From: Ray Strode <halfline@gmail.com>
To: qemu-devel@nongnu.org
Cc: Alon Levy <alevy@redhat.com>, Michael Tokarev <mjt@tls.msk.ru>,
Robert Relyea <rrelyea@redhat.com>
Subject: [Qemu-devel] [PATCH 0/2] Try to fix problem with emulated smartcards where invalid PIN succeeds
Date: Sun, 8 Sep 2013 01:08:37 -0400 [thread overview]
Message-ID: <1378616919-18169-1-git-send-email-halfline@gmail.com> (raw)
I started writing a blog post yesterday about virtualized smartcards here:
https://blogs.gnome.org/halfline/2013/09/08/another-smartcard-post/
and while testing what I was writing I noticed an invalid PIN worked when
it shouldn't have. It turns out that typing a valid PIN once in one program in
the guest, is enough to make all future programs asking for the PIN to succeed
regardless of what gets typed in for the PIN.
I did some digging through the libcacard code, and noticed it uses the
NSS PK11_Authenticate function which calls a function that has this comment above it:
If we're already logged in and this function is called we
will still prompt for a password, but we will probably succeed
no matter what the password was.
Also, PK11_Authenticate short-circuits to an early "return SECSuccess" if the token
is already logged in.
The two patches in this series attempt to correct this problem by calling PK11_Logout.
I'm not 100% certain I've placed the PK11_Logout call in the best place, but it does
seeming to fix the issue.
next reply other threads:[~2013-09-08 5:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-08 5:08 Ray Strode [this message]
2013-09-08 5:08 ` [Qemu-devel] [PATCH 1/2] libcacard: introduce new vcard_emul_logout Ray Strode
2013-09-08 5:08 ` [Qemu-devel] [PATCH 2/2] libcacard: Lock NSS cert db when selecting an applet on an emulated card Ray Strode
2013-09-08 8:18 ` [Qemu-devel] [PATCH 0/2] Try to fix problem with emulated smartcards where invalid PIN succeeds Alon Levy
2013-09-09 18:19 ` Robert Relyea
2013-09-11 13:35 ` Ray Strode
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1378616919-18169-1-git-send-email-halfline@gmail.com \
--to=halfline@gmail.com \
--cc=alevy@redhat.com \
--cc=mjt@tls.msk.ru \
--cc=qemu-devel@nongnu.org \
--cc=rrelyea@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).