Diffstat (limited to 'ks_volatile.c')
-rw-r--r--ks_volatile.c27
1 files changed, 21 insertions, 6 deletions
diff --git a/ks_volatile.c b/ks_volatile.c
index 0b39133..02054ff 100644
--- a/ks_volatile.c
+++ b/ks_volatile.c
@@ -167,6 +167,20 @@ static hal_error_t ks_volatile_set_owner(hal_ks_t *ks,
/*
* Test key ownership.
+ *
+ * One might expect this to be based on whether the session matches,
+ * and indeed it would be in a sane world, but in the world of PKCS
+ * #11, keys belong to sessions, are visible to other sessions, and
+ * may even be modifiable by other sessions, but softly and silently
+ * vanish away when the original creating session is destroyed.
+ *
+ * In our terms, this means that visibility of session objects is
+ * determined only by the client handle, so taking the session handle
+ * as an argument here isn't really necessary, but we've flipflopped
+ * on that enough times that at least for now I'd prefer to leave the
+ * session handle here and not have to revise all the RPC calls again.
+ * Remove it at some later date and redo the RPC calls if we manage to
+ * avoid revising this yet again.
*/
static hal_error_t ks_volatile_test_owner(hal_ks_t *ks,
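Review bot: The new header comment states that visibility of session objects is determined only by the client handle, but the test body that follows in the next hunk also grants access when the key's recorded client handle is HAL_HANDLE_NONE and when the caller is logged in as HAL_USER_WHEEL; neither override is mentioned here, and they are the security-relevant part of the contract. Suggest adding a sentence to the comment such as `Keys with no recorded client (HAL_HANDLE_NONE) are visible to every client, and a client logged in as wheel can see every client's session keys.` The body of ks_volatile_test_owner lies outside this hunk, so the session-handle remark can only be checked against the following hunk.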
@@ -177,11 +191,14 @@ static hal_error_t ks_volatile_test_owner(hal_ks_t *ks,
if (ks != hal_ks_volatile || db->keys == NULL || blockno >= ks->size)
return HAL_ERROR_IMPOSSIBLE;
- if (db->keys[blockno].client.handle == client.handle &&
- db->keys[blockno].session.handle == session.handle)
+ if (db->keys[blockno].client.handle == HAL_HANDLE_NONE ||
+ db->keys[blockno].client.handle == client.handle)
+ return HAL_OK;
+
+ if (hal_rpc_is_logged_in(client, HAL_USER_WHEEL) == HAL_OK)
return HAL_OK;
- else
- return HAL_ERROR_KEY_NOT_FOUND;
+
+ return HAL_ERROR_KEY_NOT_FOUND;
}
/*
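Review bot: The `session` parameter is now never read in ks_volatile_test_owner, which the comment above says is deliberate, but it will trip -Wunused-parameter on a warnings-as-errors build; add `(void) session;` before the first check to make the intent explicit. The first added condition lets any caller pass ownership for a key whose client handle is HAL_HANDLE_NONE — presumably a never-assigned slot, but if a key's client handle can be reset to HAL_HANDLE_NONE while key material remains (worth confirming in the set_owner and delete paths, which are not in this hunk) that key becomes readable by every client. The hal_rpc_is_logged_in branch extends the same reach to a wheel-authenticated client over every other client's session keys; it fails closed, since anything other than HAL_OK falls through to HAL_ERROR_KEY_NOT_FOUND, which is the right default, but the override deserves a site comment such as `/* Wheel can see every client's session keys. */` above the call.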
@@ -233,8 +250,6 @@ static hal_error_t ks_volatile_init(hal_ks_t *ks, const int alloc)
if ((err = hal_ks_init_common(ks)) != HAL_OK)
goto done;
- ks->per_session = 1;
-
err = HAL_OK;
done: