📄 password.c
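PK11_RestoreROSession(slot, session);*/
    /* fill in the tokenInfo structure */
    info->encrypted = encrypted;
    info->encryptedLen = encryptedLength;
    info->slot = slot;
    return SSM_SUCCESS;
loser:
    SSM_DEBUG("Failed to encrypt password.\n");
    if (context != NULL)
        PK11_DestroyContext(context, PR_TRUE);
    /*if (session != CK_INVALID_SESSION) PK11_RestoreROSession(slot, session);*/
    if (encrypted && *encrypted)
        PR_Free(encrypted);
    return SSM_FAILURE;
}

/*
 * Build the password prompt for a token.
 *
 * Looks up the "retry_token_password" text when retry is set, otherwise
 * "ask_token_password", and formats it with the token name of slot.
 * Returns a PR_smprintf-allocated string (callers in this file release it
 * with PR_Free), or NULL on any failure.
 *
 * Needs to be fixed using NLS lib and proper string storage.
 */
char *
SSM_GetPrompt(PK11SlotInfo *slot, PRBool retry, PRBool init)
{
    char *prompt = NULL, *tmp = NULL, *key;
    /* Start from NULL so the !cx test below never reads an unset pointer. */
    SSMTextGenContext *cx = NULL;
    SSMStatus rv;

    PR_ASSERT(init != PR_TRUE);

    rv = SSMTextGen_NewTopLevelContext(NULL, &cx);
    if (rv != SSM_SUCCESS || !cx)
        goto loser;

    key = retry ? "retry_token_password" : "ask_token_password";
    rv = SSM_GetAndExpandTextKeyedByString(cx, key, &tmp);
    if (rv != SSM_SUCCESS || !tmp)
        goto loser;

    /*
     * The looked-up text is the format string, so it must contain exactly
     * one %s; the token name is only ever passed as an argument.
     */
    prompt = PR_smprintf(tmp, PK11_GetTokenName(slot));

loser:
    /* NOTE(review): cx is never released in this function; confirm whether
     * the text-gen context needs an explicit destroy call here. */
    PR_FREEIF(tmp);
    return prompt;
}

/*
 * Send a password request for the client.
 *
 * Encodes a PasswordRequest (token key, prompt text, client context) and
 * queues it on the connection's outgoing queue as a UI-priority auth event.
 * Returns PR_SUCCESS when the message was queued, a failure status otherwise.
 */
SSMStatus
SSM_AskUserPassword(SSMResource *res, PK11SlotInfo *slot,
                    PRInt32 retry, PRBool init)
{
    SECItem message;
    char *prompt = NULL;
    PRInt32 tokenKey = SSM_GetTokenKey(slot);
    SSMStatus rv = PR_FAILURE;
    SSMConnection *conn = (SSMConnection *)res->m_connection;
    PasswordRequest request;

    /*
     * The cleanup code frees message.data on every exit path, including
     * the ones taken before the message is encoded, so the item must not
     * hold stack garbage.
     */
    message.data = NULL;
    message.len = 0;

    prompt = SSM_GetPrompt(slot, retry, init);
    if (!prompt) {
        SSM_DEBUG("%ld: error getting prompt for password request.\n", conn);
        goto loser;
    }

    request.tokenKey = tokenKey;
    request.prompt = prompt;
    request.clientContext = res->m_clientContext;
    if (CMT_EncodeMessage(PasswordRequestTemplate, (CMTItem *)&message,
                          &request) != CMTSuccess) {
        goto loser;
    }
    if (message.len == 0 || !message.data) {
        SSM_DEBUG("%ld: could not create password request message.\n", conn);
        goto loser;
    }

    message.type = (SECItemType)(SSM_EVENT_MESSAGE | SSM_AUTH_EVENT);
    rv = SSM_SendQMessage(SSM_OUT_QUEUE(conn), SSM_PRIORITY_UI, message.type,
                          message.len, (char *)message.data, PR_TRUE);
    if (rv != PR_SUCCESS) {
        SSM_DEBUG("%ld: Can't enqueue password request. \n", conn);
        goto loser;
    }

loser:
    /* Shared exit: reached on success as well as on failure. */
    if (prompt)
        PR_Free(prompt);
    if (message.data)
        PR_Free(message.data);
    return rv;
}

/*
 * Block until a password for key shows up in the connection's password
 * table, or until SSM_PASSWORD_WAIT_TIME has elapsed.
 *
 * On success *str receives the pointer found in the table; on timeout *str
 * stays NULL and PR_FAILURE is returned. The elapsed time is only examined
 * after SSM_WaitPasswdTable returns.
 * NOTE(review): ownership of the returned string is not visible here;
 * confirm who releases (and clears) it.
 */
SSMStatus
SSMControlConnection_WaitPassword(SSMConnection *conn, PRInt32 key,
                                  char **str)
{
    char *passwd = NULL;
    PRIntervalTime before;
    SSMStatus rv = PR_FAILURE;

    *str = NULL;

    /* Wait no longer than our time-out period. */
    before = PR_IntervalNow();

    SSM_LockPasswdTable(conn);
    for (;;) {
        SSM_DEBUG("%ld : waiting on password table for the password\n", conn);
        SSM_WaitPasswdTable(conn);

        /* Returned from wait. Look for password. */
        rv = SSM_HashFind(SSM_PWD_TABLE(conn), key, (void **)&passwd);
        if (rv == PR_SUCCESS && passwd && passwd != (char *)SSM_NO_PASSWORD)
            break;

        /* password not found, check for timeout */
        if (PR_IntervalNow() - before > SSM_PASSWORD_WAIT_TIME) {
            SSM_DEBUG("%ld:Timed out waiting for password.Bailing out.\n", conn);
            SSM_UnlockPasswdTable(conn);
            return PR_FAILURE;
        }
        /* otherwise continue waiting */
    }
    SSM_UnlockPasswdTable(conn);

    *str = passwd;
    return rv;
}

extern PK11SlotListElement *
PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *element,
                 PRBool start);

/*
 * Return the next list element whose slot is of interest for password
 * handling, starting from the head when current is NULL or start is set.
 * Slots that need user initialization and do not need login are skipped.
 * Returns NULL when no such element remains.
 */
PK11SlotListElement *
ssm_GetSlotWithPwd(PK11SlotList *slotlist, PK11SlotListElement *current,
                   PRBool start)
{
    PK11SlotListElement *next = NULL;

    PR_ASSERT(slotlist);

    if (!current || start)
        next = PK11_GetFirstSafe(slotlist);
    else
        next = PK11_GetNextSafe(slotlist, current, PR_FALSE);

    while (next && PK11_NeedUserInit(next->slot) &&
           !PK11_NeedLogin(next->slot)) {
        next = PK11_GetNextSafe(slotlist, next, PR_FALSE);
    }
    return next;
}

/*
 * Count the slots in slotList that need login or do not need user
 * initialization (the complement of what ssm_GetSlotWithPwd skips).
 */
PRIntn
ssm_NumSlotsWithPassword(PK11SlotList *slotList)
{
    PRIntn numslots = 0;
    PK11SlotListElement *element = PK11_GetFirstSafe(slotList);

    while (element) {
        if (PK11_NeedLogin(element->slot) ||
            !PK11_NeedUserInit(element->slot)) {
            numslots++;
        }
        element = PK11_GetNextSafe(slotList, element, PR_FALSE);
    }
    return numslots;
}

/*
 * Keyword handler producing the "set new password" / "reset password" text
 * for one token.
 *
 * The token is chosen from the request's "action" parameter: empty or
 * missing selects the internal key slot, "all" asks the user to pick when
 * more than one candidate exists, anything else is looked up by name.
 * On success cx->m_result holds the formatted text; on failure it is
 * released and set to NULL and PR_FAILURE is returned.
 */
SSMStatus
SSM_ReSetPasswordKeywordHandler(SSMTextGenContext *cx)
{
    char *slotname = NULL;
    PK11SlotInfo *slot;
    char *tmp = NULL;
    SSMStatus rv;
    SSMResource *target;
    PK11SlotList *slotList = NULL;
    PK11SlotListElement *el = NULL;

    PR_ASSERT(cx != NULL);
    PR_ASSERT(cx->m_request != NULL);
    /* Read the target only after the asserts above have had their say. */
    target = cx->m_request->target;

    rv = SSM_HTTPParamValue(cx->m_request, "action", &slotname);
    if (!slotname || strcmp(slotname, "") == 0) {
        slot = PK11_GetInternalKeySlot();
    } else if (strcmp(slotname, "all") == 0) {
        /* ask user */
        slotList = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_TRUE, PR_TRUE,
                                     target);
        if (!slotList || !slotList->head)
            goto loser;
        if (ssm_NumSlotsWithPassword(slotList) > 1) {
            char *mech = PR_smprintf("mech=%d", CKM_INVALID_MECHANISM);

            if (!mech)
                goto loser;
            SSM_LockUIEvent(target);
            rv = SSMControlConnection_SendUIEvent(cx->m_request->ctrlconn,
                                                  "get", "select_token",
                                                  target, mech,
                                                  &target->m_clientContext);
            if (rv != SSM_SUCCESS) {
                /*
                 * No event was sent, so nothing will ever wake an
                 * untimed wait; release the lock and fail, as the other
                 * senders in this file do.
                 */
                SSM_UnlockUIEvent(target);
                goto loser;
            }
            SSM_WaitUIEvent(target, PR_INTERVAL_NO_TIMEOUT);
            /* NOTE(review): mech is not released; confirm whether
             * SendUIEvent keeps the pointer before freeing it here. */
            slot = (PK11SlotInfo *)target->m_uiData;
            if (!slot)
                goto cancel;
        } else {
            /* only one interesting slot in the list */
            el = ssm_GetSlotWithPwd(slotList, NULL, PR_TRUE);
            if (!el) /* every slot was skipped: nothing to act on */
                goto loser;
            slot = el->slot;
        }
    } else {
        slot = PK11_FindSlotByName(slotname);
    }

    if (!slot) {
        SSM_DEBUG("ReSetPasswordKeywordHandler: bad slotname %s\n",
                  slotname ? slotname : "(null)");
        goto loser;
    }
    /* NOTE(review): slotList and the slot reference are not released in
     * this function; confirm the intended ownership. */
    slotname = PK11_GetTokenName(slot);
    if (PK11_NeedPWInitForSlot(slot))
        rv = SSM_GetAndExpandTextKeyedByString(cx, "set_new_password", &tmp);
    else
        rv = SSM_GetAndExpandTextKeyedByString(cx, "reset_password", &tmp);
    if (rv != SSM_SUCCESS || !tmp)
        goto loser;

    PR_FREEIF(cx->m_result);
    cx->m_result = PR_smprintf(tmp, slotname);
    /* The expanded template is ours to release (SSM_GetPrompt does the same). */
    PR_FREEIF(tmp);
    return rv;

loser:
    PR_FREEIF(tmp);
    if (cx->m_result)
        PR_Free(cx->m_result);
    cx->m_result = NULL;
    return PR_FAILURE;

cancel:
    SSM_HTTPCloseWindow(cx->m_request);
    goto loser;
}

/*
 * Check a candidate password against SSM_MIN_PWD_LEN / SSM_MAX_PWD_LEN.
 * A NULL password is accepted only when the minimum length is zero.
 */
PRBool
ssm_VerifyPwdLength(char *password)
{
    size_t len;

    if (!password)
        return (!SSM_MIN_PWD_LEN);

    len = strlen(password); /* measured once instead of per comparison */
    if (len < SSM_MIN_PWD_LEN)
        return PR_FALSE;
    if (len > SSM_MAX_PWD_LEN)
        return PR_FALSE;
    return PR_TRUE;
}

/*
 * Keyword handler rendering the password-lifetime preferences.
 *
 * Formats the "password_lifetime" text with the "text_checked" marker
 * placed in the position selected by security.ask_for_password, followed by
 * security.password_lifetime. cx->m_result is replaced on success.
 */
SSMStatus
SSM_PasswordPrefKeywordHandler(SSMTextGenContext *cx)
{
    char *fmt = NULL, *checked = NULL;
    char *markchecked[] = { "", "", "" };
    SSMStatus rv;
    PRIntn askpw, timeout;

    PR_ASSERT(cx != NULL);
    PR_ASSERT(cx->m_request != NULL);
    PR_ASSERT(cx->m_result != NULL);

    /* need to get the table and fill it with current preferences */
    rv = SSM_GetAndExpandTextKeyedByString(cx, "password_lifetime", &fmt);
    if (rv != SSM_SUCCESS || !fmt)
        goto done;
    rv = SSM_GetAndExpandTextKeyedByString(cx, "text_checked", &checked);
    if (rv != SSM_SUCCESS || !checked)
        goto done;

    rv = PREF_GetIntPref(cx->m_request->ctrlconn->m_prefs,
                         "security.ask_for_password", &askpw);
    if (rv != SSM_SUCCESS)
        goto done;
    rv = PREF_GetIntPref(cx->m_request->ctrlconn->m_prefs,
                         "security.password_lifetime", &timeout);
    if (rv != SSM_SUCCESS)
        goto done;

    /*
     * askpw comes from stored preferences and is used as an array index;
     * a value outside 0..2 must not write past the three-entry table.
     */
    if (askpw < 0 ||
        askpw >= (PRIntn)(sizeof(markchecked) / sizeof(markchecked[0]))) {
        SSM_DEBUG("PasswordPrefKeywordHandler: bad ask_for_password value %d\n",
                  askpw);
        rv = SSM_FAILURE;
        goto done;
    }
    markchecked[askpw] = checked;

    PR_FREEIF(cx->m_result);
    cx->m_result = PR_smprintf(fmt, markchecked[0], markchecked[1],
                               markchecked[2], timeout);

done:
    /* Both templates are caller-owned (SSM_GetPrompt frees its copy too). */
    PR_FREEIF(fmt);
    PR_FREEIF(checked);
    return rv;
}

/*
 * HTTP handler for the set/change password dialog.
 *
 * Reads the slot name, the password-lifetime settings and the old/new/
 * repeated passwords from the request, stores the settings, then sets or
 * changes the token password. The outcome is reported as
 * "result=password_success" or "result=password_failure" through a
 * "show_followup" UI event when the dialog was opened from the Security
 * Advisor. The returned status is that of closing the window (or of the
 * default command handler when only the settings were changed), not of the
 * password operation itself.
 *
 * NOTE(review): the lifetime settings are applied and saved before the old
 * password is verified, and stay in place when the password change fails.
 * Confirm that changing them without authentication is intended.
 */
SSMStatus
SSM_SetDBPasswordHandler(HTTPRequest *req)
{
    SSMStatus rv = SSM_FAILURE;
    /* All request values start as NULL so no path reads an unset pointer. */
    char *oldpassword = NULL, *newpassword = NULL, *repeatpassword = NULL;
    char *action = NULL;
    PK11SlotInfo *slot;
    char *result = NULL;
    char *slotname = NULL, *askpwdoption = NULL, *pwdlifetime = NULL;
    PRIntn askpw, timeout;
    PRBool needInit;

    /* An unexpected baseRef is only logged; processing continues. */
    rv = SSM_HTTPParamValue(req, "baseRef", &action);
    if (rv != SSM_SUCCESS || !action ||
        strcmp(action, "windowclose_doclose_js") != 0) {
        SSM_DEBUG("SetDBPasswordHandler: bad action %s\n",
                  action ? action : "(null)");
    }

    rv = SSM_HTTPParamValue(req, "slot", &slotname);
    if (rv != SSM_SUCCESS || !slotname)
        goto loser;
    /* NOTE(review): this slot reference is never released here; confirm. */
    slot = PK11_FindSlotByName(slotname);
    if (!slot)
        goto loser;

    /* process password preferences */
    rv = SSM_HTTPParamValue(req, "passwordlife", &askpwdoption);
    if (rv != SSM_SUCCESS || !askpwdoption)
        goto loser;
    rv = SSM_HTTPParamValue(req, "passwordwillexpire", &pwdlifetime);
    if (rv != SSM_SUCCESS || !pwdlifetime)
        goto loser;

    if (strcmp(askpwdoption, "firsttime") == 0) {
        askpw = 0;
    } else if (strcmp(askpwdoption, "everytime") == 0) {
        askpw = 1;
    } else if (strcmp(askpwdoption, "expiretime") == 0) {
        askpw = 2;
    } else {
        SSM_DEBUG("SetDBPasswordHandler: bad password lifetime parameter %s\n",
                  askpwdoption);
        goto loser;
    }

    /*
     * atoi yields 0 for non-numeric text. An expiring password needs a
     * positive lifetime, so zero and negative values are both refused.
     */
    timeout = atoi(pwdlifetime);
    if (askpw == 2 && timeout <= 0)
        goto loser;

    PK11_SetSlotPWValues(slot, askpw, timeout);
    rv = SSMControlConnection_SaveIntPref(req->ctrlconn,
                                          "security.ask_for_password", askpw);
    if (rv != PR_SUCCESS)
        goto loser;
    rv = SSMControlConnection_SaveIntPref(req->ctrlconn,
                                          "security.password_lifetime",
                                          timeout);
    if (rv != SSM_SUCCESS)
        goto loser;

    rv = SSM_HTTPParamValue(req, "newpassword", &newpassword);
    if (rv != SSM_SUCCESS)
        goto loser;
    rv = SSM_HTTPParamValue(req, "repeatpassword", &repeatpassword);
    if (rv != SSM_SUCCESS)
        goto loser;
    /* Both values are dereferenced and compared below. */
    if (!newpassword || !repeatpassword)
        goto loser;

    needInit = PK11_NeedPWInitForSlot(slot);
    if (!needInit) {
        /* oldpassword doesn't make sense for password initialization dialog */
        rv = SSM_HTTPParamValue(req, "oldpassword", &oldpassword);
        if (rv != SSM_SUCCESS || !oldpassword)
            goto loser;
        /* we do this check to find the case where the user changed only
         * password settings, not the password itself
         */
        if ((oldpassword[0] == '\0') && (newpassword[0] == '\0') &&
            (repeatpassword[0] == '\0')) {
            rv = SSM_HTTPDefaultCommandHandler(req);
            goto done;
        }
    }

    if (!ssm_VerifyPwdLength(newpassword))
        goto loser;
    if (strcmp(newpassword, repeatpassword) != 0)
        goto loser;

    if (!needInit) {
        /* there is some password on the DB */
        if (PK11_CheckUserPassword(slot, oldpassword) != SECSuccess)
            goto loser;
        if (PK11_ChangePW(slot, oldpassword, newpassword) != SECSuccess)
            goto loser;
    } else if (PK11_NeedUserInit(slot)) {
        if (PK11_InitPin(slot, NULL, newpassword) != SECSuccess)
            goto loser;
    } else {
        if (PK11_ChangePW(slot, NULL, newpassword) != SECSuccess)
            goto loser;
    }
    result = PR_smprintf("result=password_success");

loser:
    /* Reached on success too; result is only set on the success path. */
    if (!result)
        result = PR_smprintf("result=password_failure");
    rv = SSM_HTTPCloseAndSleep(req);
    if (rv != SSM_SUCCESS)
        SSM_DEBUG("SetDBPasswordHandler: failure in DefaultCommandHandler\n");
    /* post status if password dialog was invoked from the SecurityAdvisor */
    if (SSM_IsA(req->target, SSM_RESTYPE_SECADVISOR_CONTEXT)) {
        SSMControlConnection_SendUIEvent(req->ctrlconn, "get", "show_followup",
                                         NULL, result,
                                         &((SSMResource *)req->ctrlconn)->m_clientContext);
    }
    /* NOTE(review): result is never released; confirm whether SendUIEvent
     * keeps the pointer before adding a free here. */
done:
    if (req->target && req->target->m_UILock)
        SSM_NotifyUIEvent(req->target);
    return rv;
}

/*
 * Keyword handler mapping the request's "result" parameter to the matching
 * follow-up text ("password_success", "password_failure", "no_ldap_setup").
 * An unrecognized value leaves cx->m_result untouched and returns the
 * status of the parameter lookup.
 */
SSMStatus
SSM_ShowFollowupKeywordHandler(SSMTextGenContext *cx)
{
    char *resultvalue;
    SSMStatus rv;

    PR_ASSERT(cx != NULL);
    PR_ASSERT(cx->m_request != NULL);
    PR_ASSERT(cx->m_result != NULL);

    rv = SSM_HTTPParamValue(cx->m_request, "result", &resultvalue);
    if (rv != SSM_SUCCESS || !resultvalue)
        goto loser;

    if (strcmp(resultvalue, "password_success") == 0) {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "set_password_success",
                                               &cx->m_result);
    } else if (strcmp(resultvalue, "password_failure") == 0) {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "set_password_failure",
                                               &cx->m_result);
    } else if (strcmp(resultvalue, "no_ldap_setup") == 0) {
        rv = SSM_GetAndExpandTextKeyedByString(cx, "no_ldap_server_set",
                                               &cx->m_result);
    }

loser:
    return rv;
}

/*
 * Ask the client to bring up the "set_password" dialog for slot and wait,
 * without a timeout, for the UI event to complete.
 */
SSMStatus
SSM_SetUserPassword(PK11SlotInfo *slot, SSMResource *ct)
{
    SSMStatus rv;
    /*
     * NOTE(review): the token name is placed into the parameter string
     * without escaping; a name containing '&' or '=' would alter the
     * parameters. Confirm whether it should be URL-encoded.
     */
    char *params = PR_smprintf("slot=%s&mechanism=%d",
                               PK11_GetTokenName(slot),
                               CKM_INVALID_MECHANISM);

    /* Do not take the UI lock if there is nothing to send. */
    if (!params)
        return SSM_FAILURE;

    SSM_LockUIEvent(ct);
    rv = SSMControlConnection_SendUIEvent(ct->m_connection, "get",
                                          "set_password", ct, params,
                                          &ct->m_clientContext);
    if (rv != SSM_SUCCESS)
        goto loser;
    SSM_WaitUIEvent(ct, PR_INTERVAL_NO_TIMEOUT);
    /* NOTE(review): params is not released on either path; confirm whether
     * SendUIEvent keeps the pointer before freeing it. */
    return rv;

loser:
    SSM_UnlockUIEvent(ct);
    return rv;
}

/*
 * HTTP handler that opens the "set_password" dialog for all slots and waits
 * on the control connection's UI event until the dialog finishes.
 */
SSMStatus
SSM_ProcessPasswordWindow(HTTPRequest *req)
{
    SSMStatus rv = SSM_FAILURE;
    SSMResource *target = NULL;

    if (!req || !req->ctrlconn)
        goto loser;

    /*
     * The window contents aren't going to change, so just send back
     * a NO_CONTENT error, which leaves the window content as is.
     */
    rv = SSM_HTTPReportError(req, HTTP_NO_CONTENT);

    /* Fall back to the control connection when the request has no target. */
    target = (req->target ? req->target : (SSMResource *)req->ctrlconn);

    /* send UI event to bring up the dialog */
    SSM_LockUIEvent(&req->ctrlconn->super.super);
    rv = SSMControlConnection_SendUIEvent(req->ctrlconn, "get", "set_password",
                                          target, "slot=all&mech=1",
                                          &target->m_clientContext);
    if (rv != SSM_SUCCESS) {
        SSM_UnlockUIEvent(&req->ctrlconn->super.super);
        goto loser;
    }
    SSM_WaitUIEvent(&req->ctrlconn->super.super, PR_INTERVAL_NO_TIMEOUT);

loser:
    return rv;
}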