]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blame - security/keys/request_key.c
projects / mirror_ubuntu-jammy-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
KEYS: user: Align the payload buffer
[mirror_ubuntu-jammy-kernel.git] / security / keys / request_key.c
CommitLineData
76181c13 1/* Request a key from userspace
1da177e4 2 *
76181c13 3 * Copyright (C) 2004-2007 Red Hat, Inc. All Rights Reserved.
1da177e4
LT		 4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
f1a9badc 10 *
3db38ed7 11 * See Documentation/security/keys/request-key.rst
1da177e4
LT		 12 */
13
876979c9 14#include <linux/export.h>
1da177e4
LT		 15#include <linux/sched.h>
16#include <linux/kmod.h>
17#include <linux/err.h>
3e30148c 18#include <linux/keyctl.h>
fdb89bce 19#include <linux/slab.h>
1da177e4 20#include "internal.h"
822ad64d 21#include <keys/request_key_auth-type.h>
1da177e4 22
e9e349b0
DH		 23#define key_negative_timeout 60 /* default timeout on a negative key's existence */
24
973c9f4f
DH		 25/**
26 * complete_request_key - Complete the construction of a key.
822ad64d 27 * @auth_key: The authorisation key.
973c9f4f
DH		 28 * @error: The success or failute of the construction.
29 *
30 * Complete the attempt to construct a key. The key will be negated
31 * if an error is indicated. The authorisation key will be revoked
32 * unconditionally.
76181c13 33 */
822ad64d 34void complete_request_key(struct key *authkey, int error)
76181c13 35{
822ad64d
DH		 36 struct request_key_auth *rka = get_request_key_auth(authkey);
37 struct key *key = rka->target_key;
38
39 kenter("%d{%d},%d", authkey->serial, key->serial, error);
1da177e4 40
76181c13 41 if (error < 0)
822ad64d 42 key_negate_and_link(key, key_negative_timeout, NULL, authkey);
76181c13 43 else
822ad64d 44 key_revoke(authkey);
76181c13
DH		 45}
46EXPORT_SYMBOL(complete_request_key);
1da177e4 47
973c9f4f
DH		 48/*
49 * Initialise a usermode helper that is going to have a specific session
50 * keyring.
51 *
52 * This is called in context of freshly forked kthread before kernel_execve(),
53 * so we can simply install the desired session_keyring at this point.
54 */
87966996 55static int umh_keys_init(struct subprocess_info *info, struct cred *cred)
685bfd2c 56{
685bfd2c 57 struct key *keyring = info->data;
973c9f4f 58
685bfd2c
ON		 59 return install_session_keyring_to_cred(cred, keyring);
60}
61
973c9f4f
DH		 62/*
63 * Clean up a usermode helper with session keyring.
64 */
685bfd2c
ON		 65static void umh_keys_cleanup(struct subprocess_info *info)
66{
67 struct key *keyring = info->data;
68 key_put(keyring);
69}
70
973c9f4f
DH		 71/*
72 * Call a usermode helper with a specific session keyring.
73 */
377e7a27 74static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
9d944ef3 75 struct key *session_keyring, int wait)
685bfd2c 76{
93997f6d
LDM		 77 struct subprocess_info *info;
78
79 info = call_usermodehelper_setup(path, argv, envp, GFP_KERNEL,
80 umh_keys_init, umh_keys_cleanup,
81 session_keyring);
82 if (!info)
83 return -ENOMEM;
84
85 key_get(session_keyring);
86 return call_usermodehelper_exec(info, wait);
685bfd2c
ON		 87}
88
1da177e4 89/*
973c9f4f 90 * Request userspace finish the construction of a key
b5f545c8 91 * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
1da177e4 92 */
822ad64d 93static int call_sbin_request_key(struct key *authkey, void *aux)
1da177e4 94{
377e7a27 95 static char const request_key[] = "/sbin/request-key";
822ad64d 96 struct request_key_auth *rka = get_request_key_auth(authkey);
86a264ab 97 const struct cred *cred = current_cred();
1da177e4 98 key_serial_t prkey, sskey;
822ad64d 99 struct key *key = rka->target_key, *keyring, *session;
b5f545c8 100 char *argv[9], *envp[3], uid_str[12], gid_str[12];
1da177e4 101 char key_str[12], keyring_str[3][12];
b5f545c8 102 char desc[20];
3e30148c
DH		 103 int ret, i;
104
822ad64d 105 kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op);
3e30148c 106
8bbf4976
DH		 107 ret = install_user_keyrings();
108 if (ret < 0)
109 goto error_alloc;
110
b5f545c8
DH		 111 /* allocate a new session keyring */
112 sprintf(desc, "_req.%u", key->serial);
113
d84f4f99
DH		 114 cred = get_current_cred();
115 keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
96b5c8fe 116 KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
5ac7eace 117 KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
d84f4f99 118 put_cred(cred);
b5f545c8
DH		 119 if (IS_ERR(keyring)) {
120 ret = PTR_ERR(keyring);
121 goto error_alloc;
3e30148c 122 }
1da177e4 123
b5f545c8 124 /* attach the auth key to the session keyring */
896903c2 125 ret = key_link(keyring, authkey);
b5f545c8
DH		 126 if (ret < 0)
127 goto error_link;
128
1da177e4 129 /* record the UID and GID */
9a56c2db
EB		 130 sprintf(uid_str, "%d", from_kuid(&init_user_ns, cred->fsuid));
131 sprintf(gid_str, "%d", from_kgid(&init_user_ns, cred->fsgid));
1da177e4
LT		 132
133 /* we say which key is under construction */
134 sprintf(key_str, "%d", key->serial);
135
136 /* we specify the process's default keyrings */
137 sprintf(keyring_str[0], "%d",
d84f4f99 138 cred->thread_keyring ? cred->thread_keyring->serial : 0);
1da177e4
LT		 139
140 prkey = 0;
3a50597d
DH		 141 if (cred->process_keyring)
142 prkey = cred->process_keyring->serial;
5ad18a0d 143 sprintf(keyring_str[1], "%d", prkey);
1da177e4 144
93b4a44f 145 rcu_read_lock();
3a50597d 146 session = rcu_dereference(cred->session_keyring);
93b4a44f
DH		 147 if (!session)
148 session = cred->user->session_keyring;
149 sskey = session->serial;
150 rcu_read_unlock();
1da177e4 151
1da177e4
LT		 152 sprintf(keyring_str[2], "%d", sskey);
153
154 /* set up a minimal environment */
155 i = 0;
156 envp[i++] = "HOME=/";
157 envp[i++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
158 envp[i] = NULL;
159
160 /* set up the argument list */
161 i = 0;
377e7a27 162 argv[i++] = (char *)request_key;
822ad64d 163 argv[i++] = (char *)rka->op;
1da177e4
LT		 164 argv[i++] = key_str;
165 argv[i++] = uid_str;
166 argv[i++] = gid_str;
167 argv[i++] = keyring_str[0];
168 argv[i++] = keyring_str[1];
169 argv[i++] = keyring_str[2];
1da177e4
LT		 170 argv[i] = NULL;
171
172 /* do it */
377e7a27 173 ret = call_usermodehelper_keys(request_key, argv, envp, keyring,
86313c48 174 UMH_WAIT_PROC);
76181c13
DH		 175 kdebug("usermode -> 0x%x", ret);
176 if (ret >= 0) {
177 /* ret is the exit/wait code */
178 if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags) ||
179 key_validate(key) < 0)
180 ret = -ENOKEY;
181 else
182 /* ignore any errors from userspace if the key was
183 * instantiated */
184 ret = 0;
185 }
3e30148c 186
b5f545c8
DH		 187error_link:
188 key_put(keyring);
3e30148c 189
b5f545c8 190error_alloc:
822ad64d 191 complete_request_key(authkey, ret);
d84f4f99 192 kleave(" = %d", ret);
3e30148c 193 return ret;
76181c13 194}
1da177e4 195
1da177e4 196/*
973c9f4f
DH		 197 * Call out to userspace for key construction.
198 *
199 * Program failure is ignored in favour of key status.
1da177e4 200 */
4a38e122 201static int construct_key(struct key *key, const void *callout_info,
8bbf4976
DH		 202 size_t callout_len, void *aux,
203 struct key *dest_keyring)
1da177e4 204{
b5f545c8 205 request_key_actor_t actor;
76181c13
DH		 206 struct key *authkey;
207 int ret;
1da177e4 208
4a38e122 209 kenter("%d,%p,%zu,%p", key->serial, callout_info, callout_len, aux);
3e30148c 210
b5f545c8 211 /* allocate an authorisation key */
822ad64d 212 authkey = request_key_auth_new(key, "create", callout_info, callout_len,
8bbf4976 213 dest_keyring);
822ad64d
DH		 214 if (IS_ERR(authkey))
215 return PTR_ERR(authkey);
76181c13 216
822ad64d
DH		 217 /* Make the call */
218 actor = call_sbin_request_key;
219 if (key->type->request_key)
220 actor = key->type->request_key;
76181c13 221
822ad64d 222 ret = actor(authkey, aux);
76181c13 223
822ad64d
DH		 224 /* check that the actor called complete_request_key() prior to
225 * returning an error */
226 WARN_ON(ret < 0 &&
227 !test_bit(KEY_FLAG_REVOKED, &authkey->flags));
1da177e4 228
822ad64d 229 key_put(authkey);
76181c13
DH		 230 kleave(" = %d", ret);
231 return ret;
232}
1da177e4 233
3e30148c 234/*
973c9f4f
DH		 235 * Get the appropriate destination keyring for the request.
236 *
237 * The keyring selected is returned with an extra reference upon it which the
238 * caller must release.
3e30148c 239 */
4dca6ea1 240static int construct_get_dest_keyring(struct key **_dest_keyring)
3e30148c 241{
8bbf4976 242 struct request_key_auth *rka;
bb952bb9 243 const struct cred *cred = current_cred();
8bbf4976 244 struct key *dest_keyring = *_dest_keyring, *authkey;
4dca6ea1 245 int ret;
3e30148c 246
8bbf4976 247 kenter("%p", dest_keyring);
3e30148c
DH		 248
249 /* find the appropriate keyring */
8bbf4976
DH		 250 if (dest_keyring) {
251 /* the caller supplied one */
252 key_get(dest_keyring);
253 } else {
4dca6ea1
EB		 254 bool do_perm_check = true;
255
8bbf4976
DH		 256 /* use a default keyring; falling through the cases until we
257 * find one that we actually have */
bb952bb9 258 switch (cred->jit_keyring) {
3e30148c 259 case KEY_REQKEY_DEFL_DEFAULT:
8bbf4976 260 case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
bb952bb9
DH		 261 if (cred->request_key_auth) {
262 authkey = cred->request_key_auth;
8bbf4976 263 down_read(&authkey->sem);
822ad64d 264 rka = get_request_key_auth(authkey);
8bbf4976
DH		 265 if (!test_bit(KEY_FLAG_REVOKED,
266 &authkey->flags))
267 dest_keyring =
268 key_get(rka->dest_keyring);
269 up_read(&authkey->sem);
4dca6ea1
EB		 270 if (dest_keyring) {
271 do_perm_check = false;
8bbf4976 272 break;
4dca6ea1 273 }
8bbf4976
DH		 274 }
275
3e30148c 276 case KEY_REQKEY_DEFL_THREAD_KEYRING:
bb952bb9 277 dest_keyring = key_get(cred->thread_keyring);
3e30148c
DH		 278 if (dest_keyring)
279 break;
280
281 case KEY_REQKEY_DEFL_PROCESS_KEYRING:
3a50597d 282 dest_keyring = key_get(cred->process_keyring);
3e30148c
DH		 283 if (dest_keyring)
284 break;
285
286 case KEY_REQKEY_DEFL_SESSION_KEYRING:
287 rcu_read_lock();
288 dest_keyring = key_get(
3a50597d 289 rcu_dereference(cred->session_keyring));
3e30148c 290 rcu_read_unlock();
3e30148c
DH		 291
292 if (dest_keyring)
293 break;
294
295 case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
b6dff3ec 296 dest_keyring =
bb952bb9 297 key_get(cred->user->session_keyring);
3e30148c
DH		 298 break;
299
300 case KEY_REQKEY_DEFL_USER_KEYRING:
bb952bb9 301 dest_keyring = key_get(cred->user->uid_keyring);
3e30148c
DH		 302 break;
303
304 case KEY_REQKEY_DEFL_GROUP_KEYRING:
305 default:
306 BUG();
307 }
4dca6ea1
EB		 308
309 /*
310 * Require Write permission on the keyring. This is essential
311 * because the default keyring may be the session keyring, and
312 * joining a keyring only requires Search permission.
313 *
314 * However, this check is skipped for the "requestor keyring" so
315 * that /sbin/request-key can itself use request_key() to add
316 * keys to the original requestor's destination keyring.
317 */
318 if (dest_keyring && do_perm_check) {
319 ret = key_permission(make_key_ref(dest_keyring, 1),
320 KEY_NEED_WRITE);
321 if (ret) {
322 key_put(dest_keyring);
323 return ret;
324 }
325 }
3e30148c
DH		 326 }
327
8bbf4976
DH		 328 *_dest_keyring = dest_keyring;
329 kleave(" [dk %d]", key_serial(dest_keyring));
4dca6ea1 330 return 0;
76181c13 331}
3e30148c 332
76181c13 333/*
973c9f4f
DH		 334 * Allocate a new key in under-construction state and attempt to link it in to
335 * the requested keyring.
336 *
337 * May return a key that's already under construction instead if there was a
338 * race between two thread calling request_key().
76181c13 339 */
4bdf0bc3 340static int construct_alloc_key(struct keyring_search_context *ctx,
76181c13
DH		 341 struct key *dest_keyring,
342 unsigned long flags,
343 struct key_user *user,
344 struct key **_key)
345{
b2a4df20 346 struct assoc_array_edit *edit;
76181c13 347 struct key *key;
96b5c8fe 348 key_perm_t perm;
76181c13 349 key_ref_t key_ref;
2b9e4688 350 int ret;
76181c13 351
4bdf0bc3
DH		 352 kenter("%s,%s,,,",
353 ctx->index_key.type->name, ctx->index_key.description);
76181c13 354
f70e2e06 355 *_key = NULL;
76181c13
DH		 356 mutex_lock(&user->cons_lock);
357
96b5c8fe
DH		 358 perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
359 perm |= KEY_USR_VIEW;
4bdf0bc3 360 if (ctx->index_key.type->read)
96b5c8fe 361 perm |= KEY_POS_READ;
4bdf0bc3
DH		 362 if (ctx->index_key.type == &key_type_keyring ||
363 ctx->index_key.type->update)
96b5c8fe
DH		 364 perm |= KEY_POS_WRITE;
365
4bdf0bc3
DH		 366 key = key_alloc(ctx->index_key.type, ctx->index_key.description,
367 ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
5ac7eace 368 perm, flags, NULL);
76181c13
DH		 369 if (IS_ERR(key))
370 goto alloc_failed;
371
372 set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
373
f70e2e06 374 if (dest_keyring) {
b2a4df20 375 ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit);
f70e2e06
DH		 376 if (ret < 0)
377 goto link_prealloc_failed;
378 }
76181c13
DH		 379
380 /* attach the key to the destination keyring under lock, but we do need
381 * to do another check just in case someone beat us to it whilst we
382 * waited for locks */
383 mutex_lock(&key_construction_mutex);
384
4bdf0bc3 385 key_ref = search_process_keyrings(ctx);
76181c13
DH		 386 if (!IS_ERR(key_ref))
387 goto key_already_present;
388
34574dd1 389 if (dest_keyring)
b2a4df20 390 __key_link(key, &edit);
76181c13
DH		 391
392 mutex_unlock(&key_construction_mutex);
34574dd1 393 if (dest_keyring)
b2a4df20 394 __key_link_end(dest_keyring, &ctx->index_key, edit);
76181c13
DH		 395 mutex_unlock(&user->cons_lock);
396 *_key = key;
397 kleave(" = 0 [%d]", key_serial(key));
398 return 0;
399
2b9e4688
DH		 400 /* the key is now present - we tell the caller that we found it by
401 * returning -EINPROGRESS */
76181c13 402key_already_present:
f70e2e06 403 key_put(key);
76181c13 404 mutex_unlock(&key_construction_mutex);
f70e2e06 405 key = key_ref_to_ptr(key_ref);
03449cd9 406 if (dest_keyring) {
f70e2e06
DH		 407 ret = __key_link_check_live_key(dest_keyring, key);
408 if (ret == 0)
b2a4df20
DH		 409 __key_link(key, &edit);
410 __key_link_end(dest_keyring, &ctx->index_key, edit);
f70e2e06
DH		 411 if (ret < 0)
412 goto link_check_failed;
03449cd9 413 }
76181c13 414 mutex_unlock(&user->cons_lock);
f70e2e06 415 *_key = key;
76181c13
DH		 416 kleave(" = -EINPROGRESS [%d]", key_serial(key));
417 return -EINPROGRESS;
418
f70e2e06
DH		 419link_check_failed:
420 mutex_unlock(&user->cons_lock);
421 key_put(key);
422 kleave(" = %d [linkcheck]", ret);
423 return ret;
424
425link_prealloc_failed:
f70e2e06 426 mutex_unlock(&user->cons_lock);
d0709f1e 427 key_put(key);
f70e2e06
DH		 428 kleave(" = %d [prelink]", ret);
429 return ret;
430
76181c13
DH		 431alloc_failed:
432 mutex_unlock(&user->cons_lock);
76181c13
DH		 433 kleave(" = %ld", PTR_ERR(key));
434 return PTR_ERR(key);
435}
436
437/*
973c9f4f 438 * Commence key construction.
76181c13 439 */
4bdf0bc3 440static struct key *construct_key_and_link(struct keyring_search_context *ctx,
76181c13 441 const char *callout_info,
4a38e122 442 size_t callout_len,
76181c13
DH		 443 void *aux,
444 struct key *dest_keyring,
445 unsigned long flags)
446{
447 struct key_user *user;
448 struct key *key;
449 int ret;
450
d84f4f99
DH		 451 kenter("");
452
911b79cd
DH		 453 if (ctx->index_key.type == &key_type_keyring)
454 return ERR_PTR(-EPERM);
965475ac 455
4dca6ea1
EB		 456 ret = construct_get_dest_keyring(&dest_keyring);
457 if (ret)
458 goto error;
76181c13 459
4dca6ea1
EB		 460 user = key_user_lookup(current_fsuid());
461 if (!user) {
462 ret = -ENOMEM;
463 goto error_put_dest_keyring;
464 }
8bbf4976 465
4bdf0bc3 466 ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
76181c13
DH		 467 key_user_put(user);
468
469 if (ret == 0) {
8bbf4976
DH		 470 ret = construct_key(key, callout_info, callout_len, aux,
471 dest_keyring);
d84f4f99
DH		 472 if (ret < 0) {
473 kdebug("cons failed");
76181c13 474 goto construction_failed;
d84f4f99 475 }
2b9e4688
DH		 476 } else if (ret == -EINPROGRESS) {
477 ret = 0;
478 } else {
4dca6ea1 479 goto error_put_dest_keyring;
76181c13
DH		 480 }
481
8bbf4976 482 key_put(dest_keyring);
d84f4f99 483 kleave(" = key %d", key_serial(key));
76181c13
DH		 484 return key;
485
486construction_failed:
487 key_negate_and_link(key, key_negative_timeout, NULL, NULL);
488 key_put(key);
4dca6ea1 489error_put_dest_keyring:
8bbf4976 490 key_put(dest_keyring);
4dca6ea1 491error:
d84f4f99 492 kleave(" = %d", ret);
76181c13
DH		 493 return ERR_PTR(ret);
494}
3e30148c 495
973c9f4f
DH		 496/**
497 * request_key_and_link - Request a key and cache it in a keyring.
498 * @type: The type of key we want.
499 * @description: The searchable description of the key.
500 * @callout_info: The data to pass to the instantiation upcall (or NULL).
501 * @callout_len: The length of callout_info.
502 * @aux: Auxiliary data for the upcall.
503 * @dest_keyring: Where to cache the key.
504 * @flags: Flags to key_alloc().
505 *
506 * A key matching the specified criteria is searched for in the process's
507 * keyrings and returned with its usage count incremented if found. Otherwise,
508 * if callout_info is not NULL, a key will be allocated and some service
509 * (probably in userspace) will be asked to instantiate it.
510 *
511 * If successfully found or created, the key will be linked to the destination
512 * keyring if one is provided.
513 *
514 * Returns a pointer to the key if successful; -EACCES, -ENOKEY, -EKEYREVOKED
515 * or -EKEYEXPIRED if an inaccessible, negative, revoked or expired key was
516 * found; -ENOKEY if no key was found and no @callout_info was given; -EDQUOT
517 * if insufficient key quota was available to create a new key; or -ENOMEM if
518 * insufficient memory was available.
519 *
520 * If the returned key was created, then it may still be under construction,
521 * and wait_for_key_construction() should be used to wait for that to complete.
1da177e4 522 */
3e30148c
DH		 523struct key *request_key_and_link(struct key_type *type,
524 const char *description,
4a38e122
DH		 525 const void *callout_info,
526 size_t callout_len,
4e54f085 527 void *aux,
7e047ef5
DH		 528 struct key *dest_keyring,
529 unsigned long flags)
1da177e4 530{
4bdf0bc3
DH		 531 struct keyring_search_context ctx = {
532 .index_key.type = type,
533 .index_key.description = description,
534 .cred = current_cred(),
c06cfb08 535 .match_data.cmp = key_default_cmp,
46291959
DH		 536 .match_data.raw_data = description,
537 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
0b0a8415
DH		 538 .flags = (KEYRING_SEARCH_DO_STATE_CHECK |
539 KEYRING_SEARCH_SKIP_EXPIRED),
4bdf0bc3 540 };
1da177e4 541 struct key *key;
664cceb0 542 key_ref_t key_ref;
2b9e4688 543 int ret;
1da177e4 544
4a38e122 545 kenter("%s,%s,%p,%zu,%p,%p,%lx",
4bdf0bc3
DH		 546 ctx.index_key.type->name, ctx.index_key.description,
547 callout_info, callout_len, aux, dest_keyring, flags);
3e30148c 548
46291959
DH		 549 if (type->match_preparse) {
550 ret = type->match_preparse(&ctx.match_data);
551 if (ret < 0) {
552 key = ERR_PTR(ret);
553 goto error;
554 }
555 }
556
1da177e4 557 /* search all the process keyrings for a key */
4bdf0bc3 558 key_ref = search_process_keyrings(&ctx);
1da177e4 559
664cceb0
DH		 560 if (!IS_ERR(key_ref)) {
561 key = key_ref_to_ptr(key_ref);
03449cd9 562 if (dest_keyring) {
2b9e4688 563 ret = key_link(dest_keyring, key);
2b9e4688
DH		 564 if (ret < 0) {
565 key_put(key);
566 key = ERR_PTR(ret);
46291959 567 goto error_free;
2b9e4688 568 }
03449cd9 569 }
76181c13 570 } else if (PTR_ERR(key_ref) != -EAGAIN) {
e231c2ee 571 key = ERR_CAST(key_ref);
76181c13 572 } else {
1da177e4
LT		 573 /* the search failed, but the keyrings were searchable, so we
574 * should consult userspace if we can */
575 key = ERR_PTR(-ENOKEY);
576 if (!callout_info)
46291959 577 goto error_free;
1da177e4 578
4bdf0bc3
DH		 579 key = construct_key_and_link(&ctx, callout_info, callout_len,
580 aux, dest_keyring, flags);
1da177e4
LT		 581 }
582
46291959
DH		 583error_free:
584 if (type->match_free)
585 type->match_free(&ctx.match_data);
3e30148c
DH		 586error:
587 kleave(" = %p", key);
1da177e4 588 return key;
76181c13 589}
1da177e4 590
973c9f4f
DH		 591/**
592 * wait_for_key_construction - Wait for construction of a key to complete
593 * @key: The key being waited for.
594 * @intr: Whether to wait interruptibly.
595 *
596 * Wait for a key to finish being constructed.
597 *
598 * Returns 0 if successful; -ERESTARTSYS if the wait was interrupted; -ENOKEY
599 * if the key was negated; or -EKEYREVOKED or -EKEYEXPIRED if the key was
600 * revoked or expired.
76181c13
DH		 601 */
602int wait_for_key_construction(struct key *key, bool intr)
603{
604 int ret;
3e30148c 605
76181c13 606 ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT,
76181c13 607 intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
74316201
N		 608 if (ret)
609 return -ERESTARTSYS;
363b02da
DH		 610 ret = key_read_state(key);
611 if (ret < 0)
612 return ret;
76181c13
DH		 613 return key_validate(key);
614}
615EXPORT_SYMBOL(wait_for_key_construction);
3e30148c 616
973c9f4f
DH		 617/**
618 * request_key - Request a key and wait for construction
619 * @type: Type of key.
620 * @description: The searchable description of the key.
621 * @callout_info: The data to pass to the instantiation upcall (or NULL).
622 *
623 * As for request_key_and_link() except that it does not add the returned key
624 * to a keyring if found, new keys are always allocated in the user's quota,
625 * the callout_info must be a NUL-terminated string and no auxiliary data can
626 * be passed.
627 *
628 * Furthermore, it then works as wait_for_key_construction() to wait for the
629 * completion of keys undergoing construction with a non-interruptible wait.
3e30148c
DH		 630 */
631struct key *request_key(struct key_type *type,
632 const char *description,
633 const char *callout_info)
634{
76181c13 635 struct key *key;
4a38e122 636 size_t callout_len = 0;
76181c13
DH		 637 int ret;
638
4a38e122
DH		 639 if (callout_info)
640 callout_len = strlen(callout_info);
641 key = request_key_and_link(type, description, callout_info, callout_len,
642 NULL, NULL, KEY_ALLOC_IN_QUOTA);
76181c13
DH		 643 if (!IS_ERR(key)) {
644 ret = wait_for_key_construction(key, false);
645 if (ret < 0) {
646 key_put(key);
647 return ERR_PTR(ret);
648 }
649 }
650 return key;
651}
1da177e4 652EXPORT_SYMBOL(request_key);
4e54f085 653
973c9f4f
DH		 654/**
655 * request_key_with_auxdata - Request a key with auxiliary data for the upcaller
656 * @type: The type of key we want.
657 * @description: The searchable description of the key.
658 * @callout_info: The data to pass to the instantiation upcall (or NULL).
659 * @callout_len: The length of callout_info.
660 * @aux: Auxiliary data for the upcall.
661 *
662 * As for request_key_and_link() except that it does not add the returned key
663 * to a keyring if found and new keys are always allocated in the user's quota.
664 *
665 * Furthermore, it then works as wait_for_key_construction() to wait for the
666 * completion of keys undergoing construction with a non-interruptible wait.
4e54f085
DH		 667 */
668struct key *request_key_with_auxdata(struct key_type *type,
669 const char *description,
4a38e122
DH		 670 const void *callout_info,
671 size_t callout_len,
4e54f085
DH		 672 void *aux)
673{
76181c13
DH		 674 struct key *key;
675 int ret;
676
4a38e122
DH		 677 key = request_key_and_link(type, description, callout_info, callout_len,
678 aux, NULL, KEY_ALLOC_IN_QUOTA);
76181c13
DH		 679 if (!IS_ERR(key)) {
680 ret = wait_for_key_construction(key, false);
681 if (ret < 0) {
682 key_put(key);
683 return ERR_PTR(ret);
684 }
685 }
686 return key;
687}
688EXPORT_SYMBOL(request_key_with_auxdata);
4e54f085 689
76181c13 690/*
973c9f4f
DH		 691 * request_key_async - Request a key (allow async construction)
692 * @type: Type of key.
693 * @description: The searchable description of the key.
694 * @callout_info: The data to pass to the instantiation upcall (or NULL).
695 * @callout_len: The length of callout_info.
696 *
697 * As for request_key_and_link() except that it does not add the returned key
698 * to a keyring if found, new keys are always allocated in the user's quota and
699 * no auxiliary data can be passed.
700 *
701 * The caller should call wait_for_key_construction() to wait for the
702 * completion of the returned key if it is still undergoing construction.
76181c13
DH		 703 */
704struct key *request_key_async(struct key_type *type,
705 const char *description,
4a38e122
DH		 706 const void *callout_info,
707 size_t callout_len)
76181c13 708{
4a38e122
DH		 709 return request_key_and_link(type, description, callout_info,
710 callout_len, NULL, NULL,
711 KEY_ALLOC_IN_QUOTA);
76181c13
DH		 712}
713EXPORT_SYMBOL(request_key_async);
4e54f085 714
76181c13
DH		 715/*
716 * request a key with auxiliary data for the upcaller (allow async construction)
973c9f4f
DH		 717 * @type: Type of key.
718 * @description: The searchable description of the key.
719 * @callout_info: The data to pass to the instantiation upcall (or NULL).
720 * @callout_len: The length of callout_info.
721 * @aux: Auxiliary data for the upcall.
722 *
723 * As for request_key_and_link() except that it does not add the returned key
724 * to a keyring if found and new keys are always allocated in the user's quota.
725 *
726 * The caller should call wait_for_key_construction() to wait for the
727 * completion of the returned key if it is still undergoing construction.
76181c13
DH		 728 */
729struct key *request_key_async_with_auxdata(struct key_type *type,
730 const char *description,
4a38e122
DH		 731 const void *callout_info,
732 size_t callout_len,
76181c13
DH		 733 void *aux)
734{
4a38e122
DH		 735 return request_key_and_link(type, description, callout_info,
736 callout_len, aux, NULL, KEY_ALLOC_IN_QUOTA);
76181c13
DH		 737}
738EXPORT_SYMBOL(request_key_async_with_auxdata);
Ubuntu Jammy Linux kernel mirror