From 0cc3b422561b6b5f40c1f29a0c171c4637184ced Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Fri, 27 Dec 2024 14:33:31 +0100
Subject: [PATCH 1/3] Clear session opening errors on successful re-opening
Signed-off-by: Jakub Zelenka
---
 src/session.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/session.c b/src/session.c
index 69c3a1f3..9c717df4 100644
--- a/src/session.c
+++ b/src/session.c
@@ -807,6 +807,7 @@ static CK_RV slot_login(P11PROV_SLOT *slot, P11PROV_URI *uri,
 }
 /* we acquired the session, check that it is ok */
+ p11prov_set_error_mark(pool->provctx);
 ret = session_check(session, session->flags);
 if (ret != CKR_OK) {
 num_open_sessions--;
@@ -816,9 +817,13 @@ static CK_RV slot_login(P11PROV_SLOT *slot, P11PROV_URI *uri,
 ret = token_session_open(session, flags);
 if (ret == CKR_OK) {
 num_open_sessions++;
+ p11prov_pop_error_to_mark(pool->provctx);
 } else {
+ p11prov_clear_last_error_mark(pool->provctx);
 goto done;
 }
+ } else {
+ p11prov_clear_last_error_mark(pool->provctx);
 }
 if (is_login_state(session->state)) {
@@ -1008,6 +1013,7 @@ CK_RV p11prov_get_session(P11PROV_CTX *provctx, CK_SLOT_ID *slotid,
 ret = fetch_session(pool, flags, false, &session);
 if (ret == CKR_OK) {
+ p11prov_set_error_mark(pool->provctx);
 ret = session_check(session, flags);
 if (ret != CKR_OK) {
 num_open_sessions--;
@@ -1017,8 +1023,11 @@ CK_RV p11prov_get_session(P11PROV_CTX *provctx, CK_SLOT_ID *slotid,
 ret = token_session_open(session, flags);
 if (ret == CKR_OK) {
 num_open_sessions++;
+ p11prov_pop_error_to_mark(pool->provctx);
+ goto done;
 }
 }
+ p11prov_clear_last_error_mark(pool->provctx);
 }
 done:
From d9dc0866c693b242311b40d1d0ea1ba3c28053df Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Fri, 27 Dec 2024 14:34:35 +0100
Subject: [PATCH 2/3] Introduce p11prov_obj_refresh_invalid This is useful for refreshing invalid object handles
Signed-off-by: Jakub Zelenka
---
 src/objects.c | 11 +++++++++++
 src/objects.h | 1 +
 2 files changed, 12 insertions(+)
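Review bot: Nothing at the `p11prov_set_error_mark` call in slot_login says that the mark is released only in the following hunk (`p11prov_pop_error_to_mark` after a successful re-open, `p11prov_clear_last_error_mark` otherwise); a comment there such as `/* mark: errors from a failed check are dropped only if the session is re-opened below */` would stop a later early exit from leaving a stale mark behind. The lines between the two slot_login hunks are not visible here, so it is worth confirming that none of them can reach `done` while the mark is still set. The same set/pop/clear sequence is repeated in p11prov_get_session (third and fourth hunks), and a small static helper wrapping check, re-open and mark handling would keep the pairing in one place. Because the pop erases the only record that the token invalidated the session, a debug-level trace before it would keep that event visible when diagnosing token resets.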
diff --git a/src/objects.c b/src/objects.c
index d18149e5..de29ca37 100644
--- a/src/objects.c
+++ b/src/objects.c
@@ -1315,6 +1315,17 @@ static void p11prov_obj_refresh(P11PROV_OBJ *obj)
 p11prov_return_session(session);
 }
+CK_RV p11prov_obj_refresh_invalid(P11PROV_OBJ *obj)
+{
+ obj->handle = CK_INVALID_HANDLE;
+ obj->cached = CK_INVALID_HANDLE;
+ p11prov_obj_refresh(obj);
+ if (obj->handle == CK_INVALID_HANDLE) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ return CKR_OK;
+}
+
 #define SECRET_KEY_ATTRS 2
 P11PROV_OBJ *p11prov_create_secret_key(P11PROV_CTX *provctx, P11PROV_SESSION *session,
diff --git a/src/objects.h b/src/objects.h
index c6ee04ff..aa30b9e7 100644
--- a/src/objects.h
+++ b/src/objects.h
@@ -40,6 +40,7 @@ CK_RV p11prov_obj_from_handle(P11PROV_CTX *ctx, P11PROV_SESSION *session,
 CK_RV p11prov_obj_find(P11PROV_CTX *provctx, P11PROV_SESSION *session, CK_SLOT_ID slotid, P11PROV_URI *uri, store_obj_callback cb, void *cb_ctx);
+CK_RV p11prov_obj_refresh_invalid(P11PROV_OBJ *obj);
 P11PROV_OBJ *p11prov_create_secret_key(P11PROV_CTX *provctx, P11PROV_SESSION *session, bool session_key, unsigned char *secret,
From c925eadf34e23a43e3f3c3cd587452d177ec7104 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Fri, 27 Dec 2024 14:35:30 +0100
Subject: [PATCH 3/3] Refresh signature key object on invalid handle
Signed-off-by: Jakub Zelenka
---
 src/signature.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/signature.c b/src/signature.c
index 10465962..dd6e5dec 100644
--- a/src/signature.c
+++ b/src/signature.c
@@ -870,7 +870,7 @@ static CK_RV p11prov_sig_operate_init(P11PROV_SIG_CTX *sigctx, bool digest_op,
 }
 done:
- if (ret != CKR_OK) {
+ if (ret != CKR_OK && ret != CKR_OBJECT_HANDLE_INVALID) {
 p11prov_return_session(session);
 } else {
 *_session = session;
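Review bot: p11prov_obj_refresh_invalid overwrites `obj->handle` and `obj->cached` before it knows the refresh will succeed, so a failed refresh leaves the object without any handle, and another user of the same P11PROV_OBJ could observe CK_INVALID_HANDLE in the meantime; whether objects are shared across threads is not visible in this hunk and needs checking against the object's locking rules. `obj` is also dereferenced without a NULL check although the function is exported through objects.h; `if (obj == NULL) return CKR_ARGUMENTS_BAD;` at the top would cover that. p11prov_obj_refresh is outside the hunk: if it re-finds the key by searching the token, the new handle is whatever matches that search, so a doc comment should state what guarantees it is the same key, given that the signature path goes on to use the refreshed handle. The comment should also say that every failure is reported as CKR_OBJECT_HANDLE_INVALID, since p11prov_obj_refresh returns void and the real cause is lost.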
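Review bot: On CKR_OBJECT_HANDLE_INVALID the `done:` block of p11prov_sig_operate_init now skips `p11prov_return_session` and hands the session to the caller together with an error code, and the caller changed in the next hunk never releases it. In p11prov_sig_operate the retry overwrites `session` and the failure path returns `ret` directly, so each stale-handle event appears to leak one pooled session, which matters on tokens with a small session limit. Unless something outside these hunks needs the session kept, leave the test as `if (ret != CKR_OK) {` and let the retry acquire its own session; other callers of p11prov_sig_operate_init are not visible here and would otherwise need the same cleanup. The function body above `done:` is outside the hunk, so whether `session` is always set on this path cannot be confirmed from here.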
@@ -935,10 +935,22 @@ static CK_RV p11prov_sig_operate(P11PROV_SIG_CTX *sigctx, unsigned char *sig,
 tbslen += mech->der_digestinfo_len;
 }
+ p11prov_set_error_mark(sigctx->provctx);
 ret = p11prov_sig_operate_init(sigctx, false, &session);
 if (ret != CKR_OK) {
- return ret;
+ if (ret == CKR_OBJECT_HANDLE_INVALID && p11prov_obj_refresh_invalid(sigctx->key) == CKR_OK) {
+ ret = p11prov_sig_operate_init(sigctx, false, &session);
+ }
+ if (ret != CKR_OK) {
+ p11prov_clear_last_error_mark(sigctx->provctx);
+ return ret;
+ } else {
+ p11prov_pop_error_to_mark(sigctx->provctx);
+ }
+ } else {
+ p11prov_clear_last_error_mark(sigctx->provctx);
 }
+
 sess = p11prov_session_handle(session);
 if (sigctx->operation == CKF_SIGN) {
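Review bot: The retry in p11prov_sig_operate is written as an `if` nested inside the failure branch with an `else` after `return ret;`, and the condition line `if (ret == CKR_OBJECT_HANDLE_INVALID && p11prov_obj_refresh_invalid(sigctx->key) == CKR_OK) {` is well over 80 columns, which the wrapped signatures elsewhere in these files suggest is the limit; break it before `&&` and drop the `else`. A comment above it, e.g. `/* stale key handle: refresh the object and retry once */`, should also say that the errors from the first attempt are discarded by `p11prov_pop_error_to_mark` when the retry succeeds. The function continues past the end of the hunk.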