Hello, On Jun 2, 2011, at 01:07 , Douglas E. Engert wrote: > The change #5421 introduced between 0.12.1-rc1 and 0.12.1 > on 5/4/11 by vtarasov breaks the MIT Kerberos login. A spy > output is attached. > > The code calls C_GetSlotList with tokenPresent=1 which in > the past has only returned slots with tokens. > > But #5421 returns 2 slots, the 0xffffffff virtual slot which > does NOT have a token, and slot 1 which has a token. > The code then tries C_OpenSession to the virtual slot > which does not have a token and fails.
This is also a place for improvement in the Kerberos software, as it should try to "intelligently recover" from the problem: Any Cryptoki function that uses a particular token (i.e., any Cryptoki function except for C_Initialize, C_Finalize, C_GetInfo, C_GetFunctionList, C_GetSlotList, C_GetSlotInfo, or C_WaitForSlotEvent) can return any of the following values: CKR_TOKEN_NOT_PRESENT: The token was not present in its slot at the time that the function was invoked. I don't know hot the configuration for Kerberos login works or how it locates the suitable slot, but this looks like a valid situation nevertheless. > I don't understand why this change was made. If the virtual > slot does not have a token, it should not be returned > if tokenPresent=1. True. Best, Martin -- @MartinPaljak.net +3725156495 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel