xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEncryptUtil.c (revision 4c28a617e3922d92a58e813a5b955eb526b9c386)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
25  */
26 
27 #include <pthread.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <strings.h>
31 #include <sys/types.h>
32 #include <security/cryptoki.h>
33 #include <modes/modes.h>
34 #include <arcfour.h>
35 #include "softSession.h"
36 #include "softObject.h"
37 #include "softOps.h"
38 #include "softCrypt.h"
39 #include "softRSA.h"
40 
41 /*
42  * Add padding bytes with the value of length of padding.
43  */
44 void
45 soft_add_pkcs7_padding(CK_BYTE *buf, int block_size, CK_ULONG data_len)
46 {
47 	(void) pkcs7_encode(NULL, data_len, buf, block_size, block_size);
48 }
49 
50 /*
51  * Perform encrypt init operation internally for the support of
52  * CKM_AES and CKM_DES MAC operations.
53  *
54  * This function is called with the session being held, and without
55  * its mutex taken.
56  */
57 CK_RV
58 soft_encrypt_init_internal(soft_session_t *session_p, CK_MECHANISM_PTR
59     pMechanism, soft_object_t *key_p)
60 {
61 	CK_RV rv;
62 
63 	(void) pthread_mutex_lock(&session_p->session_mutex);
64 
65 	/* Check to see if encrypt operation is already active */
66 	if (session_p->encrypt.flags & CRYPTO_OPERATION_ACTIVE) {
67 		(void) pthread_mutex_unlock(&session_p->session_mutex);
68 		return (CKR_OPERATION_ACTIVE);
69 	}
70 
71 	session_p->encrypt.flags = CRYPTO_OPERATION_ACTIVE;
72 
73 	(void) pthread_mutex_unlock(&session_p->session_mutex);
74 
75 	rv = soft_encrypt_init(session_p, pMechanism, key_p);
76 
77 	if (rv != CKR_OK) {
78 		(void) pthread_mutex_lock(&session_p->session_mutex);
79 		session_p->encrypt.flags &= ~CRYPTO_OPERATION_ACTIVE;
80 		(void) pthread_mutex_unlock(&session_p->session_mutex);
81 	}
82 
83 	return (rv);
84 }
85 
86 /*
87  * soft_encrypt_init()
88  *
89  * Arguments:
90  *	session_p:	pointer to soft_session_t struct
91  *	pMechanism:	pointer to CK_MECHANISM struct provided by application
92  *	key_p:		pointer to key soft_object_t struct
93  *
94  * Description:
95  *	called by C_EncryptInit(). This function calls the corresponding
96  *	encrypt init routine based on the mechanism.
97  *
98  * Returns:
99  *	CKR_OK: success
100  *	CKR_HOST_MEMORY: run out of system memory
101  *	CKR_MECHANISM_PARAM_INVALID: invalid parameters in mechanism
102  *	CKR_MECHANISM_INVALID: invalid mechanism type
103  *	CKR_KEY_TYPE_INCONSISTENT: incorrect type of key to use
104  *		with the specified mechanism
105  */
106 CK_RV
107 soft_encrypt_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
108     soft_object_t *key_p)
109 {
110 
111 	CK_RV rv;
112 
113 	switch (pMechanism->mechanism) {
114 
115 	case CKM_DES_ECB:
116 
117 		if (key_p->key_type != CKK_DES) {
118 			return (CKR_KEY_TYPE_INCONSISTENT);
119 		}
120 		goto ecb_common;
121 
122 	case CKM_DES3_ECB:
123 
124 		if ((key_p->key_type != CKK_DES2) &&
125 		    (key_p->key_type != CKK_DES3)) {
126 			return (CKR_KEY_TYPE_INCONSISTENT);
127 		}
128 
129 ecb_common:
130 		return (soft_des_crypt_init_common(session_p, pMechanism,
131 		    key_p, B_TRUE));
132 
133 	case CKM_DES_CBC:
134 	case CKM_DES_CBC_PAD:
135 
136 		if (key_p->key_type != CKK_DES) {
137 			return (CKR_KEY_TYPE_INCONSISTENT);
138 		}
139 
140 		goto cbc_common;
141 
142 	case CKM_DES3_CBC:
143 	case CKM_DES3_CBC_PAD:
144 	{
145 
146 		soft_des_ctx_t *soft_des_ctx;
147 
148 		if ((key_p->key_type != CKK_DES2) &&
149 		    (key_p->key_type != CKK_DES3)) {
150 			return (CKR_KEY_TYPE_INCONSISTENT);
151 		}
152 
153 cbc_common:
154 		if ((pMechanism->pParameter == NULL) ||
155 		    (pMechanism->ulParameterLen != DES_BLOCK_LEN)) {
156 			return (CKR_MECHANISM_PARAM_INVALID);
157 		}
158 
159 		rv = soft_des_crypt_init_common(session_p, pMechanism,
160 		    key_p, B_TRUE);
161 
162 		if (rv != CKR_OK)
163 			return (rv);
164 
165 		(void) pthread_mutex_lock(&session_p->session_mutex);
166 
167 		soft_des_ctx = (soft_des_ctx_t *)session_p->encrypt.context;
168 		/* Copy Initialization Vector (IV) into the context. */
169 		(void) memcpy(soft_des_ctx->ivec, pMechanism->pParameter,
170 		    DES_BLOCK_LEN);
171 
172 		/* Allocate a context for DES cipher-block chaining. */
173 		soft_des_ctx->des_cbc = (void *)des_cbc_ctx_init(
174 		    soft_des_ctx->key_sched, soft_des_ctx->keysched_len,
175 		    soft_des_ctx->ivec, key_p->key_type);
176 
177 		if (soft_des_ctx->des_cbc == NULL) {
178 			bzero(soft_des_ctx->key_sched,
179 			    soft_des_ctx->keysched_len);
180 			free(soft_des_ctx->key_sched);
181 			free(session_p->encrypt.context);
182 			session_p->encrypt.context = NULL;
183 			rv = CKR_HOST_MEMORY;
184 		}
185 
186 		(void) pthread_mutex_unlock(&session_p->session_mutex);
187 
188 		return (rv);
189 	}
190 	case CKM_AES_ECB:
191 
192 		if (key_p->key_type != CKK_AES) {
193 			return (CKR_KEY_TYPE_INCONSISTENT);
194 		}
195 
196 		return (soft_aes_crypt_init_common(session_p, pMechanism,
197 		    key_p, B_TRUE));
198 
199 	case CKM_AES_CBC:
200 	case CKM_AES_CBC_PAD:
201 		if ((pMechanism->pParameter == NULL) ||
202 		    (pMechanism->ulParameterLen != AES_BLOCK_LEN)) {
203 			return (CKR_MECHANISM_PARAM_INVALID);
204 		}
205 	/* FALLTHRU */
206 	case CKM_AES_CMAC:
207 	{
208 		soft_aes_ctx_t *soft_aes_ctx;
209 
210 		if (key_p->key_type != CKK_AES) {
211 			return (CKR_KEY_TYPE_INCONSISTENT);
212 		}
213 
214 
215 		rv = soft_aes_crypt_init_common(session_p, pMechanism,
216 		    key_p, B_TRUE);
217 
218 		if (rv != CKR_OK)
219 			return (rv);
220 
221 		(void) pthread_mutex_lock(&session_p->session_mutex);
222 
223 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->encrypt.context;
224 		/* Copy Initialization Vector (IV) into the context. */
225 		if (pMechanism->mechanism == CKM_AES_CMAC) {
226 			(void) bzero(soft_aes_ctx->ivec, AES_BLOCK_LEN);
227 			/* Allocate a context for AES cipher-block chaining. */
228 			soft_aes_ctx->aes_cbc = (void *)aes_cmac_ctx_init(
229 			    soft_aes_ctx->key_sched,
230 			    soft_aes_ctx->keysched_len);
231 		} else {
232 			(void) memcpy(soft_aes_ctx->ivec,
233 			    pMechanism->pParameter,
234 			    AES_BLOCK_LEN);
235 			/* Allocate a context for AES cipher-block chaining. */
236 			soft_aes_ctx->aes_cbc = (void *)aes_cbc_ctx_init(
237 			    soft_aes_ctx->key_sched,
238 			    soft_aes_ctx->keysched_len,
239 			    soft_aes_ctx->ivec);
240 		}
241 		if (soft_aes_ctx->aes_cbc == NULL) {
242 			bzero(soft_aes_ctx->key_sched,
243 			    soft_aes_ctx->keysched_len);
244 			free(soft_aes_ctx->key_sched);
245 			free(session_p->encrypt.context);
246 			session_p->encrypt.context = NULL;
247 			rv = CKR_HOST_MEMORY;
248 		}
249 
250 		(void) pthread_mutex_unlock(&session_p->session_mutex);
251 
252 		return (rv);
253 	}
254 	case CKM_AES_CTR:
255 	{
256 		soft_aes_ctx_t *soft_aes_ctx;
257 
258 		if (key_p->key_type != CKK_AES) {
259 			return (CKR_KEY_TYPE_INCONSISTENT);
260 		}
261 
262 		if (pMechanism->pParameter == NULL ||
263 		    pMechanism->ulParameterLen != sizeof (CK_AES_CTR_PARAMS)) {
264 			return (CKR_MECHANISM_PARAM_INVALID);
265 		}
266 
267 		rv = soft_aes_crypt_init_common(session_p, pMechanism,
268 		    key_p, B_TRUE);
269 
270 		if (rv != CKR_OK)
271 			return (rv);
272 
273 		(void) pthread_mutex_lock(&session_p->session_mutex);
274 
275 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->encrypt.context;
276 		soft_aes_ctx->aes_cbc = aes_ctr_ctx_init(
277 		    soft_aes_ctx->key_sched, soft_aes_ctx->keysched_len,
278 		    pMechanism->pParameter);
279 
280 		if (soft_aes_ctx->aes_cbc == NULL) {
281 			bzero(soft_aes_ctx->key_sched,
282 			    soft_aes_ctx->keysched_len);
283 			free(soft_aes_ctx->key_sched);
284 			free(session_p->encrypt.context);
285 			session_p->encrypt.context = NULL;
286 			rv = CKR_HOST_MEMORY;
287 		}
288 
289 		(void) pthread_mutex_unlock(&session_p->session_mutex);
290 
291 		return (rv);
292 	}
293 	case CKM_RC4:
294 
295 		if (key_p->key_type != CKK_RC4) {
296 			return (CKR_KEY_TYPE_INCONSISTENT);
297 		}
298 
299 		return (soft_arcfour_crypt_init(session_p, pMechanism, key_p,
300 		    B_TRUE));
301 
302 	case CKM_RSA_X_509:
303 	case CKM_RSA_PKCS:
304 
305 		if (key_p->key_type != CKK_RSA) {
306 			return (CKR_KEY_TYPE_INCONSISTENT);
307 		}
308 
309 		return (soft_rsa_crypt_init_common(session_p, pMechanism,
310 		    key_p, B_TRUE));
311 
312 	case CKM_BLOWFISH_CBC:
313 	{
314 		soft_blowfish_ctx_t *soft_blowfish_ctx;
315 
316 		if (key_p->key_type != CKK_BLOWFISH)
317 			return (CKR_KEY_TYPE_INCONSISTENT);
318 
319 		if ((pMechanism->pParameter == NULL) ||
320 		    (pMechanism->ulParameterLen != BLOWFISH_BLOCK_LEN))
321 			return (CKR_MECHANISM_PARAM_INVALID);
322 
323 		rv = soft_blowfish_crypt_init_common(session_p, pMechanism,
324 		    key_p, B_TRUE);
325 
326 		if (rv != CKR_OK)
327 			return (rv);
328 
329 		(void) pthread_mutex_lock(&session_p->session_mutex);
330 
331 		soft_blowfish_ctx =
332 		    (soft_blowfish_ctx_t *)session_p->encrypt.context;
333 		/* Copy Initialization Vector (IV) into the context. */
334 		(void) memcpy(soft_blowfish_ctx->ivec, pMechanism->pParameter,
335 		    BLOWFISH_BLOCK_LEN);
336 
337 		/* Allocate a context for Blowfish cipher-block chaining */
338 		soft_blowfish_ctx->blowfish_cbc =
339 		    (void *)blowfish_cbc_ctx_init(soft_blowfish_ctx->key_sched,
340 		    soft_blowfish_ctx->keysched_len,
341 		    soft_blowfish_ctx->ivec);
342 
343 		if (soft_blowfish_ctx->blowfish_cbc == NULL) {
344 			bzero(soft_blowfish_ctx->key_sched,
345 			    soft_blowfish_ctx->keysched_len);
346 			free(soft_blowfish_ctx->key_sched);
347 			free(session_p->encrypt.context);
348 			session_p->encrypt.context = NULL;
349 			rv = CKR_HOST_MEMORY;
350 		}
351 
352 		(void) pthread_mutex_unlock(&session_p->session_mutex);
353 
354 		return (rv);
355 	}
356 	default:
357 		return (CKR_MECHANISM_INVALID);
358 	}
359 }
360 
361 
362 /*
363  * soft_encrypt_common()
364  *
365  * Arguments:
366  *      session_p:	pointer to soft_session_t struct
367  *	pData:		pointer to the input data to be encrypted
368  *	ulDataLen:	length of the input data
369  *	pEncrypted:	pointer to the output data after encryption
370  *	pulEncryptedLen: pointer to the length of the output data
371  *	update:		boolean flag indicates caller is soft_encrypt
372  *			or soft_encrypt_update
373  *
374  * Description:
375  *      This function calls the corresponding encrypt routine based
376  *	on the mechanism.
377  *
378  * Returns:
379  *	see corresponding encrypt routine.
380  */
381 CK_RV
382 soft_encrypt_common(soft_session_t *session_p, CK_BYTE_PTR pData,
383     CK_ULONG ulDataLen, CK_BYTE_PTR pEncrypted,
384     CK_ULONG_PTR pulEncryptedLen, boolean_t update)
385 {
386 
387 	CK_MECHANISM_TYPE mechanism = session_p->encrypt.mech.mechanism;
388 
389 	switch (mechanism) {
390 
391 	case CKM_DES_ECB:
392 	case CKM_DES_CBC:
393 	case CKM_DES3_ECB:
394 	case CKM_DES3_CBC:
395 
396 		if (ulDataLen == 0) {
397 			*pulEncryptedLen = 0;
398 			return (CKR_OK);
399 		}
400 		/* FALLTHROUGH */
401 
402 	case CKM_DES_CBC_PAD:
403 	case CKM_DES3_CBC_PAD:
404 
405 		return (soft_des_encrypt_common(session_p, pData,
406 		    ulDataLen, pEncrypted, pulEncryptedLen, update));
407 
408 	case CKM_AES_ECB:
409 	case CKM_AES_CBC:
410 	case CKM_AES_CTR:
411 
412 		if (ulDataLen == 0) {
413 			*pulEncryptedLen = 0;
414 			return (CKR_OK);
415 		}
416 		/* FALLTHROUGH */
417 
418 	case CKM_AES_CMAC:
419 	case CKM_AES_CBC_PAD:
420 
421 		return (soft_aes_encrypt_common(session_p, pData,
422 		    ulDataLen, pEncrypted, pulEncryptedLen, update));
423 
424 	case CKM_BLOWFISH_CBC:
425 
426 		if (ulDataLen == 0) {
427 			*pulEncryptedLen = 0;
428 			return (CKR_OK);
429 		}
430 
431 		return (soft_blowfish_encrypt_common(session_p, pData,
432 		    ulDataLen, pEncrypted, pulEncryptedLen, update));
433 
434 	case CKM_RC4:
435 
436 		if (ulDataLen == 0) {
437 			*pulEncryptedLen = 0;
438 			return (CKR_OK);
439 		}
440 
441 		return (soft_arcfour_crypt(&(session_p->encrypt), pData,
442 		    ulDataLen, pEncrypted, pulEncryptedLen));
443 
444 	case CKM_RSA_X_509:
445 	case CKM_RSA_PKCS:
446 
447 		return (soft_rsa_encrypt_common(session_p, pData,
448 		    ulDataLen, pEncrypted, pulEncryptedLen, mechanism));
449 
450 	default:
451 		return (CKR_MECHANISM_INVALID);
452 	}
453 }
454 
455 
456 /*
457  * soft_encrypt()
458  *
459  * Arguments:
460  *      session_p:	pointer to soft_session_t struct
461  *	pData:		pointer to the input data to be encrypted
462  *	ulDataLen:	length of the input data
463  *	pEncryptedData:	pointer to the output data after encryption
464  *	pulEncryptedDataLen: pointer to the length of the output data
465  *
466  * Description:
467  *      called by C_Encrypt(). This function calls the soft_encrypt_common
468  *	routine.
469  *
470  * Returns:
471  *	see soft_encrypt_common().
472  */
473 CK_RV
474 soft_encrypt(soft_session_t *session_p, CK_BYTE_PTR pData,
475     CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
476     CK_ULONG_PTR pulEncryptedDataLen)
477 {
478 
479 	return (soft_encrypt_common(session_p, pData, ulDataLen,
480 	    pEncryptedData, pulEncryptedDataLen, B_FALSE));
481 }
482 
483 
484 /*
485  * soft_encrypt_update()
486  *
487  * Arguments:
488  *      session_p:	pointer to soft_session_t struct
489  *      pPart:		pointer to the input data to be digested
490  *      ulPartLen:	length of the input data
491  *	pEncryptedPart:	pointer to the ciphertext
492  *	pulEncryptedPartLen: pointer to the length of the ciphertext
493  *
494  * Description:
495  *      called by C_EncryptUpdate(). This function calls the
496  *	soft_encrypt_common routine (with update flag on).
497  *
498  * Returns:
499  *	see soft_encrypt_common().
500  */
501 CK_RV
502 soft_encrypt_update(soft_session_t *session_p, CK_BYTE_PTR pPart,
503     CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
504     CK_ULONG_PTR pulEncryptedPartLen)
505 {
506 
507 	CK_MECHANISM_TYPE mechanism = session_p->encrypt.mech.mechanism;
508 
509 	switch (mechanism) {
510 
511 	case CKM_DES_ECB:
512 	case CKM_DES_CBC:
513 	case CKM_DES_CBC_PAD:
514 	case CKM_DES3_ECB:
515 	case CKM_DES3_CBC:
516 	case CKM_DES3_CBC_PAD:
517 	case CKM_AES_ECB:
518 	case CKM_AES_CBC:
519 	case CKM_AES_CBC_PAD:
520 	case CKM_AES_CMAC:
521 	case CKM_AES_CTR:
522 	case CKM_BLOWFISH_CBC:
523 	case CKM_RC4:
524 
525 		return (soft_encrypt_common(session_p, pPart, ulPartLen,
526 		    pEncryptedPart, pulEncryptedPartLen, B_TRUE));
527 
528 	default:
529 		/* PKCS11: The mechanism only supports single-part operation. */
530 		return (CKR_MECHANISM_INVALID);
531 	}
532 }
533 
534 
535 /*
536  * soft_encrypt_final()
537  *
538  * Arguments:
539  *      session_p:		pointer to soft_session_t struct
540  *      pLastEncryptedPart:	pointer to the last encrypted data part
541  *      pulLastEncryptedPartLen: pointer to the length of the last
542  *				encrypted data part
543  *
544  * Description:
545  *      called by C_EncryptFinal().
546  *
547  * Returns:
548  *	CKR_OK: success
549  *	CKR_FUNCTION_FAILED: encrypt final function failed
550  *	CKR_DATA_LEN_RANGE: remaining buffer contains bad length
551  */
552 CK_RV
553 soft_encrypt_final(soft_session_t *session_p, CK_BYTE_PTR pLastEncryptedPart,
554     CK_ULONG_PTR pulLastEncryptedPartLen)
555 {
556 
557 	CK_MECHANISM_TYPE mechanism = session_p->encrypt.mech.mechanism;
558 	CK_ULONG out_len;
559 	CK_RV rv = CKR_OK;
560 	int rc;
561 
562 	(void) pthread_mutex_lock(&session_p->session_mutex);
563 
564 	if (session_p->encrypt.context == NULL) {
565 		rv = CKR_OPERATION_NOT_INITIALIZED;
566 		*pulLastEncryptedPartLen = 0;
567 		goto clean1;
568 	}
569 	switch (mechanism) {
570 
571 	case CKM_DES_CBC_PAD:
572 	case CKM_DES3_CBC_PAD:
573 	{
574 		soft_des_ctx_t *soft_des_ctx;
575 
576 		soft_des_ctx = (soft_des_ctx_t *)session_p->encrypt.context;
577 		/*
578 		 * For CKM_DES_CBC_PAD, compute output length with
579 		 * padding. If the remaining buffer has one block
580 		 * of data, then output length will be two blocksize of
581 		 * ciphertext. If the remaining buffer has less than
582 		 * one block of data, then output length will be
583 		 * one blocksize.
584 		 */
585 		if (soft_des_ctx->remain_len == DES_BLOCK_LEN)
586 			out_len = 2 * DES_BLOCK_LEN;
587 		else
588 			out_len = DES_BLOCK_LEN;
589 
590 		if (pLastEncryptedPart == NULL) {
591 			/*
592 			 * Application asks for the length of the output
593 			 * buffer to hold the ciphertext.
594 			 */
595 			*pulLastEncryptedPartLen = out_len;
596 			goto clean1;
597 		} else {
598 			crypto_data_t out;
599 
600 			/* Copy remaining data to the output buffer. */
601 			(void) memcpy(pLastEncryptedPart, soft_des_ctx->data,
602 			    soft_des_ctx->remain_len);
603 
604 			/*
605 			 * Add padding bytes prior to encrypt final.
606 			 */
607 			soft_add_pkcs7_padding(pLastEncryptedPart +
608 			    soft_des_ctx->remain_len, DES_BLOCK_LEN,
609 			    soft_des_ctx->remain_len);
610 
611 			out.cd_format = CRYPTO_DATA_RAW;
612 			out.cd_offset = 0;
613 			out.cd_length = out_len;
614 			out.cd_raw.iov_base = (char *)pLastEncryptedPart;
615 			out.cd_raw.iov_len = out_len;
616 
617 			/* Encrypt multiple blocks of data. */
618 			rc = des_encrypt_contiguous_blocks(
619 			    (des_ctx_t *)soft_des_ctx->des_cbc,
620 			    (char *)pLastEncryptedPart, out_len, &out);
621 
622 			if (rc == 0) {
623 				*pulLastEncryptedPartLen = out_len;
624 			} else {
625 				*pulLastEncryptedPartLen = 0;
626 				rv = CKR_FUNCTION_FAILED;
627 			}
628 
629 			/* Cleanup memory space. */
630 			free(soft_des_ctx->des_cbc);
631 			bzero(soft_des_ctx->key_sched,
632 			    soft_des_ctx->keysched_len);
633 			free(soft_des_ctx->key_sched);
634 		}
635 
636 		break;
637 	}
638 	case CKM_DES_CBC:
639 	case CKM_DES_ECB:
640 	case CKM_DES3_CBC:
641 	case CKM_DES3_ECB:
642 	{
643 
644 		soft_des_ctx_t *soft_des_ctx;
645 
646 		soft_des_ctx = (soft_des_ctx_t *)session_p->encrypt.context;
647 		/*
648 		 * CKM_DES_CBC and CKM_DES_ECB does not do any padding,
649 		 * so when the final is called, the remaining buffer
650 		 * should not contain any more data.
651 		 */
652 		*pulLastEncryptedPartLen = 0;
653 		if (soft_des_ctx->remain_len != 0) {
654 			rv = CKR_DATA_LEN_RANGE;
655 		} else {
656 			if (pLastEncryptedPart == NULL)
657 				goto clean1;
658 		}
659 
660 		/* Cleanup memory space. */
661 		free(soft_des_ctx->des_cbc);
662 		bzero(soft_des_ctx->key_sched, soft_des_ctx->keysched_len);
663 		free(soft_des_ctx->key_sched);
664 
665 		break;
666 	}
667 	case CKM_AES_CBC_PAD:
668 	{
669 		soft_aes_ctx_t *soft_aes_ctx;
670 
671 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->encrypt.context;
672 		/*
673 		 * For CKM_AES_CBC_PAD, compute output length with
674 		 * padding. If the remaining buffer has one block
675 		 * of data, then output length will be two blocksize of
676 		 * ciphertext. If the remaining buffer has less than
677 		 * one block of data, then output length will be
678 		 * one blocksize.
679 		 */
680 		if (soft_aes_ctx->remain_len == AES_BLOCK_LEN)
681 			out_len = 2 * AES_BLOCK_LEN;
682 		else
683 			out_len = AES_BLOCK_LEN;
684 
685 		if (pLastEncryptedPart == NULL) {
686 			/*
687 			 * Application asks for the length of the output
688 			 * buffer to hold the ciphertext.
689 			 */
690 			*pulLastEncryptedPartLen = out_len;
691 			goto clean1;
692 		} else {
693 			crypto_data_t out;
694 
695 			/* Copy remaining data to the output buffer. */
696 			(void) memcpy(pLastEncryptedPart, soft_aes_ctx->data,
697 			    soft_aes_ctx->remain_len);
698 
699 			/*
700 			 * Add padding bytes prior to encrypt final.
701 			 */
702 			soft_add_pkcs7_padding(pLastEncryptedPart +
703 			    soft_aes_ctx->remain_len, AES_BLOCK_LEN,
704 			    soft_aes_ctx->remain_len);
705 
706 			out.cd_format = CRYPTO_DATA_RAW;
707 			out.cd_offset = 0;
708 			out.cd_length = out_len;
709 			out.cd_raw.iov_base = (char *)pLastEncryptedPart;
710 			out.cd_raw.iov_len = out_len;
711 
712 			/* Encrypt multiple blocks of data. */
713 			rc = aes_encrypt_contiguous_blocks(
714 			    (aes_ctx_t *)soft_aes_ctx->aes_cbc,
715 			    (char *)pLastEncryptedPart, out_len, &out);
716 
717 			if (rc == 0) {
718 				*pulLastEncryptedPartLen = out_len;
719 			} else {
720 				*pulLastEncryptedPartLen = 0;
721 				rv = CKR_FUNCTION_FAILED;
722 			}
723 
724 			/* Cleanup memory space. */
725 			free(soft_aes_ctx->aes_cbc);
726 			bzero(soft_aes_ctx->key_sched,
727 			    soft_aes_ctx->keysched_len);
728 			free(soft_aes_ctx->key_sched);
729 		}
730 
731 		break;
732 	}
733 	case CKM_AES_CMAC:
734 	{
735 		soft_aes_ctx_t *soft_aes_ctx;
736 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->encrypt.context;
737 
738 		if (pLastEncryptedPart == NULL) {
739 			/*
740 			 * Application asks for the length of the output
741 			 * buffer to hold the ciphertext.
742 			 */
743 			*pulLastEncryptedPartLen = AES_BLOCK_LEN;
744 			goto clean1;
745 		} else {
746 			crypto_data_t out;
747 
748 			out.cd_format = CRYPTO_DATA_RAW;
749 			out.cd_offset = 0;
750 			out.cd_length = AES_BLOCK_LEN;
751 			out.cd_raw.iov_base = (char *)pLastEncryptedPart;
752 			out.cd_raw.iov_len = AES_BLOCK_LEN;
753 
754 			rc = cmac_mode_final(soft_aes_ctx->aes_cbc, &out,
755 			    aes_encrypt_block, aes_xor_block);
756 
757 			if (rc == 0) {
758 				*pulLastEncryptedPartLen = AES_BLOCK_LEN;
759 			} else {
760 				*pulLastEncryptedPartLen = 0;
761 				rv = CKR_FUNCTION_FAILED;
762 			}
763 
764 			/* Cleanup memory space. */
765 			free(soft_aes_ctx->aes_cbc);
766 			bzero(soft_aes_ctx->key_sched,
767 			    soft_aes_ctx->keysched_len);
768 			free(soft_aes_ctx->key_sched);
769 		}
770 
771 		break;
772 	}
773 	case CKM_AES_CBC:
774 	case CKM_AES_ECB:
775 	{
776 		soft_aes_ctx_t *soft_aes_ctx;
777 
778 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->encrypt.context;
779 		/*
780 		 * CKM_AES_CBC and CKM_AES_ECB does not do any padding,
781 		 * so when the final is called, the remaining buffer
782 		 * should not contain any more data.
783 		 */
784 		*pulLastEncryptedPartLen = 0;
785 		if (soft_aes_ctx->remain_len != 0) {
786 			rv = CKR_DATA_LEN_RANGE;
787 		} else {
788 			if (pLastEncryptedPart == NULL)
789 				goto clean1;
790 		}
791 
792 		/* Cleanup memory space. */
793 		free(soft_aes_ctx->aes_cbc);
794 		bzero(soft_aes_ctx->key_sched, soft_aes_ctx->keysched_len);
795 		free(soft_aes_ctx->key_sched);
796 
797 		break;
798 	}
799 	case CKM_AES_CTR:
800 	{
801 		crypto_data_t out;
802 		soft_aes_ctx_t *soft_aes_ctx;
803 		ctr_ctx_t *ctr_ctx;
804 		size_t len;
805 
806 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->encrypt.context;
807 		ctr_ctx = soft_aes_ctx->aes_cbc;
808 		len = ctr_ctx->ctr_remainder_len;
809 
810 		if (pLastEncryptedPart == NULL) {
811 			*pulLastEncryptedPartLen = len;
812 			goto clean1;
813 		}
814 		if (len > 0) {
815 			out.cd_format = CRYPTO_DATA_RAW;
816 			out.cd_offset = 0;
817 			out.cd_length = len;
818 			out.cd_raw.iov_base = (char *)pLastEncryptedPart;
819 			out.cd_raw.iov_len = len;
820 
821 			rv = ctr_mode_final(ctr_ctx, &out, aes_encrypt_block);
822 		}
823 		if (rv == CRYPTO_BUFFER_TOO_SMALL) {
824 			*pulLastEncryptedPartLen = len;
825 			goto clean1;
826 		}
827 
828 		/* Cleanup memory space. */
829 		free(ctr_ctx);
830 		bzero(soft_aes_ctx->key_sched, soft_aes_ctx->keysched_len);
831 		free(soft_aes_ctx->key_sched);
832 
833 		break;
834 	}
835 	case CKM_BLOWFISH_CBC:
836 	{
837 		soft_blowfish_ctx_t *soft_blowfish_ctx;
838 
839 		soft_blowfish_ctx =
840 		    (soft_blowfish_ctx_t *)session_p->encrypt.context;
841 		/*
842 		 * CKM_BLOWFISH_CBC does not do any padding, so when the
843 		 * final is called, the remaining buffer should not contain
844 		 * any more data
845 		 */
846 		*pulLastEncryptedPartLen = 0;
847 		if (soft_blowfish_ctx->remain_len != 0)
848 			rv = CKR_DATA_LEN_RANGE;
849 		else {
850 			if (pLastEncryptedPart == NULL)
851 				goto clean1;
852 		}
853 
854 		free(soft_blowfish_ctx->blowfish_cbc);
855 		bzero(soft_blowfish_ctx->key_sched,
856 		    soft_blowfish_ctx->keysched_len);
857 		free(soft_blowfish_ctx->key_sched);
858 		break;
859 	}
860 
861 	case CKM_RC4:
862 	{
863 		ARCFour_key *key = (ARCFour_key *)session_p->encrypt.context;
864 		/* Remaining data size is always zero for RC4. */
865 		*pulLastEncryptedPartLen = 0;
866 		if (pLastEncryptedPart == NULL)
867 			goto clean1;
868 		bzero(key, sizeof (*key));
869 		break;
870 	}
871 	default:
872 		/* PKCS11: The mechanism only supports single-part operation. */
873 		rv = CKR_MECHANISM_INVALID;
874 		break;
875 	}
876 
877 	free(session_p->encrypt.context);
878 	session_p->encrypt.context = NULL;
879 clean1:
880 	(void) pthread_mutex_unlock(&session_p->session_mutex);
881 
882 	return (rv);
883 }
884 
885 /*
886  * This function frees the allocated active crypto context and the
887  * lower level of allocated struct as needed.
888  * This function is called by the 1st tier of encrypt/decrypt routines
889  * or by the 2nd tier of session close routine. Since the 1st tier
890  * caller will always call this function without locking the session
891  * mutex and the 2nd tier caller will call with the lock, we add the
892  * third parameter "lock_held" to distinguish this case.
893  */
894 void
895 soft_crypt_cleanup(soft_session_t *session_p, boolean_t encrypt,
896     boolean_t lock_held)
897 {
898 
899 	crypto_active_op_t *active_op;
900 	boolean_t lock_true = B_TRUE;
901 
902 	if (!lock_held)
903 		(void) pthread_mutex_lock(&session_p->session_mutex);
904 
905 	active_op = (encrypt) ? &(session_p->encrypt) : &(session_p->decrypt);
906 
907 	switch (active_op->mech.mechanism) {
908 
909 	case CKM_DES_CBC_PAD:
910 	case CKM_DES3_CBC_PAD:
911 	case CKM_DES_CBC:
912 	case CKM_DES_ECB:
913 	case CKM_DES3_CBC:
914 	case CKM_DES3_ECB:
915 	{
916 
917 		soft_des_ctx_t *soft_des_ctx =
918 		    (soft_des_ctx_t *)active_op->context;
919 		des_ctx_t *des_ctx;
920 
921 		if (soft_des_ctx != NULL) {
922 			des_ctx = (des_ctx_t *)soft_des_ctx->des_cbc;
923 			if (des_ctx != NULL) {
924 				bzero(des_ctx->dc_keysched,
925 				    des_ctx->dc_keysched_len);
926 				free(soft_des_ctx->des_cbc);
927 			}
928 			bzero(soft_des_ctx->key_sched,
929 			    soft_des_ctx->keysched_len);
930 			free(soft_des_ctx->key_sched);
931 		}
932 		break;
933 	}
934 
935 	case CKM_AES_CBC_PAD:
936 	case CKM_AES_CBC:
937 	case CKM_AES_CMAC:
938 	case CKM_AES_ECB:
939 	{
940 		soft_aes_ctx_t *soft_aes_ctx =
941 		    (soft_aes_ctx_t *)active_op->context;
942 		aes_ctx_t *aes_ctx;
943 
944 		if (soft_aes_ctx != NULL) {
945 			aes_ctx = (aes_ctx_t *)soft_aes_ctx->aes_cbc;
946 			if (aes_ctx != NULL) {
947 				bzero(aes_ctx->ac_keysched,
948 				    aes_ctx->ac_keysched_len);
949 				free(soft_aes_ctx->aes_cbc);
950 			}
951 			bzero(soft_aes_ctx->key_sched,
952 			    soft_aes_ctx->keysched_len);
953 			free(soft_aes_ctx->key_sched);
954 		}
955 		break;
956 	}
957 
958 	case CKM_BLOWFISH_CBC:
959 	{
960 		soft_blowfish_ctx_t *soft_blowfish_ctx =
961 		    (soft_blowfish_ctx_t *)active_op->context;
962 		blowfish_ctx_t *blowfish_ctx;
963 
964 		if (soft_blowfish_ctx != NULL) {
965 			blowfish_ctx =
966 			    (blowfish_ctx_t *)soft_blowfish_ctx->blowfish_cbc;
967 			if (blowfish_ctx != NULL) {
968 				bzero(blowfish_ctx->bc_keysched,
969 				    blowfish_ctx->bc_keysched_len);
970 				free(soft_blowfish_ctx->blowfish_cbc);
971 			}
972 
973 			bzero(soft_blowfish_ctx->key_sched,
974 			    soft_blowfish_ctx->keysched_len);
975 			free(soft_blowfish_ctx->key_sched);
976 		}
977 		break;
978 	}
979 
980 	case CKM_RC4:
981 	{
982 		ARCFour_key *key = (ARCFour_key *)active_op->context;
983 
984 		if (key != NULL)
985 			bzero(key, sizeof (*key));
986 		break;
987 	}
988 
989 	case CKM_RSA_X_509:
990 	case CKM_RSA_PKCS:
991 	{
992 		soft_rsa_ctx_t *rsa_ctx =
993 		    (soft_rsa_ctx_t *)active_op->context;
994 
995 		if (rsa_ctx != NULL)
996 			if (rsa_ctx->key != NULL) {
997 				soft_cleanup_object(rsa_ctx->key);
998 				free(rsa_ctx->key);
999 			}
1000 
1001 		break;
1002 	}
1003 
1004 	} /* switch */
1005 
1006 	if (active_op->context != NULL) {
1007 		free(active_op->context);
1008 		active_op->context = NULL;
1009 	}
1010 
1011 	active_op->flags = 0;
1012 
1013 	if (!lock_held)
1014 		SES_REFRELE(session_p, lock_true);
1015 }
1016