On Mon, 2 Feb 2015, Yuri Samoilenko wrote:
> Hello.
> I'am using openssh with custom pkcs11 library and I have reach a little
> issue in result code handling. C_Login function from pkcs11 specification
> can return CKR_USER_ALREADY_LOGGED_IN code which is not an error, but
> openssh expects only CKA_OK. There is an patch to fix this.
Thanks, that looks reasonable. There's actually one more place where
this could conceivably happen:
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 1d8135d..4ee948f 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -254,8 +254,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from,
u_char *to, RSA *rsa,
pin = read_passphrase(prompt, RP_ALLOW_EOF);
if (pin == NULL)
return (-1); /* bail out */
- if ((rv = f->C_Login(si->session, CKU_USER,
- (u_char *)pin, strlen(pin))) != CKR_OK) {
+ rv = f->C_Login(si->session, CKU_USER,
+ (u_char *)pin, strlen(pin));
+ if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
free(pin);
error("C_Login failed: %lu", rv);
return (-1);
@@ -357,8 +358,9 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG
slotidx, char *pin)
return (-1);
}
if (login_required && pin) {
- if ((rv = f->C_Login(session, CKU_USER,
- (u_char *)pin, strlen(pin))) != CKR_OK) {
+ rv = f->C_Login(session, CKU_USER,
+ (u_char *)pin, strlen(pin))
+ if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
error("C_Login failed: %lu", rv);
if ((rv = f->C_CloseSession(session)) != CKR_OK)
error("C_CloseSession failed: %lu", rv);