KEYS: Make request_key() and co. return an error for a negative key

Make request_key() and co. return an error for a negative or rejected key.  If
the key was simply negated, then return ENOKEY, otherwise return the error
with which it was rejected.

Without this patch, the following command returns a key number (with the latest
keyutils):

	[root@andromeda ~]# keyctl request2 user debug:foo rejected @s
	586569904

Trying to print the key merely gets you a permission denied error:

	[root@andromeda ~]# keyctl print 586569904
	keyctl_read_alloc: Permission denied

Doing another request_key() call does get you the error, as long as it hasn't
expired yet:

	[root@andromeda ~]# keyctl request user debug:foo
	request_key: Key was rejected by service

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 6 insertions, 0 deletions

diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
index 427fddcaeb19..eca51918c951 100644
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -206,8 +206,14 @@ SYSCALL_DEFINE4(request_key, const char __user *, _type,
                 goto error5;
         }
 
+        /* wait for the key to finish being constructed */
+        ret = wait_for_key_construction(key, 1);
+        if (ret < 0)
+                goto error6;
+
         ret = key->serial;
 
+error6:
         key_put(key);
 error5:
         key_type_put(ktype);