xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_tpm/common/api_interface.c (revision aedf2b3bb56b025fcaf87b49ec6c8aeea07f16d7)
1 /*
2  *		Common Public License Version 0.5
3  *
4  *		THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF
5  *		THIS COMMON PUBLIC LICENSE ("AGREEMENT"). ANY USE,
6  *		REPRODUCTION OR DISTRIBUTION OF THE PROGRAM CONSTITUTES
7  *		RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
8  *
9  *		1. DEFINITIONS
10  *
11  *		"Contribution" means:
12  *		      a) in the case of the initial Contributor, the
13  *		      initial code and documentation distributed under
14  *		      this Agreement, and
15  *
16  *		      b) in the case of each subsequent Contributor:
17  *		      i) changes to the Program, and
18  *		      ii) additions to the Program;
19  *
20  *		      where such changes and/or additions to the Program
21  *		      originate from and are distributed by that
22  *		      particular Contributor. A Contribution 'originates'
23  *		      from a Contributor if it was added to the Program
24  *		      by such Contributor itself or anyone acting on such
25  *		      Contributor's behalf. Contributions do not include
26  *		      additions to the Program which: (i) are separate
27  *		      modules of software distributed in conjunction with
28  *		      the Program under their own license agreement, and
29  *		      (ii) are not derivative works of the Program.
30  *
31  *
32  *		"Contributor" means any person or entity that distributes
33  *		the Program.
34  *
35  *		"Licensed Patents " mean patent claims licensable by a
36  *		Contributor which are necessarily infringed by the use or
37  *		sale of its Contribution alone or when combined with the
38  *		Program.
39  *
40  *		"Program" means the Contributions distributed in
41  *		accordance with this Agreement.
42  *
43  *		"Recipient" means anyone who receives the Program under
44  *		this Agreement, including all Contributors.
45  *
46  *		2. GRANT OF RIGHTS
47  *
48  *		      a) Subject to the terms of this Agreement, each
49  *		      Contributor hereby grants Recipient a
50  *		      no - exclusive, worldwide, royalt - free copyright
51  *		      license to reproduce, prepare derivative works of,
52  *		      publicly display, publicly perform, distribute and
53  *		      sublicense the Contribution of such Contributor, if
54  *		      any, and such derivative works, in source code and
55  *		      object code form.
56  *
57  *		      b) Subject to the terms of this Agreement, each
58  *		      Contributor hereby grants Recipient a
59  *		      no - exclusive, worldwide, royalt - free patent
60  *		      license under Licensed Patents to make, use, sell,
61  *		      offer to sell, import and otherwise transfer the
62  *		      Contribution of such Contributor, if any, in source
63  *		      code and object code form. This patent license
64  *		      shall apply to the combination of the Contribution
65  *		      and the Program if, at the time the Contribution is
66  *		      added by the Contributor, such addition of the
67  *		      Contribution causes such combination to be covered
68  *		      by the Licensed Patents. The patent license shall
69  *		      not apply to any other combinations which include
70  *		      the Contribution. No hardware per se is licensed
71  *		      hereunder.
72  *
73  *		      c) Recipient understands that although each
74  *		      Contributor grants the licenses to its
75  *		      Contributions set forth herein, no assurances are
76  *		      provided by any Contributor that the Program does
77  *		      not infringe the patent or other intellectual
78  *		      property rights of any other entity. Each
79  *		      Contributor disclaims any liability to Recipient
80  *		      for claims brought by any other entity based on
81  *		      infringement of intellectual property rights or
82  *		      otherwise. As a condition to exercising the rights
83  *		      and licenses granted hereunder, each Recipient
84  *		      hereby assumes sole responsibility to secure any
85  *		      other intellectual property rights needed, if any.
86  *
87  *		      For example, if a third party patent license is
88  *		      required to allow Recipient to distribute the
89  *		      Program, it is Recipient's responsibility to
90  *		      acquire that license before distributing the
91  *		      Program.
92  *
93  *		      d) Each Contributor represents that to its
94  *		      knowledge it has sufficient copyright rights in its
95  *		      Contribution, if any, to grant the copyright
96  *		      license set forth in this Agreement.
97  *
98  *		3. REQUIREMENTS
99  *
100  *		A Contributor may choose to distribute the Program in
101  *		object code form under its own license agreement, provided
102  *		that:
103  *		      a) it complies with the terms and conditions of
104  *		      this Agreement; and
105  *
106  *		      b) its license agreement:
107  *		      i) effectively disclaims on behalf of all
108  *		      Contributors all warranties and conditions, express
109  *		      and implied, including warranties or conditions of
110  *		      title and no - infringement, and implied warranties
111  *		      or conditions of merchantability and fitness for a
112  *		      particular purpose;
113  *
114  *		      ii) effectively excludes on behalf of all
115  *		      Contributors all liability for damages, including
116  *		      direct, indirect, special, incidental and
117  *		      consequential damages, such as lost profits;
118  *
119  *		      iii) states that any provisions which differ from
120  *		      this Agreement are offered by that Contributor
121  *		      alone and not by any other party; and
122  *
123  *		      iv) states that source code for the Program is
124  *		      available from such Contributor, and informs
125  *		      licensees how to obtain it in a reasonable manner
126  *		      on or through a medium customarily used for
127  *		      software exchange.
128  *
129  *		When the Program is made available in source code form:
130  *		      a) it must be made available under this Agreement;
131  *		      and
132  *		      b) a copy of this Agreement must be included with
133  *		      each copy of the Program.
134  *
135  *		Contributors may not remove or alter any copyright notices
136  *		contained within the Program.
137  *
138  *		Each Contributor must identify itself as the originator of
139  *		its Contribution, if any, in a manner that reasonably
140  *		allows subsequent Recipients to identify the originator of
141  *		the Contribution.
142  *
143  *
144  *		4. COMMERCIAL DISTRIBUTION
145  *
146  *		Commercial distributors of software may accept certain
147  *		responsibilities with respect to end users, business
148  *		partners and the like. While this license is intended to
149  *		facilitate the commercial use of the Program, the
150  *		Contributor who includes the Program in a commercial
151  *		product offering should do so in a manner which does not
152  *		create potential liability for other Contributors.
153  *		Therefore, if a Contributor includes the Program in a
154  *		commercial product offering, such Contributor ("Commercial
155  *		Contributor") hereby agrees to defend and indemnify every
156  *		other Contributor ("Indemnified Contributor") against any
157  *		losses, damages and costs (collectively "Losses") arising
158  *		from claims, lawsuits and other legal actions brought by a
159  *		third party against the Indemnified Contributor to the
160  *		extent caused by the acts or omissions of such Commercial
161  *		Contributor in connection with its distribution of the
162  *		Program in a commercial product offering. The obligations
163  *		in this section do not apply to any claims or Losses
164  *		relating to any actual or alleged intellectual property
165  *		infringement. In order to qualify, an Indemnified
166  *		Contributor must: a) promptly notify the Commercial
167  *		Contributor in writing of such claim, and b) allow the
168  *		Commercial Contributor to control, and cooperate with the
169  *		Commercial Contributor in, the defense and any related
170  *		settlement negotiations. The Indemnified Contributor may
171  *		participate in any such claim at its own expense.
172  *
173  *
174  *		For example, a Contributor might include the Program in a
175  *		commercial product offering, Product X. That Contributor
176  *		is then a Commercial Contributor. If that Commercial
177  *		Contributor then makes performance claims, or offers
178  *		warranties related to Product X, those performance claims
179  *		and warranties are such Commercial Contributor's
180  *		responsibility alone. Under this section, the Commercial
181  *		Contributor would have to defend claims against the other
182  *		Contributors related to those performance claims and
183  *		warranties, and if a court requires any other Contributor
184  *		to pay any damages as a result, the Commercial Contributor
185  *		must pay those damages.
186  *
187  *
188  *		5. NO WARRANTY
189  *
190  *		EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE
191  *		PROGRAM IS PROVIDED ON AN "AS IS" BASIS, WITHOUT
192  *		WARRANTIES OR CONDITIONS OF ANY KIND, EITHER EXPRESS OR
193  *		IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
194  *		CONDITIONS OF TITLE, NO - INFRINGEMENT, MERCHANTABILITY OR
195  *		FITNESS FOR A PARTICULAR PURPOSE. Each Recipient is solely
196  *		responsible for determining the appropriateness of using
197  *		and distributing the Program and assumes all risks
198  *		associated with its exercise of rights under this
199  *		Agreement, including but not limited to the risks and
200  *		costs of program errors, compliance with applicable laws,
201  *		damage to or loss of data, programs or equipment, and
202  *		unavailability or interruption of operations.
203  *
204  *		6. DISCLAIMER OF LIABILITY
205  *		EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER
206  *		RECIPIENT NOR ANY CONTRIBUTORS SHALL HAVE ANY LIABILITY
207  *		FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
208  *		OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
209  *		LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF
210  *		LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
211  *		(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
212  *		OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE EXERCISE
213  *		OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE
214  *		POSSIBILITY OF SUCH DAMAGES.
215  *
216  *		7. GENERAL
217  *
218  *		If any provision of this Agreement is invalid or
219  *		unenforceable under applicable law, it shall not affect
220  *		the validity or enforceability of the remainder of the
221  *		terms of this Agreement, and without further action by the
222  *		parties hereto, such provision shall be reformed to the
223  *		minimum extent necessary to make such provision valid and
224  *		enforceable.
225  *
226  *
227  *		If Recipient institutes patent litigation against a
228  *		Contributor with respect to a patent applicable to
229  *		software (including a cros - claim or counterclaim in a
230  *		lawsuit), then any patent licenses granted by that
231  *		Contributor to such Recipient under this Agreement shall
232  *		terminate as of the date such litigation is filed. In
233  *		addition, If Recipient institutes patent litigation
234  *		against any entity (including a cros - claim or
235  *		counterclaim in a lawsuit) alleging that the Program
236  *		itself (excluding combinations of the Program with other
237  *		software or hardware) infringes such Recipient's
238  *		patent(s), then such Recipient's rights granted under
239  *		Section 2(b) shall terminate as of the date such
240  *		litigation is filed.
241  *
242  *		All Recipient's rights under this Agreement shall
243  *		terminate if it fails to comply with any of the material
244  *		terms or conditions of this Agreement and does not cure
245  *		such failure in a reasonable period of time after becoming
246  *		aware of such noncompliance. If all Recipient's rights
247  *		under this Agreement terminate, Recipient agrees to cease
248  *		use and distribution of the Program as soon as reasonably
249  *		practicable. However, Recipient's obligations under this
250  *		Agreement and any licenses granted by Recipient relating
251  *		to the Program shall continue and survive.
252  *
253  *		Everyone is permitted to copy and distribute copies of
254  *		this Agreement, but in order to avoid inconsistency the
255  *		Agreement is copyrighted and may only be modified in the
256  *		following manner. The Agreement Steward reserves the right
257  *		to publish new versions (including revisions) of this
258  *		Agreement from time to time. No one other than the
259  *		Agreement Steward has the right to modify this Agreement.
260  *
261  *		IBM is the initial Agreement Steward. IBM may assign the
262  *		responsibility to serve as the Agreement Steward to a
263  *		suitable separate entity. Each new version of the
264  *		Agreement will be given a distinguishing version number.
265  *		The Program (including Contributions) may always be
266  *		distributed subject to the version of the Agreement under
267  *		which it was received. In addition, after a new version of
268  *		the Agreement is published, Contributor may elect to
269  *		distribute the Program (including its Contributions) under
270  *		the new version. Except as expressly stated in Sections
271  *		2(a) and 2(b) above, Recipient receives no rights or
272  *		licenses to the intellectual property of any Contributor
273  *		under this Agreement, whether expressly, by implication,
274  *		estoppel or otherwise. All rights in the Program not
275  *		expressly granted under this Agreement are reserved.
276  *
277  *
278  *		This Agreement is governed by the laws of the State of New
279  *		York and the intellectual property laws of the United
280  *		States of America. No party to this Agreement will bring a
281  *		legal action under this Agreement more than one year after
282  *		the cause of action arose. Each party waives its rights to
283  *		a jury trial in any resulting litigation.
284  *
285  *
286  *
287  * (C) COPYRIGHT International Business Machines Corp. 2001, 2002
288  */
289 /*
290  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
291  * Use is subject to license terms.
292  */
293 
294 #include "tpmtok_int.h"
295 
296 #define	LOG(x)  logit(LOG_DEBUG, x)
297 
298 /*
299  * NOTES:
300  * In many cases the specificaiton does not allow returns
301  * of CKR_ARGUMENTSB_BAD.  We break the spec, since validation of parameters
302  * to the function are best represented by this return code (where
303  * specific RC's such as CKR_INVALID_SESSION do not exist).
304  * NOTE NOTE NOTE NOTE
305  *    The parameter checking on the update operations may need to be
306  *    modified (as well as the encrypt/decrypt) to call the std API
307  *    anyway with sanatized parameters since on error, the encrypt/decrypt
308  *    sign operations are all supposed to complete.
309  *    Therefor the parameter checking here might need to be done in
310  *    the STDLL instead of the API.
311  *    This would affect ALL the Multipart operations which have
312  *    an init followed by one or more operations.
313  *
314  * Globals for the API
315  */
316 API_Proc_Struct_t  *Anchor = NULL;
317 static unsigned int   Initialized = 0;
318 static pthread_mutex_t global_mutex = PTHREAD_MUTEX_INITIALIZER;
319 struct ST_FCN_LIST FuncList;
320 CK_FUNCTION_LIST PK11_Functions;
321 extern pthread_rwlock_t obj_list_rw_mutex;
322 
323 
324 static void
325 tpmtoken_fork_prepare()
326 {
327 	(void) pthread_mutex_lock(&global_mutex);
328 	(void) pthread_mutex_lock(&pkcs_mutex);
329 	(void) pthread_mutex_lock(&obj_list_mutex);
330 	(void) pthread_rwlock_wrlock(&obj_list_rw_mutex);
331 	(void) pthread_mutex_lock(&sess_list_mutex);
332 	(void) pthread_mutex_lock(&login_mutex);
333 	if (Anchor) {
334 		(void) pthread_mutex_lock(&Anchor->ProcMutex);
335 		(void) pthread_mutex_lock(&Anchor->SessListMutex);
336 	}
337 }
338 
339 static void
340 tpmtoken_fork_parent()
341 {
342 	if (Anchor) {
343 		(void) pthread_mutex_unlock(&Anchor->SessListMutex);
344 		(void) pthread_mutex_unlock(&Anchor->ProcMutex);
345 	}
346 	(void) pthread_mutex_unlock(&login_mutex);
347 	(void) pthread_mutex_unlock(&sess_list_mutex);
348 	(void) pthread_rwlock_unlock(&obj_list_rw_mutex);
349 	(void) pthread_mutex_unlock(&obj_list_mutex);
350 	(void) pthread_mutex_unlock(&pkcs_mutex);
351 	(void) pthread_mutex_unlock(&global_mutex);
352 }
353 
354 static void
355 tpmtoken_fork_child()
356 {
357 	if (Anchor) {
358 		(void) pthread_mutex_unlock(&Anchor->SessListMutex);
359 		(void) pthread_mutex_unlock(&Anchor->ProcMutex);
360 	}
361 
362 	(void) pthread_mutex_unlock(&login_mutex);
363 	(void) pthread_mutex_unlock(&sess_list_mutex);
364 	(void) pthread_rwlock_unlock(&obj_list_rw_mutex);
365 	(void) pthread_mutex_unlock(&obj_list_mutex);
366 	(void) pthread_mutex_unlock(&pkcs_mutex);
367 	(void) pthread_mutex_unlock(&global_mutex);
368 
369 	if (Anchor) {
370 		Terminate_All_Process_Sessions();
371 		free(Anchor);
372 		Anchor = NULL;
373 	}
374 	if (FuncList.ST_Finalize)
375 		FuncList.ST_Finalize(0);
376 
377 	logterm();
378 	loginit();
379 }
380 
381 /*ARGSUSED*/
382 CK_RV
383 C_CancelFunction(CK_SESSION_HANDLE hSession)
384 {
385 	LOG("C_CancelFunction");
386 	if (API_Initialized() == FALSE) {
387 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
388 	}
389 	return (CKR_FUNCTION_NOT_PARALLEL);
390 }
391 
392 CK_RV
393 C_CloseAllSessions(CK_SLOT_ID slotID)
394 {
395 	Session_Struct_t *pCur, *pPrev;
396 	CK_RV    rv;
397 	/*
398 	 * Although why does modutil do a close all sessions.  It is a single
399 	 * application it can only close its sessions...
400 	 * And all sessions should be closed anyhow.
401 	 */
402 	LOG("CloseAllSessions");
403 	if (API_Initialized() == FALSE)
404 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
405 
406 	if (!global_shm->token_available || (slotID > NUMBER_SLOTS_MANAGED))
407 		return (CKR_SLOT_ID_INVALID);
408 	/*
409 	 * Proc Mutex is locked when we remove from the seesion list in
410 	 * Close SEssion.  Therefore we don't need to do any locking
411 	 * the atomic operations are controled when we use the linked list
412 	 */
413 	pCur = (Anchor ? Anchor->SessListBeg : NULL);
414 	while (pCur) {
415 		/*
416 		 * Session owned by the slot we are working on
417 		 * There is a basic problem here.  We are using th pCur
418 		 * to point to the current one, however we delete it from
419 		 * the linked list and can no longer go Forward.  So we
420 		 * have to use the fact that this is a doubly linked list
421 		 * and get the previous pointer.  After deletion, the next
422 		 * pointer of this block will point to the next one in the
423 		 * list.
424 		 * If the value is Null, then this was the first one in
425 		 * the list and we just set pCur to the SessListBeg.
426 		 */
427 		if (pCur->SltId == slotID) {
428 			pPrev = pCur->Previous;
429 			rv = C_CloseSession((CK_SESSION_HANDLE)pCur);
430 			if (rv == CKR_OK ||
431 			    rv == CKR_SESSION_CLOSED ||
432 			    rv == CKR_SESSION_HANDLE_INVALID) {
433 				if (pPrev == NULL) {
434 					pCur = Anchor->SessListBeg;
435 				} else {
436 					pCur = pPrev->Next;
437 				}
438 			} else {
439 				return (rv);
440 			}
441 		} else {
442 			pCur = pCur->Next;
443 		}
444 	}
445 	LOG("CloseAllSessions OK");
446 	return (CKR_OK);
447 }
448 CK_RV
449 C_CloseSession(CK_SESSION_HANDLE hSession)
450 {
451 	CK_RV rv;
452 	Session_Struct_t *sessp;
453 	ST_SESSION_T rSession;
454 	LOG("C_CloseSession");
455 	if (API_Initialized() == FALSE) {
456 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
457 	}
458 	/* Validate Session */
459 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
460 		return (CKR_SESSION_HANDLE_INVALID);
461 	}
462 
463 	if (FuncList.ST_CloseSession) {
464 		/* Map the Session to the slot session */
465 		rv = FuncList.ST_CloseSession(rSession);
466 
467 		if (rv == CKR_OK) {
468 			sessp = (Session_Struct_t *)hSession;
469 			RemoveFromSessionList(sessp);
470 		}
471 	} else {
472 		rv = CKR_FUNCTION_NOT_SUPPORTED;
473 	}
474 	return (rv);
475 }
476 
477 CK_RV
478 C_CopyObject(
479 	CK_SESSION_HANDLE	hSession,
480 	CK_OBJECT_HANDLE	hObject,
481 	CK_ATTRIBUTE_PTR	pTemplate,
482 	CK_ULONG		ulCount,
483 	CK_OBJECT_HANDLE_PTR	phNewObject)
484 {
485 	CK_RV rv;
486 	ST_SESSION_T rSession;
487 	LOG("C_CopyObject");
488 	if (API_Initialized() == FALSE) {
489 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
490 	}
491 	if (!Valid_Session((Session_Struct_t *)hSession, &rSession)) {
492 		return (CKR_SESSION_HANDLE_INVALID);
493 	}
494 	if (!phNewObject) {
495 		return (CKR_ARGUMENTS_BAD);
496 	}
497 	/*
498 	 * A null template with a count will cause the lower layer
499 	 * to have problems.
500 	 * Template with 0 count is not a problem.
501 	 */
502 	if (!pTemplate && ulCount) {
503 		return (CKR_ARGUMENTS_BAD);
504 	}
505 	if (FuncList.ST_CopyObject) {
506 		rv = FuncList.ST_CopyObject(rSession, hObject, pTemplate,
507 		    ulCount, phNewObject);
508 	} else {
509 		rv = CKR_FUNCTION_NOT_SUPPORTED;
510 	}
511 	return (rv);
512 }
513 
514 CK_RV
515 C_CreateObject(
516 	CK_SESSION_HANDLE	hSession,
517 	CK_ATTRIBUTE_PTR	pTemplate,
518 	CK_ULONG		ulCount,
519 	CK_OBJECT_HANDLE_PTR	phObject)
520 {
521 	CK_RV	rv;
522 	ST_SESSION_T rSession;
523 
524 	if (API_Initialized() == FALSE) {
525 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
526 	}
527 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
528 		return (CKR_SESSION_HANDLE_INVALID);
529 	}
530 	if (! pTemplate) {
531 		return (CKR_TEMPLATE_INCOMPLETE);
532 	}
533 	if (ulCount == 0) {
534 		return (CKR_TEMPLATE_INCOMPLETE);
535 	}
536 	if (! phObject) {
537 		return (CKR_ARGUMENTS_BAD);
538 	}
539 	if (FuncList.ST_CreateObject) {
540 		// Map the Session to the slot session
541 		rv = FuncList.ST_CreateObject(rSession, pTemplate,
542 		    ulCount, phObject);
543 	} else {
544 		rv = CKR_FUNCTION_NOT_SUPPORTED;
545 	}
546 	return (rv);
547 }
548 
549 CK_RV
550 C_Decrypt(CK_SESSION_HANDLE hSession,
551 	CK_BYTE_PTR	pEncryptedData,
552 	CK_ULONG	ulEncryptedDataLen,
553 	CK_BYTE_PTR	pData,
554 	CK_ULONG_PTR	pulDataLen)
555 {
556 	CK_RV	rv;
557 	ST_SESSION_T rSession;
558 
559 	if (API_Initialized() == FALSE) {
560 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
561 	}
562 	if (!Valid_Session((Session_Struct_t *)hSession, &rSession)) {
563 		return (CKR_SESSION_HANDLE_INVALID);
564 	}
565 	if (FuncList.ST_Decrypt) {
566 		rv = FuncList.ST_Decrypt(rSession, pEncryptedData,
567 		    ulEncryptedDataLen, pData, pulDataLen);
568 	} else {
569 		rv = CKR_FUNCTION_NOT_SUPPORTED;
570 	}
571 	return (rv);
572 }
573 
574 CK_RV
575 C_DecryptDigestUpdate(
576 	CK_SESSION_HANDLE hSession,
577 	CK_BYTE_PTR	pEncryptedPart,
578 	CK_ULONG	ulEncryptedPartLen,
579 	CK_BYTE_PTR	pPart,
580 	CK_ULONG_PTR	pulPartLen)
581 {
582 	CK_RV	rv;
583 	ST_SESSION_T rSession;
584 
585 	if (API_Initialized() == FALSE) {
586 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
587 	}
588 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
589 		return (CKR_SESSION_HANDLE_INVALID);
590 	}
591 	if (! pEncryptedPart || ! pulPartLen) {
592 		return (CKR_ARGUMENTS_BAD);
593 	}
594 	if (FuncList.ST_DecryptDigestUpdate) {
595 		rv = FuncList.ST_DecryptDigestUpdate(rSession, pEncryptedPart,
596 		    ulEncryptedPartLen, pPart, pulPartLen);
597 	} else {
598 		rv = CKR_FUNCTION_NOT_SUPPORTED;
599 	}
600 	return (rv);
601 }
602 
603 CK_RV
604 C_DecryptFinal(CK_SESSION_HANDLE hSession,
605 	CK_BYTE_PTR	pLastPart,
606 	CK_ULONG_PTR	pulLastPartLen)
607 {
608 	CK_RV	rv;
609 	ST_SESSION_T rSession;
610 
611 	if (API_Initialized() == FALSE) {
612 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
613 	}
614 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
615 		return (CKR_SESSION_HANDLE_INVALID);
616 	}
617 	/*
618 	 * It is acceptable to have a Null pointer for the data since
619 	 * it is trying to get the length of the last part....
620 	 * The spec is unclear if a second call to Final is needed
621 	 * if there is no data in the last part.
622 	 */
623 	if (! pulLastPartLen) {
624 		return (CKR_ARGUMENTS_BAD);
625 	}
626 	if (FuncList.ST_DecryptFinal) {
627 		rv = FuncList.ST_DecryptFinal(rSession, pLastPart,
628 		    pulLastPartLen);
629 	} else {
630 		rv = CKR_FUNCTION_NOT_SUPPORTED;
631 	}
632 	return (rv);
633 }
634 
635 CK_RV
636 C_DecryptInit(CK_SESSION_HANDLE hSession,
637 	CK_MECHANISM_PTR pMechanism,
638 	CK_OBJECT_HANDLE hKey)
639 {
640 	CK_RV rv;
641 	ST_SESSION_T rSession;
642 
643 	if (API_Initialized() == FALSE) {
644 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
645 	}
646 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
647 		return (CKR_SESSION_HANDLE_INVALID);
648 	}
649 	if (! pMechanism) {
650 		return (CKR_MECHANISM_INVALID);
651 	}
652 	if (FuncList.ST_DecryptInit) {
653 		rv = FuncList.ST_DecryptInit(rSession, pMechanism, hKey);
654 	} else {
655 		rv = CKR_FUNCTION_NOT_SUPPORTED;
656 	}
657 	return (rv);
658 }
659 
660 CK_RV
661 C_DecryptUpdate(CK_SESSION_HANDLE hSession,
662 	CK_BYTE_PTR	pEncryptedPart,
663 	CK_ULONG	ulEncryptedPartLen,
664 	CK_BYTE_PTR	pPart,
665 	CK_ULONG_PTR	pulPartLen)
666 {
667 	CK_RV	rv;
668 	ST_SESSION_T rSession;
669 
670 	if (API_Initialized() == FALSE) {
671 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
672 	}
673 	if (!Valid_Session((Session_Struct_t *)hSession, &rSession)) {
674 		return (CKR_SESSION_HANDLE_INVALID);
675 	}
676 	if (!pEncryptedPart || !pulPartLen) {
677 		return (CKR_ARGUMENTS_BAD);
678 	}
679 	if (FuncList.ST_DecryptUpdate) {
680 		rv = FuncList.ST_DecryptUpdate(rSession, pEncryptedPart,
681 		    ulEncryptedPartLen, pPart, pulPartLen);
682 	} else {
683 		rv = CKR_FUNCTION_NOT_SUPPORTED;
684 	}
685 	return (rv);
686 }
687 
688 CK_RV
689 C_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
690 	CK_BYTE_PTR	pEncryptedPart,
691 	CK_ULONG	ulEncryptedPartLen,
692 	CK_BYTE_PTR	pPart,
693 	CK_ULONG_PTR	pulPartLen)
694 {
695 	CK_RV	rv;
696 	ST_SESSION_T rSession;
697 
698 	if (API_Initialized() == FALSE) {
699 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
700 	}
701 	// Validate Session
702 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
703 		return (CKR_SESSION_HANDLE_INVALID);
704 	}
705 	// May have to let these go through and let the STDLL handle them
706 	if (! pEncryptedPart || ! pulPartLen) {
707 		return (CKR_ARGUMENTS_BAD);
708 	}
709 	// Get local pointers to session
710 	if (FuncList.ST_DecryptVerifyUpdate) {
711 		// Map the Session to the slot session
712 		rv = FuncList.ST_DecryptVerifyUpdate(rSession,
713 		    pEncryptedPart, ulEncryptedPartLen, pPart, pulPartLen);
714 	} else {
715 		rv = CKR_FUNCTION_NOT_SUPPORTED;
716 	}
717 	return (rv);
718 }
719 
720 CK_RV
721 C_DeriveKey(CK_SESSION_HANDLE	hSession,
722 	CK_MECHANISM_PTR	pMechanism,
723 	CK_OBJECT_HANDLE	hBaseKey,
724 	CK_ATTRIBUTE_PTR	pTemplate,
725 	CK_ULONG		ulAttributeCount,
726 	CK_OBJECT_HANDLE_PTR	phKey)
727 {
728 	CK_RV	rv;
729 	ST_SESSION_T rSession;
730 
731 	if (API_Initialized() == FALSE) {
732 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
733 	}
734 	if (!Valid_Session((Session_Struct_t *)hSession, &rSession)) {
735 		return (CKR_SESSION_HANDLE_INVALID);
736 	}
737 
738 	if (!pMechanism) {
739 		return (CKR_MECHANISM_INVALID);
740 	}
741 	if (!pTemplate && ulAttributeCount) {
742 		return (CKR_ARGUMENTS_BAD);
743 	}
744 	if (FuncList.ST_DeriveKey) {
745 		rv = FuncList.ST_DeriveKey(rSession, pMechanism,
746 		    hBaseKey, pTemplate, ulAttributeCount, phKey);
747 	} else {
748 		rv = CKR_FUNCTION_NOT_SUPPORTED;
749 	}
750 	return (rv);
751 }
752 
753 CK_RV
754 C_DestroyObject(CK_SESSION_HANDLE hSession,
755 	CK_OBJECT_HANDLE hObject)
756 {
757 	CK_RV rv;
758 	ST_SESSION_T rSession;
759 
760 	if (API_Initialized() == FALSE) {
761 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
762 	}
763 	if (!Valid_Session((Session_Struct_t *)hSession, &rSession)) {
764 		return (CKR_SESSION_HANDLE_INVALID);
765 	}
766 	if (FuncList.ST_DestroyObject) {
767 		rv = FuncList.ST_DestroyObject(rSession, hObject);
768 	} else {
769 		rv = CKR_FUNCTION_NOT_SUPPORTED;
770 	}
771 	return (rv);
772 }
773 
774 CK_RV
775 C_Digest(CK_SESSION_HANDLE hSession,
776 	CK_BYTE_PTR	pData,
777 	CK_ULONG	ulDataLen,
778 	CK_BYTE_PTR	pDigest,
779 	CK_ULONG_PTR	pulDigestLen)
780 {
781 	CK_RV	rv;
782 	ST_SESSION_T rSession;
783 
784 	if (API_Initialized() == FALSE) {
785 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
786 	}
787 	if (!Valid_Session((Session_Struct_t *)hSession, &rSession)) {
788 		return (CKR_SESSION_HANDLE_INVALID);
789 	}
790 	if (FuncList.ST_Digest) {
791 		rv = FuncList.ST_Digest(rSession, pData, ulDataLen,
792 		    pDigest, pulDigestLen);
793 	} else {
794 		rv = CKR_FUNCTION_NOT_SUPPORTED;
795 	}
796 	return (rv);
797 }
798 
799 CK_RV
800 C_DigestEncryptUpdate(CK_SESSION_HANDLE hSession,
801 	CK_BYTE_PTR	pPart,
802 	CK_ULONG	ulPartLen,
803 	CK_BYTE_PTR	pEncryptedPart,
804 	CK_ULONG_PTR	pulEncryptedPartLen)
805 {
806 	CK_RV rv;
807 	ST_SESSION_T rSession;
808 
809 	if (API_Initialized() == FALSE) {
810 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
811 	}
812 	if (! pPart || ! pulEncryptedPartLen) {
813 		return (CKR_ARGUMENTS_BAD);
814 	}
815 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
816 		return (CKR_SESSION_HANDLE_INVALID);
817 	}
818 	if (FuncList.ST_DigestEncryptUpdate) {
819 		rv = FuncList.ST_DigestEncryptUpdate(rSession, pPart,
820 		    ulPartLen, pEncryptedPart, pulEncryptedPartLen);
821 	} else {
822 		rv = CKR_FUNCTION_NOT_SUPPORTED;
823 	}
824 	return (rv);
825 }
826 
827 CK_RV
828 C_DigestFinal(CK_SESSION_HANDLE hSession,
829 	CK_BYTE_PTR	pDigest,
830 	CK_ULONG_PTR	pulDigestLen)
831 {
832 	CK_RV rv;
833 	ST_SESSION_T rSession;
834 
835 	if (API_Initialized() == FALSE) {
836 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
837 	}
838 	if (! pulDigestLen) {
839 		return (CKR_ARGUMENTS_BAD);
840 	}
841 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
842 		return (CKR_SESSION_HANDLE_INVALID);
843 	}
844 	if (FuncList.ST_DigestFinal) {
845 		rv = FuncList.ST_DigestFinal(rSession, pDigest, pulDigestLen);
846 	} else {
847 		rv = CKR_FUNCTION_NOT_SUPPORTED;
848 	}
849 	return (rv);
850 }
851 
852 CK_RV
853 C_DigestInit(CK_SESSION_HANDLE hSession,
854 	CK_MECHANISM_PTR pMechanism)
855 {
856 	CK_RV rv;
857 	ST_SESSION_T rSession;
858 
859 	if (API_Initialized() == FALSE) {
860 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
861 	}
862 	if (! pMechanism) {
863 		return (CKR_MECHANISM_INVALID);
864 	}
865 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
866 		return (CKR_SESSION_HANDLE_INVALID);
867 	}
868 	if (FuncList.ST_DigestInit) {
869 		rv = FuncList.ST_DigestInit(rSession, pMechanism);
870 	} else {
871 		rv = CKR_FUNCTION_NOT_SUPPORTED;
872 	}
873 	return (rv);
874 }
875 
876 CK_RV
877 C_DigestKey(CK_SESSION_HANDLE hSession,
878 	CK_OBJECT_HANDLE hKey)
879 {
880 	CK_RV rv;
881 	ST_SESSION_T rSession;
882 
883 	if (API_Initialized() == FALSE) {
884 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
885 	}
886 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
887 		return (CKR_SESSION_HANDLE_INVALID);
888 	}
889 	if (FuncList.ST_DigestKey) {
890 		rv = FuncList.ST_DigestKey(rSession, hKey);
891 	} else {
892 		rv = CKR_FUNCTION_NOT_SUPPORTED;
893 	}
894 	return (rv);
895 }
896 
897 CK_RV
898 C_DigestUpdate(CK_SESSION_HANDLE hSession,
899 	CK_BYTE_PTR pPart,
900 	CK_ULONG ulPartLen)
901 {
902 	CK_RV rv;
903 	ST_SESSION_T rSession;
904 	if (API_Initialized() == FALSE) {
905 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
906 	}
907 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
908 		return (CKR_SESSION_HANDLE_INVALID);
909 	}
910 	if (FuncList.ST_DigestUpdate) {
911 		rv = FuncList.ST_DigestUpdate(rSession, pPart, ulPartLen);
912 	} else {
913 		rv = CKR_FUNCTION_NOT_SUPPORTED;
914 	}
915 	return (rv);
916 }
917 
918 CK_RV
919 C_Encrypt(CK_SESSION_HANDLE hSession,
920 	CK_BYTE_PTR pData,
921 	CK_ULONG ulDataLen,
922 	CK_BYTE_PTR pEncryptedData,
923 	CK_ULONG_PTR pulEncryptedDataLen)
924 {
925 	CK_RV rv;
926 	ST_SESSION_T rSession;
927 
928 	if (API_Initialized() == FALSE) {
929 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
930 	}
931 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
932 		return (CKR_SESSION_HANDLE_INVALID);
933 	}
934 	// Get local pointers to session
935 	if (FuncList.ST_Encrypt) {
936 		// Map the Session to the slot session
937 		rv = FuncList.ST_Encrypt(rSession, pData, ulDataLen,
938 		    pEncryptedData, pulEncryptedDataLen);
939 	} else {
940 		rv = CKR_FUNCTION_NOT_SUPPORTED;
941 	}
942 	return (rv);
943 }
944 
945 CK_RV
946 C_EncryptFinal(CK_SESSION_HANDLE hSession,
947 	CK_BYTE_PTR pLastEncryptedPart,
948 	CK_ULONG_PTR pulLastEncryptedPartLen)
949 {
950 	CK_RV rv;
951 	ST_SESSION_T rSession;
952 
953 	if (API_Initialized() == FALSE) {
954 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
955 	}
956 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
957 		return (CKR_SESSION_HANDLE_INVALID);
958 	}
959 	if (FuncList.ST_EncryptFinal) {
960 		rv = FuncList.ST_EncryptFinal(rSession,
961 		    pLastEncryptedPart, pulLastEncryptedPartLen);
962 	} else {
963 		rv = CKR_FUNCTION_NOT_SUPPORTED;
964 	}
965 	return (rv);
966 }
967 
968 CK_RV
969 C_EncryptInit(CK_SESSION_HANDLE hSession,
970 	CK_MECHANISM_PTR pMechanism,
971 	CK_OBJECT_HANDLE hKey)
972 {
973 	CK_RV rv;
974 	ST_SESSION_T rSession;
975 
976 	if (API_Initialized() == FALSE) {
977 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
978 	}
979 	if (! pMechanism) {
980 		return (CKR_MECHANISM_INVALID);
981 	}
982 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
983 		return (CKR_SESSION_HANDLE_INVALID);
984 	}
985 	if (FuncList.ST_EncryptInit) {
986 		rv = FuncList.ST_EncryptInit(rSession, pMechanism, hKey);
987 	} else {
988 		rv = CKR_FUNCTION_NOT_SUPPORTED;
989 	}
990 	return (rv);
991 }
992 
993 CK_RV
994 C_EncryptUpdate(CK_SESSION_HANDLE hSession,
995 	CK_BYTE_PTR pPart,
996 	CK_ULONG ulPartLen,
997 	CK_BYTE_PTR pEncryptedPart,
998 	CK_ULONG_PTR pulEncryptedPartLen)
999 {
1000 	CK_RV rv;
1001 	ST_SESSION_T rSession;
1002 
1003 	if (API_Initialized() == FALSE) {
1004 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1005 	}
1006 	if (!pPart || !pulEncryptedPartLen) {
1007 		return (CKR_ARGUMENTS_BAD);
1008 	}
1009 	if (!Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1010 		return (CKR_SESSION_HANDLE_INVALID);
1011 	}
1012 	if (FuncList.ST_EncryptUpdate) {
1013 		rv = FuncList.ST_EncryptUpdate(rSession, pPart, ulPartLen,
1014 		    pEncryptedPart, pulEncryptedPartLen);
1015 	} else {
1016 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1017 	}
1018 	return (rv);
1019 }
1020 
1021 CK_RV
1022 do_finalize(CK_VOID_PTR pReserved)
1023 {
1024 	if (API_Initialized() == FALSE) {
1025 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1026 	}
1027 	if (pReserved != NULL) {
1028 		return (CKR_ARGUMENTS_BAD);
1029 	}
1030 	(void) pthread_mutex_lock(&global_mutex);
1031 	if (Anchor)
1032 		Terminate_All_Process_Sessions();
1033 
1034 	if (FuncList.ST_Finalize)
1035 		FuncList.ST_Finalize(0);
1036 
1037 	free(Anchor);
1038 	Anchor = NULL;
1039 
1040 	(void) pthread_mutex_unlock(&global_mutex);
1041 	return (CKR_OK);
1042 }
1043 
1044 CK_RV
1045 C_Finalize(CK_VOID_PTR pReserved) {
1046 	return (do_finalize(pReserved));
1047 }
1048 
1049 CK_RV
1050 C_FindObjects(CK_SESSION_HANDLE    hSession,
1051 	CK_OBJECT_HANDLE_PTR phObject,
1052 	CK_ULONG ulMaxObjectCount,
1053 	CK_ULONG_PTR pulObjectCount)
1054 {
1055 	CK_RV rv;
1056 	ST_SESSION_T rSession;
1057 
1058 	if (API_Initialized() == FALSE) {
1059 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1060 	}
1061 	if (! phObject || ! pulObjectCount) {
1062 		return (CKR_ARGUMENTS_BAD);
1063 	}
1064 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1065 		return (CKR_SESSION_HANDLE_INVALID);
1066 	}
1067 	if (FuncList.ST_FindObjects) {
1068 		rv = FuncList.ST_FindObjects(rSession, phObject,
1069 		    ulMaxObjectCount, pulObjectCount);
1070 	} else {
1071 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1072 	}
1073 	return (rv);
1074 }
1075 
1076 CK_RV
1077 C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
1078 {
1079 	CK_RV rv;
1080 	ST_SESSION_T rSession;
1081 
1082 	if (API_Initialized() == FALSE) {
1083 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1084 	}
1085 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1086 		return (CKR_SESSION_HANDLE_INVALID);
1087 	}
1088 	if (FuncList.ST_FindObjectsFinal) {
1089 		rv = FuncList.ST_FindObjectsFinal(rSession);
1090 	} else {
1091 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1092 	}
1093 	return (rv);
1094 }
1095 
1096 CK_RV
1097 C_FindObjectsInit(CK_SESSION_HANDLE hSession,
1098 	CK_ATTRIBUTE_PTR pTemplate,
1099 	CK_ULONG ulCount)
1100 {
1101 	CK_RV rv;
1102 	ST_SESSION_T rSession;
1103 
1104 	if (API_Initialized() == FALSE) {
1105 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1106 	}
1107 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1108 		return (CKR_SESSION_HANDLE_INVALID);
1109 	}
1110 	if (FuncList.ST_FindObjectsInit) {
1111 		rv = FuncList.ST_FindObjectsInit(rSession, pTemplate, ulCount);
1112 	} else {
1113 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1114 	}
1115 	return (rv);
1116 }
1117 
1118 CK_RV
1119 C_GenerateKey(CK_SESSION_HANDLE    hSession,
1120 	CK_MECHANISM_PTR pMechanism,
1121 	CK_ATTRIBUTE_PTR pTemplate,
1122 	CK_ULONG ulCount,
1123 	CK_OBJECT_HANDLE_PTR phKey)
1124 {
1125 	CK_RV rv;
1126 	ST_SESSION_T rSession;
1127 
1128 	if (API_Initialized() == FALSE) {
1129 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1130 	}
1131 	if (! pMechanism) {
1132 		return (CKR_MECHANISM_INVALID);
1133 	}
1134 	if (! phKey) {
1135 		return (CKR_ARGUMENTS_BAD);
1136 	}
1137 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1138 		return (CKR_SESSION_HANDLE_INVALID);
1139 	}
1140 	if (FuncList.ST_GenerateKey) {
1141 		rv = FuncList.ST_GenerateKey(rSession, pMechanism,
1142 		    pTemplate, ulCount, phKey);
1143 	} else {
1144 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1145 	}
1146 	return (rv);
1147 }
1148 
1149 CK_RV
1150 C_GenerateKeyPair(CK_SESSION_HANDLE    hSession,
1151 	CK_MECHANISM_PTR pMechanism,
1152 	CK_ATTRIBUTE_PTR pPublicKeyTemplate,
1153 	CK_ULONG ulPublicKeyAttributeCount,
1154 	CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
1155 	CK_ULONG ulPrivateKeyAttributeCount,
1156 	CK_OBJECT_HANDLE_PTR phPublicKey,
1157 	CK_OBJECT_HANDLE_PTR phPrivateKey)
1158 {
1159 	CK_RV rv;
1160 	ST_SESSION_T rSession;
1161 
1162 	if (API_Initialized() == FALSE) {
1163 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1164 	}
1165 	if (! pMechanism) {
1166 		return (CKR_MECHANISM_INVALID);
1167 	}
1168 	if (! phPublicKey || ! phPrivateKey) {
1169 		return (CKR_ARGUMENTS_BAD);
1170 	}
1171 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1172 		return (CKR_SESSION_HANDLE_INVALID);
1173 	}
1174 	if (FuncList.ST_GenerateKeyPair) {
1175 		rv = FuncList.ST_GenerateKeyPair(rSession,
1176 		    pMechanism, pPublicKeyTemplate,
1177 		    ulPublicKeyAttributeCount, pPrivateKeyTemplate,
1178 		    ulPrivateKeyAttributeCount, phPublicKey, phPrivateKey);
1179 	} else {
1180 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1181 	}
1182 	return (rv);
1183 }
1184 
1185 CK_RV
1186 C_GenerateRandom(CK_SESSION_HANDLE hSession,
1187 	CK_BYTE_PTR RandomData,
1188 	CK_ULONG ulRandomLen)
1189 {
1190 	CK_RV rv;
1191 	ST_SESSION_T rSession;
1192 
1193 	if (API_Initialized() == FALSE) {
1194 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1195 	}
1196 	if (! RandomData)
1197 		return (CKR_ARGUMENTS_BAD);
1198 
1199 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1200 		return (CKR_SESSION_HANDLE_INVALID);
1201 	}
1202 	if (FuncList.ST_GenerateRandom) {
1203 		rv = FuncList.ST_GenerateRandom(rSession, RandomData,
1204 		    ulRandomLen);
1205 	} else {
1206 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1207 	}
1208 	return (rv);
1209 }
1210 
1211 CK_RV
1212 C_GetAttributeValue(CK_SESSION_HANDLE hSession,
1213 	CK_OBJECT_HANDLE hObject,
1214 	CK_ATTRIBUTE_PTR pTemplate,
1215 	CK_ULONG ulCount)
1216 {
1217 	CK_RV rv;
1218 	ST_SESSION_T rSession;
1219 
1220 	if (API_Initialized() == FALSE) {
1221 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1222 	}
1223 	if (! pTemplate) {
1224 		return (CKR_TEMPLATE_INCOMPLETE);
1225 	}
1226 	if (ulCount == 0) {
1227 		return (CKR_TEMPLATE_INCOMPLETE);
1228 	}
1229 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1230 		return (CKR_SESSION_HANDLE_INVALID);
1231 	}
1232 	if (FuncList.ST_GetAttributeValue) {
1233 		rv = FuncList.ST_GetAttributeValue(rSession, hObject,
1234 		    pTemplate, ulCount);
1235 	} else {
1236 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1237 	}
1238 	return (rv);
1239 }
1240 
1241 CK_RV
1242 C_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
1243 {
1244 	_init();
1245 
1246 	PK11_Functions.version.major = VERSION_MAJOR;
1247 	PK11_Functions.version.minor = VERSION_MINOR;
1248 	PK11_Functions.C_Initialize = C_Initialize;
1249 	PK11_Functions.C_Finalize = C_Finalize;
1250 	PK11_Functions.C_GetInfo = C_GetInfo;
1251 	PK11_Functions.C_GetFunctionList = C_GetFunctionList;
1252 	PK11_Functions.C_GetSlotList = C_GetSlotList;
1253 	PK11_Functions.C_GetSlotInfo = C_GetSlotInfo;
1254 	PK11_Functions.C_GetTokenInfo = C_GetTokenInfo;
1255 	PK11_Functions.C_GetMechanismList = C_GetMechanismList;
1256 	PK11_Functions.C_GetMechanismInfo = C_GetMechanismInfo;
1257 	PK11_Functions.C_InitToken = C_InitToken;
1258 	PK11_Functions.C_InitPIN = C_InitPIN;
1259 	PK11_Functions.C_SetPIN = C_SetPIN;
1260 	PK11_Functions.C_OpenSession = C_OpenSession;
1261 	PK11_Functions.C_CloseSession = C_CloseSession;
1262 	PK11_Functions.C_CloseAllSessions = C_CloseAllSessions;
1263 	PK11_Functions.C_GetSessionInfo = C_GetSessionInfo;
1264 	PK11_Functions.C_GetOperationState = C_GetOperationState;
1265 	PK11_Functions.C_SetOperationState = C_SetOperationState;
1266 	PK11_Functions.C_Login = C_Login;
1267 	PK11_Functions.C_Logout = C_Logout;
1268 	PK11_Functions.C_CreateObject = C_CreateObject;
1269 	PK11_Functions.C_CopyObject = C_CopyObject;
1270 	PK11_Functions.C_DestroyObject = C_DestroyObject;
1271 	PK11_Functions.C_GetObjectSize = C_GetObjectSize;
1272 	PK11_Functions.C_GetAttributeValue = C_GetAttributeValue;
1273 	PK11_Functions.C_SetAttributeValue = C_SetAttributeValue;
1274 	PK11_Functions.C_FindObjectsInit = C_FindObjectsInit;
1275 	PK11_Functions.C_FindObjects = C_FindObjects;
1276 	PK11_Functions.C_FindObjectsFinal = C_FindObjectsFinal;
1277 	PK11_Functions.C_EncryptInit = C_EncryptInit;
1278 	PK11_Functions.C_Encrypt = C_Encrypt;
1279 	PK11_Functions.C_EncryptUpdate = C_EncryptUpdate;
1280 	PK11_Functions.C_EncryptFinal = C_EncryptFinal;
1281 	PK11_Functions.C_DecryptInit = C_DecryptInit;
1282 	PK11_Functions.C_Decrypt = C_Decrypt;
1283 	PK11_Functions.C_DecryptUpdate = C_DecryptUpdate;
1284 	PK11_Functions.C_DecryptFinal = C_DecryptFinal;
1285 	PK11_Functions.C_DigestInit = C_DigestInit;
1286 	PK11_Functions.C_Digest = C_Digest;
1287 	PK11_Functions.C_DigestUpdate = C_DigestUpdate;
1288 	PK11_Functions.C_DigestKey = C_DigestKey;
1289 	PK11_Functions.C_DigestFinal = C_DigestFinal;
1290 	PK11_Functions.C_SignInit = C_SignInit;
1291 	PK11_Functions.C_Sign = C_Sign;
1292 	PK11_Functions.C_SignUpdate = C_SignUpdate;
1293 	PK11_Functions.C_SignFinal = C_SignFinal;
1294 	PK11_Functions.C_SignRecoverInit = C_SignRecoverInit;
1295 	PK11_Functions.C_SignRecover = C_SignRecover;
1296 	PK11_Functions.C_VerifyInit = C_VerifyInit;
1297 	PK11_Functions.C_Verify = C_Verify;
1298 	PK11_Functions.C_VerifyUpdate = C_VerifyUpdate;
1299 	PK11_Functions.C_VerifyFinal = C_VerifyFinal;
1300 	PK11_Functions.C_VerifyRecoverInit = C_VerifyRecoverInit;
1301 	PK11_Functions.C_VerifyRecover = C_VerifyRecover;
1302 	PK11_Functions.C_DigestEncryptUpdate = C_DigestEncryptUpdate;
1303 	PK11_Functions.C_DecryptDigestUpdate = C_DecryptDigestUpdate;
1304 	PK11_Functions.C_SignEncryptUpdate = C_SignEncryptUpdate;
1305 	PK11_Functions.C_DecryptVerifyUpdate = C_DecryptVerifyUpdate;
1306 	PK11_Functions.C_GenerateKey = C_GenerateKey;
1307 	PK11_Functions.C_GenerateKeyPair = C_GenerateKeyPair;
1308 	PK11_Functions.C_WrapKey = C_WrapKey;
1309 	PK11_Functions.C_UnwrapKey = C_UnwrapKey;
1310 	PK11_Functions.C_DeriveKey = C_DeriveKey;
1311 	PK11_Functions.C_SeedRandom = C_SeedRandom;
1312 	PK11_Functions.C_GenerateRandom = C_GenerateRandom;
1313 	PK11_Functions.C_GetFunctionStatus = C_GetFunctionStatus;
1314 	PK11_Functions.C_CancelFunction = C_CancelFunction;
1315 	PK11_Functions.C_WaitForSlotEvent = C_WaitForSlotEvent;
1316 	if (ppFunctionList) {
1317 		(*ppFunctionList) = &PK11_Functions;
1318 		return (CKR_OK);
1319 	} else {
1320 		return (CKR_ARGUMENTS_BAD);
1321 	}
1322 }
1323 
1324 /*ARGSUSED*/
1325 CK_RV
1326 C_GetFunctionStatus(CK_SESSION_HANDLE hSession)
1327 {
1328 	if (API_Initialized() == FALSE) {
1329 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1330 	}
1331 	return (CKR_FUNCTION_NOT_PARALLEL); // PER Specification PG 170
1332 }
1333 
1334 CK_RV
1335 C_GetInfo(CK_INFO_PTR pInfo)
1336 {
1337 	TOKEN_DATA td;
1338 	TSS_HCONTEXT hContext;
1339 
1340 	if (! API_Initialized()) {
1341 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1342 	}
1343 	if (! pInfo) {
1344 		return (CKR_FUNCTION_FAILED);
1345 	}
1346 	(void) memset(pInfo, 0, sizeof (*pInfo));
1347 	pInfo->cryptokiVersion.major = 2;
1348 	pInfo->cryptokiVersion.minor = 20;
1349 
1350 	if (open_tss_context(&hContext) == 0) {
1351 		/*
1352 		 * Only populate the TPM info if we can establish
1353 		 * a context, but don't return failure because
1354 		 * the framework needs to know some of the info.
1355 		 */
1356 		(void) token_get_tpm_info(hContext, &td);
1357 
1358 		(void) Tspi_Context_Close(hContext);
1359 
1360 		(void) memcpy(pInfo->manufacturerID,
1361 		    &(td.token_info.manufacturerID),
1362 		    sizeof (pInfo->manufacturerID) - 1);
1363 
1364 		pInfo->flags = td.token_info.flags;
1365 	}
1366 	(void) strcpy((char *)pInfo->libraryDescription,
1367 	    "PKCS11 Interface for TPM");
1368 
1369 	pInfo->libraryVersion.major = 1;
1370 	pInfo->libraryVersion.minor = 0;
1371 
1372 	return (CKR_OK);
1373 }
1374 
1375 CK_RV
1376 C_GetMechanismInfo(CK_SLOT_ID	slotID,
1377 	CK_MECHANISM_TYPE	type,
1378 	CK_MECHANISM_INFO_PTR	pInfo)
1379 {
1380 	CK_RV rv;
1381 	if (API_Initialized() == FALSE)
1382 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1383 
1384 	if (!global_shm->token_available || (slotID > NUMBER_SLOTS_MANAGED))
1385 		return (CKR_SLOT_ID_INVALID);
1386 
1387 	if (FuncList.ST_GetMechanismInfo) {
1388 		rv = FuncList.ST_GetMechanismInfo(slotID, type, pInfo);
1389 	} else {
1390 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1391 	}
1392 	return (rv);
1393 }
1394 
1395 CK_RV
1396 C_GetMechanismList(CK_SLOT_ID slotID,
1397 	CK_MECHANISM_TYPE_PTR pMechanismList,
1398 	CK_ULONG_PTR pulCount)
1399 {
1400 	CK_RV rv;
1401 
1402 	if (API_Initialized() == FALSE)
1403 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1404 
1405 	if (! pulCount)
1406 		return (CKR_ARGUMENTS_BAD);
1407 
1408 	if (!global_shm->token_available || (slotID > NUMBER_SLOTS_MANAGED))
1409 		return (CKR_SLOT_ID_INVALID);
1410 
1411 	if (FuncList.ST_GetMechanismList) {
1412 		rv = FuncList.ST_GetMechanismList(slotID,
1413 		    pMechanismList, pulCount);
1414 	} else {
1415 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1416 	}
1417 	if (rv == CKR_OK) {
1418 		if (pMechanismList) {
1419 			unsigned long i;
1420 			for (i = 0; i < *pulCount; i++) {
1421 				logit(LOG_DEBUG, "Mechanism[%d] 0x%08X ",
1422 				    i, pMechanismList[i]);
1423 			}
1424 		}
1425 	}
1426 	return (rv);
1427 }
1428 
1429 CK_RV
1430 C_GetObjectSize(CK_SESSION_HANDLE hSession,
1431 	CK_OBJECT_HANDLE hObject,
1432 	CK_ULONG_PTR pulSize)
1433 {
1434 	CK_RV rv;
1435 	ST_SESSION_T rSession;
1436 
1437 	if (API_Initialized() == FALSE) {
1438 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1439 	}
1440 	if (! pulSize) {
1441 		return (CKR_ARGUMENTS_BAD);
1442 	}
1443 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1444 		return (CKR_SESSION_HANDLE_INVALID);
1445 	}
1446 	if (FuncList.ST_GetObjectSize) {
1447 		rv = FuncList.ST_GetObjectSize(rSession, hObject, pulSize);
1448 	} else {
1449 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1450 	}
1451 	return (rv);
1452 }
1453 
1454 CK_RV
1455 C_GetOperationState(CK_SESSION_HANDLE hSession,
1456 	CK_BYTE_PTR pOperationState,
1457 	CK_ULONG_PTR pulOperationStateLen)
1458 {
1459 	CK_RV rv;
1460 	ST_SESSION_T rSession;
1461 
1462 	if (API_Initialized() == FALSE) {
1463 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1464 	}
1465 	if (! pulOperationStateLen) {
1466 		return (CKR_ARGUMENTS_BAD);
1467 	}
1468 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1469 		return (CKR_SESSION_HANDLE_INVALID);
1470 	}
1471 	if (FuncList.ST_GetOperationState) {
1472 		rv = FuncList.ST_GetOperationState(rSession,
1473 		    pOperationState, pulOperationStateLen);
1474 	} else {
1475 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1476 	}
1477 	return (rv);
1478 }
1479 
1480 CK_RV
1481 C_GetSessionInfo(CK_SESSION_HANDLE hSession,
1482 	CK_SESSION_INFO_PTR pInfo)
1483 {
1484 	CK_RV rv;
1485 	ST_SESSION_T rSession;
1486 
1487 	if (API_Initialized() == FALSE) {
1488 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1489 	}
1490 	if (! pInfo) {
1491 		return (CKR_ARGUMENTS_BAD);
1492 	}
1493 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1494 		return (CKR_SESSION_HANDLE_INVALID);
1495 	}
1496 	if (FuncList.ST_GetSessionInfo) {
1497 		rv = FuncList.ST_GetSessionInfo(rSession, pInfo);
1498 	} else {
1499 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1500 	}
1501 	return (rv);
1502 }
1503 
1504 CK_RV
1505 C_GetSlotInfo(CK_SLOT_ID slotID,
1506 	CK_SLOT_INFO_PTR pInfo)
1507 {
1508 	if (API_Initialized() == FALSE)
1509 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1510 
1511 	if (!pInfo)
1512 		return (CKR_FUNCTION_FAILED);
1513 
1514 	if (!global_shm->token_available || (slotID > NUMBER_SLOTS_MANAGED))
1515 		return (CKR_SLOT_ID_INVALID);
1516 
1517 	copy_slot_info(slotID, pInfo);
1518 	return (CKR_OK);
1519 }
1520 
1521 /*ARGSUSED*/
1522 CK_RV
1523 C_GetSlotList(CK_BBOOL tokenPresent,
1524 	CK_SLOT_ID_PTR pSlotList,
1525 	CK_ULONG_PTR pulCount)
1526 {
1527 	CK_ULONG count;
1528 	CK_SLOT_INFO slotInfo;
1529 
1530 	if (API_Initialized() == FALSE)
1531 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1532 
1533 	if (pulCount == NULL)
1534 		return (CKR_FUNCTION_FAILED);
1535 
1536 	count = 0;
1537 	/*
1538 	 * If we can't talk to the TPM, present no slots
1539 	 */
1540 	if (!global_shm->token_available) {
1541 		*pulCount = 0;
1542 		return (CKR_OK);
1543 	}
1544 
1545 	copy_slot_info(TPM_SLOTID, &slotInfo);
1546 	if ((slotInfo.flags & CKF_TOKEN_PRESENT))
1547 		count++;
1548 
1549 	*pulCount = count;
1550 
1551 	if (pSlotList == NULL) {
1552 		return (CKR_OK);
1553 	} else {
1554 		if (*pulCount < count)
1555 			return (CKR_BUFFER_TOO_SMALL);
1556 		pSlotList[0] = TPM_SLOTID;
1557 	}
1558 	return (CKR_OK);
1559 }
1560 
1561 CK_RV
1562 C_GetTokenInfo(CK_SLOT_ID slotID,
1563 	CK_TOKEN_INFO_PTR pInfo)
1564 {
1565 	CK_RV rv;
1566 
1567 	if (API_Initialized() == FALSE)
1568 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1569 
1570 	if (!pInfo)
1571 		return (CKR_ARGUMENTS_BAD);
1572 
1573 	if (!global_shm->token_available || (slotID > NUMBER_SLOTS_MANAGED))
1574 		return (CKR_SLOT_ID_INVALID);
1575 
1576 	slotID = TPM_SLOTID;
1577 	if (FuncList.ST_GetTokenInfo) {
1578 		rv = FuncList.ST_GetTokenInfo(slotID, pInfo);
1579 	} else {
1580 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1581 	}
1582 	return (rv);
1583 }
1584 
1585 CK_RV
1586 C_Initialize(CK_VOID_PTR pVoid)
1587 {
1588 	CK_RV rv = CKR_OK;
1589 	CK_C_INITIALIZE_ARGS *pArg;
1590 	extern CK_RV ST_Initialize(void *,
1591 	    CK_SLOT_ID, unsigned char *);
1592 
1593 	(void) pthread_mutex_lock(&global_mutex);
1594 	if (! Anchor) {
1595 		Anchor = (API_Proc_Struct_t *)malloc(
1596 		    sizeof (API_Proc_Struct_t));
1597 		if (Anchor == NULL) {
1598 			(void) pthread_mutex_unlock(&global_mutex);
1599 			return (CKR_HOST_MEMORY);
1600 		}
1601 	} else {
1602 		(void) pthread_mutex_unlock(&global_mutex);
1603 		return (CKR_CRYPTOKI_ALREADY_INITIALIZED);
1604 	}
1605 	/*
1606 	 * if pVoid is NULL, then everything is OK.  The applicaiton
1607 	 * will not be doing multi thread accesses.  We can use the OS
1608 	 * locks anyhow.
1609 	 */
1610 	if (pVoid != NULL) {
1611 		int supplied_ok;
1612 		pArg = (CK_C_INITIALIZE_ARGS *)pVoid;
1613 
1614 		/*
1615 		 * ALL supplied function pointers need to have the value
1616 		 * either NULL or no - NULL.
1617 		 */
1618 		supplied_ok = (pArg->CreateMutex == NULL &&
1619 		    pArg->DestroyMutex == NULL &&
1620 		    pArg->LockMutex == NULL &&
1621 		    pArg->UnlockMutex == NULL) ||
1622 		    (pArg->CreateMutex != NULL &&
1623 		    pArg->DestroyMutex != NULL &&
1624 		    pArg->LockMutex != NULL &&
1625 		    pArg->UnlockMutex != NULL);
1626 
1627 		if (!supplied_ok) {
1628 			(void) pthread_mutex_unlock(&global_mutex);
1629 			return (CKR_ARGUMENTS_BAD);
1630 		}
1631 		/* Check for a pReserved set */
1632 		if (pArg->pReserved != NULL) {
1633 			free(Anchor);
1634 			Anchor = NULL;
1635 			(void) pthread_mutex_unlock(&global_mutex);
1636 			return (CKR_ARGUMENTS_BAD);
1637 		}
1638 		/*
1639 		 * When the CKF_OS_LOCKING_OK flag isn't set and mutex
1640 		 * function pointers are supplied by an application,
1641 		 * return (an error.  We must be able to use our own primitives.
1642 		 */
1643 		if (!(pArg->flags & CKF_OS_LOCKING_OK) &&
1644 		    (pArg->CreateMutex != NULL)) {
1645 			(void) pthread_mutex_unlock(&global_mutex);
1646 			return (CKR_CANT_LOCK);
1647 		}
1648 	}
1649 	(void) memset((char *)Anchor, 0, sizeof (API_Proc_Struct_t));
1650 	(void) pthread_mutex_init(&(Anchor->ProcMutex), NULL);
1651 	(void) pthread_mutex_init(&(Anchor->SessListMutex), NULL);
1652 	Anchor->Pid = getpid();
1653 
1654 	rv = ST_Initialize((void *)&FuncList, 0, NULL);
1655 	(void) pthread_mutex_unlock(&global_mutex);
1656 	return (rv);
1657 }
1658 
1659 CK_RV
1660 C_InitPIN(CK_SESSION_HANDLE hSession,
1661 	CK_CHAR_PTR pPin,
1662 	CK_ULONG ulPinLen)
1663 {
1664 	CK_RV rv;
1665 	ST_SESSION_T rSession;
1666 
1667 	if (API_Initialized() == FALSE)
1668 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1669 
1670 	if (! pPin && ulPinLen)
1671 		return (CKR_ARGUMENTS_BAD);
1672 
1673 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession))
1674 		return (CKR_SESSION_HANDLE_INVALID);
1675 
1676 	if (rSession.slotID > NUMBER_SLOTS_MANAGED)
1677 		return (CKR_SLOT_ID_INVALID);
1678 
1679 	if (FuncList.ST_InitPIN)
1680 		rv = FuncList.ST_InitPIN(rSession, pPin, ulPinLen);
1681 	else
1682 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1683 
1684 	return (rv);
1685 }
1686 
1687 CK_RV
1688 C_InitToken(CK_SLOT_ID  slotID,
1689 	CK_CHAR_PTR pPin,
1690 	CK_ULONG    ulPinLen,
1691 	CK_CHAR_PTR pLabel)
1692 {
1693 	CK_RV rv;
1694 
1695 	if (API_Initialized() == FALSE)
1696 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1697 
1698 	if (! pPin && ulPinLen)
1699 		return (CKR_ARGUMENTS_BAD);
1700 
1701 	if (! pLabel)
1702 		return (CKR_ARGUMENTS_BAD);
1703 
1704 	if (!global_shm->token_available)
1705 		return (CKR_SLOT_ID_INVALID);
1706 
1707 	if (FuncList.ST_InitToken)
1708 		rv = FuncList.ST_InitToken(slotID, pPin, ulPinLen, pLabel);
1709 	else
1710 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1711 
1712 	return (rv);
1713 }
1714 
1715 CK_RV
1716 C_Login(CK_SESSION_HANDLE hSession,
1717 	CK_USER_TYPE userType,
1718 	CK_CHAR_PTR pPin,
1719 	CK_ULONG ulPinLen)
1720 {
1721 	CK_RV rv;
1722 	ST_SESSION_T rSession;
1723 
1724 	if (API_Initialized() == FALSE) {
1725 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1726 	}
1727 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1728 		return (CKR_SESSION_HANDLE_INVALID);
1729 	}
1730 	if (FuncList.ST_Login) {
1731 		rv = FuncList.ST_Login(rSession, userType, pPin, ulPinLen);
1732 	} else {
1733 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1734 	}
1735 	return (rv);
1736 }
1737 
1738 CK_RV
1739 C_Logout(CK_SESSION_HANDLE hSession)
1740 {
1741 	CK_RV rv;
1742 	ST_SESSION_T rSession;
1743 
1744 	if (API_Initialized() == FALSE) {
1745 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1746 	}
1747 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1748 		return (CKR_SESSION_HANDLE_INVALID);
1749 	}
1750 	if (FuncList.ST_Logout) {
1751 		rv = FuncList.ST_Logout(rSession);
1752 	} else {
1753 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1754 	}
1755 	return (rv);
1756 }
1757 
1758 /*ARGSUSED*/
1759 CK_RV
1760 C_OpenSession(
1761 	CK_SLOT_ID slotID,
1762 	CK_FLAGS flags,
1763 	CK_VOID_PTR pApplication,
1764 	CK_NOTIFY Notify,
1765 	CK_SESSION_HANDLE_PTR phSession)
1766 {
1767 	CK_RV rv;
1768 	Session_Struct_t  *apiSessp;
1769 
1770 	if (API_Initialized() == FALSE)
1771 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1772 
1773 	if (!global_shm->token_available || (slotID > NUMBER_SLOTS_MANAGED))
1774 		return (CKR_SLOT_ID_INVALID);
1775 
1776 	if (! phSession)
1777 		return (CKR_FUNCTION_FAILED);
1778 
1779 	if ((flags & CKF_SERIAL_SESSION) == 0)
1780 		return (CKR_SESSION_PARALLEL_NOT_SUPPORTED);
1781 
1782 	if ((apiSessp = (Session_Struct_t *)malloc(
1783 	    sizeof (Session_Struct_t))) == NULL)
1784 		return (CKR_HOST_MEMORY);
1785 
1786 	if (FuncList.ST_OpenSession) {
1787 		rv = FuncList.ST_OpenSession(slotID, flags,
1788 		    &(apiSessp->RealHandle));
1789 
1790 		if (rv == CKR_OK) {
1791 			*phSession = (CK_SESSION_HANDLE)apiSessp;
1792 			apiSessp->SltId = slotID;
1793 
1794 			AddToSessionList(apiSessp);
1795 		} else {
1796 			free(apiSessp);
1797 		}
1798 	} else {
1799 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1800 	}
1801 	return (rv);
1802 }
1803 
1804 CK_RV
1805 C_SeedRandom(CK_SESSION_HANDLE hSession,
1806 	CK_BYTE_PTR pSeed,
1807 	CK_ULONG ulSeedLen)
1808 {
1809 	CK_RV rv;
1810 	ST_SESSION_T rSession;
1811 
1812 	if (API_Initialized() == FALSE) {
1813 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1814 	}
1815 	if (! pSeed && ulSeedLen) {
1816 		return (CKR_ARGUMENTS_BAD);
1817 	}
1818 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1819 		return (CKR_SESSION_HANDLE_INVALID);
1820 	}
1821 	if (FuncList.ST_SeedRandom) {
1822 		rv = FuncList.ST_SeedRandom(rSession, pSeed, ulSeedLen);
1823 	} else {
1824 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1825 	}
1826 	return (rv);
1827 }
1828 
1829 CK_RV
1830 C_SetAttributeValue(CK_SESSION_HANDLE hSession,
1831 	CK_OBJECT_HANDLE hObject,
1832 	CK_ATTRIBUTE_PTR pTemplate,
1833 	CK_ULONG ulCount)
1834 {
1835 	CK_RV rv;
1836 	ST_SESSION_T rSession;
1837 
1838 	if (API_Initialized() == FALSE) {
1839 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1840 	}
1841 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1842 		return (CKR_SESSION_HANDLE_INVALID);
1843 	}
1844 	if (! pTemplate) {
1845 		return (CKR_TEMPLATE_INCOMPLETE);
1846 	}
1847 	if (! ulCount) {
1848 		return (CKR_TEMPLATE_INCOMPLETE);
1849 	}
1850 	// Get local pointers to session
1851 	if (FuncList.ST_SetAttributeValue) {
1852 		rv = FuncList.ST_SetAttributeValue(rSession, hObject,
1853 		    pTemplate, ulCount);
1854 	} else {
1855 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1856 	}
1857 	return (rv);
1858 }
1859 
1860 CK_RV
1861 C_SetOperationState(CK_SESSION_HANDLE hSession,
1862 	CK_BYTE_PTR pOperationState,
1863 	CK_ULONG ulOperationStateLen,
1864 	CK_OBJECT_HANDLE hEncryptionKey,
1865 	CK_OBJECT_HANDLE hAuthenticationKey)
1866 {
1867 	CK_RV rv;
1868 	ST_SESSION_T rSession;
1869 
1870 	if (API_Initialized() == FALSE) {
1871 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1872 	}
1873 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1874 		return (CKR_SESSION_HANDLE_INVALID);
1875 	}
1876 	if (! pOperationState || ulOperationStateLen == 0) {
1877 		return (CKR_ARGUMENTS_BAD);
1878 	}
1879 	if (FuncList.ST_SetOperationState) {
1880 		rv = FuncList.ST_SetOperationState(rSession, pOperationState,
1881 		    ulOperationStateLen, hEncryptionKey, hAuthenticationKey);
1882 	} else {
1883 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1884 	}
1885 	return (rv);
1886 }
1887 
1888 CK_RV
1889 C_SetPIN(CK_SESSION_HANDLE hSession,
1890 	CK_CHAR_PTR pOldPin,
1891 	CK_ULONG ulOldLen,
1892 	CK_CHAR_PTR pNewPin,
1893 	CK_ULONG ulNewLen)
1894 {
1895 	CK_RV rv;
1896 	ST_SESSION_T rSession;
1897 
1898 	if (API_Initialized() == FALSE) {
1899 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1900 	}
1901 	if (! pOldPin || ! pNewPin)
1902 		return (CKR_PIN_INVALID);
1903 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1904 		return (CKR_SESSION_HANDLE_INVALID);
1905 	}
1906 	if (FuncList.ST_SetPIN) {
1907 		rv = FuncList.ST_SetPIN(rSession, pOldPin, ulOldLen,
1908 		    pNewPin, ulNewLen);
1909 	} else {
1910 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1911 	}
1912 	return (rv);
1913 }
1914 
1915 CK_RV
1916 C_Sign(CK_SESSION_HANDLE hSession,
1917 	CK_BYTE_PTR pData,
1918 	CK_ULONG ulDataLen,
1919 	CK_BYTE_PTR pSignature,
1920 	CK_ULONG_PTR pulSignatureLen)
1921 {
1922 	CK_RV rv;
1923 	ST_SESSION_T rSession;
1924 
1925 	if (API_Initialized() == FALSE) {
1926 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1927 	}
1928 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1929 		return (CKR_SESSION_HANDLE_INVALID);
1930 	}
1931 	if (FuncList.ST_Sign) {
1932 		rv = FuncList.ST_Sign(rSession, pData, ulDataLen,
1933 		    pSignature, pulSignatureLen);
1934 	} else {
1935 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1936 	}
1937 	return (rv);
1938 }
1939 
1940 CK_RV
1941 C_SignEncryptUpdate(CK_SESSION_HANDLE hSession,
1942 	CK_BYTE_PTR pPart,
1943 	CK_ULONG ulPartLen,
1944 	CK_BYTE_PTR pEncryptedPart,
1945 	CK_ULONG_PTR pulEncryptedPartLen)
1946 {
1947 	CK_RV rv;
1948 	ST_SESSION_T rSession;
1949 	if (API_Initialized() == FALSE) {
1950 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1951 	}
1952 	if (! pPart || ! pulEncryptedPartLen) {
1953 		return (CKR_ARGUMENTS_BAD);
1954 	}
1955 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1956 		return (CKR_SESSION_HANDLE_INVALID);
1957 	}
1958 	if (FuncList.ST_SignEncryptUpdate) {
1959 		rv = FuncList.ST_SignEncryptUpdate(rSession, pPart,
1960 		    ulPartLen, pEncryptedPart, pulEncryptedPartLen);
1961 	} else {
1962 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1963 	}
1964 	return (rv);
1965 }
1966 
1967 CK_RV
1968 C_SignFinal(CK_SESSION_HANDLE hSession,
1969 	CK_BYTE_PTR pSignature,
1970 	CK_ULONG_PTR pulSignatureLen)
1971 {
1972 	CK_RV rv;
1973 	ST_SESSION_T rSession;
1974 
1975 	if (API_Initialized() == FALSE) {
1976 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
1977 	}
1978 	if (! pulSignatureLen) {
1979 		return (CKR_ARGUMENTS_BAD);
1980 	}
1981 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
1982 		return (CKR_SESSION_HANDLE_INVALID);
1983 	}
1984 	if (FuncList.ST_SignFinal) {
1985 		rv = FuncList.ST_SignFinal(rSession, pSignature,
1986 		    pulSignatureLen);
1987 	} else {
1988 		rv = CKR_FUNCTION_NOT_SUPPORTED;
1989 	}
1990 	return (rv);
1991 }
1992 
1993 CK_RV
1994 C_SignInit(CK_SESSION_HANDLE hSession,
1995 	CK_MECHANISM_PTR pMechanism,
1996 	CK_OBJECT_HANDLE hKey)
1997 {
1998 	CK_RV rv;
1999 	ST_SESSION_T rSession;
2000 
2001 	if (API_Initialized() == FALSE) {
2002 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2003 	}
2004 	if (! pMechanism) {
2005 		return (CKR_MECHANISM_INVALID);
2006 	}
2007 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2008 		return (CKR_SESSION_HANDLE_INVALID);
2009 	}
2010 	if (FuncList.ST_SignInit) {
2011 		rv = FuncList.ST_SignInit(rSession, pMechanism, hKey);
2012 	} else {
2013 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2014 	}
2015 	return (rv);
2016 }
2017 
2018 CK_RV
2019 C_SignRecover(CK_SESSION_HANDLE hSession,
2020 	CK_BYTE_PTR pData,
2021 	CK_ULONG ulDataLen,
2022 	CK_BYTE_PTR pSignature,
2023 	CK_ULONG_PTR pulSignatureLen)
2024 {
2025 	CK_RV rv;
2026 	ST_SESSION_T rSession;
2027 
2028 	if (API_Initialized() == FALSE) {
2029 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2030 	}
2031 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2032 		return (CKR_SESSION_HANDLE_INVALID);
2033 	}
2034 	if (FuncList.ST_SignRecover) {
2035 		rv = FuncList.ST_SignRecover(rSession, pData,
2036 		    ulDataLen, pSignature, pulSignatureLen);
2037 	} else {
2038 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2039 	}
2040 	return (rv);
2041 }
2042 
2043 CK_RV
2044 C_SignRecoverInit(CK_SESSION_HANDLE hSession,
2045 	CK_MECHANISM_PTR pMechanism,
2046 	CK_OBJECT_HANDLE hKey)
2047 {
2048 	CK_RV rv;
2049 	ST_SESSION_T rSession;
2050 
2051 	if (API_Initialized() == FALSE) {
2052 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2053 	}
2054 	if (! pMechanism) {
2055 		return (CKR_MECHANISM_INVALID);
2056 	}
2057 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2058 		return (CKR_SESSION_HANDLE_INVALID);
2059 	}
2060 	if (FuncList.ST_SignRecoverInit) {
2061 		rv = FuncList.ST_SignRecoverInit(rSession, pMechanism, hKey);
2062 	} else {
2063 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2064 	}
2065 	return (rv);
2066 }
2067 
2068 CK_RV
2069 C_SignUpdate(CK_SESSION_HANDLE hSession,
2070 	CK_BYTE_PTR pPart,
2071 	CK_ULONG ulPartLen)
2072 {
2073 	CK_RV rv;
2074 	ST_SESSION_T rSession;
2075 
2076 	if (API_Initialized() == FALSE) {
2077 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2078 	}
2079 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2080 		return (CKR_SESSION_HANDLE_INVALID);
2081 	}
2082 	if (FuncList.ST_SignUpdate) {
2083 		rv = FuncList.ST_SignUpdate(rSession, pPart, ulPartLen);
2084 	} else {
2085 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2086 	}
2087 	return (rv);
2088 }
2089 
2090 CK_RV
2091 C_UnwrapKey(CK_SESSION_HANDLE hSession,
2092 	CK_MECHANISM_PTR pMechanism,
2093 	CK_OBJECT_HANDLE hUnwrappingKey,
2094 	CK_BYTE_PTR pWrappedKey,
2095 	CK_ULONG ulWrappedKeyLen,
2096 	CK_ATTRIBUTE_PTR pTemplate,
2097 	CK_ULONG ulAttributeCount,
2098 	CK_OBJECT_HANDLE_PTR phKey)
2099 {
2100 	CK_RV rv;
2101 	ST_SESSION_T rSession;
2102 
2103 	if (API_Initialized() == FALSE) {
2104 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2105 	}
2106 	if (!pMechanism) {
2107 		return (CKR_MECHANISM_INVALID);
2108 	}
2109 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2110 		return (CKR_SESSION_HANDLE_INVALID);
2111 	}
2112 	if (FuncList.ST_UnwrapKey) {
2113 		rv = FuncList.ST_UnwrapKey(rSession, pMechanism,
2114 		    hUnwrappingKey, pWrappedKey, ulWrappedKeyLen,
2115 		    pTemplate, ulAttributeCount, phKey);
2116 	} else {
2117 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2118 	}
2119 	return (rv);
2120 }
2121 
2122 CK_RV
2123 C_Verify(CK_SESSION_HANDLE hSession,
2124 	CK_BYTE_PTR pData,
2125 	CK_ULONG ulDataLen,
2126 	CK_BYTE_PTR pSignature,
2127 	CK_ULONG ulSignatureLen)
2128 {
2129 	CK_RV rv;
2130 	ST_SESSION_T rSession;
2131 
2132 	if (API_Initialized() == FALSE) {
2133 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2134 	}
2135 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2136 		return (CKR_SESSION_HANDLE_INVALID);
2137 	}
2138 	if (FuncList.ST_Verify) {
2139 		rv = FuncList.ST_Verify(rSession, pData, ulDataLen,
2140 		    pSignature, ulSignatureLen);
2141 	} else {
2142 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2143 	}
2144 	return (rv);
2145 }
2146 
2147 CK_RV
2148 C_VerifyFinal(CK_SESSION_HANDLE hSession,
2149 	CK_BYTE_PTR pSignature,
2150 	CK_ULONG ulSignatureLen)
2151 {
2152 	CK_RV rv;
2153 	ST_SESSION_T rSession;
2154 
2155 	if (API_Initialized() == FALSE) {
2156 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2157 	}
2158 	if (! pSignature) {
2159 		return (CKR_ARGUMENTS_BAD);
2160 	}
2161 
2162 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2163 		return (CKR_SESSION_HANDLE_INVALID);
2164 	}
2165 	if (FuncList.ST_VerifyFinal) {
2166 		rv = FuncList.ST_VerifyFinal(rSession, pSignature,
2167 		    ulSignatureLen);
2168 	} else {
2169 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2170 	}
2171 	return (rv);
2172 }
2173 
2174 CK_RV
2175 C_VerifyInit(CK_SESSION_HANDLE hSession,
2176 	CK_MECHANISM_PTR pMechanism,
2177 	CK_OBJECT_HANDLE hKey)
2178 {
2179 	CK_RV rv;
2180 	ST_SESSION_T rSession;
2181 
2182 	if (API_Initialized() == FALSE) {
2183 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2184 	}
2185 	if (! pMechanism) {
2186 		return (CKR_MECHANISM_INVALID);
2187 	}
2188 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2189 		return (CKR_SESSION_HANDLE_INVALID);
2190 	}
2191 
2192 	if (FuncList.ST_VerifyInit) {
2193 		rv = FuncList.ST_VerifyInit(rSession, pMechanism, hKey);
2194 	} else {
2195 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2196 	}
2197 	return (rv);
2198 }
2199 
2200 CK_RV
2201 C_VerifyRecover(CK_SESSION_HANDLE hSession,
2202 	CK_BYTE_PTR pSignature,
2203 	CK_ULONG ulSignatureLen,
2204 	CK_BYTE_PTR pData,
2205 	CK_ULONG_PTR pulDataLen)
2206 {
2207 	CK_RV rv;
2208 	ST_SESSION_T rSession;
2209 
2210 	if (API_Initialized() == FALSE) {
2211 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2212 	}
2213 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2214 		return (CKR_SESSION_HANDLE_INVALID);
2215 	}
2216 	if (FuncList.ST_VerifyRecover) {
2217 		rv = FuncList.ST_VerifyRecover(rSession, pSignature,
2218 		    ulSignatureLen, pData, pulDataLen);
2219 	} else {
2220 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2221 	}
2222 	return (rv);
2223 }
2224 
2225 CK_RV
2226 C_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
2227 	CK_MECHANISM_PTR pMechanism,
2228 	CK_OBJECT_HANDLE hKey)
2229 {
2230 	CK_RV rv;
2231 	ST_SESSION_T rSession;
2232 
2233 	if (API_Initialized() == FALSE) {
2234 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2235 	}
2236 	if (! pMechanism) {
2237 		return (CKR_MECHANISM_INVALID);
2238 	}
2239 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2240 		return (CKR_SESSION_HANDLE_INVALID);
2241 	}
2242 	if (FuncList.ST_VerifyRecoverInit) {
2243 		rv = FuncList.ST_VerifyRecoverInit(rSession, pMechanism, hKey);
2244 	} else {
2245 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2246 	}
2247 	return (rv);
2248 }
2249 
2250 CK_RV
2251 C_VerifyUpdate(CK_SESSION_HANDLE hSession,
2252 	CK_BYTE_PTR pPart,
2253 	CK_ULONG ulPartLen)
2254 {
2255 	CK_RV rv;
2256 	ST_SESSION_T rSession;
2257 
2258 	if (API_Initialized() == FALSE) {
2259 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2260 	}
2261 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2262 		return (CKR_SESSION_HANDLE_INVALID);
2263 	}
2264 	if (FuncList.ST_VerifyUpdate) {
2265 		rv = FuncList.ST_VerifyUpdate(rSession, pPart, ulPartLen);
2266 	} else {
2267 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2268 	}
2269 	return (rv);
2270 }
2271 
2272 /*ARGSUSED*/
2273 CK_RV
2274 C_WaitForSlotEvent(CK_FLAGS flags,
2275 	CK_SLOT_ID_PTR pSlot,
2276 	CK_VOID_PTR pReserved)
2277 {
2278 	if (API_Initialized() == FALSE) {
2279 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2280 	}
2281 	return (CKR_FUNCTION_NOT_SUPPORTED);
2282 }
2283 
2284 CK_RV
2285 C_WrapKey(CK_SESSION_HANDLE hSession,
2286 	CK_MECHANISM_PTR pMechanism,
2287 	CK_OBJECT_HANDLE hWrappingKey,
2288 	CK_OBJECT_HANDLE hKey,
2289 	CK_BYTE_PTR pWrappedKey,
2290 	CK_ULONG_PTR pulWrappedKeyLen)
2291 {
2292 	CK_RV rv;
2293 	ST_SESSION_T rSession;
2294 
2295 	if (API_Initialized() == FALSE) {
2296 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
2297 	}
2298 	if (! pMechanism) {
2299 		return (CKR_MECHANISM_INVALID);
2300 	}
2301 	if (! Valid_Session((Session_Struct_t *)hSession, &rSession)) {
2302 		return (CKR_SESSION_HANDLE_INVALID);
2303 	}
2304 	if (FuncList.ST_WrapKey) {
2305 		rv = FuncList.ST_WrapKey(rSession, pMechanism, hWrappingKey,
2306 		    hKey, pWrappedKey, pulWrappedKeyLen);
2307 	} else {
2308 		rv = CKR_FUNCTION_NOT_SUPPORTED;
2309 	}
2310 	return (rv);
2311 }
2312 
2313 #pragma init(api_init)
2314 #pragma fini(api_fini)
2315 
2316 static void
2317 api_init(void)
2318 {
2319 	loginit();
2320 	if (! Initialized) {
2321 		(void) pthread_atfork(tpmtoken_fork_prepare,
2322 		    tpmtoken_fork_parent, tpmtoken_fork_child);
2323 		Initialized = 1;
2324 	}
2325 }
2326 
2327 static void
2328 api_fini()
2329 {
2330 	logterm();
2331 	if (API_Initialized() == TRUE) {
2332 		(void) do_finalize(NULL);
2333 	}
2334 }
2335