Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp3591694pxv; Mon, 19 Jul 2021 04:13:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwu+okBwN2K8s5Fl+YvxKFnAIT/GcJ+lHTnM2mAo7e2zp6FH5vpDI5jFKOlckEv5r7r9e6I X-Received: by 2002:a17:906:9c84:: with SMTP id fj4mr25605150ejc.180.1626693191481; Mon, 19 Jul 2021 04:13:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1626693191; cv=none; d=google.com; s=arc-20160816; b=goCrCocZ+cCUUE+uPpT5kxO5qVWT8k+1iPqb37clTSNgPXJxSMZRhad/sJ/FFruIYN kEm6flZMWb1qkKF+39VY8i7J4kiTBBq1wDuk/u9i9RTbSdY62SnCWDkgLf80tSWUiBEN /31hHJif/3UofpYrYuoigLVGD+Q04wHFvS6IClVCFgD60IcIgq3gy8XJVuvuKkYdojSg +e4aFQOnD/YFP3IWLWoNzm6fr22o5CdT5YJZyKqZhVtL0bHPBiWcjjLdqksG+8ga4JIo r6Qk8tKB0J0fd14ldVsrM4bX9dWnOGr9YvybgW6UdfSBNLmjkBND+FsUu00koQFN7d/Y RYlw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:subject:from :references:cc:to:dkim-signature:dkim-signature; bh=I3F3x6ejzeetKwA6HIYGtlYGA0sYpAZPeq5bfUcHzUI=; b=Uwuivei2GweHdo5OaUSQHypxYYYV3Eu+oqIy8iydVVf28GBZCoEvkaZGla94px2uj4 KXIAsCe38t1qRV/hzM63ZYDoLGTWXyxUFB8hh8c3W964DBPl0255U3ehHouJRs7OkdRv tZdnnRziCzIrLNI0SjP9sXTigmanzLxWgWVtnliU/yedrQ6XMR2tVvWYNHeNmkrZowc3 YQn+qQ4veHmg8e7zdmK2GunDNH34DLX9tWTlGj/r4+x5QAstHth8hrNcHAl2J8v3hPpx +S00g0XpzSq/ULnM6A47GQI7M/V8rPwzWAYZWiVSWn3SB3l2DHpHjZljsN/750TrpnVq 9tlQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=yXMTPFxd; dkim=neutral (no key) header.i=@suse.de header.b="XzMqnk/V"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g20si19880659edv.570.2021.07.19.04.12.47; Mon, 19 Jul 2021 04:13:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=yXMTPFxd; dkim=neutral (no key) header.i=@suse.de header.b="XzMqnk/V"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236437AbhGSK3v (ORCPT + 99 others); Mon, 19 Jul 2021 06:29:51 -0400 Received: from smtp-out2.suse.de ([195.135.220.29]:41128 "EHLO smtp-out2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235905AbhGSK3v (ORCPT ); Mon, 19 Jul 2021 06:29:51 -0400 Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 5022C2021F; Mon, 19 Jul 2021 11:10:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1626693030; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=I3F3x6ejzeetKwA6HIYGtlYGA0sYpAZPeq5bfUcHzUI=; b=yXMTPFxdLsJcpr/o3d822WBZxse+jgSV0Kn7Qy5y7Ea/uhAbi4/5yHpHYy5yLMlejZI1AQ 3iJoDHWdbg95QALBNBvbfRM2yC+vRLcXqR0WrzMSAh5DHnMI1N7VrpMqroHntyqxNOpttm 1DsRb9d/yoFX2MXMKk99Ra+TYADb4OQ= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1626693030; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=I3F3x6ejzeetKwA6HIYGtlYGA0sYpAZPeq5bfUcHzUI=; b=XzMqnk/VS4h2V1HmRm8eQuZDz5m5LXxJLxrFbQAD9LfK9b0b+5vrvpZ3Rxa6iymyEOdO6s DYieXTVLtD1wEtDw== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 3FDA613CDE; Mon, 19 Jul 2021 11:10:30 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id 7RRVD6Zd9WDWSQAAMHmgww (envelope-from ); Mon, 19 Jul 2021 11:10:30 +0000 To: Stephan Mueller , Christoph Hellwig Cc: Sagi Grimberg , Keith Busch , linux-nvme@lists.infradead.org, Herbert Xu , "David S . Miller" , linux-crypto@vger.kernel.org References: <20210716110428.9727-1-hare@suse.de> <2510347.locV8n3378@positron.chronox.de> <6538288.aohFRl0Q45@positron.chronox.de> <59695981-9edc-6b7a-480a-94cca95a0b8c@suse.de> <463a191b9896dd708015645cfc125988cd5deaef.camel@chronox.de> <2af95a8e-50d9-7e2d-a556-696e9404fee4@suse.de> <740af9f7334c294ce879bef33985dfab6d0523b3.camel@chronox.de> From: Hannes Reinecke Subject: Re: [PATCH 09/11] nvmet: Implement basic In-Band Authentication Message-ID: <1eab1472-3b7b-307b-62ae-8bed39603b96@suse.de> Date: Mon, 19 Jul 2021 13:10:29 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: <740af9f7334c294ce879bef33985dfab6d0523b3.camel@chronox.de> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 7/19/21 12:19 PM, Stephan Mueller wrote: > Am Montag, dem 19.07.2021 um 11:57 +0200 schrieb Hannes Reinecke: >> On 7/19/21 10:51 AM, Stephan Mueller wrote: >>> Am Montag, dem 19.07.2021 um 10:15 +0200 schrieb Hannes Reinecke: >>>> On 7/18/21 2:56 PM, Stephan Müller wrote: >>>>> Am Sonntag, 18. Juli 2021, 14:37:34 CEST schrieb Hannes Reinecke: >>> >>>>>> The key is also used when using the ffdhe algorithm. >>>>>> Note: I _think_ that I need to use this key for the ffdhe algorithm, >>>>>> because the implementation I came up with is essentially plain DH >>>>>> with >>>>>> pre-defined 'p', 'q' and 'g' values. But the DH implementation also >>>>>> requires a 'key', and for that I'm using this key here. >>>>>> >>>>>> It might be that I'm completely off, and don't need to use a key for >>>>>> our >>>>>> DH implementation. In that case you are correct. >>>>>> (And that's why I said I'll need a review of the FFDHE >>>>>> implementation). >>>>>> But for now I'll need the key for FFDHE. >>>>> >>>>> Do I understand you correctly that the dhchap_key is used as the input >>>>> to >>>>> the >>>>> DH - i.e. it is the remote public key then? It looks strange that this >>>>> is >>>>> used >>>>> for DH but then it is changed here by hashing it together with >>>>> something >>>>> else >>>>> to form a new dhchap_key. Maybe that is what the protocol says. But it >>>>> sounds >>>>> strange to me, especially when you think that dhchap_key would be, >>>>> say, >>>>> 2048 >>>>> bits if it is truly the remote public key and then after the hashing >>>>> it is >>>>> 256 >>>>> this dhchap_key cannot be used for FFC-DH. >>>>> >>>>> Or are you using the dhchap_key for two different purposes? >>>>> >>>>> It seems I miss something here. >>>>> >>>> No, not entirely. It's me who buggered it up. >>>> I got carried away by the fact that there is a crypto_dh_encode_key() >>>> function, and thought I need to use it here. >>> >>> Thank you for clarifying that. It sounds to me that there is no defined >>> protocol (or if there, I would be wondering how the code would have worked >>> with a different implementation). Would it make sense to first specify a >>> protocol for authentication and have it discussed? I personally think it >>> is a >>> bit difficult to fully understand the protocol from the code and discuss >>> protocol-level items based on the code. >>> >> Oh, the protocol _is_ specified: >> >> https://nvmexpress.org/wp-content/uploads/NVM-Express-Base-Specification-2_0-2021.06.02-Ratified-5.pdf >> >> It's just that I have issues translating that spec onto what the kernel >> provides. > > according to the naming conventions there in figures 447 and following: > > - x and y: DH private key (kernel calls it secret set with dh_set_secret or > encoded into param.key) > But that's were I got confused; one needs a private key here, but there is no obvious candidate for it. But reading it more closely I guess the private key is just a random number (cf the spec: g^y mod p, where y is a random number selected by the host that shall be at least 256 bits long). So I'll fix it up with the next round. > - g^x mod p / g^y mod p: DH public keys from either end that is communicated > over the wire (corresponding to the the DH private keys of x and y) - to set > it, you initialize a dh request and set the public key to it with > kpp_request_set_input. After performing the crypto_kpp_compute_shared_secret > you receive the shared secret > > - g^xy mod p: DH shared secret - this is the one that is to be used for the > subsequent hashing /HMAC operations as this is the one that is identical on > both, the host and the controller. > Thanks. Will be checking the code if I do it correctly. Cheers, Hannes -- Dr. Hannes Reinecke Kernel Storage Architect hare@suse.de +49 911 74053 688 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg HRB 36809 (AG Nürnberg), GF: Felix Imendörffer