aboutsummaryrefslogtreecommitdiff
path: root/libcacard
diff options
context:
space:
mode:
authorRay Strode <rstrode@redhat.com>2014-10-18 22:12:48 -0400
committerGerd Hoffmann <kraxel@redhat.com>2014-10-28 11:38:18 +0100
commit1223bc4cee3fcdbcb1f6a3ff4ff7a3ab1d875b8a (patch)
treea4b75828aa30f6ad310badf209e6907c50c8f35f /libcacard
parentf032cfab6158e981a6ea0c369c5366e654e668a6 (diff)
libcacard: Lock NSS cert db when selecting an applet on an emulated card
When a process in a guest uses an emulated smartcard, libcacard running on the host passes the PIN from the guest to the PK11_Authenticate NSS function. The first time PK11_Authenticate is called the passed in PIN is used to unlock the certificate database. Subsequent calls to PK11_Authenticate will transparently succeed, regardless of the passed in PIN. This is a convenience for applications provided by NSS. Of course, the guest may have many applications using the one emulated smart card all driven from the same host QEMU process. That means if a user enters the right PIN in one program in the guest, and then enters the wrong PIN in another program in the guest, the wrong PIN will still successfully unlock the virtual smartcard. This commit forces the NSS certificate database to be locked anytime an applet is selected on an emulated smartcard by calling vcard_emul_logout. Signed-off-by: Ray Strode <rstrode@redhat.com> Reviewed-By: Robert Relyea <rrelyea@redhat.com> Reviewed-By: Alon Levy <alevy@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'libcacard')
-rw-r--r--libcacard/vcard.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/libcacard/vcard.c b/libcacard/vcard.c
index 87ad5166a8..d140a8ed1a 100644
--- a/libcacard/vcard.c
+++ b/libcacard/vcard.c
@@ -250,6 +250,11 @@ void
vcard_select_applet(VCard *card, int channel, VCardApplet *applet)
{
assert(channel < MAX_CHANNEL);
+
+ /* If using an emulated card, make sure to log out of any already logged in
+ * session. */
+ vcard_emul_logout(card);
+
card->current_applet[channel] = applet;
/* reset the applet */
if (applet && applet->reset_applet) {