nvme: add --compat flag for 'gen-tls-key' and 'check-tls-key'

hreinecke · hreinecke · commit 96d33658681c · 2025-08-19T15:21:08.000+02:00
Add a '--compat' flag for 'gen-tls-key' and 'check-tls-key' to
allow interoperability with older implementations.

Signed-off-by: Hannes Reinecke &lt;hare@suse.de&gt;
diff --git a/Documentation/nvme-check-tls-key.txt b/Documentation/nvme-check-tls-key.txt
@@ -16,6 +16,7 @@ SYNOPSIS
 			[--output-format=<fmt> | -o <fmt>]
 			[--identity=<id-vers> | -I <id-vers>]
 			[--insert | -i ]
+			[--compat | -C ]
 			[--keyfile=<keyfile> | -f <keyfile>]
 			[--verbose | -v]
 
@@ -62,6 +63,11 @@ OPTIONS
 --insert:
 	Insert the derived 'retained' key in the keyring.
 
+-C:
+--compat:
+	Use the original algorithm when deriving TLS keys for
+	compatibility with older implentations.
+
 -f <keyfile>
 --keyfile=<keyfile>
 	Append the resulting TLS key to keyfile. This command line option is
diff --git a/Documentation/nvme-gen-tls-key.txt b/Documentation/nvme-gen-tls-key.txt
@@ -16,6 +16,7 @@ SYNOPSIS
 			[--identity=<id-vers> | -I <id-vers>]
 			[--secret=<secret> | -s <secret>]
 			[--insert | -i]
+			[--compat | -C]
 			[--keyfile=<keyfile> | -f <keyfile>]
 			[--output-format=<fmt> | -o <fmt>] [--verbose | -v]
 
@@ -82,6 +83,11 @@ OPTIONS
 	Insert the resulting TLS key into the keyring without printing out
 	the key in PSK interchange format.
 
+-C:
+--compat:
+	Use the original algorithm when deriving TLS keys for
+	compatibility with older implentations.
+
 -f <keyfile>
 --keyfile=<keyfile>
 	Append the resulting TLS key to keyfile. This command line option is
diff --git a/nvme.c b/nvme.c
@@ -9729,6 +9729,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 	const char *keytype = "Key type of the retained key.";
 	const char *insert = "Insert retained key into the keyring.";
 	const char *keyfile = "Update key file with the derive TLS PSK.";
+	const char *compat = "Use compatibility algorithm for HKDF-Expand-Label.";
 
 	_cleanup_free_ unsigned char *raw_secret = NULL;
 	_cleanup_free_ char *encoded_key = NULL;
@@ -9747,6 +9748,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 		unsigned char	hmac;
 		unsigned char	version;
 		bool		insert;
+		bool		compat;
 	};
 
 	struct config cfg = {
@@ -9759,6 +9761,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 		.hmac		= 1,
 		.version	= 0,
 		.insert		= false,
+		.compat		= false,
 	};
 
 	NVME_ARGS(opts,
@@ -9770,7 +9773,8 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 		  OPT_STR("keyfile",	'f', &cfg.keyfile,	keyfile),
 		  OPT_BYTE("hmac",	'm', &cfg.hmac,		hmac),
 		  OPT_BYTE("identity",	'I', &cfg.version,	version),
-		  OPT_FLAG("insert",	'i', &cfg.insert,	insert));
+		  OPT_FLAG("insert",	'i', &cfg.insert,	insert),
+		  OPT_FLAG("compat",	'C', &cfg.compat,	compat));
 
 	err = parse_args(argc, argv, desc, opts);
 	if (err)
@@ -9831,7 +9835,13 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
 	printf("%s\n", encoded_key);
 
 	if (cfg.insert) {
-		tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
+		if (cfg.compat)
+			tls_key = nvme_insert_tls_key_compat(cfg.keyring,
+					cfg.keytype, cfg.hostnqn,
+					cfg.subsysnqn, cfg.version,
+					cfg.hmac, raw_secret, key_len);
+		else
+			tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
 					cfg.keytype, cfg.hostnqn,
 					cfg.subsysnqn, cfg.version,
 					cfg.hmac, raw_secret, key_len);
@@ -9863,6 +9873,7 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
 	const char *keytype = "Key type of the retained key.";
 	const char *insert = "Insert retained key into the keyring.";
 	const char *keyfile = "Update key file with the derive TLS PSK.";
+	const char *compat = "Use compatibility algorithm for HKDF-Expand-Label.";
 
 	_cleanup_free_ unsigned char *decoded_key = NULL;
 	_cleanup_free_ char *hnqn = NULL;
@@ -9878,6 +9889,7 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
 		char		*keyfile;
 		unsigned char	identity;
 		bool		insert;
+		bool		compat;
 	};
 
 	struct config cfg = {
@@ -9889,6 +9901,7 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
 		.keyfile	= NULL,
 		.identity	= 0,
 		.insert		= false,
+		.compat		= false,
 	};
 
 	NVME_ARGS(opts,
@@ -9899,7 +9912,8 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
 		  OPT_STR("keydata",	'd', &cfg.keydata,	keydata),
 		  OPT_STR("keyfile",	'f', &cfg.keyfile,	keyfile),
 		  OPT_BYTE("identity",	'I', &cfg.identity,	identity),
-		  OPT_FLAG("insert",	'i', &cfg.insert,	insert));
+		  OPT_FLAG("insert",	'i', &cfg.insert,	insert),
+		  OPT_FLAG("compat",	'C', &cfg.compat,	compat));
 
 	err = parse_args(argc, argv, desc, opts);
 	if (err)
@@ -9935,7 +9949,13 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
 	}
 
 	if (cfg.insert) {
-		tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
+		if (cfg.compat)
+			tls_key = nvme_insert_tls_key_compat(cfg.keyring,
+					cfg.keytype, cfg.hos`tnqn,
+					cfg.subsysnqn, cfg.identity,
+					hmac, decoded_key, decoded_len);
+		else
+			tls_key = nvme_insert_tls_key_versioned(cfg.keyring,
 					cfg.keytype, cfg.hostnqn,
 					cfg.subsysnqn, cfg.identity,
 					hmac, decoded_key, decoded_len);
@@ -9953,7 +9973,12 @@ static int check_tls_key(int argc, char **argv, struct command *command, struct
 	} else {
 		_cleanup_free_ char *tls_id = NULL;
 
-		tls_id = nvme_generate_tls_key_identity(cfg.hostnqn,
+		if (cfg.compat)
+			tls_id = nvme_generate_tls_key_identity_compat(cfg.hostnqn,
+					cfg.subsysnqn, cfg.identity,
+					hmac, decoded_key, decoded_len);
+		else
+			tls_id = nvme_generate_tls_key_identity(cfg.hostnqn,
 					cfg.subsysnqn, cfg.identity,
 					hmac, decoded_key, decoded_len);
 		if (!tls_id) {
