зеркало из https://github.com/mozilla/gecko-dev.git
792 строки
21 KiB
C
792 строки
21 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
/*
|
|
* This file deals with PKCS #11 passwords and authentication.
|
|
*/
|
|
#include "seccomon.h"
|
|
#include "secmod.h"
|
|
#include "secmodi.h"
|
|
#include "secmodti.h"
|
|
#include "pkcs11t.h"
|
|
#include "pk11func.h"
|
|
#include "secitem.h"
|
|
#include "secerr.h"
|
|
|
|
#include "pkim.h"
|
|
|
|
|
|
/*************************************************************
|
|
* local static and global data
|
|
*************************************************************/
|
|
/*
|
|
* This structure keeps track of status that spans all the Slots.
|
|
* NOTE: This is a global data structure. It semantics expect thread crosstalk
|
|
* be very careful when you see it used.
|
|
* It's major purpose in life is to allow the user to log in one PER
|
|
* Tranaction, even if a transaction spans threads. The problem is the user
|
|
* may have to enter a password one just to be able to look at the
|
|
* personalities/certificates (s)he can use. Then if Auth every is one, they
|
|
* may have to enter the password again to use the card. See PK11_StartTransac
|
|
* and PK11_EndTransaction.
|
|
*/
|
|
static struct PK11GlobalStruct {
|
|
int transaction;
|
|
PRBool inTransaction;
|
|
char *(PR_CALLBACK *getPass)(PK11SlotInfo *,PRBool,void *);
|
|
PRBool (PR_CALLBACK *verifyPass)(PK11SlotInfo *,void *);
|
|
PRBool (PR_CALLBACK *isLoggedIn)(PK11SlotInfo *,void *);
|
|
} PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL };
|
|
|
|
/***********************************************************
|
|
* Password Utilities
|
|
***********************************************************/
|
|
/*
|
|
* Check the user's password. Log into the card if it's correct.
|
|
* succeed if the user is already logged in.
|
|
*/
|
|
static SECStatus
|
|
pk11_CheckPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
|
|
char *pw, PRBool alreadyLocked, PRBool contextSpecific)
|
|
{
|
|
int len = 0;
|
|
CK_RV crv;
|
|
SECStatus rv;
|
|
PRTime currtime = PR_Now();
|
|
PRBool mustRetry;
|
|
int retry = 0;
|
|
|
|
if (slot->protectedAuthPath) {
|
|
len = 0;
|
|
pw = NULL;
|
|
} else if (pw == NULL) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
} else {
|
|
len = PORT_Strlen(pw);
|
|
}
|
|
|
|
do {
|
|
if (!alreadyLocked) PK11_EnterSlotMonitor(slot);
|
|
crv = PK11_GETTAB(slot)->C_Login(session,
|
|
contextSpecific ? CKU_CONTEXT_SPECIFIC : CKU_USER,
|
|
(unsigned char *)pw,len);
|
|
slot->lastLoginCheck = 0;
|
|
mustRetry = PR_FALSE;
|
|
if (!alreadyLocked) PK11_ExitSlotMonitor(slot);
|
|
switch (crv) {
|
|
/* if we're already logged in, we're good to go */
|
|
case CKR_OK:
|
|
/* TODO If it was for CKU_CONTEXT_SPECIFIC should we do this */
|
|
slot->authTransact = PK11_Global.transaction;
|
|
/* Fall through */
|
|
case CKR_USER_ALREADY_LOGGED_IN:
|
|
slot->authTime = currtime;
|
|
rv = SECSuccess;
|
|
break;
|
|
case CKR_PIN_INCORRECT:
|
|
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
|
|
rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
|
|
break;
|
|
/* someone called reset while we fetched the password, try again once
|
|
* if the token is still there. */
|
|
case CKR_SESSION_HANDLE_INVALID:
|
|
case CKR_SESSION_CLOSED:
|
|
if (session != slot->session) {
|
|
/* don't bother retrying, we were in a middle of an operation,
|
|
* which is now lost. Just fail. */
|
|
PORT_SetError(PK11_MapError(crv));
|
|
rv = SECFailure;
|
|
break;
|
|
}
|
|
if (retry++ == 0) {
|
|
rv = PK11_InitToken(slot,PR_FALSE);
|
|
if (rv == SECSuccess) {
|
|
if (slot->session != CK_INVALID_SESSION) {
|
|
session = slot->session; /* we should have
|
|
* a new session now */
|
|
mustRetry = PR_TRUE;
|
|
} else {
|
|
PORT_SetError(PK11_MapError(crv));
|
|
rv = SECFailure;
|
|
}
|
|
}
|
|
break;
|
|
}
|
|
/* Fall through */
|
|
default:
|
|
PORT_SetError(PK11_MapError(crv));
|
|
rv = SECFailure; /* some failure we can't fix by retrying */
|
|
}
|
|
} while (mustRetry);
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* Check the user's password. Logout before hand to make sure that
|
|
* we are really checking the password.
|
|
*/
|
|
SECStatus
|
|
PK11_CheckUserPassword(PK11SlotInfo *slot, const char *pw)
|
|
{
|
|
int len = 0;
|
|
CK_RV crv;
|
|
SECStatus rv;
|
|
PRTime currtime = PR_Now();
|
|
|
|
if (slot->protectedAuthPath) {
|
|
len = 0;
|
|
pw = NULL;
|
|
} else if (pw == NULL) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
} else {
|
|
len = PORT_Strlen(pw);
|
|
}
|
|
|
|
/*
|
|
* If the token doesn't need a login, don't try to relogin because the
|
|
* effect is undefined. It's not clear what it means to check a non-empty
|
|
* password with such a token, so treat that as an error.
|
|
*/
|
|
if (!slot->needLogin) {
|
|
if (len == 0) {
|
|
rv = SECSuccess;
|
|
} else {
|
|
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
|
|
rv = SECFailure;
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
/* force a logout */
|
|
PK11_EnterSlotMonitor(slot);
|
|
PK11_GETTAB(slot)->C_Logout(slot->session);
|
|
|
|
crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
|
|
(unsigned char *)pw,len);
|
|
slot->lastLoginCheck = 0;
|
|
PK11_ExitSlotMonitor(slot);
|
|
switch (crv) {
|
|
/* if we're already logged in, we're good to go */
|
|
case CKR_OK:
|
|
slot->authTransact = PK11_Global.transaction;
|
|
slot->authTime = currtime;
|
|
rv = SECSuccess;
|
|
break;
|
|
case CKR_PIN_INCORRECT:
|
|
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
|
|
rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
|
|
break;
|
|
default:
|
|
PORT_SetError(PK11_MapError(crv));
|
|
rv = SECFailure; /* some failure we can't fix by retrying */
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
SECStatus
|
|
PK11_Logout(PK11SlotInfo *slot)
|
|
{
|
|
CK_RV crv;
|
|
|
|
/* force a logout */
|
|
PK11_EnterSlotMonitor(slot);
|
|
crv = PK11_GETTAB(slot)->C_Logout(slot->session);
|
|
slot->lastLoginCheck = 0;
|
|
PK11_ExitSlotMonitor(slot);
|
|
if (crv != CKR_OK) {
|
|
PORT_SetError(PK11_MapError(crv));
|
|
return SECFailure;
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
/*
|
|
* transaction stuff is for when we test for the need to do every
|
|
* time auth to see if we already did it for this slot/transaction
|
|
*/
|
|
void PK11_StartAuthTransaction(void)
|
|
{
|
|
PK11_Global.transaction++;
|
|
PK11_Global.inTransaction = PR_TRUE;
|
|
}
|
|
|
|
void PK11_EndAuthTransaction(void)
|
|
{
|
|
PK11_Global.transaction++;
|
|
PK11_Global.inTransaction = PR_FALSE;
|
|
}
|
|
|
|
/*
|
|
* before we do a private key op, we check to see if we
|
|
* need to reauthenticate.
|
|
*/
|
|
void
|
|
PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
|
|
{
|
|
int askpw = slot->askpw;
|
|
PRBool NeedAuth = PR_FALSE;
|
|
|
|
if (!slot->needLogin) return;
|
|
|
|
if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
|
|
PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
|
|
|
|
if (def_slot) {
|
|
askpw = def_slot->askpw;
|
|
PK11_FreeSlot(def_slot);
|
|
}
|
|
}
|
|
|
|
/* timeouts are handled by isLoggedIn */
|
|
if (!PK11_IsLoggedIn(slot,wincx)) {
|
|
NeedAuth = PR_TRUE;
|
|
} else if (askpw == -1) {
|
|
if (!PK11_Global.inTransaction ||
|
|
(PK11_Global.transaction != slot->authTransact)) {
|
|
PK11_EnterSlotMonitor(slot);
|
|
PK11_GETTAB(slot)->C_Logout(slot->session);
|
|
slot->lastLoginCheck = 0;
|
|
PK11_ExitSlotMonitor(slot);
|
|
NeedAuth = PR_TRUE;
|
|
}
|
|
}
|
|
if (NeedAuth) PK11_DoPassword(slot, slot->session, PR_TRUE,
|
|
wincx, PR_FALSE, PR_FALSE);
|
|
}
|
|
|
|
void
|
|
PK11_SlotDBUpdate(PK11SlotInfo *slot)
|
|
{
|
|
SECMOD_UpdateModule(slot->module);
|
|
}
|
|
|
|
/*
|
|
* set new askpw and timeout values
|
|
*/
|
|
void
|
|
PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout)
|
|
{
|
|
slot->askpw = askpw;
|
|
slot->timeout = timeout;
|
|
slot->defaultFlags |= PK11_OWN_PW_DEFAULTS;
|
|
PK11_SlotDBUpdate(slot);
|
|
}
|
|
|
|
/*
|
|
* Get the askpw and timeout values for this slot
|
|
*/
|
|
void
|
|
PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout)
|
|
{
|
|
*askpw = slot->askpw;
|
|
*timeout = slot->timeout;
|
|
|
|
if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
|
|
PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
|
|
|
|
if (def_slot) {
|
|
*askpw = def_slot->askpw;
|
|
*timeout = def_slot->timeout;
|
|
PK11_FreeSlot(def_slot);
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Returns true if the token is needLogin and isn't logged in.
|
|
* This function is used to determine if authentication is needed
|
|
* before attempting a potentially privelleged operation.
|
|
*/
|
|
PRBool
|
|
pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx)
|
|
{
|
|
return slot->needLogin && !PK11_IsLoggedIn(slot,wincx);
|
|
}
|
|
|
|
/*
|
|
* make sure a slot is authenticated...
|
|
* This function only does the authentication if it is needed.
|
|
*/
|
|
SECStatus
|
|
PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
|
|
if (!slot) {
|
|
return SECFailure;
|
|
}
|
|
if (pk11_LoginStillRequired(slot,wincx)) {
|
|
return PK11_DoPassword(slot, slot->session, loadCerts, wincx,
|
|
PR_FALSE, PR_FALSE);
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
/*
|
|
* Authenticate to "unfriendly" tokens (tokens which need to be logged
|
|
* in to find the certs.
|
|
*/
|
|
SECStatus
|
|
pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
|
|
{
|
|
SECStatus rv = SECSuccess;
|
|
if (!PK11_IsFriendly(slot)) {
|
|
rv = PK11_Authenticate(slot, loadCerts, wincx);
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
|
|
/*
|
|
* NOTE: this assumes that we are logged out of the card before hand
|
|
*/
|
|
SECStatus
|
|
PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw)
|
|
{
|
|
CK_SESSION_HANDLE rwsession;
|
|
CK_RV crv;
|
|
SECStatus rv = SECFailure;
|
|
int len = 0;
|
|
|
|
/* get a rwsession */
|
|
rwsession = PK11_GetRWSession(slot);
|
|
if (rwsession == CK_INVALID_SESSION) {
|
|
PORT_SetError(SEC_ERROR_BAD_DATA);
|
|
return rv;
|
|
}
|
|
|
|
if (slot->protectedAuthPath) {
|
|
len = 0;
|
|
ssopw = NULL;
|
|
} else if (ssopw == NULL) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
} else {
|
|
len = PORT_Strlen(ssopw);
|
|
}
|
|
|
|
/* check the password */
|
|
crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
|
|
(unsigned char *)ssopw,len);
|
|
slot->lastLoginCheck = 0;
|
|
switch (crv) {
|
|
/* if we're already logged in, we're good to go */
|
|
case CKR_OK:
|
|
rv = SECSuccess;
|
|
break;
|
|
case CKR_PIN_INCORRECT:
|
|
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
|
|
rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
|
|
break;
|
|
default:
|
|
PORT_SetError(PK11_MapError(crv));
|
|
rv = SECFailure; /* some failure we can't fix by retrying */
|
|
}
|
|
PK11_GETTAB(slot)->C_Logout(rwsession);
|
|
slot->lastLoginCheck = 0;
|
|
|
|
/* release rwsession */
|
|
PK11_RestoreROSession(slot,rwsession);
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* make sure the password conforms to your token's requirements.
|
|
*/
|
|
SECStatus
|
|
PK11_VerifyPW(PK11SlotInfo *slot,char *pw)
|
|
{
|
|
int len = PORT_Strlen(pw);
|
|
|
|
if ((slot->minPassword > len) || (slot->maxPassword < len)) {
|
|
PORT_SetError(SEC_ERROR_BAD_DATA);
|
|
return SECFailure;
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
/*
|
|
* initialize a user PIN Value
|
|
*/
|
|
SECStatus
|
|
PK11_InitPin(PK11SlotInfo *slot, const char *ssopw, const char *userpw)
|
|
{
|
|
CK_SESSION_HANDLE rwsession = CK_INVALID_SESSION;
|
|
CK_RV crv;
|
|
SECStatus rv = SECFailure;
|
|
int len;
|
|
int ssolen;
|
|
|
|
if (userpw == NULL) userpw = "";
|
|
if (ssopw == NULL) ssopw = "";
|
|
|
|
len = PORT_Strlen(userpw);
|
|
ssolen = PORT_Strlen(ssopw);
|
|
|
|
/* get a rwsession */
|
|
rwsession = PK11_GetRWSession(slot);
|
|
if (rwsession == CK_INVALID_SESSION) {
|
|
PORT_SetError(SEC_ERROR_BAD_DATA);
|
|
slot->lastLoginCheck = 0;
|
|
return rv;
|
|
}
|
|
|
|
if (slot->protectedAuthPath) {
|
|
len = 0;
|
|
ssolen = 0;
|
|
ssopw = NULL;
|
|
userpw = NULL;
|
|
}
|
|
|
|
/* check the password */
|
|
crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
|
|
(unsigned char *)ssopw,ssolen);
|
|
slot->lastLoginCheck = 0;
|
|
if (crv != CKR_OK) {
|
|
PORT_SetError(PK11_MapError(crv));
|
|
goto done;
|
|
}
|
|
|
|
crv = PK11_GETTAB(slot)->C_InitPIN(rwsession,(unsigned char *)userpw,len);
|
|
if (crv != CKR_OK) {
|
|
PORT_SetError(PK11_MapError(crv));
|
|
} else {
|
|
rv = SECSuccess;
|
|
}
|
|
|
|
done:
|
|
PK11_GETTAB(slot)->C_Logout(rwsession);
|
|
slot->lastLoginCheck = 0;
|
|
PK11_RestoreROSession(slot,rwsession);
|
|
if (rv == SECSuccess) {
|
|
/* update our view of the world */
|
|
PK11_InitToken(slot,PR_TRUE);
|
|
if (slot->needLogin) {
|
|
PK11_EnterSlotMonitor(slot);
|
|
PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
|
|
(unsigned char *)userpw,len);
|
|
slot->lastLoginCheck = 0;
|
|
PK11_ExitSlotMonitor(slot);
|
|
}
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* Change an existing user password
|
|
*/
|
|
SECStatus
|
|
PK11_ChangePW(PK11SlotInfo *slot, const char *oldpw, const char *newpw)
|
|
{
|
|
CK_RV crv;
|
|
SECStatus rv = SECFailure;
|
|
int newLen = 0;
|
|
int oldLen = 0;
|
|
CK_SESSION_HANDLE rwsession;
|
|
|
|
/* use NULL values to trigger the protected authentication path */
|
|
if (!slot->protectedAuthPath) {
|
|
if (newpw == NULL) newpw = "";
|
|
if (oldpw == NULL) oldpw = "";
|
|
}
|
|
if (newpw) newLen = PORT_Strlen(newpw);
|
|
if (oldpw) oldLen = PORT_Strlen(oldpw);
|
|
|
|
/* get a rwsession */
|
|
rwsession = PK11_GetRWSession(slot);
|
|
if (rwsession == CK_INVALID_SESSION) {
|
|
PORT_SetError(SEC_ERROR_BAD_DATA);
|
|
return rv;
|
|
}
|
|
|
|
crv = PK11_GETTAB(slot)->C_SetPIN(rwsession,
|
|
(unsigned char *)oldpw,oldLen,(unsigned char *)newpw,newLen);
|
|
if (crv == CKR_OK) {
|
|
rv = SECSuccess;
|
|
} else {
|
|
PORT_SetError(PK11_MapError(crv));
|
|
}
|
|
|
|
PK11_RestoreROSession(slot,rwsession);
|
|
|
|
/* update our view of the world */
|
|
PK11_InitToken(slot,PR_TRUE);
|
|
return rv;
|
|
}
|
|
|
|
static char *
|
|
pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void * wincx)
|
|
{
|
|
if (PK11_Global.getPass == NULL) return NULL;
|
|
return (*PK11_Global.getPass)(slot, retry, wincx);
|
|
}
|
|
|
|
void
|
|
PK11_SetPasswordFunc(PK11PasswordFunc func)
|
|
{
|
|
PK11_Global.getPass = func;
|
|
}
|
|
|
|
void
|
|
PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func)
|
|
{
|
|
PK11_Global.verifyPass = func;
|
|
}
|
|
|
|
void
|
|
PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func)
|
|
{
|
|
PK11_Global.isLoggedIn = func;
|
|
}
|
|
|
|
|
|
/*
|
|
* authenticate to a slot. This loops until we can't recover, the user
|
|
* gives up, or we succeed. If we're already logged in and this function
|
|
* is called we will still prompt for a password, but we will probably
|
|
* succeed no matter what the password was (depending on the implementation
|
|
* of the PKCS 11 module.
|
|
*/
|
|
SECStatus
|
|
PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
|
|
PRBool loadCerts, void *wincx, PRBool alreadyLocked,
|
|
PRBool contextSpecific)
|
|
{
|
|
SECStatus rv = SECFailure;
|
|
char * password;
|
|
PRBool attempt = PR_FALSE;
|
|
|
|
if (PK11_NeedUserInit(slot)) {
|
|
PORT_SetError(SEC_ERROR_IO);
|
|
return SECFailure;
|
|
}
|
|
|
|
|
|
/*
|
|
* Central server type applications which control access to multiple
|
|
* slave applications to single crypto devices need to virtuallize the
|
|
* login state. This is done by a callback out of PK11_IsLoggedIn and
|
|
* here. If we are actually logged in, then we got here because the
|
|
* higher level code told us that the particular client application may
|
|
* still need to be logged in. If that is the case, we simply tell the
|
|
* server code that it should now verify the clients password and tell us
|
|
* the results.
|
|
*/
|
|
if (PK11_IsLoggedIn(slot,NULL) &&
|
|
(PK11_Global.verifyPass != NULL)) {
|
|
if (!PK11_Global.verifyPass(slot,wincx)) {
|
|
PORT_SetError(SEC_ERROR_BAD_PASSWORD);
|
|
return SECFailure;
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
/* get the password. This can drop out of the while loop
|
|
* for the following reasons:
|
|
* (1) the user refused to enter a password.
|
|
* (return error to caller)
|
|
* (2) the token user password is disabled [usually due to
|
|
* too many failed authentication attempts].
|
|
* (return error to caller)
|
|
* (3) the password was successful.
|
|
*/
|
|
while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) {
|
|
/* if the token has a protectedAuthPath, the application may have
|
|
* already issued the C_Login as part of it's pk11_GetPassword call.
|
|
* In this case the application will tell us what the results were in
|
|
* the password value (retry or the authentication was successful) so
|
|
* we can skip our own C_Login call (which would force the token to
|
|
* try to login again).
|
|
*
|
|
* Applications that don't know about protectedAuthPath will return a
|
|
* password, which we will ignore and trigger the token to
|
|
* 'authenticate' itself anyway. Hopefully the blinking display on
|
|
* the reader, or the flashing light under the thumbprint reader will
|
|
* attract the user's attention */
|
|
attempt = PR_TRUE;
|
|
if (slot->protectedAuthPath) {
|
|
/* application tried to authenticate and failed. it wants to try
|
|
* again, continue looping */
|
|
if (strcmp(password, PK11_PW_RETRY) == 0) {
|
|
rv = SECWouldBlock;
|
|
PORT_Free(password);
|
|
continue;
|
|
}
|
|
/* applicaton tried to authenticate and succeeded we're done */
|
|
if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) {
|
|
rv = SECSuccess;
|
|
PORT_Free(password);
|
|
break;
|
|
}
|
|
}
|
|
rv = pk11_CheckPassword(slot, session, password,
|
|
alreadyLocked, contextSpecific);
|
|
PORT_Memset(password, 0, PORT_Strlen(password));
|
|
PORT_Free(password);
|
|
if (rv != SECWouldBlock) break;
|
|
}
|
|
if (rv == SECSuccess) {
|
|
if (!PK11_IsFriendly(slot)) {
|
|
nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
|
|
slot->nssToken);
|
|
}
|
|
} else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
|
|
return rv;
|
|
}
|
|
|
|
void PK11_LogoutAll(void)
|
|
{
|
|
SECMODListLock *lock = SECMOD_GetDefaultModuleListLock();
|
|
SECMODModuleList *modList;
|
|
SECMODModuleList *mlp = NULL;
|
|
int i;
|
|
|
|
/* NSS is not initialized, there are not tokens to log out */
|
|
if (lock == NULL) {
|
|
return;
|
|
}
|
|
|
|
SECMOD_GetReadLock(lock);
|
|
modList = SECMOD_GetDefaultModuleList();
|
|
/* find the number of entries */
|
|
for (mlp = modList; mlp != NULL; mlp = mlp->next) {
|
|
for (i=0; i < mlp->module->slotCount; i++) {
|
|
PK11_Logout(mlp->module->slots[i]);
|
|
}
|
|
}
|
|
|
|
SECMOD_ReleaseReadLock(lock);
|
|
}
|
|
|
|
int
|
|
PK11_GetMinimumPwdLength(PK11SlotInfo *slot)
|
|
{
|
|
return ((int)slot->minPassword);
|
|
}
|
|
|
|
/* Does this slot have a protected pin path? */
|
|
PRBool
|
|
PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot)
|
|
{
|
|
return slot->protectedAuthPath;
|
|
}
|
|
|
|
/*
|
|
* we can initialize the password if 1) The toke is not inited
|
|
* (need login == true and see need UserInit) or 2) the token has
|
|
* a NULL password. (slot->needLogin = false & need user Init = false).
|
|
*/
|
|
PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot)
|
|
{
|
|
if (slot->needLogin && PK11_NeedUserInit(slot)) {
|
|
return PR_TRUE;
|
|
}
|
|
if (!slot->needLogin && !PK11_NeedUserInit(slot)) {
|
|
return PR_TRUE;
|
|
}
|
|
return PR_FALSE;
|
|
}
|
|
|
|
PRBool PK11_NeedPWInit()
|
|
{
|
|
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
|
|
PRBool ret = PK11_NeedPWInitForSlot(slot);
|
|
|
|
PK11_FreeSlot(slot);
|
|
return ret;
|
|
}
|
|
|
|
PRBool
|
|
pk11_InDelayPeriod(PRIntervalTime lastTime, PRIntervalTime delayTime,
|
|
PRIntervalTime *retTime)
|
|
{
|
|
PRIntervalTime time;
|
|
|
|
*retTime = time = PR_IntervalNow();
|
|
return (PRBool) (lastTime) && ((time-lastTime) < delayTime);
|
|
}
|
|
|
|
/*
|
|
* Determine if the token is logged in. We have to actually query the token,
|
|
* because it's state can change without intervention from us.
|
|
*/
|
|
PRBool
|
|
PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx)
|
|
{
|
|
CK_SESSION_INFO sessionInfo;
|
|
int askpw = slot->askpw;
|
|
int timeout = slot->timeout;
|
|
CK_RV crv;
|
|
PRIntervalTime curTime;
|
|
static PRIntervalTime login_delay_time = 0;
|
|
|
|
if (login_delay_time == 0) {
|
|
login_delay_time = PR_SecondsToInterval(1);
|
|
}
|
|
|
|
/* If we don't have our own password default values, use the system
|
|
* ones */
|
|
if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
|
|
PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
|
|
|
|
if (def_slot) {
|
|
askpw = def_slot->askpw;
|
|
timeout = def_slot->timeout;
|
|
PK11_FreeSlot(def_slot);
|
|
}
|
|
}
|
|
|
|
if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) &&
|
|
(*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; }
|
|
|
|
|
|
/* forget the password if we've been inactive too long */
|
|
if (askpw == 1) {
|
|
PRTime currtime = PR_Now();
|
|
PRTime result;
|
|
PRTime mult;
|
|
|
|
LL_I2L(result, timeout);
|
|
LL_I2L(mult, 60*1000*1000);
|
|
LL_MUL(result,result,mult);
|
|
LL_ADD(result, result, slot->authTime);
|
|
if (LL_CMP(result, <, currtime) ) {
|
|
PK11_EnterSlotMonitor(slot);
|
|
PK11_GETTAB(slot)->C_Logout(slot->session);
|
|
slot->lastLoginCheck = 0;
|
|
PK11_ExitSlotMonitor(slot);
|
|
} else {
|
|
slot->authTime = currtime;
|
|
}
|
|
}
|
|
|
|
PK11_EnterSlotMonitor(slot);
|
|
if (pk11_InDelayPeriod(slot->lastLoginCheck,login_delay_time, &curTime)) {
|
|
sessionInfo.state = slot->lastState;
|
|
crv = CKR_OK;
|
|
} else {
|
|
crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
|
|
if (crv == CKR_OK) {
|
|
slot->lastState = sessionInfo.state;
|
|
slot->lastLoginCheck = curTime;
|
|
}
|
|
}
|
|
PK11_ExitSlotMonitor(slot);
|
|
/* if we can't get session info, something is really wrong */
|
|
if (crv != CKR_OK) {
|
|
slot->session = CK_INVALID_SESSION;
|
|
return PR_FALSE;
|
|
}
|
|
|
|
switch (sessionInfo.state) {
|
|
case CKS_RW_PUBLIC_SESSION:
|
|
case CKS_RO_PUBLIC_SESSION:
|
|
default:
|
|
break; /* fail */
|
|
case CKS_RW_USER_FUNCTIONS:
|
|
case CKS_RW_SO_FUNCTIONS:
|
|
case CKS_RO_USER_FUNCTIONS:
|
|
return PR_TRUE;
|
|
}
|
|
return PR_FALSE;
|
|
}
|