1389570 - if NSS is initialized in no-DB mode (NSS_NoDB_Init), PK11_NeedUserInit returns true for the internal token

Status: RESOLVED FIXED

(NSS :: Libraries, defect)

Description

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

STR:

NSS_NoDB_Init(".");
PK11SlotInfo* slot = PK11_GetInternalKeySlot();

Actual results:
PK11_NeedUserInit(slot) returns PR_TRUE

Expected results:
Arguably, it should return PR_FALSE since there's nothing to init (and, indeed, PK11_InitPin fails, because NSS is in no-DB mode).

Comment 1

[Franziskus Kiefer [:franziskus]]

https://nss-review.dev.mozaws.net/D406

Comment 2

[Franziskus Kiefer [:franziskus]]

https://hg.mozilla.org/projects/nss/rev/984849c0a0f1e2e62cbe5654e679c90b7a5a8f94

Comment 3

[Robert Relyea]

This patch is wrong. PK11_NeedTokenInit must return true if and only if CKF_LOGIN_REQUIRED is true and CKF_USER_PIN_INIALIZED is flags (see https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11_Implement). 

I also disagree that it should return true for NO_DB_INIT. NO_DB_INIT creates a non-login access token which should have CKF_LOGIN_REQUIRED set to false and CKF_USER_PIN_INITIALIZED set to false. We need to back out this change and please explain why you need to initialize a non-token. If you want a password based thing, then either use a database or we need to create a new feature for that requirement.

This patch broke regular non-login tokens.

Comment 4

[Robert Relyea]

My bad. The code in question wasn't changed. PK11_NeedUserInit has always been jsut about the state of teh CKF_USER_PIN_INITIALIZED. A bug in a different patch used PK11_NeedUserInit() rather than PK11_NeedPWInitForSlot().

Comment 5

[Robert Relyea]

oops forgot to close the bug again,