authorNikos Mavrogiannopoulos <nmav@redhat.com>2017-05-29 11:11:24 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-06-16 15:07:53 +0000
commit49a33f79c941a18d90a6dada9c32f526b1a5aa9c (patch)
treea1fe7a073720bc9fa68e78a0ad6e698b632c5f46 /lib/pkcs11_privkey.c
parent723a9c4366911710d66d29a8580ca5530f012907 (diff)
downloadgnutls-49a33f79c941a18d90a6dada9c32f526b1a5aa9c.tar.gz
pkcs11: the GNUTLS_PKCS11_OBJ_FLAG_LOGIN will force a login
That is, even in tokens which do not have a CKF_LOGIN_REQUIRED flag a login will be forced. This allows operation on the safenet HSMs which do not set that flag. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/pkcs11_privkey.c')
-rw-r--r--lib/pkcs11_privkey.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c
index d5772a0ae2..51a20dc7be 100644
--- a/lib/pkcs11_privkey.c
+++ b/lib/pkcs11_privkey.c
@@ -291,6 +291,7 @@ _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
unsigned long siglen;
struct pkcs11_session_info *sinfo;
unsigned retried_login = 0;
+ unsigned flags = SESSION_LOGIN;
PKCS11_CHECK_INIT_PRIVKEY(key);
@@ -315,9 +316,11 @@ _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key,
retry_login:
if (key->reauth || retried_login) {
+ if (retried_login)
+ flags |= SESSION_FORCE_LOGIN;
ret =
pkcs11_login(&key->sinfo, &key->pin,
- key->uinfo, 0, 1);
+ key->uinfo, flags, 1);
if (ret < 0) {
gnutls_assert();
_gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n");
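Review bot: The added `if (retried_login) flags |= SESSION_FORCE_LOGIN;` has no comment saying why the login is forced only on the retry, so a first pass entered through `key->reauth` still calls `pkcs11_login` with `SESSION_LOGIN` alone; I would put `/* retry: force C_Login even if the token does not set CKF_LOGIN_REQUIRED */` above it. The same lines are added in the `_gnutls_pkcs11_privkey_decrypt_data` hunk, where the variable is named `login_flags` instead of `flags`; using one name in both functions would make the two retry paths easier to compare. A failed forced login is still reported only through `_gnutls_debug_log` before the operation is attempted anyway, so it is worth confirming that a rejected PIN on this path reaches the caller through the later operation's return code rather than being lost at the default log level. Both function bodies start and end outside the hunks, and the `pkcs11_login` side of the change is not shown in this file-limited diff.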
@@ -560,6 +563,7 @@ _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
struct ck_mechanism mech;
unsigned long siglen;
unsigned retried_login = 0;
+ unsigned login_flags = SESSION_LOGIN;
PKCS11_CHECK_INIT_PRIVKEY(key);
@@ -585,9 +589,11 @@ _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key,
retry_login:
if (key->reauth || retried_login) {
+ if (retried_login)
+ login_flags |= SESSION_FORCE_LOGIN;
ret =
pkcs11_login(&key->sinfo, &key->pin,
- key->uinfo, 0, 1);
+ key->uinfo, login_flags, 1);
if (ret < 0) {
gnutls_assert();
_gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n");