LXR linux/security/keys/request

   1/* Request a key from userspace
   2 *
   3 * Copyright (C) 2004-2007 Red Hat, Inc. All Rights Reserved.
   4 * Written by David Howells (dhowells@redhat.com)
   5 *
   6 * This program is free software; you can redistribute it and/or
   7 * modify it under the terms of the GNU General Public License
   8 * as published by the Free Software Foundation; either version
   9 * 2 of the License, or (at your option) any later version.
  10 *
  11 * See Documentation/security/keys/request-key.rst
  12 */
  13
  14#include <linux/module.h>
  15#include <linux/sched.h>
  16#include <linux/kmod.h>
  17#include <linux/err.h>
  18#include <linux/keyctl.h>
  19#include <linux/slab.h>
  20#include "internal.h"
  21
  22#define key_negative_timeout    60      /* default timeout on a negative key's existence */
  23
  24/**
  25 * complete_request_key - Complete the construction of a key.
  26 * @cons: The key construction record.
  27 * @error: The success or failute of the construction.
  28 *
  29 * Complete the attempt to construct a key.  The key will be negated
  30 * if an error is indicated.  The authorisation key will be revoked
  31 * unconditionally.
  32 */
  33void complete_request_key(struct key_construction *cons, int error)
  34{
  35        kenter("{%d,%d},%d", cons->key->serial, cons->authkey->serial, error);
  36
  37        if (error < 0)
  38                key_negate_and_link(cons->key, key_negative_timeout, NULL,
  39                                    cons->authkey);
  40        else
  41                key_revoke(cons->authkey);
  42
  43        key_put(cons->key);
  44        key_put(cons->authkey);
  45        kfree(cons);
  46}
  47EXPORT_SYMBOL(complete_request_key);
  48
  49/*
  50 * Initialise a usermode helper that is going to have a specific session
  51 * keyring.
  52 *
  53 * This is called in context of freshly forked kthread before kernel_execve(),
  54 * so we can simply install the desired session_keyring at this point.
  55 */
  56static int umh_keys_init(struct subprocess_info *info, struct cred *cred)
  57{
  58        struct key *keyring = info->data;
  59
  60        return install_session_keyring_to_cred(cred, keyring);
  61}
  62
  63/*
  64 * Clean up a usermode helper with session keyring.
  65 */
  66static void umh_keys_cleanup(struct subprocess_info *info)
  67{
  68        struct key *keyring = info->data;
  69        key_put(keyring);
  70}
  71
  72/*
  73 * Call a usermode helper with a specific session keyring.
  74 */
  75static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
  76                                        struct key *session_keyring, int wait)
  77{
  78        struct subprocess_info *info;
  79
  80        info = call_usermodehelper_setup(path, argv, envp, GFP_KERNEL,
  81                                          umh_keys_init, umh_keys_cleanup,
  82                                          session_keyring);
  83        if (!info)
  84                return -ENOMEM;
  85
  86        key_get(session_keyring);
  87        return call_usermodehelper_exec(info, wait);
  88}
  89
  90/*
  91 * Request userspace finish the construction of a key
  92 * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
  93 */
  94static int call_sbin_request_key(struct key_construction *cons,
  95                                 const char *op,
  96                                 void *aux)
  97{
  98        static char const request_key[] = "/sbin/request-key";
  99        const struct cred *cred = current_cred();
 100        key_serial_t prkey, sskey;
 101        struct key *key = cons->key, *authkey = cons->authkey, *keyring,
 102                *session;
 103        char *argv[9], *envp[3], uid_str[12], gid_str[12];
 104        char key_str[12], keyring_str[3][12];
 105        char desc[20];
 106        int ret, i;
 107
 108        kenter("{%d},{%d},%s", key->serial, authkey->serial, op);
 109
 110        ret = install_user_keyrings();
 111        if (ret < 0)
 112                goto error_alloc;
 113
 114        /* allocate a new session keyring */
 115        sprintf(desc, "_req.%u", key->serial);
 116
 117        cred = get_current_cred();
 118        keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
 119                                KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
 120                                KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
 121        put_cred(cred);
 122        if (IS_ERR(keyring)) {
 123                ret = PTR_ERR(keyring);
 124                goto error_alloc;
 125        }
 126
 127        /* attach the auth key to the session keyring */
 128        ret = key_link(keyring, authkey);
 129        if (ret < 0)
 130                goto error_link;
 131
 132        /* record the UID and GID */
 133        sprintf(uid_str, "%d", from_kuid(&init_user_ns, cred->fsuid));
 134        sprintf(gid_str, "%d", from_kgid(&init_user_ns, cred->fsgid));
 135
 136        /* we say which key is under construction */
 137        sprintf(key_str, "%d", key->serial);
 138
 139        /* we specify the process's default keyrings */
 140        sprintf(keyring_str[0], "%d",
 141                cred->thread_keyring ? cred->thread_keyring->serial : 0);
 142
 143        prkey = 0;
 144        if (cred->process_keyring)
 145                prkey = cred->process_keyring->serial;
 146        sprintf(keyring_str[1], "%d", prkey);
 147
 148        rcu_read_lock();
 149        session = rcu_dereference(cred->session_keyring);
 150        if (!session)
 151                session = cred->user->session_keyring;
 152        sskey = session->serial;
 153        rcu_read_unlock();
 154
 155        sprintf(keyring_str[2], "%d", sskey);
 156
 157        /* set up a minimal environment */
 158        i = 0;
 159        envp[i++] = "HOME=/";
 160        envp[i++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
 161        envp[i] = NULL;
 162
 163        /* set up the argument list */
 164        i = 0;
 165        argv[i++] = (char *)request_key;
 166        argv[i++] = (char *) op;
 167        argv[i++] = key_str;
 168        argv[i++] = uid_str;
 169        argv[i++] = gid_str;
 170        argv[i++] = keyring_str[0];
 171        argv[i++] = keyring_str[1];
 172        argv[i++] = keyring_str[2];
 173        argv[i] = NULL;
 174
 175        /* do it */
 176        ret = call_usermodehelper_keys(request_key, argv, envp, keyring,
 177                                       UMH_WAIT_PROC);
 178        kdebug("usermode -> 0x%x", ret);
 179        if (ret >= 0) {
 180                /* ret is the exit/wait code */
 181                if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags) ||
 182                    key_validate(key) < 0)
 183                        ret = -ENOKEY;
 184                else
 185                        /* ignore any errors from userspace if the key was
 186                         * instantiated */
 187                        ret = 0;
 188        }
 189
 190error_link:
 191        key_put(keyring);
 192
 193error_alloc:
 194        complete_request_key(cons, ret);
 195        kleave(" = %d", ret);
 196        return ret;
 197}
 198
 199/*
 200 * Call out to userspace for key construction.
 201 *
 202 * Program failure is ignored in favour of key status.
 203 */
 204static int construct_key(struct key *key, const void *callout_info,
 205                         size_t callout_len, void *aux,
 206                         struct key *dest_keyring)
 207{
 208        struct key_construction *cons;
 209        request_key_actor_t actor;
 210        struct key *authkey;
 211        int ret;
 212
 213        kenter("%d,%p,%zu,%p", key->serial, callout_info, callout_len, aux);
 214
 215        cons = kmalloc(sizeof(*cons), GFP_KERNEL);
 216        if (!cons)
 217                return -ENOMEM;
 218
 219        /* allocate an authorisation key */
 220        authkey = request_key_auth_new(key, callout_info, callout_len,
 221                                       dest_keyring);
 222        if (IS_ERR(authkey)) {
 223                kfree(cons);
 224                ret = PTR_ERR(authkey);
 225                authkey = NULL;
 226        } else {
 227                cons->authkey = key_get(authkey);
 228                cons->key = key_get(key);
 229
 230                /* make the call */
 231                actor = call_sbin_request_key;
 232                if (key->type->request_key)
 233                        actor = key->type->request_key;
 234
 235                ret = actor(cons, "create", aux);
 236
 237                /* check that the actor called complete_request_key() prior to
 238                 * returning an error */
 239                WARN_ON(ret < 0 &&
 240                        !test_bit(KEY_FLAG_REVOKED, &authkey->flags));
 241                key_put(authkey);
 242        }
 243
 244        kleave(" = %d", ret);
 245        return ret;
 246}
 247
 248/*
 249 * Get the appropriate destination keyring for the request.
 250 *
 251 * The keyring selected is returned with an extra reference upon it which the
 252 * caller must release.
 253 */
 254static int construct_get_dest_keyring(struct key **_dest_keyring)
 255{
 256        struct request_key_auth *rka;
 257        const struct cred *cred = current_cred();
 258        struct key *dest_keyring = *_dest_keyring, *authkey;
 259        int ret;
 260
 261        kenter("%p", dest_keyring);
 262
 263        /* find the appropriate keyring */
 264        if (dest_keyring) {
 265                /* the caller supplied one */
 266                key_get(dest_keyring);
 267        } else {
 268                bool do_perm_check = true;
 269
 270                /* use a default keyring; falling through the cases until we
 271                 * find one that we actually have */
 272                switch (cred->jit_keyring) {
 273                case KEY_REQKEY_DEFL_DEFAULT:
 274                case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
 275                        if (cred->request_key_auth) {
 276                                authkey = cred->request_key_auth;
 277                                down_read(&authkey->sem);
 278                                rka = authkey->payload.data[0];
 279                                if (!test_bit(KEY_FLAG_REVOKED,
 280                                              &authkey->flags))
 281                                        dest_keyring =
 282                                                key_get(rka->dest_keyring);
 283                                up_read(&authkey->sem);
 284                                if (dest_keyring) {
 285                                        do_perm_check = false;
 286                                        break;
 287                                }
 288                        }
 289
 290                case KEY_REQKEY_DEFL_THREAD_KEYRING:
 291                        dest_keyring = key_get(cred->thread_keyring);
 292                        if (dest_keyring)
 293                                break;
 294
 295                case KEY_REQKEY_DEFL_PROCESS_KEYRING:
 296                        dest_keyring = key_get(cred->process_keyring);
 297                        if (dest_keyring)
 298                                break;
 299
 300                case KEY_REQKEY_DEFL_SESSION_KEYRING:
 301                        rcu_read_lock();
 302                        dest_keyring = key_get(
 303                                rcu_dereference(cred->session_keyring));
 304                        rcu_read_unlock();
 305
 306                        if (dest_keyring)
 307                                break;
 308
 309                case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
 310                        dest_keyring =
 311                                key_get(cred->user->session_keyring);
 312                        break;
 313
 314                case KEY_REQKEY_DEFL_USER_KEYRING:
 315                        dest_keyring = key_get(cred->user->uid_keyring);
 316                        break;
 317
 318                case KEY_REQKEY_DEFL_GROUP_KEYRING:
 319                default:
 320                        BUG();
 321                }
 322
 323                /*
 324                 * Require Write permission on the keyring.  This is essential
 325                 * because the default keyring may be the session keyring, and
 326                 * joining a keyring only requires Search permission.
 327                 *
 328                 * However, this check is skipped for the "requestor keyring" so
 329                 * that /sbin/request-key can itself use request_key() to add
 330                 * keys to the original requestor's destination keyring.
 331                 */
 332                if (dest_keyring && do_perm_check) {
 333                        ret = key_permission(make_key_ref(dest_keyring, 1),
 334                                             KEY_NEED_WRITE);
 335                        if (ret) {
 336                                key_put(dest_keyring);
 337                                return ret;
 338                        }
 339                }
 340        }
 341
 342        *_dest_keyring = dest_keyring;
 343        kleave(" [dk %d]", key_serial(dest_keyring));
 344        return 0;
 345}
 346
 347/*
 348 * Allocate a new key in under-construction state and attempt to link it in to
 349 * the requested keyring.
 350 *
 351 * May return a key that's already under construction instead if there was a
 352 * race between two thread calling request_key().
 353 */
 354static int construct_alloc_key(struct keyring_search_context *ctx,
 355                               struct key *dest_keyring,
 356                               unsigned long flags,
 357                               struct key_user *user,
 358                               struct key **_key)
 359{
 360        struct assoc_array_edit *edit;
 361        struct key *key;
 362        key_perm_t perm;
 363        key_ref_t key_ref;
 364        int ret;
 365
 366        kenter("%s,%s,,,",
 367               ctx->index_key.type->name, ctx->index_key.description);
 368
 369        *_key = NULL;
 370        mutex_lock(&user->cons_lock);
 371
 372        perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
 373        perm |= KEY_USR_VIEW;
 374        if (ctx->index_key.type->read)
 375                perm |= KEY_POS_READ;
 376        if (ctx->index_key.type == &key_type_keyring ||
 377            ctx->index_key.type->update)
 378                perm |= KEY_POS_WRITE;
 379
 380        key = key_alloc(ctx->index_key.type, ctx->index_key.description,
 381                        ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
 382                        perm, flags, NULL);
 383        if (IS_ERR(key))
 384                goto alloc_failed;
 385
 386        set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
 387
 388        if (dest_keyring) {
 389                ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit);
 390                if (ret < 0)
 391                        goto link_prealloc_failed;
 392        }
 393
 394        /* attach the key to the destination keyring under lock, but we do need
 395         * to do another check just in case someone beat us to it whilst we
 396         * waited for locks */
 397        mutex_lock(&key_construction_mutex);
 398
 399        key_ref = search_process_keyrings(ctx);
 400        if (!IS_ERR(key_ref))
 401                goto key_already_present;
 402
 403        if (dest_keyring)
 404                __key_link(key, &edit);
 405
 406        mutex_unlock(&key_construction_mutex);
 407        if (dest_keyring)
 408                __key_link_end(dest_keyring, &ctx->index_key, edit);
 409        mutex_unlock(&user->cons_lock);
 410        *_key = key;
 411        kleave(" = 0 [%d]", key_serial(key));
 412        return 0;
 413
 414        /* the key is now present - we tell the caller that we found it by
 415         * returning -EINPROGRESS  */
 416key_already_present:
 417        key_put(key);
 418        mutex_unlock(&key_construction_mutex);
 419        key = key_ref_to_ptr(key_ref);
 420        if (dest_keyring) {
 421                ret = __key_link_check_live_key(dest_keyring, key);
 422                if (ret == 0)
 423                        __key_link(key, &edit);
 424                __key_link_end(dest_keyring, &ctx->index_key, edit);
 425                if (ret < 0)
 426                        goto link_check_failed;
 427        }
 428        mutex_unlock(&user->cons_lock);
 429        *_key = key;
 430        kleave(" = -EINPROGRESS [%d]", key_serial(key));
 431        return -EINPROGRESS;
 432
 433link_check_failed:
 434        mutex_unlock(&user->cons_lock);
 435        key_put(key);
 436        kleave(" = %d [linkcheck]", ret);
 437        return ret;
 438
 439link_prealloc_failed:
 440        mutex_unlock(&user->cons_lock);
 441        key_put(key);
 442        kleave(" = %d [prelink]", ret);
 443        return ret;
 444
 445alloc_failed:
 446        mutex_unlock(&user->cons_lock);
 447        kleave(" = %ld", PTR_ERR(key));
 448        return PTR_ERR(key);
 449}
 450
 451/*
 452 * Commence key construction.
 453 */
 454static struct key *construct_key_and_link(struct keyring_search_context *ctx,
 455                                          const char *callout_info,
 456                                          size_t callout_len,
 457                                          void *aux,
 458                                          struct key *dest_keyring,
 459                                          unsigned long flags)
 460{
 461        struct key_user *user;
 462        struct key *key;
 463        int ret;
 464
 465        kenter("");
 466
 467        if (ctx->index_key.type == &key_type_keyring)
 468                return ERR_PTR(-EPERM);
 469
 470        ret = construct_get_dest_keyring(&dest_keyring);
 471        if (ret)
 472                goto error;
 473
 474        user = key_user_lookup(current_fsuid());
 475        if (!user) {
 476                ret = -ENOMEM;
 477                goto error_put_dest_keyring;
 478        }
 479
 480        ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
 481        key_user_put(user);
 482
 483        if (ret == 0) {
 484                ret = construct_key(key, callout_info, callout_len, aux,
 485                                    dest_keyring);
 486                if (ret < 0) {
 487                        kdebug("cons failed");
 488                        goto construction_failed;
 489                }
 490        } else if (ret == -EINPROGRESS) {
 491                ret = 0;
 492        } else {
 493                goto error_put_dest_keyring;
 494        }
 495
 496        key_put(dest_keyring);
 497        kleave(" = key %d", key_serial(key));
 498        return key;
 499
 500construction_failed:
 501        key_negate_and_link(key, key_negative_timeout, NULL, NULL);
 502        key_put(key);
 503error_put_dest_keyring:
 504        key_put(dest_keyring);
 505error:
 506        kleave(" = %d", ret);
 507        return ERR_PTR(ret);
 508}
 509
 510/**
 511 * request_key_and_link - Request a key and cache it in a keyring.
 512 * @type: The type of key we want.
 513 * @description: The searchable description of the key.
 514 * @callout_info: The data to pass to the instantiation upcall (or NULL).
 515 * @callout_len: The length of callout_info.
 516 * @aux: Auxiliary data for the upcall.
 517 * @dest_keyring: Where to cache the key.
 518 * @flags: Flags to key_alloc().
 519 *
 520 * A key matching the specified criteria is searched for in the process's
 521 * keyrings and returned with its usage count incremented if found.  Otherwise,
 522 * if callout_info is not NULL, a key will be allocated and some service
 523 * (probably in userspace) will be asked to instantiate it.
 524 *
 525 * If successfully found or created, the key will be linked to the destination
 526 * keyring if one is provided.
 527 *
 528 * Returns a pointer to the key if successful; -EACCES, -ENOKEY, -EKEYREVOKED
 529 * or -EKEYEXPIRED if an inaccessible, negative, revoked or expired key was
 530 * found; -ENOKEY if no key was found and no @callout_info was given; -EDQUOT
 531 * if insufficient key quota was available to create a new key; or -ENOMEM if
 532 * insufficient memory was available.
 533 *
 534 * If the returned key was created, then it may still be under construction,
 535 * and wait_for_key_construction() should be used to wait for that to complete.
 536 */
 537struct key *request_key_and_link(struct key_type *type,
 538                                 const char *description,
 539                                 const void *callout_info,
 540                                 size_t callout_len,
 541                                 void *aux,
 542                                 struct key *dest_keyring,
 543                                 unsigned long flags)
 544{
 545        struct keyring_search_context ctx = {
 546                .index_key.type         = type,
 547                .index_key.description  = description,
 548                .cred                   = current_cred(),
 549                .match_data.cmp         = key_default_cmp,
 550                .match_data.raw_data    = description,
 551                .match_data.lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
 552                .flags                  = (KEYRING_SEARCH_DO_STATE_CHECK |
 553                                           KEYRING_SEARCH_SKIP_EXPIRED),
 554        };
 555        struct key *key;
 556        key_ref_t key_ref;
 557        int ret;
 558
 559        kenter("%s,%s,%p,%zu,%p,%p,%lx",
 560               ctx.index_key.type->name, ctx.index_key.description,
 561               callout_info, callout_len, aux, dest_keyring, flags);
 562
 563        if (type->match_preparse) {
 564                ret = type->match_preparse(&ctx.match_data);
 565                if (ret < 0) {
 566                        key = ERR_PTR(ret);
 567                        goto error;
 568                }
 569        }
 570
 571        /* search all the process keyrings for a key */
 572        key_ref = search_process_keyrings(&ctx);
 573
 574        if (!IS_ERR(key_ref)) {
 575                key = key_ref_to_ptr(key_ref);
 576                if (dest_keyring) {
 577                        ret = key_link(dest_keyring, key);
 578                        if (ret < 0) {
 579                                key_put(key);
 580                                key = ERR_PTR(ret);
 581                                goto error_free;
 582                        }
 583                }
 584        } else if (PTR_ERR(key_ref) != -EAGAIN) {
 585                key = ERR_CAST(key_ref);
 586        } else  {
 587                /* the search failed, but the keyrings were searchable, so we
 588                 * should consult userspace if we can */
 589                key = ERR_PTR(-ENOKEY);
 590                if (!callout_info)
 591                        goto error_free;
 592
 593                key = construct_key_and_link(&ctx, callout_info, callout_len,
 594                                             aux, dest_keyring, flags);
 595        }
 596
 597error_free:
 598        if (type->match_free)
 599                type->match_free(&ctx.match_data);
 600error:
 601        kleave(" = %p", key);
 602        return key;
 603}
 604
 605/**
 606 * wait_for_key_construction - Wait for construction of a key to complete
 607 * @key: The key being waited for.
 608 * @intr: Whether to wait interruptibly.
 609 *
 610 * Wait for a key to finish being constructed.
 611 *
 612 * Returns 0 if successful; -ERESTARTSYS if the wait was interrupted; -ENOKEY
 613 * if the key was negated; or -EKEYREVOKED or -EKEYEXPIRED if the key was
 614 * revoked or expired.
 615 */
 616int wait_for_key_construction(struct key *key, bool intr)
 617{
 618        int ret;
 619
 620        ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT,
 621                          intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
 622        if (ret)
 623                return -ERESTARTSYS;
 624        ret = key_read_state(key);
 625        if (ret < 0)
 626                return ret;
 627        return key_validate(key);
 628}
 629EXPORT_SYMBOL(wait_for_key_construction);
 630
 631/**
 632 * request_key - Request a key and wait for construction
 633 * @type: Type of key.
 634 * @description: The searchable description of the key.
 635 * @callout_info: The data to pass to the instantiation upcall (or NULL).
 636 *
 637 * As for request_key_and_link() except that it does not add the returned key
 638 * to a keyring if found, new keys are always allocated in the user's quota,
 639 * the callout_info must be a NUL-terminated string and no auxiliary data can
 640 * be passed.
 641 *
 642 * Furthermore, it then works as wait_for_key_construction() to wait for the
 643 * completion of keys undergoing construction with a non-interruptible wait.
 644 */
 645struct key *request_key(struct key_type *type,
 646                        const char *description,
 647                        const char *callout_info)
 648{
 649        struct key *key;
 650        size_t callout_len = 0;
 651        int ret;
 652
 653        if (callout_info)
 654                callout_len = strlen(callout_info);
 655        key = request_key_and_link(type, description, callout_info, callout_len,
 656                                   NULL, NULL, KEY_ALLOC_IN_QUOTA);
 657        if (!IS_ERR(key)) {
 658                ret = wait_for_key_construction(key, false);
 659                if (ret < 0) {
 660                        key_put(key);
 661                        return ERR_PTR(ret);
 662                }
 663        }
 664        return key;
 665}
 666EXPORT_SYMBOL(request_key);
 667
 668/**
 669 * request_key_with_auxdata - Request a key with auxiliary data for the upcaller
 670 * @type: The type of key we want.
 671 * @description: The searchable description of the key.
 672 * @callout_info: The data to pass to the instantiation upcall (or NULL).
 673 * @callout_len: The length of callout_info.
 674 * @aux: Auxiliary data for the upcall.
 675 *
 676 * As for request_key_and_link() except that it does not add the returned key
 677 * to a keyring if found and new keys are always allocated in the user's quota.
 678 *
 679 * Furthermore, it then works as wait_for_key_construction() to wait for the
 680 * completion of keys undergoing construction with a non-interruptible wait.
 681 */
 682struct key *request_key_with_auxdata(struct key_type *type,
 683                                     const char *description,
 684                                     const void *callout_info,
 685                                     size_t callout_len,
 686                                     void *aux)
 687{
 688        struct key *key;
 689        int ret;
 690
 691        key = request_key_and_link(type, description, callout_info, callout_len,
 692                                   aux, NULL, KEY_ALLOC_IN_QUOTA);
 693        if (!IS_ERR(key)) {
 694                ret = wait_for_key_construction(key, false);
 695                if (ret < 0) {
 696                        key_put(key);
 697                        return ERR_PTR(ret);
 698                }
 699        }
 700        return key;
 701}
 702EXPORT_SYMBOL(request_key_with_auxdata);
 703
 704/*
 705 * request_key_async - Request a key (allow async construction)
 706 * @type: Type of key.
 707 * @description: The searchable description of the key.
 708 * @callout_info: The data to pass to the instantiation upcall (or NULL).
 709 * @callout_len: The length of callout_info.
 710 *
 711 * As for request_key_and_link() except that it does not add the returned key
 712 * to a keyring if found, new keys are always allocated in the user's quota and
 713 * no auxiliary data can be passed.
 714 *
 715 * The caller should call wait_for_key_construction() to wait for the
 716 * completion of the returned key if it is still undergoing construction.
 717 */
 718struct key *request_key_async(struct key_type *type,
 719                              const char *description,
 720                              const void *callout_info,
 721                              size_t callout_len)
 722{
 723        return request_key_and_link(type, description, callout_info,
 724                                    callout_len, NULL, NULL,
 725                                    KEY_ALLOC_IN_QUOTA);
 726}
 727EXPORT_SYMBOL(request_key_async);
 728
 729/*
 730 * request a key with auxiliary data for the upcaller (allow async construction)
 731 * @type: Type of key.
 732 * @description: The searchable description of the key.
 733 * @callout_info: The data to pass to the instantiation upcall (or NULL).
 734 * @callout_len: The length of callout_info.
 735 * @aux: Auxiliary data for the upcall.
 736 *
 737 * As for request_key_and_link() except that it does not add the returned key
 738 * to a keyring if found and new keys are always allocated in the user's quota.
 739 *
 740 * The caller should call wait_for_key_construction() to wait for the
 741 * completion of the returned key if it is still undergoing construction.
 742 */
 743struct key *request_key_async_with_auxdata(struct key_type *type,
 744                                           const char *description,
 745                                           const void *callout_info,
 746                                           size_t callout_len,
 747                                           void *aux)
 748{
 749        return request_key_and_link(type, description, callout_info,
 750                                    callout_len, aux, NULL, KEY_ALLOC_IN_QUOTA);
 751}
 752EXPORT_SYMBOL(request_key_async_with_auxdata);
 753