Revoked keys are no longer returned by the request_key kernel
function. So it is now necessary to remove revoked keys from the
keyring when flushing the context.
Moreover, if a revoked key is present, do not consider it a
match when searching for a valid key with request_key. That
way it will be replaced with a valid, newly created one.
Signed-off-by: Sebastien Buisson <sbuisson@ddn.com>
Change-Id: I0fbaf01f6a8f50e9fb06eef96c74e73c25de257f
Reviewed-on: http://review.whamcloud.com/17721
Tested-by: Jenkins
Reviewed-by: Jeremy Filizetti <jeremy.filizetti@gmail.com>
Tested-by: James Nunez <james.a.nunez@intel.com>
Tested-by: Maloo <hpdd-maloo@intel.com>
Reviewed-by: John L. Hammond <john.hammond@intel.com>
Reviewed-by: Oleg Drokin <oleg.drokin@intel.com>
construct_key_desc(desc, sizeof(desc), sec, uid);
construct_key_desc(desc, sizeof(desc), sec, uid);
- /* there should be only one valid key, but we put it in the
- * loop in case of any weird cases */
- for (;;) {
- key = request_key(&gss_key_type, desc, NULL);
- if (IS_ERR(key)) {
- CDEBUG(D_SEC, "No more key found for current user\n");
- break;
- }
+ /* there should be only one valid key, but we put it in the
+ * loop in case of any weird cases */
+ for (;;) {
+ key = request_key(&gss_key_type, desc, NULL);
+ if (IS_ERR(key)) {
+ CDEBUG(D_SEC, "No more key found for current user\n");
+ break;
+ }
- /* kill_key_locked() should usually revoke the key, but we
- * revoke it again to make sure, e.g. some case the key may
- * not well coupled with a context. */
- key_revoke_locked(key);
+ /* kill_key_locked() should usually revoke the key, but we
+ * revoke it again to make sure, e.g. some case the key may
+ * not well coupled with a context. */
+ key_revoke_locked(key);
+ request_key_unlink(key);
+
+ key_put(key);
+ }
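Review bot: The added `request_key_unlink(key);` is best-effort and its effect is not checked, so a revoked key that is linked in a keyring other than the one unlinked would stay behind; the loop still terminates only because the gss_kt_match() change below now rejects keys with KEY_FLAG_REVOKED, not because the unlink succeeded. That dependency deserves a comment at the unlink, e.g. `/* best-effort: drop the revoked key from the keyring; loop exit relies on gss_kt_match() skipping revoked keys */`. The `_locked` suffix on key_revoke_locked() suggests the key semaphore is held at that point, but the lock and unlock are not visible in the hunk; please confirm request_key_unlink() runs after the key semaphore is released. The enclosing flush function starts and ends outside the hunk.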
static int
gss_kt_match(const struct key *key, const void *desc)
{
static int
gss_kt_match(const struct key *key, const void *desc)
{
- return (strcmp(key->description, (const char *) desc) == 0);
+ return strcmp(key->description, (const char *) desc) == 0 &&
+ !test_bit(KEY_FLAG_REVOKED, &key->flags);
}
#else /* ! HAVE_KEY_MATCH_DATA */
static bool
}
#else /* ! HAVE_KEY_MATCH_DATA */
static bool
{
const char *desc = match_data->raw_data;
{
const char *desc = match_data->raw_data;
- return (strcmp(key->description, desc) == 0);
+ return strcmp(key->description, desc) == 0 &&
+ !test_bit(KEY_FLAG_REVOKED, &key->flags);