/* * before we do a private key op, we check to see if we * need to reauthenticate. */ void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx) { int askpw = slot->askpw; PRBool NeedAuth = PR_FALSE; if (!slot->needLogin) return; if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); if (def_slot) { askpw = def_slot->askpw; PK11_FreeSlot(def_slot); } } /* timeouts are handled by isLoggedIn */ if (!PK11_IsLoggedIn(slot,wincx)) { NeedAuth = PR_TRUE; } else if (askpw == -1) { if (!PK11_Global.inTransaction || (PK11_Global.transaction != slot->authTransact)) { PK11_EnterSlotMonitor(slot); PK11_GETTAB(slot)->C_Logout(slot->session); slot->lastLoginCheck = 0; PK11_ExitSlotMonitor(slot); NeedAuth = PR_TRUE; } } if (NeedAuth) PK11_DoPassword(slot, slot->session, PR_TRUE, wincx, PR_FALSE, PR_FALSE); }
NS_IMETHODIMP nsPK11Token::IsLoggedIn(bool* _retval) { NS_ENSURE_ARG_POINTER(_retval); *_retval = PK11_IsLoggedIn(mSlot.get(), 0); return NS_OK; }
NSS_IMPLEMENT PRBool nssSlot_IsLoggedIn(NSSSlot *slot) { if (!slot->pk11slot->needLogin) { return PR_TRUE; } return PK11_IsLoggedIn(slot->pk11slot, NULL); }
NS_IMETHODIMP nsPK11Token::IsLoggedIn(bool *_retval) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; nsresult rv = NS_OK; *_retval = PK11_IsLoggedIn(mSlot, 0); return rv; }
NS_IMETHODIMP nsPKCS11Slot::GetStatus(uint32_t *_retval) { nsNSSShutDownPreventionLock locker; if (isAlreadyShutDown()) return NS_ERROR_NOT_AVAILABLE; if (PK11_IsDisabled(mSlot)) *_retval = SLOT_DISABLED; else if (!PK11_IsPresent(mSlot)) *_retval = SLOT_NOT_PRESENT; else if (PK11_NeedLogin(mSlot) && PK11_NeedUserInit(mSlot)) *_retval = SLOT_UNINITIALIZED; else if (PK11_NeedLogin(mSlot) && !PK11_IsLoggedIn(mSlot, nullptr)) *_retval = SLOT_NOT_LOGGED_IN; else if (PK11_NeedLogin(mSlot)) *_retval = SLOT_LOGGED_IN; else *_retval = SLOT_READY; return NS_OK; }
nsresult LocalCertService::LoginToKeySlot() { nsresult rv; // Get access to key slot UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { return mozilla::psm::GetXPCOMFromNSSError(PR_GetError()); } // If no user password yet, set it an empty one if (PK11_NeedUserInit(slot.get())) { rv = MapSECStatus(PK11_InitPin(slot.get(), "", "")); if (NS_FAILED(rv)) { return rv; } } // If user has a password set, prompt to login if (PK11_NeedLogin(slot.get()) && !PK11_IsLoggedIn(slot.get(), nullptr)) { // Switching to XPCOM to get the UI prompt that PSM owns nsCOMPtr<nsIPK11TokenDB> tokenDB = do_GetService(NS_PK11TOKENDB_CONTRACTID); if (!tokenDB) { return NS_ERROR_FAILURE; } nsCOMPtr<nsIPK11Token> keyToken; tokenDB->GetInternalKeyToken(getter_AddRefs(keyToken)); if (!keyToken) { return NS_ERROR_FAILURE; } // Prompt the user to login return keyToken->Login(false /* force */); } return NS_OK; }
NS_IMETHODIMP LocalCertService::GetLoginPromptRequired(bool* aRequired) { nsresult rv; // Get access to key slot UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); if (!slot) { return mozilla::psm::GetXPCOMFromNSSError(PR_GetError()); } // If no user password yet, set it an empty one if (PK11_NeedUserInit(slot.get())) { rv = MapSECStatus(PK11_InitPin(slot.get(), "", "")); if (NS_FAILED(rv)) { return rv; } } *aRequired = PK11_NeedLogin(slot.get()) && !PK11_IsLoggedIn(slot.get(), nullptr); return NS_OK; }
/* * authenticate to a slot. This loops until we can't recover, the user * gives up, or we succeed. If we're already logged in and this function * is called we will still prompt for a password, but we will probably * succeed no matter what the password was (depending on the implementation * of the PKCS 11 module. */ SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) { SECStatus rv = SECFailure; char * password; PRBool attempt = PR_FALSE; if (PK11_NeedUserInit(slot)) { PORT_SetError(SEC_ERROR_IO); return SECFailure; } /* * Central server type applications which control access to multiple * slave applications to single crypto devices need to virtuallize the * login state. This is done by a callback out of PK11_IsLoggedIn and * here. If we are actually logged in, then we got here because the * higher level code told us that the particular client application may * still need to be logged in. If that is the case, we simply tell the * server code that it should now verify the clients password and tell us * the results. */ if (PK11_IsLoggedIn(slot,NULL) && (PK11_Global.verifyPass != NULL)) { if (!PK11_Global.verifyPass(slot,wincx)) { PORT_SetError(SEC_ERROR_BAD_PASSWORD); return SECFailure; } return SECSuccess; } /* get the password. This can drop out of the while loop * for the following reasons: * (1) the user refused to enter a password. * (return error to caller) * (2) the token user password is disabled [usually due to * too many failed authentication attempts]. * (return error to caller) * (3) the password was successful. */ while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) { /* if the token has a protectedAuthPath, the application may have * already issued the C_Login as part of it's pk11_GetPassword call. * In this case the application will tell us what the results were in * the password value (retry or the authentication was successful) so * we can skip our own C_Login call (which would force the token to * try to login again). * * Applications that don't know about protectedAuthPath will return a * password, which we will ignore and trigger the token to * 'authenticate' itself anyway. Hopefully the blinking display on * the reader, or the flashing light under the thumbprint reader will * attract the user's attention */ attempt = PR_TRUE; if (slot->protectedAuthPath) { /* application tried to authenticate and failed. it wants to try * again, continue looping */ if (strcmp(password, PK11_PW_RETRY) == 0) { rv = SECWouldBlock; PORT_Free(password); continue; } /* applicaton tried to authenticate and succeeded we're done */ if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) { rv = SECSuccess; PORT_Free(password); break; } } rv = pk11_CheckPassword(slot,password); PORT_Memset(password, 0, PORT_Strlen(password)); PORT_Free(password); if (rv != SECWouldBlock) break; } if (rv == SECSuccess) { if (!PK11_IsFriendly(slot)) { nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain, slot->nssToken); } } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD); return rv; }
/* * Returns true if the token is needLogin and isn't logged in. * This function is used to determine if authentication is needed * before attempting a potentially privelleged operation. */ PRBool pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx) { return slot->needLogin && !PK11_IsLoggedIn(slot,wincx); }
int main(int argc, char **argv) { PLOptState *optstate; PLOptStatus optstatus; PRUint32 flags = 0; Error ret; SECStatus rv; char *dbString = NULL; PRBool doInitTest = PR_FALSE; int i; progName = strrchr(argv[0], '/'); if (!progName) progName = strrchr(argv[0], '\\'); progName = progName ? progName + 1 : argv[0]; optstate = PL_CreateOptState(argc, argv, "rfip:d:h"); while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case 'h': default: Usage(progName); break; case 'r': flags |= NSS_INIT_READONLY; break; case 'f': flags |= NSS_INIT_FORCEOPEN; break; case 'i': doInitTest = PR_TRUE; break; case 'p': userPassword = PORT_Strdup(optstate->value); break; case 'd': dbDir = PORT_Strdup(optstate->value); break; } } if (optstatus == PL_OPT_BAD) Usage(progName); if (!dbDir) { dbDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */ } dbDir = SECU_ConfigDirectory(dbDir); PR_fprintf(PR_STDERR, "dbdir selected is %s\n\n", dbDir); if (dbDir[0] == '\0') { PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir); ret = DIR_DOESNT_EXIST_ERR; goto loser; } PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); /* get the status of the directory and databases and output message */ if (PR_Access(dbDir, PR_ACCESS_EXISTS) != PR_SUCCESS) { PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir); } else if (PR_Access(dbDir, PR_ACCESS_READ_OK) != PR_SUCCESS) { PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dbDir); } else { if (!(flags & NSS_INIT_READONLY) && PR_Access(dbDir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) { PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dbDir); } if (!doInitTest) { for (i = 0; i < 3; i++) { dbString = PR_smprintf("%s/%s", dbDir, dbName[i]); PR_fprintf(PR_STDOUT, "database checked is %s\n", dbString); if (PR_Access(dbString, PR_ACCESS_EXISTS) != PR_SUCCESS) { PR_fprintf(PR_STDERR, errStrings[FILE_DOESNT_EXIST_ERR], dbString); } else if (PR_Access(dbString, PR_ACCESS_READ_OK) != PR_SUCCESS) { PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR], dbString); } else if (!(flags & NSS_INIT_READONLY) && PR_Access(dbString, PR_ACCESS_WRITE_OK) != PR_SUCCESS) { PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR], dbString); } } } } rv = NSS_Initialize(SECU_ConfigDirectory(dbDir), dbprefix, dbprefix, secmodName, flags); if (rv != SECSuccess) { SECU_PrintPRandOSError(progName); ret = NSS_INITIALIZE_FAILED_ERR; } else { ret = SUCCESS; if (doInitTest) { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); SECStatus rv; int passwordSuccess = 0; int type = CKM_DES3_CBC; SECItem keyid = { 0, NULL, 0 }; unsigned char keyIdData[] = { 0xff, 0xfe }; PK11SymKey *key = NULL; keyid.data = keyIdData; keyid.len = sizeof(keyIdData); PK11_SetPasswordFunc(getPassword); rv = PK11_InitPin(slot, (char *)NULL, userPassword); if (rv != SECSuccess) { PR_fprintf(PR_STDERR, "Failed to Init DB: %s\n", SECU_Strerror(PORT_GetError())); ret = CHANGEPW_FAILED_ERR; } if (*userPassword && !PK11_IsLoggedIn(slot, &passwordSuccess)) { PR_fprintf(PR_STDERR, "New DB did not log in after init\n"); ret = AUTHENTICATION_FAILED_ERR; } /* generate a symetric key */ key = PK11_TokenKeyGen(slot, type, NULL, 0, &keyid, PR_TRUE, &passwordSuccess); if (!key) { PR_fprintf(PR_STDERR, "Could not generated symetric key: %s\n", SECU_Strerror(PORT_GetError())); exit(UNSPECIFIED_ERR); } PK11_FreeSymKey(key); PK11_Logout(slot); PK11_Authenticate(slot, PR_TRUE, &passwordSuccess); if (*userPassword && !passwordSuccess) { PR_fprintf(PR_STDERR, "New DB Did not initalize\n"); ret = AUTHENTICATION_FAILED_ERR; } key = PK11_FindFixedKey(slot, type, &keyid, &passwordSuccess); if (!key) { PR_fprintf(PR_STDERR, "Could not find generated key: %s\n", SECU_Strerror(PORT_GetError())); ret = UNSPECIFIED_ERR; } else { PK11_FreeSymKey(key); } PK11_FreeSlot(slot); } if (NSS_Shutdown() != SECSuccess) { PR_fprintf(PR_STDERR, "Could not find generated key: %s\n", SECU_Strerror(PORT_GetError())); exit(1); } } loser: return ret; }