[PATCH 04/21] nvme-auth: common: add KUnit tests for TLS key derivation
Eric Biggers
ebiggers at kernel.org
Mon Mar 2 16:26:49 PST 2026
On Mon, Mar 02, 2026 at 11:04:43AM +0100, Hannes Reinecke wrote:
> Which discrepancies do you see between the specified algorithm
> and the implementation?
I'm looking at the latest NVM Express Base Specification, v2.3.
First, there's the following:
The host computes KS as the hash of the ephemeral DH key resulting
from the combination of the random value y selected by the host with
the DH exponential (i.e., gx mod p) received from the controller
(i.e., KS = H((gx mod p)y mod p) = H(gxy mod p)).
The actual code skips that step when deriving the PSK, and just
considers the DH value directly to be "KS" and uses it directly as an
HMAC key. That is something that should never be done. DH values are
not uniformly distributed and must not be used directly as keys.
Second, the only mention of HKDF is in section 8.3.5.6.2. Assuming that
corresponds to what was attempted to be implemented in
nvme_auth_derive_tls_psk(), it does not match because (at least) the
specified label does not match the one used in the code.
Those are just a couple things I noticed in a very quick glance.
(There's also the key reuse bug I pointed out before. But it sounds
like that's a bug in the spec, not the code.)
- Eric
More information about the Linux-nvme
mailing list