pkcs11 C_Login improvements

Yuri Samoilenko kinnalru at gmail.com
Tue Feb 3 04:22:10 AEDT 2015


Hello.
I am using openssh with a custom pkcs11 library and I have reached a little
issue in result code handling. The C_Login function from the pkcs11 specification
can return the CKR_USER_ALREADY_LOGGED_IN code, which is not an error, but
openssh expects only CKA_OK. There is a patch to fix this.

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c49cbf4..1b236a6 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -263,8 +263,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char
*from, u_char *to, RSA *rsa,
                pin = read_passphrase(prompt, RP_ALLOW_EOF);
                if (pin == NULL)
                        return (-1);    /* bail out */
-               if ((rv = f->C_Login(si->session, CKU_USER,
-                   (u_char *)pin, strlen(pin))) != CKR_OK) {
+               rv = f->C_Login(si->session, CKU_USER,
+                   (u_char *)pin, strlen(pin));
+               if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
                        free(pin);
                        error("C_Login failed: %lu", rv);
                        return (-1);
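
Review bot: On the new `if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)` line, the already-logged-in result is accepted silently, even though this path has just prompted the user for a PIN. When the token answers CKR_USER_ALREADY_LOGGED_IN, nothing in these lines shows that the PIN typed at the prompt was checked, so a wrong PIN would pass here without any trace. Please add a short comment saying why this return code is treated as success, and consider a debug-level log line when that branch is taken, so the case can be told apart from a fresh login when diagnosing token behaviour. Separately, the context line `free(pin);` releases the PIN buffer without clearing it first; zeroing it before the free would be worth a follow-up change.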


More information about the openssh-unix-dev mailing list