diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/nss/lib/softoken/pkcs11.c | 67 | ||||
-rw-r--r-- | security/nss/lib/softoken/pkcs11i.h | 2 |
2 files changed, 53 insertions, 16 deletions
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 93150cd789..ed723985a6 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -1652,6 +1652,7 @@ sftk_handleObject(SFTKObject *object, SFTKSession *session) CK_OBJECT_HANDLE handle; CK_BBOOL ckfalse = CK_FALSE; CK_BBOOL cktrue = CK_TRUE; + PRBool isLoggedIn, needLogin; CK_RV crv; /* make sure all the base object types are defined. If not set the @@ -1669,9 +1670,13 @@ sftk_handleObject(SFTKObject *object, SFTKSession *session) if (crv != CKR_OK) return crv; + PZ_Lock(slot->slotLock); + isLoggedIn = slot->isLoggedIn; + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + /* don't create a private object if we aren't logged in */ - if ((!slot->isLoggedIn) && (slot->needLogin) && - (sftk_isTrue(object, CKA_PRIVATE))) { + if (!isLoggedIn && needLogin && (sftk_isTrue(object, CKA_PRIVATE))) { return CKR_USER_NOT_LOGGED_IN; } @@ -3617,11 +3622,18 @@ NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) static PRBool sftk_checkNeedLogin(SFTKSlot *slot, SFTKDBHandle *keyHandle) { + PRBool needLogin; if (sftkdb_PWCached(keyHandle) == SECSuccess) { - return slot->needLogin; + PZ_Lock(slot->slotLock); + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + } else { + needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle); + PZ_Lock(slot->slotLock); + slot->needLogin = needLogin; + PZ_Unlock(slot->slotLock); } - slot->needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle); - return (slot->needLogin); + return needLogin; } static PRBool @@ -4021,8 +4033,11 @@ NSC_InitPIN(CK_SESSION_HANDLE hSession, /* Now update our local copy of the pin */ if (rv == SECSuccess) { - if (ulPinLen == 0) + if (ulPinLen == 0) { + PZ_Lock(slot->slotLock); slot->needLogin = PR_FALSE; + PZ_Unlock(slot->slotLock); + } /* database has been initialized, now force min password in FIPS * mode. NOTE: if we are in level1, we may not have a password, but * forcing it now will prevent an insufficient password from being set. @@ -4057,6 +4072,7 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, char newPinStr[SFTK_MAX_PIN + 1], oldPinStr[SFTK_MAX_PIN + 1]; SECStatus rv; CK_RV crv = CKR_SESSION_HANDLE_INVALID; + PRBool needLogin; PRBool tokenRemoved = PR_FALSE; CHECK_FORK(); @@ -4077,7 +4093,10 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, return CKR_PIN_LEN_RANGE; /* XXX FIXME wrong return value */ } - if (slot->needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) { + PZ_Lock(slot->slotLock); + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + if (needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) { crv = CKR_USER_NOT_LOGGED_IN; goto loser; } @@ -4305,6 +4324,8 @@ NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_RV crv; char pinStr[SFTK_MAX_PIN + 1]; PRBool tokenRemoved = PR_FALSE; + PRBool isLoggedIn; + PRBool needLogin; CHECK_FORK(); @@ -4328,9 +4349,14 @@ NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, return CKR_USER_TYPE_INVALID; } - if (slot->isLoggedIn) + PZ_Lock(slot->slotLock); + isLoggedIn = slot->isLoggedIn; + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + + if (isLoggedIn) return CKR_USER_ALREADY_LOGGED_IN; - if (!slot->needLogin) { + if (!needLogin) { return ulPinLen ? CKR_PIN_INCORRECT : CKR_OK; } slot->ssoLoggedIn = PR_FALSE; @@ -4793,7 +4819,7 @@ NSC_GetAttributeValue(CK_SESSION_HANDLE hSession, SFTKSession *session; SFTKObject *object; SFTKAttribute *attribute; - PRBool sensitive; + PRBool sensitive, isLoggedIn, needLogin; CK_RV crv; int i; @@ -4824,9 +4850,13 @@ NSC_GetAttributeValue(CK_SESSION_HANDLE hSession, return CKR_OBJECT_HANDLE_INVALID; } + PZ_Lock(slot->slotLock); + isLoggedIn = slot->isLoggedIn; + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + /* don't read a private object if we aren't logged in */ - if ((!slot->isLoggedIn) && (slot->needLogin) && - (sftk_isTrue(object, CKA_PRIVATE))) { + if (!isLoggedIn && needLogin && (sftk_isTrue(object, CKA_PRIVATE))) { sftk_FreeObject(object); return CKR_USER_NOT_LOGGED_IN; } @@ -4867,7 +4897,7 @@ NSC_SetAttributeValue(CK_SESSION_HANDLE hSession, SFTKSession *session; SFTKAttribute *attribute; SFTKObject *object; - PRBool isToken; + PRBool isToken, isLoggedIn, needLogin; CK_RV crv = CKR_OK; CK_BBOOL legal; int i; @@ -4891,9 +4921,13 @@ NSC_SetAttributeValue(CK_SESSION_HANDLE hSession, return CKR_OBJECT_HANDLE_INVALID; } + PZ_Lock(slot->slotLock); + isLoggedIn = slot->isLoggedIn; + needLogin = slot->needLogin; + PZ_Unlock(slot->slotLock); + /* don't modify a private object if we aren't logged in */ - if ((!slot->isLoggedIn) && (slot->needLogin) && - (sftk_isTrue(object, CKA_PRIVATE))) { + if (!isLoggedIn && needLogin && (sftk_isTrue(object, CKA_PRIVATE))) { sftk_FreeSession(session); sftk_FreeObject(object); return CKR_USER_NOT_LOGGED_IN; @@ -5171,7 +5205,10 @@ NSC_FindObjectsInit(CK_SESSION_HANDLE hSession, search->index = 0; search->size = 0; search->array_size = NSC_SEARCH_BLOCK_SIZE; + + PZ_Lock(slot->slotLock); isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn); + PZ_Unlock(slot->slotLock); crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, isLoggedIn); if (crv != CKR_OK) { diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h index 1630442c9f..0e5153b7b0 100644 --- a/security/nss/lib/softoken/pkcs11i.h +++ b/security/nss/lib/softoken/pkcs11i.h @@ -318,7 +318,7 @@ struct SFTKSessionStr { * object hash tables (sessObjHashTable[] and tokObjHashTable), and * sessionObjectHandleCount. * slotLock protects the remaining protected elements: - * password, isLoggedIn, ssoLoggedIn, and sessionCount, + * password, needLogin, isLoggedIn, ssoLoggedIn, and sessionCount, * and pwCheckLock serializes the key database password checks in * NSC_SetPIN and NSC_Login. * |