/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved.
*/
/*
* Object Management Functions
* (as defined in PKCS#11 spec section 11.7)
*/
#include <strings.h>
#include "metaGlobal.h"
#include <stdio.h>
#define FIND_OBJ_BUF_SIZE 512 /* size of buf used for C_FindObjects */
/*
* Argument related return codes. Will return to the caller immediately,
* and not try the operation on another slot.
*/
static CK_RV stop_rv[] = {
CKR_ARGUMENTS_BAD,
CKR_ATTRIBUTE_TYPE_INVALID,
CKR_DOMAIN_PARAMS_INVALID,
CKR_TEMPLATE_INCOMPLETE
};
static int num_stop_rv = sizeof (stop_rv) / sizeof (CK_RV);
/*
* Return codes that are related to a specific slot.
* Will try to perform the operation in the next available slot.
* If all attempts failed, will return the error code from the first slot.
*
* This list is here for reference only, it is commented out because
* it doesn't need to be used by the code at this point.
*
* static CK_RV try_again_rv[] = {
* CKR_DEVICE_ERROR,
* CKR_DEVICE_MEMORY,
* CKR_DEVICE_REMOVED,
* CKR_FUNCTION_FAILED,
* CKR_GENERAL_ERROR,
* CKR_HOST_MEMORY,
* CKR_TEMPLATE_INCONSISTENT,
* CKR_ATTRIBUTE_READ_ONLY,
* CKR_ATTRIBUTE_VALUE_INVALID
* };
* static int num_try_again_rv = sizeof (try_again_rv) / sizeof (CK_RV);
*/
/*
* We should never get these return codes because
* MetaSlot is the one that actually created the
* sessions. When we get these errors in C_CreateObject,
* will try to create the object in the next available slot.
* If all attempts failed, will return CKR_FUNCTION_FAILED
* to the caller.
*/
static CK_RV other_rv[] = {
CKR_CRYPTOKI_NOT_INITIALIZED,
CKR_SESSION_CLOSED,
CKR_SESSION_HANDLE_INVALID,
CKR_SESSION_READ_ONLY
};
static int num_other_rv = sizeof (other_rv) / sizeof (CK_RV);
/*
* This function is only used by the C_CreateObject and C_CopyObject.
*
* It is used to determine if the operation should be tried on another slot
* based on the return code
*/
static boolean_t
try_again(CK_RV rv)
{
int i;
for (i = 0; i < num_stop_rv; i++) {
if (rv == stop_rv[i]) {
return (B_FALSE);
}
}
return (B_TRUE);
}
/*
* meta_CreateObject
*
*/
CK_RV
meta_CreateObject(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phObject)
{
CK_RV rv;
meta_session_t *session;
slot_session_t *slot_session = NULL;
meta_object_t *object = NULL;
slot_object_t *slot_object = NULL;
CK_OBJECT_HANDLE hNewObject;
CK_ULONG slot_num, keystore_slotnum;
CK_RV first_rv;
if (pTemplate == NULL || ulCount < 1 || phObject == NULL)
return (CKR_ARGUMENTS_BAD);
rv = meta_handle2session(hSession, &session);
if (rv != CKR_OK)
return (rv);
rv = meta_object_alloc(session, &object);
if (rv != CKR_OK)
goto cleanup;
/*
* Create a clone of the object
*/
rv = meta_slot_object_alloc(&slot_object);
if (rv != CKR_OK)
goto cleanup;
/*
* Set to true (token object) if template has CKA_TOKEN=true;
* otherwise, it is false (session object).
*/
(void) get_template_boolean(CKA_TOKEN, pTemplate, ulCount,
&(object->isToken));
/* Can't create token objects in a read-only session. */
if ((IS_READ_ONLY_SESSION(session->session_flags)) && object->isToken) {
rv = CKR_SESSION_READ_ONLY;
goto cleanup;
}
/*
* Set to true (private object) if template has CKA_PRIVATE=true;
* otherwise, it is false (public object).
*/
(void) get_template_boolean(CKA_PRIVATE, pTemplate, ulCount,
&(object->isPrivate));
/* Assume object is extractable unless template has otherwise */
object->isExtractable = B_TRUE;
(void) get_template_boolean(CKA_EXTRACTABLE, pTemplate, ulCount,
&(object->isExtractable));
/*
* Set to true (sensitive object) if template has CKA_SENSITIVE=true;
* otherwise, it is false.
*/
(void) get_template_boolean(CKA_SENSITIVE, pTemplate, ulCount,
&(object->isSensitive));
/*
* Check if this can be a FreeObject.
*
* For creating objects, this check is mostly for preventing
* non-keystore hardware from creating CKA_PRIVATE objects without
* logging in.
*/
if (meta_freeobject_check(session, object, NULL, pTemplate, ulCount,
NULL)) {
/*
* Make sure we are logged into the keystore if this is a
* private freetoken object.
*/
if (object->isPrivate && !metaslot_logged_in()) {
rv = CKR_USER_NOT_LOGGED_IN;
goto cleanup;
}
if (!meta_freeobject_set(object, pTemplate, ulCount, B_TRUE)) {
rv = CKR_FUNCTION_FAILED;
goto cleanup;
}
}
keystore_slotnum = get_keystore_slotnum();
if (object->isToken || object->isFreeToken == FREE_ENABLED) {
/*
* If this is a token object or a FreeToken then create it
* on the keystore slot.
*/
slot_num = keystore_slotnum;
rv = meta_get_slot_session(slot_num, &slot_session,
session->session_flags);
if (rv != CKR_OK)
goto cleanup;
object->tried_create_clone[slot_num] = B_TRUE;
rv = FUNCLIST(slot_session->fw_st_id)->C_CreateObject(
slot_session->hSession, pTemplate, ulCount, &hNewObject);
if (rv != CKR_OK)
goto cleanup;
} else {
/*
* Create a clone of the object in the first available slot.
*
* If creating a clone in a specific slot failed, it will
* either stop and return the error to the user, or try
* again in the next available slot until it succeeds. The
* decision to stop or continue is made based on the return
* code.
*/
CK_ULONG num_slots = meta_slotManager_get_slotcount();
for (slot_num = 0; slot_num < num_slots; slot_num++) {
/*
* If this is a free token and we are on the keystore
* slot, bypass this because it was already created
*/
rv = meta_get_slot_session(slot_num, &slot_session,
session->session_flags);
if (rv != CKR_OK)
goto cleanup;
object->tried_create_clone[slot_num] = B_TRUE;
rv = FUNCLIST(slot_session->fw_st_id)->C_CreateObject(
slot_session->hSession, pTemplate, ulCount,
&hNewObject);
if (rv == CKR_OK)
break;
if (!try_again(rv))
goto cleanup;
/* save first rv for other errors */
if (slot_num == 0)
first_rv = rv;
meta_release_slot_session(slot_session);
slot_session = NULL;
}
}
if (rv == CKR_OK) {
slot_object->hObject = hNewObject;
object->clones[slot_num] = slot_object;
object->master_clone_slotnum = slot_num;
/* Allow FreeToken to activate onto token obj list */
if (object->isFreeToken == FREE_ENABLED)
object->isToken = B_TRUE;
meta_slot_object_activate(slot_object, slot_session,
object->isToken);
slot_object = NULL;
meta_release_slot_session(slot_session);
slot_session = NULL;
} else {
/*
* return either first error code or
* CKR_FUNCTION_FAILED depending on the failure
*/
int i;
for (i = 0; i < num_other_rv; i++) {
if (rv == other_rv[i]) {
rv = CKR_FUNCTION_FAILED;
goto cleanup;
}
}
/* need to return first rv */
rv = first_rv;
goto cleanup;
}
/*
* always keep a copy of the template for C_CreateObject,
* so clones can be created on other slots if necessary.
* This is done even when the CKA_EXTRACTABLE=FALSE flag
* is set for the object. The supplied template is
* "owned" by metaslot. The application should not be
* penalized just because metaslot choose to try creating
* the object in a slot that's not capable of performing
* any future operation.
*/
rv = get_master_attributes_by_template(pTemplate, ulCount,
&object->attributes, &object->num_attributes);
if (rv == CKR_OK) {
CK_ULONG i;
for (i = 0; i < ulCount; i++) {
rv = attribute_set_value(&(pTemplate[i]),
object->attributes, object->num_attributes);
}
}
meta_object_activate(object);
*phObject = (CK_OBJECT_HANDLE) object;
REFRELEASE(session);
return (CKR_OK);
cleanup:
if (slot_object)
meta_slot_object_dealloc(slot_object);
if (slot_session)
meta_release_slot_session(slot_session);
if (object)
(void) meta_object_dealloc(session, object, B_TRUE);
REFRELEASE(session);
return (rv);
}
/*
* meta_CopyObject
*
*/
CK_RV
meta_CopyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
CK_OBJECT_HANDLE_PTR phNewObject)
{
CK_RV rv, first_rv;
meta_session_t *session;
meta_object_t *src_object, *dst_object = NULL;
slot_session_t *slot_session = NULL;
slot_object_t *dst_slot_object = NULL;
CK_ULONG i;
slot_object_t *src_slot_object;
CK_ULONG slotnum, num_slots;
boolean_t found;
if (pTemplate == NULL && ulCount != 0)
return (CKR_ARGUMENTS_BAD);
if (phNewObject == NULL)
return (CKR_ARGUMENTS_BAD);
rv = meta_handle2session(hSession, &session);
if (rv != CKR_OK)
return (rv);
rv = meta_handle2object(hObject, &src_object);
if (rv != CKR_OK) {
REFRELEASE(session);
return (rv);
}
rv = meta_object_alloc(session, &dst_object);
if (rv != CKR_OK)
goto finish;
found = get_template_boolean(CKA_TOKEN,
pTemplate, ulCount, &(dst_object->isToken));
if (!found) {
dst_object->isToken = src_object->isToken;
if (src_object->isFreeToken == FREE_ENABLED)
dst_object->isToken = TRUE;
else
dst_object->isToken = src_object->isToken;
}
/* Can't create token objects in a read-only session. */
if ((IS_READ_ONLY_SESSION(session->session_flags)) &&
(dst_object->isToken)) {
rv = CKR_SESSION_READ_ONLY;
goto finish;
}
if (dst_object->isToken) {
/*
* if the dst object is a token object, and the source
* object is not, the source object needs to be extractable.
* Otherwise, the source object needs to reside in the
* token object slot
*/
if ((!src_object->isExtractable) &&
(src_object->master_clone_slotnum
!= get_keystore_slotnum())) {
rv = CKR_FUNCTION_FAILED;
goto finish;
}
/* determine if dst is going to be private object or not */
found = get_template_boolean(CKA_PRIVATE,
pTemplate, ulCount, &(dst_object->isPrivate));
if (!found) {
/* will be the same as the source object */
dst_object->isPrivate = src_object->isPrivate;
}
slotnum = get_keystore_slotnum();
} else {
/* try create the obj in the same slot as the source obj */
slotnum = src_object->master_clone_slotnum;
}
rv = meta_slot_object_alloc(&dst_slot_object);
if (rv != CKR_OK)
goto finish;
rv = meta_get_slot_session(slotnum, &slot_session,
session->session_flags);
if (rv != CKR_OK)
goto finish;
rv = meta_object_get_clone(src_object, slotnum,
slot_session, &src_slot_object);
if (rv != CKR_OK)
goto finish;
dst_object->tried_create_clone[slotnum] = B_TRUE;
rv = FUNCLIST(slot_session->fw_st_id)->C_CopyObject(
slot_session->hSession, src_slot_object->hObject, pTemplate,
ulCount, &(dst_slot_object->hObject));
if (rv != CKR_OK) {
if (dst_object->isToken) {
/*
* token obj can only be created in the
* token slot. No need to try anywhere else
*/
goto finish;
}
if ((!src_object->isExtractable) ||
((src_object->isSensitive) && (src_object->isToken) &&
(!metaslot_auto_key_migrate))) {
/* source object isn't clonable in another slot */
goto finish;
}
if (!try_again(rv)) {
goto finish;
}
first_rv = rv;
meta_release_slot_session(slot_session);
slot_session = NULL;
num_slots = meta_slotManager_get_slotcount();
/* Try operation on other slots if the object is clonable */
for (slotnum = 0; slotnum < num_slots; slotnum++) {
if (slotnum == src_object->master_clone_slotnum) {
/* already tried, don't need to try again */
continue;
}
rv = meta_get_slot_session(slotnum, &slot_session,
session->session_flags);
if (rv != CKR_OK) {
goto finish;
}
rv = meta_object_get_clone(src_object, slotnum,
slot_session, &src_slot_object);
if (rv != CKR_OK)
goto finish;
dst_object->tried_create_clone[slotnum] = B_TRUE;
rv = FUNCLIST(slot_session->fw_st_id)->C_CopyObject(
slot_session->hSession, src_slot_object->hObject,
pTemplate, ulCount, &dst_slot_object->hObject);
if (rv == CKR_OK) {
break;
}
if (!try_again(rv)) {
goto finish;
}
meta_release_slot_session(slot_session);
slot_session = NULL;
}
}
if (rv == CKR_OK) {
rv = meta_object_get_attr(slot_session,
dst_slot_object->hObject, dst_object);
if (rv != CKR_OK) {
goto finish;
}
if (src_object->attributes != NULL) {
/* Keep a copy of the template for the future */
/*
* Don't allow attributes to change while
* we look at them.
*/
(void) pthread_rwlock_rdlock(
&src_object->attribute_lock);
rv = get_master_attributes_by_duplication(
src_object->attributes,
src_object->num_attributes,
&dst_object->attributes,
&dst_object->num_attributes);
(void) pthread_rwlock_unlock(
&src_object->attribute_lock);
if (rv != CKR_OK)
goto finish;
for (i = 0; i < ulCount; i++) {
rv = attribute_set_value(pTemplate + i,
dst_object->attributes,
dst_object->num_attributes);
if (rv != CKR_OK)
goto finish;
}
}
/* Allow FreeToken to activate onto token obj list */
if (dst_object->isFreeToken == FREE_ENABLED)
dst_object->isToken = TRUE;
meta_slot_object_activate(dst_slot_object,
slot_session, dst_object->isToken);
dst_object->clones[slotnum] = dst_slot_object;
dst_object->master_clone_slotnum = slotnum;
dst_slot_object = NULL; /* for error cleanup */
meta_release_slot_session(slot_session);
slot_session = NULL; /* for error cleanup */
} else {
/*
* return either first error code or
* CKR_FUNCTION_FAILED depending on the failure
*/
int j;
for (j = 0; j < num_other_rv; j++) {
if (rv == other_rv[j]) {
rv = CKR_FUNCTION_FAILED;
goto finish;
}
}
/* need to return first rv */
rv = first_rv;
goto finish;
}
meta_object_activate(dst_object);
*phNewObject = (CK_OBJECT_HANDLE) dst_object;
finish:
if (rv != CKR_OK) {
if (dst_slot_object)
meta_slot_object_dealloc(dst_slot_object);
if (dst_object)
(void) meta_object_dealloc(session, dst_object,
B_TRUE);
if (slot_session)
meta_release_slot_session(slot_session);
}
OBJRELEASE(src_object);
REFRELEASE(session);
return (rv);
}
/*
* meta_DestroyObject
*
* This function destroys an object by first removing it from the
* list of valid objects for a given session (if session object) or
* the global token object list. And then, calling C_DestroyObject
* on all the slots on which we have created a clone of this object.
*/
CK_RV
meta_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
{
CK_RV rv;
meta_session_t *session;
meta_object_t *object;
rv = meta_handle2session(hSession, &session);
if (rv != CKR_OK)
return (rv);
rv = meta_handle2object(hObject, &object);
if (rv != CKR_OK) {
REFRELEASE(session);
return (rv);
}
/* Can't delete token objects from a read-only session. */
if ((IS_READ_ONLY_SESSION(session->session_flags)) &&
(object->isToken || object->isFreeToken == FREE_ENABLED)) {
OBJRELEASE(object);
REFRELEASE(session);
return (CKR_SESSION_READ_ONLY);
}
/* Remove object from list of valid meta_objects */
rv = meta_object_deactivate(object, B_FALSE, B_TRUE);
/*
* Actually call C_DestroyObject on all the slots on which we have
* created a clone of this object.
*/
if (rv == CKR_OK)
rv = meta_object_dealloc(session, object, B_TRUE);
REFRELEASE(session);
return (rv);
}
/*
* meta_GetObjectSize
*
* NOTES:
* 1) Because the "size" is so poorly defined in the spec, we have deemed
* it useless and won't support it. This is especially true for the
* metaslot, because the multiple providers it uses may each interpret
* the size differently.
*/
/* ARGSUSED */
CK_RV
meta_GetObjectSize(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
CK_ULONG_PTR pulSize)
{
return (CKR_FUNCTION_NOT_SUPPORTED);
}
/*
* meta_GetAttributeValue
*
*/
CK_RV
meta_GetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
{
CK_RV rv;
meta_session_t *session;
meta_object_t *object;
CK_ULONG slotnum;
slot_session_t *slot_session;
if (pTemplate == NULL || ulCount < 1)
return (CKR_ARGUMENTS_BAD);
rv = meta_handle2session(hSession, &session);
if (rv != CKR_OK)
return (rv);
rv = meta_handle2object(hObject, &object);
if (rv != CKR_OK) {
REFRELEASE(session);
return (rv);
}
slotnum = object->master_clone_slotnum;
rv = meta_get_slot_session(slotnum, &slot_session,
session->session_flags);
if (rv == CKR_OK) {
rv = FUNCLIST(slot_session->fw_st_id)->C_GetAttributeValue(
slot_session->hSession, object->clones[slotnum]->hObject,
pTemplate, ulCount);
meta_release_slot_session(slot_session);
}
OBJRELEASE(object);
REFRELEASE(session);
return (rv);
}
/*
* meta_SetAttributeValue
*
* Call C_SetAttributeValue on all the clones. If the operation fails on
* all clones, return the failure.
*
* If the operation fails on some clones and not the others, delete all the
* clones that have failed the operation. If any of the deleted clone is the
* master clone, use one of the remaining clone as the master clone.
*
* If the operation is successful and the master template already exists,
* update the master template with new values.
*/
CK_RV
meta_SetAttributeValue(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
{
CK_RV rv = CKR_OK, save_rv = CKR_OK;
meta_session_t *session;
meta_object_t *object;
CK_ULONG slotnum, num_slots;
/* Keep track of which slot's SetAttributeValue failed */
boolean_t *clone_failed_op = NULL;
int num_clones = 0, num_clones_failed = 0;
slot_session_t *slot_session;
slot_object_t *slot_object;
boolean_t need_update_master_clone = B_FALSE;
if (pTemplate == NULL || ulCount < 1)
return (CKR_ARGUMENTS_BAD);
rv = meta_handle2session(hSession, &session);
if (rv != CKR_OK)
return (rv);
rv = meta_handle2object(hObject, &object);
if (rv != CKR_OK) {
REFRELEASE(session);
return (rv);
}
if ((IS_READ_ONLY_SESSION(session->session_flags)) &&
(object->isToken || object->isFreeToken == FREE_ENABLED)) {
rv = CKR_SESSION_READ_ONLY;
goto finish;
}
if ((!object->isExtractable) && (object->attributes == NULL)) {
/*
* object has no clone, just need to do the operation
* in the master clone slot
*/
slot_session_t *slot_session;
slotnum = object->master_clone_slotnum;
rv = meta_get_slot_session(slotnum, &slot_session,
session->session_flags);
if (rv == CKR_OK) {
rv = FUNCLIST(slot_session->fw_st_id)->\
C_SetAttributeValue(slot_session->hSession,
object->clones[slotnum]->hObject, pTemplate,
ulCount);
meta_release_slot_session(slot_session);
}
goto finish;
}
num_slots = meta_slotManager_get_slotcount();
/*
* object might have clones, need to do operation in all clones
*
* If the C_SetAttributeValue() call fails in a clone, the
* clone that failed the operation can not be deleted right
* away. The clone with the failed operation is recorded, and
* the deletion will happen in a separate loop.
*
* This is necessary because if ALL the clones failed
* C_SetAttributeVAlue(), then, the app's call to C_SetAttributeValue()
* is considered failed, and there shouldn't be any changes to the
* object, none of the clones should be deleted.
* On the other hand, if C_SetAttributeValue() fails in some clones
* and succeeds in other clones, the C_SetAttributeValue() operation
* is considered successful, and those clones that failed the
* operation is deleted.
*/
clone_failed_op = calloc(num_slots, sizeof (boolean_t));
if (clone_failed_op == NULL) {
rv = CKR_HOST_MEMORY;
goto finish;
}
for (slotnum = 0; slotnum < num_slots; slotnum++) {
if (object->clones[slotnum] != NULL) {
num_clones++;
rv = meta_get_slot_session(slotnum, &slot_session,
session->session_flags);
if (rv != CKR_OK) {
goto finish;
}
rv = FUNCLIST(slot_session->fw_st_id)->\
C_SetAttributeValue(slot_session->hSession,
object->clones[slotnum]->hObject, pTemplate,
ulCount);
if (rv != CKR_OK) {
num_clones_failed++;
clone_failed_op[slotnum] = B_TRUE;
if (save_rv == CKR_OK) {
save_rv = rv;
}
}
meta_release_slot_session(slot_session);
}
}
if (num_clones_failed == num_clones) {
/* all operations failed */
rv = save_rv;
goto finish;
}
if (num_clones_failed > 0) {
/*
* C_SetAttributeValue in some of the clones failed.
* Find out which ones failed, and delete the clones
* in those failed slots
*/
for (slotnum = 0; slotnum < num_slots; slotnum++) {
if (clone_failed_op[slotnum]) {
slot_object_t *clone = object->clones[slotnum];
rv = meta_get_slot_session(slotnum,
&slot_session, session->session_flags);
if (rv == CKR_OK) {
(void) FUNCLIST(
slot_session->fw_st_id)->
C_DestroyObject(
slot_session->hSession,
clone->hObject);
meta_release_slot_session(slot_session);
}
meta_slot_object_deactivate(clone);
meta_slot_object_dealloc(clone);
object->clones[slotnum] = NULL;
if (slotnum == object->master_clone_slotnum) {
need_update_master_clone = B_TRUE;
}
}
}
if (need_update_master_clone) {
/* make first available clone the master */
for (slotnum = 0; slotnum < num_slots; slotnum++) {
if (object->clones[slotnum]) {
object->master_clone_slotnum = slotnum;
need_update_master_clone = B_FALSE;
break;
}
}
}
if (need_update_master_clone) {
/*
* something is very wrong, can't continue
* it should never be this case.
*/
rv = CKR_FUNCTION_FAILED;
goto finish;
}
rv = CKR_OK;
}
/*
* Update the attribute information we keep in our metaslot object
*/
slot_object = object->clones[object->master_clone_slotnum];
rv = meta_get_slot_session(object->master_clone_slotnum,
&slot_session, session->session_flags);
if (rv == CKR_OK) {
(void) meta_object_get_attr(slot_session,
slot_object->hObject, object);
meta_release_slot_session(slot_session);
}
/* if there's a copy of the attributes, keep it up to date */
if (object->attributes != NULL) {
CK_ULONG i;
/* Make sure no one else is looking at attributes. */
(void) pthread_rwlock_wrlock(&object->attribute_lock);
for (i = 0; i < ulCount; i++) {
(void) attribute_set_value(pTemplate + i,
object->attributes, object->num_attributes);
}
(void) pthread_rwlock_unlock(&object->attribute_lock);
}
finish:
if (clone_failed_op) {
free(clone_failed_op);
}
OBJRELEASE(object);
REFRELEASE(session);
return (rv);
}
static boolean_t
meta_object_in_list(meta_object_t *obj, meta_object_t **objs_list, int num_objs)
{
int i;
for (i = 0; i < num_objs; i++) {
if (objs_list[i] == obj) {
return (B_TRUE);
}
}
return (B_FALSE);
}
static CK_RV
add_to_search_result(meta_object_t *object, find_objs_info_t *info,
int *num_results_alloc)
{
/*
* allocate space for storing results if the currently
* allocated space is not enough
*/
if (*num_results_alloc <= info->num_matched_objs) {
*num_results_alloc += FIND_OBJ_BUF_SIZE;
info->matched_objs = realloc(info->matched_objs,
sizeof (meta_object_t *) * (*num_results_alloc));
if (info->matched_objs == NULL) {
return (CKR_HOST_MEMORY);
}
}
(info->matched_objs)[(info->num_matched_objs)++] = object;
return (CKR_OK);
}
static CK_RV
process_find_results(CK_OBJECT_HANDLE *results, CK_ULONG num_results,
int *num_results_allocated, find_objs_info_t *info, CK_ULONG slotnum,
boolean_t token_only, slot_session_t *slot_session,
meta_session_t *session)
{
CK_ULONG i;
meta_object_t *object;
CK_RV rv;
for (i = 0; i < num_results; i++) {
object = meta_object_find_by_handle(results[i], slotnum,
token_only);
/*
* a token object is found from the keystore,
* need to create a meta object for it
*/
if (object == NULL) {
slot_object_t *slot_object;
rv = meta_object_alloc(session, &object);
if (rv != CKR_OK) {
return (rv);
}
rv = meta_slot_object_alloc(&slot_object);
if (rv != CKR_OK) {
(void) meta_object_dealloc(session, object,
B_TRUE);
return (rv);
}
slot_object->hObject = results[i];
object->master_clone_slotnum = slotnum;
object->clones[slotnum] = slot_object;
/* get in the attributes we keep in meta_object */
rv = meta_object_get_attr(slot_session,
slot_object->hObject, object);
if (rv != CKR_OK) {
(void) meta_object_dealloc(session, object,
B_TRUE);
return (rv);
}
meta_slot_object_activate(slot_object, slot_session,
B_TRUE);
meta_object_activate(object);
slot_object = NULL;
}
if (!meta_object_in_list(object, info->matched_objs,
info->num_matched_objs)) {
rv = add_to_search_result(object, info,
num_results_allocated);
if (rv != CKR_OK) {
return (rv);
}
}
}
return (CKR_OK);
}
static CK_RV
meta_search_for_objects(meta_session_t *session, find_objs_info_t *info,
slot_session_t *slot_session, CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount, CK_ULONG slotnum, boolean_t token_only,
int *num_results_alloc)
{
CK_ULONG tmp_num_results;
CK_OBJECT_HANDLE tmp_results[FIND_OBJ_BUF_SIZE];
CK_SESSION_HANDLE hSession = slot_session->hSession;
CK_RV rv;
CK_SLOT_ID fw_st_id = slot_session->fw_st_id;
rv = FUNCLIST(fw_st_id)->C_FindObjectsInit(hSession,
pTemplate, ulCount);
if (rv != CKR_OK) {
return (rv);
}
tmp_num_results = 0;
rv = FUNCLIST(fw_st_id)->C_FindObjects(hSession, tmp_results,
FIND_OBJ_BUF_SIZE, &tmp_num_results);
if (rv != CKR_OK) {
return (rv);
}
rv = process_find_results(tmp_results, tmp_num_results,
num_results_alloc, info, slotnum, token_only,
slot_session, session);
if (rv != CKR_OK) {
return (rv);
}
while (tmp_num_results == FIND_OBJ_BUF_SIZE) {
/* might be more results, need to call C_FindObjects again */
rv = FUNCLIST(fw_st_id)->C_FindObjects(hSession, tmp_results,
FIND_OBJ_BUF_SIZE, &tmp_num_results);
if (rv != CKR_OK) {
return (rv);
}
rv = process_find_results(tmp_results, tmp_num_results,
num_results_alloc, info, slotnum, token_only,
slot_session, session);
if (rv != CKR_OK) {
return (rv);
}
}
rv = FUNCLIST(fw_st_id)->C_FindObjectsFinal(hSession);
return (rv);
}
/*
* meta_FindObjectsInit
*
* This function actually will do ALL the work of searching for objects
* that match all requirements specified in the template.
*
* Objects that matched the template will be stored in the
* session's data structure. When the subsequent C_FindObjects()
* calls are made, results saved will be returned.
*
*/
CK_RV
meta_FindObjectsInit(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate,
CK_ULONG ulCount)
{
CK_RV rv;
meta_session_t *session;
CK_ULONG slot_num = 0;
boolean_t have_token_attr, tokenTrue = B_FALSE;
slot_session_t *slot_find_session = NULL;
int num_results_allocated = 0;
CK_ULONG keystore_slotnum;
rv = meta_handle2session(hSession, &session);
if (rv != CKR_OK)
return (rv);
if ((session->find_objs_info).op_active) {
REFRELEASE(session);
return (CKR_OPERATION_ACTIVE);
}
(session->find_objs_info).op_active = B_TRUE;
REFRELEASE(session);
/* see if the template indicates token object only or not */
have_token_attr = get_template_boolean(CKA_TOKEN, pTemplate, ulCount,
&tokenTrue);
keystore_slotnum = get_keystore_slotnum();
if (have_token_attr && tokenTrue) {
/*
* only interested in token objects, just need to search
* token object slot
*/
rv = meta_get_slot_session(keystore_slotnum,
&slot_find_session, session->session_flags);
if (rv != CKR_OK) {
goto finish;
}
rv = meta_search_for_objects(session,
&(session->find_objs_info), slot_find_session, pTemplate,
ulCount, keystore_slotnum, B_TRUE, &num_results_allocated);
if (rv != CKR_OK) {
goto finish;
}
} else {
CK_ULONG num_slots = meta_slotManager_get_slotcount();
for (slot_num = 0; slot_num < num_slots; slot_num++) {
rv = meta_get_slot_session(slot_num,
&slot_find_session, session->session_flags);
if (rv != CKR_OK) {
goto finish;
}
/*
* if the slot is NOT the token object slot, and
* CKA_TOKEN is not specified, need to specified
* it to be false explicitly. This will prevent
* us from using token objects that doesn't
* belong to the token slot in the case that
* more than one slot supports token objects.
*/
if ((slot_num != keystore_slotnum) &&
(!have_token_attr)) {
CK_BBOOL false = FALSE;
CK_ATTRIBUTE_PTR newTemplate;
newTemplate = malloc((ulCount + 1) *
sizeof (CK_ATTRIBUTE));
if (newTemplate == NULL) {
rv = CKR_HOST_MEMORY;
goto finish;
}
(void) memcpy(newTemplate + 1, pTemplate,
ulCount * sizeof (CK_ATTRIBUTE));
newTemplate[0].type = CKA_TOKEN;
newTemplate[0].pValue = &false;
newTemplate[0].ulValueLen = sizeof (false);
rv = meta_search_for_objects(session,
&(session->find_objs_info),
slot_find_session, newTemplate,
ulCount+1, slot_num, B_FALSE,
&num_results_allocated);
free(newTemplate);
} else {
rv = meta_search_for_objects(session,
&(session->find_objs_info),
slot_find_session, pTemplate, ulCount,
slot_num, B_FALSE,
&num_results_allocated);
}
if (rv != CKR_OK) {
goto finish;
}
meta_release_slot_session(slot_find_session);
slot_find_session = NULL;
}
}
finish:
if (slot_find_session != NULL) {
meta_release_slot_session(slot_find_session);
}
if (rv != CKR_OK) {
(void) pthread_rwlock_wrlock(&session->session_lock);
if (((session->find_objs_info).matched_objs) != NULL) {
free((session->find_objs_info).matched_objs);
}
bzero(&(session->find_objs_info), sizeof (find_objs_info_t));
(void) pthread_rwlock_unlock(&(session->session_lock));
}
return (rv);
}
/*
* meta_FindObjects
*
* This function actually doesn't do any real work in search for the
* matching object. All the work is done in FindObjectsInit(). This
* function will only return the matching objects store in the session's
* "find_objs_info" variable.
*
*/
CK_RV
meta_FindObjects(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject,
CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount)
{
CK_RV rv;
find_objs_info_t *info;
CK_ULONG num_objs_found = 0;
meta_object_t *obj;
meta_session_t *session;
int i;
rv = meta_handle2session(hSession, &session);
if (rv != CKR_OK)
return (rv);
info = &(session->find_objs_info);
if (!(info->op_active)) {
REFRELEASE(session);
return (CKR_OPERATION_NOT_INITIALIZED);
}
for (i = info->next_result_index;
((num_objs_found < ulMaxObjectCount) &&
(i < info->num_matched_objs));
i++) {
obj = info->matched_objs[i];
if (obj != NULL) {
/* sanity check to see if object is still valid */
(void) pthread_rwlock_rdlock(&obj->object_lock);
if (obj->magic_marker == METASLOT_OBJECT_MAGIC) {
phObject[num_objs_found++] =
(CK_OBJECT_HANDLE)obj;
}
(void) pthread_rwlock_unlock(&obj->object_lock);
}
}
info->next_result_index = i;
*pulObjectCount = num_objs_found;
REFRELEASE(session);
return (rv);
}
/*
* meta_FindObjectsFinal
*
*/
CK_RV
meta_FindObjectsFinal(CK_SESSION_HANDLE hSession)
{
CK_RV rv;
find_objs_info_t *info;
meta_session_t *session;
rv = meta_handle2session(hSession, &session);
if (rv != CKR_OK)
return (rv);
info = &(session->find_objs_info);
if (!info->op_active) {
REFRELEASE(session);
return (CKR_OPERATION_NOT_INITIALIZED);
}
if (info->matched_objs) {
free(info->matched_objs);
}
bzero(info, sizeof (find_objs_info_t));
REFRELEASE(session);
return (rv);
}