Re: [PATCH 06/21] nvme-auth: common: explicitly verify psk_len == hash_len
From: Hannes Reinecke
Date: Mon Mar 02 2026 - 05:10:15 EST
On 3/2/26 08:59, Eric Biggers wrote:
nvme_auth_derive_tls_psk() is always called with psk_len == hash_len.
And based on the comments above nvme_auth_generate_psk() and
nvme_auth_derive_tls_psk(), this isn't an implementation choice but
rather just the length the spec uses. Add a check which makes this
explicit, so that when cleaning up nvme_auth_derive_tls_psk() we don't
have to retain support for arbitrary values of psk_len.
Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
---
drivers/nvme/common/auth.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c
index 2f83c9ddea5ec..9e33fc02cf51a 100644
--- a/drivers/nvme/common/auth.c
+++ b/drivers/nvme/common/auth.c
@@ -786,10 +786,15 @@ int nvme_auth_derive_tls_psk(int hmac_id, const u8 *psk, size_t psk_len,
pr_warn("%s: unsupported hash algorithm %s\n",
__func__, hmac_name);
return -EINVAL;
}
+ if (psk_len != nvme_auth_hmac_hash_len(hmac_id)) {
+ pr_warn("%s: unexpected psk_len %zu\n", __func__, psk_len);
+ return -EINVAL;
+ }
+
hmac_tfm = crypto_alloc_shash(hmac_name, 0, 0);
if (IS_ERR(hmac_tfm))
return PTR_ERR(hmac_tfm);
prk_len = crypto_shash_digestsize(hmac_tfm);
Reviewed-by: Hannes Reinecke <hare@xxxxxxx>
Cheers,
Hannes
--
Dr. Hannes Reinecke Kernel Storage Architect
hare@xxxxxxx +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich