tlshd: Add handshake tags to the DONE command

chucklever · chucklever · commit 2d33d8434210 · 2025-10-06T16:20:55.000-04:00
The tag list is returned to the kernel as part of a successful
handshake response (the DONE netlink command). The kernel TLS
consumer may use those tags for further authorization checking.

Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
diff --git a/src/tlshd/netlink.c b/src/tlshd/netlink.c
@@ -574,6 +574,25 @@ static int tlshd_genl_put_remote_peerids(struct nl_msg *msg,
 	return 0;
 }
 
+static int tlshd_genl_put_tag(const char *name,
+			      __attribute__ ((unused)) void *data)
+{
+	struct nl_msg *msg = data;
+	int err;
+
+	err = nla_put_string(msg, HANDSHAKE_A_DONE_TAG, name);
+	if (err < 0) {
+		tlshd_log_nl_error("nla_put tag", err);
+		return -1;
+	}
+	return 0;
+}
+
+static int tlshd_genl_put_tag_list(struct nl_msg *msg)
+{
+	return tlshd_tags_for_each_matched(tlshd_genl_put_tag, (void *)msg);
+}
+
 /**
  * @brief Indicate handshake has completed successfully
  * @param[in]     parms  Buffer filled in with parameters
@@ -630,6 +649,12 @@ void tlshd_genl_done(struct tlshd_handshake_parms *parms)
 	if (err < 0)
 		goto out_free;
 
+	err = tlshd_genl_put_tag_list(msg);
+	if (err < 0) {
+		tlshd_log_nl_error("nla_put tag list", err);
+		goto out_free;
+	}
+
 sendit:
 	if (tlshd_delay_done) {
 		/* Undocumented tlshd.conf parameter:
diff --git a/src/tlshd/tags.c b/src/tlshd/tags.c
@@ -2012,4 +2012,37 @@ void tlshd_tags_config_shutdown(void)
 	tlshd_tags_name_destroy();
 }
 
+
 ///@}
+
+/**
+ * @brief Invoke "cb" for each global tag marked as a match
+ * @param[in]     cb     Function to be called for each matched tag
+ * @param[in]     data   Context to be passed on each call to "cb"
+ *
+ * @returns zero if the callback returned only zeroes; otherwise, the
+ * first non-zero callback return stops the loop and returns that
+ * non-zero value.
+ */
+int tlshd_tags_for_each_matched(int (*cb)(const char *name, void *data),
+			        void *data)
+{
+	GHashTableIter iter;
+	gpointer key, value;
+
+	if (!tlshd_tags_tag_hash)
+		return 0;
+
+	g_hash_table_iter_init(&iter, tlshd_tags_tag_hash);
+	while (g_hash_table_iter_next(&iter, &key, &value)) {
+		struct tlshd_tags_tag *tag = (struct tlshd_tags_tag *)value;
+		int ret;
+
+		if (tag->ta_matched) {
+			ret = (cb)(tag->ta_name, data);
+			if (ret)
+				return ret;
+		}
+	}
+	return 0;
+}
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
@@ -138,6 +138,8 @@ extern void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms
 extern bool tlshd_tags_config_init(const char *tagsdir);
 extern void tlshd_tags_config_shutdown(void);
 extern void tlshd_tags_match_session(gnutls_session_t session);
+extern int tlshd_tags_for_each_matched(int (*cb)(const char *name, void *data),
+				       void *data);
 
 #ifdef HAVE_GNUTLS_QUIC
 #include "quic.h"
