
Commit f8f82ab

dwsuseigaw
authored and committed
tree: do no export tls keys when not provided by user
The config output should only contain the entries which were also provided by the user via the command line. Thus we should not look up the keys in the keystore when only --tls is used. Signed-off-by: Daniel Wagner <[email protected]>
1 parent 17cead2 commit f8f82ab

3 files changed

Lines changed: 0 additions & 93 deletions


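--- a/src/nvme/linux.c
+++ b/src/nvme/linux.c
@@ -1604,79 +1604,6 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
 
 return 0;
 }
-
-static char *__nvme_export_key(long keyring, long key_id, char **identity)
-{
-_cleanup_free_ unsigned char *key = NULL;
-int len, ver, hmac;
-char type, *desc, *encoded_key;
-
-key = nvme_read_key(keyring, key_id, &len);
-if (!key) {
-/*
-* Accessing the keyring is a priveleged opartion, thus it
-* might fail for a normal user, this is not an error.
-*/
-return NULL;
-}
-
-desc = nvme_describe_key_serial(key_id);
-if (!desc) {
-/*
-* Revoked keys don't return a description, thus ignore
-* them.
-*/
-return NULL;
-}
-
-if (sscanf(desc, "NVMe%01d%c%02d %*s", &ver, &type, &hmac) != 3)
-return NULL;
-
-encoded_key = nvme_export_tls_key_versioned(ver, hmac, key, len);
-if (!encoded_key)
-return NULL;
-
-if (identity)
-*identity = desc;
-return encoded_key;
-}
-
-static void export_keys_to_config(nvme_ctrl_t c)
-{
-char *identity = NULL, *encoded_key;
-
-if (!c->cfg.tls)
-return;
-/*
-* Do not update the configuration blindly. The user could have
-* provided configuration, but they keys are not loaded into
-* keystore yet.
-*/
-
-encoded_key =
-__nvme_export_key(c->cfg.keyring, c->cfg.tls_key, &identity);
-if (identity) {
-nvme_ctrl_set_tls_key_identity(c, identity);
-free(identity);
-}
-if (encoded_key) {
-nvme_ctrl_set_tls_key(c, encoded_key);
-free(encoded_key);
-}
-}
-
-int __nvme_export_keys_to_config(nvme_root_t r)
-{
-nvme_host_t h;
-nvme_subsystem_t s;
-nvme_ctrl_t c;
-
-nvme_for_each_host(r, h)
-nvme_for_each_subsystem(h, s)
-nvme_subsystem_for_each_ctrl(s, c)
-export_keys_to_config(c);
-return 0;
-}
 #else
 long nvme_lookup_keyring(const char *keyring)
 {
@@ -1756,11 +1683,6 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
 {
 return -ENOTSUP;
 }
-
-int __nvme_export_keys_to_config(nvme_root_t r)
-{
-return -ENOTSUP;
-}
 #endif
 
 long nvme_insert_tls_key(const char *keyring, const char *key_type,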

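--- a/src/nvme/private.h
+++ b/src/nvme/private.h
@@ -302,6 +302,5 @@ void __nvme_mi_mctp_set_ops(const struct __mi_mctp_socket_ops *newops);
 
 int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
 long *keyring_id, long *key_id);
-int __nvme_export_keys_to_config(nvme_root_t r);
 
 #endif /* _LIBNVME_PRIVATE_H */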

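--- a/src/nvme/tree.c
+++ b/src/nvme/tree.c
@@ -346,20 +346,6 @@ int nvme_update_config(nvme_root_t r)
 
 int nvme_dump_config(nvme_root_t r)
 {
-int err;
-
-err = __nvme_export_keys_to_config(r);
-if (err) {
-if (err == -ENOTSUP) {
-nvme_msg(r, LOG_NOTICE,
-"exporting keys to the configuration failed because keysutils is missing\n");
-} else {
-nvme_msg(r, LOG_ERR,
-"exporting keys to the configuration failed with %s\n",
-nvme_errno_to_string(err));
-}
-}
-
 return json_update_config(r, NULL);
 }
 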