linux: add nvme_create_raw_secret

Move helper function to create the raw secret from the input string to
the library. This allows to use a common function to consistently create
the raw secret in nvme-cli and libnvme.

Signed-off-by: Daniel Wagner <[email protected]>

Author: igaw

libnvme/src/libnvme.ld

@@ -6,6 +6,7 @@ LIBNVME_3 {
 		nvme_close;
 		nvme_create_ctrl;
 		nvme_create_global_ctx;
+		nvme_create_raw_secret;
 		nvme_ctrl_first_ns;
 		nvme_ctrl_first_path;
 		nvme_ctrl_get_config;

libnvme/src/nvme/linux.c

@@ -19,6 +19,9 @@
 
 #include <sys/ioctl.h>
 #include <sys/param.h>
+#if HAVE_SYS_RANDOM
+#include <sys/random.h>
+#endif
 #include <sys/stat.h>
 
 #ifndef _GNU_SOURCE
@@ -979,6 +982,76 @@ __public int nvme_set_keyring(struct nvme_global_ctx *ctx, long key_id)
 	return 0;
 }
 
+static ssize_t getrandom_bytes(void *buf, size_t buflen)
+{
+	ssize_t result;
+#if HAVE_SYS_RANDOM
+	result = getrandom(buf, buflen, GRND_NONBLOCK);
+#else
+	_cleanup_fd_ int fd = -1;
+
+	fd = open("/dev/urandom", O_RDONLY);
+	if (fd < 0)
+		return -errno;
+	result = read(fd, buf, buflen);
+#endif
+	if (result < 0)
+		return -errno;
+	return result;
+}
+
+__public int nvme_create_raw_secret(struct nvme_global_ctx *ctx,
+		const char *secret, size_t key_len, unsigned char **raw_secret)
+{
+	_cleanup_free_ unsigned char *buf = NULL;
+	int err;
+
+	if (key_len != 32 && key_len != 48 && key_len != 64) {
+		nvme_msg(ctx, LOG_ERR, "Invalid key length %ld", key_len);
+		return -EINVAL;
+	}
+
+	buf = malloc(key_len);
+	if (!buf)
+		return -ENOMEM;
+
+	if (!secret) {
+		err = getrandom_bytes(buf, key_len);
+		if (err < 0)
+			return err;
+
+		*raw_secret = buf;
+		buf = NULL;
+		return 0;
+	} else {
+		int secret_len = 0, i;
+		unsigned int c;
+
+		for (i = 0; i < strlen(secret); i += 2) {
+			if (sscanf(&secret[i], "%02x", &c) != 1) {
+				nvme_msg(ctx, LOG_ERR,
+					"Invalid secret '%s'", secret);
+				return -EINVAL;
+			}
+			if (i >= key_len * 2) {
+				nvme_msg(ctx, LOG_ERR,
+					"Skipping excess secret bytes\n");
+				break;
+			}
+			buf[secret_len++] = (unsigned char)c;
+		}
+		if (secret_len != key_len) {
+			nvme_msg(ctx, LOG_ERR,
+				"Invalid key length (%d bytes)", secret_len);
+			return -EINVAL;
+		}
+	}
+
+	*raw_secret = buf;
+	buf = NULL;
+	return 0;
+}
+
 __public int nvme_read_key(struct nvme_global_ctx *ctx, long keyring_id,
 		long key_id, int *len, unsigned char **key)
 {

libnvme/src/nvme/linux.h

@@ -103,6 +103,24 @@ int nvme_lookup_key(struct nvme_global_ctx *ctx, const char *type,
  */
 int nvme_set_keyring(struct nvme_global_ctx *ctx, long keyring_id);
 
+/**
+ * nvme_create_raw_secret - Generate a raw secret buffer from input data
+ * @ctx:		struct nvme_global_ctx object
+ * @secret:		Input secret data
+ * @key_len:		The length of the raw_secret in bytes
+ * @raw_secret:		Return buffer with the generated raw secret
+ *
+ * Transforms the provided @secret into a raw secret buffer suitable for
+ * use with NVMe key management operations.
+ *
+ * The generated raw secret can subsequently be passed to nvme_read_key()
+ * or nvme_update_key().
+ *
+ * Return: 0 on success, or a negative error code on failure.
+ */
+int nvme_create_raw_secret(struct nvme_global_ctx *ctx,
+		const char *secret, size_t key_len, unsigned char **raw_secret);
+
 /**
  * nvme_read_key() - Read key raw data
  * @ctx:		struct nvme_global_ctx object

nvme.c

@@ -46,9 +46,6 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
-#if HAVE_SYS_RANDOM
-	#include <sys/random.h>
-#endif
 
 #include <libnvme.h>
 
@@ -311,24 +308,6 @@ static OPT_VALS(feature_name) = {
 	VAL_END()
 };
 
-static ssize_t getrandom_bytes(void *buf, size_t buflen)
-{
-	ssize_t result;
-#if HAVE_SYS_RANDOM
-	result = getrandom(buf, buflen, GRND_NONBLOCK);
-#else
-	_cleanup_fd_ int fd = -1;
-
-	fd = open("/dev/urandom", O_RDONLY);
-	if (fd < 0)
-		return -errno;
-	result = read(fd, buf, buflen);
-#endif
-	if (result < 0)
-		return -errno;
-	return result;
-}
-
 static int check_arg_dev(int argc, char **argv)
 {
 	if (optind >= argc) {
@@ -9554,7 +9533,6 @@ static int show_hostnqn_cmd(int argc, char **argv, struct command *acmd, struct
 	return 0;
 }
 
-
 static int gen_dhchap_key(int argc, char **argv, struct command *acmd, struct plugin *plugin)
 {
 	const char *desc =
@@ -9641,32 +9619,9 @@ static int gen_dhchap_key(int argc, char **argv, struct command *acmd, struct pl
 		cfg.key_len = 32;
 	}
 
-	if (cfg.key_len != 32 && cfg.key_len != 48 && cfg.key_len != 64) {
-		nvme_show_error("Invalid key length %u", cfg.key_len);
-		return -EINVAL;
-	}
-	raw_secret = malloc(cfg.key_len);
-	if (!raw_secret)
-		return -ENOMEM;
-	if (!cfg.secret) {
-		if (getrandom_bytes(raw_secret, cfg.key_len) < 0)
-			return -errno;
-	} else {
-		int secret_len = 0, i;
-		unsigned int c;
-
-		for (i = 0; i < strlen(cfg.secret); i += 2) {
-			if (sscanf(&cfg.secret[i], "%02x", &c) != 1) {
-				nvme_show_error("Invalid secret '%s'", cfg.secret);
-				return -EINVAL;
-			}
-			raw_secret[secret_len++] = (unsigned char)c;
-		}
-		if (secret_len != cfg.key_len) {
-			nvme_show_error("Invalid key length (%d bytes)", secret_len);
-			return -EINVAL;
-		}
-	}
+	err = nvme_create_raw_secret(ctx, cfg.secret, cfg.key_len, &raw_secret);
+	if (err)
+		return err;
 
 	if (!cfg.nqn) {
 		cfg.nqn = hnqn = nvme_read_hostnqn();
@@ -9854,6 +9809,7 @@ static int append_keyfile(struct nvme_global_ctx *ctx, const char *keyring,
 	return err;
 }
 
+
 static int gen_tls_key(int argc, char **argv, struct command *acmd, struct plugin *plugin)
 {
 	const char *desc = "Generate a TLS key in NVMe PSK Interchange format.";
@@ -9943,38 +9899,16 @@ static int gen_tls_key(int argc, char **argv, struct command *acmd, struct plugi
 	if (cfg.hmac == 2)
 		key_len = 48;
 
+
 	ctx = nvme_create_global_ctx(stderr, log_level);
 	if (!ctx) {
 		nvme_show_error("Failed to create global context");
 		return -ENOMEM;
 	}
 
-	raw_secret = malloc(key_len + 4);
-	if (!raw_secret)
-		return -ENOMEM;
-	if (!cfg.secret) {
-		if (getrandom_bytes(raw_secret, key_len) < 0)
-			return -errno;
-	} else {
-		int secret_len = 0, i;
-		unsigned int c;
-
-		for (i = 0; i < strlen(cfg.secret); i += 2) {
-			if (sscanf(&cfg.secret[i], "%02x", &c) != 1) {
-				nvme_show_error("Invalid secret '%s'", cfg.secret);
-				return -EINVAL;
-			}
-			if (i >= key_len * 2) {
-				fprintf(stderr, "Skipping excess secret bytes\n");
-				break;
-			}
-			raw_secret[secret_len++] = (unsigned char)c;
-		}
-		if (secret_len != key_len) {
-			nvme_show_error("Invalid key length (%d bytes)", secret_len);
-			return -EINVAL;
-		}
-	}
+	err = nvme_create_raw_secret(ctx, cfg.secret, key_len, &raw_secret);
+	if (err)
+		return err;
 
 	err = nvme_export_tls_key(ctx, raw_secret, key_len, &encoded_key);
 	if (err) {