From 37de95179023931a8938b4652b81ae3a634e5763 Mon Sep 17 00:00:00 2001
From: Timothy Pearson <kb9vqf@pearsoncomputing.net>
Date: Wed, 7 Sep 2016 12:31:18 -0500
Subject: [PATCH] Fix decryption with multiple LUKS keyfiles available

---
 src/cardpincheck.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/cardpincheck.c b/src/cardpincheck.c
index f1e730f..ae1da9a 100644
--- a/src/cardpincheck.c
+++ b/src/cardpincheck.c
@@ -353,8 +353,13 @@ int main(int argc, char* argv[]) {
 					rv = pkcs11h_certificate_decryptAny(certificate, CKM_RSA_PKCS, ciphertext, ciphertextfilesize, NULL, &size);
 					if (rv != CKR_OK) {
 						fprintf(stderr, "Cannot determine decrypted message length: %s (%d)\n", pkcs11h_getMessage(rv), rv);
-						if (rv == CKR_CANCEL) {
-							ret = -1;
+						if (rv == CKR_FUNCTION_FAILED) {
+							/* Decryption failed */
+							ret = -20;
+							abort_decryption = 1;
+						}
+						else if (rv == CKR_CANCEL) {
+							ret = -2;
 							abort_decryption = 1;
 						}
 						else if ((rv == CKR_PIN_INCORRECT) || (rv == CKR_USER_NOT_LOGGED_IN)) {