From e6d2be4bfe24677457d2d1b14644c35693e36129 Mon Sep 17 00:00:00 2001
From: Hannes Reinecke
Date: Tue, 27 Feb 2024 14:52:00 +0100
Subject: [PATCH] linux: add nvme_update_key()

Add function to update a key by identity string.

Signed-off-by: Hannes Reinecke
---
 src/libnvme.map | 1 +
 src/nvme/linux.c | 38 ++++++++++++++++++++++++++++----------
 src/nvme/linux.h | 19 +++++++++++++++++++
 3 files changed, 48 insertions(+), 10 deletions(-)

diff --git a/src/libnvme.map b/src/libnvme.map
index 6d343922..2576425a 100644
--- a/src/libnvme.map
+++ b/src/libnvme.map
@@ -5,6 +5,7 @@ LIBNVME_1.9 {
 nvme_read_key;
 nvme_submit_passthru;
 nvme_submit_passthru64;
+ nvme_update_key;
 };

 LIBNVME_1_8 {
diff --git a/src/nvme/linux.c b/src/nvme/linux.c
index d8b17739..6155cc26 100644
--- a/src/nvme/linux.c
+++ b/src/nvme/linux.c
@@ -1225,6 +1225,24 @@ unsigned char *nvme_read_key(long keyring_id, long key_id, int *len)
 return buffer;
 }

+long nvme_update_key(long keyring_id, const char *key_type,
+ const char *identity, unsigned char *key_data,
+ int key_len)
+{
+ long key;
+
+ key = keyctl_search(keyring_id, key_type, identity, 0);
+ if (key > 0) {
+ if (keyctl_revoke(key) < 0)
+ return 0;
+ }
+ key = add_key(key_type, identity,
+ key_data, key_len, keyring_id);
+ if (key < 0)
+ key = 0;
+ return key;
+}
+
 long nvme_insert_tls_key_versioned(const char *keyring, const char *key_type,
 const char *hostnqn, const char *subsysnqn,
 int version, int hmac,
@@ -1261,16 +1279,8 @@ long nvme_insert_tls_key_versioned(const char *keyring, const char *key_type,
 if (ret != key_len)
 return 0;

- key = keyctl_search(keyring_id, key_type, identity, 0);
- if (key > 0) {
- if (keyctl_update(key, psk, key_len) < 0)
- key = 0;
- } else {
- key = add_key(key_type, identity,
- psk, key_len, keyring_id);
- if (key < 0)
- key = 0;
- }
+ key = nvme_update_key(keyring_id, key_type, identity,
+ psk, key_len);
 return key;
 }

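Review bot: In `nvme_update_key()` the old key is revoked before `add_key()` is attempted, so any `add_key()` failure (quota, bad length, permission) returns 0 with the identity left without a usable key, whereas the `keyctl_update()` path this replaces left the existing key in place on failure. At minimum the arguments should be checked before the revoke, e.g. `if (!key_data || key_len < 0) { errno = EINVAL; return 0; }` ahead of `keyctl_search()`, because a negative `key_len` becomes a huge `size_t` when passed to `add_key()`. The same concern reaches the call that the `@@ -1261,16 +1279,8 @@` hunk puts into `nvme_insert_tls_key_versioned()`, whose body starts and ends outside that hunk: a re-insert now yields a new key id, and anything still holding the old id (presumably including already configured connections) is left pointing at a revoked key. Since `key_data` is only read, `const unsigned char *key_data` would also be the better signature to settle on before the symbol ships in LIBNVME_1.9.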
@@ -1313,6 +1323,14 @@ unsigned char *nvme_read_key(long keyring_id, long key_id, int *len)
 return NULL;
 }

+long nvme_update_key(long keyring_id, const char *key_type,
+ const char *identity, unsigned char *key_data,
+ int key_len)
+{
+ errno = ENOTSUP;
+ return 0;
+}
+
 long nvme_insert_tls_key_versioned(const char *keyring, const char *key_type,
 const char *hostnqn, const char *subsysnqn,
 int version, int hmac,
diff --git a/src/nvme/linux.h b/src/nvme/linux.h
index 75f58bd6..454ae0da 100644
--- a/src/nvme/linux.h
+++ b/src/nvme/linux.h
@@ -289,6 +289,25 @@ int nvme_set_keyring(long keyring_id);
 */
 unsigned char *nvme_read_key(long keyring_id, long key_id, int *len);

+/**
+ * nvme_update_key() - Update key raw data
+ * @keyring_id: Id of the keyring holding %key_id
+ * @key_type: Type of the key to insert
+ * @identity: Key identity string
+ * @key_data: Raw data of the key
+ * @key_len: Length of @key_data
+ *
+ * Links the keyring specified by @keyring_id into the session
+ * keyring and updates the key reference by @identity with @key_data.
+ * The old key with identity @identity will be revoked to make it
+ * inaccessible.
+ *
+ * Return: Key id of the new key or 0 with errno set otherwise.
+ */
+long nvme_update_key(long keyring_id, const char *key_type,
+ const char *identity, unsigned char *key_data,
+ int key_len);
+
 /**
 * nvme_insert_tls_key() - Derive and insert TLS key
 * @keyring: Keyring to use
--
2.50.1
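Review bot: The kernel-doc added for `nvme_update_key()` in src/nvme/linux.h does not match the implementation in src/nvme/linux.c: `@keyring_id` refers to `%key_id`, which is not a parameter of this function (it reads as carried over from `nvme_read_key()`), and the description says the keyring is linked into the session keyring although the body shown in this patch only calls `keyctl_search()`, `keyctl_revoke()` and `add_key()`. I would write `@keyring_id: Id of the keyring to search and insert the key into`, drop the linking sentence unless that step is expected from the caller, and correct `key reference by` to `key referenced by`. The comment should also spell out the failure mode a caller has to handle: when 0 is returned the old key may already have been revoked, so the identity can be left without a valid key.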