linux: Add nvme_scan_tls_keys()

Add a function to iterate existing TLS keys in a given keyring. Signed-off-by: Hannes Reinecke <hare@suse.de>
linux-nvme · Mar 7, 2024 · d1fd6a4 · d1fd6a4
1 parent 774b034
commit d1fd6a4
Show file tree

Hide file tree

Showing 2 changed files with 99 additions and 0 deletions.
diff --git a/src/nvme/linux.c b/src/nvme/linux.c
@@ -1244,6 +1244,67 @@ long nvme_update_key(long keyring_id, const char *key_type,
 	return key;
 }
 
+struct __scan_keys_data {
+	nvme_scan_tls_keys_cb_t cb;
+	key_serial_t keyring;
+	void *data;
+};
+
+int __scan_keys_cb(key_serial_t parent, key_serial_t key,
+		   char *desc, int desc_len, void *data)
+{
+	struct __scan_keys_data *d = data;
+	int ver, hmac, uid, gid, perm;
+	char type, *ptr;
+
+	if (desc_len < 6)
+		return 0;
+	if (sscanf(desc, "psk;%d;%d;%08x;NVMe%01d%c%02d %*s",
+		   &uid, &gid, &perm, &ver, &type, &hmac) != 6)
+		return 0;
+	/* skip key type */
+	ptr = strchr(desc, ';');
+	if (!ptr)
+		return 0;
+	/* skip key uid */
+	ptr = strchr(ptr + 1, ';');
+	if (!ptr)
+		return 0;
+	/* skip key gid */
+	ptr = strchr(ptr + 1, ';');
+	if (!ptr)
+		return 0;
+	/* skip key permissions */
+	ptr = strchr(ptr + 1, ';');
+	if (!ptr)
+		return 0;
+	/* Only use the key description for the callback */
+	(d->cb)(d->keyring, key, ptr + 1, strlen(ptr) - 1, d->data);
+	return 1;
+}
+
+int nvme_scan_tls_keys(const char *keyring, nvme_scan_tls_keys_cb_t cb,
+		       void *data)
+{
+	struct __scan_keys_data d;
+	key_serial_t keyring_id = nvme_lookup_keyring(keyring);
+	int ret;
+
+	if (!keyring_id) {
+		errno = EINVAL;
+		return -1;
+	}
+	ret = nvme_set_keyring(keyring_id);
+	if (ret < 0)
+		return ret;
+
+	d.keyring = keyring_id;
+	d.cb = cb;
+	d.data = data;
+	ret = recursive_key_scan(keyring_id, __scan_keys_cb, &d);
+	return ret;
+}
+
 long nvme_insert_tls_key_versioned(const char *keyring, const char *key_type,
 				   const char *hostnqn, const char *subsysnqn,
 				   int version, int hmac,
@@ -1341,6 +1402,13 @@ long nvme_update_key(long keyring_id, const char *key_type,
 	return 0;
 }
 
+int nvme_scan_tls_keys(const char *keyring, nvme_scan_tls_keys_cb_t cb,
+		       void *data)
+{
+	errno = ENOTSUP;
+	return -1;
+}
+
 long nvme_insert_tls_key_versioned(const char *keyring, const char *key_type,
 				   const char *hostnqn, const char *subsysnqn,
 				   int version, int hmac,

diff --git a/src/nvme/linux.h b/src/nvme/linux.h
@@ -308,6 +308,37 @@ long nvme_update_key(long keyring_id, const char *key_type,
 		     const char *identity, unsigned char *key_data,
 		     int key_len);
 
+/**
+ * typedef nvme_scan_tls_keys_cb_t - Callback for iterating TLS keys
+ * @keyring:	Keyring which has been iterated
+ * @key:	Key for which the callback has been invoked
+ * @desc:	Description of the key
+ * @desc_len:	Length of @desc
+ * @data:	Pointer for caller data
+ *
+ * Called for each TLS PSK in the keyring.
+ */
+typedef void (*nvme_scan_tls_keys_cb_t)(long keyring, long key,
+					char *desc, int desc_len, void *data);
+
+/**
+ * nvme_scan_tls_keys() - Iterate over TLS keys in a keyring
+ * @keyring:	Keyring holding TLS keys
+ * @cb:		Callback function
+ * @data:	Pointer for data to be passed to @cb
+ *
+ * Iterates @keyring and call @cb for each TLS key. When @keyring is NULL
+ * the default '.nvme' keyring is used.
+ * A TLS key must be of type 'psk' and the description must be of the
+ * form 'NVMe<0|1><R|G>0<1|2> <identity>', otherwise it will be skipped
+ * during iteration.
+ *
+ * Return: Number of keys for which @cb was called, or -1 with errno set
+ * on error.
+ */
+int nvme_scan_tls_keys(const char *keyring, nvme_scan_tls_keys_cb_t cb,
+		       void *data);
+
 /**
  * nvme_insert_tls_key() - Derive and insert TLS key
  * @keyring:    Keyring to use