xref: /linux/security/keys/request_key.c (revision 1f2367a39f17bd553a75e179a747f9b257bc9478)
1 /* Request a key from userspace
2  *
3  * Copyright (C) 2004-2007 Red Hat, Inc. All Rights Reserved.
4  * Written by David Howells (dhowells@redhat.com)
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU General Public License
8  * as published by the Free Software Foundation; either version
9  * 2 of the License, or (at your option) any later version.
10  *
11  * See Documentation/security/keys/request-key.rst
12  */
13 
14 #include <linux/export.h>
15 #include <linux/sched.h>
16 #include <linux/kmod.h>
17 #include <linux/err.h>
18 #include <linux/keyctl.h>
19 #include <linux/slab.h>
20 #include "internal.h"
21 #include <keys/request_key_auth-type.h>
22 
23 #define key_negative_timeout	60	/* default timeout on a negative key's existence */
24 
25 /**
26  * complete_request_key - Complete the construction of a key.
27  * @auth_key: The authorisation key.
28  * @error: The success or failute of the construction.
29  *
30  * Complete the attempt to construct a key.  The key will be negated
31  * if an error is indicated.  The authorisation key will be revoked
32  * unconditionally.
33  */
34 void complete_request_key(struct key *authkey, int error)
35 {
36 	struct request_key_auth *rka = get_request_key_auth(authkey);
37 	struct key *key = rka->target_key;
38 
39 	kenter("%d{%d},%d", authkey->serial, key->serial, error);
40 
41 	if (error < 0)
42 		key_negate_and_link(key, key_negative_timeout, NULL, authkey);
43 	else
44 		key_revoke(authkey);
45 }
46 EXPORT_SYMBOL(complete_request_key);
47 
48 /*
49  * Initialise a usermode helper that is going to have a specific session
50  * keyring.
51  *
52  * This is called in context of freshly forked kthread before kernel_execve(),
53  * so we can simply install the desired session_keyring at this point.
54  */
55 static int umh_keys_init(struct subprocess_info *info, struct cred *cred)
56 {
57 	struct key *keyring = info->data;
58 
59 	return install_session_keyring_to_cred(cred, keyring);
60 }
61 
62 /*
63  * Clean up a usermode helper with session keyring.
64  */
65 static void umh_keys_cleanup(struct subprocess_info *info)
66 {
67 	struct key *keyring = info->data;
68 	key_put(keyring);
69 }
70 
71 /*
72  * Call a usermode helper with a specific session keyring.
73  */
74 static int call_usermodehelper_keys(const char *path, char **argv, char **envp,
75 					struct key *session_keyring, int wait)
76 {
77 	struct subprocess_info *info;
78 
79 	info = call_usermodehelper_setup(path, argv, envp, GFP_KERNEL,
80 					  umh_keys_init, umh_keys_cleanup,
81 					  session_keyring);
82 	if (!info)
83 		return -ENOMEM;
84 
85 	key_get(session_keyring);
86 	return call_usermodehelper_exec(info, wait);
87 }
88 
89 /*
90  * Request userspace finish the construction of a key
91  * - execute "/sbin/request-key <op> <key> <uid> <gid> <keyring> <keyring> <keyring>"
92  */
93 static int call_sbin_request_key(struct key *authkey, void *aux)
94 {
95 	static char const request_key[] = "/sbin/request-key";
96 	struct request_key_auth *rka = get_request_key_auth(authkey);
97 	const struct cred *cred = current_cred();
98 	key_serial_t prkey, sskey;
99 	struct key *key = rka->target_key, *keyring, *session;
100 	char *argv[9], *envp[3], uid_str[12], gid_str[12];
101 	char key_str[12], keyring_str[3][12];
102 	char desc[20];
103 	int ret, i;
104 
105 	kenter("{%d},{%d},%s", key->serial, authkey->serial, rka->op);
106 
107 	ret = install_user_keyrings();
108 	if (ret < 0)
109 		goto error_alloc;
110 
111 	/* allocate a new session keyring */
112 	sprintf(desc, "_req.%u", key->serial);
113 
114 	cred = get_current_cred();
115 	keyring = keyring_alloc(desc, cred->fsuid, cred->fsgid, cred,
116 				KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ,
117 				KEY_ALLOC_QUOTA_OVERRUN, NULL, NULL);
118 	put_cred(cred);
119 	if (IS_ERR(keyring)) {
120 		ret = PTR_ERR(keyring);
121 		goto error_alloc;
122 	}
123 
124 	/* attach the auth key to the session keyring */
125 	ret = key_link(keyring, authkey);
126 	if (ret < 0)
127 		goto error_link;
128 
129 	/* record the UID and GID */
130 	sprintf(uid_str, "%d", from_kuid(&init_user_ns, cred->fsuid));
131 	sprintf(gid_str, "%d", from_kgid(&init_user_ns, cred->fsgid));
132 
133 	/* we say which key is under construction */
134 	sprintf(key_str, "%d", key->serial);
135 
136 	/* we specify the process's default keyrings */
137 	sprintf(keyring_str[0], "%d",
138 		cred->thread_keyring ? cred->thread_keyring->serial : 0);
139 
140 	prkey = 0;
141 	if (cred->process_keyring)
142 		prkey = cred->process_keyring->serial;
143 	sprintf(keyring_str[1], "%d", prkey);
144 
145 	rcu_read_lock();
146 	session = rcu_dereference(cred->session_keyring);
147 	if (!session)
148 		session = cred->user->session_keyring;
149 	sskey = session->serial;
150 	rcu_read_unlock();
151 
152 	sprintf(keyring_str[2], "%d", sskey);
153 
154 	/* set up a minimal environment */
155 	i = 0;
156 	envp[i++] = "HOME=/";
157 	envp[i++] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
158 	envp[i] = NULL;
159 
160 	/* set up the argument list */
161 	i = 0;
162 	argv[i++] = (char *)request_key;
163 	argv[i++] = (char *)rka->op;
164 	argv[i++] = key_str;
165 	argv[i++] = uid_str;
166 	argv[i++] = gid_str;
167 	argv[i++] = keyring_str[0];
168 	argv[i++] = keyring_str[1];
169 	argv[i++] = keyring_str[2];
170 	argv[i] = NULL;
171 
172 	/* do it */
173 	ret = call_usermodehelper_keys(request_key, argv, envp, keyring,
174 				       UMH_WAIT_PROC);
175 	kdebug("usermode -> 0x%x", ret);
176 	if (ret >= 0) {
177 		/* ret is the exit/wait code */
178 		if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags) ||
179 		    key_validate(key) < 0)
180 			ret = -ENOKEY;
181 		else
182 			/* ignore any errors from userspace if the key was
183 			 * instantiated */
184 			ret = 0;
185 	}
186 
187 error_link:
188 	key_put(keyring);
189 
190 error_alloc:
191 	complete_request_key(authkey, ret);
192 	kleave(" = %d", ret);
193 	return ret;
194 }
195 
196 /*
197  * Call out to userspace for key construction.
198  *
199  * Program failure is ignored in favour of key status.
200  */
201 static int construct_key(struct key *key, const void *callout_info,
202 			 size_t callout_len, void *aux,
203 			 struct key *dest_keyring)
204 {
205 	request_key_actor_t actor;
206 	struct key *authkey;
207 	int ret;
208 
209 	kenter("%d,%p,%zu,%p", key->serial, callout_info, callout_len, aux);
210 
211 	/* allocate an authorisation key */
212 	authkey = request_key_auth_new(key, "create", callout_info, callout_len,
213 				       dest_keyring);
214 	if (IS_ERR(authkey))
215 		return PTR_ERR(authkey);
216 
217 	/* Make the call */
218 	actor = call_sbin_request_key;
219 	if (key->type->request_key)
220 		actor = key->type->request_key;
221 
222 	ret = actor(authkey, aux);
223 
224 	/* check that the actor called complete_request_key() prior to
225 	 * returning an error */
226 	WARN_ON(ret < 0 &&
227 		!test_bit(KEY_FLAG_REVOKED, &authkey->flags));
228 
229 	key_put(authkey);
230 	kleave(" = %d", ret);
231 	return ret;
232 }
233 
234 /*
235  * Get the appropriate destination keyring for the request.
236  *
237  * The keyring selected is returned with an extra reference upon it which the
238  * caller must release.
239  */
240 static int construct_get_dest_keyring(struct key **_dest_keyring)
241 {
242 	struct request_key_auth *rka;
243 	const struct cred *cred = current_cred();
244 	struct key *dest_keyring = *_dest_keyring, *authkey;
245 	int ret;
246 
247 	kenter("%p", dest_keyring);
248 
249 	/* find the appropriate keyring */
250 	if (dest_keyring) {
251 		/* the caller supplied one */
252 		key_get(dest_keyring);
253 	} else {
254 		bool do_perm_check = true;
255 
256 		/* use a default keyring; falling through the cases until we
257 		 * find one that we actually have */
258 		switch (cred->jit_keyring) {
259 		case KEY_REQKEY_DEFL_DEFAULT:
260 		case KEY_REQKEY_DEFL_REQUESTOR_KEYRING:
261 			if (cred->request_key_auth) {
262 				authkey = cred->request_key_auth;
263 				down_read(&authkey->sem);
264 				rka = get_request_key_auth(authkey);
265 				if (!test_bit(KEY_FLAG_REVOKED,
266 					      &authkey->flags))
267 					dest_keyring =
268 						key_get(rka->dest_keyring);
269 				up_read(&authkey->sem);
270 				if (dest_keyring) {
271 					do_perm_check = false;
272 					break;
273 				}
274 			}
275 
276 			/* fall through */
277 		case KEY_REQKEY_DEFL_THREAD_KEYRING:
278 			dest_keyring = key_get(cred->thread_keyring);
279 			if (dest_keyring)
280 				break;
281 
282 			/* fall through */
283 		case KEY_REQKEY_DEFL_PROCESS_KEYRING:
284 			dest_keyring = key_get(cred->process_keyring);
285 			if (dest_keyring)
286 				break;
287 
288 			/* fall through */
289 		case KEY_REQKEY_DEFL_SESSION_KEYRING:
290 			rcu_read_lock();
291 			dest_keyring = key_get(
292 				rcu_dereference(cred->session_keyring));
293 			rcu_read_unlock();
294 
295 			if (dest_keyring)
296 				break;
297 
298 			/* fall through */
299 		case KEY_REQKEY_DEFL_USER_SESSION_KEYRING:
300 			dest_keyring =
301 				key_get(cred->user->session_keyring);
302 			break;
303 
304 		case KEY_REQKEY_DEFL_USER_KEYRING:
305 			dest_keyring = key_get(cred->user->uid_keyring);
306 			break;
307 
308 		case KEY_REQKEY_DEFL_GROUP_KEYRING:
309 		default:
310 			BUG();
311 		}
312 
313 		/*
314 		 * Require Write permission on the keyring.  This is essential
315 		 * because the default keyring may be the session keyring, and
316 		 * joining a keyring only requires Search permission.
317 		 *
318 		 * However, this check is skipped for the "requestor keyring" so
319 		 * that /sbin/request-key can itself use request_key() to add
320 		 * keys to the original requestor's destination keyring.
321 		 */
322 		if (dest_keyring && do_perm_check) {
323 			ret = key_permission(make_key_ref(dest_keyring, 1),
324 					     KEY_NEED_WRITE);
325 			if (ret) {
326 				key_put(dest_keyring);
327 				return ret;
328 			}
329 		}
330 	}
331 
332 	*_dest_keyring = dest_keyring;
333 	kleave(" [dk %d]", key_serial(dest_keyring));
334 	return 0;
335 }
336 
337 /*
338  * Allocate a new key in under-construction state and attempt to link it in to
339  * the requested keyring.
340  *
341  * May return a key that's already under construction instead if there was a
342  * race between two thread calling request_key().
343  */
344 static int construct_alloc_key(struct keyring_search_context *ctx,
345 			       struct key *dest_keyring,
346 			       unsigned long flags,
347 			       struct key_user *user,
348 			       struct key **_key)
349 {
350 	struct assoc_array_edit *edit;
351 	struct key *key;
352 	key_perm_t perm;
353 	key_ref_t key_ref;
354 	int ret;
355 
356 	kenter("%s,%s,,,",
357 	       ctx->index_key.type->name, ctx->index_key.description);
358 
359 	*_key = NULL;
360 	mutex_lock(&user->cons_lock);
361 
362 	perm = KEY_POS_VIEW | KEY_POS_SEARCH | KEY_POS_LINK | KEY_POS_SETATTR;
363 	perm |= KEY_USR_VIEW;
364 	if (ctx->index_key.type->read)
365 		perm |= KEY_POS_READ;
366 	if (ctx->index_key.type == &key_type_keyring ||
367 	    ctx->index_key.type->update)
368 		perm |= KEY_POS_WRITE;
369 
370 	key = key_alloc(ctx->index_key.type, ctx->index_key.description,
371 			ctx->cred->fsuid, ctx->cred->fsgid, ctx->cred,
372 			perm, flags, NULL);
373 	if (IS_ERR(key))
374 		goto alloc_failed;
375 
376 	set_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags);
377 
378 	if (dest_keyring) {
379 		ret = __key_link_begin(dest_keyring, &ctx->index_key, &edit);
380 		if (ret < 0)
381 			goto link_prealloc_failed;
382 	}
383 
384 	/* attach the key to the destination keyring under lock, but we do need
385 	 * to do another check just in case someone beat us to it whilst we
386 	 * waited for locks */
387 	mutex_lock(&key_construction_mutex);
388 
389 	key_ref = search_process_keyrings(ctx);
390 	if (!IS_ERR(key_ref))
391 		goto key_already_present;
392 
393 	if (dest_keyring)
394 		__key_link(key, &edit);
395 
396 	mutex_unlock(&key_construction_mutex);
397 	if (dest_keyring)
398 		__key_link_end(dest_keyring, &ctx->index_key, edit);
399 	mutex_unlock(&user->cons_lock);
400 	*_key = key;
401 	kleave(" = 0 [%d]", key_serial(key));
402 	return 0;
403 
404 	/* the key is now present - we tell the caller that we found it by
405 	 * returning -EINPROGRESS  */
406 key_already_present:
407 	key_put(key);
408 	mutex_unlock(&key_construction_mutex);
409 	key = key_ref_to_ptr(key_ref);
410 	if (dest_keyring) {
411 		ret = __key_link_check_live_key(dest_keyring, key);
412 		if (ret == 0)
413 			__key_link(key, &edit);
414 		__key_link_end(dest_keyring, &ctx->index_key, edit);
415 		if (ret < 0)
416 			goto link_check_failed;
417 	}
418 	mutex_unlock(&user->cons_lock);
419 	*_key = key;
420 	kleave(" = -EINPROGRESS [%d]", key_serial(key));
421 	return -EINPROGRESS;
422 
423 link_check_failed:
424 	mutex_unlock(&user->cons_lock);
425 	key_put(key);
426 	kleave(" = %d [linkcheck]", ret);
427 	return ret;
428 
429 link_prealloc_failed:
430 	mutex_unlock(&user->cons_lock);
431 	key_put(key);
432 	kleave(" = %d [prelink]", ret);
433 	return ret;
434 
435 alloc_failed:
436 	mutex_unlock(&user->cons_lock);
437 	kleave(" = %ld", PTR_ERR(key));
438 	return PTR_ERR(key);
439 }
440 
441 /*
442  * Commence key construction.
443  */
444 static struct key *construct_key_and_link(struct keyring_search_context *ctx,
445 					  const char *callout_info,
446 					  size_t callout_len,
447 					  void *aux,
448 					  struct key *dest_keyring,
449 					  unsigned long flags)
450 {
451 	struct key_user *user;
452 	struct key *key;
453 	int ret;
454 
455 	kenter("");
456 
457 	if (ctx->index_key.type == &key_type_keyring)
458 		return ERR_PTR(-EPERM);
459 
460 	ret = construct_get_dest_keyring(&dest_keyring);
461 	if (ret)
462 		goto error;
463 
464 	user = key_user_lookup(current_fsuid());
465 	if (!user) {
466 		ret = -ENOMEM;
467 		goto error_put_dest_keyring;
468 	}
469 
470 	ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
471 	key_user_put(user);
472 
473 	if (ret == 0) {
474 		ret = construct_key(key, callout_info, callout_len, aux,
475 				    dest_keyring);
476 		if (ret < 0) {
477 			kdebug("cons failed");
478 			goto construction_failed;
479 		}
480 	} else if (ret == -EINPROGRESS) {
481 		ret = 0;
482 	} else {
483 		goto error_put_dest_keyring;
484 	}
485 
486 	key_put(dest_keyring);
487 	kleave(" = key %d", key_serial(key));
488 	return key;
489 
490 construction_failed:
491 	key_negate_and_link(key, key_negative_timeout, NULL, NULL);
492 	key_put(key);
493 error_put_dest_keyring:
494 	key_put(dest_keyring);
495 error:
496 	kleave(" = %d", ret);
497 	return ERR_PTR(ret);
498 }
499 
500 /**
501  * request_key_and_link - Request a key and cache it in a keyring.
502  * @type: The type of key we want.
503  * @description: The searchable description of the key.
504  * @callout_info: The data to pass to the instantiation upcall (or NULL).
505  * @callout_len: The length of callout_info.
506  * @aux: Auxiliary data for the upcall.
507  * @dest_keyring: Where to cache the key.
508  * @flags: Flags to key_alloc().
509  *
510  * A key matching the specified criteria is searched for in the process's
511  * keyrings and returned with its usage count incremented if found.  Otherwise,
512  * if callout_info is not NULL, a key will be allocated and some service
513  * (probably in userspace) will be asked to instantiate it.
514  *
515  * If successfully found or created, the key will be linked to the destination
516  * keyring if one is provided.
517  *
518  * Returns a pointer to the key if successful; -EACCES, -ENOKEY, -EKEYREVOKED
519  * or -EKEYEXPIRED if an inaccessible, negative, revoked or expired key was
520  * found; -ENOKEY if no key was found and no @callout_info was given; -EDQUOT
521  * if insufficient key quota was available to create a new key; or -ENOMEM if
522  * insufficient memory was available.
523  *
524  * If the returned key was created, then it may still be under construction,
525  * and wait_for_key_construction() should be used to wait for that to complete.
526  */
527 struct key *request_key_and_link(struct key_type *type,
528 				 const char *description,
529 				 const void *callout_info,
530 				 size_t callout_len,
531 				 void *aux,
532 				 struct key *dest_keyring,
533 				 unsigned long flags)
534 {
535 	struct keyring_search_context ctx = {
536 		.index_key.type		= type,
537 		.index_key.description	= description,
538 		.index_key.desc_len	= strlen(description),
539 		.cred			= current_cred(),
540 		.match_data.cmp		= key_default_cmp,
541 		.match_data.raw_data	= description,
542 		.match_data.lookup_type	= KEYRING_SEARCH_LOOKUP_DIRECT,
543 		.flags			= (KEYRING_SEARCH_DO_STATE_CHECK |
544 					   KEYRING_SEARCH_SKIP_EXPIRED),
545 	};
546 	struct key *key;
547 	key_ref_t key_ref;
548 	int ret;
549 
550 	kenter("%s,%s,%p,%zu,%p,%p,%lx",
551 	       ctx.index_key.type->name, ctx.index_key.description,
552 	       callout_info, callout_len, aux, dest_keyring, flags);
553 
554 	if (type->match_preparse) {
555 		ret = type->match_preparse(&ctx.match_data);
556 		if (ret < 0) {
557 			key = ERR_PTR(ret);
558 			goto error;
559 		}
560 	}
561 
562 	/* search all the process keyrings for a key */
563 	key_ref = search_process_keyrings(&ctx);
564 
565 	if (!IS_ERR(key_ref)) {
566 		key = key_ref_to_ptr(key_ref);
567 		if (dest_keyring) {
568 			ret = key_link(dest_keyring, key);
569 			if (ret < 0) {
570 				key_put(key);
571 				key = ERR_PTR(ret);
572 				goto error_free;
573 			}
574 		}
575 	} else if (PTR_ERR(key_ref) != -EAGAIN) {
576 		key = ERR_CAST(key_ref);
577 	} else  {
578 		/* the search failed, but the keyrings were searchable, so we
579 		 * should consult userspace if we can */
580 		key = ERR_PTR(-ENOKEY);
581 		if (!callout_info)
582 			goto error_free;
583 
584 		key = construct_key_and_link(&ctx, callout_info, callout_len,
585 					     aux, dest_keyring, flags);
586 	}
587 
588 error_free:
589 	if (type->match_free)
590 		type->match_free(&ctx.match_data);
591 error:
592 	kleave(" = %p", key);
593 	return key;
594 }
595 
596 /**
597  * wait_for_key_construction - Wait for construction of a key to complete
598  * @key: The key being waited for.
599  * @intr: Whether to wait interruptibly.
600  *
601  * Wait for a key to finish being constructed.
602  *
603  * Returns 0 if successful; -ERESTARTSYS if the wait was interrupted; -ENOKEY
604  * if the key was negated; or -EKEYREVOKED or -EKEYEXPIRED if the key was
605  * revoked or expired.
606  */
607 int wait_for_key_construction(struct key *key, bool intr)
608 {
609 	int ret;
610 
611 	ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT,
612 			  intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
613 	if (ret)
614 		return -ERESTARTSYS;
615 	ret = key_read_state(key);
616 	if (ret < 0)
617 		return ret;
618 	return key_validate(key);
619 }
620 EXPORT_SYMBOL(wait_for_key_construction);
621 
622 /**
623  * request_key - Request a key and wait for construction
624  * @type: Type of key.
625  * @description: The searchable description of the key.
626  * @callout_info: The data to pass to the instantiation upcall (or NULL).
627  *
628  * As for request_key_and_link() except that it does not add the returned key
629  * to a keyring if found, new keys are always allocated in the user's quota,
630  * the callout_info must be a NUL-terminated string and no auxiliary data can
631  * be passed.
632  *
633  * Furthermore, it then works as wait_for_key_construction() to wait for the
634  * completion of keys undergoing construction with a non-interruptible wait.
635  */
636 struct key *request_key(struct key_type *type,
637 			const char *description,
638 			const char *callout_info)
639 {
640 	struct key *key;
641 	size_t callout_len = 0;
642 	int ret;
643 
644 	if (callout_info)
645 		callout_len = strlen(callout_info);
646 	key = request_key_and_link(type, description, callout_info, callout_len,
647 				   NULL, NULL, KEY_ALLOC_IN_QUOTA);
648 	if (!IS_ERR(key)) {
649 		ret = wait_for_key_construction(key, false);
650 		if (ret < 0) {
651 			key_put(key);
652 			return ERR_PTR(ret);
653 		}
654 	}
655 	return key;
656 }
657 EXPORT_SYMBOL(request_key);
658 
659 /**
660  * request_key_with_auxdata - Request a key with auxiliary data for the upcaller
661  * @type: The type of key we want.
662  * @description: The searchable description of the key.
663  * @callout_info: The data to pass to the instantiation upcall (or NULL).
664  * @callout_len: The length of callout_info.
665  * @aux: Auxiliary data for the upcall.
666  *
667  * As for request_key_and_link() except that it does not add the returned key
668  * to a keyring if found and new keys are always allocated in the user's quota.
669  *
670  * Furthermore, it then works as wait_for_key_construction() to wait for the
671  * completion of keys undergoing construction with a non-interruptible wait.
672  */
673 struct key *request_key_with_auxdata(struct key_type *type,
674 				     const char *description,
675 				     const void *callout_info,
676 				     size_t callout_len,
677 				     void *aux)
678 {
679 	struct key *key;
680 	int ret;
681 
682 	key = request_key_and_link(type, description, callout_info, callout_len,
683 				   aux, NULL, KEY_ALLOC_IN_QUOTA);
684 	if (!IS_ERR(key)) {
685 		ret = wait_for_key_construction(key, false);
686 		if (ret < 0) {
687 			key_put(key);
688 			return ERR_PTR(ret);
689 		}
690 	}
691 	return key;
692 }
693 EXPORT_SYMBOL(request_key_with_auxdata);
694 
695 /*
696  * request_key_async - Request a key (allow async construction)
697  * @type: Type of key.
698  * @description: The searchable description of the key.
699  * @callout_info: The data to pass to the instantiation upcall (or NULL).
700  * @callout_len: The length of callout_info.
701  *
702  * As for request_key_and_link() except that it does not add the returned key
703  * to a keyring if found, new keys are always allocated in the user's quota and
704  * no auxiliary data can be passed.
705  *
706  * The caller should call wait_for_key_construction() to wait for the
707  * completion of the returned key if it is still undergoing construction.
708  */
709 struct key *request_key_async(struct key_type *type,
710 			      const char *description,
711 			      const void *callout_info,
712 			      size_t callout_len)
713 {
714 	return request_key_and_link(type, description, callout_info,
715 				    callout_len, NULL, NULL,
716 				    KEY_ALLOC_IN_QUOTA);
717 }
718 EXPORT_SYMBOL(request_key_async);
719 
720 /*
721  * request a key with auxiliary data for the upcaller (allow async construction)
722  * @type: Type of key.
723  * @description: The searchable description of the key.
724  * @callout_info: The data to pass to the instantiation upcall (or NULL).
725  * @callout_len: The length of callout_info.
726  * @aux: Auxiliary data for the upcall.
727  *
728  * As for request_key_and_link() except that it does not add the returned key
729  * to a keyring if found and new keys are always allocated in the user's quota.
730  *
731  * The caller should call wait_for_key_construction() to wait for the
732  * completion of the returned key if it is still undergoing construction.
733  */
734 struct key *request_key_async_with_auxdata(struct key_type *type,
735 					   const char *description,
736 					   const void *callout_info,
737 					   size_t callout_len,
738 					   void *aux)
739 {
740 	return request_key_and_link(type, description, callout_info,
741 				    callout_len, aux, NULL, KEY_ALLOC_IN_QUOTA);
742 }
743 EXPORT_SYMBOL(request_key_async_with_auxdata);
744