[net-next-2.6.git] / security / keys / request_key.c

/* request_key.c: request a key from userspace
 *
 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */

#include <linux/module.h>
#include <linux/sched.h>
#include <linux/kmod.h>
#include <linux/err.h>
#include <linux/keyctl.h>
#include "internal.h"

struct key_construction {
	struct list_head	link;	/* link in construction queue */
	struct key		*key;	/* key being constructed */
};

/* when waiting for someone else's keys, you get added to this */
DECLARE_WAIT_QUEUE_HEAD(request_key_conswq);

/*****************************************************************************/
/*
 * request userspace finish the construction of a key
 * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring> <info>"
 */
static int call_request_key(struct key *key,
			    const char *op,
			    const char *callout_info)
{
	struct task_struct *tsk = current;
	key_serial_t prkey, sskey;
	struct key *session_keyring, *rkakey;
	char *argv[10], *envp[3], uid_str[12], gid_str[12];
	char key_str[12], keyring_str[3][12];
	int ret, i;

	kenter("{%d},%s,%s", key->serial, op, callout_info);

	/* generate a new session keyring with an auth key in it */
	session_keyring = request_key_auth_new(key, &rkakey);
	if (IS_ERR(session_keyring)) {
		ret = PTR_ERR(session_keyring);
		goto error;
	}

	/* record the UID and GID */
	sprintf(uid_str, "%d", current->fsuid);
	sprintf(gid_str, "%d", current->fsgid);

	/* we say which key is under construction */
	sprintf(key_str, "%d", key->serial);

	/* we specify the process's default keyrings */
	sprintf(keyring_str[0], "%d",
		tsk->thread_keyring ? tsk->thread_keyring->serial : 0);

	prkey = 0;
	if (tsk->signal->process_keyring)
		prkey = tsk->signal->process_keyring->serial;

	sprintf(keyring_str[1], "%d", prkey);

	if (tsk->signal->session_keyring) {
		rcu_read_lock();
		sskey = rcu_dereference(tsk->signal->session_keyring)->serial;
		rcu_read_unlock();
	}
	else {
		sskey = tsk->user->session_keyring->serial;
	}

	sprintf(keyring_str[2], "%d", sskey);

	/* set up a minimal environment */
	i = 0;
	envp[i++] = "HOME=/";
	envp[i++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
	envp[i] = NULL;

	/* set up the argument list */
	i = 0;
	argv[i++] = "/sbin/request-key";
	argv[i++] = (char *) op;
	argv[i++] = key_str;
	argv[i++] = uid_str;
	argv[i++] = gid_str;
	argv[i++] = keyring_str[0];
	argv[i++] = keyring_str[1];
	argv[i++] = keyring_str[2];
	argv[i++] = (char *) callout_info;
	argv[i] = NULL;

	/* do it */
	ret = call_usermodehelper_keys(argv[0], argv, envp, session_keyring, 1);

	/* dispose of the special keys */
	key_revoke(rkakey);
	key_put(rkakey);
	key_put(session_keyring);

 error:
	kleave(" = %d", ret);
	return ret;

} /* end call_request_key() */

/*****************************************************************************/
/*
 * call out to userspace for the key
 * - called with the construction sem held, but the sem is dropped here
 * - we ignore program failure and go on key status instead
 */
static struct key *__request_key_construction(struct key_type *type,
					      const char *description,
					      const char *callout_info)
{
	struct key_construction cons;
	struct timespec now;
	struct key *key;
	int ret, negated;

	kenter("%s,%s,%s", type->name, description, callout_info);

	/* create a key and add it to the queue */
	key = key_alloc(type, description,
			current->fsuid, current->fsgid, KEY_POS_ALL, 0);
	if (IS_ERR(key))
		goto alloc_failed;

	set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);

	cons.key = key;
	list_add_tail(&cons.link, &key->user->consq);

	/* we drop the construction sem here on behalf of the caller */
	up_write(&key_construction_sem);

	/* make the call */
	ret = call_request_key(key, "create", callout_info);
	if (ret < 0)
		goto request_failed;

	/* if the key wasn't instantiated, then we want to give an error */
	ret = -ENOKEY;
	if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
		goto request_failed;

	down_write(&key_construction_sem);
	list_del(&cons.link);
	up_write(&key_construction_sem);

	/* also give an error if the key was negatively instantiated */
 check_not_negative:
	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
		key_put(key);
		key = ERR_PTR(-ENOKEY);
	}

 out:
	kleave(" = %p", key);
	return key;

 request_failed:
	/* it wasn't instantiated
	 * - remove from construction queue
	 * - mark the key as dead
	 */
	negated = 0;
	down_write(&key_construction_sem);

	list_del(&cons.link);

	/* check it didn't get instantiated between the check and the down */
	if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
		set_bit(KEY_FLAG_NEGATIVE, &key->flags);
		set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
		negated = 1;
	}

	clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);

	up_write(&key_construction_sem);

	if (!negated)
		goto check_not_negative; /* surprisingly, the key got
					  * instantiated */

	/* set the timeout and store in the session keyring if we can */
	now = current_kernel_time();
	key->expiry = now.tv_sec + key_negative_timeout;

	if (current->signal->session_keyring) {
		struct key *keyring;

		rcu_read_lock();
		keyring = rcu_dereference(current->signal->session_keyring);
		atomic_inc(&keyring->usage);
		rcu_read_unlock();

		key_link(keyring, key);
		key_put(keyring);
	}

	key_put(key);

	/* notify anyone who was waiting */
	wake_up_all(&request_key_conswq);

	key = ERR_PTR(ret);
	goto out;

 alloc_failed:
	up_write(&key_construction_sem);
	goto out;

} /* end __request_key_construction() */

/*****************************************************************************/
/*
 * call out to userspace to request the key
 * - we check the construction queue first to see if an appropriate key is
 *   already being constructed by userspace
 */
static struct key *request_key_construction(struct key_type *type,
					    const char *description,
					    struct key_user *user,
					    const char *callout_info)
{
	struct key_construction *pcons;
	struct key *key, *ckey;

	DECLARE_WAITQUEUE(myself, current);

	kenter("%s,%s,{%d},%s",
	       type->name, description, user->uid, callout_info);

	/* see if there's such a key under construction already */
	down_write(&key_construction_sem);

	list_for_each_entry(pcons, &user->consq, link) {
		ckey = pcons->key;

		if (ckey->type != type)
			continue;

		if (type->match(ckey, description))
			goto found_key_under_construction;
	}

	/* see about getting userspace to construct the key */
	key = __request_key_construction(type, description, callout_info);
 error:
	kleave(" = %p", key);
	return key;

	/* someone else has the same key under construction
	 * - we want to keep an eye on their key
	 */
 found_key_under_construction:
	atomic_inc(&ckey->usage);
	up_write(&key_construction_sem);

	/* wait for the key to be completed one way or another */
	add_wait_queue(&request_key_conswq, &myself);

	for (;;) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (!test_bit(KEY_FLAG_USER_CONSTRUCT, &ckey->flags))
			break;
		if (signal_pending(current))
			break;
		schedule();
	}

	set_current_state(TASK_RUNNING);
	remove_wait_queue(&request_key_conswq, &myself);

	/* we'll need to search this process's keyrings to see if the key is
	 * now there since we can't automatically assume it's also available
	 * there */
	key_put(ckey);
	ckey = NULL;

	key = NULL; /* request a retry */
	goto error;

} /* end request_key_construction() */

/*****************************************************************************/
/*
 * link a freshly minted key to an appropriate destination keyring
 */
static void request_key_link(struct key *key, struct key *dest_keyring)
{
	struct task_struct *tsk = current;
	struct key *drop = NULL;

	kenter("{%d},%p", key->serial, dest_keyring);

	/* find the appropriate keyring */
	if (!dest_keyring) {
		switch (tsk->jit_keyring) {
		case KEY_REQKEY_DEFL_DEFAULT:
		case KEY_REQKEY_DEFL_THREAD_KEYRING:
			dest_keyring = tsk->thread_keyring;
			if (dest_keyring)
				break;

		case KEY_REQKEY_DEFL_PROCESS_KEYRING:
			dest_keyring = tsk->signal->process_keyring;
			if (dest_keyring)
				break;

		case KEY_REQKEY_DEFL_SESSION_KEYRING:
			rcu_read_lock();
			dest_keyring = key_get(
				rcu_dereference(tsk->signal->session_keyring));
			rcu_read_unlock();
			drop = dest_keyring;

			if (dest_keyring)
				break;

		case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
			dest_keyring = current->user->session_keyring;
			break;

		case KEY_REQKEY_DEFL_USER_KEYRING:
			dest_keyring = current->user->uid_keyring;
			break;

		case KEY_REQKEY_DEFL_GROUP_KEYRING:
		default:
			BUG();
		}
	}

	/* and attach the key to it */
	key_link(dest_keyring, key);

	key_put(drop);

	kleave("");

} /* end request_key_link() */

/*****************************************************************************/
/*
 * request a key
 * - search the process's keyrings
 * - check the list of keys being created or updated
 * - call out to userspace for a key if supplementary info was provided
 * - cache the key in an appropriate keyring
 */
struct key *request_key_and_link(struct key_type *type,
				 const char *description,
				 const char *callout_info,
				 struct key *dest_keyring)
{
	struct key_user *user;
	struct key *key;
	key_ref_t key_ref;

	kenter("%s,%s,%s,%p",
	       type->name, description, callout_info, dest_keyring);

	/* search all the process keyrings for a key */
	key_ref = search_process_keyrings(type, description, type->match,
					  current);

	kdebug("search 1: %p", key_ref);

	if (!IS_ERR(key_ref)) {
		key = key_ref_to_ptr(key_ref);
	}
	else if (PTR_ERR(key_ref) != -EAGAIN) {
		key = ERR_PTR(PTR_ERR(key_ref));
	}
	else  {
		/* the search failed, but the keyrings were searchable, so we
		 * should consult userspace if we can */
		key = ERR_PTR(-ENOKEY);
		if (!callout_info)
			goto error;

		/* - get hold of the user's construction queue */
		user = key_user_lookup(current->fsuid);
		if (!user)
			goto nomem;

		for (;;) {
			if (signal_pending(current))
				goto interrupted;

			/* ask userspace (returns NULL if it waited on a key
			 * being constructed) */
			key = request_key_construction(type, description,
						       user, callout_info);
			if (key)
				break;

			/* someone else made the key we want, so we need to
			 * search again as it might now be available to us */
			key_ref = search_process_keyrings(type, description,
							  type->match,
							  current);

			kdebug("search 2: %p", key_ref);

			if (!IS_ERR(key_ref)) {
				key = key_ref_to_ptr(key_ref);
				break;
			}

			if (PTR_ERR(key_ref) != -EAGAIN) {
				key = ERR_PTR(PTR_ERR(key_ref));
				break;
			}
		}

		key_user_put(user);

		/* link the new key into the appropriate keyring */
		if (!IS_ERR(key))
			request_key_link(key, dest_keyring);
	}

error:
	kleave(" = %p", key);
	return key;

nomem:
	key = ERR_PTR(-ENOMEM);
	goto error;

interrupted:
	key_user_put(user);
	key = ERR_PTR(-EINTR);
	goto error;

} /* end request_key_and_link() */

/*****************************************************************************/
/*
 * request a key
 * - search the process's keyrings
 * - check the list of keys being created or updated
 * - call out to userspace for a key if supplementary info was provided
 */
struct key *request_key(struct key_type *type,
			const char *description,
			const char *callout_info)
{
	return request_key_and_link(type, description, callout_info, NULL);

} /* end request_key() */

EXPORT_SYMBOL(request_key);

/*****************************************************************************/
/*
 * validate a key
 */
int key_validate(struct key *key)
{
	struct timespec now;
	int ret = 0;

	if (key) {
		/* check it's still accessible */
		ret = -EKEYREVOKED;
		if (test_bit(KEY_FLAG_REVOKED, &key->flags) ||
		    test_bit(KEY_FLAG_DEAD, &key->flags))
			goto error;

		/* check it hasn't expired */
		ret = 0;
		if (key->expiry) {
			now = current_kernel_time();
			if (now.tv_sec >= key->expiry)
				ret = -EKEYEXPIRED;
		}
	}

 error:
	return ret;

} /* end key_validate() */

EXPORT_SYMBOL(key_validate);
Commit	Line	Data
1da177e4 LT	1	/* request_key.c: request a key from userspace
1da177e4 LT	2	*
3e30148c	3	* Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
1da177e4 LT	4	* Written by David Howells (dhowells@redhat.com)
	5	*
	6	* This program is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU General Public License
	8	* as published by the Free Software Foundation; either version
	9	* 2 of the License, or (at your option) any later version.
	10	*/
	11
	12	#include <linux/module.h>
	13	#include <linux/sched.h>
	14	#include <linux/kmod.h>
	15	#include <linux/err.h>
3e30148c	16	#include <linux/keyctl.h>
1da177e4 LT	17	#include "internal.h"
	18
	19	struct key_construction {
	20	struct list_head link; /* link in construction queue */
	21	struct key key; / key being constructed */
	22	};
	23
	24	/* when waiting for someone else's keys, you get added to this */
	25	DECLARE_WAIT_QUEUE_HEAD(request_key_conswq);
	26
	27	/*****************************************************************************/
	28	/*
	29	* request userspace finish the construction of a key
	30	* - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring> <info>"
1da177e4 LT	31	*/
	32	static int call_request_key(struct key *key,
	33	const char *op,
	34	const char *callout_info)
	35	{
	36	struct task_struct *tsk = current;
1da177e4	37	key_serial_t prkey, sskey;
3e30148c	38	struct key session_keyring, rkakey;
1da177e4 LT	39	char argv[10], envp[3], uid_str[12], gid_str[12];
1da177e4 LT	40	char key_str[12], keyring_str[3][12];
3e30148c DH	41	int ret, i;
	42
	43	kenter("{%d},%s,%s", key->serial, op, callout_info);
	44
	45	/* generate a new session keyring with an auth key in it */
	46	session_keyring = request_key_auth_new(key, &rkakey);
	47	if (IS_ERR(session_keyring)) {
	48	ret = PTR_ERR(session_keyring);
	49	goto error;
	50	}
1da177e4 LT	51
	52	/* record the UID and GID */
	53	sprintf(uid_str, "%d", current->fsuid);
	54	sprintf(gid_str, "%d", current->fsgid);
	55
	56	/* we say which key is under construction */
	57	sprintf(key_str, "%d", key->serial);
	58
	59	/* we specify the process's default keyrings */
	60	sprintf(keyring_str[0], "%d",
	61	tsk->thread_keyring ? tsk->thread_keyring->serial : 0);
	62
	63	prkey = 0;
	64	if (tsk->signal->process_keyring)
	65	prkey = tsk->signal->process_keyring->serial;
	66
3e30148c	67	sprintf(keyring_str[1], "%d", prkey);
1da177e4	68
3e30148c DH	69	if (tsk->signal->session_keyring) {
	70	rcu_read_lock();
	71	sskey = rcu_dereference(tsk->signal->session_keyring)->serial;
	72	rcu_read_unlock();
	73	}
	74	else {
1da177e4	75	sskey = tsk->user->session_keyring->serial;
3e30148c	76	}
1da177e4	77
1da177e4 LT	78	sprintf(keyring_str[2], "%d", sskey);
	79
	80	/* set up a minimal environment */
	81	i = 0;
	82	envp[i++] = "HOME=/";
	83	envp[i++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
	84	envp[i] = NULL;
	85
	86	/* set up the argument list */
	87	i = 0;
	88	argv[i++] = "/sbin/request-key";
	89	argv[i++] = (char *) op;
	90	argv[i++] = key_str;
	91	argv[i++] = uid_str;
	92	argv[i++] = gid_str;
	93	argv[i++] = keyring_str[0];
	94	argv[i++] = keyring_str[1];
	95	argv[i++] = keyring_str[2];
3e30148c	96	argv[i++] = (char *) callout_info;
1da177e4 LT	97	argv[i] = NULL;
	98
	99	/* do it */
3e30148c DH	100	ret = call_usermodehelper_keys(argv[0], argv, envp, session_keyring, 1);
	101
	102	/* dispose of the special keys */
	103	key_revoke(rkakey);
	104	key_put(rkakey);
	105	key_put(session_keyring);
	106
	107	error:
	108	kleave(" = %d", ret);
	109	return ret;
1da177e4 LT	110
	111	} /* end call_request_key() */
	112
	113	/*****************************************************************************/
	114	/*
	115	* call out to userspace for the key
	116	* - called with the construction sem held, but the sem is dropped here
	117	* - we ignore program failure and go on key status instead
	118	*/
	119	static struct key __request_key_construction(struct key_type type,
	120	const char *description,
	121	const char *callout_info)
	122	{
	123	struct key_construction cons;
	124	struct timespec now;
	125	struct key *key;
76d8aeab	126	int ret, negated;
1da177e4	127
3e30148c DH	128	kenter("%s,%s,%s", type->name, description, callout_info);
3e30148c DH	129
1da177e4 LT	130	/* create a key and add it to the queue */
1da177e4 LT	131	key = key_alloc(type, description,
664cceb0	132	current->fsuid, current->fsgid, KEY_POS_ALL, 0);
1da177e4 LT	133	if (IS_ERR(key))
	134	goto alloc_failed;
	135
76d8aeab	136	set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
1da177e4 LT	137
	138	cons.key = key;
	139	list_add_tail(&cons.link, &key->user->consq);
	140
	141	/* we drop the construction sem here on behalf of the caller */
	142	up_write(&key_construction_sem);
	143
	144	/* make the call */
	145	ret = call_request_key(key, "create", callout_info);
	146	if (ret < 0)
	147	goto request_failed;
	148
	149	/* if the key wasn't instantiated, then we want to give an error */
	150	ret = -ENOKEY;
76d8aeab	151	if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
1da177e4 LT	152	goto request_failed;
	153
	154	down_write(&key_construction_sem);
	155	list_del(&cons.link);
	156	up_write(&key_construction_sem);
	157
	158	/* also give an error if the key was negatively instantiated */
	159	check_not_negative:
76d8aeab	160	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
1da177e4 LT	161	key_put(key);
	162	key = ERR_PTR(-ENOKEY);
	163	}
	164
	165	out:
3e30148c	166	kleave(" = %p", key);
1da177e4 LT	167	return key;
	168
	169	request_failed:
	170	/* it wasn't instantiated
	171	* - remove from construction queue
	172	* - mark the key as dead
	173	*/
76d8aeab	174	negated = 0;
1da177e4 LT	175	down_write(&key_construction_sem);
	176
	177	list_del(&cons.link);
	178
1da177e4	179	/* check it didn't get instantiated between the check and the down */
76d8aeab DH	180	if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
	181	set_bit(KEY_FLAG_NEGATIVE, &key->flags);
	182	set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
	183	negated = 1;
1da177e4 LT	184	}
1da177e4 LT	185
76d8aeab DH	186	clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
76d8aeab DH	187
1da177e4 LT	188	up_write(&key_construction_sem);
1da177e4 LT	189
76d8aeab	190	if (!negated)
1da177e4 LT	191	goto check_not_negative; /* surprisingly, the key got
	192	* instantiated */
	193
	194	/* set the timeout and store in the session keyring if we can */
	195	now = current_kernel_time();
	196	key->expiry = now.tv_sec + key_negative_timeout;
	197
	198	if (current->signal->session_keyring) {
1da177e4 LT	199	struct key *keyring;
1da177e4 LT	200
8589b4e0 DH	201	rcu_read_lock();
8589b4e0 DH	202	keyring = rcu_dereference(current->signal->session_keyring);
1da177e4	203	atomic_inc(&keyring->usage);
8589b4e0	204	rcu_read_unlock();
1da177e4 LT	205
	206	key_link(keyring, key);
	207	key_put(keyring);
	208	}
	209
	210	key_put(key);
	211
	212	/* notify anyone who was waiting */
	213	wake_up_all(&request_key_conswq);
	214
	215	key = ERR_PTR(ret);
	216	goto out;
	217
	218	alloc_failed:
	219	up_write(&key_construction_sem);
	220	goto out;
	221
	222	} /* end __request_key_construction() */
	223
	224	/*****************************************************************************/
	225	/*
	226	* call out to userspace to request the key
	227	* - we check the construction queue first to see if an appropriate key is
	228	* already being constructed by userspace
	229	*/
	230	static struct key request_key_construction(struct key_type type,
	231	const char *description,
	232	struct key_user *user,
	233	const char *callout_info)
	234	{
	235	struct key_construction *pcons;
	236	struct key key, ckey;
	237
	238	DECLARE_WAITQUEUE(myself, current);
	239
3e30148c DH	240	kenter("%s,%s,{%d},%s",
	241	type->name, description, user->uid, callout_info);
	242
1da177e4 LT	243	/* see if there's such a key under construction already */
	244	down_write(&key_construction_sem);
	245
	246	list_for_each_entry(pcons, &user->consq, link) {
	247	ckey = pcons->key;
	248
	249	if (ckey->type != type)
	250	continue;
	251
	252	if (type->match(ckey, description))
	253	goto found_key_under_construction;
	254	}
	255
	256	/* see about getting userspace to construct the key */
	257	key = __request_key_construction(type, description, callout_info);
	258	error:
3e30148c	259	kleave(" = %p", key);
1da177e4 LT	260	return key;
	261
	262	/* someone else has the same key under construction
	263	* - we want to keep an eye on their key
	264	*/
	265	found_key_under_construction:
	266	atomic_inc(&ckey->usage);
	267	up_write(&key_construction_sem);
	268
	269	/* wait for the key to be completed one way or another */
	270	add_wait_queue(&request_key_conswq, &myself);
	271
	272	for (;;) {
3e30148c	273	set_current_state(TASK_INTERRUPTIBLE);
76d8aeab	274	if (!test_bit(KEY_FLAG_USER_CONSTRUCT, &ckey->flags))
1da177e4	275	break;
3e30148c DH	276	if (signal_pending(current))
3e30148c DH	277	break;
1da177e4 LT	278	schedule();
	279	}
	280
	281	set_current_state(TASK_RUNNING);
	282	remove_wait_queue(&request_key_conswq, &myself);
	283
	284	/* we'll need to search this process's keyrings to see if the key is
	285	* now there since we can't automatically assume it's also available
	286	* there */
	287	key_put(ckey);
	288	ckey = NULL;
	289
	290	key = NULL; /* request a retry */
	291	goto error;
	292
	293	} /* end request_key_construction() */
	294
3e30148c DH	295	/*****************************************************************************/
	296	/*
	297	* link a freshly minted key to an appropriate destination keyring
	298	*/
	299	static void request_key_link(struct key key, struct key dest_keyring)
	300	{
	301	struct task_struct *tsk = current;
	302	struct key *drop = NULL;
	303
	304	kenter("{%d},%p", key->serial, dest_keyring);
	305
	306	/* find the appropriate keyring */
	307	if (!dest_keyring) {
	308	switch (tsk->jit_keyring) {
	309	case KEY_REQKEY_DEFL_DEFAULT:
	310	case KEY_REQKEY_DEFL_THREAD_KEYRING:
	311	dest_keyring = tsk->thread_keyring;
	312	if (dest_keyring)
	313	break;
	314
	315	case KEY_REQKEY_DEFL_PROCESS_KEYRING:
	316	dest_keyring = tsk->signal->process_keyring;
	317	if (dest_keyring)
	318	break;
	319
	320	case KEY_REQKEY_DEFL_SESSION_KEYRING:
	321	rcu_read_lock();
	322	dest_keyring = key_get(
	323	rcu_dereference(tsk->signal->session_keyring));
	324	rcu_read_unlock();
	325	drop = dest_keyring;
	326
	327	if (dest_keyring)
	328	break;
	329
	330	case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
	331	dest_keyring = current->user->session_keyring;
	332	break;
	333
	334	case KEY_REQKEY_DEFL_USER_KEYRING:
	335	dest_keyring = current->user->uid_keyring;
	336	break;
	337
	338	case KEY_REQKEY_DEFL_GROUP_KEYRING:
	339	default:
	340	BUG();
	341	}
	342	}
	343
	344	/* and attach the key to it */
	345	key_link(dest_keyring, key);
	346
	347	key_put(drop);
	348
	349	kleave("");
	350
	351	} /* end request_key_link() */
	352
1da177e4 LT	353	/*****************************************************************************/
	354	/*
	355	* request a key
	356	* - search the process's keyrings
	357	* - check the list of keys being created or updated
3e30148c DH	358	* - call out to userspace for a key if supplementary info was provided
3e30148c DH	359	* - cache the key in an appropriate keyring
1da177e4	360	*/
3e30148c DH	361	struct key request_key_and_link(struct key_type type,
	362	const char *description,
	363	const char *callout_info,
	364	struct key *dest_keyring)
1da177e4 LT	365	{
	366	struct key_user *user;
	367	struct key *key;
664cceb0	368	key_ref_t key_ref;
1da177e4	369
3e30148c DH	370	kenter("%s,%s,%s,%p",
	371	type->name, description, callout_info, dest_keyring);
	372
1da177e4	373	/* search all the process keyrings for a key */
664cceb0 DH	374	key_ref = search_process_keyrings(type, description, type->match,
664cceb0 DH	375	current);
1da177e4	376
664cceb0 DH	377	kdebug("search 1: %p", key_ref);
	378
	379	if (!IS_ERR(key_ref)) {
	380	key = key_ref_to_ptr(key_ref);
	381	}
	382	else if (PTR_ERR(key_ref) != -EAGAIN) {
	383	key = ERR_PTR(PTR_ERR(key_ref));
	384	}
	385	else {
1da177e4 LT	386	/* the search failed, but the keyrings were searchable, so we
	387	* should consult userspace if we can */
	388	key = ERR_PTR(-ENOKEY);
	389	if (!callout_info)
	390	goto error;
	391
	392	/* - get hold of the user's construction queue */
	393	user = key_user_lookup(current->fsuid);
3e30148c DH	394	if (!user)
	395	goto nomem;
	396
664cceb0	397	for (;;) {
3e30148c DH	398	if (signal_pending(current))
3e30148c DH	399	goto interrupted;
1da177e4	400
1da177e4 LT	401	/* ask userspace (returns NULL if it waited on a key
	402	* being constructed) */
	403	key = request_key_construction(type, description,
	404	user, callout_info);
	405	if (key)
	406	break;
	407
	408	/* someone else made the key we want, so we need to
	409	* search again as it might now be available to us */
664cceb0 DH	410	key_ref = search_process_keyrings(type, description,
	411	type->match,
	412	current);
	413
	414	kdebug("search 2: %p", key_ref);
3e30148c	415
664cceb0 DH	416	if (!IS_ERR(key_ref)) {
	417	key = key_ref_to_ptr(key_ref);
	418	break;
	419	}
	420
	421	if (PTR_ERR(key_ref) != -EAGAIN) {
	422	key = ERR_PTR(PTR_ERR(key_ref));
	423	break;
	424	}
	425	}
1da177e4 LT	426
1da177e4 LT	427	key_user_put(user);
3e30148c DH	428
3e30148c DH	429	/* link the new key into the appropriate keyring */
1260f801	430	if (!IS_ERR(key))
3e30148c	431	request_key_link(key, dest_keyring);
1da177e4 LT	432	}
1da177e4 LT	433
3e30148c DH	434	error:
3e30148c DH	435	kleave(" = %p", key);
1da177e4 LT	436	return key;
1da177e4 LT	437
3e30148c DH	438	nomem:
	439	key = ERR_PTR(-ENOMEM);
	440	goto error;
	441
	442	interrupted:
	443	key_user_put(user);
	444	key = ERR_PTR(-EINTR);
	445	goto error;
	446
	447	} /* end request_key_and_link() */
	448
	449	/*****************************************************************************/
	450	/*
	451	* request a key
	452	* - search the process's keyrings
	453	* - check the list of keys being created or updated
	454	* - call out to userspace for a key if supplementary info was provided
	455	*/
	456	struct key request_key(struct key_type type,
	457	const char *description,
	458	const char *callout_info)
	459	{
	460	return request_key_and_link(type, description, callout_info, NULL);
	461
1da177e4 LT	462	} /* end request_key() */
	463
	464	EXPORT_SYMBOL(request_key);
	465
	466	/*****************************************************************************/
	467	/*
	468	* validate a key
	469	*/
	470	int key_validate(struct key *key)
	471	{
	472	struct timespec now;
	473	int ret = 0;
	474
	475	if (key) {
	476	/* check it's still accessible */
	477	ret = -EKEYREVOKED;
76d8aeab DH	478	if (test_bit(KEY_FLAG_REVOKED, &key->flags) \|\|
76d8aeab DH	479	test_bit(KEY_FLAG_DEAD, &key->flags))
1da177e4 LT	480	goto error;
	481
	482	/* check it hasn't expired */
	483	ret = 0;
	484	if (key->expiry) {
	485	now = current_kernel_time();
	486	if (now.tv_sec >= key->expiry)
	487	ret = -EKEYEXPIRED;
	488	}
	489	}
	490
	491	error:
	492	return ret;
	493
	494	} /* end key_validate() */
	495
	496	EXPORT_SYMBOL(key_validate);