Update NSS to NSS 3.14 pre-release snapshot 2012-06-26 01:00:00 PDT.

mozilla/security/nss/lib/pk11wrap/pk11auth.c

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * This file deals with PKCS #11 passwords and authentication.
  */
 #include "seccomon.h"
 #include "secmod.h"
 #include "secmodi.h"
 #include "secmodti.h"
@@ skipping 28 matching lines @@
 } PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL };
  
 /***********************************************************
  * Password Utilities
  ***********************************************************/
 /*
  * Check the user's password. Log into the card if it's correct.
  * succeed if the user is already logged in.
  */
 SECStatus
-pk11_CheckPassword(PK11SlotInfo *slot,char *pw)
+pk11_CheckPassword(PK11SlotInfo *slot,char *pw,PRBool contextSpecific)
 {
     int len = 0;
     CK_RV crv;
     SECStatus rv;
     int64 currtime = PR_Now();
     PRBool mustRetry;
     int retry = 0;
 
     if (slot->protectedAuthPath) {
         len = 0;
         pw = NULL;
     } else if (pw == NULL) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     } else {
         len = PORT_Strlen(pw);
     }
 
     do {
         PK11_EnterSlotMonitor(slot);
-        crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+        crv = PK11_GETTAB(slot)->C_Login(slot->session,
+                contextSpecific ? CKU_CONTEXT_SPECIFIC : CKU_USER,
                                                 (unsigned char *)pw,len);
         slot->lastLoginCheck = 0;
         mustRetry = PR_FALSE;
         PK11_ExitSlotMonitor(slot);
         switch (crv) {
         /* if we're already logged in, we're good to go */
         case CKR_OK:
+                /* TODO If it was for CKU_CONTEXT_SPECIFIC should we do this */

[wtc, 2012/11/07 22:12:33]

Indentation looks wrong.

             slot->authTransact = PK11_Global.transaction;
             /* Fall through */
         case CKR_USER_ALREADY_LOGGED_IN:
             slot->authTime = currtime;
             rv = SECSuccess;
             break;
         case CKR_PIN_INCORRECT:
             PORT_SetError(SEC_ERROR_BAD_PASSWORD);
             rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
             break;
@@ skipping 145 matching lines @@
     } else if (askpw == -1) {
         if (!PK11_Global.inTransaction  ||
                          (PK11_Global.transaction != slot->authTransact)) {
             PK11_EnterSlotMonitor(slot);
             PK11_GETTAB(slot)->C_Logout(slot->session);
             slot->lastLoginCheck = 0;
             PK11_ExitSlotMonitor(slot);
             NeedAuth = PR_TRUE;
         }
     }
-    if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx);
+    if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx,PR_FALSE);
 }
 
 void
 PK11_SlotDBUpdate(PK11SlotInfo *slot)
 {
     SECMOD_UpdateModule(slot->module);
 }
 
 /*
  * set new askpw and timeout values
@@ skipping 38 matching lines @@
     return slot->needLogin && !PK11_IsLoggedIn(slot,wincx);
 }
 
 /*
  * make sure a slot is authenticated...
  * This function only does the authentication if it is needed.
  */
 SECStatus
 PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
     if (pk11_LoginStillRequired(slot,wincx)) {
-        return PK11_DoPassword(slot,loadCerts,wincx);
+        return PK11_DoPassword(slot,loadCerts,wincx,PR_FALSE);
     }
     return SECSuccess;
 }
 
 /*
  * Authenticate to "unfriendly" tokens (tokens which need to be logged
  * in to find the certs.
  */
 SECStatus
 pk11_AuthenticateUnfriendly(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
@@ skipping 210 matching lines @@
 
 
 /*
  * authenticate to a slot. This loops until we can't recover, the user
  * gives up, or we succeed. If we're already logged in and this function
  * is called we will still prompt for a password, but we will probably
  * succeed no matter what the password was (depending on the implementation
  * of the PKCS 11 module.
  */
 SECStatus
-PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
+PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx,
+                        PRBool contextSpecific)
 {
     SECStatus rv = SECFailure;
     char * password;
     PRBool attempt = PR_FALSE;
 
     if (PK11_NeedUserInit(slot)) {
         PORT_SetError(SEC_ERROR_IO);
         return SECFailure;
     }
 
@@ skipping 48 matching lines @@
                 PORT_Free(password);
                 continue;
             }
             /* applicaton tried to authenticate and succeeded we're done */
             if (strcmp(password, PK11_PW_AUTHENTICATED) == 0) {
                 rv = SECSuccess;
                 PORT_Free(password);
                 break;
             }
         }
-        rv = pk11_CheckPassword(slot,password);
+        rv = pk11_CheckPassword(slot,password,contextSpecific);
         PORT_Memset(password, 0, PORT_Strlen(password));
         PORT_Free(password);
         if (rv != SECWouldBlock) break;
     }
     if (rv == SECSuccess) {
         if (!PK11_IsFriendly(slot)) {
             nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
                                               slot->nssToken);
         }
     } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
@@ skipping 149 matching lines @@
     case CKS_RO_PUBLIC_SESSION:
     default:
         break; /* fail */
     case CKS_RW_USER_FUNCTIONS:
     case CKS_RW_SO_FUNCTIONS:
     case CKS_RO_USER_FUNCTIONS:
         return PR_TRUE;
     }
     return PR_FALSE; 
 }