Closed Bug 296096 Opened 20 years ago Closed 4 years ago

NSC_OpenSession doesn't return CKR_TOKEN_WRITE_PROTECTED when we ask for a RW session but only RO sessions are allowed

Categories

(NSS :: Libraries, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: EPerlade.spam, Assigned: rrelyea)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; X11; Linux i686) Opera 7.54  [en]
Build Identifier: 

NSC_OpenSession never returns the CKR_TOKEN_WRITE_PROTECTED error code as mentioned in
the PKCS11 RSA documentation. When we ask for a RW session and only RO sessions are
allowed (nss initialized with NSS_Init), it simply opens a RO session without
telling us an error occurred.
Moreover, nss functions based on NSC_OpenSession, such as PK11_GetRWSession, only check
whether an error occurred, but not for an implicit flag modification in the session.
The developer believes that everything went well whereas the opened session is
unusable.

Reproducible: Always

Steps to Reproduce:
1. Initialize NSS with NSS_Init(path)
2. Call SEC_PKCS12DecoderImportBags, for example, with a valid context
3. You won't have an explicit read-only error code returned, but it will fail

Actual Results:  
When NSC_OpenSession is called with the CKF_RW_SESSION flag and nss is initialized
read only, the CKF_RW_SESSION flag is implicitly disabled and a RO session is opened.


Expected Results:  
NSC_OpenSession should fail with CKR_TOKEN_WRITE_PROTECTED when slot->readOnly
is true and the CKF_RW_SESSION flag is too.
This way PK11_GetRWSession could be consistent, returning an error when it
can only open a read-only session. Isn't it what nss developers expect?
 


A possible correction:

security/nss/lib/softoken/pkcs11.c

    if (slot->readOnly && (flags & CKF_RW_SESSION)) {
        /* NETSCAPE_SLOT_ID is Read ONLY */
        session->info.flags &= ~CKF_RW_SESSION;
    }

should be replaced by:

    if (slot->readOnly && (flags & CKF_RW_SESSION)) {
        sftk_DestroySession(session);
        return (CKR_TOKEN_WRITE_PROTECTED);
    }

Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Assignee: nobody → rrelyea
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
QA Contact: jjones
Resolution: --- → INACTIVE
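
A caller-side guard for the behaviour reported above, added here as an example; it is not code from NSS or from the reporter. The `model_*` structs and the `open_session_*` and `open_rw_checked` functions are hypothetical stand-ins that model the two snippets quoted in the report; against a real PKCS #11 module the granted flags would be read with C_GetSessionInfo.

```c
#include <stdio.h>

/* Constant values as defined by the PKCS #11 headers. */
typedef unsigned long CK_RV, CK_FLAGS;
#define CKR_OK                    0x00000000UL
#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2UL
#define CKF_RW_SESSION            0x00000002UL
#define CKF_SERIAL_SESSION        0x00000004UL

/* Hypothetical models of the softoken slot and session (assumption). */
struct model_slot    { int readOnly; };
struct model_session { CK_FLAGS flags; };
typedef CK_RV (*open_fn)(const struct model_slot *, CK_FLAGS,
                         struct model_session *);

/* Reported behaviour: the RW flag is cleared and CKR_OK is still returned. */
CK_RV open_session_reported(const struct model_slot *slot, CK_FLAGS flags,
                            struct model_session *out)
{
    out->flags = flags;
    if (slot->readOnly && (flags & CKF_RW_SESSION))
        out->flags &= ~CKF_RW_SESSION;
    return CKR_OK;
}

/* Behaviour proposed in the report: refuse the RW request outright. */
CK_RV open_session_proposed(const struct model_slot *slot, CK_FLAGS flags,
                            struct model_session *out)
{
    if (slot->readOnly && (flags & CKF_RW_SESSION))
        return CKR_TOKEN_WRITE_PROTECTED;
    out->flags = flags;
    return CKR_OK;
}

/* Guard: request RW, then compare granted flags with requested flags so a
 * silent downgrade surfaces as an error instead of an unusable session. */
CK_RV open_rw_checked(open_fn opener, int readOnly)
{
    struct model_slot slot = { readOnly };
    struct model_session s = { 0 };
    CK_RV rv = opener(&slot, CKF_SERIAL_SESSION | CKF_RW_SESSION, &s);
    if (rv == CKR_OK && !(s.flags & CKF_RW_SESSION))
        rv = CKR_TOKEN_WRITE_PROTECTED;
    return rv;
}

int main(void)
{
    printf("reported, RO slot: 0x%lx\n", open_rw_checked(open_session_reported, 1));
    printf("proposed, RO slot: 0x%lx\n", open_rw_checked(open_session_proposed, 1));
    return 0;
}
```

With the guard in place the caller sees the same error code under either implementation, so it does not depend on the softoken being changed.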