Skip to content

Commit c24f46d

Browse files
hreineckeigaw
hreinecke
authored and
igaw
committed
nvme: add --compat flag for 'gen-tls-key' and 'check-tls-key'
Add a '--compat' flag for 'gen-tls-key' and 'check-tls-key' to allow interoperability with older implementations. Signed-off-by: Hannes Reinecke <[email protected]>
1 parent 7e04cb7 commit c24f46d

File tree

3 files changed

+44
-6
lines changed

3 files changed

+44
-6
lines changed

Documentation/nvme-check-tls-key.txt

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ SYNOPSIS
1616
[--output-format=<fmt> | -o <fmt>]
1717
[--identity=<id-vers> | -I <id-vers>]
1818
[--insert | -i ]
19+
[--compat | -C ]
1920
[--keyfile=<keyfile> | -f <keyfile>]
2021
[--verbose | -v]
2122

@@ -62,6 +63,11 @@ OPTIONS
6263
--insert:
6364
Insert the derived 'retained' key in the keyring.
6465

66+
-C:
67+
--compat:
68+
Use the original algorithm when deriving TLS keys for
69+
compatibility with older implentations.
70+
6571
-f <keyfile>
6672
--keyfile=<keyfile>
6773
Append the resulting TLS key to keyfile. This command line option is

Documentation/nvme-gen-tls-key.txt

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ SYNOPSIS
1616
[--identity=<id-vers> | -I <id-vers>]
1717
[--secret=<secret> | -s <secret>]
1818
[--insert | -i]
19+
[--compat | -C]
1920
[--keyfile=<keyfile> | -f <keyfile>]
2021
[--output-format=<fmt> | -o <fmt>] [--verbose | -v]
2122

@@ -27,7 +28,8 @@ The resulting key is either printed in the PSK interchange format
2728
'retained' key into the specified keyring if the '--insert' option
2829
is given.
2930
When the PSK should be inserted into the keyring a 'retained' key
30-
is derived from the secret key material. The resulting 'retained'
31+
is derived from the secret key material using the HKDF-Expand-Label
32+
algorithm from RFC 8446. The resulting 'retained'
3133
key is stored with the identity
3234
'NVMe0R0<hmac> <host NQN> <subsystem NQN>'
3335
(for identity version '0') or
@@ -82,6 +84,11 @@ OPTIONS
8284
Insert the resulting TLS key into the keyring without printing out
8385
the key in PSK interchange format.
8486

87+
-C:
88+
--compat:
89+
Use the original non-RFC 8446 compliant algorithm when
90+
deriving TLS keys for compatibility with older implentations.
91+
8592
-f <keyfile>
8693
--keyfile=<keyfile>
8794
Append the resulting TLS key to keyfile. This command line option is

nvme.c

Lines changed: 30 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -9757,6 +9757,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
97579757
const char *keytype = "Key type of the retained key.";
97589758
const char *insert = "Insert retained key into the keyring.";
97599759
const char *keyfile = "Update key file with the derive TLS PSK.";
9760+
const char *compat = "Use compatibility algorithm for HKDF-Expand-Label.";
97609761

97619762
_cleanup_free_ unsigned char *raw_secret = NULL;
97629763
_cleanup_free_ char *encoded_key = NULL;
@@ -9775,6 +9776,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
97759776
unsigned char hmac;
97769777
unsigned char version;
97779778
bool insert;
9779+
bool compat;
97789780
};
97799781

97809782
struct config cfg = {
@@ -9787,6 +9789,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
97879789
.hmac = 1,
97889790
.version = 0,
97899791
.insert = false,
9792+
.compat = false,
97909793
};
97919794

97929795
NVME_ARGS(opts,
@@ -9798,7 +9801,8 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
97989801
OPT_STR("keyfile", 'f', &cfg.keyfile, keyfile),
97999802
OPT_BYTE("hmac", 'm', &cfg.hmac, hmac),
98009803
OPT_BYTE("identity", 'I', &cfg.version, version),
9801-
OPT_FLAG("insert", 'i', &cfg.insert, insert));
9804+
OPT_FLAG("insert", 'i', &cfg.insert, insert),
9805+
OPT_FLAG("compat", 'C', &cfg.compat, compat));
98029806

98039807
err = parse_args(argc, argv, desc, opts);
98049808
if (err)
@@ -9859,7 +9863,13 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
98599863
printf("%s\n", encoded_key);
98609864

98619865
if (cfg.insert) {
9862-
tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
9866+
if (cfg.compat)
9867+
tls_key = nvme_insert_tls_key_compat(cfg.keyring,
9868+
cfg.keytype, cfg.hostnqn,
9869+
cfg.subsysnqn, cfg.version,
9870+
cfg.hmac, raw_secret, key_len);
9871+
else
9872+
tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
98639873
cfg.keytype, cfg.hostnqn,
98649874
cfg.subsysnqn, cfg.version,
98659875
cfg.hmac, raw_secret, key_len);
@@ -9891,6 +9901,7 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
98919901
const char *keytype = "Key type of the retained key.";
98929902
const char *insert = "Insert retained key into the keyring.";
98939903
const char *keyfile = "Update key file with the derive TLS PSK.";
9904+
const char *compat = "Use compatibility algorithm for HKDF-Expand-Label.";
98949905

98959906
_cleanup_free_ unsigned char *decoded_key = NULL;
98969907
_cleanup_free_ char *hnqn = NULL;
@@ -9906,6 +9917,7 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
99069917
char *keyfile;
99079918
unsigned char identity;
99089919
bool insert;
9920+
bool compat;
99099921
};
99109922

99119923
struct config cfg = {
@@ -9917,6 +9929,7 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
99179929
.keyfile = NULL,
99189930
.identity = 0,
99199931
.insert = false,
9932+
.compat = false,
99209933
};
99219934

99229935
NVME_ARGS(opts,
@@ -9927,7 +9940,8 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
99279940
OPT_STR("keydata", 'd', &cfg.keydata, keydata),
99289941
OPT_STR("keyfile", 'f', &cfg.keyfile, keyfile),
99299942
OPT_BYTE("identity", 'I', &cfg.identity, identity),
9930-
OPT_FLAG("insert", 'i', &cfg.insert, insert));
9943+
OPT_FLAG("insert", 'i', &cfg.insert, insert),
9944+
OPT_FLAG("compat", 'C', &cfg.compat, compat));
99319945

99329946
err = parse_args(argc, argv, desc, opts);
99339947
if (err)
@@ -9963,7 +9977,13 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
99639977
}
99649978

99659979
if (cfg.insert) {
9966-
tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
9980+
if (cfg.compat)
9981+
tls_key = nvme_insert_tls_key_compat(cfg.keyring,
9982+
cfg.keytype, cfg.hostnqn,
9983+
cfg.subsysnqn, cfg.identity,
9984+
hmac, decoded_key, decoded_len);
9985+
else
9986+
tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
99679987
cfg.keytype, cfg.hostnqn,
99689988
cfg.subsysnqn, cfg.identity,
99699989
hmac, decoded_key, decoded_len);
@@ -9981,7 +10001,12 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
998110001
} else {
998210002
_cleanup_free_ char *tls_id = NULL;
998310003

9984-
tls_id = nvme_generate_tls_key_identity(cfg.hostnqn,
10004+
if (cfg.compat)
10005+
tls_id = nvme_generate_tls_key_identity_compat(cfg.hostnqn,
10006+
cfg.subsysnqn, cfg.identity,
10007+
hmac, decoded_key, decoded_len);
10008+
else
10009+
tls_id = nvme_generate_tls_key_identity(cfg.hostnqn,
998510010
cfg.subsysnqn, cfg.identity,
998610011
hmac, decoded_key, decoded_len);
998710012
if (!tls_id) {

0 commit comments

Comments
 (0)