json: move keystore operations out of the JSON parser

The JSON parser is loading the keys into the kernel. This is a
privileged operations (root) thus the parser will fail for a normal
user. This also makes 'nvme list' etc fail for normal users.
Furthermore, we try to insert each time the keys into the keystore when
libnvme parses the JSON configuration.

Let's move the key import operations to the connect call path where we
need the right permission. A nice side benefit is that we also are able
to pass in a configured key.

The export feature will be added back later.

Signed-off-by: Daniel Wagner <[email protected]>

Author: dwsuse

src/nvme/fabrics.c

@@ -552,6 +552,9 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
 	const char *hostnqn, *hostid, *hostkey, *ctrlkey;
 	bool discover = false, discovery_nqn = false;
 	nvme_root_t r = h->r;
+	long keyring_id = 0;
+	long key_id = 0;
+	int ret;
 
 	if (!transport) {
 		nvme_msg(h->r, LOG_ERR, "need a transport (-t) argument\n");
@@ -573,19 +576,37 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
 		errno = ENOMEM;
 		return -1;
 	}
+
 	if (!strcmp(nvme_ctrl_get_subsysnqn(c), NVME_DISC_SUBSYS_NAME)) {
 		nvme_ctrl_set_discovery_ctrl(c, true);
 		nvme_ctrl_set_unique_discovery_ctrl(c, false);
 		discovery_nqn = true;
 	}
+
 	if (nvme_ctrl_is_discovery_ctrl(c))
 		discover = true;
+
 	hostnqn = nvme_host_get_hostnqn(h);
 	hostid = nvme_host_get_hostid(h);
 	hostkey = nvme_host_get_dhchap_key(h);
 	if (!hostkey)
 		hostkey = nvme_ctrl_get_dhchap_host_key(c);
+
 	ctrlkey = nvme_ctrl_get_dhchap_key(c);
+
+	ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id);
+	if (ret) {
+		errno = -ret;
+		return -1;
+	}
+
+	if (key_id == 0) {
+		if (cfg->tls_configured_key)
+			key_id = cfg->tls_configured_key;
+		else
+			key_id = cfg->tls_key;
+	}
+
 	if (add_argument(r, argstr, transport, transport) ||
 	    add_argument(r, argstr, traddr,
 			 nvme_ctrl_get_traddr(c)) ||
@@ -627,9 +648,9 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
 			      cfg->fast_io_fail_tmo, false)) ||
 	    (strcmp(transport, "loop") &&
 	     add_int_argument(r, argstr, tos, cfg->tos, true)) ||
-	    add_int_argument(r, argstr, keyring, cfg->keyring, false) ||
+	    add_int_argument(r, argstr, keyring, keyring_id, false) ||
 	    (!strcmp(transport, "tcp") &&
-	     add_int_argument(r, argstr, tls_key, cfg->tls_key, false)) ||
+	     add_int_argument(r, argstr, tls_key, key_id, false)) ||
 	    add_bool_argument(r, argstr, duplicate_connect,
 			      cfg->duplicate_connect) ||
 	    add_bool_argument(r, argstr, disable_sqflow,

src/nvme/json.c

@@ -25,62 +25,10 @@
 #define JSON_UPDATE_BOOL_OPTION(c, k, a, o)				\
 	if (!strcmp(# a, k ) && !c->a) c->a = json_object_get_boolean(o);
 
-static void json_import_nvme_tls_key(nvme_ctrl_t c, const char *keyring_str,
-				     const char *encoded_key)
-{
-	struct nvme_fabrics_config *cfg = nvme_ctrl_get_config(c);
-	const char *hostnqn = nvme_host_get_hostnqn(c->s->h);
-	const char *subsysnqn = nvme_ctrl_get_subsysnqn(c);
-	int key_len;
-	unsigned int hmac;
-	long key_id;
-	_cleanup_free_ unsigned char *key_data = NULL;
-
-	if (!hostnqn || !subsysnqn) {
-		nvme_msg(NULL, LOG_ERR, "Invalid NQNs (%s, %s)\n",
-			 hostnqn, subsysnqn);
-		return;
-	}
-	key_data = nvme_import_tls_key(encoded_key, &key_len, &hmac);
-	if (!key_data) {
-		nvme_msg(NULL, LOG_ERR, "Failed to decode TLS Key '%s'\n",
-			encoded_key);
-		return;
-	}
-	key_id = nvme_insert_tls_key_versioned(keyring_str, "psk",
-					       hostnqn, subsysnqn,
-					       0, hmac, key_data, key_len);
-	if (key_id <= 0)
-		nvme_msg(NULL, LOG_ERR, "Failed to insert TLS KEY, error %d\n",
-			 errno);
-	else {
-		cfg->tls_key = key_id;
-		cfg->tls = true;
-	}
-}
-
-static void json_export_nvme_tls_key(long keyring_id, long tls_key,
-				     struct json_object *obj)
-{
-	int key_len;
-	_cleanup_free_ unsigned char *key_data = NULL;
-
-	key_data = nvme_read_key(keyring_id, tls_key, &key_len);
-	if (key_data) {
-		_cleanup_free_ char *tls_str = NULL;
-
-		tls_str = nvme_export_tls_key(key_data, key_len);
-		if (tls_str)
-			json_object_object_add(obj, "tls_key",
-					       json_object_new_string(tls_str));
-	}
-}
-
 static void json_update_attributes(nvme_ctrl_t c,
 				   struct json_object *ctrl_obj)
 {
 	struct nvme_fabrics_config *cfg = nvme_ctrl_get_config(c);
-	const char *keyring_str = NULL, *encoded_key = NULL;
 
 	json_object_object_foreach(ctrl_obj, key_str, val_obj) {
 		JSON_UPDATE_INT_OPTION(cfg, key_str,
@@ -120,31 +68,18 @@ static void json_update_attributes(nvme_ctrl_t c,
 		if (!strcmp("discovery", key_str) &&
 		    !nvme_ctrl_is_discovery_ctrl(c))
 			nvme_ctrl_set_discovery_ctrl(c, true);
-		/*
-		 * The JSON configuration holds the keyring description
-		 * which needs to be converted into the keyring serial number.
-		 */
-		if (!strcmp("keyring", key_str) && cfg->keyring == 0) {
-			long keyring;
-
-			keyring_str = json_object_get_string(val_obj);
-			keyring = nvme_lookup_keyring(keyring_str);
-			if (keyring) {
-				cfg->keyring = keyring;
-				nvme_set_keyring(cfg->keyring);
-			}
+		if (!strcmp("keyring", key_str))
+			nvme_ctrl_set_keyring(c,
+				json_object_get_string(val_obj));
+		if (!strcmp("tls_key_identity", key_str)) {
+			nvme_ctrl_set_tls_key_identity(c,
+				json_object_get_string(val_obj));
+		}
+		if (!strcmp("tls_key", key_str)) {
+			nvme_ctrl_set_tls_key(c,
+				json_object_get_string(val_obj));
 		}
-		if (!strcmp("tls_key", key_str) && cfg->tls_key == 0)
-			encoded_key = json_object_get_string(val_obj);
 	}
-
-	/*
-	 * We might need the keyring information from the above loop,
-	 * so we can only import the TLS key once all entries are
-	 * processed.
-	 */
-	if (encoded_key)
-		json_import_nvme_tls_key(c, keyring_str, encoded_key);
 }
 
 static void json_parse_port(nvme_subsystem_t s, struct json_object *port_obj)
@@ -181,6 +116,19 @@ static void json_parse_port(nvme_subsystem_t s, struct json_object *port_obj)
 	attr_obj = json_object_object_get(port_obj, "dhchap_ctrl_key");
 	if (attr_obj)
 		nvme_ctrl_set_dhchap_key(c, json_object_get_string(attr_obj));
+	attr_obj = json_object_object_get(port_obj, "keyring");
+	if (attr_obj)
+		nvme_ctrl_set_keyring(c, json_object_get_string(attr_obj));
+	attr_obj = json_object_object_get(port_obj, "tls_key_identity");
+	if (attr_obj) {
+		nvme_ctrl_set_tls_key_identity(c,
+			json_object_get_string(attr_obj));
+	}
+	attr_obj = json_object_object_get(port_obj, "tls_key");
+	if (attr_obj) {
+		nvme_ctrl_set_tls_key(c,
+			json_object_get_string(attr_obj));
+	}
 }
 
 static void json_parse_subsys(nvme_host_t h, struct json_object *subsys_obj)
@@ -368,6 +316,19 @@ static void json_update_port(struct json_object *ctrl_array, nvme_ctrl_t c)
 	if (value)
 		json_object_object_add(port_obj, "dhchap_ctrl_key",
 				       json_object_new_string(value));
+	JSON_BOOL_OPTION(cfg, port_obj, tls);
+	value = nvme_ctrl_get_keyring(c);
+	if (value)
+		json_object_object_add(port_obj, "keyring",
+				       json_object_new_string(value));
+	value = nvme_ctrl_get_tls_key_identity(c);
+	if (value)
+		json_object_object_add(port_obj, "tls_key_identity",
+				       json_object_new_string(value));
+	value = nvme_ctrl_get_tls_key(c);
+	if (value)
+		json_object_object_add(port_obj, "tls_key",
+				       json_object_new_string(value));
 	JSON_INT_OPTION(cfg, port_obj, nr_io_queues, 0);
 	JSON_INT_OPTION(cfg, port_obj, nr_write_queues, 0);
 	JSON_INT_OPTION(cfg, port_obj, nr_poll_queues, 0);
@@ -384,31 +345,13 @@ static void json_update_port(struct json_object *ctrl_array, nvme_ctrl_t c)
 	JSON_BOOL_OPTION(cfg, port_obj, disable_sqflow);
 	JSON_BOOL_OPTION(cfg, port_obj, hdr_digest);
 	JSON_BOOL_OPTION(cfg, port_obj, data_digest);
-	JSON_BOOL_OPTION(cfg, port_obj, tls);
 	JSON_BOOL_OPTION(cfg, port_obj, concat);
 	if (nvme_ctrl_is_persistent(c))
 		json_object_object_add(port_obj, "persistent",
 				       json_object_new_boolean(true));
 	if (nvme_ctrl_is_discovery_ctrl(c))
 		json_object_object_add(port_obj, "discovery",
 				       json_object_new_boolean(true));
-	/*
-	 * Store the keyring description in the JSON config file.
-	 */
-	if (cfg->keyring) {
-		_cleanup_free_ char *desc =
-			nvme_describe_key_serial(cfg->keyring);
-
-		if (desc) {
-			json_object_object_add(port_obj, "keyring",
-					       json_object_new_string(desc));
-		}
-	}
-	/*
-	 * Store the TLS key in PSK interchange format
-	 */
-	if (cfg->tls_key)
-		json_export_nvme_tls_key(cfg->keyring, cfg->tls_key, port_obj);
 
 	json_object_array_add(ctrl_array, port_obj);
 }
@@ -564,9 +507,18 @@ static void json_dump_ctrl(struct json_object *ctrl_array, nvme_ctrl_t c)
 	if (!strcmp(transport, "tcp")) {
 		JSON_BOOL_OPTION(cfg, ctrl_obj, tls);
 
-		if (cfg->tls_key)
-			json_export_nvme_tls_key(cfg->keyring, cfg->tls_key,
-						 ctrl_obj);
+		value = nvme_ctrl_get_keyring(c);
+		if (value)
+			json_object_object_add(ctrl_obj, "keyring",
+					       json_object_new_string(value));
+		value = nvme_ctrl_get_tls_key_identity(c);
+		if (value)
+			json_object_object_add(ctrl_obj, "tls_key_identity",
+					       json_object_new_string(value));
+		value = nvme_ctrl_get_tls_key(c);
+		if (value)
+			json_object_object_add(ctrl_obj, "tls_key",
+					       json_object_new_string(value));
 	}
 	JSON_BOOL_OPTION(cfg, ctrl_obj, concat);
 	if (nvme_ctrl_is_persistent(c))

src/nvme/linux.c

@@ -1347,27 +1347,17 @@ int nvme_scan_tls_keys(const char *keyring, nvme_scan_tls_keys_cb_t cb,
 	return ret;
 }
 
-long nvme_insert_tls_key_versioned(const char *keyring, const char *key_type,
-				   const char *hostnqn, const char *subsysnqn,
-				   int version, int hmac,
-				   unsigned char *configured_key, int key_len)
+static long __nvme_insert_tls_key_versioned(key_serial_t keyring_id, const char *key_type,
+					    const char *hostnqn, const char *subsysnqn,
+					    int version, int hmac,
+					    unsigned char *configured_key, int key_len)
 {
 	_cleanup_free_ unsigned char *psk = NULL;
 	_cleanup_free_ char *identity = NULL;
-	key_serial_t keyring_id, key;
 	ssize_t identity_len;
+	key_serial_t key;
 	int ret;
 
-	keyring_id = nvme_lookup_keyring(keyring);
-	if (keyring_id == 0) {
-		errno = ENOKEY;
-		return 0;
-	}
-
-	ret = nvme_set_keyring(keyring_id);
-	if (ret < 0)
-		return 0;
-
 	identity_len = nvme_identity_len(hmac, version, hostnqn, subsysnqn);
 	if (identity_len < 0)
 		return 0;
@@ -1397,6 +1387,29 @@ long nvme_insert_tls_key_versioned(const char *keyring, const char *key_type,
 	return key;
 }
 
+long nvme_insert_tls_key_versioned(const char *keyring, const char *key_type,
+				   const char *hostnqn, const char *subsysnqn,
+				   int version, int hmac,
+				   unsigned char *configured_key, int key_len)
+{
+	key_serial_t keyring_id;
+	int ret;
+
+	keyring_id = nvme_lookup_keyring(keyring);
+	if (keyring_id == 0) {
+		errno = ENOKEY;
+		return 0;
+	}
+
+	ret = nvme_set_keyring(keyring_id);
+	if (ret < 0)
+		return 0;
+	return __nvme_insert_tls_key_versioned(keyring_id, key_type,
+					       hostnqn, subsysnqn,
+					       version, hmac,
+					       configured_key, key_len);
+}
+
 long nvme_revoke_tls_key(const char *keyring, const char *key_type,
 			 const char *identity)
 {
@@ -1415,6 +1428,59 @@ long nvme_revoke_tls_key(const char *keyring, const char *key_type,
 
 	return keyctl_revoke(key);
 }
+
+int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+				   long *keyring_id, long *key_id)
+{
+	const char *hostnqn = nvme_host_get_hostnqn(h);
+	const char *subsysnqn = nvme_ctrl_get_subsysnqn(c);
+	const char *keyring, *key;
+	_cleanup_free_ unsigned char *key_data = NULL;
+	unsigned char version;
+	unsigned char hmac;
+	size_t key_len;
+	long id;
+
+	if (!hostnqn || !subsysnqn) {
+		nvme_msg(h->r, LOG_ERR, "Invalid NQNs (%s, %s)\n",
+			 hostnqn, subsysnqn);
+		return -EINVAL;
+	}
+
+	keyring = nvme_ctrl_get_keyring(c);
+	if (keyring)
+		id = nvme_lookup_keyring(keyring);
+	else
+		id = c->cfg.keyring;
+
+	if (nvme_set_keyring(id) < 0) {
+		nvme_msg(h->r, LOG_ERR, "Failed to set keyring\n");
+		return -errno;
+	}
+	*keyring_id = id;
+
+	key = nvme_ctrl_get_tls_key(c);
+	key_data = nvme_import_tls_key_versioned(key, &version,
+						 &hmac, &key_len);
+	if (!key_data) {
+		nvme_msg(h->r, LOG_ERR, "Failed to decode TLS Key '%s'\n",
+			 key);
+		return -1;
+	}
+
+	id = __nvme_insert_tls_key_versioned(*keyring_id, "psk",
+					     hostnqn, subsysnqn,
+					     version, hmac, key_data, key_len);
+	if (id <= 0) {
+		nvme_msg(h->r, LOG_ERR, "Failed to insert TLS KEY, error %d\n",
+			 errno);
+		return -errno;
+	}
+
+	*key_id = id;
+
+	return 0;
+}
 #else
 long nvme_lookup_keyring(const char *keyring)
 {
@@ -1488,6 +1554,14 @@ long nvme_revoke_tls_key(const char *keyring, const char *key_type,
 	errno = ENOTSUP;
 	return -1;
 }
+
+int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+				   long *keyring_id, long *key_id)
+{
+	nvme_msg(h->r, LOG_ERR, "key operations not supported; "
+		 "recompile with keyutils support.\n");
+	return -ENOTSUP;
+}
 #endif
 
 long nvme_insert_tls_key(const char *keyring, const char *key_type,