From be9d48c540c2b9141c40e3c1493a7dca4010eebc Mon Sep 17 00:00:00 2001
From: Stefan Walter
Date: Thu, 8 Jan 2009 18:41:26 +0000
Subject: [PATCH] Don't try to keep authenticating when bad password on protected auth path * gp11/gp11-module.c: * gp11/gp11-session.c: * gp11/gp11-slot.c: Don't try to keep authenticating when bad password on protected auth path authentication. Protected auth path repeats internally as necessary. * pkcs11/pkcs11g.h: * pkcs11/gck/gck-attributes.c: * pkcs11/gck/gck-object.c: * pkcs11/gck/gck-object.h: * pkcs11/ssh-store/gck-ssh-module.c: * pkcs11/ssh-store/gck-ssh-private-key.c: * pkcs11/ssh-store/gck-ssh-private-key.h: * pkcs11/ssh-store/gck-ssh-public-key.c: * pkcs11/ssh-store/gck-ssh-public-key.h: Added CKA_GNOME_UNIQUE attribute. * daemon/gkr-daemon.c: * daemon/Makefile.am: * daemon/pkcs11/gkr-pkcs11-auth.c: (added) * daemon/pkcs11/gkr-pkcs11-auth.h: (added) * daemon/pkcs11/gkr-pkcs11-auth-ep.c: (added) * daemon/pkcs11/gkr-pkcs11-daemon.c: (added) * daemon/pkcs11/gkr-pkcs11-daemon.h: (added) * daemon/pkcs11/Makefile.am: * daemon/pkix/gkr-pkix-asn1.c: * daemon/ssh/gkr-ssh-daemon.h: (removed) * daemon/ssh/gkr-ssh-daemon-io.c: (removed) * daemon/ssh/gkr-ssh-daemon-ops.c: (removed) * daemon/ssh/Makefile.am: (removed) * daemon/ui/gkr-ask-daemon.c: * pkcs11/ssh-agent/gck-ssh-agent.c: * pkcs11/ssh-agent/gck-ssh-agent-ops.c: Integrate new modular SSH agent as the main gnome-keyring-daemon SSH agent. svn path=/trunk/; revision=1447
---
 gp11/gp11-module.c | 14 +++++++++-----
 gp11/gp11-session.c | 5 +----
 gp11/gp11-slot.c | 2 +-
 3 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/gp11/gp11-module.c b/gp11/gp11-module.c
index b26c97b..fe39e75 100644
--- a/gp11/gp11-module.c
+++ b/gp11/gp11-module.c
@@ -369,11 +369,15 @@ _gp11_module_fire_authenticate_slot (GP11Module *self, GP11Slot *slot, gchar *la
 info = gp11_slot_get_token_info (slot);
 if (info != NULL) {
- if (info->flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
- gp11_token_info_free (info);
- *password = NULL;
- return TRUE;
- }
+
+ /*
+ * We'll have tried to login at least once at this point,
+ * with NULL password. This means that CKF_PROTECTED_AUTHENTICATION_PATH
+ * tokens have had their chance and we don't need to prompt for it.
+ */
+
+ if (info->flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+ return FALSE;
 if (label == NULL)
 label = allocated = g_strdup (info->label);
diff --git a/gp11/gp11-session.c b/gp11/gp11-session.c
index a60cf02..fe84a56 100644
--- a/gp11/gp11-session.c
+++ b/gp11/gp11-session.c
@@ -1047,10 +1047,7 @@ authenticate_perform (Authenticate *args, GP11Arguments *base)
 /* Protected authentication path, just go to perform */
 if (args->protected_auth) {
 args->state = AUTHENTICATE_PERFORM;
- do {
- rv = authenticate_perform (args, base);
- } while (rv == CKR_PIN_INCORRECT);
- return rv;
+ return authenticate_perform (args, base);
 }
 /* Get the label for a prompt */
diff --git a/gp11/gp11-slot.c b/gp11/gp11-slot.c
index 843b796..ecb45f7 100644
--- a/gp11/gp11-slot.c
+++ b/gp11/gp11-slot.c
@@ -683,7 +683,7 @@ complete_open_session (OpenSession *args, CK_RV result)
 ret = _gp11_module_fire_authenticate_slot (module, args->slot, NULL, &args->password);
- /* Call is not complete */
+ /* If authenticate returns TRUE then call is not complete */
 ret = !ret;
 }
--
2.7.4
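Review bot: The added early return `if (info->flags & CKF_PROTECTED_AUTHENTICATION_PATH) return FALSE;` in `_gp11_module_fire_authenticate_slot` leaves `info` allocated: the branch it replaces called `gp11_token_info_free (info)` before returning, and nothing visible in the hunk frees it on the new path. Releasing it first keeps the path leak-free: `if (info->flags & CKF_PROTECTED_AUTHENTICATION_PATH) { gp11_token_info_free (info); return FALSE; }`. The removed code also set `*password = NULL`, whereas the new path leaves `*password` untouched, so callers such as `complete_open_session`, which passes `&args->password`, should be checked not to read or free a stale value after a FALSE return. The function begins and ends outside the hunk, so any initialisation of `*password` or later cleanup of `info` cannot be confirmed from here.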
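Review bot: The comment above the `args->protected_auth` branch still says only "just go to perform" and gives no reason why `CKR_PIN_INCORRECT` is now handed back without a retry. I would replace it with `/* Protected authentication path: the token prompts and retries on its own, so perform once and return CKR_PIN_INCORRECT to the caller */`. Recording this is worthwhile because a loop on `CKR_PIN_INCORRECT` with no user interaction in between could, on tokens that count failed logins, run toward PIN lockout, and a later edit should not reintroduce it. The enclosing function starts and ends outside the hunk, and the name in the `@@` header is only the nearest preceding signature, so it may not be the function that holds this branch.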