forked from Minki/linux
6c32978414
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEqG5UsNXhtOCrfGQP+7dXa6fLC2sFAl7U/i8ACgkQ+7dXa6fL C2u2eg/+Oy6ybq0hPovYVkFI9WIG7ZCz7w9Q6BEnfYMqqn3dnfJxKQ3l4pnQEOWw f4QfvpvevsYfMtOJkYcG6s66rQgbFdqc5TEyBBy0QNp3acRolN7IXkcopvv9xOpQ JxedpbFG1PTFLWjvBpyjlrUPouwLzq2FXAf1Ox0ZIMw6165mYOMWoli1VL8dh0A0 Ai7JUB0WrvTNbrwhV413obIzXT/rPCdcrgbQcgrrLPex8lQ47ZAE9bq6k4q5HiwK KRzEqkQgnzId6cCNTFBfkTWsx89zZunz7jkfM5yx30MvdAtPSxvvpfIPdZRZkXsP E2K9Fk1/6OQZTC0Op3Pi/bt+hVG/mD1p0sQUDgo2MO3qlSS+5mMkR8h3mJEgwK12 72P4YfOJkuAy2z3v4lL0GYdUDAZY6i6G8TMxERKu/a9O3VjTWICDOyBUS6F8YEAK C7HlbZxAEOKTVK0BTDTeEUBwSeDrBbvH6MnRlZCG5g1Fos2aWP0udhjiX8IfZLO7 GN6nWBvK1fYzfsUczdhgnoCzQs3suoDo04HnsTPGJ8De52T4x2RsjV+gPx0nrNAq eWChl1JvMWsY2B3GLnl9XQz4NNN+EreKEkk+PULDGllrArrPsp5Vnhb9FJO1PVCU hMDJHohPiXnKbc8f4Bd78OhIvnuoGfJPdM5MtNe2flUKy2a2ops= =YTGf -----END PGP SIGNATURE----- Merge tag 'notifications-20200601' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull notification queue from David Howells: "This adds a general notification queue concept and adds an event source for keys/keyrings, such as linking and unlinking keys and changing their attributes. Thanks to Debarshi Ray, we do have a pull request to use this to fix a problem with gnome-online-accounts - as mentioned last time: https://gitlab.gnome.org/GNOME/gnome-online-accounts/merge_requests/47 Without this, g-o-a has to constantly poll a keyring-based kerberos cache to find out if kinit has changed anything. [ There are other notification pending: mount/sb fsinfo notifications for libmount that Karel Zak and Ian Kent have been working on, and Christian Brauner would like to use them in lxc, but let's see how this one works first ] LSM hooks are included: - A set of hooks are provided that allow an LSM to rule on whether or not a watch may be set. Each of these hooks takes a different "watched object" parameter, so they're not really shareable. The LSM should use current's credentials. [Wanted by SELinux & Smack] - A hook is provided to allow an LSM to rule on whether or not a particular message may be posted to a particular queue. This is given the credentials from the event generator (which may be the system) and the watch setter. [Wanted by Smack] I've provided SELinux and Smack with implementations of some of these hooks. WHY === Key/keyring notifications are desirable because if you have your kerberos tickets in a file/directory, your Gnome desktop will monitor that using something like fanotify and tell you if your credentials cache changes. However, we also have the ability to cache your kerberos tickets in the session, user or persistent keyring so that it isn't left around on disk across a reboot or logout. Keyrings, however, cannot currently be monitored asynchronously, so the desktop has to poll for it - not so good on a laptop. This facility will allow the desktop to avoid the need to poll. DESIGN DECISIONS ================ - The notification queue is built on top of a standard pipe. Messages are effectively spliced in. The pipe is opened with a special flag: pipe2(fds, O_NOTIFICATION_PIPE); The special flag has the same value as O_EXCL (which doesn't seem like it will ever be applicable in this context)[?]. It is given up front to make it a lot easier to prohibit splice&co from accessing the pipe. [?] Should this be done some other way? I'd rather not use up a new O_* flag if I can avoid it - should I add a pipe3() system call instead? The pipe is then configured:: ioctl(fds[1], IOC_WATCH_QUEUE_SET_SIZE, queue_depth); ioctl(fds[1], IOC_WATCH_QUEUE_SET_FILTER, &filter); Messages are then read out of the pipe using read(). - It should be possible to allow write() to insert data into the notification pipes too, but this is currently disabled as the kernel has to be able to insert messages into the pipe *without* holding pipe->mutex and the code to make this work needs careful auditing. - sendfile(), splice() and vmsplice() are disabled on notification pipes because of the pipe->mutex issue and also because they sometimes want to revert what they just did - but one or more notification messages might've been interleaved in the ring. - The kernel inserts messages with the wait queue spinlock held. This means that pipe_read() and pipe_write() have to take the spinlock to update the queue pointers. - Records in the buffer are binary, typed and have a length so that they can be of varying size. This allows multiple heterogeneous sources to share a common buffer; there are 16 million types available, of which I've used just a few, so there is scope for others to be used. Tags may be specified when a watchpoint is created to help distinguish the sources. - Records are filterable as types have up to 256 subtypes that can be individually filtered. Other filtration is also available. - Notification pipes don't interfere with each other; each may be bound to a different set of watches. Any particular notification will be copied to all the queues that are currently watching for it - and only those that are watching for it. - When recording a notification, the kernel will not sleep, but will rather mark a queue as having lost a message if there's insufficient space. read() will fabricate a loss notification message at an appropriate point later. - The notification pipe is created and then watchpoints are attached to it, using one of: keyctl_watch_key(KEY_SPEC_SESSION_KEYRING, fds[1], 0x01); watch_mount(AT_FDCWD, "/", 0, fd, 0x02); watch_sb(AT_FDCWD, "/mnt", 0, fd, 0x03); where in both cases, fd indicates the queue and the number after is a tag between 0 and 255. - Watches are removed if either the notification pipe is destroyed or the watched object is destroyed. In the latter case, a message will be generated indicating the enforced watch removal. Things I want to avoid: - Introducing features that make the core VFS dependent on the network stack or networking namespaces (ie. usage of netlink). - Dumping all this stuff into dmesg and having a daemon that sits there parsing the output and distributing it as this then puts the responsibility for security into userspace and makes handling namespaces tricky. Further, dmesg might not exist or might be inaccessible inside a container. - Letting users see events they shouldn't be able to see. TESTING AND MANPAGES ==================== - The keyutils tree has a pipe-watch branch that has keyctl commands for making use of notifications. Proposed manual pages can also be found on this branch, though a couple of them really need to go to the main manpages repository instead. If the kernel supports the watching of keys, then running "make test" on that branch will cause the testing infrastructure to spawn a monitoring process on the side that monitors a notifications pipe for all the key/keyring changes induced by the tests and they'll all be checked off to make sure they happened. https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git/log/?h=pipe-watch - A test program is provided (samples/watch_queue/watch_test) that can be used to monitor for keyrings, mount and superblock events. Information on the notifications is simply logged to stdout" * tag 'notifications-20200601' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: smack: Implement the watch_key and post_notification hooks selinux: Implement the watch_key security hook keys: Make the KEY_NEED_* perms an enum rather than a mask pipe: Add notification lossage handling pipe: Allow buffers to be marked read-whole-or-error for notifications Add sample notification program watch_queue: Add a key/keyring notification facility security: Add hooks to rule on setting a watch pipe: Add general notification queue support pipe: Add O_NOTIFICATION_PIPE security: Add a hook for the point of notification insertion uapi: General notification queue definitions
382 lines
12 KiB
C
382 lines
12 KiB
C
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
/* Authentication token and access key management internal defs
|
|
*
|
|
* Copyright (C) 2003-5, 2007 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#ifndef _INTERNAL_H
|
|
#define _INTERNAL_H
|
|
|
|
#include <linux/sched.h>
|
|
#include <linux/wait_bit.h>
|
|
#include <linux/cred.h>
|
|
#include <linux/key-type.h>
|
|
#include <linux/task_work.h>
|
|
#include <linux/keyctl.h>
|
|
#include <linux/refcount.h>
|
|
#include <linux/watch_queue.h>
|
|
#include <linux/compat.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/vmalloc.h>
|
|
|
|
struct iovec;
|
|
|
|
#ifdef __KDEBUG
|
|
#define kenter(FMT, ...) \
|
|
printk(KERN_DEBUG "==> %s("FMT")\n", __func__, ##__VA_ARGS__)
|
|
#define kleave(FMT, ...) \
|
|
printk(KERN_DEBUG "<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
|
|
#define kdebug(FMT, ...) \
|
|
printk(KERN_DEBUG " "FMT"\n", ##__VA_ARGS__)
|
|
#else
|
|
#define kenter(FMT, ...) \
|
|
no_printk(KERN_DEBUG "==> %s("FMT")\n", __func__, ##__VA_ARGS__)
|
|
#define kleave(FMT, ...) \
|
|
no_printk(KERN_DEBUG "<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
|
|
#define kdebug(FMT, ...) \
|
|
no_printk(KERN_DEBUG FMT"\n", ##__VA_ARGS__)
|
|
#endif
|
|
|
|
extern struct key_type key_type_dead;
|
|
extern struct key_type key_type_user;
|
|
extern struct key_type key_type_logon;
|
|
|
|
/*****************************************************************************/
|
|
/*
|
|
* Keep track of keys for a user.
|
|
*
|
|
* This needs to be separate to user_struct to avoid a refcount-loop
|
|
* (user_struct pins some keyrings which pin this struct).
|
|
*
|
|
* We also keep track of keys under request from userspace for this UID here.
|
|
*/
|
|
struct key_user {
|
|
struct rb_node node;
|
|
struct mutex cons_lock; /* construction initiation lock */
|
|
spinlock_t lock;
|
|
refcount_t usage; /* for accessing qnkeys & qnbytes */
|
|
atomic_t nkeys; /* number of keys */
|
|
atomic_t nikeys; /* number of instantiated keys */
|
|
kuid_t uid;
|
|
int qnkeys; /* number of keys allocated to this user */
|
|
int qnbytes; /* number of bytes allocated to this user */
|
|
};
|
|
|
|
extern struct rb_root key_user_tree;
|
|
extern spinlock_t key_user_lock;
|
|
extern struct key_user root_key_user;
|
|
|
|
extern struct key_user *key_user_lookup(kuid_t uid);
|
|
extern void key_user_put(struct key_user *user);
|
|
|
|
/*
|
|
* Key quota limits.
|
|
* - root has its own separate limits to everyone else
|
|
*/
|
|
extern unsigned key_quota_root_maxkeys;
|
|
extern unsigned key_quota_root_maxbytes;
|
|
extern unsigned key_quota_maxkeys;
|
|
extern unsigned key_quota_maxbytes;
|
|
|
|
#define KEYQUOTA_LINK_BYTES 4 /* a link in a keyring is worth 4 bytes */
|
|
|
|
|
|
extern struct kmem_cache *key_jar;
|
|
extern struct rb_root key_serial_tree;
|
|
extern spinlock_t key_serial_lock;
|
|
extern struct mutex key_construction_mutex;
|
|
extern wait_queue_head_t request_key_conswq;
|
|
|
|
extern void key_set_index_key(struct keyring_index_key *index_key);
|
|
extern struct key_type *key_type_lookup(const char *type);
|
|
extern void key_type_put(struct key_type *ktype);
|
|
|
|
extern int __key_link_lock(struct key *keyring,
|
|
const struct keyring_index_key *index_key);
|
|
extern int __key_move_lock(struct key *l_keyring, struct key *u_keyring,
|
|
const struct keyring_index_key *index_key);
|
|
extern int __key_link_begin(struct key *keyring,
|
|
const struct keyring_index_key *index_key,
|
|
struct assoc_array_edit **_edit);
|
|
extern int __key_link_check_live_key(struct key *keyring, struct key *key);
|
|
extern void __key_link(struct key *keyring, struct key *key,
|
|
struct assoc_array_edit **_edit);
|
|
extern void __key_link_end(struct key *keyring,
|
|
const struct keyring_index_key *index_key,
|
|
struct assoc_array_edit *edit);
|
|
|
|
extern key_ref_t find_key_to_update(key_ref_t keyring_ref,
|
|
const struct keyring_index_key *index_key);
|
|
|
|
extern struct key *keyring_search_instkey(struct key *keyring,
|
|
key_serial_t target_id);
|
|
|
|
extern int iterate_over_keyring(const struct key *keyring,
|
|
int (*func)(const struct key *key, void *data),
|
|
void *data);
|
|
|
|
struct keyring_search_context {
|
|
struct keyring_index_key index_key;
|
|
const struct cred *cred;
|
|
struct key_match_data match_data;
|
|
unsigned flags;
|
|
#define KEYRING_SEARCH_NO_STATE_CHECK 0x0001 /* Skip state checks */
|
|
#define KEYRING_SEARCH_DO_STATE_CHECK 0x0002 /* Override NO_STATE_CHECK */
|
|
#define KEYRING_SEARCH_NO_UPDATE_TIME 0x0004 /* Don't update times */
|
|
#define KEYRING_SEARCH_NO_CHECK_PERM 0x0008 /* Don't check permissions */
|
|
#define KEYRING_SEARCH_DETECT_TOO_DEEP 0x0010 /* Give an error on excessive depth */
|
|
#define KEYRING_SEARCH_SKIP_EXPIRED 0x0020 /* Ignore expired keys (intention to replace) */
|
|
#define KEYRING_SEARCH_RECURSE 0x0040 /* Search child keyrings also */
|
|
|
|
int (*iterator)(const void *object, void *iterator_data);
|
|
|
|
/* Internal stuff */
|
|
int skipped_ret;
|
|
bool possessed;
|
|
key_ref_t result;
|
|
time64_t now;
|
|
};
|
|
|
|
extern bool key_default_cmp(const struct key *key,
|
|
const struct key_match_data *match_data);
|
|
extern key_ref_t keyring_search_rcu(key_ref_t keyring_ref,
|
|
struct keyring_search_context *ctx);
|
|
|
|
extern key_ref_t search_cred_keyrings_rcu(struct keyring_search_context *ctx);
|
|
extern key_ref_t search_process_keyrings_rcu(struct keyring_search_context *ctx);
|
|
|
|
extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
|
|
|
|
extern int look_up_user_keyrings(struct key **, struct key **);
|
|
extern struct key *get_user_session_keyring_rcu(const struct cred *);
|
|
extern int install_thread_keyring_to_cred(struct cred *);
|
|
extern int install_process_keyring_to_cred(struct cred *);
|
|
extern int install_session_keyring_to_cred(struct cred *, struct key *);
|
|
|
|
extern struct key *request_key_and_link(struct key_type *type,
|
|
const char *description,
|
|
struct key_tag *domain_tag,
|
|
const void *callout_info,
|
|
size_t callout_len,
|
|
void *aux,
|
|
struct key *dest_keyring,
|
|
unsigned long flags);
|
|
|
|
extern bool lookup_user_key_possessed(const struct key *key,
|
|
const struct key_match_data *match_data);
|
|
#define KEY_LOOKUP_CREATE 0x01
|
|
#define KEY_LOOKUP_PARTIAL 0x02
|
|
|
|
extern long join_session_keyring(const char *name);
|
|
extern void key_change_session_keyring(struct callback_head *twork);
|
|
|
|
extern struct work_struct key_gc_work;
|
|
extern unsigned key_gc_delay;
|
|
extern void keyring_gc(struct key *keyring, time64_t limit);
|
|
extern void keyring_restriction_gc(struct key *keyring,
|
|
struct key_type *dead_type);
|
|
extern void key_schedule_gc(time64_t gc_at);
|
|
extern void key_schedule_gc_links(void);
|
|
extern void key_gc_keytype(struct key_type *ktype);
|
|
|
|
extern int key_task_permission(const key_ref_t key_ref,
|
|
const struct cred *cred,
|
|
enum key_need_perm need_perm);
|
|
|
|
static inline void notify_key(struct key *key,
|
|
enum key_notification_subtype subtype, u32 aux)
|
|
{
|
|
#ifdef CONFIG_KEY_NOTIFICATIONS
|
|
struct key_notification n = {
|
|
.watch.type = WATCH_TYPE_KEY_NOTIFY,
|
|
.watch.subtype = subtype,
|
|
.watch.info = watch_sizeof(n),
|
|
.key_id = key_serial(key),
|
|
.aux = aux,
|
|
};
|
|
|
|
post_watch_notification(key->watchers, &n.watch, current_cred(),
|
|
n.key_id);
|
|
#endif
|
|
}
|
|
|
|
/*
|
|
* Check to see whether permission is granted to use a key in the desired way.
|
|
*/
|
|
static inline int key_permission(const key_ref_t key_ref,
|
|
enum key_need_perm need_perm)
|
|
{
|
|
return key_task_permission(key_ref, current_cred(), need_perm);
|
|
}
|
|
|
|
extern struct key_type key_type_request_key_auth;
|
|
extern struct key *request_key_auth_new(struct key *target,
|
|
const char *op,
|
|
const void *callout_info,
|
|
size_t callout_len,
|
|
struct key *dest_keyring);
|
|
|
|
extern struct key *key_get_instantiation_authkey(key_serial_t target_id);
|
|
|
|
/*
|
|
* Determine whether a key is dead.
|
|
*/
|
|
static inline bool key_is_dead(const struct key *key, time64_t limit)
|
|
{
|
|
return
|
|
key->flags & ((1 << KEY_FLAG_DEAD) |
|
|
(1 << KEY_FLAG_INVALIDATED)) ||
|
|
(key->expiry > 0 && key->expiry <= limit) ||
|
|
key->domain_tag->removed;
|
|
}
|
|
|
|
/*
|
|
* keyctl() functions
|
|
*/
|
|
extern long keyctl_get_keyring_ID(key_serial_t, int);
|
|
extern long keyctl_join_session_keyring(const char __user *);
|
|
extern long keyctl_update_key(key_serial_t, const void __user *, size_t);
|
|
extern long keyctl_revoke_key(key_serial_t);
|
|
extern long keyctl_keyring_clear(key_serial_t);
|
|
extern long keyctl_keyring_link(key_serial_t, key_serial_t);
|
|
extern long keyctl_keyring_move(key_serial_t, key_serial_t, key_serial_t, unsigned int);
|
|
extern long keyctl_keyring_unlink(key_serial_t, key_serial_t);
|
|
extern long keyctl_describe_key(key_serial_t, char __user *, size_t);
|
|
extern long keyctl_keyring_search(key_serial_t, const char __user *,
|
|
const char __user *, key_serial_t);
|
|
extern long keyctl_read_key(key_serial_t, char __user *, size_t);
|
|
extern long keyctl_chown_key(key_serial_t, uid_t, gid_t);
|
|
extern long keyctl_setperm_key(key_serial_t, key_perm_t);
|
|
extern long keyctl_instantiate_key(key_serial_t, const void __user *,
|
|
size_t, key_serial_t);
|
|
extern long keyctl_negate_key(key_serial_t, unsigned, key_serial_t);
|
|
extern long keyctl_set_reqkey_keyring(int);
|
|
extern long keyctl_set_timeout(key_serial_t, unsigned);
|
|
extern long keyctl_assume_authority(key_serial_t);
|
|
extern long keyctl_get_security(key_serial_t keyid, char __user *buffer,
|
|
size_t buflen);
|
|
extern long keyctl_session_to_parent(void);
|
|
extern long keyctl_reject_key(key_serial_t, unsigned, unsigned, key_serial_t);
|
|
extern long keyctl_instantiate_key_iov(key_serial_t,
|
|
const struct iovec __user *,
|
|
unsigned, key_serial_t);
|
|
extern long keyctl_invalidate_key(key_serial_t);
|
|
|
|
struct iov_iter;
|
|
extern long keyctl_instantiate_key_common(key_serial_t,
|
|
struct iov_iter *,
|
|
key_serial_t);
|
|
extern long keyctl_restrict_keyring(key_serial_t id,
|
|
const char __user *_type,
|
|
const char __user *_restriction);
|
|
#ifdef CONFIG_PERSISTENT_KEYRINGS
|
|
extern long keyctl_get_persistent(uid_t, key_serial_t);
|
|
extern unsigned persistent_keyring_expiry;
|
|
#else
|
|
static inline long keyctl_get_persistent(uid_t uid, key_serial_t destring)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
#endif
|
|
|
|
#ifdef CONFIG_KEY_DH_OPERATIONS
|
|
extern long keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *,
|
|
size_t, struct keyctl_kdf_params __user *);
|
|
extern long __keyctl_dh_compute(struct keyctl_dh_params __user *, char __user *,
|
|
size_t, struct keyctl_kdf_params *);
|
|
#ifdef CONFIG_COMPAT
|
|
extern long compat_keyctl_dh_compute(struct keyctl_dh_params __user *params,
|
|
char __user *buffer, size_t buflen,
|
|
struct compat_keyctl_kdf_params __user *kdf);
|
|
#endif
|
|
#define KEYCTL_KDF_MAX_OUTPUT_LEN 1024 /* max length of KDF output */
|
|
#define KEYCTL_KDF_MAX_OI_LEN 64 /* max length of otherinfo */
|
|
#else
|
|
static inline long keyctl_dh_compute(struct keyctl_dh_params __user *params,
|
|
char __user *buffer, size_t buflen,
|
|
struct keyctl_kdf_params __user *kdf)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
static inline long compat_keyctl_dh_compute(
|
|
struct keyctl_dh_params __user *params,
|
|
char __user *buffer, size_t buflen,
|
|
struct keyctl_kdf_params __user *kdf)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
#endif
|
|
#endif
|
|
|
|
#ifdef CONFIG_ASYMMETRIC_KEY_TYPE
|
|
extern long keyctl_pkey_query(key_serial_t,
|
|
const char __user *,
|
|
struct keyctl_pkey_query __user *);
|
|
|
|
extern long keyctl_pkey_verify(const struct keyctl_pkey_params __user *,
|
|
const char __user *,
|
|
const void __user *, const void __user *);
|
|
|
|
extern long keyctl_pkey_e_d_s(int,
|
|
const struct keyctl_pkey_params __user *,
|
|
const char __user *,
|
|
const void __user *, void __user *);
|
|
#else
|
|
static inline long keyctl_pkey_query(key_serial_t id,
|
|
const char __user *_info,
|
|
struct keyctl_pkey_query __user *_res)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static inline long keyctl_pkey_verify(const struct keyctl_pkey_params __user *params,
|
|
const char __user *_info,
|
|
const void __user *_in,
|
|
const void __user *_in2)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
|
|
static inline long keyctl_pkey_e_d_s(int op,
|
|
const struct keyctl_pkey_params __user *params,
|
|
const char __user *_info,
|
|
const void __user *_in,
|
|
void __user *_out)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
#endif
|
|
|
|
extern long keyctl_capabilities(unsigned char __user *_buffer, size_t buflen);
|
|
|
|
#ifdef CONFIG_KEY_NOTIFICATIONS
|
|
extern long keyctl_watch_key(key_serial_t, int, int);
|
|
#else
|
|
static inline long keyctl_watch_key(key_serial_t key_id, int watch_fd, int watch_id)
|
|
{
|
|
return -EOPNOTSUPP;
|
|
}
|
|
#endif
|
|
|
|
/*
|
|
* Debugging key validation
|
|
*/
|
|
#ifdef KEY_DEBUGGING
|
|
extern void __key_check(const struct key *);
|
|
|
|
static inline void key_check(const struct key *key)
|
|
{
|
|
if (key && (IS_ERR(key) || key->magic != KEY_DEBUG_MAGIC))
|
|
__key_check(key);
|
|
}
|
|
|
|
#else
|
|
|
|
#define key_check(key) do {} while(0)
|
|
|
|
#endif
|
|
#endif /* _INTERNAL_H */
|