10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
54632Smcpowers * Common Development and Distribution License (the "License").
64632Smcpowers * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
22*11030Sopensolaris@drydog.com * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
230Sstevel@tonic-gate * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate #include <pthread.h>
270Sstevel@tonic-gate #include <stdlib.h>
280Sstevel@tonic-gate #include <errno.h>
290Sstevel@tonic-gate #include <sys/crypto/ioctl.h>
300Sstevel@tonic-gate #include <security/cryptoki.h>
310Sstevel@tonic-gate #include "kernelGlobal.h"
320Sstevel@tonic-gate #include "kernelSession.h"
330Sstevel@tonic-gate #include "kernelObject.h"
340Sstevel@tonic-gate
350Sstevel@tonic-gate
360Sstevel@tonic-gate CK_RV
C_EncryptInit(CK_SESSION_HANDLE hSession,CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)370Sstevel@tonic-gate C_EncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
380Sstevel@tonic-gate CK_OBJECT_HANDLE hKey)
390Sstevel@tonic-gate {
400Sstevel@tonic-gate
410Sstevel@tonic-gate CK_RV rv;
420Sstevel@tonic-gate kernel_session_t *session_p;
430Sstevel@tonic-gate kernel_object_t *key_p;
440Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
450Sstevel@tonic-gate crypto_encrypt_init_t encrypt_init;
460Sstevel@tonic-gate crypto_mech_type_t k_mech_type;
470Sstevel@tonic-gate int r;
480Sstevel@tonic-gate
490Sstevel@tonic-gate if (!kernel_initialized)
500Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED);
510Sstevel@tonic-gate
520Sstevel@tonic-gate if (pMechanism == NULL) {
530Sstevel@tonic-gate return (CKR_ARGUMENTS_BAD);
540Sstevel@tonic-gate }
550Sstevel@tonic-gate
560Sstevel@tonic-gate /* Get the kernel's internal mechanism number. */
570Sstevel@tonic-gate rv = kernel_mech(pMechanism->mechanism, &k_mech_type);
580Sstevel@tonic-gate if (rv != CKR_OK)
590Sstevel@tonic-gate return (rv);
600Sstevel@tonic-gate
610Sstevel@tonic-gate /* Obtain the session pointer. */
620Sstevel@tonic-gate rv = handle2session(hSession, &session_p);
630Sstevel@tonic-gate if (rv != CKR_OK)
640Sstevel@tonic-gate return (rv);
650Sstevel@tonic-gate
660Sstevel@tonic-gate /* Obtain the object pointer. */
670Sstevel@tonic-gate HANDLE2OBJECT(hKey, key_p, rv);
68214Smcpowers if (rv != CKR_OK) {
69214Smcpowers REFRELE(session_p, ses_lock_held);
70214Smcpowers return (rv);
71214Smcpowers }
720Sstevel@tonic-gate
730Sstevel@tonic-gate /* Check to see if key object allows for encryption. */
740Sstevel@tonic-gate if (key_p->is_lib_obj && !(key_p->bool_attr_mask & ENCRYPT_BOOL_ON)) {
750Sstevel@tonic-gate rv = CKR_KEY_TYPE_INCONSISTENT;
760Sstevel@tonic-gate goto clean_exit;
770Sstevel@tonic-gate }
780Sstevel@tonic-gate
790Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
800Sstevel@tonic-gate ses_lock_held = B_TRUE;
810Sstevel@tonic-gate
820Sstevel@tonic-gate /*
830Sstevel@tonic-gate * This active flag will remain ON until application calls either
840Sstevel@tonic-gate * C_Encrypt or C_EncryptFinal to actually obtain the final piece
850Sstevel@tonic-gate * of ciphertext.
860Sstevel@tonic-gate */
870Sstevel@tonic-gate session_p->encrypt.flags = CRYPTO_OPERATION_ACTIVE;
880Sstevel@tonic-gate
890Sstevel@tonic-gate /* set up key data */
900Sstevel@tonic-gate if (!key_p->is_lib_obj) {
910Sstevel@tonic-gate encrypt_init.ei_key.ck_format = CRYPTO_KEY_REFERENCE;
920Sstevel@tonic-gate encrypt_init.ei_key.ck_obj_id = key_p->k_handle;
930Sstevel@tonic-gate } else {
940Sstevel@tonic-gate if (key_p->class == CKO_SECRET_KEY) {
950Sstevel@tonic-gate encrypt_init.ei_key.ck_format = CRYPTO_KEY_RAW;
960Sstevel@tonic-gate encrypt_init.ei_key.ck_data =
970Sstevel@tonic-gate get_symmetric_key_value(key_p);
980Sstevel@tonic-gate if (encrypt_init.ei_key.ck_data == NULL) {
990Sstevel@tonic-gate rv = CKR_HOST_MEMORY;
1000Sstevel@tonic-gate goto clean_exit;
1010Sstevel@tonic-gate }
1020Sstevel@tonic-gate encrypt_init.ei_key.ck_length =
1034632Smcpowers OBJ_SEC(key_p)->sk_value_len << 3;
1040Sstevel@tonic-gate
1050Sstevel@tonic-gate } else if (key_p->key_type == CKK_RSA) {
1060Sstevel@tonic-gate if (get_rsa_public_key(key_p, &encrypt_init.ei_key) !=
1070Sstevel@tonic-gate CKR_OK) {
1080Sstevel@tonic-gate rv = CKR_HOST_MEMORY;
1090Sstevel@tonic-gate goto clean_exit;
1100Sstevel@tonic-gate }
1110Sstevel@tonic-gate } else {
1120Sstevel@tonic-gate rv = CKR_KEY_TYPE_INCONSISTENT;
1130Sstevel@tonic-gate goto clean_exit;
1140Sstevel@tonic-gate }
1150Sstevel@tonic-gate }
1160Sstevel@tonic-gate
1170Sstevel@tonic-gate encrypt_init.ei_session = session_p->k_session;
1184632Smcpowers session_p->encrypt.mech = *pMechanism;
119*11030Sopensolaris@drydog.com
120*11030Sopensolaris@drydog.com /* Cache this capability value for efficiency */
121*11030Sopensolaris@drydog.com if (INPLACE_MECHANISM(session_p->encrypt.mech.mechanism)) {
122*11030Sopensolaris@drydog.com session_p->encrypt.flags |= CRYPTO_OPERATION_INPLACE_OK;
123*11030Sopensolaris@drydog.com }
1240Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
125*11030Sopensolaris@drydog.com
1260Sstevel@tonic-gate ses_lock_held = B_FALSE;
1270Sstevel@tonic-gate encrypt_init.ei_mech.cm_type = k_mech_type;
1280Sstevel@tonic-gate encrypt_init.ei_mech.cm_param = pMechanism->pParameter;
1290Sstevel@tonic-gate encrypt_init.ei_mech.cm_param_len = pMechanism->ulParameterLen;
1300Sstevel@tonic-gate
1310Sstevel@tonic-gate while ((r = ioctl(kernel_fd, CRYPTO_ENCRYPT_INIT, &encrypt_init)) < 0) {
1320Sstevel@tonic-gate if (errno != EINTR)
1330Sstevel@tonic-gate break;
1340Sstevel@tonic-gate }
1350Sstevel@tonic-gate if (r < 0) {
1360Sstevel@tonic-gate rv = CKR_FUNCTION_FAILED;
1370Sstevel@tonic-gate } else {
1380Sstevel@tonic-gate if (encrypt_init.ei_return_value != CRYPTO_SUCCESS) {
1390Sstevel@tonic-gate rv = crypto2pkcs11_error_number(
1400Sstevel@tonic-gate encrypt_init.ei_return_value);
1410Sstevel@tonic-gate }
1420Sstevel@tonic-gate }
1430Sstevel@tonic-gate
1440Sstevel@tonic-gate /* Free memory allocated for decrypt_init.di_key */
1450Sstevel@tonic-gate if (key_p->is_lib_obj) {
1460Sstevel@tonic-gate if (key_p->class == CKO_SECRET_KEY) {
1470Sstevel@tonic-gate free(encrypt_init.ei_key.ck_data);
1480Sstevel@tonic-gate } else if (key_p->key_type == CKK_RSA) {
1490Sstevel@tonic-gate free_key_attributes(&encrypt_init.ei_key);
1500Sstevel@tonic-gate }
1510Sstevel@tonic-gate }
1520Sstevel@tonic-gate
1530Sstevel@tonic-gate if (rv != CKR_OK) {
1540Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
1550Sstevel@tonic-gate session_p->encrypt.flags &= ~CRYPTO_OPERATION_ACTIVE;
1560Sstevel@tonic-gate ses_lock_held = B_TRUE;
1570Sstevel@tonic-gate }
1580Sstevel@tonic-gate
1590Sstevel@tonic-gate clean_exit:
160214Smcpowers OBJ_REFRELE(key_p);
1610Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
1620Sstevel@tonic-gate return (rv);
1630Sstevel@tonic-gate }
1640Sstevel@tonic-gate
1650Sstevel@tonic-gate
1660Sstevel@tonic-gate CK_RV
C_Encrypt(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pEncryptedData,CK_ULONG_PTR pulEncryptedDataLen)1670Sstevel@tonic-gate C_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
1680Sstevel@tonic-gate CK_BYTE_PTR pEncryptedData, CK_ULONG_PTR pulEncryptedDataLen)
1690Sstevel@tonic-gate {
1700Sstevel@tonic-gate
1710Sstevel@tonic-gate CK_RV rv;
1720Sstevel@tonic-gate kernel_session_t *session_p;
1730Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
1744632Smcpowers boolean_t inplace;
1750Sstevel@tonic-gate crypto_encrypt_t encrypt;
1760Sstevel@tonic-gate int r;
1770Sstevel@tonic-gate
1780Sstevel@tonic-gate if (!kernel_initialized)
1790Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED);
1800Sstevel@tonic-gate
1810Sstevel@tonic-gate /* Obtain the session pointer. */
1820Sstevel@tonic-gate rv = handle2session(hSession, &session_p);
1830Sstevel@tonic-gate if (rv != CKR_OK)
1840Sstevel@tonic-gate return (rv);
1850Sstevel@tonic-gate
1860Sstevel@tonic-gate if (pData == NULL) {
1870Sstevel@tonic-gate rv = CKR_ARGUMENTS_BAD;
1880Sstevel@tonic-gate goto clean_exit;
1890Sstevel@tonic-gate }
1900Sstevel@tonic-gate
1910Sstevel@tonic-gate /*
1920Sstevel@tonic-gate * Only check if pulEncryptedDataLen is NULL.
1930Sstevel@tonic-gate * No need to check if pEncryptedData is NULL because
1940Sstevel@tonic-gate * application might just ask for the length of buffer to hold
1950Sstevel@tonic-gate * the ciphertext.
1960Sstevel@tonic-gate */
1970Sstevel@tonic-gate if (pulEncryptedDataLen == NULL) {
1980Sstevel@tonic-gate rv = CKR_ARGUMENTS_BAD;
1990Sstevel@tonic-gate goto clean_exit;
2000Sstevel@tonic-gate }
2010Sstevel@tonic-gate
2020Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
2030Sstevel@tonic-gate ses_lock_held = B_TRUE;
2040Sstevel@tonic-gate
2050Sstevel@tonic-gate /* Application must call C_EncryptInit before calling C_Encrypt. */
2060Sstevel@tonic-gate if (!(session_p->encrypt.flags & CRYPTO_OPERATION_ACTIVE)) {
2070Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
2080Sstevel@tonic-gate return (CKR_OPERATION_NOT_INITIALIZED);
2090Sstevel@tonic-gate }
2100Sstevel@tonic-gate
2110Sstevel@tonic-gate /*
2120Sstevel@tonic-gate * C_Encrypt must be called without intervening C_EncryptUpdate
2130Sstevel@tonic-gate * calls.
2140Sstevel@tonic-gate */
2150Sstevel@tonic-gate if (session_p->encrypt.flags & CRYPTO_OPERATION_UPDATE) {
2160Sstevel@tonic-gate /*
2170Sstevel@tonic-gate * C_Encrypt can not be used to terminate a multi-part
2180Sstevel@tonic-gate * operation, so we'll leave the active encrypt operation
2190Sstevel@tonic-gate * flag on and let the application continue with the
2200Sstevel@tonic-gate * encrypt update operation.
2210Sstevel@tonic-gate */
2220Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
2230Sstevel@tonic-gate return (CKR_FUNCTION_FAILED);
2240Sstevel@tonic-gate }
2250Sstevel@tonic-gate
2260Sstevel@tonic-gate encrypt.ce_session = session_p->k_session;
2274632Smcpowers
2284632Smcpowers /*
2294632Smcpowers * Certain mechanisms, where the length of the ciphertext is
2304632Smcpowers * same as the transformed plaintext, can be optimized
2314632Smcpowers * by the kernel into an in-place operation. Unfortunately,
2324632Smcpowers * some applications use a ciphertext buffer that is larger
2334632Smcpowers * than it needs to be. We fix that here.
2344632Smcpowers */
235*11030Sopensolaris@drydog.com inplace = (session_p->encrypt.flags & CRYPTO_OPERATION_INPLACE_OK) != 0;
2364632Smcpowers if (ulDataLen < *pulEncryptedDataLen && inplace) {
2374632Smcpowers encrypt.ce_encrlen = ulDataLen;
2384632Smcpowers } else {
2394632Smcpowers encrypt.ce_encrlen = *pulEncryptedDataLen;
2404632Smcpowers }
2410Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
2420Sstevel@tonic-gate ses_lock_held = B_FALSE;
2430Sstevel@tonic-gate
2440Sstevel@tonic-gate encrypt.ce_datalen = ulDataLen;
2450Sstevel@tonic-gate encrypt.ce_databuf = (char *)pData;
2460Sstevel@tonic-gate encrypt.ce_encrbuf = (char *)pEncryptedData;
247*11030Sopensolaris@drydog.com encrypt.ce_flags =
248*11030Sopensolaris@drydog.com ((inplace && (pEncryptedData != NULL)) ||
249*11030Sopensolaris@drydog.com (pData == pEncryptedData)) &&
250*11030Sopensolaris@drydog.com (encrypt.ce_encrlen == encrypt.ce_datalen) ?
2514632Smcpowers CRYPTO_INPLACE_OPERATION : 0;
2520Sstevel@tonic-gate
2530Sstevel@tonic-gate while ((r = ioctl(kernel_fd, CRYPTO_ENCRYPT, &encrypt)) < 0) {
2540Sstevel@tonic-gate if (errno != EINTR)
2550Sstevel@tonic-gate break;
2560Sstevel@tonic-gate }
2570Sstevel@tonic-gate if (r < 0) {
2580Sstevel@tonic-gate rv = CKR_FUNCTION_FAILED;
2590Sstevel@tonic-gate } else {
2600Sstevel@tonic-gate rv = crypto2pkcs11_error_number(encrypt.ce_return_value);
2610Sstevel@tonic-gate }
2620Sstevel@tonic-gate
2630Sstevel@tonic-gate if (rv == CKR_OK || rv == CKR_BUFFER_TOO_SMALL)
2640Sstevel@tonic-gate *pulEncryptedDataLen = encrypt.ce_encrlen;
2650Sstevel@tonic-gate
2660Sstevel@tonic-gate if ((rv == CKR_BUFFER_TOO_SMALL) ||
2670Sstevel@tonic-gate (rv == CKR_OK && pEncryptedData == NULL)) {
2680Sstevel@tonic-gate /*
2690Sstevel@tonic-gate * We will not terminate the active encrypt operation flag,
2700Sstevel@tonic-gate * when the application-supplied buffer is too small, or
2710Sstevel@tonic-gate * the application asks for the length of buffer to hold
2720Sstevel@tonic-gate * the ciphertext.
2730Sstevel@tonic-gate */
2740Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
2750Sstevel@tonic-gate return (rv);
2760Sstevel@tonic-gate }
2770Sstevel@tonic-gate
2780Sstevel@tonic-gate clean_exit:
2790Sstevel@tonic-gate /*
2800Sstevel@tonic-gate * Terminates the active encrypt operation.
2810Sstevel@tonic-gate * Application needs to call C_EncryptInit again for next
2820Sstevel@tonic-gate * encrypt operation.
2830Sstevel@tonic-gate */
2840Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
2850Sstevel@tonic-gate session_p->encrypt.flags = 0;
2860Sstevel@tonic-gate ses_lock_held = B_TRUE;
2870Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
2880Sstevel@tonic-gate
2890Sstevel@tonic-gate return (rv);
2900Sstevel@tonic-gate }
2910Sstevel@tonic-gate
2920Sstevel@tonic-gate
2930Sstevel@tonic-gate CK_RV
C_EncryptUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,CK_ULONG ulPartLen,CK_BYTE_PTR pEncryptedPart,CK_ULONG_PTR pulEncryptedPartLen)2940Sstevel@tonic-gate C_EncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
2950Sstevel@tonic-gate CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
2960Sstevel@tonic-gate CK_ULONG_PTR pulEncryptedPartLen)
2970Sstevel@tonic-gate {
2980Sstevel@tonic-gate
2990Sstevel@tonic-gate CK_RV rv;
3000Sstevel@tonic-gate kernel_session_t *session_p;
3010Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
302*11030Sopensolaris@drydog.com boolean_t inplace;
3030Sstevel@tonic-gate crypto_encrypt_update_t encrypt_update;
3040Sstevel@tonic-gate int r;
3050Sstevel@tonic-gate
3060Sstevel@tonic-gate if (!kernel_initialized)
3070Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED);
3080Sstevel@tonic-gate
3090Sstevel@tonic-gate /* Obtain the session pointer. */
3100Sstevel@tonic-gate rv = handle2session(hSession, &session_p);
3110Sstevel@tonic-gate if (rv != CKR_OK)
3120Sstevel@tonic-gate return (rv);
3130Sstevel@tonic-gate
3140Sstevel@tonic-gate if (pPart == NULL) {
3150Sstevel@tonic-gate rv = CKR_ARGUMENTS_BAD;
3160Sstevel@tonic-gate goto clean_exit;
3170Sstevel@tonic-gate }
3180Sstevel@tonic-gate
3190Sstevel@tonic-gate /*
3200Sstevel@tonic-gate * Only check if pulEncryptedPartLen is NULL.
3210Sstevel@tonic-gate * No need to check if pEncryptedPart is NULL because
3220Sstevel@tonic-gate * application might just ask for the length of buffer to hold
3230Sstevel@tonic-gate * the ciphertext.
3240Sstevel@tonic-gate */
3250Sstevel@tonic-gate if (pulEncryptedPartLen == NULL) {
3260Sstevel@tonic-gate rv = CKR_ARGUMENTS_BAD;
3270Sstevel@tonic-gate goto clean_exit;
3280Sstevel@tonic-gate }
3290Sstevel@tonic-gate
3300Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
3310Sstevel@tonic-gate ses_lock_held = B_TRUE;
3320Sstevel@tonic-gate
3330Sstevel@tonic-gate /*
3340Sstevel@tonic-gate * Application must call C_EncryptInit before calling
3350Sstevel@tonic-gate * C_EncryptUpdate.
3360Sstevel@tonic-gate */
3370Sstevel@tonic-gate if (!(session_p->encrypt.flags & CRYPTO_OPERATION_ACTIVE)) {
3380Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
3390Sstevel@tonic-gate return (CKR_OPERATION_NOT_INITIALIZED);
3400Sstevel@tonic-gate }
3410Sstevel@tonic-gate
3420Sstevel@tonic-gate session_p->encrypt.flags |= CRYPTO_OPERATION_UPDATE;
3430Sstevel@tonic-gate
3440Sstevel@tonic-gate encrypt_update.eu_session = session_p->k_session;
3450Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
3460Sstevel@tonic-gate ses_lock_held = B_FALSE;
3470Sstevel@tonic-gate
3480Sstevel@tonic-gate encrypt_update.eu_datalen = ulPartLen;
3490Sstevel@tonic-gate encrypt_update.eu_databuf = (char *)pPart;
3500Sstevel@tonic-gate encrypt_update.eu_encrlen = *pulEncryptedPartLen;
3510Sstevel@tonic-gate encrypt_update.eu_encrbuf = (char *)pEncryptedPart;
3520Sstevel@tonic-gate
353*11030Sopensolaris@drydog.com inplace = (session_p->encrypt.flags & CRYPTO_OPERATION_INPLACE_OK) != 0;
354*11030Sopensolaris@drydog.com encrypt_update.eu_flags =
355*11030Sopensolaris@drydog.com ((inplace && (pEncryptedPart != NULL)) ||
356*11030Sopensolaris@drydog.com (pPart == pEncryptedPart)) &&
357*11030Sopensolaris@drydog.com (encrypt_update.eu_encrlen == encrypt_update.eu_datalen) ?
358*11030Sopensolaris@drydog.com CRYPTO_INPLACE_OPERATION : 0;
359*11030Sopensolaris@drydog.com
3600Sstevel@tonic-gate while ((r = ioctl(kernel_fd, CRYPTO_ENCRYPT_UPDATE,
3610Sstevel@tonic-gate &encrypt_update)) < 0) {
3620Sstevel@tonic-gate if (errno != EINTR)
3630Sstevel@tonic-gate break;
3640Sstevel@tonic-gate }
3650Sstevel@tonic-gate if (r < 0) {
3660Sstevel@tonic-gate rv = CKR_FUNCTION_FAILED;
3670Sstevel@tonic-gate } else {
3680Sstevel@tonic-gate rv = crypto2pkcs11_error_number(
3690Sstevel@tonic-gate encrypt_update.eu_return_value);
3700Sstevel@tonic-gate }
3710Sstevel@tonic-gate
3720Sstevel@tonic-gate /*
3730Sstevel@tonic-gate * If CKR_OK or CKR_BUFFER_TOO_SMALL, set the output length.
3740Sstevel@tonic-gate * We don't terminate the current encryption operation.
3750Sstevel@tonic-gate */
3760Sstevel@tonic-gate if (rv == CKR_OK || rv == CKR_BUFFER_TOO_SMALL) {
3770Sstevel@tonic-gate *pulEncryptedPartLen = encrypt_update.eu_encrlen;
3780Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
3790Sstevel@tonic-gate return (rv);
3800Sstevel@tonic-gate }
3810Sstevel@tonic-gate
3820Sstevel@tonic-gate clean_exit:
3830Sstevel@tonic-gate /*
3840Sstevel@tonic-gate * After an error occurred, terminate the current encrypt
3850Sstevel@tonic-gate * operation by resetting the active and update flags.
3860Sstevel@tonic-gate */
3870Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
3880Sstevel@tonic-gate session_p->encrypt.flags = 0;
3890Sstevel@tonic-gate ses_lock_held = B_TRUE;
3900Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
3910Sstevel@tonic-gate
3920Sstevel@tonic-gate return (rv);
3930Sstevel@tonic-gate }
3940Sstevel@tonic-gate
3950Sstevel@tonic-gate
3960Sstevel@tonic-gate CK_RV
C_EncryptFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pLastEncryptedPart,CK_ULONG_PTR pulLastEncryptedPartLen)3970Sstevel@tonic-gate C_EncryptFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastEncryptedPart,
3980Sstevel@tonic-gate CK_ULONG_PTR pulLastEncryptedPartLen)
3990Sstevel@tonic-gate {
4000Sstevel@tonic-gate
4010Sstevel@tonic-gate CK_RV rv;
4020Sstevel@tonic-gate kernel_session_t *session_p;
4030Sstevel@tonic-gate boolean_t ses_lock_held = B_FALSE;
4040Sstevel@tonic-gate crypto_encrypt_final_t encrypt_final;
4050Sstevel@tonic-gate int r;
4060Sstevel@tonic-gate
4070Sstevel@tonic-gate if (!kernel_initialized)
4080Sstevel@tonic-gate return (CKR_CRYPTOKI_NOT_INITIALIZED);
4090Sstevel@tonic-gate
4100Sstevel@tonic-gate /* Obtain the session pointer. */
4110Sstevel@tonic-gate rv = handle2session(hSession, &session_p);
4120Sstevel@tonic-gate if (rv != CKR_OK)
4130Sstevel@tonic-gate return (rv);
4140Sstevel@tonic-gate
4150Sstevel@tonic-gate if (pulLastEncryptedPartLen == NULL) {
4160Sstevel@tonic-gate rv = CKR_ARGUMENTS_BAD;
4170Sstevel@tonic-gate goto clean_exit;
4180Sstevel@tonic-gate }
4190Sstevel@tonic-gate
4200Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
4210Sstevel@tonic-gate ses_lock_held = B_TRUE;
4220Sstevel@tonic-gate
4230Sstevel@tonic-gate /*
4240Sstevel@tonic-gate * Application must call C_EncryptInit before calling
4250Sstevel@tonic-gate * C_EncryptFinal.
4260Sstevel@tonic-gate */
4270Sstevel@tonic-gate if (!(session_p->encrypt.flags & CRYPTO_OPERATION_ACTIVE)) {
4280Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
4290Sstevel@tonic-gate return (CKR_OPERATION_NOT_INITIALIZED);
4300Sstevel@tonic-gate }
4310Sstevel@tonic-gate
4320Sstevel@tonic-gate encrypt_final.ef_session = session_p->k_session;
4330Sstevel@tonic-gate (void) pthread_mutex_unlock(&session_p->session_mutex);
4340Sstevel@tonic-gate ses_lock_held = B_FALSE;
4350Sstevel@tonic-gate
4360Sstevel@tonic-gate encrypt_final.ef_encrlen = *pulLastEncryptedPartLen;
4370Sstevel@tonic-gate encrypt_final.ef_encrbuf = (char *)pLastEncryptedPart;
4380Sstevel@tonic-gate
4390Sstevel@tonic-gate while ((r = ioctl(kernel_fd, CRYPTO_ENCRYPT_FINAL,
4400Sstevel@tonic-gate &encrypt_final)) < 0) {
4410Sstevel@tonic-gate if (errno != EINTR)
4420Sstevel@tonic-gate break;
4430Sstevel@tonic-gate }
4440Sstevel@tonic-gate if (r < 0) {
4450Sstevel@tonic-gate rv = CKR_FUNCTION_FAILED;
4460Sstevel@tonic-gate } else {
4470Sstevel@tonic-gate rv = crypto2pkcs11_error_number(encrypt_final.ef_return_value);
4480Sstevel@tonic-gate }
4490Sstevel@tonic-gate
4500Sstevel@tonic-gate if (rv == CKR_OK || rv == CKR_BUFFER_TOO_SMALL)
4510Sstevel@tonic-gate *pulLastEncryptedPartLen = encrypt_final.ef_encrlen;
4520Sstevel@tonic-gate
4530Sstevel@tonic-gate if ((rv == CKR_BUFFER_TOO_SMALL) ||
4540Sstevel@tonic-gate (rv == CKR_OK && pLastEncryptedPart == NULL)) {
4550Sstevel@tonic-gate /*
4560Sstevel@tonic-gate * We will not terminate the active encrypt operation flag,
4570Sstevel@tonic-gate * when the application-supplied buffer is too small, or
4580Sstevel@tonic-gate * the application asks for the length of buffer to hold
4590Sstevel@tonic-gate * the ciphertext.
4600Sstevel@tonic-gate */
4610Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
4620Sstevel@tonic-gate return (rv);
4630Sstevel@tonic-gate }
4640Sstevel@tonic-gate
4650Sstevel@tonic-gate clean_exit:
4660Sstevel@tonic-gate /* Terminates the active encrypt operation. */
4670Sstevel@tonic-gate (void) pthread_mutex_lock(&session_p->session_mutex);
4680Sstevel@tonic-gate session_p->encrypt.flags = 0;
4690Sstevel@tonic-gate ses_lock_held = B_TRUE;
4700Sstevel@tonic-gate REFRELE(session_p, ses_lock_held);
4710Sstevel@tonic-gate
4720Sstevel@tonic-gate return (rv);
4730Sstevel@tonic-gate }
474