@@ -1429,17 +1429,44 @@ long nvme_revoke_tls_key(const char *keyring, const char *key_type,
14291429 return keyctl_revoke (key );
14301430}
14311431
1432- int __nvme_import_keys_from_config (nvme_host_t h , nvme_ctrl_t c ,
1433- long * keyring_id , long * key_id )
1432+ static int __nvme_insert_tls_key (long keyring_id ,
1433+ const char * hostnqn , const char * subsysnqn ,
1434+ const char * identity , const char * key )
14341435{
1435- const char * hostnqn = nvme_host_get_hostnqn (h );
1436- const char * subsysnqn = nvme_ctrl_get_subsysnqn (c );
1437- const char * keyring , * key ;
14381436 _cleanup_free_ unsigned char * key_data = NULL ;
14391437 unsigned char version ;
14401438 unsigned char hmac ;
14411439 size_t key_len ;
1442- long id ;
1440+
1441+ key_data = nvme_import_tls_key_versioned (key , & version ,
1442+ & hmac , & key_len );
1443+ if (!key_data )
1444+ return - EINVAL ;
1445+
1446+ if (hmac == NVME_HMAC_ALG_NONE || !identity ) {
1447+ /*
1448+ * This is a configured key (hmac 0) or we don't know the
1449+ * identity and so the assumtion is it is also a
1450+ * configured key. Derive a new key and load the newly
1451+ * created key into the keystore.
1452+ */
1453+ return __nvme_insert_tls_key_versioned (keyring_id , "psk" ,
1454+ hostnqn , subsysnqn ,
1455+ version , hmac ,
1456+ key_data , key_len );
1457+ }
1458+
1459+ return nvme_update_key (keyring_id , "psk" , identity ,
1460+ key_data , key_len );
1461+ }
1462+
1463+ int __nvme_import_keys_from_config (nvme_host_t h , nvme_ctrl_t c ,
1464+ long * keyring_id , long * key_id )
1465+ {
1466+ const char * hostnqn = nvme_host_get_hostnqn (h );
1467+ const char * subsysnqn = nvme_ctrl_get_subsysnqn (c );
1468+ const char * keyring , * key , * identity ;
1469+ long kr_id , id = 0 ;
14431470
14441471 if (!hostnqn || !subsysnqn ) {
14451472 nvme_msg (h -> r , LOG_ERR , "Invalid NQNs (%s, %s)\n" ,
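Review bot: The decode-failure path in `__nvme_insert_tls_key` returns `-EINVAL` without setting errno, yet the caller in the second hunk still logs and returns `-errno` when `id <= 0`, so a key that fails to decode produces a misleading "error %d" value and, if errno happens to be 0, `__nvme_import_keys_from_config` returns 0 with `*keyring_id` and `*key_id` never written. The removed code logged a dedicated decode message that also printed the key string at LOG_ERR, so not reviving that message is fine, but the failure itself must still reach the caller. The smallest fix is `if (!key_data) { errno = EINVAL; return -EINVAL; }` so the existing `-errno` convention holds; alternatively test `id < 0` in the caller and `return id;` directly. The helper is also declared `static int` while its result is stored in `long id` and the removed lines show the versioned insert yielding a `long`, so `static long` would avoid the narrowing, though Linux key serials are 32-bit and this is a consistency point rather than a live bug. Minor: "assumtion" in the new block comment.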
@@ -1449,34 +1476,42 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
14491476
14501477 keyring = nvme_ctrl_get_keyring (c );
14511478 if (keyring )
1452- id = nvme_lookup_keyring (keyring );
1479+ kr_id = nvme_lookup_keyring (keyring );
14531480 else
1454- id = c -> cfg .keyring ;
1481+ kr_id = c -> cfg .keyring ;
14551482
1456- if (nvme_set_keyring (id ) < 0 ) {
1483+ /*
1484+ * Fallback to the default keyring. Note this will also add the
1485+ * keyring to connect command line and to the JSON config output.
1486+ * That means we are explicitly selecting the keyring.
1487+ */
1488+ if (!kr_id )
1489+ kr_id = nvme_lookup_keyring (".nvme" );
1490+
1491+ if (nvme_set_keyring (kr_id ) < 0 ) {
14571492 nvme_msg (h -> r , LOG_ERR , "Failed to set keyring\n" );
14581493 return - errno ;
14591494 }
1460- * keyring_id = id ;
14611495
14621496 key = nvme_ctrl_get_tls_key (c );
1463- key_data = nvme_import_tls_key_versioned (key , & version ,
1464- & hmac , & key_len );
1465- if (!key_data ) {
1466- nvme_msg (h -> r , LOG_ERR , "Failed to decode TLS Key '%s'\n" ,
1467- key );
1468- return -1 ;
1469- }
1497+ if (!key )
1498+ return 0 ;
1499+
1500+ identity = nvme_ctrl_get_tls_key_identity (c );
1501+ if (identity )
1502+ id = nvme_lookup_key ("psk" , identity );
1503+
1504+ if (!id )
1505+ id = __nvme_insert_tls_key (kr_id , hostnqn ,
1506+ subsysnqn , identity , key );
14701507
1471- id = __nvme_insert_tls_key_versioned (* keyring_id , "psk" ,
1472- hostnqn , subsysnqn ,
1473- version , hmac , key_data , key_len );
14741508 if (id <= 0 ) {
14751509 nvme_msg (h -> r , LOG_ERR , "Failed to insert TLS KEY, error %d\n" ,
14761510 errno );
14771511 return - errno ;
14781512 }
14791513
1514+ * keyring_id = kr_id ;
14801515 * key_id = id ;
14811516
14821517 return 0 ;