1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 #include <pthread.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <strings.h>
30 #include <sys/types.h>
31 #include <security/cryptoki.h>
32 #include <modes/modes.h>
33 #include <arcfour.h>
34 #include "softSession.h"
35 #include "softObject.h"
36 #include "softOps.h"
37 #include "softCrypt.h"
38 #include "softRSA.h"
39 
40 /*
41  * Remove padding bytes.
42  */
43 CK_RV
44 soft_remove_pkcs7_padding(CK_BYTE *pData, CK_ULONG padded_len,
45     CK_ULONG *pulDataLen)
46 {
47 	CK_RV	rv;
48 
49 #ifdef	__sparcv9
50 	if ((rv = pkcs7_decode(pData, (&padded_len))) != CKR_OK)
51 #else	/* !__sparcv9 */
52 	if ((rv = pkcs7_decode(pData, (size_t *)(&padded_len))) != CKR_OK)
53 #endif	/* __sparcv9 */
54 		return (rv);
55 
56 	*pulDataLen = padded_len;
57 	return (CKR_OK);
58 }
59 
60 
61 /*
62  * soft_decrypt_init()
63  *
64  * Arguments:
65  *	session_p:	pointer to soft_session_t struct
66  *	pMechanism:	pointer to CK_MECHANISM struct provided by application
67  *	key_p:		pointer to key soft_object_t struct
68  *
69  * Description:
70  *	called by C_DecryptInit(). This function calls the corresponding
71  *	decrypt init routine based on the mechanism.
72  *
73  * Returns:
74  *	CKR_OK: success
75  *	CKR_HOST_MEMORY: run out of system memory
76  *	CKR_MECHANISM_PARAM_INVALID: invalid parameters in mechanism
77  *	CKR_MECHANISM_INVALID: invalid mechanism type
78  *	CKR_KEY_TYPE_INCONSISTENT: incorrect type of key to use
79  *				   with the specified mechanism
80  */
81 CK_RV
82 soft_decrypt_init(soft_session_t *session_p, CK_MECHANISM_PTR pMechanism,
83     soft_object_t *key_p)
84 {
85 
86 	CK_RV rv;
87 
88 	switch (pMechanism->mechanism) {
89 
90 	case CKM_DES_ECB:
91 
92 		if (key_p->key_type != CKK_DES) {
93 			return (CKR_KEY_TYPE_INCONSISTENT);
94 		}
95 
96 		goto ecb_common;
97 
98 	case CKM_DES3_ECB:
99 
100 		if ((key_p->key_type != CKK_DES2) &&
101 		    (key_p->key_type != CKK_DES3)) {
102 			return (CKR_KEY_TYPE_INCONSISTENT);
103 		}
104 
105 ecb_common:
106 
107 		return (soft_des_crypt_init_common(session_p, pMechanism,
108 		    key_p, B_FALSE));
109 
110 	case CKM_DES_CBC:
111 	case CKM_DES_CBC_PAD:
112 
113 		if (key_p->key_type != CKK_DES) {
114 			return (CKR_KEY_TYPE_INCONSISTENT);
115 		}
116 
117 		goto cbc_common;
118 
119 	case CKM_DES3_CBC:
120 	case CKM_DES3_CBC_PAD:
121 	{
122 		soft_des_ctx_t *soft_des_ctx;
123 
124 		if ((key_p->key_type != CKK_DES2) &&
125 		    (key_p->key_type != CKK_DES3)) {
126 			return (CKR_KEY_TYPE_INCONSISTENT);
127 		}
128 
129 cbc_common:
130 		if ((pMechanism->pParameter == NULL) ||
131 		    (pMechanism->ulParameterLen != DES_BLOCK_LEN)) {
132 			return (CKR_MECHANISM_PARAM_INVALID);
133 		}
134 
135 		rv = soft_des_crypt_init_common(session_p, pMechanism,
136 		    key_p, B_FALSE);
137 
138 		if (rv != CKR_OK)
139 			return (rv);
140 
141 		(void) pthread_mutex_lock(&session_p->session_mutex);
142 
143 		soft_des_ctx = (soft_des_ctx_t *)session_p->decrypt.context;
144 		/* Save Initialization Vector (IV) in the context. */
145 		(void) memcpy(soft_des_ctx->ivec, pMechanism->pParameter,
146 		    DES_BLOCK_LEN);
147 
148 		/* Allocate a context for DES cipher-block chaining. */
149 		soft_des_ctx->des_cbc = (void *)des_cbc_ctx_init(
150 		    soft_des_ctx->key_sched, soft_des_ctx->keysched_len,
151 		    soft_des_ctx->ivec, key_p->key_type);
152 
153 		if (soft_des_ctx->des_cbc == NULL) {
154 			bzero(soft_des_ctx->key_sched,
155 			    soft_des_ctx->keysched_len);
156 			free(soft_des_ctx->key_sched);
157 			free(session_p->decrypt.context);
158 			session_p->decrypt.context = NULL;
159 			(void) pthread_mutex_unlock(&session_p->session_mutex);
160 			return (CKR_HOST_MEMORY);
161 		}
162 
163 		(void) pthread_mutex_unlock(&session_p->session_mutex);
164 
165 		return (rv);
166 	}
167 	case CKM_AES_ECB:
168 
169 		if (key_p->key_type != CKK_AES) {
170 			return (CKR_KEY_TYPE_INCONSISTENT);
171 		}
172 
173 		return (soft_aes_crypt_init_common(session_p, pMechanism,
174 		    key_p, B_FALSE));
175 
176 	case CKM_AES_CBC:
177 	case CKM_AES_CBC_PAD:
178 	{
179 		soft_aes_ctx_t *soft_aes_ctx;
180 
181 		if (key_p->key_type != CKK_AES) {
182 			return (CKR_KEY_TYPE_INCONSISTENT);
183 		}
184 
185 		if ((pMechanism->pParameter == NULL) ||
186 		    (pMechanism->ulParameterLen != AES_BLOCK_LEN)) {
187 			return (CKR_MECHANISM_PARAM_INVALID);
188 		}
189 
190 		rv = soft_aes_crypt_init_common(session_p, pMechanism,
191 		    key_p, B_FALSE);
192 
193 		if (rv != CKR_OK)
194 			return (rv);
195 
196 		(void) pthread_mutex_lock(&session_p->session_mutex);
197 
198 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->decrypt.context;
199 
200 		/* Save Initialization Vector (IV) in the context. */
201 		(void) memcpy(soft_aes_ctx->ivec, pMechanism->pParameter,
202 		    AES_BLOCK_LEN);
203 
204 		/* Allocate a context for AES cipher-block chaining. */
205 		soft_aes_ctx->aes_cbc = (void *)aes_cbc_ctx_init(
206 		    soft_aes_ctx->key_sched, soft_aes_ctx->keysched_len,
207 		    soft_aes_ctx->ivec);
208 
209 		if (soft_aes_ctx->aes_cbc == NULL) {
210 			bzero(soft_aes_ctx->key_sched,
211 			    soft_aes_ctx->keysched_len);
212 			free(soft_aes_ctx->key_sched);
213 			free(session_p->decrypt.context);
214 			session_p->decrypt.context = NULL;
215 			(void) pthread_mutex_unlock(&session_p->session_mutex);
216 			return (CKR_HOST_MEMORY);
217 		}
218 
219 		(void) pthread_mutex_unlock(&session_p->session_mutex);
220 
221 		return (rv);
222 	}
223 	case CKM_AES_CTR:
224 	{
225 		soft_aes_ctx_t *soft_aes_ctx;
226 
227 		if (key_p->key_type != CKK_AES) {
228 			return (CKR_KEY_TYPE_INCONSISTENT);
229 		}
230 
231 		if (pMechanism->pParameter == NULL ||
232 		    pMechanism->ulParameterLen != sizeof (CK_AES_CTR_PARAMS)) {
233 			return (CKR_MECHANISM_PARAM_INVALID);
234 		}
235 
236 		rv = soft_aes_crypt_init_common(session_p, pMechanism,
237 		    key_p, B_FALSE);
238 
239 		if (rv != CKR_OK)
240 			return (rv);
241 
242 		(void) pthread_mutex_lock(&session_p->session_mutex);
243 
244 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->decrypt.context;
245 		soft_aes_ctx->aes_cbc = aes_ctr_ctx_init(
246 		    soft_aes_ctx->key_sched, soft_aes_ctx->keysched_len,
247 		    pMechanism->pParameter);
248 
249 		if (soft_aes_ctx->aes_cbc == NULL) {
250 			bzero(soft_aes_ctx->key_sched,
251 			    soft_aes_ctx->keysched_len);
252 			free(soft_aes_ctx->key_sched);
253 			free(session_p->decrypt.context);
254 			session_p->decrypt.context = NULL;
255 			rv = CKR_HOST_MEMORY;
256 		}
257 
258 		(void) pthread_mutex_unlock(&session_p->session_mutex);
259 
260 		return (rv);
261 	}
262 	case CKM_BLOWFISH_CBC:
263 	{
264 		soft_blowfish_ctx_t *soft_blowfish_ctx;
265 
266 		if (key_p->key_type != CKK_BLOWFISH)
267 			return (CKR_KEY_TYPE_INCONSISTENT);
268 
269 		if ((pMechanism->pParameter == NULL) ||
270 		    (pMechanism->ulParameterLen != BLOWFISH_BLOCK_LEN))
271 			return (CKR_MECHANISM_PARAM_INVALID);
272 
273 		rv = soft_blowfish_crypt_init_common(session_p, pMechanism,
274 		    key_p, B_FALSE);
275 
276 		if (rv != CKR_OK)
277 			return (rv);
278 
279 		(void) pthread_mutex_lock(&session_p->session_mutex);
280 
281 		soft_blowfish_ctx =
282 		    (soft_blowfish_ctx_t *)session_p->decrypt.context;
283 
284 		/* Save Initialization Vector in the context. */
285 		(void) memcpy(soft_blowfish_ctx->ivec, pMechanism->pParameter,
286 		    BLOWFISH_BLOCK_LEN);
287 
288 		/* Allocate a context for CBC */
289 		soft_blowfish_ctx->blowfish_cbc =
290 		    (void *)blowfish_cbc_ctx_init(soft_blowfish_ctx->key_sched,
291 		    soft_blowfish_ctx->keysched_len,
292 		    soft_blowfish_ctx->ivec);
293 
294 		if (soft_blowfish_ctx->blowfish_cbc == NULL) {
295 			bzero(soft_blowfish_ctx->key_sched,
296 			    soft_blowfish_ctx->keysched_len);
297 			free(soft_blowfish_ctx->key_sched);
298 			free(session_p->decrypt.context = NULL);
299 			(void) pthread_mutex_unlock(&session_p->session_mutex);
300 			return (CKR_HOST_MEMORY);
301 		}
302 
303 		(void) pthread_mutex_unlock(&session_p->session_mutex);
304 		return (rv);
305 	}
306 
307 	case CKM_RC4:
308 
309 		if (key_p->key_type != CKK_RC4) {
310 			return (CKR_KEY_TYPE_INCONSISTENT);
311 		}
312 
313 		return (soft_arcfour_crypt_init(session_p, pMechanism, key_p,
314 		    B_FALSE));
315 
316 	case CKM_RSA_X_509:
317 	case CKM_RSA_PKCS:
318 
319 		if (key_p->key_type != CKK_RSA) {
320 			return (CKR_KEY_TYPE_INCONSISTENT);
321 		}
322 
323 		return (soft_rsa_crypt_init_common(session_p, pMechanism,
324 		    key_p, B_FALSE));
325 
326 	default:
327 		return (CKR_MECHANISM_INVALID);
328 	}
329 }
330 
331 
332 /*
333  * soft_decrypt_common()
334  *
335  * Arguments:
336  *      session_p:	pointer to soft_session_t struct
337  *	pEncrypted:	pointer to the encrypted data as input
338  *	ulEncryptedLen:	length of the input data
339  *	pData:		pointer to the output data contains plaintext
340  *	pulDataLen:	pointer to the length of the output data
341  *	Update:		boolean flag indicates caller is soft_decrypt
342  *			or soft_decrypt_update
343  *
344  * Description:
345  *      This function calls the corresponding decrypt routine based
346  *	on the mechanism.
347  *
348  * Returns:
349  *	see soft_decrypt_common().
350  */
351 CK_RV
352 soft_decrypt_common(soft_session_t *session_p, CK_BYTE_PTR pEncrypted,
353     CK_ULONG ulEncryptedLen, CK_BYTE_PTR pData,
354     CK_ULONG_PTR pulDataLen, boolean_t Update)
355 {
356 
357 	CK_MECHANISM_TYPE mechanism = session_p->decrypt.mech.mechanism;
358 
359 	switch (mechanism) {
360 
361 	case CKM_DES_ECB:
362 	case CKM_DES_CBC:
363 	case CKM_DES3_ECB:
364 	case CKM_DES3_CBC:
365 
366 		if (ulEncryptedLen == 0) {
367 			*pulDataLen = 0;
368 			return (CKR_OK);
369 		}
370 		/* FALLTHROUGH */
371 
372 	case CKM_DES_CBC_PAD:
373 	case CKM_DES3_CBC_PAD:
374 
375 		return (soft_des_decrypt_common(session_p, pEncrypted,
376 		    ulEncryptedLen, pData, pulDataLen, Update));
377 
378 	case CKM_AES_ECB:
379 	case CKM_AES_CBC:
380 	case CKM_AES_CTR:
381 
382 		if (ulEncryptedLen == 0) {
383 			*pulDataLen = 0;
384 			return (CKR_OK);
385 		}
386 		/* FALLTHROUGH */
387 
388 	case CKM_AES_CBC_PAD:
389 
390 		return (soft_aes_decrypt_common(session_p, pEncrypted,
391 		    ulEncryptedLen, pData, pulDataLen, Update));
392 
393 	case CKM_BLOWFISH_CBC:
394 
395 		if (ulEncryptedLen == 0) {
396 			*pulDataLen = 0;
397 			return (CKR_OK);
398 		}
399 
400 		return (soft_blowfish_decrypt_common(session_p, pEncrypted,
401 		    ulEncryptedLen, pData, pulDataLen, Update));
402 
403 	case CKM_RC4:
404 
405 		if (ulEncryptedLen == 0) {
406 			*pulDataLen = 0;
407 			return (CKR_OK);
408 		}
409 
410 
411 		return (soft_arcfour_crypt(&(session_p->decrypt), pEncrypted,
412 		    ulEncryptedLen, pData, pulDataLen));
413 
414 	case CKM_RSA_X_509:
415 	case CKM_RSA_PKCS:
416 
417 		return (soft_rsa_decrypt_common(session_p, pEncrypted,
418 		    ulEncryptedLen, pData, pulDataLen, mechanism));
419 
420 	default:
421 		return (CKR_MECHANISM_INVALID);
422 
423 	}
424 }
425 
426 
427 /*
428  * soft_decrypt()
429  *
430  * Arguments:
431  *      session_p:	pointer to soft_session_t struct
432  *	pEncryptedData: pointer to the encrypted data as input
433  *	ulEncryptedDataLen: length of the input data
434  *	pData:		pointer to the output data contains plaintext
435  *	pulDataLen:	pointer to the length of the output data
436  *
437  * Description:
438  *      called by C_Decrypt(). This function calls the soft_decrypt_common
439  *	routine.
440  *
441  * Returns:
442  *	see soft_decrypt_common().
443  */
444 CK_RV
445 soft_decrypt(soft_session_t *session_p, CK_BYTE_PTR pEncryptedData,
446     CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData,
447     CK_ULONG_PTR pulDataLen)
448 {
449 
450 	return (soft_decrypt_common(session_p, pEncryptedData,
451 	    ulEncryptedDataLen, pData, pulDataLen, B_FALSE));
452 }
453 
454 
455 /*
456  * soft_decrypt_update()
457  *
458  * Arguments:
459  *      session_p:	pointer to soft_session_t struct
460  *	pEncryptedPart: pointer to the encrypted data as input
461  *	ulEncryptedPartLen: length of the input data
462  *	pPart:          pointer to the output data contains plaintext
463  *	pulPartLen:     pointer to the length of the output data
464  *
465  * Description:
466  *      called by C_DecryptUpdate(). This function calls the
467  *	soft_decrypt_common routine (with update flag on).
468  *
469  * Returns:
470  *	see soft_decrypt_common().
471  */
472 CK_RV
473 soft_decrypt_update(soft_session_t *session_p, CK_BYTE_PTR pEncryptedPart,
474 	CK_ULONG ulEncryptedPartLen, CK_BYTE_PTR pPart,
475 	CK_ULONG_PTR pulPartLen)
476 {
477 	CK_MECHANISM_TYPE mechanism = session_p->decrypt.mech.mechanism;
478 
479 	switch (mechanism) {
480 
481 	case CKM_DES_ECB:
482 	case CKM_DES_CBC:
483 	case CKM_DES_CBC_PAD:
484 	case CKM_DES3_ECB:
485 	case CKM_DES3_CBC:
486 	case CKM_DES3_CBC_PAD:
487 	case CKM_AES_ECB:
488 	case CKM_AES_CBC:
489 	case CKM_AES_CBC_PAD:
490 	case CKM_AES_CTR:
491 	case CKM_BLOWFISH_CBC:
492 	case CKM_RC4:
493 
494 		return (soft_decrypt_common(session_p, pEncryptedPart,
495 		    ulEncryptedPartLen, pPart, pulPartLen, B_TRUE));
496 
497 	default:
498 		/* PKCS11: The mechanism only supports single-part operation. */
499 		return (CKR_MECHANISM_INVALID);
500 	}
501 
502 }
503 
504 
505 /*
506  * soft_decrypt_final()
507  *
508  * Arguments:
509  *      session_p:	pointer to soft_session_t struct
510  *      pLastPart:	pointer to the last recovered data part
511  *      pulLastPartLen:	pointer to the length of the last recovered data part
512  *
513  * Description:
514  *      called by C_DecryptFinal().
515  *
516  * Returns:
517  *	CKR_OK: success
518  *	CKR_FUNCTION_FAILED: decrypt final function failed
519  *	CKR_ENCRYPTED_DATA_LEN_RANGE: remaining buffer contains bad length
520  */
521 CK_RV
522 soft_decrypt_final(soft_session_t *session_p, CK_BYTE_PTR pLastPart,
523 	CK_ULONG_PTR pulLastPartLen)
524 {
525 
526 	CK_MECHANISM_TYPE mechanism = session_p->decrypt.mech.mechanism;
527 	CK_ULONG out_len;
528 	CK_RV rv = CKR_OK;
529 	int rc;
530 
531 	(void) pthread_mutex_lock(&session_p->session_mutex);
532 
533 	if (session_p->decrypt.context == NULL) {
534 		rv = CKR_OPERATION_NOT_INITIALIZED;
535 		*pulLastPartLen = 0;
536 		goto clean2;
537 	}
538 	switch (mechanism) {
539 
540 	case CKM_DES_CBC_PAD:
541 	case CKM_DES3_CBC_PAD:
542 	{
543 
544 		soft_des_ctx_t *soft_des_ctx;
545 
546 		soft_des_ctx = (soft_des_ctx_t *)session_p->decrypt.context;
547 
548 		/*
549 		 * We should have only one block of data left in the
550 		 * remaining buffer.
551 		 */
552 		if (soft_des_ctx->remain_len != DES_BLOCK_LEN) {
553 			*pulLastPartLen = 0;
554 			rv = CKR_ENCRYPTED_DATA_LEN_RANGE;
555 			/* Cleanup memory space. */
556 			free(soft_des_ctx->des_cbc);
557 			bzero(soft_des_ctx->key_sched,
558 			    soft_des_ctx->keysched_len);
559 			free(soft_des_ctx->key_sched);
560 
561 			goto clean1;
562 		}
563 
564 		out_len = DES_BLOCK_LEN;
565 
566 		/*
567 		 * If application asks for the length of the output buffer
568 		 * to hold the plaintext?
569 		 */
570 		if (pLastPart == NULL) {
571 			*pulLastPartLen = out_len;
572 			rv = CKR_OK;
573 			goto clean2;
574 		} else {
575 			crypto_data_t out;
576 
577 			/* Copy remaining data to the output buffer. */
578 			(void) memcpy(pLastPart, soft_des_ctx->data,
579 			    DES_BLOCK_LEN);
580 
581 			out.cd_format = CRYPTO_DATA_RAW;
582 			out.cd_offset = 0;
583 			out.cd_length = DES_BLOCK_LEN;
584 			out.cd_raw.iov_base = (char *)pLastPart;
585 			out.cd_raw.iov_len = DES_BLOCK_LEN;
586 
587 			/* Decrypt final block of data. */
588 			rc = des_decrypt_contiguous_blocks(
589 			    (des_ctx_t *)soft_des_ctx->des_cbc,
590 			    (char *)pLastPart, DES_BLOCK_LEN, &out);
591 
592 			if (rc == 0) {
593 				/*
594 				 * Remove padding bytes after decryption of
595 				 * ciphertext block to produce the original
596 				 * plaintext.
597 				 */
598 				rv = soft_remove_pkcs7_padding(pLastPart,
599 				    DES_BLOCK_LEN, &out_len);
600 				if (rv != CKR_OK)
601 					*pulLastPartLen = 0;
602 				else
603 					*pulLastPartLen = out_len;
604 			} else {
605 				*pulLastPartLen = 0;
606 				rv = CKR_FUNCTION_FAILED;
607 			}
608 
609 			/* Cleanup memory space. */
610 			free(soft_des_ctx->des_cbc);
611 			bzero(soft_des_ctx->key_sched,
612 			    soft_des_ctx->keysched_len);
613 			free(soft_des_ctx->key_sched);
614 
615 		}
616 
617 		break;
618 	}
619 
620 	case CKM_DES_CBC:
621 	case CKM_DES_ECB:
622 	case CKM_DES3_CBC:
623 	case CKM_DES3_ECB:
624 	{
625 
626 		soft_des_ctx_t *soft_des_ctx;
627 
628 		soft_des_ctx = (soft_des_ctx_t *)session_p->decrypt.context;
629 		/*
630 		 * CKM_DES_CBC and CKM_DES_ECB does not do any padding,
631 		 * so when the final is called, the remaining buffer
632 		 * should not contain any more data.
633 		 */
634 		*pulLastPartLen = 0;
635 		if (soft_des_ctx->remain_len != 0) {
636 			rv = CKR_ENCRYPTED_DATA_LEN_RANGE;
637 		} else {
638 			if (pLastPart == NULL)
639 				goto clean2;
640 		}
641 
642 		/* Cleanup memory space. */
643 		free(soft_des_ctx->des_cbc);
644 		bzero(soft_des_ctx->key_sched, soft_des_ctx->keysched_len);
645 		free(soft_des_ctx->key_sched);
646 
647 		break;
648 	}
649 
650 	case CKM_AES_CBC_PAD:
651 	{
652 
653 		soft_aes_ctx_t *soft_aes_ctx;
654 
655 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->decrypt.context;
656 
657 		/*
658 		 * We should have only one block of data left in the
659 		 * remaining buffer.
660 		 */
661 		if (soft_aes_ctx->remain_len != AES_BLOCK_LEN) {
662 			*pulLastPartLen = 0;
663 			rv = CKR_ENCRYPTED_DATA_LEN_RANGE;
664 			/* Cleanup memory space. */
665 			free(soft_aes_ctx->aes_cbc);
666 			bzero(soft_aes_ctx->key_sched,
667 			    soft_aes_ctx->keysched_len);
668 			free(soft_aes_ctx->key_sched);
669 
670 			goto clean1;
671 		}
672 
673 		out_len = AES_BLOCK_LEN;
674 
675 		/*
676 		 * If application asks for the length of the output buffer
677 		 * to hold the plaintext?
678 		 */
679 		if (pLastPart == NULL) {
680 			*pulLastPartLen = out_len;
681 			rv = CKR_OK;
682 			goto clean2;
683 		} else {
684 			crypto_data_t out;
685 
686 			/* Copy remaining data to the output buffer. */
687 			(void) memcpy(pLastPart, soft_aes_ctx->data,
688 			    AES_BLOCK_LEN);
689 
690 			out.cd_format = CRYPTO_DATA_RAW;
691 			out.cd_offset = 0;
692 			out.cd_length = AES_BLOCK_LEN;
693 			out.cd_raw.iov_base = (char *)pLastPart;
694 			out.cd_raw.iov_len = AES_BLOCK_LEN;
695 
696 			/* Decrypt final block of data. */
697 			rc = aes_decrypt_contiguous_blocks(
698 			    (aes_ctx_t *)soft_aes_ctx->aes_cbc,
699 			    (char *)pLastPart, AES_BLOCK_LEN, &out);
700 
701 			if (rc == 0) {
702 				/*
703 				 * Remove padding bytes after decryption of
704 				 * ciphertext block to produce the original
705 				 * plaintext.
706 				 */
707 				rv = soft_remove_pkcs7_padding(pLastPart,
708 				    AES_BLOCK_LEN, &out_len);
709 				if (rv != CKR_OK)
710 					*pulLastPartLen = 0;
711 				else
712 					*pulLastPartLen = out_len;
713 			} else {
714 				*pulLastPartLen = 0;
715 				rv = CKR_FUNCTION_FAILED;
716 			}
717 
718 			/* Cleanup memory space. */
719 			free(soft_aes_ctx->aes_cbc);
720 			bzero(soft_aes_ctx->key_sched,
721 			    soft_aes_ctx->keysched_len);
722 			free(soft_aes_ctx->key_sched);
723 
724 		}
725 
726 		break;
727 	}
728 
729 	case CKM_AES_CBC:
730 	case CKM_AES_ECB:
731 	{
732 		soft_aes_ctx_t *soft_aes_ctx;
733 
734 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->decrypt.context;
735 		/*
736 		 * CKM_AES_CBC and CKM_AES_ECB does not do any padding,
737 		 * so when the final is called, the remaining buffer
738 		 * should not contain any more data.
739 		 */
740 		*pulLastPartLen = 0;
741 		if (soft_aes_ctx->remain_len != 0) {
742 			rv = CKR_ENCRYPTED_DATA_LEN_RANGE;
743 		} else {
744 			if (pLastPart == NULL)
745 				goto clean2;
746 		}
747 
748 		/* Cleanup memory space. */
749 		free(soft_aes_ctx->aes_cbc);
750 		bzero(soft_aes_ctx->key_sched, soft_aes_ctx->keysched_len);
751 		free(soft_aes_ctx->key_sched);
752 
753 		break;
754 	}
755 	case CKM_AES_CTR:
756 	{
757 		crypto_data_t out;
758 		soft_aes_ctx_t *soft_aes_ctx;
759 		ctr_ctx_t *ctr_ctx;
760 		size_t len;
761 
762 		soft_aes_ctx = (soft_aes_ctx_t *)session_p->decrypt.context;
763 		ctr_ctx = soft_aes_ctx->aes_cbc;
764 		len = ctr_ctx->ctr_remainder_len;
765 		if (pLastPart == NULL) {
766 			*pulLastPartLen = len;
767 			goto clean1;
768 		}
769 		if (len > 0) {
770 			out.cd_format = CRYPTO_DATA_RAW;
771 			out.cd_offset = 0;
772 			out.cd_length = len;
773 			out.cd_raw.iov_base = (char *)pLastPart;
774 			out.cd_raw.iov_len = len;
775 
776 			rv = ctr_mode_final(ctr_ctx, &out, aes_encrypt_block);
777 			if (rv == CRYPTO_DATA_LEN_RANGE)
778 				rv = CRYPTO_ENCRYPTED_DATA_LEN_RANGE;
779 		}
780 		if (rv == CRYPTO_BUFFER_TOO_SMALL) {
781 			*pulLastPartLen = len;
782 			goto clean1;
783 		}
784 
785 		/* Cleanup memory space. */
786 		free(ctr_ctx);
787 		bzero(soft_aes_ctx->key_sched, soft_aes_ctx->keysched_len);
788 		free(soft_aes_ctx->key_sched);
789 
790 		break;
791 	}
792 	case CKM_BLOWFISH_CBC:
793 	{
794 		soft_blowfish_ctx_t *soft_blowfish_ctx;
795 
796 		soft_blowfish_ctx =
797 		    (soft_blowfish_ctx_t *)session_p->decrypt.context;
798 
799 		*pulLastPartLen = 0;
800 		if (soft_blowfish_ctx->remain_len != 0)
801 			rv = CKR_ENCRYPTED_DATA_LEN_RANGE;
802 		else {
803 			if (pLastPart == NULL)
804 				goto clean2;
805 		}
806 
807 		free(soft_blowfish_ctx->blowfish_cbc);
808 		bzero(soft_blowfish_ctx->key_sched,
809 		    soft_blowfish_ctx->keysched_len);
810 		free(soft_blowfish_ctx->key_sched);
811 
812 		break;
813 	}
814 
815 	case CKM_RC4:
816 	{
817 		ARCFour_key *key = (ARCFour_key *)session_p->decrypt.context;
818 		bzero(key, sizeof (*key));
819 		*pulLastPartLen = 0;
820 		break;
821 	}
822 
823 	default:
824 		/* PKCS11: The mechanism only supports single-part operation. */
825 		rv = CKR_MECHANISM_INVALID;
826 		break;
827 	}
828 
829 clean1:
830 	free(session_p->decrypt.context);
831 	session_p->decrypt.context = NULL;
832 
833 clean2:
834 	(void) pthread_mutex_unlock(&session_p->session_mutex);
835 
836 	return (rv);
837 
838 }
839