Blame jdk8203182-pr3603-rh1568033_release_session_if_initialization_of_sunpkcs11_signature_fails.patch

baf0ca
# HG changeset patch
baf0ca
# User igerasim
baf0ca
# Date 1528992969 25200
baf0ca
#      Thu Jun 14 09:16:09 2018 -0700
baf0ca
# Node ID d9b0b4bd2526818afa73b60da77403245554caa8
baf0ca
# Parent  1f4b038b9550afaf88a70cee4cf9c1422ecd86d6
baf0ca
8203182, PR3603: Release session if initialization of SunPKCS11 Signature fails
baf0ca
Summary: Ensure session is properly released in P11Signature class
baf0ca
Reviewed-by: valeriep
baf0ca
Contributed-by: Martin Balao <mbalao@redhat.com>
baf0ca
baf0ca
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
baf0ca
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
baf0ca
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java
baf0ca
@@ -309,47 +309,51 @@
baf0ca
             session = token.killSession(session);
baf0ca
             return;
baf0ca
         }
baf0ca
-        // "cancel" operation by finishing it
baf0ca
-        // XXX make sure all this always works correctly
baf0ca
-        if (mode == M_SIGN) {
baf0ca
-            try {
baf0ca
-                if (type == T_UPDATE) {
baf0ca
-                    token.p11.C_SignFinal(session.id(), 0);
baf0ca
-                } else {
baf0ca
-                    byte[] digest;
baf0ca
-                    if (type == T_DIGEST) {
baf0ca
-                        digest = md.digest();
baf0ca
-                    } else { // T_RAW
baf0ca
-                        digest = buffer;
baf0ca
+        try {
baf0ca
+            // "cancel" operation by finishing it
baf0ca
+            // XXX make sure all this always works correctly
baf0ca
+            if (mode == M_SIGN) {
baf0ca
+                try {
baf0ca
+                    if (type == T_UPDATE) {
baf0ca
+                        token.p11.C_SignFinal(session.id(), 0);
baf0ca
+                    } else {
baf0ca
+                        byte[] digest;
baf0ca
+                        if (type == T_DIGEST) {
baf0ca
+                            digest = md.digest();
baf0ca
+                        } else { // T_RAW
baf0ca
+                            digest = buffer;
baf0ca
+                        }
baf0ca
+                        token.p11.C_Sign(session.id(), digest);
baf0ca
                     }
baf0ca
-                    token.p11.C_Sign(session.id(), digest);
baf0ca
+                } catch (PKCS11Exception e) {
baf0ca
+                    throw new ProviderException("cancel failed", e);
baf0ca
                 }
baf0ca
-            } catch (PKCS11Exception e) {
baf0ca
-                throw new ProviderException("cancel failed", e);
baf0ca
+            } else { // M_VERIFY
baf0ca
+                try {
baf0ca
+                    byte[] signature;
baf0ca
+                    if (keyAlgorithm.equals("DSA")) {
baf0ca
+                        signature = new byte[40];
baf0ca
+                    } else {
baf0ca
+                        signature = new byte[(p11Key.length() + 7) >> 3];
baf0ca
+                    }
baf0ca
+                    if (type == T_UPDATE) {
baf0ca
+                        token.p11.C_VerifyFinal(session.id(), signature);
baf0ca
+                    } else {
baf0ca
+                        byte[] digest;
baf0ca
+                        if (type == T_DIGEST) {
baf0ca
+                            digest = md.digest();
baf0ca
+                        } else { // T_RAW
baf0ca
+                            digest = buffer;
baf0ca
+                        }
baf0ca
+                        token.p11.C_Verify(session.id(), digest, signature);
baf0ca
+                    }
baf0ca
+                } catch (PKCS11Exception e) {
baf0ca
+                    // will fail since the signature is incorrect
baf0ca
+                    // XXX check error code
baf0ca
+                }
baf0ca
             }
baf0ca
-        } else { // M_VERIFY
baf0ca
-            try {
baf0ca
-                byte[] signature;
baf0ca
-                if (keyAlgorithm.equals("DSA")) {
baf0ca
-                    signature = new byte[40];
baf0ca
-                } else {
baf0ca
-                    signature = new byte[(p11Key.length() + 7) >> 3];
baf0ca
-                }
baf0ca
-                if (type == T_UPDATE) {
baf0ca
-                    token.p11.C_VerifyFinal(session.id(), signature);
baf0ca
-                } else {
baf0ca
-                    byte[] digest;
baf0ca
-                    if (type == T_DIGEST) {
baf0ca
-                        digest = md.digest();
baf0ca
-                    } else { // T_RAW
baf0ca
-                        digest = buffer;
baf0ca
-                    }
baf0ca
-                    token.p11.C_Verify(session.id(), digest, signature);
baf0ca
-                }
baf0ca
-            } catch (PKCS11Exception e) {
baf0ca
-                // will fail since the signature is incorrect
baf0ca
-                // XXX check error code
baf0ca
-            }
baf0ca
+        } finally {
baf0ca
+            session = token.releaseSession(session);
baf0ca
         }
baf0ca
     }
baf0ca
 
baf0ca
@@ -368,6 +372,8 @@
baf0ca
             }
baf0ca
             initialized = true;
baf0ca
         } catch (PKCS11Exception e) {
baf0ca
+            // release session when initialization failed
baf0ca
+            session = token.releaseSession(session);
baf0ca
             throw new ProviderException("Initialization failed", e);
baf0ca
         }
baf0ca
         if (bytesProcessed != 0) {
baf0ca
@@ -529,6 +535,8 @@
baf0ca
                 }
baf0ca
                 bytesProcessed += len;
baf0ca
             } catch (PKCS11Exception e) {
baf0ca
+                initialized = false;
baf0ca
+                session = token.releaseSession(session);
baf0ca
                 throw new ProviderException(e);
baf0ca
             }
baf0ca
             break;
baf0ca
@@ -576,6 +584,8 @@
baf0ca
                 bytesProcessed += len;
baf0ca
                 byteBuffer.position(ofs + len);
baf0ca
             } catch (PKCS11Exception e) {
baf0ca
+                initialized = false;
baf0ca
+                session = token.releaseSession(session);
baf0ca
                 throw new ProviderException("Update failed", e);
baf0ca
             }
baf0ca
             break;