tlshd: Add handshake tags to the DONE command

chucklever · chucklever · commit 62c594dc40a7 · 2025-08-06T13:42:12.000-04:00
The tag list is returned to the kernel as part of a successful
handshake response (the DONE netlink command). The kernel TLS
consumer may use those tags for further authorization checking.

Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
diff --git a/src/tlshd/netlink.c b/src/tlshd/netlink.c
@@ -493,6 +493,25 @@ static int tlshd_genl_put_remote_peerids(struct nl_msg *msg,
 	return 0;
 }
 
+static int tlshd_genl_put_tag(const char *name,
+			      __attribute__ ((unused)) void *data)
+{
+	struct nl_msg *msg = data;
+	int err;
+
+	err = nla_put_string(msg, HANDSHAKE_A_DONE_TAG, name);
+	if (err < 0) {
+		tlshd_log_nl_error("nla_put tag", err);
+		return -1;
+	}
+	return 0;
+}
+
+static int tlshd_genl_put_tag_list(struct nl_msg *msg)
+{
+	return tlshd_for_each_matched_tag(tlshd_genl_put_tag, (void *)msg);
+}
+
 /**
  * tlshd_genl_done - Indicate handshake has completed successfully
  * @parms: buffer filled in with parameters
@@ -550,6 +569,12 @@ void tlshd_genl_done(struct tlshd_handshake_parms *parms)
 	if (err < 0)
 		goto out_free;
 
+	err = tlshd_genl_put_tag_list(msg);
+	if (err < 0) {
+		tlshd_log_nl_error("nla_put tag list", err);
+		goto out_free;
+	}
+
 sendit:
 	if (tlshd_delay_done) {
 		/* Undocumented tlshd.conf parameter:
diff --git a/src/tlshd/tags.c b/src/tlshd/tags.c
@@ -1229,3 +1229,41 @@ void tlsdh_tags_x509_match_session(gnutls_session_t session)
 			    tlshd_tags_x509_match_cb, (gpointer)&peercert);
 	gnutls_x509_crt_deinit(peercert);
 }
+
+struct tlshd_tags_matched_args {
+	int		(*ma_cb)(const char *name, void *data);
+	void		*ma_data;
+};
+
+static void tlshd_tags_matched_cb(gpointer data, gpointer user_data)
+{
+	struct tlshd_tags_tag *tag = (struct tlshd_tags_tag *)data;
+	struct tlshd_tags_matched_args *args =
+		(struct tlshd_tags_matched_args *)user_data;
+
+	if (tag->ta_matched)
+		(args->ma_cb)(tag->ta_name, args->ma_data);
+}
+
+/**
+ * tlshd_for_each_matched_tag - Call @cb for all matched tags
+ * @cb: callback function
+ * @data: data to be passed to each callback
+ *
+ * Returns zero if the callback returned only zeroes. Otherwise, the
+ * first non-zero callback return stops the loop and returns that
+ * non-zero value.
+ */
+int tlshd_for_each_matched_tag(int (*cb)(const char *name, void *data),
+			       void *data)
+{
+	struct tlshd_tags_matched_args args = {
+		.ma_cb		= cb,
+		.ma_data	= data,
+	};
+
+	g_ptr_array_foreach(tlshd_tags_tag_all,
+			    tlshd_tags_matched_cb,
+			    (gpointer)&args);
+	return 0;
+}
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
@@ -122,6 +122,8 @@ extern void tlshd_quic_serverhello_handshake(struct tlshd_handshake_parms *parms
 /* tags.c */
 extern void tlshd_tags_read_configuration(const char *tagsdir);
 extern void tlsdh_tags_x509_match_session(gnutls_session_t session);
+extern int tlshd_for_each_matched_tag(int (*cb)(const char *name, void *data),
+				      void *data);
 extern void tlshd_tags_shutdown(void);
 
 #ifdef HAVE_GNUTLS_QUIC
