> I started writing a blog post yesterday about virtualized smartcards here: > > https://blogs.gnome.org/halfline/2013/09/08/another-smartcard-post/ > > and while testing what I was writing I noticed an invalid PIN worked when > it shouldn't have. It turns out that typing a valid PIN once in one program > in > the guest, is enough to make all future programs asking for the PIN to > succeed > regardless of what gets typed in for the PIN. > > I did some digging through the libcacard code, and noticed it uses the > NSS PK11_Authenticate function which calls a function that has this comment > above it: > > If we're already logged in and this function is called we > will still prompt for a password, but we will probably succeed > no matter what the password was. > > Also, PK11_Authenticate short-circuits to an early "return SECSuccess" if the > token > is already logged in. > > The two patches in this series attempt to correct this problem by calling > PK11_Logout. > I'm not 100% certain I've placed the PK11_Logout call in the best place, but > it does > seeming to fix the issue.
Hi Ray, Thanks for the patches! It looks good to me but I'll defer to Robert, Alon > > >