diff mbox series

[RFC,24/30] keys: Include key domain tag in the iterative search

Message ID 20200818154230.14016-15-krzysztof.struczynski@huawei.com (mailing list archive)
State New, archived
Headers show
Series None | expand

Commit Message

Krzysztof Struczynski Aug. 18, 2020, 3:42 p.m. UTC 
From: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>

Add domain tag to the key_match_data. If set, check domain tag in the
default match function and asymmetric keys match functions.

This will allow to use the key domain tag in the search criteria for
the iterative search, not only for the direct lookup that is based on
the index key.

Signed-off-by: Krzysztof Struczynski <krzysztof.struczynski@huawei.com>
---
 crypto/asymmetric_keys/asymmetric_type.c | 20 ++++++++++++++++----
 include/linux/key-type.h                 |  1 +
 security/keys/keyring.c                  | 10 +++++++++-
 3 files changed, 26 insertions(+), 5 deletions(-)
diff mbox series

Patch

diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index 33e77d846caa..177429bc5c7b 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -249,9 +249,15 @@  static bool asymmetric_key_cmp(const struct key *key,
 {
 	const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
 	const struct asymmetric_key_id *match_id = match_data->preparsed;
+	bool match;
 
-	return asymmetric_match_key_ids(kids, match_id,
-					asymmetric_key_id_same);
+	match = asymmetric_match_key_ids(kids, match_id,
+					 asymmetric_key_id_same);
+
+	if (match_data->domain_tag)
+		match &= key->index_key.domain_tag == match_data->domain_tag;
+
+	return match;
 }
 
 /*
@@ -262,9 +268,15 @@  static bool asymmetric_key_cmp_partial(const struct key *key,
 {
 	const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
 	const struct asymmetric_key_id *match_id = match_data->preparsed;
+	bool match;
+
+	match = asymmetric_match_key_ids(kids, match_id,
+					 asymmetric_key_id_partial);
+
+	if (match_data->domain_tag)
+		match &= key->index_key.domain_tag == match_data->domain_tag;
 
-	return asymmetric_match_key_ids(kids, match_id,
-					asymmetric_key_id_partial);
+	return match;
 }
 
 /*
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 2ab2d6d6aeab..c8ea26ab242c 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -55,6 +55,7 @@  struct key_match_data {
 	unsigned	lookup_type;	/* Type of lookup for this search. */
 #define KEYRING_SEARCH_LOOKUP_DIRECT	0x0000	/* Direct lookup by description. */
 #define KEYRING_SEARCH_LOOKUP_ITERATE	0x0001	/* Iterative search. */
+	struct key_tag  *domain_tag;    /* Key domain tag */
 };
 
 /*
diff --git a/security/keys/keyring.c b/security/keys/keyring.c
index 12583241ff63..7e45e534035f 100644
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -565,7 +565,13 @@  int restrict_link_reject(struct key *keyring,
 bool key_default_cmp(const struct key *key,
 		     const struct key_match_data *match_data)
 {
-	return strcmp(key->description, match_data->raw_data) == 0;
+	bool match;
+
+	match = strcmp(key->description, match_data->raw_data) == 0;
+	if (match_data->domain_tag)
+		match &= key->index_key.domain_tag == match_data->domain_tag;
+
+	return match;
 }
 
 /*
@@ -957,6 +963,8 @@  key_ref_t keyring_search_tag(key_ref_t keyring,
 
 	if (recurse)
 		ctx.flags |= KEYRING_SEARCH_RECURSE;
+	if (domain_tag)
+		ctx.match_data.domain_tag = domain_tag;
 	if (type->match_preparse) {
 		ret = type->match_preparse(&ctx.match_data);
 		if (ret < 0)