[net-next-2.6.git] / security / keys / request_key.c

/* request_key.c: request a key from userspace
 *
 * Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 *
 * See Documentation/keys-request-key.txt
 */

#include <linux/module.h>
#include <linux/sched.h>
#include <linux/kmod.h>
#include <linux/err.h>
#include <linux/keyctl.h>
#include "internal.h"

struct key_construction {
	struct list_head	link;	/* link in construction queue */
	struct key		*key;	/* key being constructed */
};

/* when waiting for someone else's keys, you get added to this */
DECLARE_WAIT_QUEUE_HEAD(request_key_conswq);

/*****************************************************************************/
/*
 * request userspace finish the construction of a key
 * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
 */
static int call_sbin_request_key(struct key *key,
				 struct key *authkey,
				 const char *op)
{
	struct task_struct *tsk = current;
	key_serial_t prkey, sskey;
	struct key *keyring;
	char *argv[9], *envp[3], uid_str[12], gid_str[12];
	char key_str[12], keyring_str[3][12];
	char desc[20];
	int ret, i;

	kenter("{%d},{%d},%s", key->serial, authkey->serial, op);

	/* allocate a new session keyring */
	sprintf(desc, "_req.%u", key->serial);

	keyring = keyring_alloc(desc, current->fsuid, current->fsgid, current,
				KEY_ALLOC_QUOTA_OVERRUN, NULL);
	if (IS_ERR(keyring)) {
		ret = PTR_ERR(keyring);
		goto error_alloc;
	}

	/* attach the auth key to the session keyring */
	ret = __key_link(keyring, authkey);
	if (ret < 0)
		goto error_link;

	/* record the UID and GID */
	sprintf(uid_str, "%d", current->fsuid);
	sprintf(gid_str, "%d", current->fsgid);

	/* we say which key is under construction */
	sprintf(key_str, "%d", key->serial);

	/* we specify the process's default keyrings */
	sprintf(keyring_str[0], "%d",
		tsk->thread_keyring ? tsk->thread_keyring->serial : 0);

	prkey = 0;
	if (tsk->signal->process_keyring)
		prkey = tsk->signal->process_keyring->serial;

	sprintf(keyring_str[1], "%d", prkey);

	if (tsk->signal->session_keyring) {
		rcu_read_lock();
		sskey = rcu_dereference(tsk->signal->session_keyring)->serial;
		rcu_read_unlock();
	}
	else {
		sskey = tsk->user->session_keyring->serial;
	}

	sprintf(keyring_str[2], "%d", sskey);

	/* set up a minimal environment */
	i = 0;
	envp[i++] = "HOME=/";
	envp[i++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
	envp[i] = NULL;

	/* set up the argument list */
	i = 0;
	argv[i++] = "/sbin/request-key";
	argv[i++] = (char *) op;
	argv[i++] = key_str;
	argv[i++] = uid_str;
	argv[i++] = gid_str;
	argv[i++] = keyring_str[0];
	argv[i++] = keyring_str[1];
	argv[i++] = keyring_str[2];
	argv[i] = NULL;

	/* do it */
	ret = call_usermodehelper_keys(argv[0], argv, envp, keyring, 1);

error_link:
	key_put(keyring);

error_alloc:
	kleave(" = %d", ret);
	return ret;

} /* end call_sbin_request_key() */

/*****************************************************************************/
/*
 * call out to userspace for the key
 * - called with the construction sem held, but the sem is dropped here
 * - we ignore program failure and go on key status instead
 */
static struct key *__request_key_construction(struct key_type *type,
					      const char *description,
					      const char *callout_info,
					      unsigned long flags)
{
	request_key_actor_t actor;
	struct key_construction cons;
	struct timespec now;
	struct key *key, *authkey;
	int ret, negated;

	kenter("%s,%s,%s,%lx", type->name, description, callout_info, flags);

	/* create a key and add it to the queue */
	key = key_alloc(type, description,
			current->fsuid, current->fsgid, current, KEY_POS_ALL,
			flags);
	if (IS_ERR(key))
		goto alloc_failed;

	set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);

	cons.key = key;
	list_add_tail(&cons.link, &key->user->consq);

	/* we drop the construction sem here on behalf of the caller */
	up_write(&key_construction_sem);

	/* allocate an authorisation key */
	authkey = request_key_auth_new(key, callout_info);
	if (IS_ERR(authkey)) {
		ret = PTR_ERR(authkey);
		authkey = NULL;
		goto alloc_authkey_failed;
	}

	/* make the call */
	actor = call_sbin_request_key;
	if (type->request_key)
		actor = type->request_key;
	ret = actor(key, authkey, "create");
	if (ret < 0)
		goto request_failed;

	/* if the key wasn't instantiated, then we want to give an error */
	ret = -ENOKEY;
	if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
		goto request_failed;

	key_revoke(authkey);
	key_put(authkey);

	down_write(&key_construction_sem);
	list_del(&cons.link);
	up_write(&key_construction_sem);

	/* also give an error if the key was negatively instantiated */
check_not_negative:
	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
		key_put(key);
		key = ERR_PTR(-ENOKEY);
	}

out:
	kleave(" = %p", key);
	return key;

request_failed:
	key_revoke(authkey);
	key_put(authkey);

alloc_authkey_failed:
	/* it wasn't instantiated
	 * - remove from construction queue
	 * - mark the key as dead
	 */
	negated = 0;
	down_write(&key_construction_sem);

	list_del(&cons.link);

	/* check it didn't get instantiated between the check and the down */
	if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
		set_bit(KEY_FLAG_NEGATIVE, &key->flags);
		set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
		negated = 1;
	}

	clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);

	up_write(&key_construction_sem);

	if (!negated)
		goto check_not_negative; /* surprisingly, the key got
					  * instantiated */

	/* set the timeout and store in the session keyring if we can */
	now = current_kernel_time();
	key->expiry = now.tv_sec + key_negative_timeout;

	if (current->signal->session_keyring) {
		struct key *keyring;

		rcu_read_lock();
		keyring = rcu_dereference(current->signal->session_keyring);
		atomic_inc(&keyring->usage);
		rcu_read_unlock();

		key_link(keyring, key);
		key_put(keyring);
	}

	key_put(key);

	/* notify anyone who was waiting */
	wake_up_all(&request_key_conswq);

	key = ERR_PTR(ret);
	goto out;

alloc_failed:
	up_write(&key_construction_sem);
	goto out;

} /* end __request_key_construction() */

/*****************************************************************************/
/*
 * call out to userspace to request the key
 * - we check the construction queue first to see if an appropriate key is
 *   already being constructed by userspace
 */
static struct key *request_key_construction(struct key_type *type,
					    const char *description,
					    struct key_user *user,
					    const char *callout_info,
					    unsigned long flags)
{
	struct key_construction *pcons;
	struct key *key, *ckey;

	DECLARE_WAITQUEUE(myself, current);

	kenter("%s,%s,{%d},%s,%lx",
	       type->name, description, user->uid, callout_info, flags);

	/* see if there's such a key under construction already */
	down_write(&key_construction_sem);

	list_for_each_entry(pcons, &user->consq, link) {
		ckey = pcons->key;

		if (ckey->type != type)
			continue;

		if (type->match(ckey, description))
			goto found_key_under_construction;
	}

	/* see about getting userspace to construct the key */
	key = __request_key_construction(type, description, callout_info,
					 flags);
 error:
	kleave(" = %p", key);
	return key;

	/* someone else has the same key under construction
	 * - we want to keep an eye on their key
	 */
 found_key_under_construction:
	atomic_inc(&ckey->usage);
	up_write(&key_construction_sem);

	/* wait for the key to be completed one way or another */
	add_wait_queue(&request_key_conswq, &myself);

	for (;;) {
		set_current_state(TASK_INTERRUPTIBLE);
		if (!test_bit(KEY_FLAG_USER_CONSTRUCT, &ckey->flags))
			break;
		if (signal_pending(current))
			break;
		schedule();
	}

	set_current_state(TASK_RUNNING);
	remove_wait_queue(&request_key_conswq, &myself);

	/* we'll need to search this process's keyrings to see if the key is
	 * now there since we can't automatically assume it's also available
	 * there */
	key_put(ckey);
	ckey = NULL;

	key = NULL; /* request a retry */
	goto error;

} /* end request_key_construction() */

/*****************************************************************************/
/*
 * link a freshly minted key to an appropriate destination keyring
 */
static void request_key_link(struct key *key, struct key *dest_keyring)
{
	struct task_struct *tsk = current;
	struct key *drop = NULL;

	kenter("{%d},%p", key->serial, dest_keyring);

	/* find the appropriate keyring */
	if (!dest_keyring) {
		switch (tsk->jit_keyring) {
		case KEY_REQKEY_DEFL_DEFAULT:
		case KEY_REQKEY_DEFL_THREAD_KEYRING:
			dest_keyring = tsk->thread_keyring;
			if (dest_keyring)
				break;

		case KEY_REQKEY_DEFL_PROCESS_KEYRING:
			dest_keyring = tsk->signal->process_keyring;
			if (dest_keyring)
				break;

		case KEY_REQKEY_DEFL_SESSION_KEYRING:
			rcu_read_lock();
			dest_keyring = key_get(
				rcu_dereference(tsk->signal->session_keyring));
			rcu_read_unlock();
			drop = dest_keyring;

			if (dest_keyring)
				break;

		case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
			dest_keyring = current->user->session_keyring;
			break;

		case KEY_REQKEY_DEFL_USER_KEYRING:
			dest_keyring = current->user->uid_keyring;
			break;

		case KEY_REQKEY_DEFL_GROUP_KEYRING:
		default:
			BUG();
		}
	}

	/* and attach the key to it */
	key_link(dest_keyring, key);

	key_put(drop);

	kleave("");

} /* end request_key_link() */

/*****************************************************************************/
/*
 * request a key
 * - search the process's keyrings
 * - check the list of keys being created or updated
 * - call out to userspace for a key if supplementary info was provided
 * - cache the key in an appropriate keyring
 */
struct key *request_key_and_link(struct key_type *type,
				 const char *description,
				 const char *callout_info,
				 struct key *dest_keyring,
				 unsigned long flags)
{
	struct key_user *user;
	struct key *key;
	key_ref_t key_ref;

	kenter("%s,%s,%s,%p,%lx",
	       type->name, description, callout_info, dest_keyring, flags);

	/* search all the process keyrings for a key */
	key_ref = search_process_keyrings(type, description, type->match,
					  current);

	kdebug("search 1: %p", key_ref);

	if (!IS_ERR(key_ref)) {
		key = key_ref_to_ptr(key_ref);
	}
	else if (PTR_ERR(key_ref) != -EAGAIN) {
		key = ERR_PTR(PTR_ERR(key_ref));
	}
	else  {
		/* the search failed, but the keyrings were searchable, so we
		 * should consult userspace if we can */
		key = ERR_PTR(-ENOKEY);
		if (!callout_info)
			goto error;

		/* - get hold of the user's construction queue */
		user = key_user_lookup(current->fsuid);
		if (!user)
			goto nomem;

		for (;;) {
			if (signal_pending(current))
				goto interrupted;

			/* ask userspace (returns NULL if it waited on a key
			 * being constructed) */
			key = request_key_construction(type, description,
						       user, callout_info,
						       flags);
			if (key)
				break;

			/* someone else made the key we want, so we need to
			 * search again as it might now be available to us */
			key_ref = search_process_keyrings(type, description,
							  type->match,
							  current);

			kdebug("search 2: %p", key_ref);

			if (!IS_ERR(key_ref)) {
				key = key_ref_to_ptr(key_ref);
				break;
			}

			if (PTR_ERR(key_ref) != -EAGAIN) {
				key = ERR_PTR(PTR_ERR(key_ref));
				break;
			}
		}

		key_user_put(user);

		/* link the new key into the appropriate keyring */
		if (!IS_ERR(key))
			request_key_link(key, dest_keyring);
	}

error:
	kleave(" = %p", key);
	return key;

nomem:
	key = ERR_PTR(-ENOMEM);
	goto error;

interrupted:
	key_user_put(user);
	key = ERR_PTR(-EINTR);
	goto error;

} /* end request_key_and_link() */

/*****************************************************************************/
/*
 * request a key
 * - search the process's keyrings
 * - check the list of keys being created or updated
 * - call out to userspace for a key if supplementary info was provided
 */
struct key *request_key(struct key_type *type,
			const char *description,
			const char *callout_info)
{
	return request_key_and_link(type, description, callout_info, NULL,
				    KEY_ALLOC_IN_QUOTA);

} /* end request_key() */

EXPORT_SYMBOL(request_key);
Commit	Line	Data
1da177e4 LT	1	/* request_key.c: request a key from userspace
1da177e4 LT	2	*
3e30148c	3	* Copyright (C) 2004-5 Red Hat, Inc. All Rights Reserved.
1da177e4 LT	4	* Written by David Howells (dhowells@redhat.com)
	5	*
	6	* This program is free software; you can redistribute it and/or
	7	* modify it under the terms of the GNU General Public License
	8	* as published by the Free Software Foundation; either version
	9	* 2 of the License, or (at your option) any later version.
f1a9badc DH	10	*
f1a9badc DH	11	* See Documentation/keys-request-key.txt
1da177e4 LT	12	*/
	13
	14	#include <linux/module.h>
	15	#include <linux/sched.h>
	16	#include <linux/kmod.h>
	17	#include <linux/err.h>
3e30148c	18	#include <linux/keyctl.h>
1da177e4 LT	19	#include "internal.h"
	20
	21	struct key_construction {
	22	struct list_head link; /* link in construction queue */
	23	struct key key; / key being constructed */
	24	};
	25
	26	/* when waiting for someone else's keys, you get added to this */
	27	DECLARE_WAIT_QUEUE_HEAD(request_key_conswq);
	28
	29	/*****************************************************************************/
	30	/*
	31	* request userspace finish the construction of a key
b5f545c8	32	* - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
1da177e4	33	*/
b5f545c8 DH	34	static int call_sbin_request_key(struct key *key,
	35	struct key *authkey,
	36	const char *op)
1da177e4 LT	37	{
1da177e4 LT	38	struct task_struct *tsk = current;
1da177e4	39	key_serial_t prkey, sskey;
b5f545c8 DH	40	struct key *keyring;
b5f545c8 DH	41	char argv[9], envp[3], uid_str[12], gid_str[12];
1da177e4	42	char key_str[12], keyring_str[3][12];
b5f545c8	43	char desc[20];
3e30148c DH	44	int ret, i;
3e30148c DH	45
b5f545c8	46	kenter("{%d},{%d},%s", key->serial, authkey->serial, op);
3e30148c	47
b5f545c8 DH	48	/* allocate a new session keyring */
	49	sprintf(desc, "_req.%u", key->serial);
	50
7e047ef5 DH	51	keyring = keyring_alloc(desc, current->fsuid, current->fsgid, current,
7e047ef5 DH	52	KEY_ALLOC_QUOTA_OVERRUN, NULL);
b5f545c8 DH	53	if (IS_ERR(keyring)) {
	54	ret = PTR_ERR(keyring);
	55	goto error_alloc;
3e30148c	56	}
1da177e4	57
b5f545c8 DH	58	/* attach the auth key to the session keyring */
	59	ret = __key_link(keyring, authkey);
	60	if (ret < 0)
	61	goto error_link;
	62
1da177e4 LT	63	/* record the UID and GID */
	64	sprintf(uid_str, "%d", current->fsuid);
	65	sprintf(gid_str, "%d", current->fsgid);
	66
	67	/* we say which key is under construction */
	68	sprintf(key_str, "%d", key->serial);
	69
	70	/* we specify the process's default keyrings */
	71	sprintf(keyring_str[0], "%d",
	72	tsk->thread_keyring ? tsk->thread_keyring->serial : 0);
	73
	74	prkey = 0;
	75	if (tsk->signal->process_keyring)
	76	prkey = tsk->signal->process_keyring->serial;
	77
3e30148c	78	sprintf(keyring_str[1], "%d", prkey);
1da177e4	79
3e30148c DH	80	if (tsk->signal->session_keyring) {
	81	rcu_read_lock();
	82	sskey = rcu_dereference(tsk->signal->session_keyring)->serial;
	83	rcu_read_unlock();
	84	}
	85	else {
1da177e4	86	sskey = tsk->user->session_keyring->serial;
3e30148c	87	}
1da177e4	88
1da177e4 LT	89	sprintf(keyring_str[2], "%d", sskey);
	90
	91	/* set up a minimal environment */
	92	i = 0;
	93	envp[i++] = "HOME=/";
	94	envp[i++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
	95	envp[i] = NULL;
	96
	97	/* set up the argument list */
	98	i = 0;
	99	argv[i++] = "/sbin/request-key";
	100	argv[i++] = (char *) op;
	101	argv[i++] = key_str;
	102	argv[i++] = uid_str;
	103	argv[i++] = gid_str;
	104	argv[i++] = keyring_str[0];
	105	argv[i++] = keyring_str[1];
	106	argv[i++] = keyring_str[2];
1da177e4 LT	107	argv[i] = NULL;
	108
	109	/* do it */
b5f545c8	110	ret = call_usermodehelper_keys(argv[0], argv, envp, keyring, 1);
3e30148c	111
b5f545c8 DH	112	error_link:
b5f545c8 DH	113	key_put(keyring);
3e30148c	114
b5f545c8	115	error_alloc:
3e30148c DH	116	kleave(" = %d", ret);
3e30148c DH	117	return ret;
1da177e4	118
b5f545c8	119	} /* end call_sbin_request_key() */
1da177e4 LT	120
	121	/*****************************************************************************/
	122	/*
	123	* call out to userspace for the key
	124	* - called with the construction sem held, but the sem is dropped here
	125	* - we ignore program failure and go on key status instead
	126	*/
	127	static struct key __request_key_construction(struct key_type type,
	128	const char *description,
7e047ef5 DH	129	const char *callout_info,
7e047ef5 DH	130	unsigned long flags)
1da177e4	131	{
b5f545c8	132	request_key_actor_t actor;
1da177e4 LT	133	struct key_construction cons;
1da177e4 LT	134	struct timespec now;
b5f545c8	135	struct key key, authkey;
76d8aeab	136	int ret, negated;
1da177e4	137
7e047ef5	138	kenter("%s,%s,%s,%lx", type->name, description, callout_info, flags);
3e30148c	139
1da177e4 LT	140	/* create a key and add it to the queue */
1da177e4 LT	141	key = key_alloc(type, description,
7e047ef5 DH	142	current->fsuid, current->fsgid, current, KEY_POS_ALL,
7e047ef5 DH	143	flags);
1da177e4 LT	144	if (IS_ERR(key))
	145	goto alloc_failed;
	146
76d8aeab	147	set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
1da177e4 LT	148
	149	cons.key = key;
	150	list_add_tail(&cons.link, &key->user->consq);
	151
	152	/* we drop the construction sem here on behalf of the caller */
	153	up_write(&key_construction_sem);
	154
b5f545c8 DH	155	/* allocate an authorisation key */
	156	authkey = request_key_auth_new(key, callout_info);
	157	if (IS_ERR(authkey)) {
	158	ret = PTR_ERR(authkey);
	159	authkey = NULL;
	160	goto alloc_authkey_failed;
	161	}
	162
1da177e4	163	/* make the call */
b5f545c8 DH	164	actor = call_sbin_request_key;
	165	if (type->request_key)
	166	actor = type->request_key;
	167	ret = actor(key, authkey, "create");
1da177e4 LT	168	if (ret < 0)
	169	goto request_failed;
	170
	171	/* if the key wasn't instantiated, then we want to give an error */
	172	ret = -ENOKEY;
76d8aeab	173	if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags))
1da177e4 LT	174	goto request_failed;
1da177e4 LT	175
b5f545c8 DH	176	key_revoke(authkey);
	177	key_put(authkey);
	178
1da177e4 LT	179	down_write(&key_construction_sem);
	180	list_del(&cons.link);
	181	up_write(&key_construction_sem);
	182
	183	/* also give an error if the key was negatively instantiated */
b5f545c8	184	check_not_negative:
76d8aeab	185	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
1da177e4 LT	186	key_put(key);
	187	key = ERR_PTR(-ENOKEY);
	188	}
	189
b5f545c8	190	out:
3e30148c	191	kleave(" = %p", key);
1da177e4 LT	192	return key;
1da177e4 LT	193
b5f545c8 DH	194	request_failed:
	195	key_revoke(authkey);
	196	key_put(authkey);
	197
	198	alloc_authkey_failed:
1da177e4 LT	199	/* it wasn't instantiated
	200	* - remove from construction queue
	201	* - mark the key as dead
	202	*/
76d8aeab	203	negated = 0;
1da177e4 LT	204	down_write(&key_construction_sem);
	205
	206	list_del(&cons.link);
	207
1da177e4	208	/* check it didn't get instantiated between the check and the down */
76d8aeab DH	209	if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) {
	210	set_bit(KEY_FLAG_NEGATIVE, &key->flags);
	211	set_bit(KEY_FLAG_INSTANTIATED, &key->flags);
	212	negated = 1;
1da177e4 LT	213	}
1da177e4 LT	214
76d8aeab DH	215	clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
76d8aeab DH	216
1da177e4 LT	217	up_write(&key_construction_sem);
1da177e4 LT	218
76d8aeab	219	if (!negated)
1da177e4 LT	220	goto check_not_negative; /* surprisingly, the key got
	221	* instantiated */
	222
	223	/* set the timeout and store in the session keyring if we can */
	224	now = current_kernel_time();
	225	key->expiry = now.tv_sec + key_negative_timeout;
	226
	227	if (current->signal->session_keyring) {
1da177e4 LT	228	struct key *keyring;
1da177e4 LT	229
8589b4e0 DH	230	rcu_read_lock();
8589b4e0 DH	231	keyring = rcu_dereference(current->signal->session_keyring);
1da177e4	232	atomic_inc(&keyring->usage);
8589b4e0	233	rcu_read_unlock();
1da177e4 LT	234
	235	key_link(keyring, key);
	236	key_put(keyring);
	237	}
	238
	239	key_put(key);
	240
	241	/* notify anyone who was waiting */
	242	wake_up_all(&request_key_conswq);
	243
	244	key = ERR_PTR(ret);
	245	goto out;
	246
b5f545c8	247	alloc_failed:
1da177e4 LT	248	up_write(&key_construction_sem);
	249	goto out;
	250
	251	} /* end __request_key_construction() */
	252
	253	/*****************************************************************************/
	254	/*
	255	* call out to userspace to request the key
	256	* - we check the construction queue first to see if an appropriate key is
	257	* already being constructed by userspace
	258	*/
	259	static struct key request_key_construction(struct key_type type,
	260	const char *description,
	261	struct key_user *user,
7e047ef5 DH	262	const char *callout_info,
7e047ef5 DH	263	unsigned long flags)
1da177e4 LT	264	{
	265	struct key_construction *pcons;
	266	struct key key, ckey;
	267
	268	DECLARE_WAITQUEUE(myself, current);
	269
7e047ef5 DH	270	kenter("%s,%s,{%d},%s,%lx",
7e047ef5 DH	271	type->name, description, user->uid, callout_info, flags);
3e30148c	272
1da177e4 LT	273	/* see if there's such a key under construction already */
	274	down_write(&key_construction_sem);
	275
	276	list_for_each_entry(pcons, &user->consq, link) {
	277	ckey = pcons->key;
	278
	279	if (ckey->type != type)
	280	continue;
	281
	282	if (type->match(ckey, description))
	283	goto found_key_under_construction;
	284	}
	285
	286	/* see about getting userspace to construct the key */
7e047ef5 DH	287	key = __request_key_construction(type, description, callout_info,
7e047ef5 DH	288	flags);
1da177e4	289	error:
3e30148c	290	kleave(" = %p", key);
1da177e4 LT	291	return key;
	292
	293	/* someone else has the same key under construction
	294	* - we want to keep an eye on their key
	295	*/
	296	found_key_under_construction:
	297	atomic_inc(&ckey->usage);
	298	up_write(&key_construction_sem);
	299
	300	/* wait for the key to be completed one way or another */
	301	add_wait_queue(&request_key_conswq, &myself);
	302
	303	for (;;) {
3e30148c	304	set_current_state(TASK_INTERRUPTIBLE);
76d8aeab	305	if (!test_bit(KEY_FLAG_USER_CONSTRUCT, &ckey->flags))
1da177e4	306	break;
3e30148c DH	307	if (signal_pending(current))
3e30148c DH	308	break;
1da177e4 LT	309	schedule();
	310	}
	311
	312	set_current_state(TASK_RUNNING);
	313	remove_wait_queue(&request_key_conswq, &myself);
	314
	315	/* we'll need to search this process's keyrings to see if the key is
	316	* now there since we can't automatically assume it's also available
	317	* there */
	318	key_put(ckey);
	319	ckey = NULL;
	320
	321	key = NULL; /* request a retry */
	322	goto error;
	323
	324	} /* end request_key_construction() */
	325
3e30148c DH	326	/*****************************************************************************/
	327	/*
	328	* link a freshly minted key to an appropriate destination keyring
	329	*/
	330	static void request_key_link(struct key key, struct key dest_keyring)
	331	{
	332	struct task_struct *tsk = current;
	333	struct key *drop = NULL;
	334
	335	kenter("{%d},%p", key->serial, dest_keyring);
	336
	337	/* find the appropriate keyring */
	338	if (!dest_keyring) {
	339	switch (tsk->jit_keyring) {
	340	case KEY_REQKEY_DEFL_DEFAULT:
	341	case KEY_REQKEY_DEFL_THREAD_KEYRING:
	342	dest_keyring = tsk->thread_keyring;
	343	if (dest_keyring)
	344	break;
	345
	346	case KEY_REQKEY_DEFL_PROCESS_KEYRING:
	347	dest_keyring = tsk->signal->process_keyring;
	348	if (dest_keyring)
	349	break;
	350
	351	case KEY_REQKEY_DEFL_SESSION_KEYRING:
	352	rcu_read_lock();
	353	dest_keyring = key_get(
	354	rcu_dereference(tsk->signal->session_keyring));
	355	rcu_read_unlock();
	356	drop = dest_keyring;
	357
	358	if (dest_keyring)
	359	break;
	360
	361	case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
	362	dest_keyring = current->user->session_keyring;
	363	break;
	364
	365	case KEY_REQKEY_DEFL_USER_KEYRING:
	366	dest_keyring = current->user->uid_keyring;
	367	break;
	368
	369	case KEY_REQKEY_DEFL_GROUP_KEYRING:
	370	default:
	371	BUG();
	372	}
	373	}
	374
	375	/* and attach the key to it */
	376	key_link(dest_keyring, key);
	377
	378	key_put(drop);
	379
	380	kleave("");
	381
	382	} /* end request_key_link() */
	383
1da177e4 LT	384	/*****************************************************************************/
	385	/*
	386	* request a key
	387	* - search the process's keyrings
	388	* - check the list of keys being created or updated
3e30148c DH	389	* - call out to userspace for a key if supplementary info was provided
3e30148c DH	390	* - cache the key in an appropriate keyring
1da177e4	391	*/
3e30148c DH	392	struct key request_key_and_link(struct key_type type,
	393	const char *description,
	394	const char *callout_info,
7e047ef5 DH	395	struct key *dest_keyring,
7e047ef5 DH	396	unsigned long flags)
1da177e4 LT	397	{
	398	struct key_user *user;
	399	struct key *key;
664cceb0	400	key_ref_t key_ref;
1da177e4	401
7e047ef5 DH	402	kenter("%s,%s,%s,%p,%lx",
7e047ef5 DH	403	type->name, description, callout_info, dest_keyring, flags);
3e30148c	404
1da177e4	405	/* search all the process keyrings for a key */
664cceb0 DH	406	key_ref = search_process_keyrings(type, description, type->match,
664cceb0 DH	407	current);
1da177e4	408
664cceb0 DH	409	kdebug("search 1: %p", key_ref);
	410
	411	if (!IS_ERR(key_ref)) {
	412	key = key_ref_to_ptr(key_ref);
	413	}
	414	else if (PTR_ERR(key_ref) != -EAGAIN) {
	415	key = ERR_PTR(PTR_ERR(key_ref));
	416	}
	417	else {
1da177e4 LT	418	/* the search failed, but the keyrings were searchable, so we
	419	* should consult userspace if we can */
	420	key = ERR_PTR(-ENOKEY);
	421	if (!callout_info)
	422	goto error;
	423
	424	/* - get hold of the user's construction queue */
	425	user = key_user_lookup(current->fsuid);
3e30148c DH	426	if (!user)
	427	goto nomem;
	428
664cceb0	429	for (;;) {
3e30148c DH	430	if (signal_pending(current))
3e30148c DH	431	goto interrupted;
1da177e4	432
1da177e4 LT	433	/* ask userspace (returns NULL if it waited on a key
	434	* being constructed) */
	435	key = request_key_construction(type, description,
7e047ef5 DH	436	user, callout_info,
7e047ef5 DH	437	flags);
1da177e4 LT	438	if (key)
	439	break;
	440
	441	/* someone else made the key we want, so we need to
	442	* search again as it might now be available to us */
664cceb0 DH	443	key_ref = search_process_keyrings(type, description,
	444	type->match,
	445	current);
	446
	447	kdebug("search 2: %p", key_ref);
3e30148c	448
664cceb0 DH	449	if (!IS_ERR(key_ref)) {
	450	key = key_ref_to_ptr(key_ref);
	451	break;
	452	}
	453
	454	if (PTR_ERR(key_ref) != -EAGAIN) {
	455	key = ERR_PTR(PTR_ERR(key_ref));
	456	break;
	457	}
	458	}
1da177e4 LT	459
1da177e4 LT	460	key_user_put(user);
3e30148c DH	461
3e30148c DH	462	/* link the new key into the appropriate keyring */
1260f801	463	if (!IS_ERR(key))
3e30148c	464	request_key_link(key, dest_keyring);
1da177e4 LT	465	}
1da177e4 LT	466
3e30148c DH	467	error:
3e30148c DH	468	kleave(" = %p", key);
1da177e4 LT	469	return key;
1da177e4 LT	470
3e30148c DH	471	nomem:
	472	key = ERR_PTR(-ENOMEM);
	473	goto error;
	474
	475	interrupted:
	476	key_user_put(user);
	477	key = ERR_PTR(-EINTR);
	478	goto error;
	479
	480	} /* end request_key_and_link() */
	481
	482	/*****************************************************************************/
	483	/*
	484	* request a key
	485	* - search the process's keyrings
	486	* - check the list of keys being created or updated
	487	* - call out to userspace for a key if supplementary info was provided
	488	*/
	489	struct key request_key(struct key_type type,
	490	const char *description,
	491	const char *callout_info)
	492	{
7e047ef5 DH	493	return request_key_and_link(type, description, callout_info, NULL,
7e047ef5 DH	494	KEY_ALLOC_IN_QUOTA);
3e30148c	495
1da177e4 LT	496	} /* end request_key() */
	497
	498	EXPORT_SYMBOL(request_key);