|
 |
154a6e |
From 395280a1e87ce876f3a601c00a429e852bfc9f3b Mon Sep 17 00:00:00 2001
|
|
|
154a6e |
From: Rob Crittenden <rcritten@redhat.com>
|
|
|
154a6e |
Date: Wed, 23 Nov 2016 09:53:02 -0500
|
|
|
154a6e |
Subject: [PATCH] Don't use same NSS db in nss_pcache as mod_nss, use
|
|
|
154a6e |
NSS_NoDB_Init()
|
|
|
154a6e |
|
|
|
154a6e |
This is to avoid doing the wrapping within an HSM. There have been
|
|
|
154a6e |
reports of disconnects which causes future mod_nss children to fail
|
|
|
154a6e |
to spawn because the PIN cannot be retrieved.
|
|
|
154a6e |
|
|
|
154a6e |
A side-effect is that nss_pcache is only used for storage now. It used
|
|
|
154a6e |
to also verify that the PIN was correct since it had the NSS database
|
|
|
154a6e |
with the token available.
|
|
|
154a6e |
|
|
|
154a6e |
mod_nss will be responsible for validating the PIN which it already
|
|
|
154a6e |
does.
|
|
|
154a6e |
|
|
|
154a6e |
This move is also needed if mod_nss eventually moves to using
|
|
|
154a6e |
NSS Contexts because multiple databases may be configured at once.
|
|
|
154a6e |
---
|
|
|
154a6e |
docs/mod_nss.html | 4 ++--
|
|
|
154a6e |
nss_engine_init.c | 6 ++----
|
|
|
154a6e |
nss_pcache.c | 34 ++++++----------------------------
|
|
|
154a6e |
nss_pcache.h | 2 +-
|
|
|
154a6e |
4 files changed, 11 insertions(+), 35 deletions(-)
|
|
|
154a6e |
|
|
|
154a6e |
diff --git a/docs/mod_nss.html b/docs/mod_nss.html
|
|
|
154a6e |
index 655d2f2..c3ae924 100644
|
|
|
154a6e |
--- a/docs/mod_nss.html
|
|
|
154a6e |
+++ b/docs/mod_nss.html
|
|
|
154a6e |
@@ -1811,7 +1811,7 @@ httpd.service - The Apache HTTP Server
|
|
|
154a6e |
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
|
|
|
154a6e |
CGroup: name=systemd:/system/httpd.service
|
|
|
154a6e |
|_____20807 /usr/sbin/httpd -DFOREGROUND
|
|
|
154a6e |
- |_____20808 /usr/libexec/nss_pcache 10027086 off /etc/httpd/alias
|
|
|
154a6e |
+ |_____20808 /usr/libexec/nss_pcache 10027086 off
|
|
|
154a6e |
|_____20809 /usr/sbin/httpd -DFOREGROUND
|
|
|
154a6e |
|_____20810 /usr/sbin/httpd -DFOREGROUND
|
|
|
154a6e |
|_____20811 /usr/sbin/httpd -DFOREGROUND
|
|
|
154a6e |
@@ -1972,7 +1972,7 @@ httpd.service - The Apache HTTP Server
|
|
|
154a6e |
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
|
|
|
154a6e |
CGroup: name=systemd:/system/httpd.service
|
|
|
154a6e |
|_____21299 /usr/sbin/httpd -DFOREGROUND
|
|
|
154a6e |
- |_____21300 /usr/libexec/nss_pcache 10289231 on /etc/httpd/alias
|
|
|
154a6e |
+ |_____21300 /usr/libexec/nss_pcache 10289231 on
|
|
|
154a6e |
|_____21340 /usr/sbin/httpd -DFOREGROUND
|
|
|
154a6e |
|_____21341 /usr/sbin/httpd -DFOREGROUND
|
|
|
154a6e |
|_____21342 /usr/sbin/httpd -DFOREGROUND
|
|
|
154a6e |
diff --git a/nss_engine_init.c b/nss_engine_init.c
|
|
|
154a6e |
index 2571591..bf90994 100644
|
|
|
154a6e |
--- a/nss_engine_init.c
|
|
|
154a6e |
+++ b/nss_engine_init.c
|
|
|
154a6e |
@@ -582,7 +582,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
|
|
|
154a6e |
|
|
|
154a6e |
/* Do we need to fire up our password helper? */
|
|
|
154a6e |
if (mc->nInitCount == 1) {
|
|
|
154a6e |
- const char * child_argv[6];
|
|
|
154a6e |
+ const char * child_argv[4];
|
|
|
154a6e |
apr_status_t rv;
|
|
|
154a6e |
struct sembuf sb;
|
|
|
154a6e |
char sembuf[32];
|
|
|
154a6e |
@@ -615,9 +615,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
|
|
|
154a6e |
child_argv[0] = mc->pphrase_dialog_helper;
|
|
|
154a6e |
child_argv[1] = sembuf;
|
|
|
154a6e |
child_argv[2] = fipsenabled ? "on" : "off";
|
|
|
154a6e |
- child_argv[3] = mc->pCertificateDatabase;
|
|
|
154a6e |
- child_argv[4] = mc->pDBPrefix;
|
|
|
154a6e |
- child_argv[5] = NULL;
|
|
|
154a6e |
+ child_argv[3] = NULL;
|
|
|
154a6e |
|
|
|
154a6e |
rv = apr_procattr_create(&mc->procattr, mc->pPool);
|
|
|
154a6e |
|
|
|
154a6e |
diff --git a/nss_pcache.c b/nss_pcache.c
|
|
|
154a6e |
index 5e98adb..d0e457b 100644
|
|
|
154a6e |
--- a/nss_pcache.c
|
|
|
154a6e |
+++ b/nss_pcache.c
|
|
|
154a6e |
@@ -131,7 +131,7 @@ void signalhandler(int signo) {
|
|
|
154a6e |
* CreatePk11PinStore
|
|
|
154a6e |
*/
|
|
|
154a6e |
int
|
|
|
154a6e |
-CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin)
|
|
|
154a6e |
+CreatePk11PinStore(Pk11PinStore **out, const char *pin)
|
|
|
154a6e |
{
|
|
|
154a6e |
int err = PIN_SUCCESS;
|
|
|
154a6e |
Pk11PinStore *store;
|
|
|
154a6e |
@@ -146,29 +146,9 @@ CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin)
|
|
|
154a6e |
store->params = 0;
|
|
|
154a6e |
store->crypt = 0;
|
|
|
154a6e |
|
|
|
154a6e |
- /* Use the tokenName to find a PKCS11 slot */
|
|
|
154a6e |
- store->slot = PK11_FindSlotByName((char *)tokenName);
|
|
|
154a6e |
+ store->slot = PK11_GetInternalSlot();
|
|
|
154a6e |
if (store->slot == 0) { err = PIN_NOSUCHTOKEN; break; }
|
|
|
154a6e |
|
|
|
154a6e |
- /* Check the password/PIN. This allows access to the token */
|
|
|
154a6e |
- {
|
|
|
154a6e |
- SECStatus rv = PK11_CheckUserPassword(store->slot, (char *)pin);
|
|
|
154a6e |
-
|
|
|
154a6e |
- if (rv == SECSuccess)
|
|
|
154a6e |
- ;
|
|
|
154a6e |
- else if (rv == SECWouldBlock)
|
|
|
154a6e |
- {
|
|
|
154a6e |
- /* NSS returns a blocking error when the pin is wrong */
|
|
|
154a6e |
- err = PIN_INCORRECTPW;
|
|
|
154a6e |
- break;
|
|
|
154a6e |
- }
|
|
|
154a6e |
- else
|
|
|
154a6e |
- {
|
|
|
154a6e |
- err = PIN_SYSTEMERROR;
|
|
|
154a6e |
- break;
|
|
|
154a6e |
- }
|
|
|
154a6e |
- }
|
|
|
154a6e |
-
|
|
|
154a6e |
/* Find the mechanism that this token can do */
|
|
|
154a6e |
{
|
|
|
154a6e |
const mech_item *tp;
|
|
|
154a6e |
@@ -349,8 +329,8 @@ int main(int argc, char ** argv)
|
|
|
154a6e |
int fipsmode = 0;
|
|
|
154a6e |
union semun semarg;
|
|
|
154a6e |
|
|
|
154a6e |
- if (argc < 4 || argc > 5) {
|
|
|
154a6e |
- fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> [prefix]\n");
|
|
|
154a6e |
+ if (argc != 3) {
|
|
|
154a6e |
+ fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off>\n");
|
|
|
154a6e |
exit(1);
|
|
|
154a6e |
}
|
|
|
154a6e |
|
|
|
154a6e |
@@ -368,8 +348,7 @@ int main(int argc, char ** argv)
|
|
|
154a6e |
/* Set the PKCS #11 strings for the internal token. */
|
|
|
154a6e |
PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
|
|
|
154a6e |
|
|
|
154a6e |
- /* Initialize NSS and open the certificate database read-only. */
|
|
|
154a6e |
- rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
|
|
|
154a6e |
+ rv = NSS_NoDB_Init(NULL);
|
|
|
154a6e |
|
|
|
154a6e |
if (rv != SECSuccess) {
|
|
|
154a6e |
fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
|
|
|
154a6e |
@@ -436,8 +415,7 @@ int main(int argc, char ** argv)
|
|
|
154a6e |
node->next = 0;
|
|
|
154a6e |
|
|
|
154a6e |
if (err == PIN_SUCCESS)
|
|
|
154a6e |
- err = CreatePk11PinStore(&node->store,
|
|
|
154a6e |
- tokenName, tokenpw);
|
|
|
154a6e |
+ err = CreatePk11PinStore(&node->store, tokenpw);
|
|
|
154a6e |
memset(tokenpw, 0, strlen(tokenpw));
|
|
|
154a6e |
}
|
|
|
154a6e |
} else
|
|
|
154a6e |
diff --git a/nss_pcache.h b/nss_pcache.h
|
|
|
154a6e |
index 74cb19d..a0b8e62 100644
|
|
|
154a6e |
--- a/nss_pcache.h
|
|
|
154a6e |
+++ b/nss_pcache.h
|
|
|
154a6e |
@@ -21,7 +21,7 @@
|
|
|
154a6e |
|
|
|
154a6e |
typedef struct Pk11PinStore Pk11PinStore;
|
|
|
154a6e |
|
|
|
154a6e |
-int CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin);
|
|
|
154a6e |
+int CreatePk11PinStore(Pk11PinStore **out, const char *pin);
|
|
|
154a6e |
|
|
|
154a6e |
int Pk11StoreGetPin(char **out, Pk11PinStore *store);
|
|
|
154a6e |
|
|
|
154a6e |
--
|
|
|
154a6e |
2.9.3
|
|
|
154a6e |
|