1/* Keyring handling
2 *
3 * Copyright (C) 2004-2005, 2008, 2013 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/sched.h>
15#include <linux/slab.h>
16#include <linux/security.h>
17#include <linux/seq_file.h>
18#include <linux/err.h>
19#include <keys/keyring-type.h>
20#include <keys/user-type.h>
21#include <linux/assoc_array_priv.h>
22#include <linux/uaccess.h>
23#include "internal.h"
24
25/*
26 * When plumbing the depths of the key tree, this sets a hard limit
27 * set on how deep we're willing to go.
28 */
29#define KEYRING_SEARCH_MAX_DEPTH 6
30
31/*
32 * We keep all named keyrings in a hash to speed looking them up.
33 */
34#define KEYRING_NAME_HASH_SIZE	(1 << 5)
35
36/*
37 * We mark pointers we pass to the associative array with bit 1 set if
38 * they're keyrings and clear otherwise.
39 */
40#define KEYRING_PTR_SUBTYPE	0x2UL
41
42static inline bool keyring_ptr_is_keyring(const struct assoc_array_ptr *x)
43{
44	return (unsigned long)x & KEYRING_PTR_SUBTYPE;
45}
46static inline struct key *keyring_ptr_to_key(const struct assoc_array_ptr *x)
47{
48	void *object = assoc_array_ptr_to_leaf(x);
49	return (struct key *)((unsigned long)object & ~KEYRING_PTR_SUBTYPE);
50}
51static inline void *keyring_key_to_ptr(struct key *key)
52{
53	if (key->type == &key_type_keyring)
54		return (void *)((unsigned long)key | KEYRING_PTR_SUBTYPE);
55	return key;
56}
57
58static struct list_head	keyring_name_hash[KEYRING_NAME_HASH_SIZE];
59static DEFINE_RWLOCK(keyring_name_lock);
60
61static inline unsigned keyring_hash(const char *desc)
62{
63	unsigned bucket = 0;
64
65	for (; *desc; desc++)
66		bucket += (unsigned char)*desc;
67
68	return bucket & (KEYRING_NAME_HASH_SIZE - 1);
69}
70
71/*
72 * The keyring key type definition.  Keyrings are simply keys of this type and
73 * can be treated as ordinary keys in addition to having their own special
74 * operations.
75 */
76static int keyring_preparse(struct key_preparsed_payload *prep);
77static void keyring_free_preparse(struct key_preparsed_payload *prep);
78static int keyring_instantiate(struct key *keyring,
79			       struct key_preparsed_payload *prep);
80static void keyring_revoke(struct key *keyring);
81static void keyring_destroy(struct key *keyring);
82static void keyring_describe(const struct key *keyring, struct seq_file *m);
83static long keyring_read(const struct key *keyring,
84			 char __user *buffer, size_t buflen);
85
86struct key_type key_type_keyring = {
87	.name		= "keyring",
88	.def_datalen	= 0,
89	.preparse	= keyring_preparse,
90	.free_preparse	= keyring_free_preparse,
91	.instantiate	= keyring_instantiate,
92	.revoke		= keyring_revoke,
93	.destroy	= keyring_destroy,
94	.describe	= keyring_describe,
95	.read		= keyring_read,
96};
97EXPORT_SYMBOL(key_type_keyring);
98
99/*
100 * Semaphore to serialise link/link calls to prevent two link calls in parallel
101 * introducing a cycle.
102 */
103static DECLARE_RWSEM(keyring_serialise_link_sem);
104
105/*
106 * Publish the name of a keyring so that it can be found by name (if it has
107 * one).
108 */
109static void keyring_publish_name(struct key *keyring)
110{
111	int bucket;
112
113	if (keyring->description) {
114		bucket = keyring_hash(keyring->description);
115
116		write_lock(&keyring_name_lock);
117
118		if (!keyring_name_hash[bucket].next)
119			INIT_LIST_HEAD(&keyring_name_hash[bucket]);
120
121		list_add_tail(&keyring->type_data.link,
122			      &keyring_name_hash[bucket]);
123
124		write_unlock(&keyring_name_lock);
125	}
126}
127
128/*
129 * Preparse a keyring payload
130 */
131static int keyring_preparse(struct key_preparsed_payload *prep)
132{
133	return prep->datalen != 0 ? -EINVAL : 0;
134}
135
136/*
137 * Free a preparse of a user defined key payload
138 */
139static void keyring_free_preparse(struct key_preparsed_payload *prep)
140{
141}
142
143/*
144 * Initialise a keyring.
145 *
146 * Returns 0 on success, -EINVAL if given any data.
147 */
148static int keyring_instantiate(struct key *keyring,
149			       struct key_preparsed_payload *prep)
150{
151	assoc_array_init(&keyring->keys);
152	/* make the keyring available by name if it has one */
153	keyring_publish_name(keyring);
154	return 0;
155}
156
157/*
158 * Multiply 64-bits by 32-bits to 96-bits and fold back to 64-bit.  Ideally we'd
159 * fold the carry back too, but that requires inline asm.
160 */
161static u64 mult_64x32_and_fold(u64 x, u32 y)
162{
163	u64 hi = (u64)(u32)(x >> 32) * y;
164	u64 lo = (u64)(u32)(x) * y;
165	return lo + ((u64)(u32)hi << 32) + (u32)(hi >> 32);
166}
167
168/*
169 * Hash a key type and description.
170 */
171static unsigned long hash_key_type_and_desc(const struct keyring_index_key *index_key)
172{
173	const unsigned level_shift = ASSOC_ARRAY_LEVEL_STEP;
174	const unsigned long fan_mask = ASSOC_ARRAY_FAN_MASK;
175	const char *description = index_key->description;
176	unsigned long hash, type;
177	u32 piece;
178	u64 acc;
179	int n, desc_len = index_key->desc_len;
180
181	type = (unsigned long)index_key->type;
182
183	acc = mult_64x32_and_fold(type, desc_len + 13);
184	acc = mult_64x32_and_fold(acc, 9207);
185	for (;;) {
186		n = desc_len;
187		if (n <= 0)
188			break;
189		if (n > 4)
190			n = 4;
191		piece = 0;
192		memcpy(&piece, description, n);
193		description += n;
194		desc_len -= n;
195		acc = mult_64x32_and_fold(acc, piece);
196		acc = mult_64x32_and_fold(acc, 9207);
197	}
198
199	/* Fold the hash down to 32 bits if need be. */
200	hash = acc;
201	if (ASSOC_ARRAY_KEY_CHUNK_SIZE == 32)
202		hash ^= acc >> 32;
203
204	/* Squidge all the keyrings into a separate part of the tree to
205	 * ordinary keys by making sure the lowest level segment in the hash is
206	 * zero for keyrings and non-zero otherwise.
207	 */
208	if (index_key->type != &key_type_keyring && (hash & fan_mask) == 0)
209		return hash | (hash >> (ASSOC_ARRAY_KEY_CHUNK_SIZE - level_shift)) | 1;
210	if (index_key->type == &key_type_keyring && (hash & fan_mask) != 0)
211		return (hash + (hash << level_shift)) & ~fan_mask;
212	return hash;
213}
214
215/*
216 * Build the next index key chunk.
217 *
218 * On 32-bit systems the index key is laid out as:
219 *
220 *	0	4	5	9...
221 *	hash	desclen	typeptr	desc[]
222 *
223 * On 64-bit systems:
224 *
225 *	0	8	9	17...
226 *	hash	desclen	typeptr	desc[]
227 *
228 * We return it one word-sized chunk at a time.
229 */
230static unsigned long keyring_get_key_chunk(const void *data, int level)
231{
232	const struct keyring_index_key *index_key = data;
233	unsigned long chunk = 0;
234	long offset = 0;
235	int desc_len = index_key->desc_len, n = sizeof(chunk);
236
237	level /= ASSOC_ARRAY_KEY_CHUNK_SIZE;
238	switch (level) {
239	case 0:
240		return hash_key_type_and_desc(index_key);
241	case 1:
242		return ((unsigned long)index_key->type << 8) | desc_len;
243	case 2:
244		if (desc_len == 0)
245			return (u8)((unsigned long)index_key->type >>
246				    (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
247		n--;
248		offset = 1;
249	default:
250		offset += sizeof(chunk) - 1;
251		offset += (level - 3) * sizeof(chunk);
252		if (offset >= desc_len)
253			return 0;
254		desc_len -= offset;
255		if (desc_len > n)
256			desc_len = n;
257		offset += desc_len;
258		do {
259			chunk <<= 8;
260			chunk |= ((u8*)index_key->description)[--offset];
261		} while (--desc_len > 0);
262
263		if (level == 2) {
264			chunk <<= 8;
265			chunk |= (u8)((unsigned long)index_key->type >>
266				      (ASSOC_ARRAY_KEY_CHUNK_SIZE - 8));
267		}
268		return chunk;
269	}
270}
271
272static unsigned long keyring_get_object_key_chunk(const void *object, int level)
273{
274	const struct key *key = keyring_ptr_to_key(object);
275	return keyring_get_key_chunk(&key->index_key, level);
276}
277
278static bool keyring_compare_object(const void *object, const void *data)
279{
280	const struct keyring_index_key *index_key = data;
281	const struct key *key = keyring_ptr_to_key(object);
282
283	return key->index_key.type == index_key->type &&
284		key->index_key.desc_len == index_key->desc_len &&
285		memcmp(key->index_key.description, index_key->description,
286		       index_key->desc_len) == 0;
287}
288
289/*
290 * Compare the index keys of a pair of objects and determine the bit position
291 * at which they differ - if they differ.
292 */
293static int keyring_diff_objects(const void *object, const void *data)
294{
295	const struct key *key_a = keyring_ptr_to_key(object);
296	const struct keyring_index_key *a = &key_a->index_key;
297	const struct keyring_index_key *b = data;
298	unsigned long seg_a, seg_b;
299	int level, i;
300
301	level = 0;
302	seg_a = hash_key_type_and_desc(a);
303	seg_b = hash_key_type_and_desc(b);
304	if ((seg_a ^ seg_b) != 0)
305		goto differ;
306
307	/* The number of bits contributed by the hash is controlled by a
308	 * constant in the assoc_array headers.  Everything else thereafter we
309	 * can deal with as being machine word-size dependent.
310	 */
311	level += ASSOC_ARRAY_KEY_CHUNK_SIZE / 8;
312	seg_a = a->desc_len;
313	seg_b = b->desc_len;
314	if ((seg_a ^ seg_b) != 0)
315		goto differ;
316
317	/* The next bit may not work on big endian */
318	level++;
319	seg_a = (unsigned long)a->type;
320	seg_b = (unsigned long)b->type;
321	if ((seg_a ^ seg_b) != 0)
322		goto differ;
323
324	level += sizeof(unsigned long);
325	if (a->desc_len == 0)
326		goto same;
327
328	i = 0;
329	if (((unsigned long)a->description | (unsigned long)b->description) &
330	    (sizeof(unsigned long) - 1)) {
331		do {
332			seg_a = *(unsigned long *)(a->description + i);
333			seg_b = *(unsigned long *)(b->description + i);
334			if ((seg_a ^ seg_b) != 0)
335				goto differ_plus_i;
336			i += sizeof(unsigned long);
337		} while (i < (a->desc_len & (sizeof(unsigned long) - 1)));
338	}
339
340	for (; i < a->desc_len; i++) {
341		seg_a = *(unsigned char *)(a->description + i);
342		seg_b = *(unsigned char *)(b->description + i);
343		if ((seg_a ^ seg_b) != 0)
344			goto differ_plus_i;
345	}
346
347same:
348	return -1;
349
350differ_plus_i:
351	level += i;
352differ:
353	i = level * 8 + __ffs(seg_a ^ seg_b);
354	return i;
355}
356
357/*
358 * Free an object after stripping the keyring flag off of the pointer.
359 */
360static void keyring_free_object(void *object)
361{
362	key_put(keyring_ptr_to_key(object));
363}
364
365/*
366 * Operations for keyring management by the index-tree routines.
367 */
368static const struct assoc_array_ops keyring_assoc_array_ops = {
369	.get_key_chunk		= keyring_get_key_chunk,
370	.get_object_key_chunk	= keyring_get_object_key_chunk,
371	.compare_object		= keyring_compare_object,
372	.diff_objects		= keyring_diff_objects,
373	.free_object		= keyring_free_object,
374};
375
376/*
377 * Clean up a keyring when it is destroyed.  Unpublish its name if it had one
378 * and dispose of its data.
379 *
380 * The garbage collector detects the final key_put(), removes the keyring from
381 * the serial number tree and then does RCU synchronisation before coming here,
382 * so we shouldn't need to worry about code poking around here with the RCU
383 * readlock held by this time.
384 */
385static void keyring_destroy(struct key *keyring)
386{
387	if (keyring->description) {
388		write_lock(&keyring_name_lock);
389
390		if (keyring->type_data.link.next != NULL &&
391		    !list_empty(&keyring->type_data.link))
392			list_del(&keyring->type_data.link);
393
394		write_unlock(&keyring_name_lock);
395	}
396
397	assoc_array_destroy(&keyring->keys, &keyring_assoc_array_ops);
398}
399
400/*
401 * Describe a keyring for /proc.
402 */
403static void keyring_describe(const struct key *keyring, struct seq_file *m)
404{
405	if (keyring->description)
406		seq_puts(m, keyring->description);
407	else
408		seq_puts(m, "[anon]");
409
410	if (key_is_instantiated(keyring)) {
411		if (keyring->keys.nr_leaves_on_tree != 0)
412			seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree);
413		else
414			seq_puts(m, ": empty");
415	}
416}
417
418struct keyring_read_iterator_context {
419	size_t			qty;
420	size_t			count;
421	key_serial_t __user	*buffer;
422};
423
424static int keyring_read_iterator(const void *object, void *data)
425{
426	struct keyring_read_iterator_context *ctx = data;
427	const struct key *key = keyring_ptr_to_key(object);
428	int ret;
429
430	kenter("{%s,%d},,{%zu/%zu}",
431	       key->type->name, key->serial, ctx->count, ctx->qty);
432
433	if (ctx->count >= ctx->qty)
434		return 1;
435
436	ret = put_user(key->serial, ctx->buffer);
437	if (ret < 0)
438		return ret;
439	ctx->buffer++;
440	ctx->count += sizeof(key->serial);
441	return 0;
442}
443
444/*
445 * Read a list of key IDs from the keyring's contents in binary form
446 *
447 * The keyring's semaphore is read-locked by the caller.  This prevents someone
448 * from modifying it under us - which could cause us to read key IDs multiple
449 * times.
450 */
451static long keyring_read(const struct key *keyring,
452			 char __user *buffer, size_t buflen)
453{
454	struct keyring_read_iterator_context ctx;
455	unsigned long nr_keys;
456	int ret;
457
458	kenter("{%d},,%zu", key_serial(keyring), buflen);
459
460	if (buflen & (sizeof(key_serial_t) - 1))
461		return -EINVAL;
462
463	nr_keys = keyring->keys.nr_leaves_on_tree;
464	if (nr_keys == 0)
465		return 0;
466
467	/* Calculate how much data we could return */
468	ctx.qty = nr_keys * sizeof(key_serial_t);
469
470	if (!buffer || !buflen)
471		return ctx.qty;
472
473	if (buflen > ctx.qty)
474		ctx.qty = buflen;
475
476	/* Copy the IDs of the subscribed keys into the buffer */
477	ctx.buffer = (key_serial_t __user *)buffer;
478	ctx.count = 0;
479	ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
480	if (ret < 0) {
481		kleave(" = %d [iterate]", ret);
482		return ret;
483	}
484
485	kleave(" = %zu [ok]", ctx.count);
486	return ctx.count;
487}
488
489/*
490 * Allocate a keyring and link into the destination keyring.
491 */
492struct key *keyring_alloc(const char *description, kuid_t uid, kgid_t gid,
493			  const struct cred *cred, key_perm_t perm,
494			  unsigned long flags, struct key *dest)
495{
496	struct key *keyring;
497	int ret;
498
499	keyring = key_alloc(&key_type_keyring, description,
500			    uid, gid, cred, perm, flags);
501	if (!IS_ERR(keyring)) {
502		ret = key_instantiate_and_link(keyring, NULL, 0, dest, NULL);
503		if (ret < 0) {
504			key_put(keyring);
505			keyring = ERR_PTR(ret);
506		}
507	}
508
509	return keyring;
510}
511EXPORT_SYMBOL(keyring_alloc);
512
513/*
514 * By default, we keys found by getting an exact match on their descriptions.
515 */
516bool key_default_cmp(const struct key *key,
517		     const struct key_match_data *match_data)
518{
519	return strcmp(key->description, match_data->raw_data) == 0;
520}
521
522/*
523 * Iteration function to consider each key found.
524 */
525static int keyring_search_iterator(const void *object, void *iterator_data)
526{
527	struct keyring_search_context *ctx = iterator_data;
528	const struct key *key = keyring_ptr_to_key(object);
529	unsigned long kflags = key->flags;
530
531	kenter("{%d}", key->serial);
532
533	/* ignore keys not of this type */
534	if (key->type != ctx->index_key.type) {
535		kleave(" = 0 [!type]");
536		return 0;
537	}
538
539	/* skip invalidated, revoked and expired keys */
540	if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
541		if (kflags & ((1 << KEY_FLAG_INVALIDATED) |
542			      (1 << KEY_FLAG_REVOKED))) {
543			ctx->result = ERR_PTR(-EKEYREVOKED);
544			kleave(" = %d [invrev]", ctx->skipped_ret);
545			goto skipped;
546		}
547
548		if (key->expiry && ctx->now.tv_sec >= key->expiry) {
549			if (!(ctx->flags & KEYRING_SEARCH_SKIP_EXPIRED))
550				ctx->result = ERR_PTR(-EKEYEXPIRED);
551			kleave(" = %d [expire]", ctx->skipped_ret);
552			goto skipped;
553		}
554	}
555
556	/* keys that don't match */
557	if (!ctx->match_data.cmp(key, &ctx->match_data)) {
558		kleave(" = 0 [!match]");
559		return 0;
560	}
561
562	/* key must have search permissions */
563	if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
564	    key_task_permission(make_key_ref(key, ctx->possessed),
565				ctx->cred, KEY_NEED_SEARCH) < 0) {
566		ctx->result = ERR_PTR(-EACCES);
567		kleave(" = %d [!perm]", ctx->skipped_ret);
568		goto skipped;
569	}
570
571	if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) {
572		/* we set a different error code if we pass a negative key */
573		if (kflags & (1 << KEY_FLAG_NEGATIVE)) {
574			smp_rmb();
575			ctx->result = ERR_PTR(key->type_data.reject_error);
576			kleave(" = %d [neg]", ctx->skipped_ret);
577			goto skipped;
578		}
579	}
580
581	/* Found */
582	ctx->result = make_key_ref(key, ctx->possessed);
583	kleave(" = 1 [found]");
584	return 1;
585
586skipped:
587	return ctx->skipped_ret;
588}
589
590/*
591 * Search inside a keyring for a key.  We can search by walking to it
592 * directly based on its index-key or we can iterate over the entire
593 * tree looking for it, based on the match function.
594 */
595static int search_keyring(struct key *keyring, struct keyring_search_context *ctx)
596{
597	if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_DIRECT) {
598		const void *object;
599
600		object = assoc_array_find(&keyring->keys,
601					  &keyring_assoc_array_ops,
602					  &ctx->index_key);
603		return object ? ctx->iterator(object, ctx) : 0;
604	}
605	return assoc_array_iterate(&keyring->keys, ctx->iterator, ctx);
606}
607
608/*
609 * Search a tree of keyrings that point to other keyrings up to the maximum
610 * depth.
611 */
612static bool search_nested_keyrings(struct key *keyring,
613				   struct keyring_search_context *ctx)
614{
615	struct {
616		struct key *keyring;
617		struct assoc_array_node *node;
618		int slot;
619	} stack[KEYRING_SEARCH_MAX_DEPTH];
620
621	struct assoc_array_shortcut *shortcut;
622	struct assoc_array_node *node;
623	struct assoc_array_ptr *ptr;
624	struct key *key;
625	int sp = 0, slot;
626
627	kenter("{%d},{%s,%s}",
628	       keyring->serial,
629	       ctx->index_key.type->name,
630	       ctx->index_key.description);
631
632#define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK)
633	BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
634	       (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
635
636	if (ctx->index_key.description)
637		ctx->index_key.desc_len = strlen(ctx->index_key.description);
638
639	/* Check to see if this top-level keyring is what we are looking for
640	 * and whether it is valid or not.
641	 */
642	if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE ||
643	    keyring_compare_object(keyring, &ctx->index_key)) {
644		ctx->skipped_ret = 2;
645		switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
646		case 1:
647			goto found;
648		case 2:
649			return false;
650		default:
651			break;
652		}
653	}
654
655	ctx->skipped_ret = 0;
656
657	/* Start processing a new keyring */
658descend_to_keyring:
659	kdebug("descend to %d", keyring->serial);
660	if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
661			      (1 << KEY_FLAG_REVOKED)))
662		goto not_this_keyring;
663
664	/* Search through the keys in this keyring before its searching its
665	 * subtrees.
666	 */
667	if (search_keyring(keyring, ctx))
668		goto found;
669
670	/* Then manually iterate through the keyrings nested in this one.
671	 *
672	 * Start from the root node of the index tree.  Because of the way the
673	 * hash function has been set up, keyrings cluster on the leftmost
674	 * branch of the root node (root slot 0) or in the root node itself.
675	 * Non-keyrings avoid the leftmost branch of the root entirely (root
676	 * slots 1-15).
677	 */
678	ptr = ACCESS_ONCE(keyring->keys.root);
679	if (!ptr)
680		goto not_this_keyring;
681
682	if (assoc_array_ptr_is_shortcut(ptr)) {
683		/* If the root is a shortcut, either the keyring only contains
684		 * keyring pointers (everything clusters behind root slot 0) or
685		 * doesn't contain any keyring pointers.
686		 */
687		shortcut = assoc_array_ptr_to_shortcut(ptr);
688		smp_read_barrier_depends();
689		if ((shortcut->index_key[0] & ASSOC_ARRAY_FAN_MASK) != 0)
690			goto not_this_keyring;
691
692		ptr = ACCESS_ONCE(shortcut->next_node);
693		node = assoc_array_ptr_to_node(ptr);
694		goto begin_node;
695	}
696
697	node = assoc_array_ptr_to_node(ptr);
698	smp_read_barrier_depends();
699
700	ptr = node->slots[0];
701	if (!assoc_array_ptr_is_meta(ptr))
702		goto begin_node;
703
704descend_to_node:
705	/* Descend to a more distal node in this keyring's content tree and go
706	 * through that.
707	 */
708	kdebug("descend");
709	if (assoc_array_ptr_is_shortcut(ptr)) {
710		shortcut = assoc_array_ptr_to_shortcut(ptr);
711		smp_read_barrier_depends();
712		ptr = ACCESS_ONCE(shortcut->next_node);
713		BUG_ON(!assoc_array_ptr_is_node(ptr));
714	}
715	node = assoc_array_ptr_to_node(ptr);
716
717begin_node:
718	kdebug("begin_node");
719	smp_read_barrier_depends();
720	slot = 0;
721ascend_to_node:
722	/* Go through the slots in a node */
723	for (; slot < ASSOC_ARRAY_FAN_OUT; slot++) {
724		ptr = ACCESS_ONCE(node->slots[slot]);
725
726		if (assoc_array_ptr_is_meta(ptr) && node->back_pointer)
727			goto descend_to_node;
728
729		if (!keyring_ptr_is_keyring(ptr))
730			continue;
731
732		key = keyring_ptr_to_key(ptr);
733
734		if (sp >= KEYRING_SEARCH_MAX_DEPTH) {
735			if (ctx->flags & KEYRING_SEARCH_DETECT_TOO_DEEP) {
736				ctx->result = ERR_PTR(-ELOOP);
737				return false;
738			}
739			goto not_this_keyring;
740		}
741
742		/* Search a nested keyring */
743		if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM) &&
744		    key_task_permission(make_key_ref(key, ctx->possessed),
745					ctx->cred, KEY_NEED_SEARCH) < 0)
746			continue;
747
748		/* stack the current position */
749		stack[sp].keyring = keyring;
750		stack[sp].node = node;
751		stack[sp].slot = slot;
752		sp++;
753
754		/* begin again with the new keyring */
755		keyring = key;
756		goto descend_to_keyring;
757	}
758
759	/* We've dealt with all the slots in the current node, so now we need
760	 * to ascend to the parent and continue processing there.
761	 */
762	ptr = ACCESS_ONCE(node->back_pointer);
763	slot = node->parent_slot;
764
765	if (ptr && assoc_array_ptr_is_shortcut(ptr)) {
766		shortcut = assoc_array_ptr_to_shortcut(ptr);
767		smp_read_barrier_depends();
768		ptr = ACCESS_ONCE(shortcut->back_pointer);
769		slot = shortcut->parent_slot;
770	}
771	if (!ptr)
772		goto not_this_keyring;
773	node = assoc_array_ptr_to_node(ptr);
774	smp_read_barrier_depends();
775	slot++;
776
777	/* If we've ascended to the root (zero backpointer), we must have just
778	 * finished processing the leftmost branch rather than the root slots -
779	 * so there can't be any more keyrings for us to find.
780	 */
781	if (node->back_pointer) {
782		kdebug("ascend %d", slot);
783		goto ascend_to_node;
784	}
785
786	/* The keyring we're looking at was disqualified or didn't contain a
787	 * matching key.
788	 */
789not_this_keyring:
790	kdebug("not_this_keyring %d", sp);
791	if (sp <= 0) {
792		kleave(" = false");
793		return false;
794	}
795
796	/* Resume the processing of a keyring higher up in the tree */
797	sp--;
798	keyring = stack[sp].keyring;
799	node = stack[sp].node;
800	slot = stack[sp].slot + 1;
801	kdebug("ascend to %d [%d]", keyring->serial, slot);
802	goto ascend_to_node;
803
804	/* We found a viable match */
805found:
806	key = key_ref_to_ptr(ctx->result);
807	key_check(key);
808	if (!(ctx->flags & KEYRING_SEARCH_NO_UPDATE_TIME)) {
809		key->last_used_at = ctx->now.tv_sec;
810		keyring->last_used_at = ctx->now.tv_sec;
811		while (sp > 0)
812			stack[--sp].keyring->last_used_at = ctx->now.tv_sec;
813	}
814	kleave(" = true");
815	return true;
816}
817
818/**
819 * keyring_search_aux - Search a keyring tree for a key matching some criteria
820 * @keyring_ref: A pointer to the keyring with possession indicator.
821 * @ctx: The keyring search context.
822 *
823 * Search the supplied keyring tree for a key that matches the criteria given.
824 * The root keyring and any linked keyrings must grant Search permission to the
825 * caller to be searchable and keys can only be found if they too grant Search
826 * to the caller. The possession flag on the root keyring pointer controls use
827 * of the possessor bits in permissions checking of the entire tree.  In
828 * addition, the LSM gets to forbid keyring searches and key matches.
829 *
830 * The search is performed as a breadth-then-depth search up to the prescribed
831 * limit (KEYRING_SEARCH_MAX_DEPTH).
832 *
833 * Keys are matched to the type provided and are then filtered by the match
834 * function, which is given the description to use in any way it sees fit.  The
835 * match function may use any attributes of a key that it wishes to to
836 * determine the match.  Normally the match function from the key type would be
837 * used.
838 *
839 * RCU can be used to prevent the keyring key lists from disappearing without
840 * the need to take lots of locks.
841 *
842 * Returns a pointer to the found key and increments the key usage count if
843 * successful; -EAGAIN if no matching keys were found, or if expired or revoked
844 * keys were found; -ENOKEY if only negative keys were found; -ENOTDIR if the
845 * specified keyring wasn't a keyring.
846 *
847 * In the case of a successful return, the possession attribute from
848 * @keyring_ref is propagated to the returned key reference.
849 */
850key_ref_t keyring_search_aux(key_ref_t keyring_ref,
851			     struct keyring_search_context *ctx)
852{
853	struct key *keyring;
854	long err;
855
856	ctx->iterator = keyring_search_iterator;
857	ctx->possessed = is_key_possessed(keyring_ref);
858	ctx->result = ERR_PTR(-EAGAIN);
859
860	keyring = key_ref_to_ptr(keyring_ref);
861	key_check(keyring);
862
863	if (keyring->type != &key_type_keyring)
864		return ERR_PTR(-ENOTDIR);
865
866	if (!(ctx->flags & KEYRING_SEARCH_NO_CHECK_PERM)) {
867		err = key_task_permission(keyring_ref, ctx->cred, KEY_NEED_SEARCH);
868		if (err < 0)
869			return ERR_PTR(err);
870	}
871
872	rcu_read_lock();
873	ctx->now = current_kernel_time();
874	if (search_nested_keyrings(keyring, ctx))
875		__key_get(key_ref_to_ptr(ctx->result));
876	rcu_read_unlock();
877	return ctx->result;
878}
879
880/**
881 * keyring_search - Search the supplied keyring tree for a matching key
882 * @keyring: The root of the keyring tree to be searched.
883 * @type: The type of keyring we want to find.
884 * @description: The name of the keyring we want to find.
885 *
886 * As keyring_search_aux() above, but using the current task's credentials and
887 * type's default matching function and preferred search method.
888 */
889key_ref_t keyring_search(key_ref_t keyring,
890			 struct key_type *type,
891			 const char *description)
892{
893	struct keyring_search_context ctx = {
894		.index_key.type		= type,
895		.index_key.description	= description,
896		.cred			= current_cred(),
897		.match_data.cmp		= key_default_cmp,
898		.match_data.raw_data	= description,
899		.match_data.lookup_type	= KEYRING_SEARCH_LOOKUP_DIRECT,
900		.flags			= KEYRING_SEARCH_DO_STATE_CHECK,
901	};
902	key_ref_t key;
903	int ret;
904
905	if (type->match_preparse) {
906		ret = type->match_preparse(&ctx.match_data);
907		if (ret < 0)
908			return ERR_PTR(ret);
909	}
910
911	key = keyring_search_aux(keyring, &ctx);
912
913	if (type->match_free)
914		type->match_free(&ctx.match_data);
915	return key;
916}
917EXPORT_SYMBOL(keyring_search);
918
919/*
920 * Search the given keyring for a key that might be updated.
921 *
922 * The caller must guarantee that the keyring is a keyring and that the
923 * permission is granted to modify the keyring as no check is made here.  The
924 * caller must also hold a lock on the keyring semaphore.
925 *
926 * Returns a pointer to the found key with usage count incremented if
927 * successful and returns NULL if not found.  Revoked and invalidated keys are
928 * skipped over.
929 *
930 * If successful, the possession indicator is propagated from the keyring ref
931 * to the returned key reference.
932 */
933key_ref_t find_key_to_update(key_ref_t keyring_ref,
934			     const struct keyring_index_key *index_key)
935{
936	struct key *keyring, *key;
937	const void *object;
938
939	keyring = key_ref_to_ptr(keyring_ref);
940
941	kenter("{%d},{%s,%s}",
942	       keyring->serial, index_key->type->name, index_key->description);
943
944	object = assoc_array_find(&keyring->keys, &keyring_assoc_array_ops,
945				  index_key);
946
947	if (object)
948		goto found;
949
950	kleave(" = NULL");
951	return NULL;
952
953found:
954	key = keyring_ptr_to_key(object);
955	if (key->flags & ((1 << KEY_FLAG_INVALIDATED) |
956			  (1 << KEY_FLAG_REVOKED))) {
957		kleave(" = NULL [x]");
958		return NULL;
959	}
960	__key_get(key);
961	kleave(" = {%d}", key->serial);
962	return make_key_ref(key, is_key_possessed(keyring_ref));
963}
964
965/*
966 * Find a keyring with the specified name.
967 *
968 * All named keyrings in the current user namespace are searched, provided they
969 * grant Search permission directly to the caller (unless this check is
970 * skipped).  Keyrings whose usage points have reached zero or who have been
971 * revoked are skipped.
972 *
973 * Returns a pointer to the keyring with the keyring's refcount having being
974 * incremented on success.  -ENOKEY is returned if a key could not be found.
975 */
976struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
977{
978	struct key *keyring;
979	int bucket;
980
981	if (!name)
982		return ERR_PTR(-EINVAL);
983
984	bucket = keyring_hash(name);
985
986	read_lock(&keyring_name_lock);
987
988	if (keyring_name_hash[bucket].next) {
989		/* search this hash bucket for a keyring with a matching name
990		 * that's readable and that hasn't been revoked */
991		list_for_each_entry(keyring,
992				    &keyring_name_hash[bucket],
993				    type_data.link
994				    ) {
995			if (!kuid_has_mapping(current_user_ns(), keyring->user->uid))
996				continue;
997
998			if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
999				continue;
1000
1001			if (strcmp(keyring->description, name) != 0)
1002				continue;
1003
1004			if (!skip_perm_check &&
1005			    key_permission(make_key_ref(keyring, 0),
1006					   KEY_NEED_SEARCH) < 0)
1007				continue;
1008
1009			/* we've got a match but we might end up racing with
1010			 * key_cleanup() if the keyring is currently 'dead'
1011			 * (ie. it has a zero usage count) */
1012			if (!atomic_inc_not_zero(&keyring->usage))
1013				continue;
1014			keyring->last_used_at = current_kernel_time().tv_sec;
1015			goto out;
1016		}
1017	}
1018
1019	keyring = ERR_PTR(-ENOKEY);
1020out:
1021	read_unlock(&keyring_name_lock);
1022	return keyring;
1023}
1024
1025static int keyring_detect_cycle_iterator(const void *object,
1026					 void *iterator_data)
1027{
1028	struct keyring_search_context *ctx = iterator_data;
1029	const struct key *key = keyring_ptr_to_key(object);
1030
1031	kenter("{%d}", key->serial);
1032
1033	/* We might get a keyring with matching index-key that is nonetheless a
1034	 * different keyring. */
1035	if (key != ctx->match_data.raw_data)
1036		return 0;
1037
1038	ctx->result = ERR_PTR(-EDEADLK);
1039	return 1;
1040}
1041
1042/*
1043 * See if a cycle will will be created by inserting acyclic tree B in acyclic
1044 * tree A at the topmost level (ie: as a direct child of A).
1045 *
1046 * Since we are adding B to A at the top level, checking for cycles should just
1047 * be a matter of seeing if node A is somewhere in tree B.
1048 */
1049static int keyring_detect_cycle(struct key *A, struct key *B)
1050{
1051	struct keyring_search_context ctx = {
1052		.index_key		= A->index_key,
1053		.match_data.raw_data	= A,
1054		.match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
1055		.iterator		= keyring_detect_cycle_iterator,
1056		.flags			= (KEYRING_SEARCH_NO_STATE_CHECK |
1057					   KEYRING_SEARCH_NO_UPDATE_TIME |
1058					   KEYRING_SEARCH_NO_CHECK_PERM |
1059					   KEYRING_SEARCH_DETECT_TOO_DEEP),
1060	};
1061
1062	rcu_read_lock();
1063	search_nested_keyrings(B, &ctx);
1064	rcu_read_unlock();
1065	return PTR_ERR(ctx.result) == -EAGAIN ? 0 : PTR_ERR(ctx.result);
1066}
1067
1068/*
1069 * Preallocate memory so that a key can be linked into to a keyring.
1070 */
1071int __key_link_begin(struct key *keyring,
1072		     const struct keyring_index_key *index_key,
1073		     struct assoc_array_edit **_edit)
1074	__acquires(&keyring->sem)
1075	__acquires(&keyring_serialise_link_sem)
1076{
1077	struct assoc_array_edit *edit;
1078	int ret;
1079
1080	kenter("%d,%s,%s,",
1081	       keyring->serial, index_key->type->name, index_key->description);
1082
1083	BUG_ON(index_key->desc_len == 0);
1084
1085	if (keyring->type != &key_type_keyring)
1086		return -ENOTDIR;
1087
1088	down_write(&keyring->sem);
1089
1090	ret = -EKEYREVOKED;
1091	if (test_bit(KEY_FLAG_REVOKED, &keyring->flags))
1092		goto error_krsem;
1093
1094	/* serialise link/link calls to prevent parallel calls causing a cycle
1095	 * when linking two keyring in opposite orders */
1096	if (index_key->type == &key_type_keyring)
1097		down_write(&keyring_serialise_link_sem);
1098
1099	/* Create an edit script that will insert/replace the key in the
1100	 * keyring tree.
1101	 */
1102	edit = assoc_array_insert(&keyring->keys,
1103				  &keyring_assoc_array_ops,
1104				  index_key,
1105				  NULL);
1106	if (IS_ERR(edit)) {
1107		ret = PTR_ERR(edit);
1108		goto error_sem;
1109	}
1110
1111	/* If we're not replacing a link in-place then we're going to need some
1112	 * extra quota.
1113	 */
1114	if (!edit->dead_leaf) {
1115		ret = key_payload_reserve(keyring,
1116					  keyring->datalen + KEYQUOTA_LINK_BYTES);
1117		if (ret < 0)
1118			goto error_cancel;
1119	}
1120
1121	*_edit = edit;
1122	kleave(" = 0");
1123	return 0;
1124
1125error_cancel:
1126	assoc_array_cancel_edit(edit);
1127error_sem:
1128	if (index_key->type == &key_type_keyring)
1129		up_write(&keyring_serialise_link_sem);
1130error_krsem:
1131	up_write(&keyring->sem);
1132	kleave(" = %d", ret);
1133	return ret;
1134}
1135
1136/*
1137 * Check already instantiated keys aren't going to be a problem.
1138 *
1139 * The caller must have called __key_link_begin(). Don't need to call this for
1140 * keys that were created since __key_link_begin() was called.
1141 */
1142int __key_link_check_live_key(struct key *keyring, struct key *key)
1143{
1144	if (key->type == &key_type_keyring)
1145		/* check that we aren't going to create a cycle by linking one
1146		 * keyring to another */
1147		return keyring_detect_cycle(keyring, key);
1148	return 0;
1149}
1150
1151/*
1152 * Link a key into to a keyring.
1153 *
1154 * Must be called with __key_link_begin() having being called.  Discards any
1155 * already extant link to matching key if there is one, so that each keyring
1156 * holds at most one link to any given key of a particular type+description
1157 * combination.
1158 */
1159void __key_link(struct key *key, struct assoc_array_edit **_edit)
1160{
1161	__key_get(key);
1162	assoc_array_insert_set_object(*_edit, keyring_key_to_ptr(key));
1163	assoc_array_apply_edit(*_edit);
1164	*_edit = NULL;
1165}
1166
1167/*
1168 * Finish linking a key into to a keyring.
1169 *
1170 * Must be called with __key_link_begin() having being called.
1171 */
1172void __key_link_end(struct key *keyring,
1173		    const struct keyring_index_key *index_key,
1174		    struct assoc_array_edit *edit)
1175	__releases(&keyring->sem)
1176	__releases(&keyring_serialise_link_sem)
1177{
1178	BUG_ON(index_key->type == NULL);
1179	kenter("%d,%s,", keyring->serial, index_key->type->name);
1180
1181	if (index_key->type == &key_type_keyring)
1182		up_write(&keyring_serialise_link_sem);
1183
1184	if (edit) {
1185		if (!edit->dead_leaf) {
1186			key_payload_reserve(keyring,
1187				keyring->datalen - KEYQUOTA_LINK_BYTES);
1188		}
1189		assoc_array_cancel_edit(edit);
1190	}
1191	up_write(&keyring->sem);
1192}
1193
1194/**
1195 * key_link - Link a key to a keyring
1196 * @keyring: The keyring to make the link in.
1197 * @key: The key to link to.
1198 *
1199 * Make a link in a keyring to a key, such that the keyring holds a reference
1200 * on that key and the key can potentially be found by searching that keyring.
1201 *
1202 * This function will write-lock the keyring's semaphore and will consume some
1203 * of the user's key data quota to hold the link.
1204 *
1205 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring,
1206 * -EKEYREVOKED if the keyring has been revoked, -ENFILE if the keyring is
1207 * full, -EDQUOT if there is insufficient key data quota remaining to add
1208 * another link or -ENOMEM if there's insufficient memory.
1209 *
1210 * It is assumed that the caller has checked that it is permitted for a link to
1211 * be made (the keyring should have Write permission and the key Link
1212 * permission).
1213 */
1214int key_link(struct key *keyring, struct key *key)
1215{
1216	struct assoc_array_edit *edit;
1217	int ret;
1218
1219	kenter("{%d,%d}", keyring->serial, atomic_read(&keyring->usage));
1220
1221	key_check(keyring);
1222	key_check(key);
1223
1224	if (test_bit(KEY_FLAG_TRUSTED_ONLY, &keyring->flags) &&
1225	    !test_bit(KEY_FLAG_TRUSTED, &key->flags))
1226		return -EPERM;
1227
1228	ret = __key_link_begin(keyring, &key->index_key, &edit);
1229	if (ret == 0) {
1230		kdebug("begun {%d,%d}", keyring->serial, atomic_read(&keyring->usage));
1231		ret = __key_link_check_live_key(keyring, key);
1232		if (ret == 0)
1233			__key_link(key, &edit);
1234		__key_link_end(keyring, &key->index_key, edit);
1235	}
1236
1237	kleave(" = %d {%d,%d}", ret, keyring->serial, atomic_read(&keyring->usage));
1238	return ret;
1239}
1240EXPORT_SYMBOL(key_link);
1241
1242/**
1243 * key_unlink - Unlink the first link to a key from a keyring.
1244 * @keyring: The keyring to remove the link from.
1245 * @key: The key the link is to.
1246 *
1247 * Remove a link from a keyring to a key.
1248 *
1249 * This function will write-lock the keyring's semaphore.
1250 *
1251 * Returns 0 if successful, -ENOTDIR if the keyring isn't a keyring, -ENOENT if
1252 * the key isn't linked to by the keyring or -ENOMEM if there's insufficient
1253 * memory.
1254 *
1255 * It is assumed that the caller has checked that it is permitted for a link to
1256 * be removed (the keyring should have Write permission; no permissions are
1257 * required on the key).
1258 */
1259int key_unlink(struct key *keyring, struct key *key)
1260{
1261	struct assoc_array_edit *edit;
1262	int ret;
1263
1264	key_check(keyring);
1265	key_check(key);
1266
1267	if (keyring->type != &key_type_keyring)
1268		return -ENOTDIR;
1269
1270	down_write(&keyring->sem);
1271
1272	edit = assoc_array_delete(&keyring->keys, &keyring_assoc_array_ops,
1273				  &key->index_key);
1274	if (IS_ERR(edit)) {
1275		ret = PTR_ERR(edit);
1276		goto error;
1277	}
1278	ret = -ENOENT;
1279	if (edit == NULL)
1280		goto error;
1281
1282	assoc_array_apply_edit(edit);
1283	key_payload_reserve(keyring, keyring->datalen - KEYQUOTA_LINK_BYTES);
1284	ret = 0;
1285
1286error:
1287	up_write(&keyring->sem);
1288	return ret;
1289}
1290EXPORT_SYMBOL(key_unlink);
1291
1292/**
1293 * keyring_clear - Clear a keyring
1294 * @keyring: The keyring to clear.
1295 *
1296 * Clear the contents of the specified keyring.
1297 *
1298 * Returns 0 if successful or -ENOTDIR if the keyring isn't a keyring.
1299 */
1300int keyring_clear(struct key *keyring)
1301{
1302	struct assoc_array_edit *edit;
1303	int ret;
1304
1305	if (keyring->type != &key_type_keyring)
1306		return -ENOTDIR;
1307
1308	down_write(&keyring->sem);
1309
1310	edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1311	if (IS_ERR(edit)) {
1312		ret = PTR_ERR(edit);
1313	} else {
1314		if (edit)
1315			assoc_array_apply_edit(edit);
1316		key_payload_reserve(keyring, 0);
1317		ret = 0;
1318	}
1319
1320	up_write(&keyring->sem);
1321	return ret;
1322}
1323EXPORT_SYMBOL(keyring_clear);
1324
1325/*
1326 * Dispose of the links from a revoked keyring.
1327 *
1328 * This is called with the key sem write-locked.
1329 */
1330static void keyring_revoke(struct key *keyring)
1331{
1332	struct assoc_array_edit *edit;
1333
1334	edit = assoc_array_clear(&keyring->keys, &keyring_assoc_array_ops);
1335	if (!IS_ERR(edit)) {
1336		if (edit)
1337			assoc_array_apply_edit(edit);
1338		key_payload_reserve(keyring, 0);
1339	}
1340}
1341
1342static bool keyring_gc_select_iterator(void *object, void *iterator_data)
1343{
1344	struct key *key = keyring_ptr_to_key(object);
1345	time_t *limit = iterator_data;
1346
1347	if (key_is_dead(key, *limit))
1348		return false;
1349	key_get(key);
1350	return true;
1351}
1352
1353static int keyring_gc_check_iterator(const void *object, void *iterator_data)
1354{
1355	const struct key *key = keyring_ptr_to_key(object);
1356	time_t *limit = iterator_data;
1357
1358	key_check(key);
1359	return key_is_dead(key, *limit);
1360}
1361
1362/*
1363 * Garbage collect pointers from a keyring.
1364 *
1365 * Not called with any locks held.  The keyring's key struct will not be
1366 * deallocated under us as only our caller may deallocate it.
1367 */
1368void keyring_gc(struct key *keyring, time_t limit)
1369{
1370	int result;
1371
1372	kenter("%x{%s}", keyring->serial, keyring->description ?: "");
1373
1374	if (keyring->flags & ((1 << KEY_FLAG_INVALIDATED) |
1375			      (1 << KEY_FLAG_REVOKED)))
1376		goto dont_gc;
1377
1378	/* scan the keyring looking for dead keys */
1379	rcu_read_lock();
1380	result = assoc_array_iterate(&keyring->keys,
1381				     keyring_gc_check_iterator, &limit);
1382	rcu_read_unlock();
1383	if (result == true)
1384		goto do_gc;
1385
1386dont_gc:
1387	kleave(" [no gc]");
1388	return;
1389
1390do_gc:
1391	down_write(&keyring->sem);
1392	assoc_array_gc(&keyring->keys, &keyring_assoc_array_ops,
1393		       keyring_gc_select_iterator, &limit);
1394	up_write(&keyring->sem);
1395	kleave(" [gc]");
1396}
1397