Bugzilla Bug 298506: Do not log the token name (so the declaration of NSS_3_11_BRANCH
authorwtchang%redhat.com
Wed, 10 May 2006 21:48:52 +0000
branchNSS_3_11_BRANCH
changeset 6996 54a8fc7a485f00f14a7026757301986b53d8d4fc
parent 6992 1e790575586a86bc93e6632d9fb1f00a05fc2368
child 7001 548da2d0c5e86a822ba206535b84fe4c44825b6a
push idunknown
push userunknown
push dateunknown
bugs298506
Bugzilla Bug 298506: Do not log the token name (so the declaration of sftk_getDefTokName in pkcs11i.h and the previous change to sftk_SlotFromID weren't necessary). Use Linux's audit subsystem if available. r=relyea. Modified files: fipstokn.c pkcs11.c pkcs11i.h Tag: NSS_3_11_BRANCH
security/nss/lib/softoken/fipstokn.c
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11i.h
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -61,16 +61,46 @@
 #include <ctype.h>
 
 #ifdef XP_UNIX
 #define NSS_AUDIT_WITH_SYSLOG 1
 #include <syslog.h>
 #include <unistd.h>
 #endif
 
+#ifdef LINUX
+#include <pthread.h>
+#include <dlfcn.h>
+#define LIBAUDIT_NAME "libaudit.so.0"
+#ifndef AUDIT_USER
+#define AUDIT_USER 1005  /* message type: message from userspace */
+#endif
+static void *libaudit_handle;
+static int (*audit_open_func)(void);
+static void (*audit_close_func)(int fd);
+static int (*audit_log_user_message_func)(int audit_fd, int type,
+    const char *message, const char *hostname, const char *addr,
+    const char *tty, int result);
+
+static pthread_once_t libaudit_once_control = PTHREAD_ONCE_INIT;
+
+static void
+libaudit_init(void)
+{
+    libaudit_handle = dlopen(LIBAUDIT_NAME, RTLD_LAZY);
+    if (!libaudit_handle) {
+	return;
+    }
+    audit_open_func = dlsym(libaudit_handle, "audit_open");
+    audit_close_func = dlsym(libaudit_handle, "audit_close");
+    audit_log_user_message_func = dlsym(libaudit_handle,
+					"audit_log_user_message");
+}
+#endif /* LINUX */
+
 
 /*
  * ******************** Password Utilities *******************************
  */
 static PRBool isLoggedIn = PR_FALSE;
 static PRBool fatalError = PR_FALSE;
 
 /*
@@ -280,37 +310,55 @@ PRBool sftk_audit_enabled = PR_FALSE;
  * - for authentication attempts, the origin of the attempt (e.g., terminal
  *   identifier)
  * - for assuming a role, the type of role, and the location of the request
  */
 void
 sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg)
 {
 #ifdef NSS_AUDIT_WITH_SYSLOG
-    SFTKSlot *slot = sftk_SlotFromID(FIPS_SLOT_ID, PR_FALSE);
-    const char *tokenLabel =
-	    slot ? slot->tokDescription : sftk_getDefTokName(FIPS_SLOT_ID);
     int level;
 
     switch (severity) {
     case NSS_AUDIT_ERROR:
 	level = LOG_ERR;
 	break;
     case NSS_AUDIT_WARNING:
 	level = LOG_WARNING;
 	break;
     default:
 	level = LOG_INFO;
 	break;
     }
     /* timestamp is provided by syslog in the message header */
-    /* tokenLabel points to a 32-byte label, which is not null-terminated */
     syslog(level | LOG_USER /* facility */,
-	   "%.32s[pid=%d uid=%d]: %s",
-	   tokenLabel, (int)getpid(), (int)getuid(), msg);
+	   "NSS " SOFTOKEN_LIB_NAME "[pid=%d uid=%d]: %s",
+	   (int)getpid(), (int)getuid(), msg);
+#ifdef LINUX
+    if (pthread_once(&libaudit_once_control, libaudit_init) != 0) {
+	return;
+    }
+    if (libaudit_handle) {
+	int audit_fd;
+	int result = (severity != NSS_AUDIT_ERROR); /* 1=success; 0=failed */
+	char *message = PR_smprintf("NSS " SOFTOKEN_LIB_NAME ": %s", msg);
+	if (!message) {
+	    return;
+	}
+	audit_fd = audit_open_func();
+	if (audit_fd < 0) {
+	    PR_smprintf_free(message);
+	    return;
+	}
+	audit_log_user_message_func(audit_fd, AUDIT_USER, message,
+				    NULL, NULL, NULL, result);
+	audit_close_func(audit_fd);
+	PR_smprintf_free(message);
+    }
+#endif /* LINUX */
 #else
     /* do nothing */
 #endif
 }
 
 
 /**********************************************************************
  *
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -2405,19 +2405,16 @@ sftk_GetModuleIndex(CK_SLOT_ID slotID)
  * had two slots) */
 /* if all is true, return the slot even if it has been 'unloaded' */
 /* if all is false, only return the slots which are present */
 SFTKSlot *
 sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all)
 {
     SFTKSlot *slot;
     int index = sftk_GetModuleIndex(slotID);
-    if (nscSlotHashTable[index] == NULL) {
-	return NULL;
-    }
     slot = (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index], 
 							(void *)slotID);
     /* cleared slots shouldn't 'show up' */
     if (slot && !all && !slot->present) slot = NULL;
     return slot;
 }
 
 SFTKSlot *
--- a/security/nss/lib/softoken/pkcs11i.h
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -630,17 +630,16 @@ extern void sftk_FreeSearch(SFTKSearchRe
 extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
 
 extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
 extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
 extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
 extern void sftk_FreeSession(SFTKSession *session);
 extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
 				    CK_VOID_PTR pApplication, CK_FLAGS flags);
-extern const char *sftk_getDefTokName(CK_SLOT_ID slotID);
 extern void sftk_update_state(SFTKSlot *slot,SFTKSession *session);
 extern void sftk_update_all_states(SFTKSlot *slot);
 extern void sftk_FreeContext(SFTKSessionContext *context);
 extern void sftk_InitFreeLists(void);
 extern void sftk_CleanupFreeLists(void);
 
 extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,
 					  CK_KEY_TYPE key_type, CK_RV *crvp);