hcrypto PKCS#11 backend: don't leak sessions on digest reinit

Clients of the EVP API can reinitialize message digest contexts without destroying them. The PKCS#11 backend assumed they were only used once, and was leaking session handles upon reinitialization. This fix disposes of any existing PKCS#11 message digest context in the initialization method. (cherry picked from commit 9518f29)
heimdal · May 15, 2019 · c381868 · c381868
1 parent 7c785cc
commit c381868
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/lib/hcrypto/evp-pkcs11.c b/lib/hcrypto/evp-pkcs11.c
@@ -364,12 +364,18 @@ p11_cleanup(EVP_CIPHER_CTX *ctx)
     return 1;
 }
 
+static int
+p11_md_cleanup(EVP_MD_CTX *ctx);
+
 static int
 p11_md_hash_init(CK_MECHANISM_TYPE mechanismType, EVP_MD_CTX *ctx)
 {
     struct pkcs11_md_ctx *p11ctx = (struct pkcs11_md_ctx *)ctx;
     CK_RV rv;
 
+    if (p11ctx->hSession != CK_INVALID_HANDLE)
+        p11_md_cleanup(ctx);
+
     rv = p11_session_init(mechanismType, &p11ctx->hSession);
     if (rv == CKR_OK) {
         CK_MECHANISM mechanism = { mechanismType, NULL, 0 };