[Bug 2652] PKCS11 login skipped if login required and no pin set

bugzilla-daemon at bugzilla.mindrot.org
Tue Oct 3 20:41:15 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2652

--- Comment #5 from Daniel Kucera <openssh at danman.eu> ---
(In reply to Damien Miller from comment #2)
> Comment on attachment 3032 [details]
> patch
> 
> >diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
> >index d1f750db0..938535638 100644
> >--- a/ssh-pkcs11.c
> >+++ b/ssh-pkcs11.c
> >@@ -366,19 +366,16 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin)
> > 
> > 	f = p->function_list;
> > 	login_required = p->slotinfo[slotidx].token.flags & CKF_LOGIN_REQUIRED;
> >-	if (pin && login_required && !strlen(pin)) {
> >-		error("pin required");
> >-		return (-1);
> >-	}
> >+
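
Review bot: Removing the `pin && login_required && !strlen(pin)` test at the top of pkcs11_open_session() leaves nothing in the code that says why an empty PIN is now let through on a token with CKF_LOGIN_REQUIRED set. The removed condition never fired for a NULL pin, so the behaviour change is limited to a non-NULL empty string; please add a short comment at this spot stating how a NULL pin and an empty pin are each expected to be handled by the code that follows, and confirm the two cases are treated consistently there. The lone blank line added after the `login_required` assignment can be dropped.
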
> 
> I'm not sure I understand why this section is removed - could you
> explain it?

Oh, I remember now: it's because if pin is not set (is null),
login_required is not evaluated, so no error is returned, so this check
is useless.

And we don't even need to return an error here; login can be performed by
an external library after calling C_Login with pin set to zero.

CKF_LOGIN_REQUIRED only means C_Login has to be called, not that the
pin has to be set.
