Hello,
I propose a patch for PKCS#11
Fix: return CKR_SESSION_READ_ONLY from C_InitPIN, C_SetPIN,
C_CreateObject, C_CopyObject, C_DestroyObject, C_SetAttributeValue,
C_GenerateKey, C_GenerateKeyPair, C_UnwrapKey, C_DeriveKey if session is
read-only.
PKCS#11:
C_InitPIN can only be called in the 'R/W SO Functions' state.
C_SetPIN can only be called in the 'R/W Public Session' state, 'R/W SO
Functions' state, or 'R/W User Functions' state. An attempt to call it
from a session in any other state fails with error CKR_SESSION_READ_ONLY.
Only session objects can be created/destroyed/modified
(C_CreateObject/C_DestroyObject/C_SetAttributeValue) during a read-only
session.
But,
http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/pkcs11-session.c?rev=3862#L344
Why does it need (#if 0)?
Any idea?
Index: src/pkcs11/pkcs11-object.c
===
--- src/pkcs11/pkcs11-object.c (revision 3885)
+++ src/pkcs11/pkcs11-object.c (working copy)
@@ -46,6 +46,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session-flags CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
card = session-slot-card;
if (card-framework-create_object == NULL)
rv = CKR_FUNCTION_NOT_SUPPORTED;
@@ -86,6 +91,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session-flags CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
rv = pool_find_and_delete(session-slot-object_pool, hObject,
(void**) object);
if (rv != CKR_OK)
goto out;
@@ -193,6 +203,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session-flags CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
rv = pool_find(session-slot-object_pool, hObject, (void**) object);
if (rv != CKR_OK)
goto out;
@@ -871,6 +886,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session-flags CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
slot = session-slot;
if (slot-card-framework-gen_keypair == NULL) {
rv = CKR_FUNCTION_NOT_SUPPORTED;
@@ -916,6 +936,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session-flags CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
rv = pool_find(session-slot-object_pool, hUnwrappingKey,
(void**) object);
if (rv != CKR_OK) {
Index: src/pkcs11/pkcs11-session.c
===
--- src/pkcs11/pkcs11-session.c (revision 3885)
+++ src/pkcs11/pkcs11-session.c (working copy)
@@ -307,6 +307,11 @@
if (rv != CKR_OK)
goto out;
+ if (!(session-flags CKF_RW_SESSION)) {
+ rv = CKR_SESSION_READ_ONLY;
+ goto out;
+ }
+
slot = session-slot;
if (slot-login_user != CKU_SO) {
rv = CKR_USER_NOT_LOGGED_IN;
@@ -341,12 +346,11 @@
goto out;
sc_debug(context, Changing PIN (session %d)\n, hSession);
-#if 0
- if (!(ses-flags CKF_RW_SESSION)) {
+
+ if (!(session-flags CKF_RW_SESSION)) {
rv = CKR_SESSION_READ_ONLY;
goto out;
}
-#endif
slot = session-slot;
rv = slot-card-framework-change_pin(slot-card, slot-fw_data,
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel