On 09/08/2013 01:18 AM, Alon Levy wrote: >> I started writing a blog post yesterday about virtualized smartcards here: >> >> https://blogs.gnome.org/halfline/2013/09/08/another-smartcard-post/ >> >> and while testing what I was writing I noticed an invalid PIN worked when >> it shouldn't have. It turns out that typing a valid PIN once in one program >> in >> the guest, is enough to make all future programs asking for the PIN to >> succeed >> regardless of what gets typed in for the PIN. >> >> I did some digging through the libcacard code, and noticed it uses the >> NSS PK11_Authenticate function which calls a function that has this comment >> above it: >> >> If we're already logged in and this function is called we >> will still prompt for a password, but we will probably succeed >> no matter what the password was. >> >> Also, PK11_Authenticate short-circuits to an early "return SECSuccess" if the >> token >> is already logged in. >> >> The two patches in this series attempt to correct this problem by calling >> PK11_Logout. >> I'm not 100% certain I've placed the PK11_Logout call in the best place, but >> it does >> seeming to fix the issue. > Hi Ray, > > Thanks for the patches! It looks good to me but I'll defer to Robert, > > Alon
ack... The original problem is a little worse than ray says. It's not a 60 second window, it's pretty much anytime until the card is explicitly logged out. Ray's patch will fix this. bob > >> >>
smime.p7s
Description: S/MIME Cryptographic Signature