tcp: change the way we pass PSKs

ctrlr_loss_timeout_sec     | Optional | number      | Time to wait until ctrlr is reconnected before deleting ctrlr.  -1 means infinite reconnects. 0 means no reconnect.

reconnect_delay_sec        | Optional | number      | Time to delay a reconnect trial. 0 means no reconnect.

fast_io_fail_timeout_sec   | Optional | number      | Time to wait until ctrlr is reconnected before failing I/O to ctrlr. 0 means no such timeout.

psk                        | Optional | string      | PSK in hexadecimal digits, e.g. 1234567890ABCDEF (Enables SSL socket implementation for TCP)

psk                        | Optional | string      | Path to a file contatining PSK for TLS (Enables SSL socket implementation for TCP)

max_bdevs                  | Optional | number      | The size of the name array for newly created bdevs. Default is 128.

#### Example

nqn                     | Required | string      | Subsystem NQN

host                    | Required | string      | Host NQN to add to the list of allowed host NQNs

tgt_name                | Optional | string      | Parent NVMe-oF target name.

psk                     | Optional | string      | Path to a file containing PSK for TLS connection

#### Example

#include "spdk/likely.h"

#include "spdk/sock.h"

#include "spdk/zipf.h"

#include "spdk/nvmf.h"

#ifdef SPDK_CONFIG_URING

#include <liburing.h>

		sock_opts.tls_version = val;

	} else if (strcmp(field, "ktls") == 0) {

		sock_opts.enable_ktls = val;

	} else if (strcmp(field, "psk_key") == 0) {

	} else if (strcmp(field, "psk_path") == 0) {

		if (!valstr) {

			fprintf(stderr, "No socket opts value specified\n");

			return;

		}

		g_psk = strdup(valstr);

		g_psk = calloc(1, SPDK_TLS_PSK_MAX_LEN + 1);

		if (g_psk == NULL) {

			fprintf(stderr, "Failed to allocate memory for psk\n");

			return;

		}

		FILE *psk_file = fopen(valstr, "r");

		if (psk_file == NULL) {

			fprintf(stderr, "Could not open PSK file\n");

			return;

		}

		if (fscanf(psk_file, "%" SPDK_STRINGIFY(SPDK_TLS_PSK_MAX_LEN) "s", g_psk) != 1) {

			fprintf(stderr, "Could not retrieve PSK from file\n");

			fclose(psk_file);

			return;

		}

		if (fclose(psk_file)) {

			fprintf(stderr, "Failed to close PSK file\n");

			return;

		}

	} else if (strcmp(field, "zerocopy_threshold") == 0) {

		sock_opts.zerocopy_threshold = val;

	} else {

	printf("\t[--disable-ktls disable Kernel TLS. Only valid for ssl impl. Default for ssl impl]\n");

	printf("\t[--enable-ktls enable Kernel TLS. Only valid for ssl impl]\n");

	printf("\t[--tls-version <val> TLS version to use. Only valid for ssl impl. Default: 0 (auto-negotiation)]\n");

	printf("\t[--psk-key <val> Default PSK KEY in hexadecimal digits, e.g. 1234567890ABCDEF (only applies when sock_impl == ssl)]\n");

	printf("\t[--psk-path <val> Path to PSK file (only applies when sock_impl == ssl)]\n");

	printf("\t[--psk-identity <val> Default PSK ID, e.g. psk.spdk.io (only applies when sock_impl == ssl)]\n");

	printf("\t[--zerocopy-threshold <val> data is sent with MSG_ZEROCOPY if size is greater than this val. Default: 0 to disable it]\n");

	printf("\t[--zerocopy-threshold-sock-impl <impl> specify the sock implementation to set zerocopy_threshold]\n");

	{"enable-ktls", no_argument, NULL, PERF_ENABLE_KTLS},

#define PERF_TLS_VERSION	262

	{"tls-version", required_argument, NULL, PERF_TLS_VERSION},

#define PERF_PSK_KEY		263

	{"psk-key", required_argument, NULL, PERF_PSK_KEY},

#define PERF_PSK_PATH		263

	{"psk-path", required_argument, NULL, PERF_PSK_PATH},

#define PERF_PSK_IDENTITY	264

	{"psk-identity ", required_argument, NULL, PERF_PSK_IDENTITY},

#define PERF_ZEROCOPY_THRESHOLD		265

			}

			perf_set_sock_opts("ssl", "tls_version", val, NULL);

			break;

		case PERF_PSK_KEY:

		case PERF_PSK_PATH:

			ssl_used = true;

			perf_set_sock_opts("ssl", "psk_key", 0, optarg);

			perf_set_sock_opts("ssl", "psk_path", 0, optarg);

			break;

		case PERF_PSK_IDENTITY:

			ssl_used = true;

	opts.pci_allowed = g_allowed_pci_addr;

	rc = parse_args(argc, argv, &opts);

	if (rc != 0) {

		free(g_psk);

		return rc;

	}

	/* Transport statistics are printed from each thread.

	rc = pthread_mutex_init(&g_stats_mutex, NULL);

	if (rc != 0) {

		fprintf(stderr, "Failed to init mutex\n");

		free(g_psk);

		return -1;

	}

	if (spdk_env_init(&opts) < 0) {

		fprintf(stderr, "Unable to initialize SPDK env\n");

		unregister_trids();

		pthread_mutex_destroy(&g_stats_mutex);

		free(g_psk);

		return -1;

	}

extern "C" {

#endif

#define _SPDK_STRINGIFY(x) #x

#define SPDK_STRINGIFY(x) _SPDK_STRINGIFY(x)

/**

 * sprintf with automatic buffer allocation.

 *

#define SPDK_NVMF_TCP_DEFAULT_DIF_INSERT_OR_STRIP false

#define SPDK_NVMF_TCP_DEFAULT_ABORT_TIMEOUT_SEC 1

#define TCP_PSK_INVALID_PERMISSIONS 0177

const struct spdk_nvmf_transport_ops spdk_nvmf_transport_tcp;

/* spdk nvmf related structure */

	char				subnqn[SPDK_NVMF_NQN_MAX_LEN + 1];

	char				psk_identity[NVMF_PSK_IDENTITY_LEN];

	uint8_t				psk[SPDK_TLS_PSK_MAX_LEN];

	/* Original path saved to emit SPDK configuration via "save_config". */

	char				psk_path[PATH_MAX];

	uint32_t			psk_size;

	enum nvme_tcp_cipher_suite	tls_cipher_suite;

	TAILQ_ENTRY(tcp_psk_entry)	link;

	{"psk", offsetof(struct tcp_subsystem_add_host_opts, psk), spdk_json_decode_string, true},

};

static int

tcp_load_psk(const char *fname, char *buf, size_t bufsz)

{

	FILE *psk_file;

	struct stat statbuf;

	int rc;

	if (stat(fname, &statbuf) != 0) {

		SPDK_ERRLOG("Could not read permissions for PSK file\n");

		return -EACCES;

	}

	if ((statbuf.st_mode & TCP_PSK_INVALID_PERMISSIONS) != 0) {

		SPDK_ERRLOG("Incorrect permissions for PSK file\n");

		return -EPERM;

	}

	if ((size_t)statbuf.st_size >= bufsz) {

		SPDK_ERRLOG("Invalid PSK: too long\n");

		return -EINVAL;

	}

	psk_file = fopen(fname, "r");

	if (psk_file == NULL) {

		SPDK_ERRLOG("Could not open PSK file\n");

		return -EINVAL;

	}

	memset(buf, 0, bufsz);

	rc = fread(buf, 1, statbuf.st_size, psk_file);

	if (rc != statbuf.st_size) {

		SPDK_ERRLOG("Failed to read PSK\n");

		fclose(psk_file);

		return -EINVAL;

	}

	fclose(psk_file);

	return 0;

}

static int

nvmf_tcp_subsystem_add_host(struct spdk_nvmf_transport *transport,

			    const struct spdk_nvmf_subsystem *subsystem,

	struct tcp_psk_entry *entry;

	char psk_identity[NVMF_PSK_IDENTITY_LEN];

	uint8_t psk_configured[SPDK_TLS_PSK_MAX_LEN] = {};

	char psk_interchange[SPDK_TLS_PSK_MAX_LEN] = {};

	uint8_t tls_cipher_suite;

	uint64_t key_len;

	int rc = 0;

	uint8_t psk_retained_hash;

	uint64_t psk_configured_size;

	memset(&opts, 0, sizeof(opts));

	/* Decode PSK */

	/* Decode PSK file path */

	if (spdk_json_decode_object_relaxed(transport_specific, tcp_subsystem_add_host_opts_decoder,

					    SPDK_COUNTOF(tcp_subsystem_add_host_opts_decoder), &opts)) {

		SPDK_ERRLOG("spdk_json_decode_object failed\n");

	if (opts.psk == NULL) {

		return 0;

	}

	if (strlen(opts.psk) >= sizeof(entry->psk)) {

		SPDK_ERRLOG("PSK path too long\n");

		rc = -EINVAL;

		goto end;

	}

	rc = tcp_load_psk(opts.psk, psk_interchange, sizeof(psk_interchange));

	if (rc) {

		SPDK_ERRLOG("Could not retrieve PSK from file\n");

		goto end;

	}

	/* Parse PSK interchange to get length of base64 encoded data.

	 * This is then used to decide which cipher suite should be used

	 * to generate PSK identity and TLS PSK later on. */

	rc = nvme_tcp_parse_interchange_psk(opts.psk, psk_configured, sizeof(psk_configured),

	rc = nvme_tcp_parse_interchange_psk(psk_interchange, psk_configured, sizeof(psk_configured),

					    &psk_configured_size, &psk_retained_hash);

	if (rc < 0) {

		SPDK_ERRLOG("Failed to parse PSK interchange!\n");

	}

	entry->tls_cipher_suite = tls_cipher_suite;

	if (strlen(opts.psk) >= sizeof(entry->psk)) {

		SPDK_ERRLOG("PSK of length: %ld cannot fit in max buffer size: %ld\n", strlen(opts.psk),

			    sizeof(entry->psk));

		rc = -EINVAL;

		free(entry);

		goto end;

	}

	/* No hash indicates that Configured PSK must be used as Retained PSK. */

	if (psk_retained_hash == NVME_TCP_HASH_ALGORITHM_NONE) {

		/* Psk configured is either 32 or 48 bytes long. */

end:

	spdk_memset_s(psk_configured, sizeof(psk_configured), 0, sizeof(psk_configured));

	key_len = strnlen(opts.psk, SPDK_TLS_PSK_MAX_LEN);

	spdk_memset_s(opts.psk, key_len, 0, key_len);

	spdk_memset_s(psk_interchange, sizeof(psk_interchange), 0, sizeof(psk_interchange));

	free(opts.psk);

	return rc;

#include "spdk/log.h"

#include "spdk/bdev_module.h"

#define TCP_PSK_INVALID_PERMISSIONS 0177

static int

rpc_decode_action_on_timeout(const struct spdk_json_val *val, void *out)

{

	spdk_bdev_wait_for_examine(rpc_bdev_nvme_attach_controller_examined, ctx);

}

static int

tcp_load_psk(const char *fname, char *buf, size_t bufsz)

{

	FILE *psk_file;

	struct stat statbuf;

	int rc;

	if (stat(fname, &statbuf) != 0) {

		SPDK_ERRLOG("Could not read permissions for PSK file\n");

		return -EACCES;

	}

	if ((statbuf.st_mode & TCP_PSK_INVALID_PERMISSIONS) != 0) {

		SPDK_ERRLOG("Incorrect permissions for PSK file\n");

		return -EPERM;

	}

	if ((size_t)statbuf.st_size >= bufsz) {

		SPDK_ERRLOG("Invalid PSK: too long\n");

		return -EINVAL;

	}

	psk_file = fopen(fname, "r");

	if (psk_file == NULL) {

		SPDK_ERRLOG("Could not open PSK file\n");

		return -EINVAL;

	}

	memset(buf, 0, bufsz);

	rc = fread(buf, 1, statbuf.st_size, psk_file);

	if (rc != statbuf.st_size) {

		SPDK_ERRLOG("Failed to read PSK\n");

		fclose(psk_file);

		return -EINVAL;

	}

	fclose(psk_file);

	return 0;

}

static void

rpc_bdev_nvme_attach_controller(struct spdk_jsonrpc_request *request,

				const struct spdk_json_val *params)

	}

	if (ctx->req.psk) {

		snprintf(ctx->req.drv_opts.psk, sizeof(ctx->req.drv_opts.psk), "%s",

		rc = tcp_load_psk(ctx->req.psk, ctx->req.drv_opts.psk, sizeof(ctx->req.drv_opts.psk));

		if (rc) {

			spdk_jsonrpc_send_error_response_fmt(request, -EINVAL, "Could not retrieve PSK from file: %s",

							     ctx->req.psk);

			goto cleanup;

		}

	}

	if (ctx->req.hostaddr) {