
Commit 21f5e86

committed
linux: do not do any keyring ops when no key is provided
There is no point in accessing the keyring if we don't have to load a key into the kernel. Signed-off-by: Daniel Wagner <[email protected]>
1 parent f1ddb96 commit 21f5e86

1 file changed

Lines changed: 18 additions & 11 deletions


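--- a/src/nvme/linux.c
+++ b/src/nvme/linux.c
@@ -1517,9 +1517,9 @@ long nvme_revoke_tls_key(const char *keyring, const char *key_type,
 return keyctl_revoke(key);
 }
 
-static int __nvme_insert_tls_key(long keyring_id,
-const char *hostnqn, const char *subsysnqn,
-const char *identity, const char *key)
+static long __nvme_insert_tls_key(long keyring_id,
+const char *hostnqn, const char *subsysnqn,
+const char *identity, const char *key)
 {
 _cleanup_free_ unsigned char *key_data = NULL;
 unsigned char version;
@@ -1554,37 +1554,43 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
 const char *hostnqn = nvme_host_get_hostnqn(h);
 const char *subsysnqn = nvme_ctrl_get_subsysnqn(c);
 const char *keyring, *key, *identity;
-long kr_id, id = 0;
+long kr_id = 0, id = 0;
 
 if (!hostnqn || !subsysnqn) {
 nvme_msg(h->r, LOG_ERR, "Invalid NQNs (%s, %s)\n",
 hostnqn, subsysnqn);
 return -EINVAL;
 }
 
+/* If we don't have a key avoid all keyring operations */
+key = nvme_ctrl_get_tls_key(c);
+if (!key)
+goto out;
+
 keyring = nvme_ctrl_get_keyring(c);
-if (keyring)
+if (keyring) {
 kr_id = nvme_lookup_keyring(keyring);
-else
+if (kr_id == 0)
+return -errno;
+} else
 kr_id = c->cfg.keyring;
 
 /*
 * Fallback to the default keyring. Note this will also add the
 * keyring to connect command line and to the JSON config output.
 * That means we are explicitly selecting the keyring.
 */
-if (!kr_id)
+if (!kr_id) {
 kr_id = nvme_lookup_keyring(".nvme");
+if (kr_id == 0)
+return -errno;
+}
 
 if (nvme_set_keyring(kr_id) < 0) {
 nvme_msg(h->r, LOG_ERR, "Failed to set keyring\n");
 return -errno;
 }
 
-key = nvme_ctrl_get_tls_key(c);
-if (!key)
-return 0;
-
 identity = nvme_ctrl_get_tls_key_identity(c);
 if (identity)
 id = nvme_lookup_key("psk", identity);
@@ -1599,6 +1605,7 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
 return -errno;
 }
 
+out:
 *keyring_id = kr_id;
 *key_id = id;
 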
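Review bot: The two new `if (kr_id == 0) return -errno;` exits in __nvme_import_keys_from_config fail without any message, while the nvme_set_keyring() failure a few lines below logs one, so a missing or inaccessible keyring aborts the TLS key import with nothing for an operator to see. They also depend on nvme_lookup_keyring() (not shown in these hunks) always setting errno when it returns 0; if it ever returns 0 with errno clear, the function returns 0 and leaves `*keyring_id` and `*key_id` unwritten, which a caller would read as success. I would log before returning, e.g. `nvme_msg(h->r, LOG_ERR, "Failed to lookup keyring '%s'\n", keyring);` for the configured-keyring case, with errno saved into a local first so the logging call cannot change the returned code. The function body starts and ends outside the visible hunks.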
