nvmf/tcp: require TLS PSKs to be specified via keyring

removed in the v24.09 release.  Instead, a key obtained from the keyring library should be passed

in `spdk_nvme_ctrlr_opts.tls_psk`.

### nvmf

#### `nvmf_subsystem_add_host`

The ability to specifying path to a PSK file via the `psk` parameter in `nvmf_subsystem_add_host` is

deprecated and will be removed in the v24.09 release.  Instead, the name of a key attached to the

keyring should be used.

### gpt

#### `old_gpt_guid`

#define SPDK_NVMF_TCP_DEFAULT_DIF_INSERT_OR_STRIP false

#define SPDK_NVMF_TCP_DEFAULT_ABORT_TIMEOUT_SEC 1

#define TCP_PSK_INVALID_PERMISSIONS 0177

const struct spdk_nvmf_transport_ops spdk_nvmf_transport_tcp;

static bool g_tls_log = false;

	char				pskid[NVMF_PSK_IDENTITY_LEN];

	uint8_t				psk[SPDK_TLS_PSK_MAX_LEN];

	struct spdk_key			*key;

	/* Original path saved to emit SPDK configuration via "save_config". */

	char				psk_path[PATH_MAX];

	uint32_t			psk_size;

	enum nvme_tcp_cipher_suite	tls_cipher_suite;

	TAILQ_ENTRY(tcp_psk_entry)	link;

	{"psk", offsetof(struct tcp_subsystem_add_host_opts, psk), spdk_json_decode_string, true},

};

static int

tcp_load_psk(const char *fname, char *buf, size_t bufsz)

{

	FILE *psk_file;

	struct stat statbuf;

	int rc;

	if (stat(fname, &statbuf) != 0) {

		SPDK_ERRLOG("Could not read permissions for PSK file\n");

		return -EACCES;

	}

	if ((statbuf.st_mode & TCP_PSK_INVALID_PERMISSIONS) != 0) {

		SPDK_ERRLOG("Incorrect permissions for PSK file\n");

		return -EPERM;

	}

	if ((size_t)statbuf.st_size > bufsz) {

		SPDK_ERRLOG("Invalid PSK: too long\n");

		return -EINVAL;

	}

	psk_file = fopen(fname, "r");

	if (psk_file == NULL) {

		SPDK_ERRLOG("Could not open PSK file\n");

		return -EINVAL;

	}

	rc = fread(buf, 1, statbuf.st_size, psk_file);

	if (rc != statbuf.st_size) {

		SPDK_ERRLOG("Failed to read PSK\n");

		fclose(psk_file);

		return -EINVAL;

	}

	fclose(psk_file);

	return 0;

}

SPDK_LOG_DEPRECATION_REGISTER(nvmf_tcp_psk_path, "PSK path", "v24.09", 0);

static int

nvmf_tcp_subsystem_add_host(struct spdk_nvmf_transport *transport,

			    const struct spdk_nvmf_subsystem *subsystem,

	}

	entry->key = spdk_keyring_get_key(opts.psk);

	if (entry->key != NULL) {

		rc = spdk_key_get_key(entry->key, psk_interchange, SPDK_TLS_PSK_MAX_LEN);

		if (rc < 0) {

			SPDK_ERRLOG("Failed to retrieve PSK '%s'\n", opts.psk);

			rc = -EINVAL;

			goto end;

		}

	} else {

		if (strlen(opts.psk) >= sizeof(entry->psk)) {

			SPDK_ERRLOG("PSK path too long\n");

	if (entry->key == NULL) {

		SPDK_ERRLOG("Key '%s' does not exist\n", opts.psk);

		rc = -EINVAL;

		goto end;

	}

		rc = tcp_load_psk(opts.psk, psk_interchange, SPDK_TLS_PSK_MAX_LEN);

		if (rc) {

			SPDK_ERRLOG("Could not retrieve PSK from file\n");

	rc = spdk_key_get_key(entry->key, psk_interchange, SPDK_TLS_PSK_MAX_LEN);

	if (rc < 0) {

		SPDK_ERRLOG("Failed to retrieve PSK '%s'\n", opts.psk);

		rc = -EINVAL;

		goto end;

	}

		SPDK_LOG_DEPRECATED(nvmf_tcp_psk_path);

	}

	/* Parse PSK interchange to get length of base64 encoded data.

	 * This is then used to decide which cipher suite should be used

	 * to generate PSK identity and TLS PSK later on. */

		entry->psk_size = rc;

	}

	if (entry->key == NULL) {

		rc = snprintf(entry->psk_path, sizeof(entry->psk_path), "%s", opts.psk);

		if (rc < 0 || (size_t)rc >= sizeof(entry->psk_path)) {

			SPDK_ERRLOG("Could not save PSK path!\n");

			rc = -ENAMETOOLONG;

			goto end;

		}

	}

	TAILQ_INSERT_TAIL(&ttransport->psks, entry, link);

	rc = 0;

	TAILQ_FOREACH(entry, &ttransport->psks, link) {

		if ((strncmp(entry->hostnqn, hostnqn, SPDK_NVMF_NQN_MAX_LEN)) == 0 &&

		    (strncmp(entry->subnqn, subsystem->subnqn, SPDK_NVMF_NQN_MAX_LEN)) == 0) {

			spdk_json_write_named_string(w, "psk", entry->key ?

						     spdk_key_get_name(entry->key) : entry->psk_path);

			spdk_json_write_named_string(w, "psk",  spdk_key_get_name(entry->key));

			break;

		}

	}

	bdev_null_create null0 100 4096

	nvmf_subsystem_add_ns "$subnqn" null0

	nvmf_subsystem_add_listener -t tcp -a 127.0.0.1 -s 4420 --secure-channel "$subnqn"

	nvmf_subsystem_add_host --psk "$key0path" "$subnqn" "$hostnqn"

	keyring_file_add_key key0 "$key0path"

	nvmf_subsystem_add_host --psk key0 "$subnqn" "$hostnqn"

CMD

# Test, if another listener cannot be added, with different secure channel value

		-a $NVMF_FIRST_TARGET_IP -s $NVMF_PORT -k

		bdev_malloc_create 32 4096 -b malloc0

		nvmf_subsystem_add_ns nqn.2016-06.io.spdk:cnode1 malloc0 -n 1

		keyring_file_add_key key0 "$key"

		nvmf_subsystem_add_host nqn.2016-06.io.spdk:cnode1 nqn.2016-06.io.spdk:host1 \

		--psk $key

			--psk key0

	EOF

}

key_path=$(mktemp)

echo -n "NVMeTLSkey-1:01:MDAxMTIyMzM0NDU1NjY3Nzg4OTlhYWJiY2NkZGVlZmZwJEiQ:" > $key_path

chmod 0600 $key_path

$rpc_py keyring_file_add_key key0 "$key_path"

$rpc_py nvmf_subsystem_allow_any_host nqn.2016-06.io.spdk:cnode0 --disable

$rpc_py nvmf_subsystem_add_listener nqn.2016-06.io.spdk:cnode0 -t $TEST_TRANSPORT \

	-a $NVMF_FIRST_TARGET_IP -s $NVMF_SECOND_PORT --secure-channel

$rpc_py nvmf_subsystem_add_host nqn.2016-06.io.spdk:cnode0 nqn.2016-06.io.spdk:host1 \

	--psk $key_path

	--psk key0

# Then attach NVMe bdev by connecting back to itself, with the target app running on a single core.

# This verifies that the initialization is completely asynchronous, as each blocking call would