Bug 1507760, modutil: print warning when adding module while p11-kit is enabled, r=rrelyea

author: Daiki Ueno <dueno@redhat.com> 2018-11-16 13:13:37 +0100
committer: Daiki Ueno <dueno@redhat.com> 2018-11-16 13:13:37 +0100
commit: a1280e010a3c6f9105c01552cd0245af516054ba (patch)
tree: e323b2f8622631af650b0c27fb4b9b984a81b7cd
parent: 813d79cee3525060ede41765b8e0b12465256778 (diff)
download: nss-hg-a1280e010a3c6f9105c01552cd0245af516054ba.tar.gz
4 files changed, 78 insertions, 1 deletions
diff --git a/cmd/modutil/error.h b/cmd/modutil/error.h
index d9f06592f..33ed7bde7 100644
--- a/cmd/modutil/error.h
+++ b/cmd/modutil/error.h
@@ -131,6 +131,7 @@ typedef enum {
     UNDEFAULT_SUCCESS_MSG,
     BROWSER_RUNNING_MSG,
     ABORTING_MSG,
+    P11_KIT_ENABLED_MSG,
 
     LAST_MSG /* must be last */
 } Message;
diff --git a/cmd/modutil/modutil.c b/cmd/modutil/modutil.c
index c1b44be53..f04ad3d92 100644
--- a/cmd/modutil/modutil.c
+++ b/cmd/modutil/modutil.c
@@ -138,7 +138,11 @@ char* msgStrings[] = {
     "\ncorruption of your security databases. If the browser is currently running,"
     "\nyou should exit browser before continuing this operation. Type "
     "\n'q <enter>' to abort, or <enter> to continue: ",
-    "\nAborting...\n"
+    "\nAborting...\n",
+    "\nWARNING: Manually adding a module while p11-kit is enabled could cause"
+    "\nduplicate module registration in your security database. It is suggested "
+    "\nto configure the module through p11-kit configuration file instead.\n"
+    "\nType 'q <enter>' to abort, or <enter> to continue: "
 };
 
 /* Increment i if doing so would have i still be less than j.  If you
@@ -856,6 +860,28 @@ main(int argc, char* argv[])
         goto loser;
     }
 
+    /* Warn if we are adding a module while p11-kit is enabled in the
+     * database. */
+    if ((command == ADD_COMMAND || command == RAW_ADD_COMMAND) &&
+        IsP11KitEnabled()) {
+        char* response;
+
+        PR_fprintf(PR_STDOUT, msgStrings[P11_KIT_ENABLED_MSG]);
+        if (!PR_fgets(stdinbuf, STDINBUF_SIZE, PR_STDIN)) {
+            PR_fprintf(PR_STDERR, errStrings[STDIN_READ_ERR]);
+            errcode = STDIN_READ_ERR;
+            goto loser;
+        }
+        if ((response = strtok(stdinbuf, " \r\n\t"))) {
+            if (!PL_strcasecmp(response, "q")) {
+                PR_fprintf(PR_STDOUT, msgStrings[ABORTING_MSG]);
+                errcode = SUCCESS;
+                goto loser;
+            }
+        }
+        PR_fprintf(PR_STDOUT, "\n");
+    }
+
     /* Execute the command */
     switch (command) {
         case ADD_COMMAND:
diff --git a/cmd/modutil/modutil.h b/cmd/modutil/modutil.h
index 04aa908c8..1981fec7b 100644
--- a/cmd/modutil/modutil.h
+++ b/cmd/modutil/modutil.h
@@ -36,6 +36,7 @@ Error RawAddModule(char *dbmodulespec, char *modulespec);
 Error RawListModule(char *modulespec);
 Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
 Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
+PRBool IsP11KitEnabled(void);
 void out_of_memory(void);
 
 #endif /*MODUTIL_H*/
diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c
index 1efc1895c..6d17a3365 100644
--- a/cmd/modutil/pk11.c
+++ b/cmd/modutil/pk11.c
@@ -259,6 +259,55 @@ getStringFromFlags(unsigned long flags, const MaskString array[], int elements)
     return buf;
 }
 
+static PRBool
+IsP11KitProxyModule(SECMODModule *module)
+{
+    CK_INFO modinfo;
+    static const char p11KitManufacturerID[33] =
+        "PKCS#11 Kit                     ";
+    static const char p11KitLibraryDescription[33] =
+        "PKCS#11 Kit Proxy Module        ";
+
+    if (PK11_GetModInfo(module, &modinfo) == SECSuccess &&
+        PORT_Memcmp(modinfo.manufacturerID,
+                    p11KitManufacturerID,
+                    sizeof(modinfo.manufacturerID)) == 0 &&
+        PORT_Memcmp(modinfo.libraryDescription,
+                    p11KitLibraryDescription,
+                    sizeof(modinfo.libraryDescription)) == 0) {
+        return PR_TRUE;
+    }
+
+    return PR_FALSE;
+}
+
+PRBool
+IsP11KitEnabled(void)
+{
+    SECMODListLock *lock;
+    SECMODModuleList *mlp;
+    PRBool found = PR_FALSE;
+
+    lock = SECMOD_GetDefaultModuleListLock();
+    if (!lock) {
+        PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]);
+        return found;
+    }
+
+    SECMOD_GetReadLock(lock);
+
+    mlp = SECMOD_GetDefaultModuleList();
+    for (; mlp != NULL; mlp = mlp->next) {
+        if (IsP11KitProxyModule(mlp->module)) {
+            found = PR_TRUE;
+            break;
+        }
+    }
+
+    SECMOD_ReleaseReadLock(lock);
+    return found;
+}
+
 /**********************************************************************
  *
  * A d d M o d u l e
author	Daiki Ueno <dueno@redhat.com>	2018-11-16 13:13:37 +0100
committer	Daiki Ueno <dueno@redhat.com>	2018-11-16 13:13:37 +0100
commit	a1280e010a3c6f9105c01552cd0245af516054ba (patch)
tree	e323b2f8622631af650b0c27fb4b9b984a81b7cd
parent	813d79cee3525060ede41765b8e0b12465256778 (diff)
download	nss-hg-a1280e010a3c6f9105c01552cd0245af516054ba.tar.gz