Blob Blame Raw
From 395280a1e87ce876f3a601c00a429e852bfc9f3b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 23 Nov 2016 09:53:02 -0500
Subject: [PATCH] Don't use same NSS db in nss_pcache as mod_nss, use
 NSS_NoDB_Init()

This is to avoid doing the wrapping within an HSM. There have been
reports of disconnects which causes future mod_nss children to fail
to spawn because the PIN cannot be retrieved.

A side-effect is that nss_pcache is only used for storage now. It used
to also verify that the PIN was correct since it had the NSS database
with the token available.

mod_nss will be responsible for validating the PIN which it already
does.

This move is also needed if mod_nss eventually moves to using
NSS Contexts because multiple databases may be configured at once.
---
 docs/mod_nss.html |  4 ++--
 nss_engine_init.c |  6 ++----
 nss_pcache.c      | 34 ++++++----------------------------
 nss_pcache.h      |  2 +-
 4 files changed, 11 insertions(+), 35 deletions(-)

diff --git a/docs/mod_nss.html b/docs/mod_nss.html
index 655d2f2..c3ae924 100644
--- a/docs/mod_nss.html
+++ b/docs/mod_nss.html
@@ -1811,7 +1811,7 @@ httpd.service - The Apache HTTP Server
    Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
    CGroup: name=systemd:/system/httpd.service
            |_____20807 /usr/sbin/httpd -DFOREGROUND
-           |_____20808 /usr/libexec/nss_pcache 10027086 off /etc/httpd/alias
+           |_____20808 /usr/libexec/nss_pcache 10027086 off
            |_____20809 /usr/sbin/httpd -DFOREGROUND
            |_____20810 /usr/sbin/httpd -DFOREGROUND
            |_____20811 /usr/sbin/httpd -DFOREGROUND
@@ -1972,7 +1972,7 @@ httpd.service - The Apache HTTP Server
    Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
    CGroup: name=systemd:/system/httpd.service
            |_____21299 /usr/sbin/httpd -DFOREGROUND
-           |_____21300 /usr/libexec/nss_pcache 10289231 on /etc/httpd/alias
+           |_____21300 /usr/libexec/nss_pcache 10289231 on
            |_____21340 /usr/sbin/httpd -DFOREGROUND
            |_____21341 /usr/sbin/httpd -DFOREGROUND
            |_____21342 /usr/sbin/httpd -DFOREGROUND
diff --git a/nss_engine_init.c b/nss_engine_init.c
index 2571591..bf90994 100644
--- a/nss_engine_init.c
+++ b/nss_engine_init.c
@@ -582,7 +582,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
 
     /* Do we need to fire up our password helper? */
     if (mc->nInitCount == 1) {
-        const char * child_argv[6];
+        const char * child_argv[4];
         apr_status_t rv;
         struct sembuf sb;
         char sembuf[32];
@@ -615,9 +615,7 @@ int nss_init_Module(apr_pool_t *p, apr_pool_t *plog,
         child_argv[0] = mc->pphrase_dialog_helper;
         child_argv[1] = sembuf;
         child_argv[2] = fipsenabled ? "on" : "off";
-        child_argv[3] = mc->pCertificateDatabase;
-        child_argv[4] = mc->pDBPrefix;
-        child_argv[5] = NULL;
+        child_argv[3] = NULL;
 
         rv = apr_procattr_create(&mc->procattr, mc->pPool);
 
diff --git a/nss_pcache.c b/nss_pcache.c
index 5e98adb..d0e457b 100644
--- a/nss_pcache.c
+++ b/nss_pcache.c
@@ -131,7 +131,7 @@ void signalhandler(int signo) {
  * CreatePk11PinStore
  */
 int
-CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin)
+CreatePk11PinStore(Pk11PinStore **out, const char *pin)
 {
     int err = PIN_SUCCESS;
     Pk11PinStore *store;
@@ -146,29 +146,9 @@ CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin)
         store->params = 0;
         store->crypt = 0;
 
-        /* Use the tokenName to find a PKCS11 slot */
-        store->slot = PK11_FindSlotByName((char *)tokenName);
+        store->slot = PK11_GetInternalSlot();
         if (store->slot == 0) { err = PIN_NOSUCHTOKEN; break; }
 
-        /* Check the password/PIN.  This allows access to the token */
-        {
-            SECStatus rv = PK11_CheckUserPassword(store->slot, (char *)pin);
-
-            if (rv == SECSuccess)
-                ;
-            else if (rv == SECWouldBlock)
-            {
-                /* NSS returns a blocking error when the pin is wrong */
-                err = PIN_INCORRECTPW;
-                break;
-            }
-            else
-            {
-                err = PIN_SYSTEMERROR;
-                break;
-            }
-        }
-
         /* Find the mechanism that this token can do */
         {
             const mech_item *tp;
@@ -349,8 +329,8 @@ int main(int argc, char ** argv)
     int fipsmode = 0;
     union semun semarg;
 
-    if (argc < 4 || argc > 5) {
-        fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off> <directory> [prefix]\n");
+    if (argc != 3) {
+        fprintf(stderr, "Usage: nss_pcache <semid> <fips on/off>\n");
         exit(1);
     }
 
@@ -368,8 +348,7 @@ int main(int argc, char ** argv)
     /* Set the PKCS #11 strings for the internal token. */
     PK11_ConfigurePKCS11(NULL,NULL,NULL, INTERNAL_TOKEN_NAME, NULL, NULL,NULL,NULL,8,1);
 
-    /* Initialize NSS and open the certificate database read-only. */
-    rv = NSS_Initialize(argv[3], argc == 5 ? argv[4] : NULL, argc == 5 ? argv[4] : NULL, "secmod.db", NSS_INIT_READONLY);
+    rv = NSS_NoDB_Init(NULL);
 
     if (rv != SECSuccess) {
         fprintf(stderr, "Unable to initialize NSS database: %d\n", rv);
@@ -436,8 +415,7 @@ int main(int argc, char ** argv)
                         node->next = 0;
 
                         if (err == PIN_SUCCESS)
-                            err = CreatePk11PinStore(&node->store,
-                                                     tokenName, tokenpw);
+                            err = CreatePk11PinStore(&node->store, tokenpw);
                         memset(tokenpw, 0, strlen(tokenpw));
                     }
                 } else
diff --git a/nss_pcache.h b/nss_pcache.h
index 74cb19d..a0b8e62 100644
--- a/nss_pcache.h
+++ b/nss_pcache.h
@@ -21,7 +21,7 @@
 
 typedef struct Pk11PinStore Pk11PinStore;
 
-int CreatePk11PinStore(Pk11PinStore **out, const char *tokenName, const char *pin);
+int CreatePk11PinStore(Pk11PinStore **out, const char *pin);
 
 int Pk11StoreGetPin(char **out, Pk11PinStore *store);
 
-- 
2.9.3