Hello,
I propose a patch for PKCS#11
Fix: return CKR_SESSION_READ_ONLY from C_InitPIN, C_SetPIN,
C_CreateObject, C_CopyObject, C_DestroyObject, C_SetAttributeValue,
C_GenerateKey, C_GenerateKeyPair, C_UnwrapKey, C_DeriveKey if session is
read-only.
PKCS#11:
"C_InitPIN can only be called in the 'R/W SO Functions' state."
"C_SetPIN can only be called in the 'R/W Public Session' state, 'R/W SO
Functions' state, or 'R/W User Functions' state. An attempt to call it
from a session in any other state fails with error CKR_SESSION_READ_ONLY."
"Only session objects can be created/destroyed/modified
(C_CreateObject/C_DestroyObject/C_SetAttributeValue) during a read-only
session."
However, this check is currently disabled in pkcs11-session.c:
http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/pkcs11-session.c?rev=3862#L344
Why is it wrapped in #if 0?
Any idea?
Index: src/pkcs11/pkcs11-object.c
===================================================================
--- src/pkcs11/pkcs11-object.c (revision 3885)
+++ src/pkcs11/pkcs11-object.c (working copy)
@@ -46,6 +46,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session->flags & CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
card = session->slot->card;
if (card->framework->create_object == NULL)
rv = CKR_FUNCTION_NOT_SUPPORTED;
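Review bot: The added check rejects every call on a read-only session, but the PKCS#11 text quoted in the description allows session objects to be created, destroyed and modified there; only token objects (CKA_TOKEN true) should yield CKR_SESSION_READ_ONLY. Here the template would have to be inspected for CKA_TOKEN before returning the error, and the same applies to the other four hunks in this file, where the template or the looked-up object decides whether a token object is involved. If this module only ever exposes token objects, the unconditional check is equivalent, and a comment such as `/* all objects here are token objects, so any write needs an R/W session */` would record that assumption. The enclosing function starts and ends outside the hunk.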
@@ -86,6 +91,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session->flags & CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
rv = pool_find_and_delete(&session->slot->object_pool, hObject,
(void**) &object);
if (rv != CKR_OK)
goto out;
@@ -193,6 +203,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session->flags & CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
rv = pool_find(&session->slot->object_pool, hObject, (void**) &object);
if (rv != CKR_OK)
goto out;
@@ -871,6 +886,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session->flags & CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
slot = session->slot;
if (slot->card->framework->gen_keypair == NULL) {
rv = CKR_FUNCTION_NOT_SUPPORTED;
@@ -916,6 +936,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session->flags & CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
rv = pool_find(&session->slot->object_pool, hUnwrappingKey,
(void**) &object);
if (rv != CKR_OK) {
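Review bot: C_CopyObject, C_GenerateKey and C_DeriveKey are listed in the description, but this file gets only five hunks and none of them visibly belongs to those functions (this one, going by `hUnwrappingKey`, is the unwrap path). If those entry points are stubs that return CKR_FUNCTION_NOT_SUPPORTED, the description should say so; otherwise they need the same `if (!(session->flags & CKF_RW_SESSION))` check so the read-only rule holds uniformly. The enclosing function extends beyond the hunk.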
Index: src/pkcs11/pkcs11-session.c
===================================================================
--- src/pkcs11/pkcs11-session.c (revision 3885)
+++ src/pkcs11/pkcs11-session.c (working copy)
@@ -307,6 +307,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session->flags & CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
slot = session->slot;
if (slot->login_user != CKU_SO) {
rv = CKR_USER_NOT_LOGGED_IN;
@@ -341,12 +346,11 @@
goto out;
sc_debug(context, "Changing PIN (session %d)\n", hSession);
-#if 0
- if (!(ses->flags & CKF_RW_SESSION)) {
+
+ if (!(session->flags & CKF_RW_SESSION)) {
rv = CKR_SESSION_READ_ONLY;
goto out;
}
-#endif
slot = session->slot;
rv = slot->card->framework->change_pin(slot->card, slot->fw_data,
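Review bot: Re-enabling this check changes behaviour for callers that change the PIN on a read-only session: they previously reached `change_pin` and will now get CKR_SESSION_READ_ONLY. That matches the quoted C_SetPIN text, but the reason for the `#if 0` is not visible here (the old code referenced `ses`, so it may simply not have compiled), so in-tree tools and callers should be checked to open their session with CKF_RW_SESSION before this lands. The `sc_debug` "Changing PIN" line is still logged before the rejection; moving the check above it, or adding a comment like `/* PKCS#11: C_SetPIN is valid only in R/W session states */`, would keep the log and the intent clear. The function body continues outside the hunk.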