On 6/6/2011 6:50 AM, Martin Paljak wrote:
> Hello,
> On Jun 2, 2011, at 01:07 , Douglas E. Engert wrote:
>
>> The change #5421 introduced between 0.12.1-rc1 and 0.12.1
>> on 5/4/11 by vtarasov breaks the MIT Kerberos login. A spy
>> output is attached.
>>
>> The code calls C_GetSlotList with tokenPresent=1 which in
>> the past has only returned slots with tokens.
>>
>> But #5421 returns 2 slots, the 0xffffffff virtual slot which
>> does NOT have a token, and slot 1 which has a token.
>> The code then tries C_OpenSession to the virtual slot
>> which does not have a token and fails.
>
> This is also a place for improvement in the Kerberos software, as it should
> try to "intelligently recover" from the problem:

True. But this would naturally occur only if the user pulled the card
between the call to the C_GetSlotList with tokenPresent=1 and the call
to C_OpenSession, a very unlikely situation. The code could
"intelligently recover" by assuming the user pulled the card to stop
the login. If it was by accident, the user would recover by inserting
the card and trying again.

>
> Any Cryptoki function that uses a particular token (i.e., any Cryptoki
> function except for C_Initialize, C_Finalize, C_GetInfo,
> C_GetFunctionList, C_GetSlotList, C_GetSlotInfo, or C_WaitForSlotEvent)
> can return any of the following values:
>
> CKR_TOKEN_NOT_PRESENT: The token was not present in its slot at the time that
> the function was invoked.
>
> I don't know how the configuration for Kerberos login works or how it locates
> the suitable slot, but this looks like a valid situation nevertheless.
>
>> I don't understand why this change was made. If the virtual
>> slot does not have a token, it should not be returned
>> if tokenPresent=1.
>
> True.
>
>
> Best,
> Martin

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
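
A sketch of the recovery discussed in this message, added as an example and not code from the thread, OpenSC or MIT Kerberos: the caller re-checks CKF_TOKEN_PRESENT for each slot and moves on when opening a session returns CKR_TOKEN_NOT_PRESENT. The `mock_*` functions are constructed, simplified stand-ins for C_GetSlotList, C_GetSlotInfo and C_OpenSession; the slot order and the open-the-first-slot caller are assumptions.

```c
#include <stdio.h>
/* Minimal stand-ins for pkcs11.h so the example builds offline. */
typedef unsigned long CK_RV, CK_SLOT_ID, CK_ULONG, CK_FLAGS;
#define CKR_OK                0x00UL
#define CKR_TOKEN_NOT_PRESENT 0xE0UL
#define CKF_TOKEN_PRESENT     0x01UL

/* Constructed mock module: with tokenPresent=1 it still lists the
 * 0xffffffff virtual slot (no token) ahead of slot 1 (token present). */
static const CK_SLOT_ID mock_slots[] = { 0xffffffffUL, 1UL };
static CK_RV mock_GetSlotList(CK_SLOT_ID *list, CK_ULONG *count) {
    list[0] = mock_slots[0]; list[1] = mock_slots[1]; *count = 2;
    return CKR_OK;
}
static CK_RV mock_GetSlotInfo(CK_SLOT_ID id, CK_FLAGS *flags) {
    *flags = (id == 1UL) ? CKF_TOKEN_PRESENT : 0;
    return CKR_OK;
}
static CK_RV mock_OpenSession(CK_SLOT_ID id) {
    return (id == 1UL) ? CKR_OK : CKR_TOKEN_NOT_PRESENT;
}

/* Assumed caller behaviour: trust the list and open its first slot. */
CK_RV open_first_slot(CK_SLOT_ID *used) {
    CK_SLOT_ID list[8]; CK_ULONG n = 0;
    mock_GetSlotList(list, &n);
    *used = list[0];
    return mock_OpenSession(list[0]);
}

/* Defensive caller: skip slots without CKF_TOKEN_PRESENT and treat
 * CKR_TOKEN_NOT_PRESENT as "try the next slot", not a fatal error. */
CK_RV open_first_usable_slot(CK_SLOT_ID *used) {
    CK_SLOT_ID list[8]; CK_ULONG n = 0, i;
    CK_RV rv = mock_GetSlotList(list, &n);
    if (rv != CKR_OK) return rv;
    for (i = 0; i < n; i++) {
        CK_FLAGS flags = 0;
        if (mock_GetSlotInfo(list[i], &flags) != CKR_OK) continue;
        if (!(flags & CKF_TOKEN_PRESENT)) continue;
        rv = mock_OpenSession(list[i]);
        if (rv == CKR_OK) { *used = list[i]; return CKR_OK; }
        if (rv != CKR_TOKEN_NOT_PRESENT) return rv;
    }
    return CKR_TOKEN_NOT_PRESENT;   /* no slot currently holds a token */
}

int main(void) {
    CK_SLOT_ID a = 0, b = 0;
    CK_RV r1 = open_first_slot(&a), r2 = open_first_usable_slot(&b);
    printf("first: rv=0x%lx slot=0x%lx; usable: rv=0x%lx slot=0x%lx\n", r1, a, r2, b);
    return 0;
}
```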