Commit f74bf0d0 authored by Konrad Sztyber's avatar Konrad Sztyber Committed by Tomasz Zawadzki

nvmf/auth: check for support when adding dhchap keys



In-band authentication requires a certain version of openssl (it needs to
define the EVP_MAC* functions).  With an older version, it's possible to
specify a dhchap key when adding a host, but it wouldn't be possible to
use it for authentication because calculating DH-HMAC-CHAP response
would always fail.

This behavior could be a bit misleading to the users, so this patch
makes it impossible to add a host with dhchap key if the version of
openssl is too old.

Signed-off-by: default avatarKonrad Sztyber <konrad.sztyber@intel.com>
Change-Id: I03738b0c16d4b641aaa165262284cd6f5ca9a7aa
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/22657


Tested-by: default avatarSPDK CI Jenkins <sys_sgci@intel.com>
Community-CI: Mellanox Build Bot
Reviewed-by: default avatarJim Harris <jim.harris@samsung.com>
Reviewed-by: default avatarBen Walker <ben@nvidia.com>
parent 0a6bb8ca
+3 −1
@@ -11,9 +11,11 @@ SO_MINOR := 0

C_SRCS = ctrlr.c ctrlr_discovery.c ctrlr_bdev.c \
	 subsystem.c nvmf.c nvmf_rpc.c transport.c tcp.c \
	 auth.c
	 stubs.c

C_SRCS-$(CONFIG_RDMA) += rdma.c
C_SRCS-$(CONFIG_HAVE_EVP_MAC) += auth.c

LIBNAME = nvmf
LOCAL_SYS_LIBS =
ifeq ($(CONFIG_RDMA),y)
+6 −0
@@ -89,4 +89,10 @@ nvmf_qpair_auth_destroy(struct spdk_nvmf_qpair *qpair)
	free(qpair->auth);
	qpair->auth = NULL;
}

bool
nvmf_auth_is_supported(void)
{
	return true;
}
SPDK_LOG_REGISTER_COMPONENT(nvmf_auth)
+1 −0
@@ -518,6 +518,7 @@ int nvmf_qpair_auth_init(struct spdk_nvmf_qpair *qpair);
void nvmf_qpair_auth_destroy(struct spdk_nvmf_qpair *qpair);

int nvmf_auth_request_exec(struct spdk_nvmf_request *req);
bool nvmf_auth_is_supported(void);

static inline bool
nvmf_request_is_fabric_connect(struct spdk_nvmf_request *req)

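--- /dev/null
+++ b/lib/nvmf/stubs.c
@@ -0,0 +1,44 @@
+/* SPDX-License-Identifier: BSD-3-Clause
+ * Copyright (c) 2024 Intel Corporation
+ */
+
+#include "spdk/config.h"
+#include "spdk/log.h"
+#include "spdk/nvmf_transport.h"
+
+#include "nvmf_internal.h"
+
+#ifndef SPDK_CONFIG_HAVE_EVP_MAC
+int
+nvmf_qpair_auth_init(struct spdk_nvmf_qpair *qpair)
+{
+	return -ENOTSUP;
+}
+
+void
+nvmf_qpair_auth_destroy(struct spdk_nvmf_qpair *qpair)
+{
+	assert(qpair->auth == NULL);
+}
+
+int
+nvmf_auth_request_exec(struct spdk_nvmf_request *req)
+{
+	struct spdk_nvme_cpl *cpl = &req->rsp->nvme_cpl;
+
+	cpl->status.sct = SPDK_NVME_SCT_GENERIC;
+	cpl->status.sc = SPDK_NVME_SC_INVALID_OPCODE;
+
+	spdk_nvmf_request_complete(req);
+
+	return SPDK_NVMF_REQUEST_EXEC_STATUS_ASYNCHRONOUS;
+}
+
+bool
+nvmf_auth_is_supported(void)
+{
+	return false;
+}
+
+SPDK_LOG_REGISTER_COMPONENT(nvmf_auth)
+#endif /* !SPDK_CONFIG_HAVE_EVP_MAC */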
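Review bot: Nothing in this file says when the stubs are live or why each one fails the way it does, which matters because they decide what a target built without EVP_MAC does with authentication commands. A short header comment above the `#ifndef`, e.g. `/* Fallbacks used when OpenSSL lacks EVP_MAC (auth.c is not built); every entry point reports authentication as unavailable. */`, would make the intent explicit. In `nvmf_qpair_auth_destroy` the only check is `assert(qpair->auth == NULL)`, which presumably compiles out in release builds, so a comment noting that nothing is ever allocated because `nvmf_qpair_auth_init` always returns `-ENOTSUP` would help there too. Whether callers of `nvmf_qpair_auth_init` treat that error as fatal for the qpair is not visible on this page and is worth confirming.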
+6 −0
@@ -997,6 +997,12 @@ spdk_nvmf_subsystem_add_host_ext(struct spdk_nvmf_subsystem *subsystem,

	key = SPDK_GET_FIELD(opts, dhchap_key, NULL);
	if (key != NULL) {
		if (!nvmf_auth_is_supported()) {
			SPDK_ERRLOG("NVMe in-band authentication is unsupported\n");
			pthread_mutex_unlock(&subsystem->mutex);
			free(host);
			return -EINVAL;
		}
		host->dhchap_key = spdk_key_dup(key);
		if (host->dhchap_key == NULL) {
			pthread_mutex_unlock(&subsystem->mutex);
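Review bot: The new rejection path returns `-EINVAL`, while the stub `nvmf_qpair_auth_init` added in the same commit reports the same condition as `-ENOTSUP`. Using `return -ENOTSUP;` here as well would let management callers tell "this build cannot do DH-HMAC-CHAP" apart from a malformed request. The check also runs only after `host` has been allocated and the subsystem mutex taken (inferred from the unlock/free cleanup in the branch), so it could move next to any earlier argument validation and drop the duplicated cleanup. The start of `spdk_nvmf_subsystem_add_host_ext` is outside the hunk, so that placement needs confirming against the full function.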