From e71b3212745d1fff0c52ef21085ea4f229625bb9 Mon Sep 17 00:00:00 2001
From: Martin George
Date: Fri, 16 Jan 2026 11:56:42 +0530
Subject: [PATCH 1/3] fabrics: add error if --tls and --concat are invoked together

--tls and --concat are mutually exclusive and not meant to be invoked together. So add an appropriate error message for the same.

Signed-off-by: Martin George
---
 libnvme/src/nvme/fabrics.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libnvme/src/nvme/fabrics.c b/libnvme/src/nvme/fabrics.c
index 3ca0f22518..f254edb3c3 100644
--- a/libnvme/src/nvme/fabrics.c
+++ b/libnvme/src/nvme/fabrics.c
@@ -732,6 +732,11 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
 ctrlkey = nvme_ctrl_get_dhchap_key(c);
+ if (cfg->tls && cfg->concat) {
+ nvme_msg(h->ctx, LOG_ERR, "cannot specify --tls and --concat together\n");
+ return -ENVME_CONNECT_INVAL;
+ }
+
 if (cfg->tls) {
 ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id);
 if (ret)

From 7472fc397823267cbe12b2d0814c654d97ad23ac Mon Sep 17 00:00:00 2001
From: Martin George
Date: Fri, 16 Jan 2026 12:12:17 +0530
Subject: [PATCH 2/3] fabrics: add error if no dhchap-secret is specified with --concat

--concat requires a corresponding dhchap-secret key to be passed with it. So add an appropriate error message if this is not done.

Signed-off-by: Martin George
---
 libnvme/src/nvme/fabrics.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libnvme/src/nvme/fabrics.c b/libnvme/src/nvme/fabrics.c
index f254edb3c3..37f82cc662 100644
--- a/libnvme/src/nvme/fabrics.c
+++ b/libnvme/src/nvme/fabrics.c
@@ -737,6 +737,11 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
 return -ENVME_CONNECT_INVAL;
 }
+ if (cfg->concat && !hostkey) {
+ nvme_msg(h->ctx, LOG_ERR, "required argument [--dhchap-secret | -S] not specified with --concat\n");
+ return -ENVME_CONNECT_INVAL;
+ }
+
 if (cfg->tls) {
 ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id);
 if (ret)
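Review bot: The error text added in the `cfg->tls && cfg->concat` branch names command-line spellings (`--tls`, `--concat`), but the check sits in the library's `build_options` and only looks at the `cfg` fields. A caller that filled `cfg` some other way than the command line would be told about flags it never passed; wording tied to the settings themselves, e.g. `"tls and concat are mutually exclusive\n"`, reads correctly for every caller. The same applies to the messages added in the [PATCH 2/3] and [PATCH 3/3] hunks. `build_options` starts and ends outside the hunk, so whether anything acquired before this early return needs releasing cannot be checked from here.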
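Review bot: `!hostkey` in the added guard rejects only a NULL pointer, so an empty string would pass it and the concat path would continue without a usable DH-HMAC-CHAP secret. `hostkey` is assigned above the hunk, so whether an empty value can reach this point is not visible here; if it can, `if (cfg->concat && (!hostkey || !*hostkey)) {` closes the gap. The rest of `build_options` lies outside the hunk.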
From 33dff6de8042afd83cadf37d236404596a873274 Mon Sep 17 00:00:00 2001
From: Martin George
Date: Fri, 16 Jan 2026 12:33:21 +0530
Subject: [PATCH 3/3] fabrics: add error if dhchap-ctrl-secret is specified with --concat

--concat works only with unidirectional auth and not bidirectional auth. As per section 8.3.4.5.9 Generated PSK for TLS in the NVMe base spec 2.1: "The host may request secure channel concatenation with the TLS protocol by setting the SC_C field in the AUTH_Negotiate message to NEWTLSPSK while performing only unidirectional auth. In this case, the host shall send a challenge value C2 to the controller and clear the sequence number S2 to 0h to indicate that controller authentication is not requested". In the kernel too, if both host and controller auth keys are specified with secure channel concat, it would ignore the controller key and and default to using the host key itself for uni-auth with concat TLS. So add an appropriate error to catch the same in the userspace itself.

Signed-off-by: Martin George
---
 libnvme/src/nvme/fabrics.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libnvme/src/nvme/fabrics.c b/libnvme/src/nvme/fabrics.c
index 37f82cc662..e480976d33 100644
--- a/libnvme/src/nvme/fabrics.c
+++ b/libnvme/src/nvme/fabrics.c
@@ -742,6 +742,11 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
 return -ENVME_CONNECT_INVAL;
 }
+ if (cfg->concat && ctrlkey) {
+ nvme_msg(h->ctx, LOG_ERR, "cannot specify [--dhchap-ctrl-secret | -C] with --concat\n");
+ return -ENVME_CONNECT_INVAL;
+ }
+
 if (cfg->tls) {
 ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id);
 if (ret)
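Review bot: The `cfg->concat && ctrlkey` branch has no comment saying why a controller key is refused; the reason is given only in the commit message. Per that message, the alternative is a connection that performs unidirectional authentication while a controller secret is configured, so it is worth recording above the check: `/* Secure channel concatenation is unidirectional auth only (NVMe base spec 2.1, section 8.3.4.5.9); refuse a controller key instead of letting it be ignored. */`. The log message could also say that controller authentication is not performed with concat, so the operator learns what the setting would not have provided. `build_options` continues outside the hunk.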