1. Libhsm encapsulates sequences C_FindObjectsInit ; C_FindObjects* ; C_FindObjectsFinal. When an error occurs, it breaks off this sequence, which means it might have called C_FindObjectsInit without closing it off with C_FindObjectsFinal.
2. PKCS #11 states clearly: "At most one search operation may be active at a given time in a given session."
3. Libhsm tries to abstract session handling and the fact that operations with such constraints are used.
4. This means that applications can lead to sequential invocations of C_FindObjectsInit, which is not proper form. A compiling patch is attached.
5. Libhsm aggravates the problem by providing a default (NULL) context whose session is shared among its calllers (which may run from threaded code).
- is cloned by
OPENDNSSEC-521 CLONE - libhsm wrong use of C_FindObjectsXXX
- relates to
OPENDNSSEC-580 libhsm: Remove usage of NULL context