pkcs11 C_Login improvements

Damien Miller djm at mindrot.org
Tue Feb 3 09:31:25 AEDT 2015


On Mon, 2 Feb 2015, Yuri Samoilenko wrote:

> Hello.
> I'm using openssh with a custom pkcs11 library and I have reached a little
> issue in result code handling. The C_Login function from the pkcs11 specification
> can return the CKR_USER_ALREADY_LOGGED_IN code, which is not an error, but
> openssh expects only CKR_OK. There is a patch to fix this.

Thanks, that looks reasonable. There's actually one more place where
this could conceivably happen:

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 1d8135d..4ee948f 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -254,8 +254,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 		pin = read_passphrase(prompt, RP_ALLOW_EOF);
 		if (pin == NULL)
 			return (-1);	/* bail out */
-		if ((rv = f->C_Login(si->session, CKU_USER,
-		    (u_char *)pin, strlen(pin))) != CKR_OK) {
+		rv = f->C_Login(si->session, CKU_USER,
+		    (u_char *)pin, strlen(pin));
+		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
 			free(pin);
 			error("C_Login failed: %lu", rv);
 			return (-1);
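Review bot: the early `return (-1)` path here frees `pin` but does not wipe it first; since the buffer holds the user's PIN, clear it before releasing it (for example `explicit_bzero(pin, strlen(pin));` immediately before `free(pin);`) so the secret does not linger in freed heap memory. A `debug()` line when `rv == CKR_USER_ALREADY_LOGGED_IN` would also make the now-tolerated already-logged-in case visible when troubleshooting login problems instead of passing silently.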
@@ -357,8 +358,9 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
 		return (-1);
 	}
 	if (login_required && pin) {
-		if ((rv = f->C_Login(session, CKU_USER,
-		    (u_char *)pin, strlen(pin))) != CKR_OK) {
+		rv = f->C_Login(session, CKU_USER,
+		    (u_char *)pin, strlen(pin))
+		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
 			error("C_Login failed: %lu", rv);
 			if ((rv = f->C_CloseSession(session)) != CKR_OK)
 				error("C_CloseSession failed: %lu", rv);
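Review bot: the new `rv = f->C_Login(session, CKU_USER, (u_char *)pin, strlen(pin))` statement in this hunk is missing its terminating semicolon, so the file will not compile as posted; the second added line should read `(u_char *)pin, strlen(pin));` to match the first hunk. As in the first hunk, a `debug()` when `rv == CKR_USER_ALREADY_LOGGED_IN` would help when diagnosing a token that is already authenticated through another session.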
