nvme-auth: use chap->s2 to indicate bidirectional authentication

Chris Leech requested to merge cleech/centos-stream-9:rhel-9-nvme-auth-bidi into main

JIRA: https://issues.redhat.com/browse/RHEL-4103

Commit 546dea18c999 ("nvme-auth: check chap ctrl_key once constructed") replaced the condition "if (ctrl->ctrl_key)" (indicating bidirectional auth) by "if (chap->ctrl_key)", because ctrl->ctrl_key is a resource shared with sysfs. But chap->ctrl_key is set in nvme_auth_process_dhchap_challenge() depending on the DHVLEN in the DH-HMAC-CHAP Challenge message received from the controller, and will thus be non-NULL for every DH-HMAC-CHAP exchange, even if unidirectional auth was requested. This will lead to a protocol violation by sending a Success2 message in the unidirectional case (per NVMe base spec 2.0, the authentication transaction ends after the Success1 message for unidirectional auth). Use chap->s2 instead, which is non-zero if and only if the host requested bi-directional authentication from the controller.

Fixes: 546dea18c999 ("nvme-auth: check chap ctrl_key once constructed")

Signed-off-by: Chris Leech <cleech@redhat.com>

Edited by Chris Leech
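
The regression described in the commit message, as an added example that is not part of the merge request or the kernel source: a simplified C model of one DH-HMAC-CHAP transaction, with a conformance check on the resulting message trace. The struct, enum and function names and the sequence-number value are assumptions made for illustration.

```c
/* Simplified model of one DH-HMAC-CHAP transaction as seen by the host.
 * All names are hypothetical; this is not the kernel's nvme-auth code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum msg { NEGOTIATE, CHALLENGE, REPLY, SUCCESS1, SUCCESS2 };
struct chap_model {
    const void *ctrl_key; /* set while processing the Challenge */
    uint32_t s2;          /* non-zero only if the host asked for bidirectional auth */
};
struct trace { enum msg m[8]; size_t n; };

static void emit(struct trace *t, enum msg m) { if (t->n < 8) t->m[t->n++] = m; }

/* Record the message sequence of one transaction. use_s2 selects the fixed
 * check (s2 != 0) instead of the regressed one (ctrl_key != NULL). */
struct trace run_host(bool want_bidi, bool use_s2)
{
    static const char key[] = "constructed";
    struct chap_model c = { NULL, 0 };
    struct trace t = { {0}, 0 };

    emit(&t, NEGOTIATE);
    emit(&t, CHALLENGE);
    c.ctrl_key = key;          /* non-NULL for every exchange, per the commit message */
    c.s2 = want_bidi ? 1 : 0;  /* constructed sequence number */
    emit(&t, REPLY);
    emit(&t, SUCCESS1);
    if (use_s2 ? (c.s2 != 0) : (c.ctrl_key != NULL))
        emit(&t, SUCCESS2);
    return t;
}

/* Conformance check: a unidirectional transaction ends at Success1,
 * a bidirectional one ends at Success2. */
bool trace_conforms(const struct trace *t, bool want_bidi)
{
    return t->n > 0 && t->m[t->n - 1] == (want_bidi ? SUCCESS2 : SUCCESS1);
}

int main(void)
{
    struct trace old = run_host(false, false), fixed = run_host(false, true);
    printf("unidirectional, ctrl_key check: %s\n", trace_conforms(&old, false) ? "ok" : "violation");
    printf("unidirectional, s2 check: %s\n", trace_conforms(&fixed, false) ? "ok" : "violation");
    return 0;
}
```

Both checks produce the same trace when bidirectional authentication is requested, so only a unidirectional test case exposes the difference.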
