From 43374e451fbcba59213700535772194090f03a18 Mon Sep 17 00:00:00 2001
From: Georges Oates_Larsen
Date: Tue, 26 Sep 2023 17:18:49 -0700
Subject: [PATCH] net: tls_credentials: sectag iterators

Add (internal) support for sectag iterating. Also officially marks negative sectag values as reserved for internal use. This will allow a prospective TLS credentials shell to iterate over all available credentials.

Signed-off-by: Georges Oates_Larsen
---
 include/zephyr/net/tls_credentials.h | 2 ++
 .../net/lib/tls_credentials/tls_credentials.c | 26 ++++++++++++++
 .../tls_credentials/tls_credentials_trusted.c | 35 +++++++++++++++++++
 subsys/net/lib/tls_credentials/tls_internal.h | 14 ++++++++
 4 files changed, 77 insertions(+)

diff --git a/include/zephyr/net/tls_credentials.h b/include/zephyr/net/tls_credentials.h
index 8436774ec65e6a0..77e2a2308527a1c 100644
--- a/include/zephyr/net/tls_credentials.h
+++ b/include/zephyr/net/tls_credentials.h
@@ -66,6 +66,8 @@ enum tls_credential_type {
  * - TLS_CREDENTIAL_PSK with TLS_CREDENTIAL_PSK_ID.
  * Such pairs of credentials must be assigned the same secure tag to be
  * correctly handled in the system.
+ *
+ * @note Negative values are reserved for internal use.
  */
 typedef int sec_tag_t;
 
diff --git a/subsys/net/lib/tls_credentials/tls_credentials.c b/subsys/net/lib/tls_credentials/tls_credentials.c
index b15397ed697db28..94f4d9c5cd5a90a 100644
--- a/subsys/net/lib/tls_credentials/tls_credentials.c
+++ b/subsys/net/lib/tls_credentials/tls_credentials.c
@@ -75,6 +75,32 @@ struct tls_credential *credential_next_get(sec_tag_t tag,
 return NULL;
 }
 
+sec_tag_t credential_next_tag_get(sec_tag_t iter)
+{
+ int i;
+ sec_tag_t lowest = TLS_SEC_TAG_NONE;
+
+ /* Scan all slots and find lowest sectag greater than iter */
+ for (i = 0; i < ARRAY_SIZE(credentials); i++) {
+ /* Skip empty slots. */
+ if (credentials[i].type == TLS_CREDENTIAL_NONE) {
+ continue;
+ }
+
+ /* Skip any slots containing sectags not greater than iter */
+ if (credentials[i].tag <= iter && iter != TLS_SEC_TAG_NONE) {
+ continue;
+ }
+
+ /* Find the lowest of such slots */
+ if (lowest == TLS_SEC_TAG_NONE || credentials[i].tag < lowest) {
+ lowest = credentials[i].tag;
+ }
+ }
+
+ return lowest;
+}
+
 int credential_digest(struct tls_credential *credential, void *dest, size_t *len)
 {
 return credential_digest_raw(credential, dest, len);
diff --git a/subsys/net/lib/tls_credentials/tls_credentials_trusted.c b/subsys/net/lib/tls_credentials/tls_credentials_trusted.c
index 99f53ebddb4b42a..0b77e52f558817c 100644
--- a/subsys/net/lib/tls_credentials/tls_credentials_trusted.c
+++ b/subsys/net/lib/tls_credentials/tls_credentials_trusted.c
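Review bot: credential_next_tag_get reads the shared `credentials` table without taking the lock that tls_internal.h declares as `credentials_lock()`, and nothing in the new prototype comment says whether the caller must hold it; the same applies to the `credentials_toc` scan added in tls_credentials_trusted.c. If, as presumably for the neighbouring credential_next_get (its body is outside this hunk), the caller is expected to hold the lock across the whole iteration, the header comment should say so. Separately, `TLS_SEC_TAG_NONE` serves both as the "start" argument and as the "unset" marker for `lowest`, so a stored tag equal to -1 would be reported as end-of-iteration and hide every later tag; unless tls_credential_add already rejects negative tags (not visible here), a guard such as `if (credentials[i].tag < 0) { continue; }` next to the empty-slot check would make the reserved-range note in tls_credentials.h enforceable rather than advisory. Finally, `int i` is compared against `ARRAY_SIZE(credentials)`, which is unsigned; `size_t i;` avoids the sign-compare warning and matches the `unsigned int slot` used in the trusted variant.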
@@ -263,6 +263,41 @@ struct tls_credential *credential_next_get(sec_tag_t tag,
 return NULL;
 }
 
+sec_tag_t credential_next_tag_get(sec_tag_t iter)
+{
+ unsigned int slot;
+ psa_storage_uid_t uid;
+ sec_tag_t lowest_candidate = TLS_SEC_TAG_NONE;
+ sec_tag_t candidate;
+
+ /* Scan all slots and find lowest sectag greater than iter */
+ for (slot = 0; slot < CRED_MAX_SLOTS; slot++) {
+ uid = credentials_toc[slot];
+
+ /* Skip empty slots. */
+ if (uid == 0) {
+ continue;
+ }
+ if (tls_credential_uid_to_type(uid) == TLS_CREDENTIAL_NONE) {
+ continue;
+ }
+
+ candidate = tls_credential_uid_to_tag(uid);
+
+ /* Skip any slots containing sectags not greater than iter */
+ if (candidate <= iter && iter != TLS_SEC_TAG_NONE) {
+ continue;
+ }
+
+ /* Find the lowest of such slots */
+ if (lowest_candidate == TLS_SEC_TAG_NONE || candidate < lowest_candidate) {
+ lowest_candidate = candidate;
+ }
+ }
+
+ return lowest_candidate;
+}
+
 int credential_digest(struct tls_credential *credential, void *dest, size_t *len)
 {
 return credential_digest_raw(credential, dest, len);
diff --git a/subsys/net/lib/tls_credentials/tls_internal.h b/subsys/net/lib/tls_credentials/tls_internal.h
index e92584d0c858119..e7cfc0a1c0b8f2a 100644
--- a/subsys/net/lib/tls_credentials/tls_internal.h
+++ b/subsys/net/lib/tls_credentials/tls_internal.h
@@ -28,6 +28,11 @@ struct tls_credential {
 size_t len;
 };
 
+/*
+ * Special sec_tag value indicating none or invalid sec_tag. For internal use only for now.
+ */
+#define TLS_SEC_TAG_NONE -1
+
 /* Lock TLS credential access. */
 void credentials_lock(void);
 
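Review bot: The `/* Skip empty slots. */` comment in the trusted-storage credential_next_tag_get covers only the `uid == 0` test, while the following `tls_credential_uid_to_type(uid) == TLS_CREDENTIAL_NONE` check, which is the one that actually decides whether a TOC entry counts as a credential, is left unexplained. Folding the two into one guard, `if (uid == 0 || tls_credential_uid_to_type(uid) == TLS_CREDENTIAL_NONE) { continue; }`, under a comment such as `/* Skip empty or untyped slots. */`, documents both conditions and keeps this loop parallel to the plain-storage variant, which has a single empty-slot guard. Whether `tls_credential_uid_to_tag()` can yield a negative tag for a valid TOC entry is not visible from this hunk; if it can, the `lowest_candidate == TLS_SEC_TAG_NONE` test cannot distinguish "unset" from a stored tag of -1.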
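Review bot: `#define TLS_SEC_TAG_NONE -1` is an unparenthesised, untyped replacement list, so the sentinel is a plain `int` rather than the `sec_tag_t` it is compared against in both credential_next_tag_get implementations. Writing it as `#define TLS_SEC_TAG_NONE ((sec_tag_t)-1)` follows the usual macro hygiene and ties the sentinel to the tag type; if `sec_tag_t` ever changes, the comparison semantics follow automatically. The comment could also say explicitly that no stored credential may carry this value, since the iterator uses it as its terminator and would stop early otherwise.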
@@ -50,6 +55,15 @@ struct tls_credential *credential_get(sec_tag_t tag,
 struct tls_credential *credential_next_get(sec_tag_t tag,
 struct tls_credential *iter);
 
+/* Function for iterating over occupied sec tags.
+ *
+ * Returns the next occupied sec tag after the one provided, or TLS_SEC_TAG_NONE if there are no
+ * more.
+ *
+ * Provide TLS_SEC_TAG_NONE to start from the first available sec tag.
+ */
+sec_tag_t credential_next_tag_get(sec_tag_t iter);
+
 /* Writes a (NULL-terminated, printable) string digest of the contents of the provided credential
  * to the provided destination buffer.
  *
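Review bot: The new comment on credential_next_tag_get leaves two things a caller needs unstated: whether `credentials_lock()`, declared earlier in this header, must be held for the duration of an enumeration, and that "next" means the numerically smallest occupied tag greater than `iter`, i.e. tags are visited in ascending numeric order regardless of slot order. Both implementations rescan every slot on each call, so a full enumeration costs O(slots²); that is fine for a small fixed table but worth stating so nobody puts it in a hot path. I would extend the block with `* Must be called with the credentials lock held; tags are returned in ascending numeric order.` and a line noting that, because TLS_SEC_TAG_NONE doubles as the terminator, callers must not rely on negative (internally reserved) tags being enumerated.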