nss: inspect returnvalue of token check #4110

Closed


danielgustafsson
Member

PK11_IsPresent() checks whether the token for the given slot is available, and sets needlogin flags for the PK11_Authenticate() call. Should it return false, we should however treat it as an error and bail out.

@kdudka is there a reason to ignore the return value of PK11_IsPresent() that I'm not seeing?

Contributor

@kdudka kdudka left a comment

The only purpose of the SECMOD_WaitForAnyTokenEvent()/PK11_IsPresent() calls is to force NSS to invalidate its internal cache (originally intended to optimize out unneeded accesses to HW tokens, which could be slow I/O devices). Even NSS itself ignores the return value of PK11_IsPresent() in such cases:
https://github.com/nss-dev/nss/blob/ac64f9e6/lib/pk11wrap/pk11util.c#L1505
https://github.com/nss-dev/nss/blob/ac64f9e6/lib/pk11wrap/pk11util.c#L1635

However, your patch looks fine and it could ease debugging of some unexpected situations.

@jay jay closed this in e5b371d Jul 17, 2019
@jay
Member

jay commented Jul 17, 2019

Thanks

@danielgustafsson
Member Author

> The only purpose of the SECMOD_WaitForAnyTokenEvent()/PK11_IsPresent() calls is to force NSS to invalidate its internal cache (originally intended to optimize out unneeded accesses to HW tokens, which could be slow I/O devices). Even NSS itself ignores the return value of PK11_IsPresent() in such cases:

Aha, when scanning the NSS code (not carefully enough) I came across cases where the return value was checked and missed these. This makes a lot of sense though, thanks for clarifying.

caraitto pushed a commit to caraitto/curl that referenced this pull request Jul 23, 2019
PK11_IsPresent() checks whether the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call.  Should it
return false, we should however treat it as an error and bail out.

Closes curl#4110
@lock lock bot locked as resolved and limited conversation to collaborators Oct 15, 2019