tlshd: Add handshake tags to the DONE command

The tag list is returned to the kernel as part of a successful
handshake response (the DONE netlink command). The kernel TLS
consumer may use those tags for further authorization checking.

Signed-off-by: Chuck Lever <[email protected]>

Author: chucklever

src/tlshd/netlink.c

@@ -493,6 +493,25 @@ static int tlshd_genl_put_remote_peerids(struct nl_msg *msg,
 	return 0;
 }
 
+static int tlshd_genl_put_tag(const char *name,
+			      __attribute__ ((unused)) void *data)
+{
+	struct nl_msg *msg = data;
+	int err;
+
+	err = nla_put_string(msg, HANDSHAKE_A_DONE_TAG, name);
+	if (err < 0) {
+		tlshd_log_nl_error("nla_put tag", err);
+		return -1;
+	}
+	return 0;
+}
+
+static int tlshd_genl_put_tag_list(struct nl_msg *msg)
+{
+	return tlshd_tags_for_each_matched(tlshd_genl_put_tag, (void *)msg);
+}
+
 /**
  * tlshd_genl_done - Indicate handshake has completed successfully
  * @parms: buffer filled in with parameters
@@ -550,6 +569,12 @@ void tlshd_genl_done(struct tlshd_handshake_parms *parms)
 	if (err < 0)
 		goto out_free;
 
+	err = tlshd_genl_put_tag_list(msg);
+	if (err < 0) {
+		tlshd_log_nl_error("nla_put tag list", err);
+		goto out_free;
+	}
+
 sendit:
 	if (tlshd_delay_done) {
 		/* Undocumented tlshd.conf parameter:

src/tlshd/tags.c

@@ -1669,3 +1669,31 @@ void tlshd_tags_config_shutdown(void)
 	tlshd_tags_filter_type_hash_destroy();
 	tlshd_tags_name_destroy();
 }
+
+/**
+ * tlshd_tags_for_each_matched - Call @cb for each matched tag
+ * @cb: callback function
+ * @data: data to be passed to each callback
+ *
+ * Returns zero if the callback returned only zeroes. Otherwise, the
+ * first non-zero callback return stops the loop and returns that
+ * non-zero value.
+ */
+int tlshd_tags_for_each_matched(int (*cb)(const char *name, void *data),
+			        void *data)
+{
+	GHashTableIter iter;
+	gpointer key, value;
+
+	if (!tlshd_tags_tag_hash)
+		return 0;
+
+	g_hash_table_iter_init(&iter, tlshd_tags_tag_hash);
+	while (g_hash_table_iter_next(&iter, &key, &value)) {
+		struct tlshd_tags_tag *tag = (struct tlshd_tags_tag *)value;
+
+		if (tag->ta_matched)
+			(cb)(tag->ta_name, data);
+	}
+	return 0;
+}

src/tlshd/tlshd.h

@@ -123,6 +123,8 @@ extern void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms
 extern bool tlshd_tags_config_init(const char *tagsdir);
 extern void tlshd_tags_config_shutdown(void);
 extern void tlshd_tags_match_session(gnutls_session_t session);
+extern int tlshd_tags_for_each_matched(int (*cb)(const char *name, void *data),
+				       void *data);
 
 #ifdef HAVE_GNUTLS_QUIC
 #include <linux/quic.h>