Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nss: inspect returnvalue of token check #4110

Closed
wants to merge 1 commit into from
Closed

nss: inspect returnvalue of token check #4110

wants to merge 1 commit into from

Conversation

danielgustafsson
Copy link
Member

PK11_IsPresent() checks for the token for the given slot is available, and sets needlogin flags for the PK11_Authenticate() call. Should it return false, we should however treat it as an error and bail out.

@kdudka is there a reason to ignore the returnvalue of PK11_IsPresent() that I'm not seeing?

@danielgustafsson
nss: inspect returnvalue of token check
36e33eb 
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call.  Should it
return false, we should however treat it as an error and bail out.
kdudka
kdudka approved these changes Jul 15, 2019
View changes
Copy link
Collaborator

@kdudka kdudka left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only purpose of the SECMOD_WaitForAnyTokenEvent()/PK11_IsPresent() calls is to force NSS to invalidate its internal cache (originally intended to optimize out unneeded accesses to HW tokens, which could be slow I/O devices). Even NSS itself ignores the return value of PK11_IsPresent() in such cases:
https://github.com/nss-dev/nss/blob/ac64f9e6/lib/pk11wrap/pk11util.c#L1505
https://github.com/nss-dev/nss/blob/ac64f9e6/lib/pk11wrap/pk11util.c#L1635

However, your patch looks fine and it could ease debugging of some unexpected situations.

@jay jay closed this in e5b371d Jul 17, 2019
@jay
Copy link
Member

jay commented Jul 17, 2019

Thanks

@danielgustafsson
Copy link
Member Author

The only purpose of the SECMOD_WaitForAnyTokenEvent()/PK11_IsPresent() calls is to force NSS to invalidate its internal cache (originally intended to optimize out unneeded accesses to HW tokens, which could be slow I/O devices). Even NSS itself ignores the return value of PK11_IsPresent() in such cases:

Aha, when scanning the NSS code (not carefully enough) I came across cases where the return value was checked and missed these. This makes a lot of sense though, thanks for clarifying.

caraitto pushed a commit to caraitto/curl that referenced this pull request Jul 23, 2019
@danielgustafsson @caraitto
nss: inspect returnvalue of token check
c6c48ef 
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call.  Should it
return false, we should however treat it as an error and bail out.

Closes curl#4110
@lock lock bot locked as resolved and limited conversation to collaborators Oct 15, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@kdudka kdudka

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@danielgustafsson @jay @kdudka