Commit dcf49dbc authored by David Howells's avatar David Howells

keys: Add a 'recurse' flag for keyring searches



Add a 'recurse' flag for keyring searches so that the flag can be omitted
and recursion disabled, thereby allowing just the nominated keyring to be
searched and none of the children.

Signed-off-by: David Howells <dhowells@redhat.com>
parent 355ef8e1
+6 −4
@@ -1162,11 +1162,13 @@ payload contents" for more information.


	key_ref_t keyring_search(key_ref_t keyring_ref,
	key_ref_t keyring_search(key_ref_t keyring_ref,
				 const struct key_type *type,
				 const struct key_type *type,
				 const char *description)
				 const char *description,
				 bool recurse)


    This searches the keyring tree specified for a matching key. Error ENOKEY
    This searches the specified keyring only (recurse == false) or keyring tree
    is returned upon failure (use IS_ERR/PTR_ERR to determine). If successful,
    (recurse == true) specified for a matching key. Error ENOKEY is returned
    the returned key will need to be released.
    upon failure (use IS_ERR/PTR_ERR to determine). If successful, the returned
    key will need to be released.


    The possession attribute from the keyring reference is used to control
    The possession attribute from the keyring reference is used to control
    access through the permissions mask and is propagated to the returned key
    access through the permissions mask and is propagated to the returned key
+1 −1
@@ -128,7 +128,7 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
	*p = 0;
	*p = 0;


	kref = keyring_search(make_key_ref(blacklist_keyring, true),
	kref = keyring_search(make_key_ref(blacklist_keyring, true),
			      &key_type_blacklist, buffer);
			      &key_type_blacklist, buffer, false);
	if (!IS_ERR(kref)) {
	if (!IS_ERR(kref)) {
		key_ref_put(kref);
		key_ref_put(kref);
		ret = -EKEYREJECTED;
		ret = -EKEYREJECTED;
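Review bot: Passing `false` in is_hash_blacklisted() is a behaviour change rather than a mechanical conversion, because the documentation updated in this same commit described the old search as covering the whole keyring tree, and this lookup now stops at `blacklist_keyring` itself. Only a successful search sets `-EKEYREJECTED` here, so a miss appears to be the "not blacklisted" outcome; if a blacklist entry could ever sit in a keyring linked beneath `blacklist_keyring`, it would silently stop being honoured. If nothing but blacklist entries can be linked there, say so next to the call, e.g. `/* Entries are linked directly into the blacklist keyring; no need to recurse. */`, and mention the changed caller in the commit message. The function starts and ends outside this hunk, so the rest of the error handling is not visible.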
+1 −1
@@ -87,7 +87,7 @@ struct key *find_asymmetric_key(struct key *keyring,
	pr_debug("Look up: \"%s\"\n", req);
	pr_debug("Look up: \"%s\"\n", req);


	ref = keyring_search(make_key_ref(keyring, 1),
	ref = keyring_search(make_key_ref(keyring, 1),
			     &key_type_asymmetric, req);
			     &key_type_asymmetric, req, true);
	if (IS_ERR(ref))
	if (IS_ERR(ref))
		pr_debug("Request for key '%s' err %ld\n", req, PTR_ERR(ref));
		pr_debug("Request for key '%s' err %ld\n", req, PTR_ERR(ref));
	kfree(req);
	kfree(req);
+2 −1
@@ -341,7 +341,8 @@ extern int keyring_clear(struct key *keyring);


extern key_ref_t keyring_search(key_ref_t keyring,
extern key_ref_t keyring_search(key_ref_t keyring,
				struct key_type *type,
				struct key_type *type,
				const char *description);
				const char *description,
				bool recurse);


extern int keyring_add_key(struct key *keyring,
extern int keyring_add_key(struct key *keyring,
			   struct key *key);
			   struct key *key);
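Review bot: The new `bool recurse` parameter is undocumented at the declaration, and every converted caller visible on this page passes a bare `true` or `false`, which tells a reader nothing without looking up the prototype. A one-line comment above the prototype would help, e.g. `/* recurse: true to also search keyrings linked under @keyring, false to search @keyring only */`. Separately, this prototype takes `struct key_type *type` while the documentation updated in this commit shows `const struct key_type *type`; one of the two should be brought in line with the other.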
+1 −1
@@ -221,7 +221,7 @@ int digsig_verify(struct key *keyring, const char *sig, int siglen,
		/* search in specific keyring */
		/* search in specific keyring */
		key_ref_t kref;
		key_ref_t kref;
		kref = keyring_search(make_key_ref(keyring, 1UL),
		kref = keyring_search(make_key_ref(keyring, 1UL),
						&key_type_user, name);
				      &key_type_user, name, true);
		if (IS_ERR(kref))
		if (IS_ERR(kref))
			key = ERR_CAST(kref);
			key = ERR_CAST(kref);
		else
		else
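Review bot: The existing comment `/* search in specific keyring */` now sits directly above a call that passes `true`, which searches the keyring and everything linked beneath it, so the comment reads as the opposite of what the flag requests. This lookup selects the key used by digsig_verify(), so the search scope should be stated accurately: `/* search the given keyring and the keyrings linked beneath it */`. If only keys held directly in `keyring` are meant to be eligible, `false` would be the narrower choice. That intent is not visible from this hunk, whose enclosing function starts and ends outside it.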