|
 |
60ce18 |
diff -up ./nss/lib/softoken/fipstokn.c.fix-fips-login ./nss/lib/softoken/fipstokn.c
|
|
|
60ce18 |
--- ./nss/lib/softoken/fipstokn.c.fix-fips-login 2017-02-17 05:20:06.000000000 -0800
|
|
|
60ce18 |
+++ ./nss/lib/softoken/fipstokn.c 2017-05-05 15:29:23.934308889 -0700
|
|
|
60ce18 |
@@ -540,7 +540,10 @@ FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TO
|
|
|
60ce18 |
|
|
|
60ce18 |
crv = NSC_GetTokenInfo(slotID, pInfo);
|
|
|
60ce18 |
if (crv == CKR_OK) {
|
|
|
60ce18 |
- if ((pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
|
|
|
60ce18 |
+ /* use the global database to figure out if we are running in
|
|
|
60ce18 |
+ * FIPS 140 Level 1 or Level 2 */
|
|
|
60ce18 |
+ if (slotID == FIPS_SLOT_ID &&
|
|
|
60ce18 |
+ (pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
|
|
|
60ce18 |
isLevel2 = PR_FALSE;
|
|
|
60ce18 |
}
|
|
|
60ce18 |
}
|
|
|
60ce18 |
@@ -616,7 +619,8 @@ FC_InitPIN(CK_SESSION_HANDLE hSession,
|
|
|
60ce18 |
* we need to make sure the pin meets FIPS requirements */
|
|
|
60ce18 |
if ((ulPinLen == 0) || ((rv = sftk_newPinCheck(pPin, ulPinLen)) == CKR_OK)) {
|
|
|
60ce18 |
rv = NSC_InitPIN(hSession, pPin, ulPinLen);
|
|
|
60ce18 |
- if (rv == CKR_OK) {
|
|
|
60ce18 |
+ if ((rv == CKR_OK) &&
|
|
|
60ce18 |
+ (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
|
|
|
60ce18 |
isLevel2 = (ulPinLen > 0) ? PR_TRUE : PR_FALSE;
|
|
|
60ce18 |
}
|
|
|
60ce18 |
}
|
|
|
60ce18 |
@@ -644,7 +648,8 @@ FC_SetPIN(CK_SESSION_HANDLE hSession, CK
|
|
|
60ce18 |
if ((rv = sftk_fipsCheck()) == CKR_OK &&
|
|
|
60ce18 |
(rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) {
|
|
|
60ce18 |
rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
|
|
|
60ce18 |
- if (rv == CKR_OK) {
|
|
|
60ce18 |
+ if ((rv == CKR_OK) &&
|
|
|
60ce18 |
+ (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
|
|
|
60ce18 |
/* if we set the password in level1 we now go
|
|
|
60ce18 |
* to level2. NOTE: we don't allow the user to
|
|
|
60ce18 |
* go from level2 to level1 */
|
|
|
60ce18 |
@@ -705,12 +710,24 @@ FC_GetSessionInfo(CK_SESSION_HANDLE hSes
|
|
|
60ce18 |
|
|
|
60ce18 |
rv = NSC_GetSessionInfo(hSession, pInfo);
|
|
|
60ce18 |
if (rv == CKR_OK) {
|
|
|
60ce18 |
- if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
|
|
|
60ce18 |
- pInfo->state = CKS_RO_USER_FUNCTIONS;
|
|
|
60ce18 |
- }
|
|
|
60ce18 |
- if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) {
|
|
|
60ce18 |
- pInfo->state = CKS_RW_USER_FUNCTIONS;
|
|
|
60ce18 |
- }
|
|
|
60ce18 |
+ /* handle the case where the auxilary slot doesn't require login.
|
|
|
60ce18 |
+ * piggy back on the main token's login state */
|
|
|
60ce18 |
+ if (isLoggedIn &&
|
|
|
60ce18 |
+ ((pInfo->state == CKS_RO_PUBLIC_SESSION) ||
|
|
|
60ce18 |
+ (pInfo->state == CKS_RW_PUBLIC_SESSION))) {
|
|
|
60ce18 |
+ CK_RV crv;
|
|
|
60ce18 |
+ CK_TOKEN_INFO tInfo;
|
|
|
60ce18 |
+ crv = NSC_GetTokenInfo(sftk_SlotIDFromSessionHandle(hSession),
|
|
|
60ce18 |
+ &tInfo);
|
|
|
60ce18 |
+ /* if the token doesn't login, use our global login state */
|
|
|
60ce18 |
+ if ((crv == CKR_OK) && ((tInfo.flags & CKF_LOGIN_REQUIRED) == 0)) {
|
|
|
60ce18 |
+ if (pInfo->state == CKS_RO_PUBLIC_SESSION) {
|
|
|
60ce18 |
+ pInfo->state = CKS_RO_USER_FUNCTIONS;
|
|
|
60ce18 |
+ } else {
|
|
|
60ce18 |
+ pInfo->state = CKS_RW_USER_FUNCTIONS;
|
|
|
60ce18 |
+ }
|
|
|
60ce18 |
+ }
|
|
|
60ce18 |
+ }
|
|
|
60ce18 |
}
|
|
|
60ce18 |
return rv;
|
|
|
60ce18 |
}
|
|
|
60ce18 |
diff -up ./nss/lib/softoken/pkcs11.c.fix-fips-login ./nss/lib/softoken/pkcs11.c
|
|
|
60ce18 |
--- ./nss/lib/softoken/pkcs11.c.fix-fips-login 2017-05-05 15:33:02.247012129 -0700
|
|
|
60ce18 |
+++ ./nss/lib/softoken/pkcs11.c 2017-05-05 15:34:43.399727983 -0700
|
|
|
60ce18 |
@@ -2370,17 +2370,22 @@ sftk_SlotFromID(CK_SLOT_ID slotID, PRBoo
|
|
|
60ce18 |
return slot;
|
|
|
60ce18 |
}
|
|
|
60ce18 |
|
|
|
60ce18 |
-SFTKSlot *
|
|
|
60ce18 |
-sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
|
|
|
60ce18 |
+CK_SLOT_ID
|
|
|
60ce18 |
+sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle)
|
|
|
60ce18 |
{
|
|
|
60ce18 |
CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
|
|
|
60ce18 |
CK_ULONG moduleIndex = (handle >> 31) & 1;
|
|
|
60ce18 |
|
|
|
60ce18 |
if (slotIDIndex >= nscSlotCount[moduleIndex]) {
|
|
|
60ce18 |
- return NULL;
|
|
|
60ce18 |
+ return (CK_SLOT_ID)-1;
|
|
|
60ce18 |
}
|
|
|
60ce18 |
+ return nscSlotList[moduleIndex][slotIDIndex];
|
|
|
60ce18 |
+}
|
|
|
60ce18 |
|
|
|
60ce18 |
- return sftk_SlotFromID(nscSlotList[moduleIndex][slotIDIndex], PR_FALSE);
|
|
|
60ce18 |
+SFTKSlot *
|
|
|
60ce18 |
+sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
|
|
|
60ce18 |
+{
|
|
|
60ce18 |
+ return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE);
|
|
|
60ce18 |
}
|
|
|
60ce18 |
|
|
|
60ce18 |
static CK_RV
|
|
|
60ce18 |
diff -up ./nss/lib/softoken/pkcs11i.h.fix-fips-login ./nss/lib/softoken/pkcs11i.h
|
|
|
60ce18 |
--- ./nss/lib/softoken/pkcs11i.h.fix-fips-login 2017-02-17 05:20:06.000000000 -0800
|
|
|
60ce18 |
+++ ./nss/lib/softoken/pkcs11i.h 2017-05-05 15:29:23.934308889 -0700
|
|
|
60ce18 |
@@ -667,6 +667,7 @@ extern CK_RV sftk_handleObject(SFTKObjec
|
|
|
60ce18 |
|
|
|
60ce18 |
extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
|
|
|
60ce18 |
extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
|
|
|
60ce18 |
+extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
|
|
|
60ce18 |
extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
|
|
|
60ce18 |
extern void sftk_FreeSession(SFTKSession *session);
|
|
|
60ce18 |
extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
|