From: Gerd Hoffmann <kraxel@redhat.com>
To: qemu-devel@nongnu.org
Cc: Ray Strode <rstrode@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 2/5] libcacard: Lock NSS cert db when selecting an applet on an emulated card
Date: Tue, 28 Oct 2014 11:50:19 +0100 [thread overview]
Message-ID: <1414493422-4422-3-git-send-email-kraxel@redhat.com> (raw)
In-Reply-To: <1414493422-4422-1-git-send-email-kraxel@redhat.com>
From: Ray Strode <rstrode@redhat.com>
When a process in a guest uses an emulated smartcard, libcacard running
on the host passes the PIN from the guest to the PK11_Authenticate NSS
function. The first time PK11_Authenticate is called the passed in PIN
is used to unlock the certificate database. Subsequent calls to
PK11_Authenticate will transparently succeed, regardless of the passed in
PIN. This is a convenience for applications provided by NSS.
Of course, the guest may have many applications using the one emulated
smart card all driven from the same host QEMU process. That means if a
user enters the right PIN in one program in the guest, and then enters the
wrong PIN in another program in the guest, the wrong PIN will still
successfully unlock the virtual smartcard.
This commit forces the NSS certificate database to be locked anytime an
applet is selected on an emulated smartcard by calling vcard_emul_logout.
Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-By: Robert Relyea <rrelyea@redhat.com>
Reviewed-By: Alon Levy <alevy@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
libcacard/vcard.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/libcacard/vcard.c b/libcacard/vcard.c
index 87ad516..d140a8e 100644
--- a/libcacard/vcard.c
+++ b/libcacard/vcard.c
@@ -250,6 +250,11 @@ void
vcard_select_applet(VCard *card, int channel, VCardApplet *applet)
{
assert(channel < MAX_CHANNEL);
+
+ /* If using an emulated card, make sure to log out of any already logged in
+ * session. */
+ vcard_emul_logout(card);
+
card->current_applet[channel] = applet;
/* reset the applet */
if (applet && applet->reset_applet) {
--
1.8.3.1
next prev parent reply other threads:[~2014-10-28 10:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-28 10:50 [Qemu-devel] [PULL 0/5] usb patch queue Gerd Hoffmann
2014-10-28 10:50 ` [Qemu-devel] [PULL 1/5] libcacard: introduce new vcard_emul_logout Gerd Hoffmann
2014-10-28 10:50 ` Gerd Hoffmann [this message]
2014-10-28 10:50 ` [Qemu-devel] [PULL 3/5] libcacard: don't free sign buffer while sign op is pending Gerd Hoffmann
2014-10-28 10:50 ` [Qemu-devel] [PULL 4/5] xhci: add property to turn on/off streams support Gerd Hoffmann
2014-10-28 10:50 ` [Qemu-devel] [PULL 5/5] uhci: remove useless DEBUG Gerd Hoffmann
2014-10-30 18:21 ` [Qemu-devel] [PULL 0/5] usb patch queue Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1414493422-4422-3-git-send-email-kraxel@redhat.com \
--to=kraxel@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=rstrode@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).