pkcs11 C_Login improvements
Yuri Samoilenko
kinnalru at gmail.com
Tue Feb 3 04:22:10 AEDT 2015
Hello.
I'm using openssh with a custom pkcs11 library and I have reached a little
issue in result code handling. The C_Login function from the pkcs11 specification
can return the CKR_USER_ALREADY_LOGGED_IN code, which is not an error, but
openssh expects only CKA_OK. There is a patch to fix this.
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c49cbf4..1b236a6 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -263,8 +263,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char
*from, u_char *to, RSA *rsa,
pin = read_passphrase(prompt, RP_ALLOW_EOF);
if (pin == NULL)
return (-1); /* bail out */
- if ((rv = f->C_Login(si->session, CKU_USER,
- (u_char *)pin, strlen(pin))) != CKR_OK) {
+ rv = f->C_Login(si->session, CKU_USER,
+ (u_char *)pin, strlen(pin));
+ if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
free(pin);
error("C_Login failed: %lu", rv);
return (-1);
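Review bot: the new check `if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)` accepts the already-logged-in case without the token having validated the PIN just read by read_passphrase(), so a mistyped PIN passes silently whenever the user is already logged in on the token. That is likely acceptable because the token is already in the logged-in state, but the check should carry a short comment saying why this return value counts as success, and a debug-level message when it occurs would make the behaviour visible. Separately, the failure path shown here calls free(pin) without clearing the buffer first; wiping the PIN before freeing it would avoid leaving it in freed heap memory.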