Merge pull request #158 from igaw/nvme_gen_dhchap_key

linux: Add support to generate DH-HMAC-CHAP keys

Author: dwsuse

meson.build

@@ -43,6 +43,21 @@ conf.set('CONFIG_LIBUUID', libuuid_dep.found(), description: 'Is libuuid require
 json_c_dep = dependency('json-c', version: '>=0.13', fallback : ['json-c', 'json_c_dep'])
 conf.set('CONFIG_JSONC', json_c_dep.found(), description: 'Is json-c required?')
 
+# Check for OpenSSL availability
+openssl_dep = dependency('openssl',
+                         required: get_option('openssl'),
+                         fallback : ['openssl', 'openssl_dep'])
+if openssl_dep.found()
+  conf.set('CONFIG_OPENSSL', true, description: 'Is OpenSSL available?')
+  conf.set('CONFIG_OPENSSL_1',
+           openssl_dep.version().version_compare('<2.0.0') and
+           openssl_dep.version().version_compare('>=1.1.0'),
+           description: 'OpenSSL version 1.x')
+  conf.set('CONFIG_OPENSSL_3',
+           openssl_dep.version().version_compare('>=3.0.0'),
+           description: 'OpenSSL version 3.x')
+endif
+
 # local (cross-compilable) implementations of ccan configure steps
 conf.set10(
     'HAVE_BUILTIN_TYPES_COMPATIBLE_P',

meson_options.txt

@@ -4,3 +4,4 @@ option('pkgconfiglibdir', type : 'string', value : '', description : 'directory
 
 option('man', type : 'boolean', value : false, description : 'build and install man pages (requires sphinx-build)')
 option('python', type : 'combo', choices : ['auto', 'true', 'false'], description : 'Generate libnvme python bindings')
+option('openssl', type : 'feature', value: 'auto', description : 'OpenSSL support')

src/libnvme.map

@@ -68,6 +68,7 @@ LIBNVME_1_0 {
 		nvme_fw_commit;
 		nvme_fw_download;
 		nvme_fw_download_seq;
+		nvme_gen_dhchap_key;
 		nvme_get_ana_log_len;
 		nvme_get_attr;
 		nvme_get_ctrl_attr;

src/meson.build

@@ -23,6 +23,7 @@ endif
 deps = [
     libuuid_dep,
     json_c_dep,
+    openssl_dep,
 ]
 
 source_dir = meson.current_source_dir()
@@ -51,6 +52,7 @@ pkg.generate(libnvme,
 
 libnvme_dep = declare_dependency(
     include_directories: incdir,
+    dependencies: deps,
     link_with: libnvme,
 )
 

src/nvme/linux.c

@@ -17,6 +17,17 @@
 #include <fcntl.h>
 #include <unistd.h>
 
+#ifdef CONFIG_OPENSSL
+#include <openssl/engine.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+#ifdef CONFIG_OPENSSL_3
+#include <openssl/core_names.h>
+#include <openssl/params.h>
+#endif
+#endif
+
 #include <ccan/endian/endian.h>
 
 #include "linux.h"
@@ -386,3 +397,201 @@ char *nvme_get_path_attr(nvme_path_t p, const char *attr)
 {
 	return nvme_get_attr(nvme_path_get_sysfs_dir(p), attr);
 }
+
+#ifndef CONFIG_OPENSSL
+int nvme_gen_dhchap_key(char *hostnqn, enum nvme_hmac_alg hmac,
+			unsigned int key_len, unsigned char *secret,
+			unsigned char *key)
+{
+	if (hmac != NVME_HMAC_ALG_NONE) {
+		nvme_msg(LOG_ERR, "HMAC transformation not supported; " \
+			"recompile with OpenSSL support.\n");
+		errno = -EINVAL;
+		return -1;
+	}
+
+	memcpy(key, secret, key_len);
+	return 0;
+}
+#endif /* !CONFIG_OPENSSL */
+
+#ifdef CONFIG_OPENSSL_1
+int nvme_gen_dhchap_key(char *hostnqn, enum nvme_hmac_alg hmac,
+			unsigned int key_len, unsigned char *secret,
+			unsigned char *key)
+{
+	const char hmac_seed[] = "NVMe-over-Fabrics";
+	HMAC_CTX *hmac_ctx;
+	const EVP_MD *md;
+	int err = -1;
+
+	ENGINE_load_builtin_engines();
+	ENGINE_register_all_complete();
+
+	hmac_ctx = HMAC_CTX_new();
+	if (!hmac_ctx) {
+		nvme_msg(LOG_ERR, "OpenSSL: could not create HMAC context\n");
+		errno = ENOENT;
+		return err;
+	}
+
+	switch (hmac) {
+	case NVME_HMAC_ALG_NONE:
+		memcpy(key, secret, key_len);
+		err = 0;
+		goto out;
+	case NVME_HMAC_ALG_SHA2_256:
+		md = EVP_sha256();
+		break;
+	case NVME_HMAC_ALG_SHA2_384:
+		md = EVP_sha384();
+		break;
+	case NVME_HMAC_ALG_SHA2_512:
+		md = EVP_sha512();
+		break;
+	default:
+		errno = EINVAL;
+		goto out;
+	}
+
+	if (!md) {
+		nvme_msg(LOG_ERR, "OpenSSL: could not fetch hash function\n");
+		errno = ENOENT;
+		goto out;
+	}
+
+	if (!HMAC_Init_ex(hmac_ctx, secret, key_len, md, NULL)) {
+		nvme_msg(LOG_ERR, "OpenSSL: initializing HMAC context failed\n");
+		errno = ENOENT;
+		goto out;
+	}
+
+	if (!HMAC_Update(hmac_ctx, (unsigned char *)hostnqn,
+			 strlen(hostnqn))) {
+		nvme_msg(LOG_ERR, "OpenSSL: HMAC for hostnqn failed\n");
+		errno = ENOENT;
+		goto out;
+	}
+
+	if (!HMAC_Update(hmac_ctx, (unsigned char *)hmac_seed,
+			 strlen(hmac_seed))) {
+		nvme_msg(LOG_ERR, "OpenSSL: HMAC for seed failed\n");
+		errno = ENOENT;
+		goto out;
+	}
+
+	if (!HMAC_Final(hmac_ctx, key, &key_len)) {
+		nvme_msg(LOG_ERR, "OpenSSL: finializing MAC failed\n");
+		errno = ENOENT;
+		goto out;
+	}
+
+	err = 0;
+
+out:
+	HMAC_CTX_free(hmac_ctx);
+	return err;
+}
+#endif /* !CONFIG_OPENSSL_1 */
+
+#ifdef CONFIG_OPENSSL_3
+int nvme_gen_dhchap_key(char *hostnqn, enum nvme_hmac_alg hmac,
+			unsigned int key_len, unsigned char *secret,
+			unsigned char *key)
+{
+	const char hmac_seed[] = "NVMe-over-Fabrics";
+	OSSL_PARAM params[2], *p = params;
+	OSSL_LIB_CTX *lib_ctx;
+	EVP_MAC_CTX *mac_ctx = NULL;
+	EVP_MAC *mac = NULL;
+	char *progq = NULL;
+	char *digest;
+	size_t len;
+	int err = -1;
+
+	lib_ctx = OSSL_LIB_CTX_new();
+	if (!lib_ctx) {
+		nvme_msg(LOG_ERR, "OpenSSL: Library initializing failed\n");
+		errno = ENOENT;
+		return err;
+	}
+
+	mac = EVP_MAC_fetch(lib_ctx, OSSL_MAC_NAME_HMAC, progq);
+	if (!mac) {
+		nvme_msg(LOG_ERR, "OpenSSL: could not fetch HMAC algorithm\n");
+		errno = EINVAL;
+		goto out;
+	}
+
+	mac_ctx = EVP_MAC_CTX_new(mac);
+	if (!mac_ctx) {
+		nvme_msg(LOG_ERR, "OpenSSL: could not create HMAC context\n");
+		errno = ENOENT;
+		goto out;
+	}
+
+	switch (hmac) {
+	case NVME_HMAC_ALG_NONE:
+		memcpy(key, secret, key_len);
+		err = 0;
+		goto out;
+	case NVME_HMAC_ALG_SHA2_256:
+		digest = OSSL_DIGEST_NAME_SHA2_256;
+		break;
+	case NVME_HMAC_ALG_SHA2_384:
+		digest = OSSL_DIGEST_NAME_SHA2_384;
+		break;
+	case NVME_HMAC_ALG_SHA2_512:
+		digest = OSSL_DIGEST_NAME_SHA2_512;
+		break;
+	default:
+		errno = EINVAL;
+		goto out;
+	}
+	*p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
+						digest,
+						0);
+	*p = OSSL_PARAM_construct_end();
+
+	if (!EVP_MAC_init(mac_ctx, secret, key_len, params)) {
+		nvme_msg(LOG_ERR, "OpenSSL: could not initialize HMAC context\n");
+		errno = EINVAL;
+		goto out;
+	}
+
+	if (!EVP_MAC_update(mac_ctx, (unsigned char *)hostnqn,
+			    strlen(hostnqn))) {
+		nvme_msg(LOG_ERR, "OpenSSL: HMAC for hostnqn failed\n");
+		errno = ENOENT;
+		goto out;
+	}
+
+	if (!EVP_MAC_update(mac_ctx, (unsigned char *)hmac_seed,
+			    strlen(hmac_seed))) {
+		nvme_msg(LOG_ERR, "OpenSSL: HMAC for seed failed\n");
+		errno = ENOENT;
+		goto out;
+	}
+
+	if (!EVP_MAC_final(mac_ctx, key, &len, key_len)) {
+		nvme_msg(LOG_ERR, "OpenSSL: finializing MAC failed\n");
+		errno = ENOENT;
+		goto out;
+	}
+
+	if (len != key_len) {
+		nvme_msg(LOG_ERR, "OpenSSL: generated HMAC has an unexpected lenght\n");
+		errno = EINVAL;
+		goto out;
+	}
+
+	err = 0;
+
+out:
+	EVP_MAC_CTX_free(mac_ctx);
+	EVP_MAC_free(mac);
+	OSSL_LIB_CTX_free(lib_ctx);
+
+	return err;
+}
+#endif /* !CONFIG_OPENSSL_3 */

src/nvme/linux.h

@@ -153,4 +153,33 @@ int nvme_namespace_detach_ctrls(int fd, __u32 nsid, __u16 num_ctrls, __u16 *ctrl
  */
 int nvme_open(const char *name);
 
+/**
+ * enum nvme_hmac_alg - HMAC algorithm
+ * NVME_HMAC_ALG_NONE:		No HMAC algorithm
+ * NVME_HMAC_ALG_SHA2_256:	SHA2-256
+ * NVME_HMAC_ALG_SHA2_384:	SHA2-384
+ * NVME_HMAC_ALG_SHA2_512:	SHA2-512
+ */
+enum nvme_hmac_alg {
+	NVME_HMAC_ALG_NONE	= 0,
+	NVME_HMAC_ALG_SHA2_256	= 1,
+	NVME_HMAC_ALG_SHA2_384	= 2,
+	NVME_HMAC_ALG_SHA2_512	= 3,
+};
+
+/**
+ * nvme_gen_dhchap_key() - DH-HMAC-CHAP key generation
+ * @hostnqn:	Host NVMe Qualified Name
+ * @hmac:	HMAC algorithm
+ * @key_len:	Output key lenght
+ * @secret:	Secret to used for digest
+ * @key:	Generated DH-HMAC-CHAP key
+ *
+ * Return: If key generation was successful the function returns 0 or
+ * -1 with errno set otherwise.
+ */
+int nvme_gen_dhchap_key(char *hostnqn, enum nvme_hmac_alg hmac,
+			unsigned int key_len, unsigned char *secret,
+			unsigned char *key);
+
 #endif /* _LIBNVME_LINUX_H */

subprojects/openssl.wrap

@@ -0,0 +1,14 @@
+[wrap-file]
+directory = openssl-1.1.1l
+source_url = https://www.openssl.org/source/openssl-1.1.1l.tar.gz
+source_filename = openssl-1.1.1l.tar.gz
+source_hash = 0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1
+patch_filename = openssl_1.1.1l-2_patch.zip
+patch_url = https://wrapdb.mesonbuild.com/v2/openssl_1.1.1l-2/get_patch
+patch_hash = 852521fb016fa2deee8ebf9ffeeee0292c6de86a03c775cf72ac04e86f9f177e
+
+[provide]
+libcrypto = libcrypto_dep
+libssl = libssl_dep
+openssl = openssl_dep
+