From: Nikos Mavrogiannopoulos Date: Thu, 6 Nov 2014 20:30:31 +0000 (+0100) Subject: pkcs11: force login on tokens that require it X-Git-Tag: gnutls_3_4_0~667 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b91172de2df41ff46e73078f5276a9403ed0e100;p=thirdparty%2Fgnutls.git pkcs11: force login on tokens that require it --- diff --git a/lib/pkcs11.c b/lib/pkcs11.c index d4e7096405..d9bce84cc3 100644 --- a/lib/pkcs11.c +++ b/lib/pkcs11.c @@ -1063,7 +1063,7 @@ pkcs11_open_session(struct pkcs11_session_info *sinfo, if (flags & SESSION_LOGIN) { ret = pkcs11_login(sinfo, pin_info, info, - (flags & SESSION_SO) ? 1 : 0); + (flags & SESSION_SO) ? 1 : 0, 0); if (ret < 0) { gnutls_assert(); pkcs11_close_session(sinfo); @@ -1145,7 +1145,8 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input, if (flags & SESSION_LOGIN) { ret = pkcs11_login(&sinfo, pin_info, - info, (flags & SESSION_SO) ? 1 : 0); + info, (flags & SESSION_SO) ? 1 : 0, + 0); if (ret < 0) { gnutls_assert(); return ret; @@ -2191,7 +2192,8 @@ int pkcs11_login(struct pkcs11_session_info *sinfo, struct pin_info_st *pin_info, struct p11_kit_uri *info, - int so) + unsigned so, + unsigned force) { struct ck_session_info session_info; int attempt = 0, ret; @@ -2233,8 +2235,8 @@ pkcs11_login(struct pkcs11_session_info *sinfo, /* Check whether the session is already logged in, and if so, just skip */ rv = (sinfo->module)->C_GetSessionInfo(sinfo->pks, &session_info); - if (rv == CKR_OK - && (session_info.state == CKS_RO_USER_FUNCTIONS + if (rv == CKR_OK && force == 0 && + (session_info.state == CKS_RO_USER_FUNCTIONS || session_info.state == CKS_RW_USER_FUNCTIONS)) { ret = 0; goto cleanup; diff --git a/lib/pkcs11_int.h b/lib/pkcs11_int.h index 2528a90982..f3e73dde09 100644 --- a/lib/pkcs11_int.h +++ b/lib/pkcs11_int.h 
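Review bot: In the `pkcs11_login` signature hunk, `unsigned so, unsigned force` places two same-typed switches side by side, and every call site in this commit passes them as bare literals (`(flags & SESSION_SO) ? 1 : 0, 0` in `pkcs11_open_session` and `_pkcs11_traverse_tokens`, `0, 1` in the two `lib/pkcs11_privkey.c` hunks). Transposing them compiles cleanly and would turn a forced user re-login into a Security Officer login attempt. A named flag alongside the existing `SESSION_SO` bit would make the call sites self-describing. Failing that, document the parameter above the definition, e.g. `/* force: non-zero means perform the login even when the session already reports a user-logged-in state */`. The function body continues outside the hunk.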
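Review bot: With `force` set, the `rv == CKR_OK && force == 0 && ...` test no longer short-circuits, so `pkcs11_login` proceeds to log in on a session the token may already report as `CKS_RO_USER_FUNCTIONS` or `CKS_RW_USER_FUNCTIONS`. The `C_Login` call is outside this hunk, so the following is inferred: if it still passes `CKU_USER`, PKCS #11 tokens answer a repeated user login with `CKR_USER_ALREADY_LOGGED_IN`, and the standard defines per-operation re-authentication through `CKU_CONTEXT_SPECIFIC` instead. It is worth confirming which user type the forced path uses and that `CKR_USER_ALREADY_LOGGED_IN` is not surfaced to callers as a login failure. A comment at the check such as `/* force: caller needs a fresh login (per-operation re-authentication), so ignore the cached session state */` would record the intent.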
@@ -99,7 +99,8 @@ int pkcs11_get_info(struct p11_kit_uri *info, size_t * output_size); int pkcs11_login(struct pkcs11_session_info *sinfo, struct pin_info_st *pin_info, - struct p11_kit_uri *info, int so); + struct p11_kit_uri *info, unsigned so, + unsigned force); int pkcs11_call_token_func(struct p11_kit_uri *info, const unsigned retry); diff --git a/lib/pkcs11_privkey.c b/lib/pkcs11_privkey.c index 2864dbcfc2..496f814a4c 100644 --- a/lib/pkcs11_privkey.c +++ b/lib/pkcs11_privkey.c @@ -257,7 +257,7 @@ _gnutls_pkcs11_privkey_sign_hash(gnutls_pkcs11_privkey_t key, if (key->reauth) { ret = pkcs11_login(&key->sinfo, &key->pin, - key->uinfo, 0); + key->uinfo, 0, 1); if (ret < 0) { gnutls_assert(); _gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n"); @@ -498,7 +498,7 @@ _gnutls_pkcs11_privkey_decrypt_data(gnutls_pkcs11_privkey_t key, if (key->reauth) { ret = pkcs11_login(&key->sinfo, &key->pin, - key->uinfo, 0); + key->uinfo, 0, 1); if (ret < 0) { gnutls_assert(); _gnutls_debug_log("PKCS #11 login failed, trying operation anyway\n");
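Review bot: Passing `force = 1` in the `_gnutls_pkcs11_privkey_sign_hash` hunk means every operation on a `key->reauth` key now makes a real login attempt, yet the `ret < 0` branch still only logs "PKCS #11 login failed, trying operation anyway" and carries on; the `_gnutls_pkcs11_privkey_decrypt_data` hunk has the same shape. On most tokens a rejected PIN decrements the retry counter, so if `key->pin` supplies a stale PIN across several operations the token could be locked while the caller only sees a later, unrelated operation error. Consider returning early on PIN failures, for example `if (ret == GNUTLS_E_PKCS11_PIN_ERROR) return ret;`, assuming `pkcs11_login` maps a rejected PIN to that code (its error mapping is not in this diff). Both enclosing functions continue outside their hunks.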