[PATCH] pkcs11: Don't ask for a new PIN on TLS handshake failure

Mike Gerow gerow
Mon Jul 6 14:26:57 PDT 2015


The only time the PIN should fail is when we initialize the TLS connection, so
it doesn't really make sense to get rid of the PIN just because some other part
of the handshake failed.

This is a followup to fd4fb28179a0b750dff4d38a72a7bf89a2c49813

Signed-off-by: Mike Gerow <gerow at google.com>
---
 src/eap_peer/eap_tls.c | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c
index d81b1cf..66a027a 100644
--- a/src/eap_peer/eap_tls.c
+++ b/src/eap_peer/eap_tls.c
@@ -156,20 +156,6 @@ static struct wpabuf * eap_tls_failure(struct eap_sm *sm,
 	ret->methodState = METHOD_DONE;
 	ret->decision = DECISION_FAIL;
 
-	if (res == -1) {
-		struct eap_peer_config *config = eap_get_config(sm);
-		if (config) {
-			/*
-			 * The TLS handshake failed. So better forget the old
-			 * PIN. It may be wrong, we cannot be sure but trying
-			 * the wrong one again might block it on the card--so
-			 * better ask the user again.
-			 */
-			os_free(config->pin);
-			config->pin = NULL;
-		}
-	}
-
 	if (resp) {
 		/*
 		 * This is likely an alert message, so send it instead of just
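
Review bot: The removed `if (res == -1)` block held the only stated reason for the reset (retrying a wrong PIN "might block it on the card"), and the commit message replaces it only with a reference to fd4fb28179a0b750dff4d38a72a7bf89a2c49813. Please name in the commit message the path that now clears config->pin when the PIN is actually rejected at TLS initialization, so a reader can confirm that a bad PIN is not retried against the token once this block is gone. Also check whether `res` is still used in the rest of eap_tls_failure(); if this was its only use, the parameter is left dead and should be dropped or marked unused.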
-- 
2.4.3.573.g4eafbef



