1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <security/cryptoki.h>
28 #include "pkcs11Global.h"
29 #include "pkcs11Conf.h"
30 #include "pkcs11Session.h"
31 #include "pkcs11Slot.h"
32 
33 /*
34  * C_VerifyInit will verify that the session handle is valid within the
35  * framework, that the mechanism is not disabled for the slot
36  * associated with this session, and then redirect to the underlying
37  * provider.  Policy is only checked for C_VerifyInit, since it is
38  * required to be called before C_Verify and C_VerifyUpdate.
39  */
40 CK_RV
C_VerifyInit(CK_SESSION_HANDLE hSession,CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)41 C_VerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
42     CK_OBJECT_HANDLE hKey)
43 {
44 	CK_RV rv;
45 	pkcs11_session_t *sessp;
46 	CK_SLOT_ID slotid;
47 
48 	/* Check for a fastpath */
49 	if (purefastpath || policyfastpath) {
50 		if (policyfastpath &&
51 		    pkcs11_is_dismech(fast_slot, pMechanism->mechanism)) {
52 			return (CKR_MECHANISM_INVALID);
53 		}
54 		return (fast_funcs->C_VerifyInit(hSession, pMechanism, hKey));
55 	}
56 
57 	if (!pkcs11_initialized) {
58 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
59 	}
60 
61 	/* Obtain the session pointer */
62 	HANDLE2SESSION(hSession, sessp, rv);
63 
64 	if (rv != CKR_OK) {
65 		return (rv);
66 	}
67 
68 	slotid = sessp->se_slotid;
69 
70 	/* Make sure this is not a disabled mechanism */
71 	if (pkcs11_is_dismech(slotid, pMechanism->mechanism)) {
72 		return (CKR_MECHANISM_INVALID);
73 	}
74 
75 	/* Initialize the digest with the underlying provider */
76 	rv = FUNCLIST(slotid)->C_VerifyInit(sessp->se_handle,
77 	    pMechanism, hKey);
78 
79 	/* Present consistent interface to the application */
80 	if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
81 		return (CKR_FUNCTION_FAILED);
82 	}
83 
84 	return (rv);
85 
86 }
87 
88 /*
89  * C_Verify is a pure wrapper to the underlying provider.
90  * The only argument checked is whether or not hSession is valid.
91  */
92 CK_RV
C_Verify(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pData,CK_ULONG ulDataLen,CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen)93 C_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
94     CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
95 {
96 	CK_RV rv;
97 	pkcs11_session_t *sessp;
98 
99 	/* Check for a fastpath */
100 	if (purefastpath || policyfastpath) {
101 		return (fast_funcs->C_Verify(hSession, pData, ulDataLen,
102 			    pSignature, ulSignatureLen));
103 	}
104 
105 	if (!pkcs11_initialized) {
106 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
107 	}
108 
109 	/* Obtain the session pointer */
110 	HANDLE2SESSION(hSession, sessp, rv);
111 
112 	if (rv != CKR_OK) {
113 		return (rv);
114 	}
115 
116 	/* Pass data to the provider */
117 	rv = FUNCLIST(sessp->se_slotid)->C_Verify(sessp->se_handle, pData,
118 	    ulDataLen, pSignature, ulSignatureLen);
119 
120 	/* Present consistent interface to the application */
121 	if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
122 		return (CKR_FUNCTION_FAILED);
123 	}
124 
125 	return (rv);
126 
127 }
128 
129 /*
130  * C_VerifyUpdate is a pure wrapper to the underlying provider.
131  * The only argument checked is whether or not hSession is valid.
132  */
133 CK_RV
C_VerifyUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,CK_ULONG ulPartLen)134 C_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
135     CK_ULONG ulPartLen)
136 {
137 	CK_RV rv;
138 	pkcs11_session_t *sessp;
139 
140 	/* Check for a fastpath */
141 	if (purefastpath || policyfastpath) {
142 		return (fast_funcs->C_VerifyUpdate(hSession, pPart,
143 			    ulPartLen));
144 	}
145 
146 	if (!pkcs11_initialized) {
147 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
148 	}
149 
150 	/* Obtain the session pointer */
151 	HANDLE2SESSION(hSession, sessp, rv);
152 
153 	if (rv != CKR_OK) {
154 		return (rv);
155 	}
156 
157 	/* Pass data to the provider */
158 	rv = FUNCLIST(sessp->se_slotid)->C_VerifyUpdate(sessp->se_handle,
159 	    pPart, ulPartLen);
160 
161 	/* Present consistent interface to the application */
162 	if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
163 		return (CKR_FUNCTION_FAILED);
164 	}
165 
166 	return (rv);
167 }
168 
169 /*
170  * C_VerifyFinal is a pure wrapper to the underlying provider.
171  * The only argument checked is whether or not hSession is valid.
172  */
173 CK_RV
C_VerifyFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen)174 C_VerifyFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
175     CK_ULONG ulSignatureLen)
176 {
177 	CK_RV rv;
178 	pkcs11_session_t *sessp;
179 
180 	/* Check for a fastpath */
181 	if (purefastpath || policyfastpath) {
182 		return (fast_funcs->C_VerifyFinal(hSession, pSignature,
183 			    ulSignatureLen));
184 	}
185 	if (!pkcs11_initialized) {
186 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
187 	}
188 
189 	/* Obtain the session pointer */
190 	HANDLE2SESSION(hSession, sessp, rv);
191 
192 	if (rv != CKR_OK) {
193 		return (rv);
194 	}
195 
196 	/* Pass data to the provider */
197 	rv = FUNCLIST(sessp->se_slotid)->C_VerifyFinal(sessp->se_handle,
198 	    pSignature, ulSignatureLen);
199 
200 	/* Present consistent interface to the application */
201 	if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
202 		return (CKR_FUNCTION_FAILED);
203 	}
204 
205 	return (rv);
206 
207 }
208 
209 /*
210  * C_VerifyRecoverInit will verify that the session handle is valid within
211  * the framework, that the mechanism is not disabled for the slot
212  * associated with this session, and then redirect to the underlying
213  * provider.  Policy is only checked for C_VerifyRecoverInit, since it is
214  * required to be called before C_VerifyRecover.
215  */
216 CK_RV
C_VerifyRecoverInit(CK_SESSION_HANDLE hSession,CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)217 C_VerifyRecoverInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
218     CK_OBJECT_HANDLE hKey)
219 {
220 	CK_RV rv;
221 	pkcs11_session_t *sessp;
222 	CK_SLOT_ID slotid;
223 
224 	/* Check for a fastpath */
225 	if (purefastpath || policyfastpath) {
226 		if (policyfastpath &&
227 		    pkcs11_is_dismech(fast_slot, pMechanism->mechanism)) {
228 			return (CKR_MECHANISM_INVALID);
229 		}
230 		return (fast_funcs->C_VerifyRecoverInit(hSession, pMechanism,
231 			    hKey));
232 	}
233 
234 	if (!pkcs11_initialized) {
235 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
236 	}
237 
238 	/* Obtain the session pointer */
239 	HANDLE2SESSION(hSession, sessp, rv);
240 
241 	if (rv != CKR_OK) {
242 		return (rv);
243 	}
244 
245 	slotid = sessp->se_slotid;
246 
247 	/* Make sure this is not a disabled mechanism */
248 	if (pkcs11_is_dismech(slotid, pMechanism->mechanism)) {
249 		return (CKR_MECHANISM_INVALID);
250 	}
251 
252 	/* Initialize the digest with the underlying provider */
253 	rv = FUNCLIST(slotid)->C_VerifyRecoverInit(sessp->se_handle,
254 	    pMechanism, hKey);
255 
256 	/* Present consistent interface to the application */
257 	if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
258 		return (CKR_FUNCTION_FAILED);
259 	}
260 
261 	return (rv);
262 
263 
264 }
265 
266 /*
267  * C_VerifyRecover is a pure wrapper to the underlying provider.
268  * The only argument checked is whether or not hSession is valid.
269  */
270 CK_RV
C_VerifyRecover(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,CK_ULONG ulSignatureLen,CK_BYTE_PTR pData,CK_ULONG_PTR pulDataLen)271 C_VerifyRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
272     CK_ULONG ulSignatureLen, CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
273 {
274 	CK_RV rv;
275 	pkcs11_session_t *sessp;
276 
277 	/* Check for a fastpath */
278 	if (purefastpath || policyfastpath) {
279 		return (fast_funcs->C_VerifyRecover(hSession, pSignature,
280 			    ulSignatureLen, pData, pulDataLen));
281 	}
282 
283 	if (!pkcs11_initialized) {
284 		return (CKR_CRYPTOKI_NOT_INITIALIZED);
285 	}
286 
287 	/* Obtain the session pointer */
288 	HANDLE2SESSION(hSession, sessp, rv);
289 
290 	if (rv != CKR_OK) {
291 		return (rv);
292 	}
293 
294 	/* Pass data to the provider */
295 	rv = FUNCLIST(sessp->se_slotid)->C_VerifyRecover(sessp->se_handle,
296 	    pSignature, ulSignatureLen, pData, pulDataLen);
297 
298 	/* Present consistent interface to the application */
299 	if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
300 		return (CKR_FUNCTION_FAILED);
301 	}
302 
303 	return (rv);
304 }
305