Skip to content

Commit 64a513d

Browse files
igawigaw
committed
nvme: add support to add derive TLS PSK to keyfile
When creating a new key and it is inserted into keystore also support to append it to a keyfile. Signed-off-by: Daniel Wagner <[email protected]>
1 parent 3ece7a8 commit 64a513d

File tree

1 file changed

+64
-0
lines changed

1 file changed

+64
-0
lines changed

nvme.c

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9187,6 +9187,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
91879187
const char *keyring = "Keyring for the retained key.";
91889188
const char *keytype = "Key type of the retained key.";
91899189
const char *insert = "Insert retained key into the keyring.";
9190+
const char *keyfile = "Update key file with the derive TLS PSK.";
91909191

91919192
_cleanup_free_ unsigned char *raw_secret = NULL;
91929193
_cleanup_free_ char *encoded_key = NULL;
@@ -9201,6 +9202,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
92019202
char *hostnqn;
92029203
char *subsysnqn;
92039204
char *secret;
9205+
char *keyfile;
92049206
unsigned char hmac;
92059207
unsigned char version;
92069208
bool insert;
@@ -9212,6 +9214,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
92129214
.hostnqn = NULL,
92139215
.subsysnqn = NULL,
92149216
.secret = NULL,
9217+
.keyfile = NULL,
92159218
.hmac = 1,
92169219
.version = 0,
92179220
.insert = false,
@@ -9223,6 +9226,7 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
92239226
OPT_STR("hostnqn", 'n', &cfg.hostnqn, hostnqn),
92249227
OPT_STR("subsysnqn", 'c', &cfg.subsysnqn, subsysnqn),
92259228
OPT_STR("secret", 's', &cfg.secret, secret),
9229+
OPT_STR("keyfile", 'f', &cfg.keyfile, keyfile),
92269230
OPT_BYTE("hmac", 'm', &cfg.hmac, hmac),
92279231
OPT_BYTE("identity", 'I', &cfg.version, version),
92289232
OPT_FLAG("insert", 'i', &cfg.insert, insert));
@@ -9297,6 +9301,66 @@ static int gen_tls_key(int argc, char **argv, struct command *command, struct pl
92979301

92989302
printf("Inserted TLS key %08x\n", (unsigned int)tls_key);
92999303
}
9304+
if (tls_key && cfg.keyfile) {
9305+
_cleanup_free_ unsigned char *key_data = NULL;
9306+
_cleanup_free_ char *exported_key = NULL;
9307+
_cleanup_free_ char *identity = NULL;
9308+
_cleanup_file_ FILE *fd = NULL;
9309+
mode_t old_umask;
9310+
int key_len;
9311+
long kr_id;
9312+
9313+
kr_id = nvme_lookup_keyring(cfg.keyring);
9314+
if (kr_id <= 0) {
9315+
nvme_show_error("Failed to lookup keyring '%s'",
9316+
cfg.keyring);
9317+
return -errno;
9318+
}
9319+
9320+
key_data = nvme_read_key(kr_id, tls_key, &key_len);
9321+
if (!key_data) {
9322+
nvme_show_error("Failed to read back derive TLS PSK");
9323+
return -errno;
9324+
}
9325+
9326+
exported_key = nvme_export_tls_key_versioned(cfg.version, cfg.hmac,
9327+
key_data, key_len);
9328+
if (!exported_key) {
9329+
nvme_show_error("Failed to export key");
9330+
return -errno;
9331+
}
9332+
9333+
identity = nvme_describe_key_serial(tls_key);
9334+
if (!identity) {
9335+
nvme_show_error("Failed to get identity info");
9336+
return -errno;
9337+
}
9338+
9339+
old_umask = umask(0);
9340+
9341+
fd = fopen(cfg.keyfile, "a");
9342+
if (!fd) {
9343+
nvme_show_error("Failed to open '%s', %s",
9344+
cfg.keyfile, strerror(errno));
9345+
err = -errno;
9346+
goto out;
9347+
}
9348+
9349+
err = fprintf(fd, "%s %s\n", identity, exported_key);
9350+
if (err < 0) {
9351+
nvme_show_error("Failed to append key to '%', %s",
9352+
cfg.keyfile, strerror(errno));
9353+
err = -errno;
9354+
}
9355+
9356+
out:
9357+
chmod(cfg.keyfile, S_IRUSR | S_IWUSR);
9358+
umask(old_umask);
9359+
9360+
if (err)
9361+
return err;
9362+
}
9363+
93009364
return 0;
93019365
}
93029366

0 commit comments

Comments
 (0)