aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2014-12-01 17:52:50 -0500
committerDavid Howells <dhowells@redhat.com>2014-12-01 17:52:50 -0500
commit054f6180d8b5602b431b5924976c956e760488b1 (patch)
tree73cccb1ec105e726e1ee72a71c99be8a5aebb10b /security
parentaa9d4437893f7e015ce5b6d6c443a9ba92c8a2e7 (diff)
KEYS: Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags
Simplify KEYRING_SEARCH_{NO,DO}_STATE_CHECK flags to be two variations of the same flag. They are effectively mutually exclusive and one or the other should be provided, but not both. Keyring cycle detection and key possession determination are the only things that set NO_STATE_CHECK, except that neither flag really does anything there because neither purpose makes use of the keyring_search_iterator() function, but rather provides their own. For cycle detection we definitely want to check inside of expired keyrings, just so that we don't create a cycle we can't get rid of. Revoked keyrings are cleared at revocation time and can't then be reused, so shouldn't be a problem either way. For possession determination, we *might* want to validate each keyring before searching it: do you possess a key that's hidden behind an expired or just plain inaccessible keyring? Currently, the answer is yes. Note that you cannot, however, possess a key behind a revoked keyring because they are cleared on revocation. keyring_search() sets DO_STATE_CHECK, which is correct. request_key_and_link() currently doesn't specify whether to check the key state or not - but it should set DO_STATE_CHECK. key_get_instantiation_authkey() also currently doesn't specify whether to check the key state or not - but it probably should also set DO_STATE_CHECK. Signed-off-by: David Howells <dhowells@redhat.com> Tested-by: Chuck Lever <chuck.lever@oracle.com>
Diffstat (limited to 'security')
-rw-r--r--security/keys/keyring.c7
-rw-r--r--security/keys/request_key.c1
-rw-r--r--security/keys/request_key_auth.c1
3 files changed, 6 insertions, 3 deletions
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 8177010174f7..238aa172f25b 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -628,6 +628,10 @@ static bool search_nested_keyrings(struct key *keyring,
628 ctx->index_key.type->name, 628 ctx->index_key.type->name,
629 ctx->index_key.description); 629 ctx->index_key.description);
630 630
631#define STATE_CHECKS (KEYRING_SEARCH_NO_STATE_CHECK | KEYRING_SEARCH_DO_STATE_CHECK)
632 BUG_ON((ctx->flags & STATE_CHECKS) == 0 ||
633 (ctx->flags & STATE_CHECKS) == STATE_CHECKS);
634
631 if (ctx->index_key.description) 635 if (ctx->index_key.description)
632 ctx->index_key.desc_len = strlen(ctx->index_key.description); 636 ctx->index_key.desc_len = strlen(ctx->index_key.description);
633 637
@@ -637,7 +641,6 @@ static bool search_nested_keyrings(struct key *keyring,
637 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE || 641 if (ctx->match_data.lookup_type == KEYRING_SEARCH_LOOKUP_ITERATE ||
638 keyring_compare_object(keyring, &ctx->index_key)) { 642 keyring_compare_object(keyring, &ctx->index_key)) {
639 ctx->skipped_ret = 2; 643 ctx->skipped_ret = 2;
640 ctx->flags |= KEYRING_SEARCH_DO_STATE_CHECK;
641 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) { 644 switch (ctx->iterator(keyring_key_to_ptr(keyring), ctx)) {
642 case 1: 645 case 1:
643 goto found; 646 goto found;
@@ -649,8 +652,6 @@ static bool search_nested_keyrings(struct key *keyring,
649 } 652 }
650 653
651 ctx->skipped_ret = 0; 654 ctx->skipped_ret = 0;
652 if (ctx->flags & KEYRING_SEARCH_NO_STATE_CHECK)
653 ctx->flags &= ~KEYRING_SEARCH_DO_STATE_CHECK;
654 655
655 /* Start processing a new keyring */ 656 /* Start processing a new keyring */
656descend_to_keyring: 657descend_to_keyring:
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index bb4337c7ae1b..0bb23f98e4ca 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -516,6 +516,7 @@ struct key *request_key_and_link(struct key_type *type,
516 .match_data.cmp = key_default_cmp, 516 .match_data.cmp = key_default_cmp,
517 .match_data.raw_data = description, 517 .match_data.raw_data = description,
518 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 518 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
519 .flags = KEYRING_SEARCH_DO_STATE_CHECK,
519 }; 520 };
520 struct key *key; 521 struct key *key;
521 key_ref_t key_ref; 522 key_ref_t key_ref;
diff --git a/security/keys/request_key_auth.c b/security/keys/request_key_auth.c
index 6639e2cb8853..5d672f7580dd 100644
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -249,6 +249,7 @@ struct key *key_get_instantiation_authkey(key_serial_t target_id)
249 .match_data.cmp = key_default_cmp, 249 .match_data.cmp = key_default_cmp,
250 .match_data.raw_data = description, 250 .match_data.raw_data = description,
251 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT, 251 .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
252 .flags = KEYRING_SEARCH_DO_STATE_CHECK,
252 }; 253 };
253 struct key *authkey; 254 struct key *authkey;
254 key_ref_t authkey_ref; 255 key_ref_t authkey_ref;