Re: [PATCHv5 00/12] nvme: In-band authentication support

[PATCHv5 00/12] nvme: In-band authentication support · Hannes Reinecke <hare@suse.de> · 2021-11-12
[PATCH 09/12] nvmet: Parse fabrics commands on all queues · Hannes Reinecke <hare@suse.de> · 2021-11-12
Re: [PATCH 09/12] nvmet: Parse fabrics commands on all queues · Himanshu Madhani <hidden> · 2021-11-15
[PATCH 12/12] nvmet-auth: expire authentication sessions · Hannes Reinecke <hare@suse.de> · 2021-11-12
[PATCH 04/12] lib/base64: RFC4648-compliant base64 encoding · Hannes Reinecke <hare@suse.de> · 2021-11-12
Re: [PATCH 04/12] lib/base64: RFC4648-compliant base64 encoding · Himanshu Madhani <hidden> · 2021-11-15
[PATCH 01/12] crypto: add crypto_has_shash() · Hannes Reinecke <hare@suse.de> · 2021-11-12
Re: [PATCH 01/12] crypto: add crypto_has_shash() · Himanshu Madhani <hidden> · 2021-11-15
[PATCH 11/12] nvmet-auth: Diffie-Hellman key exchange support · Hannes Reinecke <hare@suse.de> · 2021-11-12
[PATCH 06/12] nvme-fabrics: decode 'authentication required' connect error · Hannes Reinecke <hare@suse.de> · 2021-11-12
Re: [PATCH 06/12] nvme-fabrics: decode 'authentication required' connect error · Himanshu Madhani <hidden> · 2021-11-15
[PATCH 02/12] crypto: add crypto_has_kpp() · Hannes Reinecke <hare@suse.de> · 2021-11-12
Re: [PATCH 02/12] crypto: add crypto_has_kpp() · Himanshu Madhani <hidden> · 2021-11-15
[PATCH 08/12] nvme-auth: Diffie-Hellman key exchange support · Hannes Reinecke <hare@suse.de> · 2021-11-12
[PATCH 05/12] nvme: add definitions for NVMe In-Band authentication · Hannes Reinecke <hare@suse.de> · 2021-11-12
Re: [PATCH 05/12] nvme: add definitions for NVMe In-Band authentication · Himanshu Madhani <hidden> · 2021-11-15
[PATCH 03/12] crypto/ffdhe: Finite Field DH Ephemeral Parameters · Hannes Reinecke <hare@suse.de> · 2021-11-12
Re: [PATCH 03/12] crypto/ffdhe: Finite Field DH Ephemeral Parameters · Sagi Grimberg <sagi@grimberg.me> · 2021-11-15
Re: [PATCH 03/12] crypto/ffdhe: Finite Field DH Ephemeral Parameters · Himanshu Madhani <hidden> · 2021-11-15
[PATCH 10/12] nvmet: Implement basic In-Band Authentication · Hannes Reinecke <hare@suse.de> · 2021-11-12
[PATCH 07/12] nvme: Implement In-Band authentication · Hannes Reinecke <hare@suse.de> · 2021-11-12
Re: [PATCH 07/12] nvme: Implement In-Band authentication · Sagi Grimberg <sagi@grimberg.me> · 2021-11-16
Re: [PATCH 07/12] nvme: Implement In-Band authentication · Hannes Reinecke <hare@suse.de> · 2021-11-16
Re: [PATCH 07/12] nvme: Implement In-Band authentication · Sagi Grimberg <sagi@grimberg.me> · 2021-11-16
Re: [PATCH 07/12] nvme: Implement In-Band authentication · Hannes Reinecke <hare@suse.de> · 2021-11-16
Re: [PATCHv5 00/12] nvme: In-band authentication support · Sagi Grimberg <sagi@grimberg.me> · 2021-11-14
Re: [PATCHv5 00/12] nvme: In-band authentication support · Hannes Reinecke <hare@suse.de> · 2021-11-14
Re: [PATCHv5 00/12] nvme: In-band authentication support · Sagi Grimberg <sagi@grimberg.me> · 2021-11-15
Re: [PATCHv5 00/12] nvme: In-band authentication support · Hannes Reinecke <hare@suse.de> · 2021-11-15
Re: [PATCHv5 00/12] nvme: In-band authentication support · Sagi Grimberg <sagi@grimberg.me> · 2021-11-15
Re: [PATCHv5 00/12] nvme: In-band authentication support · Sagi Grimberg <sagi@grimberg.me> · 2021-11-16
Re: [PATCHv5 00/12] nvme: In-band authentication support · Hannes Reinecke <hare@suse.de> · 2021-11-16
Re: [PATCHv5 00/12] nvme: In-band authentication support · Sagi Grimberg <sagi@grimberg.me> · 2021-11-16

From: Hannes Reinecke <hare@suse.de>
Date: 2021-11-16 10:23:58
Also in: linux-nvme

On 11/16/21 11:18 AM, Sagi Grimberg wrote:

quoted

- Transform secret with correct hmac algorithm

Is that what I reported last time? Can you perhaps
point me to the exact patch that fixes this?

Well, no, not really; the patch itself got squashed in the main
patches.
But problem here was that the key transformation from section 8.13.5.7
had been using the hash algorithm from the initial challenge, not the
one specified in the key itself.
This lead to decoding errors when using a key with a different length
than the hash algorithm.

That is exactly what I reported, changing the key length leads to
authentication errors.

Right-o. So it should be sorted then.

Hannes, was the issue on the host side or the controller side?

The issue was actually on the host side.

I'm a little lost into what was the actual fix...

The basic fix was this:

@@ -927,13 +944,17 @@ static int nvme_auth_dhchap_host_response(struct

nvme_ctrl
 *ctrl,

        if (!chap->host_response) {
                chap->host_response =
nvme_auth_transform_key(ctrl->dhchap_key,
-                                       ctrl->dhchap_key_len, chap->hash_id,
+                                       ctrl->dhchap_key_len,
+                                       ctrl->dhchap_key_hash,
                                        ctrl->opts->host->nqn);
                if (IS_ERR(chap->host_response)) {
                        ret = PTR_ERR(chap->host_response);
                        chap->host_response = NULL;
                        return ret;
                }


(minus the linebreaks, of course).
'chap->hash_id' is the hash selected by the initial negotiation, which
is wrong as we should have used the hash function selected by the key
itself.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help