Fix GnuTLS PIN cache leak when only *key* is PKCS#11 and not certificate.
authorDavid Woodhouse <David.Woodhouse@intel.com>
Wed, 13 Jun 2012 15:30:18 +0000 (16:30 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Wed, 13 Jun 2012 15:30:18 +0000 (16:30 +0100)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
gnutls.c

index 23edd75ee56c113c42fe13d63d26b52212f06db8..c4d814176c28021abe792ecdbe26d6b58e59c920 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -1454,7 +1454,8 @@ void openconnect_close_https(struct openconnect_info *vpninfo, int final)
                gnutls_certificate_free_credentials(vpninfo->https_cred);
                vpninfo->https_cred = NULL;
 #ifdef HAVE_P11KIT
-               if (!strncmp(vpninfo->cert, "pkcs11:", 7)) {
+               if (!strncmp(vpninfo->cert, "pkcs11:", 7) ||
+                   !strncmp(vpninfo->sslkey, "pkcs11:", 7)) {
                        char pin_source[40];
 
                        sprintf(pin_source, "openconnect:%p", vpninfo);
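Review bot: Neither `vpninfo->cert` nor the newly tested `vpninfo->sslkey` is checked for NULL before `strncmp()` in the visible lines, so if this cleanup can run for a session with no client certificate or key configured, the call is undefined behaviour and would likely crash during teardown. The enclosing condition starts above the hunk, so a guard may already exist there; if not, each test should be guarded, e.g. `if ((vpninfo->cert && !strncmp(vpninfo->cert, "pkcs11:", 7)) ||` followed by `(vpninfo->sslkey && !strncmp(vpninfo->sslkey, "pkcs11:", 7))) {`. As a minor hardening point, the `sprintf()` into `pin_source[40]` fits today's `"openconnect:%p"` output but would be safer as `snprintf(pin_source, sizeof(pin_source), "openconnect:%p", vpninfo);`. The block that unregisters the callback and frees the cached PINs continues past the end of the hunk, so whether the PIN buffers are wiped before being freed cannot be checked from here.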