Adding patch from upstream to handle unavailable keyring gracefully (Closes: #1087516).
Signed-off-by: Daniel Baumann <daniel@debian.org>
parent
7327d42aca
commit
cdb74aaa8c
2 changed files with 140 additions and 0 deletions
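--- a/debian/patches/0001-graceful-keyring.patch
+++ b/debian/patches/0001-graceful-keyring.patch
@@ -0,0 +1,139 @@
+From c195e3b09198f4a1f266f57da30f88a8c9f8062c Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@kernel.org>
+Date: Fri, 15 Nov 2024 15:58:30 +0100
+Subject: [PATCH 1/2] linux: do not do any keyring ops when no key is provided
+
+There is no point in accessing the keyring if we don't have to load a
+key into the kernel.
+
+Signed-off-by: Daniel Wagner <wagi@kernel.org>
+---
+src/nvme/linux.c | 29 ++++++++++++++++++-----------
+1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/src/nvme/linux.c b/src/nvme/linux.c
+index 53c0573c..a9ba58b3 100644
+--- a/src/nvme/linux.c
++++ b/src/nvme/linux.c
+@@ -1517,9 +1517,9 @@ long nvme_revoke_tls_key(const char *keyring, const char *key_type,
+return keyctl_revoke(key);
+}
+
+-static int __nvme_insert_tls_key(long keyring_id,
+- const char *hostnqn, const char *subsysnqn,
+- const char *identity, const char *key)
++static long __nvme_insert_tls_key(long keyring_id,
++ const char *hostnqn, const char *subsysnqn,
++ const char *identity, const char *key)
+{
+_cleanup_free_ unsigned char *key_data = NULL;
+unsigned char version;
+@@ -1554,7 +1554,7 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+const char *hostnqn = nvme_host_get_hostnqn(h);
+const char *subsysnqn = nvme_ctrl_get_subsysnqn(c);
+const char *keyring, *key, *identity;
+- long kr_id, id = 0;
++ long kr_id = 0, id = 0;
+
+if (!hostnqn || !subsysnqn) {
+nvme_msg(h->r, LOG_ERR, "Invalid NQNs (%s, %s)\n",
+@@ -1562,10 +1562,17 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+return -EINVAL;
+}
+
++ /* If we don't have a key avoid all keyring operations */
++ key = nvme_ctrl_get_tls_key(c);
++ if (!key)
++ goto out;
++
+keyring = nvme_ctrl_get_keyring(c);
+- if (keyring)
++ if (keyring) {
+kr_id = nvme_lookup_keyring(keyring);
+- else
++ if (kr_id == 0)
++ return -errno;
++ } else
+kr_id = c->cfg.keyring;
+
+/*
+@@ -1573,18 +1580,17 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+* keyring to connect command line and to the JSON config output.
+* That means we are explicitly selecting the keyring.
+*/
+- if (!kr_id)
++ if (!kr_id) {
+kr_id = nvme_lookup_keyring(".nvme");
++ if (kr_id == 0)
++ return -errno;
++ }
+
+if (nvme_set_keyring(kr_id) < 0) {
+nvme_msg(h->r, LOG_ERR, "Failed to set keyring\n");
+return -errno;
+}
+
+- key = nvme_ctrl_get_tls_key(c);
+- if (!key)
+- return 0;
+-
+identity = nvme_ctrl_get_tls_key_identity(c);
+if (identity)
+id = nvme_lookup_key("psk", identity);
+@@ -1599,6 +1605,7 @@ int __nvme_import_keys_from_config(nvme_host_t h, nvme_ctrl_t c,
+return -errno;
+}
+
++out:
+*keyring_id = kr_id;
+*key_id = id;
+
+
+From 847ca6b6f7f8a04377da7183d663229e8b51b65d Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@kernel.org>
+Date: Fri, 15 Nov 2024 16:05:05 +0100
+Subject: [PATCH 2/2] fabrics: do not attempt to import keys if tls is not
+enabled
+
+There is no point in trying to import a key if the TLS option
+is not enabled.
+
+Signed-off-by: Daniel Wagner <wagi@kernel.org>
+---
+src/nvme/fabrics.c | 22 ++++++++++++----------
+1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c
+index 69acf04d..6aa62eea 100644
+--- a/src/nvme/fabrics.c
++++ b/src/nvme/fabrics.c
+@@ -627,17 +627,19 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
+
+ctrlkey = nvme_ctrl_get_dhchap_key(c);
+
+- ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id);
+- if (ret) {
+- errno = -ret;
+- return -1;
+- }
++ if (cfg->tls) {
++ ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id);
++ if (ret) {
++ errno = -ret;
++ return -1;
++ }
+
+- if (key_id == 0) {
+- if (cfg->tls_configured_key)
+- key_id = cfg->tls_configured_key;
+- else
+- key_id = cfg->tls_key;
++ if (key_id == 0) {
++ if (cfg->tls_configured_key)
++ key_id = cfg->tls_configured_key;
++ else
++ key_id = cfg->tls_key;
++ }
+}
+
+if (add_argument(r, argstr, transport, transport) ||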
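Review bot: The two new `if (kr_id == 0) return -errno;` checks after `nvme_lookup_keyring()` (in the `@@ -1562` hunk of the embedded linux.c patch and again in the `@@ -1573` hunk) return silently, whereas the neighbouring `nvme_set_keyring()` failure a few lines later logs `Failed to set keyring` before returning `-errno`, so a user whose keyring is absent gets no diagnostic from this path. I would log before bailing out, e.g. `nvme_msg(h->r, LOG_ERR, "Failed to lookup keyring %s\n", keyring);` for the first check and the same with `".nvme"` for the second, mirroring the existing message. Both checks also assume `nvme_lookup_keyring()` sets `errno` whenever it returns 0; if it can return 0 without doing so, the function would report a stale or zero error, which is worth confirming in its definition outside this patch. Note too that with the early `goto out` the caller now receives `*keyring_id == 0` whenever no TLS key string is configured, where previously the resolved keyring id was still reported; if the `tls_configured_key` path in fabrics.c forwards `keyring_id` to the connect arguments, that is a behaviour change to verify. `__nvme_import_keys_from_config` begins and ends outside the hunks.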
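--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-graceful-keyring.patch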