/*
* before we do a private key op, we check to see if we
* need to reauthenticate.
*/
void
PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
{
int askpw = slot->askpw;
PRBool NeedAuth = PR_FALSE;
if (!slot->needLogin) return;
if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
if (def_slot) {
askpw = def_slot->askpw;
PK11_FreeSlot(def_slot);
}
}
/* timeouts are handled by isLoggedIn */
if (!PK11_IsLoggedIn(slot,wincx)) {
NeedAuth = PR_TRUE;
} else if (askpw == -1) {
if (!PK11_Global.inTransaction ||
(PK11_Global.transaction != slot->authTransact)) {
PK11_EnterSlotMonitor(slot);
PK11_GETTAB(slot)->C_Logout(slot->session);
slot->lastLoginCheck = 0;
PK11_ExitSlotMonitor(slot);
NeedAuth = PR_TRUE;
}
}
if (NeedAuth) PK11_DoPassword(slot, slot->session, PR_TRUE,
wincx, PR_FALSE, PR_FALSE);
}
NS_IMETHODIMP
nsPK11Token::IsLoggedIn(bool* _retval)
{
NS_ENSURE_ARG_POINTER(_retval);
*_retval = PK11_IsLoggedIn(mSlot.get(), 0);
return NS_OK;
}
NSS_IMPLEMENT PRBool
nssSlot_IsLoggedIn(NSSSlot *slot)
{
if (!slot->pk11slot->needLogin) {
return PR_TRUE;
}
return PK11_IsLoggedIn(slot->pk11slot, NULL);
}
NS_IMETHODIMP nsPK11Token::IsLoggedIn(bool *_retval)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
nsresult rv = NS_OK;
*_retval = PK11_IsLoggedIn(mSlot, 0);
return rv;
}
NS_IMETHODIMP
nsPKCS11Slot::GetStatus(uint32_t *_retval)
{
nsNSSShutDownPreventionLock locker;
if (isAlreadyShutDown())
return NS_ERROR_NOT_AVAILABLE;
if (PK11_IsDisabled(mSlot))
*_retval = SLOT_DISABLED;
else if (!PK11_IsPresent(mSlot))
*_retval = SLOT_NOT_PRESENT;
else if (PK11_NeedLogin(mSlot) && PK11_NeedUserInit(mSlot))
*_retval = SLOT_UNINITIALIZED;
else if (PK11_NeedLogin(mSlot) && !PK11_IsLoggedIn(mSlot, nullptr))
*_retval = SLOT_NOT_LOGGED_IN;
else if (PK11_NeedLogin(mSlot))
*_retval = SLOT_LOGGED_IN;
else
*_retval = SLOT_READY;
return NS_OK;
}
nsresult
LocalCertService::LoginToKeySlot()
{
nsresult rv;
// Get access to key slot
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
// If no user password yet, set it an empty one
if (PK11_NeedUserInit(slot.get())) {
rv = MapSECStatus(PK11_InitPin(slot.get(), "", ""));
if (NS_FAILED(rv)) {
return rv;
}
}
// If user has a password set, prompt to login
if (PK11_NeedLogin(slot.get()) && !PK11_IsLoggedIn(slot.get(), nullptr)) {
// Switching to XPCOM to get the UI prompt that PSM owns
nsCOMPtr<nsIPK11TokenDB> tokenDB =
do_GetService(NS_PK11TOKENDB_CONTRACTID);
if (!tokenDB) {
return NS_ERROR_FAILURE;
}
nsCOMPtr<nsIPK11Token> keyToken;
tokenDB->GetInternalKeyToken(getter_AddRefs(keyToken));
if (!keyToken) {
return NS_ERROR_FAILURE;
}
// Prompt the user to login
return keyToken->Login(false /* force */);
}
return NS_OK;
}
NS_IMETHODIMP
LocalCertService::GetLoginPromptRequired(bool* aRequired)
{
nsresult rv;
// Get access to key slot
UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
if (!slot) {
return mozilla::psm::GetXPCOMFromNSSError(PR_GetError());
}
// If no user password yet, set it an empty one
if (PK11_NeedUserInit(slot.get())) {
rv = MapSECStatus(PK11_InitPin(slot.get(), "", ""));
if (NS_FAILED(rv)) {
return rv;
}
}
*aRequired = PK11_NeedLogin(slot.get()) &&
!PK11_IsLoggedIn(slot.get(), nullptr);
return NS_OK;
}
/*
* authenticate to a slot. This loops until we can't recover, the user
* gives up, or we succeed. If we're already logged in and this function
* is called we will still prompt for a password, but we will probably
* succeed no matter what the password was (depending on the implementation
* of the PKCS 11 module.
*/
SECStatus
PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
{
SECStatus rv = SECFailure;
char * password;
PRBool attempt = PR_FALSE;
if (PK11_NeedUserInit(slot)) {
PORT_SetError(SEC_ERROR_IO);
return SECFailure;
}
/*
* Central server type applications which control access to multiple
* slave applications to single crypto devices need to virtuallize the
* login state. This is done by a callback out of PK11_IsLoggedIn and
* here. If we are actually logged in, then we got here because the
* higher level code told us that the particular client application may
* still need to be logged in. If that is the case, we simply tell the
* server code that it should now verify the clients password and tell us
* the results.
*/
if (PK11_IsLoggedIn(slot,NULL) &&
(PK11_Global.verifyPass != NULL)) {
if (!PK11_Global.verifyPass(slot,wincx)) {
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
return SECFailure;
}
return SECSuccess;
}
/* get the password. This can drop out of the while loop
* for the following reasons:
* (1) the user refused to enter a password.
* (return error to caller)
* (2) the token user password is disabled [usually due to
* too many failed authentication attempts].
* (return error to caller)
* (3) the password was successful.
*/
while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) {
/* if the token has a protectedAuthPath, the application may have
* already issued the C_Login as part of it's pk11_GetPassword call.
* In this case the application will tell us what the results were in
* the password value (retry or the authentication was successful) so
* we can skip our own C_Login call (which would force the token to
* try to login again).
*
* Applications that don't know about protectedAuthPath will return a
* password, which we will ignore and trigger the token to
* 'authenticate' itself anyway. Hopefully the blinking display on
* the reader, or the flashing light under the thumbprint reader will
* attract the user's attention */
attempt = PR_TRUE;
if (slot->protectedAuthPath) {
/* application tried to authenticate and failed. it wants to try
* again, continue looping */
if (strcmp(password, PK11_PW_RETRY) == 0) {
rv = SECWouldBlock;
PORT_Free(password);
continue;
}
/* applicaton tried to authenticate and succeeded we're done */
if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) {
rv = SECSuccess;
PORT_Free(password);
break;
}
}
rv = pk11_CheckPassword(slot,password);
PORT_Memset(password, 0, PORT_Strlen(password));
PORT_Free(password);
if (rv != SECWouldBlock) break;
}
if (rv == SECSuccess) {
if (!PK11_IsFriendly(slot)) {
nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
slot->nssToken);
}
} else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
return rv;
}
/*
* Returns true if the token is needLogin and isn't logged in.
* This function is used to determine if authentication is needed
* before attempting a potentially privelleged operation.
*/
PRBool
pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx)
{
return slot->needLogin && !PK11_IsLoggedIn(slot,wincx);
}
int
main(int argc, char **argv)
{
PLOptState *optstate;
PLOptStatus optstatus;
PRUint32 flags = 0;
Error ret;
SECStatus rv;
char *dbString = NULL;
PRBool doInitTest = PR_FALSE;
int i;
progName = strrchr(argv[0], '/');
if (!progName)
progName = strrchr(argv[0], '\\');
progName = progName ? progName + 1 : argv[0];
optstate = PL_CreateOptState(argc, argv, "rfip:d:h");
while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
switch (optstate->option) {
case 'h':
default:
Usage(progName);
break;
case 'r':
flags |= NSS_INIT_READONLY;
break;
case 'f':
flags |= NSS_INIT_FORCEOPEN;
break;
case 'i':
doInitTest = PR_TRUE;
break;
case 'p':
userPassword = PORT_Strdup(optstate->value);
break;
case 'd':
dbDir = PORT_Strdup(optstate->value);
break;
}
}
if (optstatus == PL_OPT_BAD)
Usage(progName);
if (!dbDir) {
dbDir = SECU_DefaultSSLDir(); /* Look in $SSL_DIR */
}
dbDir = SECU_ConfigDirectory(dbDir);
PR_fprintf(PR_STDERR, "dbdir selected is %s\n\n", dbDir);
if (dbDir[0] == '\0') {
PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
ret = DIR_DOESNT_EXIST_ERR;
goto loser;
}
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
/* get the status of the directory and databases and output message */
if (PR_Access(dbDir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[DIR_DOESNT_EXIST_ERR], dbDir);
} else if (PR_Access(dbDir, PR_ACCESS_READ_OK) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[DIR_NOT_READABLE_ERR], dbDir);
} else {
if (!(flags & NSS_INIT_READONLY) &&
PR_Access(dbDir, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[DIR_NOT_WRITEABLE_ERR], dbDir);
}
if (!doInitTest) {
for (i = 0; i < 3; i++) {
dbString = PR_smprintf("%s/%s", dbDir, dbName[i]);
PR_fprintf(PR_STDOUT, "database checked is %s\n", dbString);
if (PR_Access(dbString, PR_ACCESS_EXISTS) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[FILE_DOESNT_EXIST_ERR],
dbString);
} else if (PR_Access(dbString, PR_ACCESS_READ_OK) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[FILE_NOT_READABLE_ERR],
dbString);
} else if (!(flags & NSS_INIT_READONLY) &&
PR_Access(dbString, PR_ACCESS_WRITE_OK) != PR_SUCCESS) {
PR_fprintf(PR_STDERR, errStrings[FILE_NOT_WRITEABLE_ERR],
dbString);
}
}
}
}
rv = NSS_Initialize(SECU_ConfigDirectory(dbDir), dbprefix, dbprefix,
secmodName, flags);
if (rv != SECSuccess) {
SECU_PrintPRandOSError(progName);
ret = NSS_INITIALIZE_FAILED_ERR;
} else {
ret = SUCCESS;
if (doInitTest) {
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
SECStatus rv;
int passwordSuccess = 0;
int type = CKM_DES3_CBC;
SECItem keyid = { 0, NULL, 0 };
unsigned char keyIdData[] = { 0xff, 0xfe };
PK11SymKey *key = NULL;
keyid.data = keyIdData;
keyid.len = sizeof(keyIdData);
PK11_SetPasswordFunc(getPassword);
rv = PK11_InitPin(slot, (char *)NULL, userPassword);
if (rv != SECSuccess) {
PR_fprintf(PR_STDERR, "Failed to Init DB: %s\n",
SECU_Strerror(PORT_GetError()));
ret = CHANGEPW_FAILED_ERR;
}
if (*userPassword && !PK11_IsLoggedIn(slot, &passwordSuccess)) {
PR_fprintf(PR_STDERR, "New DB did not log in after init\n");
ret = AUTHENTICATION_FAILED_ERR;
}
/* generate a symetric key */
key = PK11_TokenKeyGen(slot, type, NULL, 0, &keyid,
PR_TRUE, &passwordSuccess);
if (!key) {
PR_fprintf(PR_STDERR, "Could not generated symetric key: %s\n",
SECU_Strerror(PORT_GetError()));
exit(UNSPECIFIED_ERR);
}
PK11_FreeSymKey(key);
PK11_Logout(slot);
PK11_Authenticate(slot, PR_TRUE, &passwordSuccess);
if (*userPassword && !passwordSuccess) {
PR_fprintf(PR_STDERR, "New DB Did not initalize\n");
ret = AUTHENTICATION_FAILED_ERR;
}
key = PK11_FindFixedKey(slot, type, &keyid, &passwordSuccess);
if (!key) {
PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
SECU_Strerror(PORT_GetError()));
ret = UNSPECIFIED_ERR;
} else {
PK11_FreeSymKey(key);
}
PK11_FreeSlot(slot);
}
if (NSS_Shutdown() != SECSuccess) {
PR_fprintf(PR_STDERR, "Could not find generated key: %s\n",
SECU_Strerror(PORT_GetError()));
exit(1);
}
}
loser:
return ret;
}
