Skip to content

fix: log out token on C_CloseAllSessions#204

Open
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:fix/close-all-sessions-logout
Open

fix: log out token on C_CloseAllSessions#204
MarkAtwood wants to merge 1 commit into
wolfSSL:masterfrom
MarkAtwood:fix/close-all-sessions-logout

Conversation

@MarkAtwood

Copy link
Copy Markdown
Contributor

Problem

C_CloseAllSessions does not log the application out of the token. WP11_Slot_CloseSessions closes every session for the slot but never resets the token login state, so a session opened after C_CloseAllSessions still reports CKS_RW_USER_FUNCTIONS instead of CKS_RW_PUBLIC_SESSION.

Per PKCS#11 (v2.40 / v3.0), closing all of a slot's sessions returns the token to the logged-out state. The single-session path WP11_Slot_CloseSession already does this — it calls WP11_Slot_Logout once no in-use sessions remain — but the bulk path was missing the equivalent call.

Fix

Call WP11_Slot_Logout(slot) in WP11_Slot_CloseSessions after all sessions are closed, mirroring the single-session path. WP11_Slot_Logout acquires the slot lock itself (so it runs after the walk's unlock) and is a no-op when the token is already public.

Test

Adds tests/close_all_sessions_logout_test.c: initialize a token, set a user PIN, log in CKU_USER, call C_CloseAllSessions, reopen a session and assert C_GetSessionInfo reports CKS_RW_PUBLIC_SESSION.

  • Passes with this fix; the full make check suite is green.
  • Against the pre-fix library the test fails at exactly the logout assertion (reopened session reports state 3 RW_USER_FUNCTIONS instead of 2 RW_PUBLIC_SESSION), so it genuinely gates the regression.

Verified by build + run on Ubuntu 24.04.

WP11_Slot_CloseSessions closed every session for the slot but never reset
the token login state, so a session opened after C_CloseAllSessions still
reported CKS_RW_USER_FUNCTIONS instead of CKS_RW_PUBLIC_SESSION. Per
PKCS#11, closing all of a slot's sessions logs the application out of the
token.

Call WP11_Slot_Logout after the sessions are closed, mirroring the
single-session WP11_Slot_CloseSession path (which already logs out when no
in-use sessions remain). WP11_Slot_Logout takes the slot lock itself and is
a no-op when the token is already public, so it is called after the walk.

Add tests/close_all_sessions_logout_test.c: log in CKU_USER, call
C_CloseAllSessions, reopen a session and assert it is CKS_RW_PUBLIC_SESSION.
The test fails against the pre-fix library (reopened session reports
state 3 instead of 2).
Copilot AI review requested due to automatic review settings July 9, 2026 22:12

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aligns C_CloseAllSessions behavior with PKCS#11 semantics by ensuring that closing all sessions for a slot also resets the token login state back to public, and adds a regression test to prevent the issue from recurring.

Changes:

  • Call WP11_Slot_Logout(slot) at the end of WP11_Slot_CloseSessions to reset the token to the logged-out (public) state.
  • Add a new regression test that logs in, calls C_CloseAllSessions, reopens a session, and verifies the session is public.
  • Wire the new test into the Automake test build in tests/include.am.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
tests/include.am Registers the new regression test target in the test build/run lists.
tests/close_all_sessions_logout_test.c New regression test that asserts C_CloseAllSessions returns the token/session to public state.
src/internal.c Adds the missing logout call after bulk session close to match PKCS#11 logout semantics.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +189 to +191
funcList->C_Logout(session);
funcList->C_CloseSession(session);
session = 0;
Comment on lines +208 to +211
rv = funcList->C_CloseAllSessions(slot);
CHECK_RV(rv, "C_CloseAllSessions", CKR_OK);
session = 0;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants