]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: be01b84)
nvme-auth: common: use crypto library in nvme_auth_generate_digest()
authorEric Biggers <ebiggers@kernel.org>
Mon, 2 Mar 2026 07:59:49 +0000 (23:59 -0800)
committerKeith Busch <kbusch@kernel.org>
Fri, 27 Mar 2026 14:35:01 +0000 (07:35 -0700)
For the HMAC computation in nvme_auth_generate_digest(), use the crypto
library instead of crypto_shash.  This is simpler, faster, and more
reliable.  Notably, this eliminates the crypto transformation object
allocation for every call, which was very slow.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>
drivers/nvme/common/auth.c patch | blob | blame | history

diff --git a/drivers/nvme/common/auth.c b/drivers/nvme/common/auth.c
index 781d1d5d46dd3bdb87ddb04e7f802d5688fcae7b..f0b4e1c6ade7e491c4f8e70deca1335e7f8a8580 100644 (file)
--- a/drivers/nvme/common/auth.c
+++ b/drivers/nvme/common/auth.c
@@ -561,99 +561,62 @@ int nvme_auth_generate_digest(u8 hmac_id, const u8 *psk, size_t psk_len,
                              const char *subsysnqn, const char *hostnqn,
                              char **ret_digest)
 {
-       struct crypto_shash *tfm;
-       SHASH_DESC_ON_STACK(shash, tfm);
-       u8 *digest;
+       struct nvme_auth_hmac_ctx hmac;
+       u8 digest[NVME_AUTH_MAX_DIGEST_SIZE];
+       size_t hash_len = nvme_auth_hmac_hash_len(hmac_id);
        char *enc;
-       const char *hmac_name;
-       size_t digest_len, hmac_len;
+       size_t enc_len;
        int ret;
 
        if (WARN_ON(!subsysnqn || !hostnqn))
                return -EINVAL;
 
-       hmac_name = nvme_auth_hmac_name(hmac_id);
-       if (!hmac_name) {
+       if (hash_len == 0) {
                pr_warn("%s: invalid hash algorithm %d\n",
                        __func__, hmac_id);
                return -EINVAL;
        }
 
-       switch (nvme_auth_hmac_hash_len(hmac_id)) {
+       switch (hash_len) {
        case 32:
-               hmac_len = 44;
+               enc_len = 44;
                break;
        case 48:
-               hmac_len = 64;
+               enc_len = 64;
                break;
        default:
                pr_warn("%s: invalid hash algorithm '%s'\n",
-                       __func__, hmac_name);
+                       __func__, nvme_auth_hmac_name(hmac_id));
                return -EINVAL;
        }
 
-       enc = kzalloc(hmac_len + 1, GFP_KERNEL);
-       if (!enc)
-               return -ENOMEM;
-
-       tfm = crypto_alloc_shash(hmac_name, 0, 0);
-       if (IS_ERR(tfm)) {
-               ret = PTR_ERR(tfm);
-               goto out_free_enc;
-       }
-
-       digest_len = crypto_shash_digestsize(tfm);
-       digest = kzalloc(digest_len, GFP_KERNEL);
-       if (!digest) {
+       enc = kzalloc(enc_len + 1, GFP_KERNEL);
+       if (!enc) {
                ret = -ENOMEM;
-               goto out_free_tfm;
+               goto out;
        }
 
-       shash->tfm = tfm;
-       ret = crypto_shash_setkey(tfm, psk, psk_len);
+       ret = nvme_auth_hmac_init(&hmac, hmac_id, psk, psk_len);
        if (ret)
-               goto out_free_digest;
-
-       ret = crypto_shash_init(shash);
-       if (ret)
-               goto out_free_digest;
-
-       ret = crypto_shash_update(shash, hostnqn, strlen(hostnqn));
-       if (ret)
-               goto out_free_digest;
-
-       ret = crypto_shash_update(shash, " ", 1);
-       if (ret)
-               goto out_free_digest;
-
-       ret = crypto_shash_update(shash, subsysnqn, strlen(subsysnqn));
-       if (ret)
-               goto out_free_digest;
-
-       ret = crypto_shash_update(shash, " NVMe-over-Fabrics", 18);
-       if (ret)
-               goto out_free_digest;
-
-       ret = crypto_shash_final(shash, digest);
-       if (ret)
-               goto out_free_digest;
-
-       ret = base64_encode(digest, digest_len, enc, true, BASE64_STD);
-       if (ret < hmac_len) {
+               goto out;
+       nvme_auth_hmac_update(&hmac, hostnqn, strlen(hostnqn));
+       nvme_auth_hmac_update(&hmac, " ", 1);
+       nvme_auth_hmac_update(&hmac, subsysnqn, strlen(subsysnqn));
+       nvme_auth_hmac_update(&hmac, " NVMe-over-Fabrics", 18);
+       nvme_auth_hmac_final(&hmac, digest);
+
+       ret = base64_encode(digest, hash_len, enc, true, BASE64_STD);
+       if (ret < enc_len) {
                ret = -ENOKEY;
-               goto out_free_digest;
+               goto out;
        }
        *ret_digest = enc;
        ret = 0;
 
-out_free_digest:
-       kfree_sensitive(digest);
-out_free_tfm:
-       crypto_free_shash(tfm);
-out_free_enc:
+out:
        if (ret)
                kfree_sensitive(enc);
-
+       memzero_explicit(digest, sizeof(digest));
        return ret;
 }
 EXPORT_SYMBOL_GPL(nvme_auth_generate_digest);
A mirror of Linus' kernel repository