10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
54632Smcpowers * Common Development and Distribution License (the "License").
64632Smcpowers * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
22*11030Sopensolaris@drydog.com * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
230Sstevel@tonic-gate * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate #include <pthread.h>
270Sstevel@tonic-gate #include <stdlib.h>
280Sstevel@tonic-gate #include <errno.h>
290Sstevel@tonic-gate #include <sys/crypto/ioctl.h>
300Sstevel@tonic-gate #include <security/cryptoki.h>
310Sstevel@tonic-gate #include "kernelGlobal.h"
320Sstevel@tonic-gate #include "kernelSession.h"
330Sstevel@tonic-gate #include "kernelObject.h"
340Sstevel@tonic-gate
350Sstevel@tonic-gate
360Sstevel@tonic-gate /*
370Sstevel@tonic-gate * Real decryptInit work. The caller doesn't hold the session lock.
380Sstevel@tonic-gate */
390Sstevel@tonic-gate CK_RV
kernel_decrypt_init(kernel_session_t * session_p,kernel_object_t * key_p,CK_MECHANISM_PTR pMechanism)400Sstevel@tonic-gate kernel_decrypt_init(kernel_session_t *session_p, kernel_object_t *key_p,
410Sstevel@tonic-gate CK_MECHANISM_PTR pMechanism)
420Sstevel@tonic-gate {
430Sstevel@tonic-gate CK_RV rv;
440Sstevel@tonic-gate crypto_decrypt_init_t decrypt_init;
450Sstevel@tonic-gate crypto_mech_type_t k_mech_type;
460Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
470Sstevel@tonic-gate int r;
480Sstevel@tonic-gate
490Sstevel@tonic-gate /* Check to see if key object allows for decryption. */
500Sstevel@tonic-gate if (key_p->is_lib_obj && !(key_p->bool_attr_mask & DECRYPT_BOOL_ON)) {
510Sstevel@tonic-gate return (CKR_KEY_TYPE_INCONSISTENT);
520Sstevel@tonic-gate }
530Sstevel@tonic-gate
540Sstevel@tonic-gate /* Get the kernel's internal mechanism number. */
550Sstevel@tonic-gate rv = kernel_mech(pMechanism->mechanism, &k_mech_type);
560Sstevel@tonic-gate if (rv != CKR_OK)
570Sstevel@tonic-gate return (rv);
580Sstevel@tonic-gate
590Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
600Sstevel@tonic-gate ses_lock_held = B_TRUE;
610Sstevel@tonic-gate
620Sstevel@tonic-gate /*
630Sstevel@tonic-gate * This active flag will remain ON until application calls either
640Sstevel@tonic-gate * C_Decrypt or C_DecryptFinal to actually obtain the final piece
650Sstevel@tonic-gate * of plaintext.
660Sstevel@tonic-gate */
670Sstevel@tonic-gate session_p->decrypt.flags = CRYPTO_OPERATION_ACTIVE;
680Sstevel@tonic-gate
690Sstevel@tonic-gate /* set up key data */
700Sstevel@tonic-gate if (!key_p->is_lib_obj) {
710Sstevel@tonic-gate decrypt_init.di_key.ck_format = CRYPTO_KEY_REFERENCE;
720Sstevel@tonic-gate decrypt_init.di_key.ck_obj_id = key_p->k_handle;
730Sstevel@tonic-gate } else {
740Sstevel@tonic-gate if (key_p->class == CKO_SECRET_KEY) {
750Sstevel@tonic-gate decrypt_init.di_key.ck_format = CRYPTO_KEY_RAW;
760Sstevel@tonic-gate decrypt_init.di_key.ck_data =
770Sstevel@tonic-gate get_symmetric_key_value(key_p);
780Sstevel@tonic-gate if (decrypt_init.di_key.ck_data == NULL) {
790Sstevel@tonic-gate rv = CKR_HOST_MEMORY;
800Sstevel@tonic-gate goto clean_exit;
810Sstevel@tonic-gate }
820Sstevel@tonic-gate /* KEF key lengths are expressed in bits */
830Sstevel@tonic-gate decrypt_init.di_key.ck_length =
844632Smcpowers OBJ_SEC(key_p)->sk_value_len << 3;
850Sstevel@tonic-gate
860Sstevel@tonic-gate } else if (key_p->key_type == CKK_RSA) {
870Sstevel@tonic-gate if (get_rsa_private_key(key_p, &decrypt_init.di_key) !=
880Sstevel@tonic-gate CKR_OK) {
890Sstevel@tonic-gate rv = CKR_HOST_MEMORY;
900Sstevel@tonic-gate goto clean_exit;
910Sstevel@tonic-gate }
920Sstevel@tonic-gate } else {
930Sstevel@tonic-gate rv = CKR_KEY_TYPE_INCONSISTENT;
940Sstevel@tonic-gate goto clean_exit;
950Sstevel@tonic-gate }
960Sstevel@tonic-gate }
970Sstevel@tonic-gate
980Sstevel@tonic-gate decrypt_init.di_session = session_p->k_session;
994632Smcpowers session_p->decrypt.mech = *pMechanism;
100*11030Sopensolaris@drydog.com
101*11030Sopensolaris@drydog.com /* Cache this capability value for efficiency */
102*11030Sopensolaris@drydog.com if (INPLACE_MECHANISM(session_p->decrypt.mech.mechanism)) {
103*11030Sopensolaris@drydog.com session_p->decrypt.flags |= CRYPTO_OPERATION_INPLACE_OK;
104*11030Sopensolaris@drydog.com }
1050Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
106*11030Sopensolaris@drydog.com
1070Sstevel@tonic-gate ses_lock_held = B_FALSE;
1080Sstevel@tonic-gate decrypt_init.di_mech.cm_type = k_mech_type;
1090Sstevel@tonic-gate decrypt_init.di_mech.cm_param = pMechanism->pParameter;
1100Sstevel@tonic-gate decrypt_init.di_mech.cm_param_len = pMechanism->ulParameterLen;
1110Sstevel@tonic-gate
1120Sstevel@tonic-gate while ((r = ioctl(kernel_fd, CRYPTO_DECRYPT_INIT, &decrypt_init)) < 0) {
1130Sstevel@tonic-gate if (errno != EINTR)
1140Sstevel@tonic-gate break;
1150Sstevel@tonic-gate }
1160Sstevel@tonic-gate if (r < 0) {
1170Sstevel@tonic-gate rv = CKR_FUNCTION_FAILED;
1180Sstevel@tonic-gate } else {
1190Sstevel@tonic-gate rv = crypto2pkcs11_error_number(decrypt_init.di_return_value);
1200Sstevel@tonic-gate }
1210Sstevel@tonic-gate
1220Sstevel@tonic-gate /* Free memory allocated for decrypt_init.di_key */
1230Sstevel@tonic-gate if (key_p->is_lib_obj) {
1240Sstevel@tonic-gate if (key_p->class == CKO_SECRET_KEY) {
1250Sstevel@tonic-gate free(decrypt_init.di_key.ck_data);
1260Sstevel@tonic-gate } else if (key_p->key_type == CKK_RSA) {
1270Sstevel@tonic-gate free_key_attributes(&decrypt_init.di_key);
1280Sstevel@tonic-gate }
1290Sstevel@tonic-gate }
1300Sstevel@tonic-gate
1310Sstevel@tonic-gate clean_exit:
1320Sstevel@tonic-gate
1330Sstevel@tonic-gate if (!ses_lock_held) {
1340Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
1350Sstevel@tonic-gate ses_lock_held = B_TRUE;
1360Sstevel@tonic-gate }
1370Sstevel@tonic-gate
1380Sstevel@tonic-gate if (rv != CKR_OK)
1390Sstevel@tonic-gate session_p->decrypt.flags &= ~CRYPTO_OPERATION_ACTIVE;
1400Sstevel@tonic-gate
1410Sstevel@tonic-gate if (ses_lock_held) {
1420Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
1430Sstevel@tonic-gate ses_lock_held = B_FALSE;
1440Sstevel@tonic-gate }
1450Sstevel@tonic-gate
1460Sstevel@tonic-gate return (rv);
1470Sstevel@tonic-gate }
1480Sstevel@tonic-gate
1490Sstevel@tonic-gate CK_RV
C_DecryptInit(CK_SESSION_HANDLE hSession,CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)1500Sstevel@tonic-gate C_DecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
1510Sstevel@tonic-gate CK_OBJECT_HANDLE hKey)
1520Sstevel@tonic-gate {
1530Sstevel@tonic-gate
1540Sstevel@tonic-gate CK_RV rv;
1550Sstevel@tonic-gate kernel_session_t *session_p;
1560Sstevel@tonic-gate kernel_object_t *key_p;
1570Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
1580Sstevel@tonic-gate
1590Sstevel@tonic-gate if (!kernel_initialized)
1600Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED);
1610Sstevel@tonic-gate
1620Sstevel@tonic-gate if (pMechanism == NULL) {
1630Sstevel@tonic-gate return (CKR_ARGUMENTS_BAD);
1640Sstevel@tonic-gate }
1650Sstevel@tonic-gate
1660Sstevel@tonic-gate /* Obtain the session pointer. */
1670Sstevel@tonic-gate rv = handle2session(hSession, &session_p);
1680Sstevel@tonic-gate if (rv != CKR_OK)
1690Sstevel@tonic-gate return (rv);
1700Sstevel@tonic-gate
1710Sstevel@tonic-gate /* Obtain the object pointer. */
1720Sstevel@tonic-gate HANDLE2OBJECT(hKey, key_p, rv);
1730Sstevel@tonic-gate if (rv == CKR_OK) {
1740Sstevel@tonic-gate rv = kernel_decrypt_init(session_p, key_p, pMechanism);
175214Smcpowers OBJ_REFRELE(key_p);
1760Sstevel@tonic-gate }
1770Sstevel@tonic-gate
1780Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
1790Sstevel@tonic-gate return (rv);
1800Sstevel@tonic-gate }
1810Sstevel@tonic-gate
1820Sstevel@tonic-gate
1830Sstevel@tonic-gate
1840Sstevel@tonic-gate /*
1850Sstevel@tonic-gate * Real decrypt work. The caller doesn't hold the session lock.
1860Sstevel@tonic-gate */
1870Sstevel@tonic-gate CK_RV
kernel_decrypt(kernel_session_t * session_p,CK_BYTE_PTR pEncryptedData,CK_ULONG ulEncryptedData,CK_BYTE_PTR pData,CK_ULONG_PTR pulDataLen)1880Sstevel@tonic-gate kernel_decrypt(kernel_session_t *session_p, CK_BYTE_PTR pEncryptedData,
1890Sstevel@tonic-gate CK_ULONG ulEncryptedData, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
1900Sstevel@tonic-gate {
1910Sstevel@tonic-gate crypto_decrypt_t decrypt;
1920Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
1934632Smcpowers boolean_t inplace;
1940Sstevel@tonic-gate CK_RV rv;
1950Sstevel@tonic-gate int r;
1960Sstevel@tonic-gate
1970Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
1980Sstevel@tonic-gate ses_lock_held = B_TRUE;
1990Sstevel@tonic-gate
2000Sstevel@tonic-gate /* Application must call C_DecryptInit before calling C_Decrypt. */
2010Sstevel@tonic-gate if (!(session_p->decrypt.flags & CRYPTO_OPERATION_ACTIVE)) {
2020Sstevel@tonic-gate rv = CKR_OPERATION_NOT_INITIALIZED;
2030Sstevel@tonic-gate goto clean_exit;
2040Sstevel@tonic-gate }
2050Sstevel@tonic-gate
2060Sstevel@tonic-gate /*
2070Sstevel@tonic-gate * C_Decrypt must be called without intervening C_DecryptUpdate
2080Sstevel@tonic-gate * calls.
2090Sstevel@tonic-gate */
2100Sstevel@tonic-gate if (session_p->decrypt.flags & CRYPTO_OPERATION_UPDATE) {
2110Sstevel@tonic-gate /*
2120Sstevel@tonic-gate * C_Decrypt cannot be used to terminate a multiple-part
2130Sstevel@tonic-gate * operation, so we'll leave the active decrypt operation
2140Sstevel@tonic-gate * flag on and let the application continue with the
2150Sstevel@tonic-gate * decrypt update operation.
2160Sstevel@tonic-gate */
2170Sstevel@tonic-gate rv = CKR_FUNCTION_FAILED;
2180Sstevel@tonic-gate goto clean_exit;
2190Sstevel@tonic-gate }
2200Sstevel@tonic-gate
2210Sstevel@tonic-gate decrypt.cd_session = session_p->k_session;
2224632Smcpowers
2234632Smcpowers /*
2244632Smcpowers * Certain mechanisms, where the length of the plaintext is
2254632Smcpowers * same as the transformed ciphertext, can be optimized
2264632Smcpowers * by the kernel into an in-place operation. Unfortunately,
2274632Smcpowers * some applications use a plaintext buffer that is larger
2284632Smcpowers * than it needs to be. We fix that here.
2294632Smcpowers */
230*11030Sopensolaris@drydog.com inplace = (session_p->decrypt.flags & CRYPTO_OPERATION_INPLACE_OK) != 0;
231*11030Sopensolaris@drydog.com
2324632Smcpowers if (ulEncryptedData < *pulDataLen && inplace) {
2334632Smcpowers decrypt.cd_datalen = ulEncryptedData;
2344632Smcpowers } else {
2354632Smcpowers decrypt.cd_datalen = *pulDataLen;
2364632Smcpowers }
2370Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
2380Sstevel@tonic-gate ses_lock_held = B_FALSE;
2390Sstevel@tonic-gate
2400Sstevel@tonic-gate decrypt.cd_databuf = (char *)pData;
2410Sstevel@tonic-gate decrypt.cd_encrlen = ulEncryptedData;
2420Sstevel@tonic-gate decrypt.cd_encrbuf = (char *)pEncryptedData;
243*11030Sopensolaris@drydog.com decrypt.cd_flags =
244*11030Sopensolaris@drydog.com ((inplace && (pData != NULL)) || (pData == pEncryptedData)) &&
245*11030Sopensolaris@drydog.com (decrypt.cd_datalen == decrypt.cd_encrlen) ?
2464632Smcpowers CRYPTO_INPLACE_OPERATION : 0;
2470Sstevel@tonic-gate
2480Sstevel@tonic-gate while ((r = ioctl(kernel_fd, CRYPTO_DECRYPT, &decrypt)) < 0) {
2490Sstevel@tonic-gate if (errno != EINTR)
2500Sstevel@tonic-gate break;
2510Sstevel@tonic-gate }
2520Sstevel@tonic-gate if (r < 0) {
2530Sstevel@tonic-gate rv = CKR_FUNCTION_FAILED;
2540Sstevel@tonic-gate } else {
2550Sstevel@tonic-gate rv = crypto2pkcs11_error_number(decrypt.cd_return_value);
2560Sstevel@tonic-gate }
2570Sstevel@tonic-gate
2580Sstevel@tonic-gate if (rv == CKR_OK || rv == CKR_BUFFER_TOO_SMALL)
2590Sstevel@tonic-gate *pulDataLen = decrypt.cd_datalen;
2600Sstevel@tonic-gate
2610Sstevel@tonic-gate clean_exit:
2620Sstevel@tonic-gate
2630Sstevel@tonic-gate if (ses_lock_held)
2640Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
2650Sstevel@tonic-gate
2660Sstevel@tonic-gate return (rv);
2670Sstevel@tonic-gate }
2680Sstevel@tonic-gate
2690Sstevel@tonic-gate CK_RV
C_Decrypt(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pEncryptedData,CK_ULONG ulEncryptedData,CK_BYTE_PTR pData,CK_ULONG_PTR pulDataLen)2700Sstevel@tonic-gate C_Decrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedData,
2710Sstevel@tonic-gate CK_ULONG ulEncryptedData, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
2720Sstevel@tonic-gate {
2730Sstevel@tonic-gate CK_RV rv;
2740Sstevel@tonic-gate kernel_session_t *session_p;
2750Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
2760Sstevel@tonic-gate
2770Sstevel@tonic-gate if (!kernel_initialized)
2780Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED);
2790Sstevel@tonic-gate
2800Sstevel@tonic-gate /* Obtain the session pointer. */
2810Sstevel@tonic-gate rv = handle2session(hSession, &session_p);
2820Sstevel@tonic-gate if (rv != CKR_OK)
2830Sstevel@tonic-gate return (rv);
2840Sstevel@tonic-gate
2850Sstevel@tonic-gate /*
2860Sstevel@tonic-gate * No need to check pData because application might
2870Sstevel@tonic-gate * just want to know the length of decrypted data.
2880Sstevel@tonic-gate */
2890Sstevel@tonic-gate if (pulDataLen == NULL) {
2900Sstevel@tonic-gate rv = CKR_ARGUMENTS_BAD;
2910Sstevel@tonic-gate goto clean_exit;
2920Sstevel@tonic-gate }
2930Sstevel@tonic-gate
2940Sstevel@tonic-gate rv = kernel_decrypt(session_p, pEncryptedData, ulEncryptedData, pData,
2950Sstevel@tonic-gate pulDataLen);
2960Sstevel@tonic-gate
2970Sstevel@tonic-gate if ((rv == CKR_BUFFER_TOO_SMALL) ||
2980Sstevel@tonic-gate (rv == CKR_OK && pData == NULL)) {
2990Sstevel@tonic-gate /*
3000Sstevel@tonic-gate * We will not terminate the active decrypt operation flag,
3010Sstevel@tonic-gate * when the application-supplied buffer is too small, or
3020Sstevel@tonic-gate * the application asks for the length of buffer to hold
3030Sstevel@tonic-gate * the plaintext.
3040Sstevel@tonic-gate */
3050Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
3060Sstevel@tonic-gate return (rv);
3070Sstevel@tonic-gate }
3080Sstevel@tonic-gate
3090Sstevel@tonic-gate clean_exit:
3100Sstevel@tonic-gate /*
3110Sstevel@tonic-gate * Terminates the active decrypt operation.
3120Sstevel@tonic-gate * Application needs to call C_DecryptInit again for next
3130Sstevel@tonic-gate * decrypt operation.
3140Sstevel@tonic-gate */
3150Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
3160Sstevel@tonic-gate session_p->decrypt.flags = 0;
3170Sstevel@tonic-gate ses_lock_held = B_TRUE;
3180Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
3190Sstevel@tonic-gate
3200Sstevel@tonic-gate return (rv);
3210Sstevel@tonic-gate }
3220Sstevel@tonic-gate
3230Sstevel@tonic-gate
3240Sstevel@tonic-gate CK_RV
C_DecryptUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pEncryptedPart,CK_ULONG ulEncryptedPartLen,CK_BYTE_PTR pPart,CK_ULONG_PTR pulPartLen)3250Sstevel@tonic-gate C_DecryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pEncryptedPart,
3260Sstevel@tonic-gate CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart,
3270Sstevel@tonic-gate CK_ULONG_PTR pulPartLen)
3280Sstevel@tonic-gate {
3290Sstevel@tonic-gate
3300Sstevel@tonic-gate CK_RV rv;
3310Sstevel@tonic-gate kernel_session_t *session_p;
3320Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
333*11030Sopensolaris@drydog.com boolean_t inplace;
3340Sstevel@tonic-gate crypto_decrypt_update_t decrypt_update;
3350Sstevel@tonic-gate int r;
3360Sstevel@tonic-gate
3370Sstevel@tonic-gate if (!kernel_initialized)
3380Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED);
3390Sstevel@tonic-gate
3400Sstevel@tonic-gate /* Obtain the session pointer. */
3410Sstevel@tonic-gate rv = handle2session(hSession, &session_p);
3420Sstevel@tonic-gate if (rv != CKR_OK)
3430Sstevel@tonic-gate return (rv);
3440Sstevel@tonic-gate
3450Sstevel@tonic-gate if (pEncryptedPart == NULL) {
3460Sstevel@tonic-gate rv = CKR_ARGUMENTS_BAD;
3470Sstevel@tonic-gate goto clean_exit;
3480Sstevel@tonic-gate }
3490Sstevel@tonic-gate
3500Sstevel@tonic-gate /*
3510Sstevel@tonic-gate * Only check if pulPartLen is NULL.
3520Sstevel@tonic-gate * No need to check if pPart is NULL because application
3530Sstevel@tonic-gate * might just ask for the length of buffer to hold the
3540Sstevel@tonic-gate * recovered data.
3550Sstevel@tonic-gate */
3560Sstevel@tonic-gate if (pulPartLen == NULL) {
3570Sstevel@tonic-gate rv = CKR_ARGUMENTS_BAD;
3580Sstevel@tonic-gate goto clean_exit;
3590Sstevel@tonic-gate }
3600Sstevel@tonic-gate
3610Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
3620Sstevel@tonic-gate ses_lock_held = B_TRUE;
3630Sstevel@tonic-gate
3640Sstevel@tonic-gate /*
3650Sstevel@tonic-gate * Application must call C_DecryptInit before calling
3660Sstevel@tonic-gate * C_DecryptUpdate.
3670Sstevel@tonic-gate */
3680Sstevel@tonic-gate if (!(session_p->decrypt.flags & CRYPTO_OPERATION_ACTIVE)) {
3690Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
3700Sstevel@tonic-gate return (CKR_OPERATION_NOT_INITIALIZED);
3710Sstevel@tonic-gate }
3720Sstevel@tonic-gate
3730Sstevel@tonic-gate session_p->decrypt.flags |= CRYPTO_OPERATION_UPDATE;
3740Sstevel@tonic-gate
3750Sstevel@tonic-gate decrypt_update.du_session = session_p->k_session;
3760Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
3770Sstevel@tonic-gate ses_lock_held = B_FALSE;
3780Sstevel@tonic-gate
3790Sstevel@tonic-gate decrypt_update.du_datalen = *pulPartLen;
3800Sstevel@tonic-gate decrypt_update.du_databuf = (char *)pPart;
3810Sstevel@tonic-gate decrypt_update.du_encrlen = ulEncryptedPartLen;
3820Sstevel@tonic-gate decrypt_update.du_encrbuf = (char *)pEncryptedPart;
3830Sstevel@tonic-gate
384*11030Sopensolaris@drydog.com inplace = (session_p->decrypt.flags & CRYPTO_OPERATION_INPLACE_OK) != 0;
385*11030Sopensolaris@drydog.com decrypt_update.du_flags =
386*11030Sopensolaris@drydog.com ((inplace && (pPart != NULL)) || (pPart == pEncryptedPart)) &&
387*11030Sopensolaris@drydog.com (decrypt_update.du_datalen == decrypt_update.du_encrlen) ?
388*11030Sopensolaris@drydog.com CRYPTO_INPLACE_OPERATION : 0;
389*11030Sopensolaris@drydog.com
3900Sstevel@tonic-gate while ((r = ioctl(kernel_fd, CRYPTO_DECRYPT_UPDATE,
3910Sstevel@tonic-gate &decrypt_update)) < 0) {
3920Sstevel@tonic-gate if (errno != EINTR)
3930Sstevel@tonic-gate break;
3940Sstevel@tonic-gate }
3950Sstevel@tonic-gate if (r < 0) {
3960Sstevel@tonic-gate rv = CKR_FUNCTION_FAILED;
3970Sstevel@tonic-gate } else {
3980Sstevel@tonic-gate rv = crypto2pkcs11_error_number(
3990Sstevel@tonic-gate decrypt_update.du_return_value);
4000Sstevel@tonic-gate }
4010Sstevel@tonic-gate
4020Sstevel@tonic-gate /*
4030Sstevel@tonic-gate * If CKR_OK or CKR_BUFFER_TOO_SMALL, set the output length.
4040Sstevel@tonic-gate * We don't terminate the current decryption operation.
4050Sstevel@tonic-gate */
4060Sstevel@tonic-gate if (rv == CKR_OK || rv == CKR_BUFFER_TOO_SMALL) {
4070Sstevel@tonic-gate *pulPartLen = decrypt_update.du_datalen;
4080Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
4090Sstevel@tonic-gate return (rv);
4100Sstevel@tonic-gate }
4110Sstevel@tonic-gate
4120Sstevel@tonic-gate clean_exit:
4130Sstevel@tonic-gate /*
4140Sstevel@tonic-gate * After an error occurred, terminate the current decrypt
4150Sstevel@tonic-gate * operation by resetting the active and update flags.
4160Sstevel@tonic-gate */
4170Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
4180Sstevel@tonic-gate session_p->decrypt.flags = 0;
4190Sstevel@tonic-gate ses_lock_held = B_TRUE;
4200Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
4210Sstevel@tonic-gate
4220Sstevel@tonic-gate return (rv);
4230Sstevel@tonic-gate }
4240Sstevel@tonic-gate
4250Sstevel@tonic-gate
4260Sstevel@tonic-gate CK_RV
C_DecryptFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pLastPart,CK_ULONG_PTR pulLastPartLen)4270Sstevel@tonic-gate C_DecryptFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart,
4280Sstevel@tonic-gate CK_ULONG_PTR pulLastPartLen)
4290Sstevel@tonic-gate {
4300Sstevel@tonic-gate
4310Sstevel@tonic-gate CK_RV rv;
4320Sstevel@tonic-gate kernel_session_t *session_p;
4330Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
4340Sstevel@tonic-gate crypto_decrypt_final_t decrypt_final;
4350Sstevel@tonic-gate int r;
4360Sstevel@tonic-gate
4370Sstevel@tonic-gate if (!kernel_initialized)
4380Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED);
4390Sstevel@tonic-gate
4400Sstevel@tonic-gate /* Obtain the session pointer. */
4410Sstevel@tonic-gate rv = handle2session(hSession, &session_p);
4420Sstevel@tonic-gate if (rv != CKR_OK)
4430Sstevel@tonic-gate return (rv);
4440Sstevel@tonic-gate
4450Sstevel@tonic-gate if (pulLastPartLen == NULL) {
4460Sstevel@tonic-gate rv = CKR_ARGUMENTS_BAD;
4470Sstevel@tonic-gate goto clean_exit;
4480Sstevel@tonic-gate }
4490Sstevel@tonic-gate
4500Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
4510Sstevel@tonic-gate ses_lock_held = B_TRUE;
4520Sstevel@tonic-gate
4530Sstevel@tonic-gate /*
4540Sstevel@tonic-gate * Application must call C_DecryptInit before calling
4550Sstevel@tonic-gate * C_DecryptFinal.
4560Sstevel@tonic-gate */
4570Sstevel@tonic-gate if (!(session_p->decrypt.flags & CRYPTO_OPERATION_ACTIVE)) {
4580Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
4590Sstevel@tonic-gate return (CKR_OPERATION_NOT_INITIALIZED);
4600Sstevel@tonic-gate }
4610Sstevel@tonic-gate
4620Sstevel@tonic-gate decrypt_final.df_session = session_p->k_session;
4630Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
4640Sstevel@tonic-gate ses_lock_held = B_FALSE;
4650Sstevel@tonic-gate
4660Sstevel@tonic-gate decrypt_final.df_datalen = *pulLastPartLen;
4670Sstevel@tonic-gate decrypt_final.df_databuf = (char *)pLastPart;
4680Sstevel@tonic-gate
4690Sstevel@tonic-gate while ((r = ioctl(kernel_fd, CRYPTO_DECRYPT_FINAL,
4700Sstevel@tonic-gate &decrypt_final)) < 0) {
4710Sstevel@tonic-gate if (errno != EINTR)
4720Sstevel@tonic-gate break;
4730Sstevel@tonic-gate }
4740Sstevel@tonic-gate if (r < 0) {
4750Sstevel@tonic-gate rv = CKR_FUNCTION_FAILED;
4760Sstevel@tonic-gate } else {
4770Sstevel@tonic-gate rv = crypto2pkcs11_error_number(decrypt_final.df_return_value);
4780Sstevel@tonic-gate }
4790Sstevel@tonic-gate
4800Sstevel@tonic-gate if (rv == CKR_OK || rv == CKR_BUFFER_TOO_SMALL)
4810Sstevel@tonic-gate *pulLastPartLen = decrypt_final.df_datalen;
4820Sstevel@tonic-gate
4830Sstevel@tonic-gate if (rv == CKR_BUFFER_TOO_SMALL ||
4840Sstevel@tonic-gate (rv == CKR_OK && pLastPart == NULL)) {
4850Sstevel@tonic-gate /*
4860Sstevel@tonic-gate * We will not terminate the active decrypt operation flag,
4870Sstevel@tonic-gate * when the application-supplied buffer is too small, or
4880Sstevel@tonic-gate * the application asks for the length of buffer to hold
4890Sstevel@tonic-gate * the plaintext.
4900Sstevel@tonic-gate */
4910Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
4920Sstevel@tonic-gate return (rv);
4930Sstevel@tonic-gate }
4940Sstevel@tonic-gate
4950Sstevel@tonic-gate clean_exit:
4960Sstevel@tonic-gate /* Terminates the active decrypt operation */
4970Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
4980Sstevel@tonic-gate session_p->decrypt.flags = 0;
4990Sstevel@tonic-gate ses_lock_held = B_TRUE;
5000Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
5010Sstevel@tonic-gate
5020Sstevel@tonic-gate return (rv);
5030Sstevel@tonic-gate }
504