psk_len != nvme_auth_hmac_hash_len(hmac_id)) {
> + pr_warn("%s: unexpected psk_len %zu\n", __func__, psk_len);
> + return -EINVAL;
> + }
> +
> hmac_tfm = crypto_alloc_shash(hmac_name, 0, 0);
> if (IS_ERR(hmac_tfm))
> return PTR_ERR(hmac_tfm);
>
> prk_len = crypto_shash_digestsize(hmac_tfm);
Reviewed-by: Hannes Reinecke <hare at suse.de>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare at suse.de +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich
More information about the Linux-nvme
mailing list