[PATCH] Treat pkcs11 TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED as a transient failure.

Mike Gerow gerow
Sat Feb 21 16:37:58 PST 2015


This can get returned by modules that simply aren't ready yet, so just throwing
away the pkcs11 pin doesn't really make sense.

This also addresses a problem where an error condition isn't communicated to the
caller appropriately in this specific case.
---
 src/eap_peer/eap_tls_common.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 8710781..78f33c2 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -198,12 +198,12 @@ static int eap_tls_init_connection(struct eap_sm *sm,
 	res = tls_connection_set_params(data->ssl_ctx, data->conn, params);
 	if (res == TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED) {
 		/*
-		 * At this point with the pkcs11 engine the PIN might be wrong.
-		 * We reset the PIN in the configuration to be sure to not use
-		 * it again and the calling function must request a new one.
+		 * This generally means whatever we're talking to through
+		 * PKCS#11 simply isn't ready and should be treated as a
+		 * transient failure.
 		 */
-		os_free(config->pin);
-		config->pin = NULL;
+		sm->ignore = TRUE;
+		return -1;
 	} else if (res == TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED) {
 		wpa_printf(MSG_INFO, "TLS: Failed to load private key");
 		/*
-- 
2.2.0.rc0.207.ga3a616c




More information about the Hostap mailing list