net: tls_credentials: sectag iterators

Add (internal) support for sectag iterating. Also officially marks negative sectag values as reserved for internal use. This will allow a prospective TLS credentials shell to iterate over all available credentials. Signed-off-by: Georges Oates_Larsen <[email protected]>
zephyrproject-rtos · Oct 26, 2023 · cdf1410 · cdf1410
1 parent 5d4e9a0
commit cdf1410
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 0 deletions.
diff --git a/include/zephyr/net/tls_credentials.h b/include/zephyr/net/tls_credentials.h
@@ -66,6 +66,8 @@ enum tls_credential_type {
  *    - TLS_CREDENTIAL_PSK with TLS_CREDENTIAL_PSK_ID.
  *    Such pairs of credentials must be assigned the same secure tag to be
  *    correctly handled in the system.
+ *
+ * @note Negative values are reserved for internal use.
  */
 typedef int sec_tag_t;
 

diff --git a/subsys/net/lib/tls_credentials/tls_credentials.c b/subsys/net/lib/tls_credentials/tls_credentials.c
@@ -75,6 +75,32 @@ struct tls_credential *credential_next_get(sec_tag_t tag,
 	return NULL;
 }
 
+sec_tag_t credential_next_tag_get(sec_tag_t iter)
+{
+	int i;
+	sec_tag_t lowest = TLS_SEC_TAG_NONE;
+
+	/* Scan all slots and find lowest sectag greater than iter */
+	for (i = 0; i < ARRAY_SIZE(credentials); i++) {
+		/* Skip empty slots. */
+		if (credentials[i].type == TLS_CREDENTIAL_NONE) {
+			continue;
+		}
+
+		/* Skip any slots containing sectags not greater than iter */
+		if (credentials[i].tag <= iter && iter != TLS_SEC_TAG_NONE) {
+			continue;
+		}
+
+		/* Find the lowest of such slots */
+		if (lowest == TLS_SEC_TAG_NONE || credentials[i].tag < lowest) {
+			lowest = credentials[i].tag;
+		}
+	}
+
+	return lowest;
+}
+
 int credential_digest(struct tls_credential *credential, void *dest, size_t *len)
 {
 	return credential_digest_raw(credential, dest, len);

diff --git a/subsys/net/lib/tls_credentials/tls_credentials_trusted.c b/subsys/net/lib/tls_credentials/tls_credentials_trusted.c
@@ -263,6 +263,41 @@ struct tls_credential *credential_next_get(sec_tag_t tag,
 	return NULL;
 }
 
+sec_tag_t credential_next_tag_get(sec_tag_t iter)
+{
+	unsigned int slot;
+	psa_storage_uid_t uid;
+	sec_tag_t lowest_candidate = TLS_SEC_TAG_NONE;
+	sec_tag_t candidate;
+
+	/* Scan all slots and find lowest sectag greater than iter */
+	for (slot = 0; slot < CRED_MAX_SLOTS; slot++) {
+		uid = credentials_toc[slot];
+
+		/* Skip empty slots. */
+		if (uid == 0) {
+			continue;
+		}
+		if (tls_credential_uid_to_type(uid) == TLS_CREDENTIAL_NONE) {
+			continue;
+		}
+
+		candidate = tls_credential_uid_to_tag(uid);
+
+		/* Skip any slots containing sectags not greater than iter */
+		if (candidate <= iter && iter != TLS_SEC_TAG_NONE) {
+			continue;
+		}
+
+		/* Find the lowest of such slots */
+		if (lowest_candidate == TLS_SEC_TAG_NONE || candidate < lowest_candidate) {
+			lowest_candidate = candidate;
+		}
+	}
+
+	return lowest_candidate;
+}
+
 int credential_digest(struct tls_credential *credential, void *dest, size_t *len)
 {
 	return credential_digest_raw(credential, dest, len);

diff --git a/subsys/net/lib/tls_credentials/tls_internal.h b/subsys/net/lib/tls_credentials/tls_internal.h
@@ -28,6 +28,11 @@ struct tls_credential {
 	size_t len;
 };
 
+/*
+ * Special sec_tag value indicating none or invalid sec_tag. For internal use only for now.
+ */
+#define TLS_SEC_TAG_NONE -1
+
 /* Lock TLS credential access. */
 void credentials_lock(void);
 
@@ -50,6 +55,15 @@ struct tls_credential *credential_get(sec_tag_t tag,
 struct tls_credential *credential_next_get(sec_tag_t tag,
 					   struct tls_credential *iter);
 
+/* Function for iterating over occupied sec tags.
+ *
+ * Returns the next occupied sec tag after the one provided, or TLS_SEC_TAG_NONE if there are no
+ * more.
+ *
+ * Provide TLS_SEC_TAG_NONE to start from the first available sec tag.
+ */
+sec_tag_t credential_next_tag_get(sec_tag_t iter);
+
 /* Writes a (NULL-terminated, printable) string digest of the contents of the provided credential
  * to the provided destination buffer.
  *