pkcs11: Fix return value when trying to open parallel session

It is mandatory to have CKF_SERIAL_SESSION set when invoking
C_OpenSession(). Return value CKR_SESSION_PARALLEL_NOT_SUPPORTED must be
returned.

Specified in:
PKCS OP-TEE#11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.6 Session management functions
C_OpenSession

Signed-off-by: Vesa Jääskeläinen <[email protected]>

ta/pkcs11/include/pkcs11_ta.h

@@ -612,6 +612,7 @@ enum pkcs11_rc {
 	PKCS11_CKR_SESSION_CLOSED		= 0x00b0,
 	PKCS11_CKR_SESSION_COUNT		= 0x00b1,
 	PKCS11_CKR_SESSION_HANDLE_INVALID	= 0x00b3,
+	PKCS11_CKR_SESSION_PARALLEL_NOT_SUPPORTED = 0x00b4,
 	PKCS11_CKR_SESSION_READ_ONLY		= 0x00b5,
 	PKCS11_CKR_SESSION_EXISTS		= 0x00b6,
 	PKCS11_CKR_SESSION_READ_ONLY_EXISTS	= 0x00b7,

ta/pkcs11/src/pkcs11_helpers.c

@@ -247,6 +247,7 @@ static const struct any_id __maybe_unused string_rc[] = {
 	PKCS11_ID(PKCS11_CKR_PIN_INVALID),
 	PKCS11_ID(PKCS11_CKR_PIN_LEN_RANGE),
 	PKCS11_ID(PKCS11_CKR_SESSION_EXISTS),
+	PKCS11_ID(PKCS11_CKR_SESSION_PARALLEL_NOT_SUPPORTED),
 	PKCS11_ID(PKCS11_CKR_SESSION_READ_ONLY),
 	PKCS11_ID(PKCS11_CKR_SESSION_READ_WRITE_SO_EXISTS),
 	PKCS11_ID(PKCS11_CKR_OPERATION_ACTIVE),

ta/pkcs11/src/pkcs11_token.c

@@ -603,9 +603,10 @@ enum pkcs11_rc entry_ck_open_session(struct pkcs11_client *client,
 		return PKCS11_CKR_SLOT_ID_INVALID;
 
 	/* Sanitize session flags */
-	if (!(flags & PKCS11_CKFSS_SERIAL_SESSION) ||
-	    (flags & ~(PKCS11_CKFSS_RW_SESSION |
-		       PKCS11_CKFSS_SERIAL_SESSION)))
+	if (!(flags & PKCS11_CKFSS_SERIAL_SESSION))
+		return PKCS11_CKR_SESSION_PARALLEL_NOT_SUPPORTED;
+
+	if (flags & ~(PKCS11_CKFSS_RW_SESSION | PKCS11_CKFSS_SERIAL_SESSION))
 		return PKCS11_CKR_ARGUMENTS_BAD;
 
 	readonly = !(flags & PKCS11_CKFSS_RW_SESSION);