diff --git a/cmd/modutil/error.h b/cmd/modutil/error.h index d9f06592f8..33ed7bde7d 100644 --- a/cmd/modutil/error.h +++ b/cmd/modutil/error.h @@ -131,6 +131,7 @@ typedef enum { UNDEFAULT_SUCCESS_MSG, BROWSER_RUNNING_MSG, ABORTING_MSG, + P11_KIT_ENABLED_MSG, LAST_MSG /* must be last */ } Message; diff --git a/cmd/modutil/modutil.c b/cmd/modutil/modutil.c index c1b44be536..f04ad3d925 100644 --- a/cmd/modutil/modutil.c +++ b/cmd/modutil/modutil.c @@ -138,7 +138,11 @@ char* msgStrings[] = { "\ncorruption of your security databases. If the browser is currently running," "\nyou should exit browser before continuing this operation. Type " "\n'q ' to abort, or to continue: ", - "\nAborting...\n" + "\nAborting...\n", + "\nWARNING: Manually adding a module while p11-kit is enabled could cause" + "\nduplicate module registration in your security database. It is suggested " + "\nto configure the module through p11-kit configuration file instead.\n" + "\nType 'q ' to abort, or to continue: " }; /* Increment i if doing so would have i still be less than j. If you @@ -856,6 +860,28 @@ main(int argc, char* argv[]) goto loser; } + /* Warn if we are adding a module while p11-kit is enabled in the + * database. */ + if ((command == ADD_COMMAND || command == RAW_ADD_COMMAND) && + IsP11KitEnabled()) { + char* response; + + PR_fprintf(PR_STDOUT, msgStrings[P11_KIT_ENABLED_MSG]); + if (!PR_fgets(stdinbuf, STDINBUF_SIZE, PR_STDIN)) { + PR_fprintf(PR_STDERR, errStrings[STDIN_READ_ERR]); + errcode = STDIN_READ_ERR; + goto loser; + } + if ((response = strtok(stdinbuf, " \r\n\t"))) { + if (!PL_strcasecmp(response, "q")) { + PR_fprintf(PR_STDOUT, msgStrings[ABORTING_MSG]); + errcode = SUCCESS; + goto loser; + } + } + PR_fprintf(PR_STDOUT, "\n"); + } + /* Execute the command */ switch (command) { case ADD_COMMAND: diff --git a/cmd/modutil/modutil.h b/cmd/modutil/modutil.h index 04aa908c85..1981fec7bc 100644 --- a/cmd/modutil/modutil.h +++ b/cmd/modutil/modutil.h @@ -36,6 +36,7 @@ Error RawAddModule(char *dbmodulespec, char *modulespec); Error RawListModule(char *modulespec); Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms); Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms); +PRBool IsP11KitEnabled(void); void out_of_memory(void); #endif /*MODUTIL_H*/ diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c index 1efc1895c4..6d17a33657 100644 --- a/cmd/modutil/pk11.c +++ b/cmd/modutil/pk11.c @@ -259,6 +259,55 @@ getStringFromFlags(unsigned long flags, const MaskString array[], int elements) return buf; } +static PRBool +IsP11KitProxyModule(SECMODModule *module) +{ + CK_INFO modinfo; + static const char p11KitManufacturerID[33] = + "PKCS#11 Kit "; + static const char p11KitLibraryDescription[33] = + "PKCS#11 Kit Proxy Module "; + + if (PK11_GetModInfo(module, &modinfo) == SECSuccess && + PORT_Memcmp(modinfo.manufacturerID, + p11KitManufacturerID, + sizeof(modinfo.manufacturerID)) == 0 && + PORT_Memcmp(modinfo.libraryDescription, + p11KitLibraryDescription, + sizeof(modinfo.libraryDescription)) == 0) { + return PR_TRUE; + } + + return PR_FALSE; +} + +PRBool +IsP11KitEnabled(void) +{ + SECMODListLock *lock; + SECMODModuleList *mlp; + PRBool found = PR_FALSE; + + lock = SECMOD_GetDefaultModuleListLock(); + if (!lock) { + PR_fprintf(PR_STDERR, errStrings[NO_LIST_LOCK_ERR]); + return found; + } + + SECMOD_GetReadLock(lock); + + mlp = SECMOD_GetDefaultModuleList(); + for (; mlp != NULL; mlp = mlp->next) { + if (IsP11KitProxyModule(mlp->module)) { + found = PR_TRUE; + break; + } + } + + SECMOD_ReleaseReadLock(lock); + return found; +} + /********************************************************************** * * A d d M o d u l e