1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 #include <strings.h> 30 #include <cryptoutil.h> 31 #include <security/cryptoki.h> 32 #include <arcfour.h> 33 #include "softGlobal.h" 34 #include "softSession.h" 35 #include <des_impl.h> 36 #include <aes_impl.h> 37 #include <blowfish_impl.h> 38 #include "softDH.h" 39 #include "softObject.h" 40 #include "softKeystore.h" 41 #include "softKeystoreUtil.h" 42 43 44 static CK_MECHANISM_TYPE soft_mechanisms[] = { 45 CKM_DES_CBC, 46 CKM_DES_CBC_PAD, 47 CKM_DES_ECB, 48 CKM_DES_KEY_GEN, 49 CKM_DES_MAC_GENERAL, 50 CKM_DES_MAC, 51 CKM_DES3_CBC, 52 CKM_DES3_CBC_PAD, 53 CKM_DES3_ECB, 54 CKM_DES3_KEY_GEN, 55 CKM_AES_CBC, 56 CKM_AES_CBC_PAD, 57 CKM_AES_ECB, 58 CKM_AES_KEY_GEN, 59 CKM_BLOWFISH_CBC, 60 CKM_BLOWFISH_KEY_GEN, 61 CKM_SHA_1, 62 CKM_SHA_1_HMAC, 63 CKM_SHA_1_HMAC_GENERAL, 64 CKM_SHA256, 65 CKM_SHA256_HMAC, 66 CKM_SHA256_HMAC_GENERAL, 67 CKM_SHA384, 68 CKM_SHA384_HMAC, 69 CKM_SHA384_HMAC_GENERAL, 70 CKM_SHA512, 71 CKM_SHA512_HMAC, 72 CKM_SHA512_HMAC_GENERAL, 73 CKM_SSL3_SHA1_MAC, 74 CKM_MD5, 75 CKM_MD5_HMAC, 76 CKM_MD5_HMAC_GENERAL, 77 CKM_SSL3_MD5_MAC, 78 CKM_RC4, 79 CKM_RC4_KEY_GEN, 80 CKM_DSA, 81 CKM_DSA_SHA1, 82 CKM_DSA_KEY_PAIR_GEN, 83 CKM_RSA_PKCS, 84 CKM_RSA_PKCS_KEY_PAIR_GEN, 85 CKM_RSA_X_509, 86 CKM_MD5_RSA_PKCS, 87 CKM_SHA1_RSA_PKCS, 88 CKM_SHA256_RSA_PKCS, 89 CKM_SHA384_RSA_PKCS, 90 CKM_SHA512_RSA_PKCS, 91 CKM_DH_PKCS_KEY_PAIR_GEN, 92 CKM_DH_PKCS_DERIVE, 93 CKM_MD5_KEY_DERIVATION, 94 CKM_SHA1_KEY_DERIVATION, 95 CKM_SHA256_KEY_DERIVATION, 96 CKM_SHA384_KEY_DERIVATION, 97 CKM_SHA512_KEY_DERIVATION, 98 CKM_PBE_SHA1_RC4_128, 99 CKM_PKCS5_PBKD2, 100 CKM_SSL3_PRE_MASTER_KEY_GEN, 101 CKM_TLS_PRE_MASTER_KEY_GEN, 102 CKM_SSL3_MASTER_KEY_DERIVE, 103 CKM_TLS_MASTER_KEY_DERIVE, 104 CKM_SSL3_MASTER_KEY_DERIVE_DH, 105 CKM_TLS_MASTER_KEY_DERIVE_DH, 106 CKM_SSL3_KEY_AND_MAC_DERIVE, 107 CKM_TLS_KEY_AND_MAC_DERIVE, 108 CKM_TLS_PRF 109 }; 110 111 /* 112 * This is the table of CK_MECHANISM_INFO structs for the supported mechanisms. 113 * The index for this table is the same as the one above for the same 114 * mechanism. 115 * The minimum and maximum sizes of the key for the mechanism can be measured 116 * in bits or in bytes (i.e. mechanism-dependent). This table specifies the 117 * supported range of key sizes in bytes; unless noted as in bits. 118 */ 119 static CK_MECHANISM_INFO soft_mechanism_info[] = { 120 {DES_MINBYTES, DES_MAXBYTES, 121 CKF_ENCRYPT|CKF_DECRYPT| 122 CKF_WRAP|CKF_UNWRAP}, /* CKM_DES_CBC */ 123 {DES_MINBYTES, DES_MAXBYTES, 124 CKF_ENCRYPT|CKF_DECRYPT| 125 CKF_WRAP|CKF_UNWRAP}, /* CKM_DES_CBC_PAD */ 126 {DES_MINBYTES, DES_MAXBYTES, 127 CKF_ENCRYPT|CKF_DECRYPT| 128 CKF_WRAP|CKF_UNWRAP}, /* CKM_DES_ECB */ 129 {DES_MINBYTES, DES_MAXBYTES, 130 CKF_GENERATE}, /* CKM_DES_KEY_GEN */ 131 {DES_MINBYTES, DES_MAXBYTES, 132 CKF_SIGN|CKF_VERIFY}, /* CKM_DES_MAC_GENERAL */ 133 {DES_MINBYTES, DES_MAXBYTES, 134 CKF_SIGN|CKF_VERIFY}, /* CKM_DES_MAC */ 135 /* 136 * Note that DES3 is allowed even if CRYPTO_UNLIMITED is not specified. 137 * This is because 3DES has an exception to the Solaris PAC enforced 138 * no crypto greater than 128 bit in core Solaris rule. 139 * The actual key length of 3DES is 192, but most cryptographers regard 140 * it to be effectively 112. 141 */ 142 {DES3_MINBYTES, DES3_MAXBYTES, 143 CKF_ENCRYPT|CKF_DECRYPT| 144 CKF_WRAP|CKF_UNWRAP}, /* CKM_DES3_CBC */ 145 {DES3_MINBYTES, DES3_MAXBYTES, 146 CKF_ENCRYPT|CKF_DECRYPT| 147 CKF_WRAP|CKF_UNWRAP}, /* CKM_DES3_CBC_PAD */ 148 {DES3_MINBYTES, DES3_MAXBYTES, 149 CKF_ENCRYPT|CKF_DECRYPT| 150 CKF_WRAP|CKF_UNWRAP}, /* CKM_DES3_ECB */ 151 {DES3_MINBYTES, DES3_MAXBYTES, 152 CKF_GENERATE}, /* CKM_DES3_KEY_GEN */ 153 {AES_MINBYTES, AES_MAXBYTES, 154 CKF_ENCRYPT|CKF_DECRYPT| 155 CKF_WRAP|CKF_UNWRAP}, /* CKM_AES_CBC */ 156 {AES_MINBYTES, AES_MAXBYTES, 157 CKF_ENCRYPT|CKF_DECRYPT| 158 CKF_WRAP|CKF_UNWRAP}, /* CKM_AES_CBC_PAD */ 159 {AES_MINBYTES, AES_MAXBYTES, 160 CKF_ENCRYPT|CKF_DECRYPT| 161 CKF_WRAP|CKF_UNWRAP}, /* CKM_AES_ECB */ 162 {AES_MINBYTES, AES_MAXBYTES, 163 CKF_GENERATE}, /* CKM_AES_KEY_GEN */ 164 {BLOWFISH_MINBYTES, BLOWFISH_MAXBYTES, 165 CKF_ENCRYPT|CKF_DECRYPT| 166 CKF_WRAP|CKF_UNWRAP}, /* CKM_BLOWFISH_ECB */ 167 {BLOWFISH_MINBYTES, BLOWFISH_MAXBYTES, 168 CKF_GENERATE}, /* CKM_BLOWFISH_KEY_GEN */ 169 {0, 0, CKF_DIGEST}, /* CKM_SHA_1 */ 170 {1, 64, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA_1_HMAC */ 171 {1, 64, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA_1_HMAC_GENERAL */ 172 {0, 0, CKF_DIGEST}, /* CKM_SHA256 */ 173 {1, 64, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA256_HMAC */ 174 {1, 64, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA256_HMAC_GENERAL */ 175 {0, 0, CKF_DIGEST}, /* CKM_SHA384 */ 176 {1, 128, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA384_HMAC */ 177 {1, 128, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA384_HMAC_GENERAL */ 178 {0, 0, CKF_DIGEST}, /* CKM_SHA512 */ 179 {1, 128, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA512_HMAC */ 180 {1, 128, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA512_HMAC_GENERAL */ 181 {1, 512, CKF_SIGN|CKF_VERIFY}, /* CKM_SSL3_SHA1_MAC */ 182 {0, 0, CKF_DIGEST}, /* CKM_MD5 */ 183 {1, 64, CKF_SIGN|CKF_VERIFY}, /* CKM_MD5_HMAC */ 184 {1, 64, CKF_SIGN|CKF_VERIFY}, /* CKM_MD5_HMAC_GENERAL */ 185 {1, 512, CKF_SIGN|CKF_VERIFY}, /* CKM_SSL3_MD5_MAC */ 186 {8, ARCFOUR_MAX_KEY_BITS, CKF_ENCRYPT|CKF_DECRYPT}, /* CKM_RC4; */ 187 /* in bits */ 188 {8, ARCFOUR_MAX_KEY_BITS, CKF_GENERATE }, /* CKM_RC4_KEY_GEN; in bits */ 189 {512, 1024, CKF_SIGN|CKF_VERIFY}, /* CKM_DSA; in bits */ 190 {512, 1024, CKF_SIGN|CKF_VERIFY}, /* CKM_DSA_SHA1; in bits */ 191 {512, 1024, CKF_GENERATE_KEY_PAIR}, /* CKM_DSA_KEY_PAIR_GEN; */ 192 /* in bits */ 193 {256, 4096, CKF_ENCRYPT|CKF_DECRYPT| 194 CKF_SIGN|CKF_SIGN_RECOVER| 195 CKF_WRAP|CKF_UNWRAP| 196 CKF_VERIFY|CKF_VERIFY_RECOVER}, /* CKM_RSA_PKCS; in bits */ 197 {256, 4096, CKF_GENERATE_KEY_PAIR}, /* CKM_RSA_PKCS_KEY_PAIR_GEN; */ 198 /* in bits */ 199 {256, 4096, CKF_ENCRYPT|CKF_DECRYPT| 200 CKF_SIGN|CKF_SIGN_RECOVER| 201 CKF_WRAP|CKF_UNWRAP| 202 CKF_VERIFY|CKF_VERIFY_RECOVER}, /* CKM_RSA_X_509 in bits */ 203 {256, 4096, CKF_SIGN|CKF_VERIFY}, /* CKM_MD5_RSA_PKCS in bits */ 204 {256, 4096, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA1_RSA_PKCS in bits */ 205 {256, 4096, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA256_RSA_PKCS in bits */ 206 {256, 4096, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA384_RSA_PKCS in bits */ 207 {256, 4096, CKF_SIGN|CKF_VERIFY}, /* CKM_SHA512_RSA_PKCS in bits */ 208 {MIN_DH_KEYLENGTH, MAX_DH_KEYLENGTH, CKF_GENERATE_KEY_PAIR}, 209 /* CKM_DH_PKCS_KEY_PAIR_GEN */ 210 /* in bits */ 211 {MIN_DH_KEYLENGTH, MAX_DH_KEYLENGTH, CKF_DERIVE}, 212 /* CKM_DH_PKCS_DERIVE; */ 213 /* in bits */ 214 {1, 16, CKF_DERIVE}, /* CKM_MD5_KEY_DERIVATION */ 215 {1, 20, CKF_DERIVE}, /* CKM_SHA1_KEY_DERIVATION */ 216 {1, 32, CKF_DERIVE}, /* CKM_SHA256_KEY_DERIVATION */ 217 {1, 48, CKF_DERIVE}, /* CKM_SHA384_KEY_DERIVATION */ 218 {1, 64, CKF_DERIVE}, /* CKM_SHA512_KEY_DERIVATION */ 219 {0, 0, CKF_GENERATE}, /* CKM_PBE_SHA1_RC4_128 */ 220 {0, 0, CKF_GENERATE}, /* CKM_PKCS5_PBKD2 */ 221 {48, 48, CKF_GENERATE}, /* CKM_SSL3_PRE_MASTER_KEY_GEN */ 222 {48, 48, CKF_GENERATE}, /* CKM_TLS_PRE_MASTER_KEY_GEN */ 223 {48, 48, CKF_DERIVE}, /* CKM_SSL3_MASTER_KEY_DERIVE */ 224 {48, 48, CKF_DERIVE}, /* CKM_TLS_MASTER_KEY_DERIVE */ 225 {48, 48, CKF_DERIVE}, /* CKM_SSL3_MASTER_KEY_DERIVE_DH */ 226 {48, 48, CKF_DERIVE}, /* CKM_TLS_MASTER_KEY_DERIVE_DH */ 227 {0, 0, CKF_DERIVE}, /* CKM_SSL3_KEY_AND_MAC_DERIVE */ 228 {0, 0, CKF_DERIVE}, /* CKM_TLS_KEY_AND_MAC_DERIVE */ 229 {0, 0, CKF_DERIVE} /* CKM_TLS_PRF */ 230 }; 231 232 /* 233 * Slot ID for softtoken is always 1. tokenPresent is ignored. 234 * Also, only one slot is used. 235 */ 236 /*ARGSUSED*/ 237 CK_RV 238 C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, 239 CK_ULONG_PTR pulCount) 240 { 241 242 CK_RV rv; 243 244 if (!softtoken_initialized) 245 return (CKR_CRYPTOKI_NOT_INITIALIZED); 246 247 if (pulCount == NULL) { 248 return (CKR_ARGUMENTS_BAD); 249 } 250 251 if (pSlotList == NULL) { 252 /* 253 * Application only wants to know the number of slots. 254 */ 255 *pulCount = 1; 256 return (CKR_OK); 257 } 258 259 if ((*pulCount < 1) && (pSlotList != NULL)) { 260 rv = CKR_BUFFER_TOO_SMALL; 261 } else { 262 pSlotList[0] = SOFTTOKEN_SLOTID; 263 rv = CKR_OK; 264 } 265 266 *pulCount = 1; 267 return (rv); 268 } 269 270 271 CK_RV 272 C_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) 273 { 274 275 if (!softtoken_initialized) 276 return (CKR_CRYPTOKI_NOT_INITIALIZED); 277 278 if (pInfo == NULL) 279 return (CKR_ARGUMENTS_BAD); 280 281 /* Make sure the slot ID is valid */ 282 if (slotID != SOFTTOKEN_SLOTID) 283 return (CKR_SLOT_ID_INVALID); 284 285 /* Provide information about the slot in the provided buffer */ 286 (void) strncpy((char *)pInfo->slotDescription, SOFT_SLOT_DESCRIPTION, 287 64); 288 (void) strncpy((char *)pInfo->manufacturerID, SOFT_MANUFACTURER_ID, 32); 289 pInfo->flags = 0; 290 if (soft_token_present) { 291 pInfo->flags |= CKF_TOKEN_PRESENT; 292 } 293 pInfo->hardwareVersion.major = HARDWARE_VERSION_MAJOR; 294 pInfo->hardwareVersion.minor = HARDWARE_VERSION_MINOR; 295 pInfo->firmwareVersion.major = FIRMWARE_VERSION_MAJOR; 296 pInfo->firmwareVersion.minor = FIRMWARE_VERSION_MINOR; 297 298 return (CKR_OK); 299 } 300 301 302 CK_RV 303 C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) 304 { 305 306 ulong_t token_flag = 0; 307 boolean_t pin_initialized = B_FALSE; 308 char *ks_cryptpin = NULL; 309 CK_RV rv = CKR_OK; 310 311 if (!softtoken_initialized) 312 return (CKR_CRYPTOKI_NOT_INITIALIZED); 313 314 /* Make sure the slot ID is valid */ 315 if (slotID != SOFTTOKEN_SLOTID) 316 return (CKR_SLOT_ID_INVALID); 317 318 if (pInfo == NULL) 319 return (CKR_ARGUMENTS_BAD); 320 321 if (!soft_token_present) 322 return (CKR_DEVICE_REMOVED); 323 324 /* Provide information about a token in the provided buffer */ 325 (void) strncpy((char *)pInfo->label, SOFT_TOKEN_LABEL, 32); 326 (void) strncpy((char *)pInfo->manufacturerID, SOFT_MANUFACTURER_ID, 32); 327 (void) strncpy((char *)pInfo->model, TOKEN_MODEL, 16); 328 (void) strncpy((char *)pInfo->serialNumber, SOFT_TOKEN_SERIAL, 16); 329 330 rv = soft_keystore_pin_initialized(&pin_initialized, &ks_cryptpin, 331 B_FALSE); 332 if (rv != CKR_OK) 333 return (rv); 334 if (!pin_initialized) 335 token_flag = CKF_USER_PIN_TO_BE_CHANGED; 336 if (ks_cryptpin) 337 free(ks_cryptpin); 338 339 pInfo->flags = SOFT_TOKEN_FLAGS | token_flag; 340 pInfo->ulMaxSessionCount = CK_EFFECTIVELY_INFINITE; 341 pInfo->ulSessionCount = soft_session_cnt; 342 pInfo->ulMaxRwSessionCount = CK_EFFECTIVELY_INFINITE; 343 pInfo->ulRwSessionCount = soft_session_rw_cnt; 344 pInfo->ulMaxPinLen = MAX_PIN_LEN; 345 pInfo->ulMinPinLen = MIN_PIN_LEN; 346 pInfo->ulTotalPublicMemory = CK_UNAVAILABLE_INFORMATION; 347 pInfo->ulFreePublicMemory = CK_UNAVAILABLE_INFORMATION; 348 pInfo->ulTotalPrivateMemory = CK_UNAVAILABLE_INFORMATION; 349 pInfo->ulFreePrivateMemory = CK_UNAVAILABLE_INFORMATION; 350 pInfo->hardwareVersion.major = HARDWARE_VERSION_MAJOR; 351 pInfo->hardwareVersion.minor = HARDWARE_VERSION_MINOR; 352 pInfo->firmwareVersion.major = FIRMWARE_VERSION_MAJOR; 353 pInfo->firmwareVersion.minor = FIRMWARE_VERSION_MINOR; 354 (void) memset(pInfo->utcTime, ' ', 16); 355 356 return (CKR_OK); 357 } 358 359 /*ARGSUSED*/ 360 CK_RV 361 C_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved) 362 { 363 if (!softtoken_initialized) 364 return (CKR_CRYPTOKI_NOT_INITIALIZED); 365 366 /* 367 * This is currently not implemented, however we could cause this 368 * to wait for the token files to appear if soft_token_present is 369 * false. 370 * However there is currently no polite and portable way to do that 371 * because we might not even be able to get to an fd to the 372 * parent directory, so instead we don't support any slot events. 373 */ 374 return (CKR_FUNCTION_NOT_SUPPORTED); 375 } 376 377 378 CK_RV 379 C_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, 380 CK_ULONG_PTR pulCount) 381 { 382 383 ulong_t i; 384 ulong_t mechnum; 385 386 if (!softtoken_initialized) 387 return (CKR_CRYPTOKI_NOT_INITIALIZED); 388 389 if (slotID != SOFTTOKEN_SLOTID) 390 return (CKR_SLOT_ID_INVALID); 391 392 mechnum = sizeof (soft_mechanisms) / sizeof (CK_MECHANISM_TYPE); 393 394 if (pMechanismList == NULL) { 395 /* 396 * Application only wants to know the number of 397 * supported mechanism types. 398 */ 399 *pulCount = mechnum; 400 return (CKR_OK); 401 } 402 403 if (*pulCount < mechnum) { 404 *pulCount = mechnum; 405 return (CKR_BUFFER_TOO_SMALL); 406 } 407 408 for (i = 0; i < mechnum; i++) { 409 pMechanismList[i] = soft_mechanisms[i]; 410 } 411 412 *pulCount = mechnum; 413 414 return (CKR_OK); 415 } 416 417 418 CK_RV 419 C_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, 420 CK_MECHANISM_INFO_PTR pInfo) 421 { 422 423 ulong_t i; 424 ulong_t mechnum; 425 426 if (!softtoken_initialized) 427 return (CKR_CRYPTOKI_NOT_INITIALIZED); 428 429 if (slotID != SOFTTOKEN_SLOTID) 430 return (CKR_SLOT_ID_INVALID); 431 432 if (pInfo == NULL) { 433 return (CKR_ARGUMENTS_BAD); 434 } 435 436 mechnum = sizeof (soft_mechanisms) / sizeof (CK_MECHANISM_TYPE); 437 for (i = 0; i < mechnum; i++) { 438 if (soft_mechanisms[i] == type) 439 break; 440 } 441 442 if (i == mechnum) 443 /* unsupported mechanism */ 444 return (CKR_MECHANISM_INVALID); 445 446 pInfo->ulMinKeySize = soft_mechanism_info[i].ulMinKeySize; 447 pInfo->ulMaxKeySize = soft_mechanism_info[i].ulMaxKeySize; 448 pInfo->flags = soft_mechanism_info[i].flags; 449 450 return (CKR_OK); 451 } 452 453 454 /*ARGSUSED*/ 455 CK_RV 456 C_InitToken(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, 457 CK_UTF8CHAR_PTR pLabel) 458 { 459 if (!softtoken_initialized) 460 return (CKR_CRYPTOKI_NOT_INITIALIZED); 461 462 return (CKR_FUNCTION_NOT_SUPPORTED); 463 } 464 465 /*ARGSUSED*/ 466 CK_RV 467 C_InitPIN(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) 468 { 469 if (!softtoken_initialized) 470 return (CKR_CRYPTOKI_NOT_INITIALIZED); 471 472 return (CKR_FUNCTION_NOT_SUPPORTED); 473 } 474 475 476 CK_RV 477 C_SetPIN(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pOldPin, 478 CK_ULONG ulOldPinLen, CK_UTF8CHAR_PTR pNewPin, CK_ULONG ulNewPinLen) 479 { 480 481 soft_session_t *session_p; 482 CK_RV rv; 483 boolean_t lock_held = B_FALSE; 484 485 if (!softtoken_initialized) 486 return (CKR_CRYPTOKI_NOT_INITIALIZED); 487 488 /* 489 * Obtain the session pointer. Also, increment the session 490 * reference count. 491 */ 492 rv = handle2session(hSession, &session_p); 493 if (rv != CKR_OK) 494 return (rv); 495 496 if (!soft_token_present) { 497 SES_REFRELE(session_p, lock_held); 498 return (CKR_DEVICE_REMOVED); 499 } 500 501 if ((ulOldPinLen < MIN_PIN_LEN) || (ulOldPinLen > MAX_PIN_LEN) || 502 (ulNewPinLen < MIN_PIN_LEN) ||(ulNewPinLen > MAX_PIN_LEN)) { 503 SES_REFRELE(session_p, lock_held); 504 return (CKR_PIN_LEN_RANGE); 505 } 506 507 if ((pOldPin == NULL_PTR) || (pNewPin == NULL_PTR)) { 508 /* 509 * We don't support CKF_PROTECTED_AUTHENTICATION_PATH 510 */ 511 SES_REFRELE(session_p, lock_held); 512 return (CKR_ARGUMENTS_BAD); 513 } 514 515 /* check the state of the session */ 516 if ((session_p->state != CKS_RW_PUBLIC_SESSION) && 517 (session_p->state != CKS_RW_USER_FUNCTIONS)) { 518 SES_REFRELE(session_p, lock_held); 519 return (CKR_SESSION_READ_ONLY); 520 } 521 522 rv = soft_setpin(pOldPin, ulOldPinLen, pNewPin, ulNewPinLen); 523 524 SES_REFRELE(session_p, lock_held); 525 return (rv); 526 } 527