authorMat Martineau <mathew.j.martineau@linux.intel.com>2016-10-04 16:42:45 -0700
committerMat Martineau <mathew.j.martineau@linux.intel.com>2017-04-04 14:10:13 -0700
commit8e323a02e866014091180443ccb186fee1e3d30d (patch)
treebb473a491f791be1c0f9c42b66c4b700ff151d74 /crypto/asymmetric_keys/asymmetric_type.c
parent7e3c4d22083f6e7316c5229b6197ca2d5335aa35 (diff)
KEYS: Keyring asymmetric key restrict method with chaining
Add a restrict_link_by_key_or_keyring_chain link restriction that searches for signing keys in the destination keyring in addition to the signing key or keyring designated when the destination keyring was created. Userspace enables this behavior by including the "chain" option in the keyring restriction: keyctl(KEYCTL_RESTRICT_KEYRING, keyring, "asymmetric", "key_or_keyring:<signing key>:chain"); Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Diffstat (limited to 'crypto/asymmetric_keys/asymmetric_type.c')
-rw-r--r--crypto/asymmetric_keys/asymmetric_type.c31
1 files changed, 24 insertions, 7 deletions
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index 72700ed81594..e4b0ed386bc8 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -496,20 +496,37 @@ static struct key_restriction *asymmetric_lookup_restriction(
restrict_method = strsep(&next, ":");
if ((strcmp(restrict_method, "key_or_keyring") == 0) && next) {
+ char *key_text;
key_serial_t serial;
struct key *key;
+ key_restrict_link_func_t link_fn =
+ restrict_link_by_key_or_keyring;
+ bool allow_null_key = false;
- if (kstrtos32(next, 0, &serial) < 0)
- goto out;
+ key_text = strsep(&next, ":");
+
+ if (next) {
+ if (strcmp(next, "chain") != 0)
+ goto out;
+
+ link_fn = restrict_link_by_key_or_keyring_chain;
+ allow_null_key = true;
+ }
- key = key_lookup(serial);
- if (IS_ERR(key)) {
- ret = ERR_CAST(key);
+ if (kstrtos32(key_text, 0, &serial) < 0)
goto out;
+
+ if ((serial == 0) && allow_null_key) {
+ key = NULL;
+ } else {
+ key = key_lookup(serial);
+ if (IS_ERR(key)) {
+ ret = ERR_CAST(key);
+ goto out;
+ }
}
- ret = asymmetric_restriction_alloc(
- restrict_link_by_key_or_keyring, key);
+ ret = asymmetric_restriction_alloc(link_fn, key);
if (IS_ERR(ret))
key_put(key);
}
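Review bot: The `(serial == 0) && allow_null_key` branch needs a comment, because it is the one place where a restriction is created with no anchor key at all and nothing in the hunk says what then governs trust. Going by the commit description, the chain variant also searches the destination keyring for signing keys, so with serial 0 that keyring's existing contents appear to be the only trust root. I would put `/* "0:chain": no anchor key; only keys already in the destination keyring can vouch for new links */` above `key = NULL;`. The error path `key_put(key)` can now be reached with a NULL key, so the same comment should say that this relies on key_put() accepting NULL. asymmetric_lookup_restriction starts and ends outside this hunk, so the initial value of `ret` returned on the `goto out` paths is not visible here.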