TLS keys handling #894
Open
TLS keys handling #894
Commits on Oct 10, 2024
-
test: add test case for importing/exporting PSKs
Test the pre-shared key interchange format import/export function. Signed-off-by: Daniel Wagner <dwagner@suse.de>
-
linux: add import/export function for TLS pre-shared keys
The existing import/export function do not handle different version of the interchange format nor do the handle the HMAC independent of the version. Thus allow the caller to select version and HMAC independently when exporting resp. importing. This makes this interface also future proof when new HMAC or key lengths are added to the spec. Signed-off-by: Daniel Wagner <dwagner@suse.de>
-
test: extend psk to test new 'versioned' API
Also test for nvme_{import|export}_tls_key_versioned API. Signed-off-by: Daniel Wagner <dwagner@suse.de> -
linux: support PSK interchange format HMAC none
The pre-shared key interchange format also has 'no transform' option when the configured key should be used as retained key. Update the export/imports to support this case. Signed-off-by: Daniel Wagner <dwagner@suse.de>
-
test/psk: test all available HMACs
Extend the test case also to check for the NONE and SHA2-384 algorithm Signed-off-by: Daniel Wagner <dwagner@suse.de>
-
test: make config-diff more flexible to use
The config-diff script is expecting a sysfs tar file besides an input and a output file. Let's make the sysfs tar file optional so we can use this config diff script more flexible. Signed-off-by: Daniel Wagner <dwagner@suse.de>
-
linux: reorder variable declarations
Use the inverse x-mas tree pattern for variable declarations. Signed-off-by: Daniel Wagner <dwagner@suse.de>
-
tree: add getter/setters for tls_key and keyring
Extend the ctrl API to allow the users to set the tls_key/keyring on the ctrl object directly. Signed-off-by: Daniel Wagner <dwagner@suse.de>
-
fabrics: move key store operation to connect
When the JSON parser detects a TLS key it inserts it into the keystore. Keystore operations on the default '.nvme' keyring are privileged operations (root) thus the parser will fail. This will fail nvme-cli commands which are run as normal user. Let's move the key store operations to the connect call path where we need the right permission. A nice side benefit is that we also are able to pass in a configured key. Signed-off-by: Daniel Wagner <dwagner@suse.de>
-
test: add pre-shared key json tests
Add a test case for the PSK API to ensure that the generated JSON is correct. Signed-off-by: Daniel Wagner <dwagner@suse.de>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.