[Bug 2638] Honor PKCS#11 CKA_ALWAYS_AUTHENTICATE attribute of the private objects
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Fri Aug 11 20:36:57 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2638
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #2890|0 |1
is obsolete| |
--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 3033
--> https://bugzilla.mindrot.org/attachment.cgi?id=3033&action=edit
patch sharing the login code
We (In reply to Damien Miller from comment #1)
> Can't we reuse si->logged_in here and skip the extra variable?
We would need to reset the variable after the signing if you talk only
about variable sharing. It would work, but the actual
always-authenticate function would not get called for the second time.
It would call the original login before SignInit with
non-CONTEXT_SPECIFIC_LOGIN. It would work in some of the cases, but it
would not be according to the PKCS#11 specification. For example, if
the PINs are different, it would fail.
I don't see a way how to retain the same functionality without this
variable, but feel free to propose a solution.
Though after the second thought (year after), sharing the code for
C_Login, which is quite the same except the login type would make
sense.
I do not share the pkcs11_interactive check, because we need this
prompt from non-interactive ssh-agent process using askpass.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list