author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-06-16 22:04:49 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2017-06-17 14:04:35 +0200 |
commit | 41a9cb35b0bcd056fc506f985eb3716bd0c41365 (patch) | |
tree | 43819d5a333281ef702aaaf0ec703d3a1c27dc03 /lib/pkcs11.c | |
parent | b60b8a42c4c972c82d80c9e875b2afdb61f0f109 (diff) | |
download | gnutls-41a9cb35b0bcd056fc506f985eb3716bd0c41365.tar.gz |
pkcs11: improved handling of HSMs without CKU_CONTEXT_SPECIFIC support
That is, when the HSM returns CKR_USER_NOT_LOGGED_IN, switch
to CKU_USER, instead of relying on a fallback within pkcs11_login().
That simplifies login logic.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'lib/pkcs11.c')
-rw-r--r-- | lib/pkcs11.c | 34 |
1 files changed, 14 insertions, 20 deletions
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index b88b5af846..b22d8e8e5b 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2583,7 +2583,6 @@ pkcs11_login(struct pkcs11_session_info *sinfo,
 return 0;
 }
- retry_login:
 /* For a token with a "protected" (out-of-band) authentication
 * path, calling login with a NULL username is all that is
 * required. */
@@ -2597,7 +2596,8 @@ pkcs11_login(struct pkcs11_session_info *sinfo,
 gnutls_assert();
 _gnutls_debug_log
 ("p11: Protected login failed.\n");
- goto login_finished;
+ ret = GNUTLS_E_PKCS11_ERROR;
+ goto cleanup;
 }
 }
@@ -2607,16 +2607,18 @@ pkcs11_login(struct pkcs11_session_info *sinfo,
 memcpy(&tinfo, &sinfo->tinfo, sizeof(tinfo));
- /* Check whether the session is already logged in, and if so, just skip */
- rv = (sinfo->module)->C_GetSessionInfo(sinfo->pks,
- &session_info);
- if (rv == CKR_OK && !(flags & SESSION_CONTEXT_SPECIFIC) &&
- (session_info.state == CKS_RO_USER_FUNCTIONS
- || session_info.state == CKS_RW_USER_FUNCTIONS)) {
- ret = 0;
- _gnutls_debug_log
- ("p11: Already logged in\n");
- goto cleanup;
+ if (!(flags & SESSION_CONTEXT_SPECIFIC)) {
+ /* Check whether the session is already logged in, and if so, just skip */
+ rv = (sinfo->module)->C_GetSessionInfo(sinfo->pks,
+ &session_info);
+ if (rv == CKR_OK &&
+ (session_info.state == CKS_RO_USER_FUNCTIONS
+ || session_info.state == CKS_RW_USER_FUNCTIONS)) {
+ ret = 0;
+ _gnutls_debug_log
+ ("p11: Already logged in\n");
+ goto cleanup;
+ }
 }
 /* If login has been attempted once already, check the token 
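Review bot: The new failure path for the protected (out-of-band) login, `+ ret = GNUTLS_E_PKCS11_ERROR;` in the second hunk, discards the module's return code, whereas the removed `goto login_finished` previously reached `ret = (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN) ? 0 : pkcs11_rv_to_err(rv);` (visible in the last hunk), so a token that answers CKR_USER_ALREADY_LOGGED_IN on the protected path used to be treated as success and now becomes a hard error, and every specific failure code (a PIN error, a removed token) is collapsed into one generic error that callers cannot distinguish. Unless the condition guarding this branch, which lies above the hunk, already excludes CKR_USER_ALREADY_LOGGED_IN, I would keep the mapping: `ret = (rv == CKR_USER_ALREADY_LOGGED_IN) ? 0 : pkcs11_rv_to_err(rv);`. The debug message also omits the code, which makes HSM-specific failures hard to diagnose in the field; `_gnutls_debug_log("p11: Protected login failed: %s (%lu)\n", p11_kit_strerror(rv), rv);` would match the "Login result" line in the last hunk. pkcs11_login() starts before and continues after this hunk.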
@@ -2651,16 +2653,8 @@ pkcs11_login(struct pkcs11_session_info *sinfo,
 } while (rv == CKR_PIN_INCORRECT);
- login_finished:
 _gnutls_debug_log("p11: Login result = %s (%lu)\n", (rv==0)?"ok":p11_kit_strerror(rv), rv);
- if (unlikely(rv == CKR_USER_TYPE_INVALID && user_type == CKU_CONTEXT_SPECIFIC)) {
- _gnutls_debug_log("p11: Retrying login with CKU_USER\n");
- /* PKCS#11 v2.10 don't know about CKU_CONTEXT_SPECIFIC */
- user_type = CKU_USER;
- goto retry_login;
- }
-
 ret = (rv == CKR_OK || rv == CKR_USER_ALREADY_LOGGED_IN) ? 0 : pkcs11_rv_to_err(rv); |