[pkg-opensc-commit] [libp11] 10/51: Removed CKA_ALWAYS_AUTHENTICATE check

Eric Dorland eric at moszumanska.debian.org
Wed Dec 7 17:51:30 UTC 2016


This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository libp11.

commit 5394c2c55ac49ffb6c7d360f7b78b6764bdef7c9
Author: Michał Trojnara <Michal.Trojnara at stunnel.org>
Date:   Fri Oct 7 21:57:14 2016 +0200

    Removed CKA_ALWAYS_AUTHENTICATE check
    
    Avoid using CKA_ALWAYS_AUTHENTICATE to check whether
    a CKU_CONTEXT_SPECIFIC login is needed (courtesy of Mouse).
---
 NEWS          | 2 +-
 src/p11_ec.c  | 2 +-
 src/p11_key.c | 3 ---
 src/p11_rsa.c | 6 +++---
 4 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/NEWS b/NEWS
index 870cc5a..ccc3577 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,7 @@
 NEWS for Libp11 -- History of user visible changes
 
 New in 0.4.3; unreleased
-* Use UI to get the CKA_ALWAYS_AUTHENTICATE PIN (Michał Trojnara).
+* Use UI to get the CKU_CONTEXT_SPECIFIC PIN (Michał Trojnara).
 * Fixed an EVP_PKEY refcount leak (David Woodhouse).
 
 New in 0.4.2; 2016-09-25; Michał Trojnara
diff --git a/src/p11_ec.c b/src/p11_ec.c
index 1852920..dd1742e 100644
--- a/src/p11_ec.c
+++ b/src/p11_ec.c
@@ -209,7 +209,7 @@ static int pkcs11_ecdsa_sign(const unsigned char *msg, unsigned int msg_len,
 	CRYPTO_THREAD_write_lock(PRIVSLOT(slot)->rwlock);
 	rv = CRYPTOKI_call(ctx,
 		C_SignInit(spriv->session, &mechanism, kpriv->object));
-	if (!rv)
+	if (rv == CKR_USER_NOT_LOGGED_IN)
 		rv = pkcs11_authenticate(key);
 	if (!rv)
 		rv = CRYPTOKI_call(ctx,
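Review bot: The new test `if (rv == CKR_USER_NOT_LOGGED_IN)` calls pkcs11_authenticate() only after C_SignInit has failed, and the following `if (!rv)` then goes straight to the sign call without running C_SignInit again, so the token has no active operation to sign with. In PKCS #11 a CKU_CONTEXT_SPECIFIC login is expected after a successful init, so a token that returns CKR_OK from C_SignInit for such a key now skips the login and would presumably fail later in C_Sign. If the attribute must not be consulted, either re-issue C_SignInit after a successful login or handle CKR_USER_NOT_LOGGED_IN from C_Sign instead. Otherwise keep the gate at the call site, e.g. `if (!rv && kpriv->always_authenticate) rv = pkcs11_authenticate(key);`, assuming the field is still populated. The same pattern appears in all three hunks of src/p11_rsa.c (C_SignInit, C_EncryptInit, C_DecryptInit), and pkcs11_ecdsa_sign continues outside this hunk.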
diff --git a/src/p11_key.c b/src/p11_key.c
index 7cc5b4f..bdbdf0b 100644
--- a/src/p11_key.c
+++ b/src/p11_key.c
@@ -347,9 +347,6 @@ int pkcs11_authenticate(PKCS11_KEY *key)
 	UI *ui;
 	int rv;
 
-	if (!kpriv->always_authenticate)
-		return 0;
-
 	/* Handle CKF_PROTECTED_AUTHENTICATION_PATH */
 	if (token->secureLogin) {
 		rv = CRYPTOKI_call(ctx,
diff --git a/src/p11_rsa.c b/src/p11_rsa.c
index ca81975..e36bc76 100644
--- a/src/p11_rsa.c
+++ b/src/p11_rsa.c
@@ -99,7 +99,7 @@ int pkcs11_private_encrypt(int flen,
 	/* Try signing first, as applications are more likely to use it */
 	rv = CRYPTOKI_call(ctx,
 		C_SignInit(spriv->session, &mechanism, kpriv->object));
-	if (!rv)
+	if (rv == CKR_USER_NOT_LOGGED_IN)
 		rv = pkcs11_authenticate(key);
 	if (!rv)
 		rv = CRYPTOKI_call(ctx,
@@ -108,7 +108,7 @@ int pkcs11_private_encrypt(int flen,
 		/* OpenSSL may use it for encryption rather than signing */
 		rv = CRYPTOKI_call(ctx,
 			C_EncryptInit(spriv->session, &mechanism, kpriv->object));
-		if (!rv)
+		if (rv == CKR_USER_NOT_LOGGED_IN)
 			rv = pkcs11_authenticate(key);
 		if (!rv)
 			rv = CRYPTOKI_call(ctx,
@@ -142,7 +142,7 @@ int pkcs11_private_decrypt(int flen, const unsigned char *from, unsigned char *t
 	CRYPTO_THREAD_write_lock(PRIVSLOT(slot)->rwlock);
 	rv = CRYPTOKI_call(ctx,
 		C_DecryptInit(spriv->session, &mechanism, kpriv->object));
-	if (!rv)
+	if (rv == CKR_USER_NOT_LOGGED_IN)
 		rv = pkcs11_authenticate(key);
 	if (!rv)
 		rv = CRYPTOKI_call(ctx,

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/libp11.git


