[Qemu-devel] [PATCH 2/2] libcacard: Lock NSS cert db when selecting an applet on an emulated card

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Ray Strode <halfline@gmail.com>
To: qemu-devel@nongnu.org
Cc: Alon Levy <alevy@redhat.com>, Ray Strode <rstrode@redhat.com>,
	Michael Tokarev <mjt@tls.msk.ru>,
	Robert Relyea <rrelyea@redhat.com>
Subject: [Qemu-devel] [PATCH 2/2] libcacard: Lock NSS cert db when selecting an applet on an emulated card
Date: Sun,  8 Sep 2013 01:08:39 -0400	[thread overview]
Message-ID: <1378616919-18169-3-git-send-email-halfline@gmail.com> (raw)
In-Reply-To: <1378616919-18169-1-git-send-email-halfline@gmail.com>

From: Ray Strode <rstrode@redhat.com>

When a process in a guest uses an emulated smartcard, libcacard passes
the PIN from the guest to the PK11_Authenticate NSS function. The first
time PK11_Authenticate is called the passed in PIN is used to unlock the
certificate database. Subsequent calls to PK11_Authenticate within the
next 60 seconds will transparently succeed, regardless of the passed in
PIN. This is a convenience for applications provided by NSS.

Of course, the guest may have many applications using the one emulated
smart card all driven from the same host qemu process.  That means if a
user enters the right PIN in one program in the guest, and then enters the
wrong PIN in another program in the guest, the wrong PIN will still
succeed (as long as it's within 60 seconds of the right PIN being entered).

This commit forces the NSS certificate database to be locked anytime an
applet is selected on an emulated smartcard by calling vcard_emul_logout.

Signed-off-by: Ray Strode <rstrode@redhat.com>
---
 libcacard/vcard.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libcacard/vcard.c b/libcacard/vcard.c
index 539177b..cf02a25 100644
--- a/libcacard/vcard.c
+++ b/libcacard/vcard.c
@@ -243,60 +243,65 @@ vcard_find_applet(VCard *card, unsigned char *aid, int aid_len)
 {
     VCardApplet *current_applet;
 
     for (current_applet = card->applet_list; current_applet;
                                         current_applet = current_applet->next) {
         if (current_applet->aid_len != aid_len) {
             continue;
         }
         if (memcmp(current_applet->aid, aid, aid_len) == 0) {
             break;
         }
     }
     return current_applet;
 }
 
 unsigned char *
 vcard_applet_get_aid(VCardApplet *applet, int *aid_len)
 {
     if (applet == NULL) {
         return NULL;
     }
     *aid_len = applet->aid_len;
     return applet->aid;
 }
 
 
 void
 vcard_select_applet(VCard *card, int channel, VCardApplet *applet)
 {
     assert(channel < MAX_CHANNEL);
+
+    /* If using an emulated card, make sure to log out of any already logged in
+     * session. */
+    vcard_emul_logout(card);
+
     card->current_applet[channel] = applet;
     /* reset the applet */
     if (applet && applet->reset_applet) {
         applet->reset_applet(card, channel);
     }
 }
 
 VCardAppletPrivate *
 vcard_get_current_applet_private(VCard *card, int channel)
 {
     VCardApplet *applet = card->current_applet[channel];
 
     if (applet == NULL) {
         return NULL;
     }
     return applet->applet_private;
 }
 
 VCardStatus
 vcard_process_applet_apdu(VCard *card, VCardAPDU *apdu,
                           VCardResponse **response)
 {
     if (card->current_applet[apdu->a_channel]) {
         return card->current_applet[apdu->a_channel]->process_apdu(
                                                         card, apdu, response);
     }
     return VCARD_NEXT;
 }
 
 /*
-- 
1.8.3.1

next prev parent reply	other threads:[~2013-09-08  5:09 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-08  5:08 [Qemu-devel] [PATCH 0/2] Try to fix problem with emulated smartcards where invalid PIN succeeds Ray Strode
2013-09-08  5:08 ` [Qemu-devel] [PATCH 1/2] libcacard: introduce new vcard_emul_logout Ray Strode
2013-09-08  5:08 ` Ray Strode [this message]
2013-09-08  8:18 ` [Qemu-devel] [PATCH 0/2] Try to fix problem with emulated smartcards where invalid PIN succeeds Alon Levy
2013-09-09 18:19   ` Robert Relyea
2013-09-11 13:35     ` Ray Strode

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:539177b dfblob:cf02a25 )
 OR (
bs:"[Qemu-devel] [PATCH 2/2] libcacard: Lock NSS cert db when selecting an applet on an emulated card" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1378616919-18169-3-git-send-email-halfline@gmail.com \
    --to=halfline@gmail.com \
    --cc=alevy@redhat.com \
    --cc=mjt@tls.msk.ru \
    --cc=qemu-devel@nongnu.org \
    --cc=rrelyea@redhat.com \
    --cc=rstrode@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).