Fix from Ian to address Bugzilla bug 202179.

The fix restores some old code that was removed as part of our
performance work (Bugzilla bug 145322).  Thus, there may be a
slight performance hit, but obviously, we need to have correct
code first.

This is a part of the code I really don't like.  To summarize,
there was a hack put in a long time ago to make sure that the
PKCS#11 session in which the SSL keys are generated was never
closed until the last key was deleted.  This only worked by chance,
and if any part of the code was changed (as was the case here), this
unstable equilibrium would be lost.  As with all hacks, it wasn't
really documented, so the problem escaped our notice.  As a result of
putting the hack back in, we're going back to the horribly wasteful
operation of opening 4 sessions and immediately closing them.  I intend
to have a proper solution in a later release.

1 files changed, 11 insertions, 0 deletions

diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c
index 0253a6ed0..cbed749f2 100644
--- a/security/nss/lib/pk11wrap/pk11skey.c
+++ b/security/nss/lib/pk11wrap/pk11skey.c
@@ -305,6 +305,17 @@ PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin,
     symKey->origin = origin;
     symKey->owner = owner;
 
+    /* adopt the parent's session */
+    /* This is only used by SSL. What we really want here is a session
+     * structure with a ref count so  the session goes away only after all the
+     * keys do. */
+    if (owner && parent) {
+	pk11_CloseSession(symKey->slot, symKey->session,symKey->sessionOwner);
+	symKey->sessionOwner = parent->sessionOwner;
+	symKey->session = parent->session;
+	parent->sessionOwner = PR_FALSE;
+    }
+
     return symKey;
 }