RHEL-119799

[NetApp RHEL 9.7 Bug]: libnvme/nvme-cli TLS PSK generation logic not compliant to RFC 8446


    • Bug
    • Resolution: Unresolved
    • rhel-9.7
    • nvme-cli

      The current libnvme/nvme-cli TLS PSK derivation is not compliant with RFC 8446 due to the following deviations:

      1) The 16-bit HkdfLabel.length value is not converted to network byte order.

      2) The variable-length HkdfLabel.label and HkdfLabel.context vectors are not prefixed with a length byte.

      These are now addressed through the following upstream commits:

      libnvme:

      libnvme: TLS PSK derivation fixes - https://github.com/linux-nvme/libnvme/commit/fde6b1f51646

      linux: fix HKDF TLS key derivation back to OpenSSL 3.0.8 - https://github.com/linux-nvme/libnvme/commit/eff0ffef0273

      linux: use EVP_PKEY_CTX_add1_hkdf_info only once in compat function - https://github.com/linux-nvme/libnvme/commit/59f702085e92

      nvme-cli:

      nvme: add --compat flag for 'gen-tls-key' and 'check-tls-key' - https://github.com/linux-nvme/nvme-cli/commit/c24f46da88d7 

      Requesting RH to pull in these fixes to RHEL9 now.
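The following example is added here and is not part of the original report or of the libnvme/nvme-cli code. It serializes HkdfLabel as RFC 8446 section 7.1 defines it, next to an encoding with the two deviations listed above, and runs both through HKDF-Expand to show that the derived keys differ. The secret, label and context are constructed sample values; the non-compliant encoder assumes a little-endian host and that the "tls13 " prefix is kept.

```python
import hashlib
import hmac
import struct


def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """RFC 8446 section 7.1 HkdfLabel, serialized the compliant way."""
    full_label = b"tls13 " + label
    if not 0 <= length <= 0xFFFF:
        raise ValueError("length must fit in a uint16")
    if not 7 <= len(full_label) <= 255 or len(context) > 255:
        raise ValueError("label or context outside the RFC 8446 size bounds")
    return (struct.pack("!H", length)                  # uint16, network byte order
            + bytes([len(full_label)]) + full_label    # opaque label<7..255>
            + bytes([len(context)]) + context)         # opaque context<0..255>


def hkdf_label_noncompliant(length: int, label: bytes, context: bytes) -> bytes:
    """Both reported deviations (assumes little-endian host, 'tls13 ' prefix kept)."""
    return struct.pack("<H", length) + b"tls13 " + label + context


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand from RFC 5869."""
    if length > 255 * hashlib.new(hash_name).digest_size:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret, label, context, length, encode=hkdf_label) -> bytes:
    """HKDF-Expand-Label(Secret, Label, Context, Length) with a pluggable encoder."""
    return hkdf_expand(secret, encode(length, label, context), length)


if __name__ == "__main__":
    prk = bytes(range(32))                     # constructed sample secret
    label, ctx = b"example", b"ctx"            # constructed sample label/context
    for enc in (hkdf_label, hkdf_label_noncompliant):
        print(enc.__name__, enc(32, label, ctx).hex(),
              hkdf_expand_label(prk, label, ctx, 32, enc).hex())
```

Because the HkdfLabel bytes are the `info` input to HKDF-Expand, two peers that encode it differently derive different PSKs from the same configured secret and cannot complete a handshake with each other.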

              mlombard@redhat.com Maurizio Lombardi
              marting_netapp Martin George
              NetApp Confidential Group
              Maurizio Lombardi Maurizio Lombardi
              Yi Zhang Yi Zhang