linux: add key helper functions
authorHannes Reinecke <hare@suse.de>
Thu, 23 Mar 2023 13:46:13 +0000 (14:46 +0100)
committerDaniel Wagner <wagi@monom.org>
Mon, 27 Mar 2023 11:46:18 +0000 (13:46 +0200)
Add helper functions for key handling.

Signed-off-by: Hannes Reinecke <hare@suse.de>
[dwagner:
  - set errno on failure and updated documentation accordingly
  - fix return check of nvme_lookup_key in nvme_insert_tls_key]
Signed-off-by: Daniel Wagner <dwagner@suse.de>
src/libnvme.map
src/nvme/linux.c
src/nvme/linux.h

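index 0979c4ea3aaa4e5ed233bcb7c6b3b5084031cf0a..a1294f4a8150785b4d77f39991a8caffb08fc039 100644
--- a/src/libnvme.map
+++ b/src/libnvme.map
@@ -3,6 +3,9 @@
 LIBNVME_1_4 {
        global:
                nvme_lookup_keyring;
+               nvme_describe_key_serial;
+               nvme_lookup_key;
+               nvme_set_keyring;
                nvme_insert_tls_key;
 };
 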
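index 722d01436a25e2aabda87524871494b1fb6565aa..c6eedc2a63cc505da67949b4151284f127a40f96 100644
--- a/src/nvme/linux.c
+++ b/src/nvme/linux.c
@@ -791,6 +791,35 @@ long nvme_lookup_keyring(const char *keyring)
        return keyring_id;
 }
 
+char *nvme_describe_key_serial(long key_id)
+{
+       char *desc;
+
+       if (keyctl_describe_alloc(key_id, &desc) < 0)
+               desc = NULL;
+       return desc;
+}
+
+long nvme_lookup_key(const char *type, const char *identity)
+{
+       key_serial_t key;
+
+       key = keyctl_search(KEY_SPEC_SESSION_KEYRING, type, identity, 0);
+       if (key < 0)
+               return 0;
+       return key;
+}
+
+int nvme_set_keyring(long key_id)
+{
+       long err;
+
+       err = keyctl_link(key_id, KEY_SPEC_SESSION_KEYRING);
+       if (err < 0)
+               return -1;
+       return 0;
+}
+
 long nvme_insert_tls_key(const char *keyring, const char *key_type,
                         const char *hostnqn, const char *subsysnqn, int hmac,
                         unsigned char *configured_key, int key_len)
@@ -801,7 +830,7 @@ long nvme_insert_tls_key(const char *keyring, const char *key_type,
        int ret = -1;
 
        keyring_id = nvme_lookup_keyring(keyring);
-       if (keyring_id < 0)
+       if (keyring_id == 0)
                return -1;
 
        identity = malloc(strlen(hostnqn) + strlen(subsysnqn) + 12);
@@ -849,6 +878,30 @@ long nvme_lookup_keyring(const char *keyring)
        return 0;
 }
 
+char *nvme_describe_key_serial(long key_id)
+{
+       nvme_msg(NULL, LOG_ERR, "key operations not supported; "\
+                "recompile with keyutils support.\n");
+       errno = ENOTSUP;
+       return NULL;
+}
+
+long nvme_lookup_key(const char *type, const char *identity)
+{
+       nvme_msg(NULL, LOG_ERR, "key operations not supported; "\
+                "recompile with keyutils support.\n");
+       errno = ENOTSUP;
+       return 0;
+}
+
+int nvme_set_keyring(long key_id)
+{
+       nvme_msg(NULL, LOG_ERR, "key operations not supported; "\
+                "recompile with keyutils support.\n");
+       errno = ENOTSUP;
+       return -1;
+}
+
 long nvme_insert_tls_key(const char *keyring, const char *key_type,
                         const char *hostnqn, const char *subsysnqn, int hmac,
                         unsigned char *configured_key, int key_len)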
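Review bot: `nvme_set_keyring()` takes `long key_id` in both definitions in this file (first and third hunk) while the header prototype names the parameter `keyring_id` and documents `@keyring_id`; rename it here so the kernel-doc and the definitions agree, `int nvme_set_keyring(long keyring_id)`. In the third hunk the `\` after `"key operations not supported; "` is a redundant line splice, since adjacent string literals concatenate on their own, and it is easy to misread as a macro continuation; dropping it in all three stubs reads cleaner. Those stubs also leave `key_id`, `type` and `identity` unused, which matches the existing `nvme_lookup_keyring` stub style but will warn under -Wunused-parameter if the project enables it; a `(void)key_id;` line per stub would keep the build quiet.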
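index 6a5c090f3cdcada35361b5516bb16ee728f6c910..37ba9d4cdd60198440e043b5f1c26926385f244d 100644
--- a/src/nvme/linux.h
+++ b/src/nvme/linux.h
@@ -205,6 +205,43 @@ int nvme_gen_dhchap_key(char *hostnqn, enum nvme_hmac_alg hmac,
  */
 long nvme_lookup_keyring(const char *keyring);
 
+/**
+ * nvme_describe_key_serial() - Return key description
+ * @key_id:    Key serial number
+ *
+ * Fetches the description of the key or keyring identified
+ * by the serial number @key_id.
+ *
+ * Return: The description of @key_id or NULL on failure.
+ * The returned string needs to be freed by the caller.
+ */
+char *nvme_describe_key_serial(long key_id);
+
+/**
+ * nvme_lookup_key() - Lookup key serial number
+ * @type:        Key type
+ * @identity:    Key description
+ *
+ * Looks up the serial number of the key @identity
+ * with type %type in the current session keyring.
+ *
+ * Return: The key serial number of the key
+ * or 0 with errno set otherwise.
+ */
+long nvme_lookup_key(const char *type, const char *identity);
+
+/**
+ * nvme_set_keyring() - Link keyring for lookup
+ * @keyring_id:    Keyring id
+ *
+ * Links @keyring_id into the session keyring such that
+ * its keys are available for further key lookups.
+ *
+ * Return: 0 on success, a negative number on error
+ * with errno set.
+ */
+int nvme_set_keyring(long keyring_id);
+
 /**
  * nvme_insert_tls_key() - Derive and insert TLS key
  * @keyring:    Keyring to use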
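Review bot: The kernel-doc for `nvme_lookup_key()` writes `%type` for a parameter, but `%` marks a constant in kernel-doc; it should read `with type @type in the current session keyring.`. The `nvme_set_keyring()` description would also benefit from stating the scope of the link it creates: because `keyctl_search()` descends into linked keyrings, every key in @keyring_id becomes findable through `nvme_lookup_key()` by any process sharing that session keyring, and this commit adds no counterpart that unlinks it, so a sentence such as `The link persists for the lifetime of the session keyring; there is no inverse helper.` lets callers decide when to use it. Finally, `nvme_describe_key_serial()` documents `NULL on failure` without mentioning errno while the non-keyutils stub in linux.c sets ENOTSUP; `NULL on failure with errno set.` keeps the three helpers' contracts parallel.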