On Mon, 2 Feb 2015, Yuri Samoilenko wrote:

> Hello.
> I'm using openssh with a custom pkcs11 library and I have reached a little
> issue in result code handling. C_Login function from pkcs11 specification
> can return CKR_USER_ALREADY_LOGGED_IN code which is not an error, but
> openssh expects only CKA_OK. There is a patch to fix this.

Thanks, that looks reasonable. There's actually one more place where this
could conceivably happen:

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c index 1d8135d..4ee948f 100644 --- a/ssh-pkcs11.c +++ b/ssh-pkcs11.c @@ -254,8 +254,9 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa, pin = read_passphrase(prompt, RP_ALLOW_EOF); if (pin == NULL) return (-1); /* bail out */ - if ((rv = f->C_Login(si->session, CKU_USER, - (u_char *)pin, strlen(pin))) != CKR_OK) { + rv = f->C_Login(si->session, CKU_USER, + (u_char *)pin, strlen(pin)); + if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { free(pin); error("C_Login failed: %lu", rv); return (-1); @@ -357,8 +358,9 @@ pkcs11_open_session(struct pkcs11_provider *p, CK_ULONG slotidx, char *pin) return (-1); } if (login_required && pin) { - if ((rv = f->C_Login(session, CKU_USER, - (u_char *)pin, strlen(pin))) != CKR_OK) { + rv = f->C_Login(session, CKU_USER, + (u_char *)pin, strlen(pin)) + if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) { error("C_Login failed: %lu", rv); if ((rv = f->C_CloseSession(session)) != CKR_OK) error("C_CloseSession failed: %lu", rv);
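
Review bot: in the pkcs11_rsa_private_encrypt hunk, the new condition `rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN` accepts a second return code as success with no comment or log line explaining why. A one-line comment above the check saying that CKR_USER_ALREADY_LOGGED_IN means the session is already authenticated, plus a debug-level message when that code is returned, would keep the two success paths distinguishable when someone is diagnosing a token problem.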
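
Review bot: in the pkcs11_open_session hunk, the second added line `(u_char *)pin, strlen(pin))` has no terminating semicolon, so the assignment to `rv` runs straight into the following `if` and the file will not compile. End the statement with `strlen(pin));`, as the matching line in the first hunk does.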