diff options
| author | Eric Biggers <ebiggers@kernel.org> | 2026-03-01 23:59:55 -0800 |
|---|---|---|
| committer | Keith Busch <kbusch@kernel.org> | 2026-03-27 07:35:02 -0700 |
| commit | e501533f671f6576c032fa40376e413cba4bfb25 (patch) | |
| tree | 71c680bf836179c3d966cc6ac823435d96e484e4 | |
| parent | efe8df9f9ce12903244e42038346de6afec473de (diff) | |
nvme-auth: target: use crypto library in nvmet_auth_host_hash()
For the HMAC computation in nvmet_auth_host_hash(), use the crypto
library instead of crypto_shash. This is simpler, faster, and more
reliable. Notably, this eliminates the crypto transformation object
allocation for every call, which was very slow.
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>
| -rw-r--r-- | drivers/nvme/target/auth.c | 90 |
1 files changed, 28 insertions, 62 deletions
diff --git a/drivers/nvme/target/auth.c b/drivers/nvme/target/auth.c index 08c1783d70fc..fc56ce74d20f 100644 --- a/drivers/nvme/target/auth.c +++ b/drivers/nvme/target/auth.c @@ -283,47 +283,30 @@ bool nvmet_check_auth_status(struct nvmet_req *req) int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response, unsigned int shash_len) { - struct crypto_shash *shash_tfm; - SHASH_DESC_ON_STACK(shash, shash_tfm); + struct nvme_auth_hmac_ctx hmac; struct nvmet_ctrl *ctrl = req->sq->ctrl; - const char *hash_name; u8 *challenge = req->sq->dhchap_c1; struct nvme_dhchap_key *transformed_key; u8 buf[4]; int ret; - hash_name = nvme_auth_hmac_name(ctrl->shash_id); - if (!hash_name) { - pr_warn("Hash ID %d invalid\n", ctrl->shash_id); - return -EINVAL; - } - - shash_tfm = crypto_alloc_shash(hash_name, 0, 0); - if (IS_ERR(shash_tfm)) { - pr_err("failed to allocate shash %s\n", hash_name); - return PTR_ERR(shash_tfm); - } - - if (shash_len != crypto_shash_digestsize(shash_tfm)) { - pr_err("%s: hash len mismatch (len %d digest %d)\n", - __func__, shash_len, - crypto_shash_digestsize(shash_tfm)); - ret = -EINVAL; - goto out_free_tfm; - } - transformed_key = nvme_auth_transform_key(ctrl->host_key, ctrl->hostnqn); - if (IS_ERR(transformed_key)) { - ret = PTR_ERR(transformed_key); - goto out_free_tfm; - } + if (IS_ERR(transformed_key)) + return PTR_ERR(transformed_key); - ret = crypto_shash_setkey(shash_tfm, transformed_key->key, + ret = nvme_auth_hmac_init(&hmac, ctrl->shash_id, transformed_key->key, transformed_key->len); if (ret) goto out_free_response; + if (shash_len != nvme_auth_hmac_hash_len(ctrl->shash_id)) { + pr_err("%s: hash len mismatch (len %u digest %zu)\n", __func__, + shash_len, nvme_auth_hmac_hash_len(ctrl->shash_id)); + ret = -EINVAL; + goto out_free_response; + } + if (ctrl->dh_gid != NVME_AUTH_DHGROUP_NULL) { challenge = kmalloc(shash_len, GFP_KERNEL); if (!challenge) { @@ -336,54 +319,37 @@ int nvmet_auth_host_hash(struct nvmet_req *req, u8 *response, req->sq->dhchap_c1, challenge, shash_len); if (ret) - goto out; + goto out_free_challenge; } pr_debug("ctrl %d qid %d host response seq %u transaction %d\n", ctrl->cntlid, req->sq->qid, req->sq->dhchap_s1, req->sq->dhchap_tid); - shash->tfm = shash_tfm; - ret = crypto_shash_init(shash); - if (ret) - goto out; - ret = crypto_shash_update(shash, challenge, shash_len); - if (ret) - goto out; + nvme_auth_hmac_update(&hmac, challenge, shash_len); + put_unaligned_le32(req->sq->dhchap_s1, buf); - ret = crypto_shash_update(shash, buf, 4); - if (ret) - goto out; + nvme_auth_hmac_update(&hmac, buf, 4); + put_unaligned_le16(req->sq->dhchap_tid, buf); - ret = crypto_shash_update(shash, buf, 2); - if (ret) - goto out; + nvme_auth_hmac_update(&hmac, buf, 2); + *buf = req->sq->sc_c; - ret = crypto_shash_update(shash, buf, 1); - if (ret) - goto out; - ret = crypto_shash_update(shash, "HostHost", 8); - if (ret) - goto out; + nvme_auth_hmac_update(&hmac, buf, 1); + nvme_auth_hmac_update(&hmac, "HostHost", 8); memset(buf, 0, 4); - ret = crypto_shash_update(shash, ctrl->hostnqn, strlen(ctrl->hostnqn)); - if (ret) - goto out; - ret = crypto_shash_update(shash, buf, 1); - if (ret) - goto out; - ret = crypto_shash_update(shash, ctrl->subsys->subsysnqn, - strlen(ctrl->subsys->subsysnqn)); - if (ret) - goto out; - ret = crypto_shash_final(shash, response); -out: + nvme_auth_hmac_update(&hmac, ctrl->hostnqn, strlen(ctrl->hostnqn)); + nvme_auth_hmac_update(&hmac, buf, 1); + nvme_auth_hmac_update(&hmac, ctrl->subsys->subsysnqn, + strlen(ctrl->subsys->subsysnqn)); + nvme_auth_hmac_final(&hmac, response); + ret = 0; +out_free_challenge: if (challenge != req->sq->dhchap_c1) kfree(challenge); out_free_response: + memzero_explicit(&hmac, sizeof(hmac)); nvme_auth_free_key(transformed_key); -out_free_tfm: - crypto_free_shash(shash_tfm); return ret; } |