[--hostnqn=<nqn> | -n <nqn>]
[--subsysnqn=<nqn> | -c <nqn>]
[--hmac=<hmac-id> | -h <hmac-id>]
+ [--identity=<id-vers> | -I <id-vers>]
[--secret=<secret> | -s <secret>]
[--insert | -i]
[--output-format=<fmt> | -o <fmt>] [--verbose | -v]
'NVMeTLSkey-1:01:<base64 encoded data>:',
inserted as a 'retained' key into the specified keyring, or both.
When the PSK should be inserted into the keyring a 'retained' key
-is derived from the secret key material, and the resulting 'retained'
+is derived from the secret key material. The resulting 'retained'
key is stored with the identity
'NVMe0R0<hmac> <host NQN> <subsystem NQN>'
-in the keyring.
+(for identity version '0') or
+'NVMe1R0<hmac> <host NQN> <subsystem NQN> <PSK hash>'
+(for identity version '1') in the keyring.
The 'retained' key is derived from the secret key material,
the specified subsystem NQN, and the host NQN.
Once the 'retained' key is stored in the keyring the original
1 - SHA-256 (default)
2 - SHA-384
+-I <vers>::
+--identity=<id-vers>::
+ Select the TLS identity to use. Possible values are:
+ 0 - Original NVMe TLS 1.0c identity
+ 1 - NVMe TLS 2.0 (TP8018) identity
+
-s <secret>::
--secret=<secret>::
Secret value (in hexadecimal) to be used for the key. If none are
const char *secret =
"Optional secret (in hexadecimal characters) to be used for the TLS key.";
const char *hmac = "HMAC function to use for the retained key (1 = SHA-256, 2 = SHA-384).";
+ const char *identity = "TLS identity version to use (0 = NVMe TCP 1.0c, 1 = NVMe TCP 2.0";
const char *hostnqn = "Host NQN for the retained key.";
const char *subsysnqn = "Subsystem NQN for the retained key.";
const char *keyring = "Keyring for the retained key.";
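Review bot: The new `identity` help string never closes its parenthesis and lacks the final period that the neighbouring `hmac` string has, so `--help` prints an unbalanced description. It also names the versions "NVMe TCP 1.0c" and "NVMe TCP 2.0", while the man page text added in the same commit calls them "NVMe TLS 1.0c" and "NVMe TLS 2.0 (TP8018)". Using one wording in both places lets a user picking a retained-key identity format match the help output to the documentation. Suggested line: `const char *identity = "TLS identity version to use (0 = NVMe TLS 1.0c, 1 = NVMe TLS 2.0).";`. The enclosing function starts and ends outside this hunk.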
char *subsysnqn;
char *secret;
unsigned int hmac;
+ unsigned int identity;
bool insert;
};
.subsysnqn = NULL,
.secret = NULL,
.hmac = 1,
+ .identity = 0,
.insert = false,
};
OPT_STR("subsysnqn", 'c', &cfg.subsysnqn, subsysnqn),
OPT_STR("secret", 's', &cfg.secret, secret),
OPT_UINT("hmac", 'm', &cfg.hmac, hmac),
+ OPT_UINT("identity", 'I', &cfg.identity, identity),
OPT_FLAG("insert", 'i', &cfg.insert, insert));
err = argconfig_parse(argc, argv, desc, opts);
nvme_show_error("Invalid HMAC identifier %u", cfg.hmac);
return -EINVAL;
}
+ if (cfg.identity > 1) {
+ nvme_show_error("Invalid TLS identity version %u",
+ cfg.identity);
+ return -EINVAL;
+ }
if (cfg.insert && !cfg.subsysnqn) {
nvme_show_error("No subsystem NQN specified");
return -EINVAL;
}
}
- tls_key = nvme_insert_tls_key(cfg.keyring, cfg.keytype, cfg.hostnqn, cfg.subsysnqn,
- cfg.hmac, raw_secret, key_len);
+ tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
+ cfg.keytype, cfg.hostnqn,
+ cfg.subsysnqn, cfg.identity,
+ cfg.hmac, raw_secret, key_len);
if (tls_key < 0) {
nvme_show_error("Failed to insert key, error %d", errno);
return -errno;
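Review bot: After `nvme_insert_tls_key_versioned()` fails, `errno` is read once for the message and again in `return -errno;`, with `nvme_show_error()` running in between. That helper's body is not visible here, but if it writes to a stream it may overwrite `errno`, so the returned code could differ from the one printed, or even be 0. Capturing the value once avoids that: `int saved = errno;`, then `nvme_show_error("Failed to insert key, error %d", saved);` and `return -saved;`. This error path predates the commit, but it is the only failure reporting for the new versioned call. The enclosing block starts and ends outside this hunk.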