Yes, the patch fixes the problem. Please commit it.

Eric,
Since Debian is in the process of accepting 1.12.1,
(I saw your note from 02 Jun 2011 06:33:03 +0000
7 hours ago) and this bug will affect the use of OpenSC
with Kerberos/PKINIT with login or kinit, (and maybe other
applications) I would like to make sure that this patch
also gets into Debian somehow.

Without this change, the circumvention would appear to be
set plug_and_play=false; in the opensc.conf file. But this
would then turn off the hotplug of tokens that are a
combination of USB reader and card.



On 6/2/2011 3:59 AM, Viktor Tarasov wrote:
On 02/06/2011 00:07, Douglas E. Engert wrote:
The change #5421 introduced between 0.12.1-rc1 and 0.12.1
on 5/4/11 by vtarasov breaks the MIT Kerberos login. A spy
output is attached.

The code calls C_GetSlotList with tokenPresent=1 which in
the past has only returned slots with tokens.

But #5421 returns 2 slots, the 0xffffffff virtual slot which
does NOT have a token, and slot 1 which has a token.
The code then tries C_OpenSession to the virtual slot
which does not have a token and fails.

Please, try the attached patch.


I don't understand why this change was made. If the virtual
slot does not have a token, it should not be returned
if tokenPresent=1.

It was done to reduce the number of useless empty slots per reader (default number is 4),
shown by the applications that use the PKCS#11 module (like Firefox, ...).






_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
Index: src/pkcs11/pkcs11-global.c
===================================================================
--- src/pkcs11/pkcs11-global.c	(révision 5533)
+++ src/pkcs11/pkcs11-global.c	(copie de travail)
@@ -400,7 +400,9 @@
 		 * - any slot with token;
 		 * - without token(s), one empty slot per reader;
 		 */
-	        if (!slot->reader || (!tokenPresent && slot->reader != prev_reader) || (slot->slot_info.flags & CKF_TOKEN_PRESENT))
+	        if ((!tokenPresent && !slot->reader) 
+				|| (!tokenPresent && slot->reader != prev_reader) 
+				|| (slot->slot_info.flags & CKF_TOKEN_PRESENT))
 			found[numMatches++] = slot->id;
 		prev_reader = slot->reader;
 	}
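
Review bot: the comment lines visible above the condition ("any slot with token" and "without token(s), one empty slot per reader") do not mention the reader-less slot that the new first clause `(!tokenPresent && !slot->reader)` returns only when tokenPresent is false; please add a line to the comment stating that a slot without a reader is listed only when tokenPresent is false, since that is the behavior callers depend on before calling C_OpenSession. The two clauses that both start with `!tokenPresent &&` could also be folded into one, `(!tokenPresent && (!slot->reader || slot->reader != prev_reader))`, which makes it clearer that with tokenPresent set only the CKF_TOKEN_PRESENT test can match. The added lines also carry trailing whitespace and mix spaces with tabs in the indentation before `if`.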