From: Hannes Reinecke <hare@suse.de>
Date: Wed, 15 Nov 2023 15:51:10 +0000 (+0100)
Subject: nvme: Add version '1' identifier for nvme-gen-tls-key
X-Git-Tag: v2.7~37
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=4e666d3f1cc7658b1a6520fbe7c70fb8990dfc28;p=users%2Fsagi%2Fnvme-cli.git

nvme: Add version '1' identifier for nvme-gen-tls-key

With NVMe TP8018 the NVMe TLS PSK identity changed, and a PSK
digest got attached to the identity.
Update the 'nvme-gen-tls-key' program to accept an 'identity' option
to allow to switch between the two methods.

Default continues to be '0' for now.

Signed-off-by: Hannes Reinecke <hare@suse.de>
---

diff --git a/Documentation/nvme-gen-tls-key.txt b/Documentation/nvme-gen-tls-key.txt
index 5d134d1a..def8ecc0 100644
--- a/Documentation/nvme-gen-tls-key.txt
+++ b/Documentation/nvme-gen-tls-key.txt
@@ -13,6 +13,7 @@ SYNOPSIS
 			[--hostnqn=<nqn> | -n <nqn>]
 			[--subsysnqn=<nqn> | -c <nqn>]
 			[--hmac=<hmac-id> | -h <hmac-id>]
+			[--identity=<id-vers> | -I <id-vers>]
 			[--secret=<secret> | -s <secret>]
 			[--insert | -i]
 			[--output-format=<fmt> | -o <fmt>] [--verbose | -v]
@@ -24,10 +25,12 @@ The resulting key is either printed in the PSK interchange format
 'NVMeTLSkey-1:01:<base64 encoded data>:',
 inserted as a 'retained' key into the specified keyring, or both.
 When the PSK should be inserted into the keyring a 'retained' key
-is derived from the secret key material, and the resulting 'retained'
+is derived from the secret key material. The resulting 'retained'
 key is stored with the identity
 'NVMe0R0<hmac> <host NQN> <subsystem NQN>'
-in the keyring.
+(for identity version '0') or
+'NVMe1R0<hmac> <host NQN> <subsystem NQN> <PSK hash>'
+(for identity version '1') in the keyring.
 The 'retained' key is derived from the secret key material,
 the specified subsystem NQN, and the host NQN.
 Once the 'retained' key is stored in the keyring the original
@@ -61,6 +64,12 @@ OPTIONS
 	1 - SHA-256 (default)
 	2 - SHA-384
 
+-I <vers>::
+--identity=<id-vers>::
+	Select the TLS identity to use. Possible values are:
+	0 - Original NVMe TLS 1.0c identity
+	1 - NVMe TLS 2.0 (TP8018) identity
+
 -s <secret>::
 --secret=<secret>::
 	Secret value (in hexadecimal) to be used for the key. If none are
diff --git a/nvme.c b/nvme.c
index 1fb20036..72a62ac3 100644
--- a/nvme.c
+++ b/nvme.c
@@ -8644,6 +8644,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 	const char *secret =
 	    "Optional secret (in hexadecimal characters) to be used for the TLS key.";
 	const char *hmac = "HMAC function to use for the retained key (1 = SHA-256, 2 = SHA-384).";
+	const char *identity = "TLS identity version to use (0 = NVMe TCP 1.0c, 1 = NVMe TCP 2.0";
 	const char *hostnqn = "Host NQN for the retained key.";
 	const char *subsysnqn = "Subsystem NQN for the retained key.";
 	const char *keyring = "Keyring for the retained key.";
@@ -8664,6 +8665,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 		char		*subsysnqn;
 		char		*secret;
 		unsigned int	hmac;
+		unsigned int	identity;
 		bool		insert;
 	};
 
@@ -8674,6 +8676,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 		.subsysnqn	= NULL,
 		.secret		= NULL,
 		.hmac		= 1,
+		.identity	= 0,
 		.insert		= false,
 	};
 
@@ -8684,6 +8687,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 		  OPT_STR("subsysnqn",	'c', &cfg.subsysnqn,	subsysnqn),
 		  OPT_STR("secret",	's', &cfg.secret,	secret),
 		  OPT_UINT("hmac",	'm', &cfg.hmac,		hmac),
+		  OPT_UINT("identity",	'I', &cfg.identity,	identity),
 		  OPT_FLAG("insert",	'i', &cfg.insert,	insert));
 
 	err = argconfig_parse(argc, argv, desc, opts);
@@ -8693,6 +8697,11 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 		nvme_show_error("Invalid HMAC identifier %u", cfg.hmac);
 		return -EINVAL;
 	}
+	if (cfg.identity > 1) {
+		nvme_show_error("Invalid TLS identity version %u",
+				cfg.identity);
+		return -EINVAL;
+	}
 	if (cfg.insert && !cfg.subsysnqn) {
 		nvme_show_error("No subsystem NQN specified");
 		return -EINVAL;
@@ -8740,8 +8749,10 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 			}
 		}
 
-		tls_key = nvme_insert_tls_key(cfg.keyring, cfg.keytype, cfg.hostnqn, cfg.subsysnqn,
-					      cfg.hmac, raw_secret, key_len);
+		tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
+					cfg.keytype, cfg.hostnqn,
+					cfg.subsysnqn, cfg.identity,
+					cfg.hmac, raw_secret, key_len);
 		if (tls_key < 0) {
 			nvme_show_error("Failed to insert key, error %d", errno);
 			return -errno;