2N/A/*
2N/A * CDDL HEADER START
2N/A *
2N/A * The contents of this file are subject to the terms of the
2N/A * Common Development and Distribution License (the "License").
2N/A * You may not use this file except in compliance with the License.
2N/A *
2N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2N/A * or http://www.opensolaris.org/os/licensing.
2N/A * See the License for the specific language governing permissions
2N/A * and limitations under the License.
2N/A *
2N/A * When distributing Covered Code, include this CDDL HEADER in each
2N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2N/A * If applicable, add the following below this CDDL HEADER, with the
2N/A * fields enclosed by brackets "[]" replaced with your own identifying
2N/A * information: Portions Copyright [yyyy] [name of copyright owner]
2N/A *
2N/A * CDDL HEADER END
2N/A */
2N/A/*
2N/A * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
2N/A */
2N/A
2N/A#include <pthread.h>
2N/A#include <security/cryptoki.h>
2N/A#include "softGlobal.h"
2N/A#include "softSession.h"
2N/A#include "softObject.h"
2N/A#include "softKeystore.h"
2N/A#include "softKeystoreUtil.h"
2N/A
2N/A
/*
 * C_OpenSession: open a new session on the softtoken slot.
 *
 * Arguments are validated in this fixed order -- library initialized,
 * CKF_SERIAL_SESSION present, slot id, output pointer -- so the error
 * code returned for a call with several bad arguments is deterministic.
 * Only the CKF_SERIAL_SESSION bit is inspected here; the rest of the
 * flags word is handed to soft_add_session() unchanged.
 *
 * Returns CKR_OK and stores the new handle in *phSession, or the
 * matching CKR_* error code.
 */
CK_RV
C_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags, CK_VOID_PTR pApplication,
    CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession)
{
	if (!softtoken_initialized)
		return (CKR_CRYPTOKI_NOT_INITIALIZED);

	/*
	 * Parallel sessions are a leftover from PKCS#11 v1; the spec now
	 * requires CKF_SERIAL_SESSION on every open and mandates this
	 * specific error code when it is missing.
	 */
	if ((flags & CKF_SERIAL_SESSION) == 0)
		return (CKR_SESSION_PARALLEL_NOT_SUPPORTED);

	/* softtoken presents exactly one slot. */
	if (slotID != SOFTTOKEN_SLOTID)
		return (CKR_SLOT_ID_INVALID);

	if (phSession == NULL)
		return (CKR_ARGUMENTS_BAD);

	/*
	 * The token imposes no limit on concurrent sessions, so there is
	 * no CKR_SESSION_COUNT check before creating one.
	 */
	return (soft_add_session(flags, pApplication, Notify, phSession));
}
2N/A
/*
 * C_CloseSession: close one session and release its resources.
 *
 * The session is first marked SESSION_IS_CLOSING under its own mutex so
 * that concurrent callers holding the same handle are turned away, then
 * the reference taken by handle2session() is dropped and the session is
 * deleted.  When this was the last open session the token is logged out
 * (PKCS#11 semantics): in-core private token objects are purged, public
 * token object handles are invalidated and the slot's authentication
 * state is cleared.
 *
 * Returns CKR_SESSION_CLOSED if another closer got there first, otherwise
 * the result of soft_delete_session().
 */
CK_RV
C_CloseSession(CK_SESSION_HANDLE hSession)
{

	CK_RV rv;

	soft_session_t *session_p;
	/* Tells SES_REFRELE() that we already hold session_p->session_mutex. */
	boolean_t lock_held = B_TRUE;

	if (!softtoken_initialized)
		return (CKR_CRYPTOKI_NOT_INITIALIZED);

	/*
	 * Obtain the session pointer. Also, increment the session
	 * reference count.
	 */
	rv = handle2session(hSession, &session_p);
	if (rv != CKR_OK)
		return (rv);

	(void) pthread_mutex_lock(&session_p->session_mutex);
	/*
	 * Set SESSION_IS_CLOSING flag so any access to this
	 * session will be rejected.
	 */
	if (session_p->ses_close_sync & SESSION_IS_CLOSING) {
		/* A concurrent close already owns this session; back out. */
		SES_REFRELE(session_p, lock_held);
		return (CKR_SESSION_CLOSED);
	}
	session_p->ses_close_sync |= SESSION_IS_CLOSING;

	/*
	 * Decrement the session reference count.
	 * We hold the session lock, and SES_REFRELE()
	 * will release the session lock for us.
	 */
	SES_REFRELE(session_p, lock_held);

	/*
	 * Delete a session by calling soft_delete_session() with
	 * a session pointer and a boolean arguments. Boolean
	 * value FALSE is used to indicate that the caller does not
	 * hold the lock on the global session list and also that
	 * this is not a forced session close but an explicit request.
	 *
	 * soft_delete_session() will reset SESSION_IS_CLOSING
	 * flag after it is done.
	 */
	rv = soft_delete_session(session_p, B_FALSE, B_FALSE);

	/*
	 * NOTE(review): soft_session_cnt is read here without holding
	 * soft_sessionlist_mutex, and the last-session cleanup below runs
	 * even when soft_delete_session() reported an error.  A
	 * concurrent C_OpenSession() can race this read; confirm whether
	 * soft_delete_session() leaves the list lock dropped and whether
	 * the count should be sampled under it.
	 */
	if (soft_session_cnt == 0) {
		/* Clean up private token objects from the token object list */
		soft_delete_all_in_core_token_objects(PRIVATE_TOKEN);
		/*
		 * Invalidate public token object handles instead of
		 * deleting them.
		 */
		soft_validate_token_objects(B_FALSE);
		/*
		 * Closing the last session implicitly logs the user out:
		 * drop the authenticated flag and any pending
		 * "PIN must be changed" state under the giant lock.
		 */
		(void) pthread_mutex_lock(&soft_giant_mutex);
		soft_slot.authenticated = 0;
		soft_slot.userpin_change_needed = 0;
		(void) pthread_mutex_unlock(&soft_giant_mutex);
	}

	return (rv);
}
2N/A
2N/A
/*
 * Set or clear the global all_sessions_closing flag under the session
 * list lock.  While the flag is raised, accesses to existing sessions
 * are rejected so that the bulk delete below cannot race with users.
 */
static void
soft_set_all_sessions_closing(int closing)
{
	(void) pthread_mutex_lock(&soft_sessionlist_mutex);
	all_sessions_closing = closing;
	(void) pthread_mutex_unlock(&soft_sessionlist_mutex);
}

/*
 * C_CloseAllSessions: close every session on the softtoken slot.
 *
 * Deletes all sessions, then performs the same token logout that
 * closing the last session does: purge in-core private token objects,
 * invalidate public token object handles and clear the slot's
 * authentication state.  The cleanup runs regardless of whether
 * soft_delete_all_sessions() succeeded; its return code is what the
 * caller sees.
 */
CK_RV
C_CloseAllSessions(CK_SLOT_ID slotID)
{
	CK_RV rv;

	if (!softtoken_initialized)
		return (CKR_CRYPTOKI_NOT_INITIALIZED);

	/* softtoken presents exactly one slot. */
	if (slotID != SOFTTOKEN_SLOTID)
		return (CKR_SLOT_ID_INVALID);

	soft_set_all_sessions_closing(1);

	/* Tear down every session and free its resources. */
	rv = soft_delete_all_sessions(B_FALSE);

	/* Private token objects must not outlive the login they required. */
	soft_delete_all_in_core_token_objects(PRIVATE_TOKEN);

	/* Public token objects stay in core; only their handles are voided. */
	soft_validate_token_objects(B_FALSE);

	/* No sessions remain, so the token is implicitly logged out. */
	(void) pthread_mutex_lock(&soft_giant_mutex);
	soft_slot.authenticated = 0;
	soft_slot.userpin_change_needed = 0;
	(void) pthread_mutex_unlock(&soft_giant_mutex);

	soft_set_all_sessions_closing(0);

	return (rv);
}
2N/A
/*
 * C_GetSessionInfo: report slot, state and flags for a session.
 *
 * The session's reference count is taken via handle2session() and
 * dropped via SES_REFRELE() on every exit path.  The state and flags
 * fields are copied while the session mutex is held; ulDeviceError is
 * always reported as 0.
 *
 * Returns CKR_OK, CKR_ARGUMENTS_BAD for a NULL pInfo, or whatever
 * handle2session() reports for an invalid handle.
 */
CK_RV
C_GetSessionInfo(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo)
{
	soft_session_t *session_p;
	CK_RV rv;

	if (!softtoken_initialized)
		return (CKR_CRYPTOKI_NOT_INITIALIZED);

	/* Look up the session and take a reference on it. */
	rv = handle2session(hSession, &session_p);
	if (rv != CKR_OK)
		return (rv);

	if (pInfo == NULL) {
		/* Session mutex is not held on this path. */
		SES_REFRELE(session_p, B_FALSE);
		return (CKR_ARGUMENTS_BAD);
	}

	(void) pthread_mutex_lock(&session_p->session_mutex);

	pInfo->slotID = SOFTTOKEN_SLOTID;
	pInfo->state = session_p->state;
	pInfo->flags = session_p->flags;
	pInfo->ulDeviceError = 0;

	/*
	 * We hold the session mutex here; SES_REFRELE() drops the
	 * reference and releases the mutex for us.
	 */
	SES_REFRELE(session_p, B_TRUE);

	return (rv);
}
2N/A
2N/A
/*
 * C_GetOperationState: serialize the session's current operation state.
 *
 * pOperationState may legitimately be NULL -- PKCS#11 callers use that
 * form to query the required buffer length via *pulOperationStateLen --
 * so only pulOperationStateLen is checked here.  The real work and the
 * buffer-size handling live in soft_get_operationstate().
 *
 * Returns CKR_ARGUMENTS_BAD for a NULL length pointer, otherwise the
 * result of soft_get_operationstate().
 */
CK_RV
C_GetOperationState(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
    CK_ULONG_PTR pulOperationStateLen)
{
	soft_session_t *session_p;
	CK_RV rv;
	/* Session mutex is never taken in this function. */
	boolean_t ses_lock_held = B_FALSE;

	if (!softtoken_initialized)
		return (CKR_CRYPTOKI_NOT_INITIALIZED);

	/* Look up the session and take a reference on it. */
	rv = handle2session(hSession, &session_p);
	if (rv != CKR_OK)
		return (rv);

	if (pulOperationStateLen == NULL_PTR) {
		rv = CKR_ARGUMENTS_BAD;
	} else {
		rv = soft_get_operationstate(session_p, pOperationState,
		    pulOperationStateLen);
	}

	SES_REFRELE(session_p, ses_lock_held);
	return (rv);
}
2N/A
2N/A
/*
 * C_SetOperationState: restore a previously saved operation state.
 *
 * Unlike the getter, the input buffer is mandatory: a NULL pointer or a
 * zero length is rejected up front with CKR_ARGUMENTS_BAD.  Parsing and
 * validation of the serialized blob, and of the optional key handles,
 * is delegated to soft_set_operationstate().
 *
 * Returns CKR_ARGUMENTS_BAD on missing input, otherwise the result of
 * soft_set_operationstate().
 */
CK_RV
C_SetOperationState(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState,
    CK_ULONG ulOperationStateLen, CK_OBJECT_HANDLE hEncryptionKey,
    CK_OBJECT_HANDLE hAuthenticationKey)
{
	soft_session_t *session_p;
	CK_RV rv;
	/* Session mutex is never taken in this function. */
	boolean_t ses_lock_held = B_FALSE;

	if (!softtoken_initialized)
		return (CKR_CRYPTOKI_NOT_INITIALIZED);

	/* Look up the session and take a reference on it. */
	rv = handle2session(hSession, &session_p);
	if (rv != CKR_OK)
		return (rv);

	if (pOperationState == NULL_PTR || ulOperationStateLen == 0) {
		rv = CKR_ARGUMENTS_BAD;
	} else {
		rv = soft_set_operationstate(session_p, pOperationState,
		    ulOperationStateLen, hEncryptionKey, hAuthenticationKey);
	}

	SES_REFRELE(session_p, ses_lock_held);
	return (rv);
}
2N/A
/*
 * C_Login: authenticate the normal user (CKU_USER) to the softtoken.
 *
 * Login is token-wide, not per-session: on success the slot is marked
 * authenticated, private token objects are loaded from the keystore and
 * EVERY open session's state is moved to CKS_R[OW]_USER_FUNCTIONS.  The
 * hSession argument only serves to validate that the caller holds a
 * live session.  Only CKU_USER is supported; CKU_SO is rejected.
 *
 * The PIN is never copied or retained here; it is passed straight to
 * soft_login().  Argument checks run in this order: keystore loaded,
 * user type, PIN length range, non-NULL PIN.
 *
 * Returns CKR_OK on success (also when the PIN has never been set and
 * userpin_change_needed is reported instead of authenticating),
 * CKR_USER_ALREADY_LOGGED_IN if the slot is already authenticated, or
 * the CKR_* code from the failing check / soft_login() / keystore load.
 */
CK_RV
C_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin,
    CK_ULONG ulPinLen)
{

	soft_session_t *session_p, *sp;
	CK_RV rv;
	/* Session mutex of session_p is never taken in this function. */
	boolean_t lock_held = B_FALSE;

	if (!softtoken_initialized)
		return (CKR_CRYPTOKI_NOT_INITIALIZED);

	/*
	 * Obtain the session pointer. Also, increment the session
	 * reference count.
	 */
	rv = handle2session(hSession, &session_p);
	if (rv != CKR_OK)
		return (rv);

	/* Check the load status of keystore */
	if (!soft_keystore_status(KEYSTORE_LOAD)) {
		SES_REFRELE(session_p, lock_held);
		return (CKR_DEVICE_REMOVED);
	}

	/* softtoken has no security officer role. */
	if (userType != CKU_USER) {
		SES_REFRELE(session_p, lock_held);
		return (CKR_USER_TYPE_INVALID);
	}

	/* Length is range-checked before the pointer itself. */
	if ((ulPinLen < MIN_PIN_LEN) || (ulPinLen > MAX_PIN_LEN)) {
		SES_REFRELE(session_p, lock_held);
		return (CKR_PIN_LEN_RANGE);
	}

	if (pPin == NULL_PTR) {
		/*
		 * We don't support CKF_PROTECTED_AUTHENTICATION_PATH
		 */
		SES_REFRELE(session_p, lock_held);
		return (CKR_ARGUMENTS_BAD);
	}

	/*
	 * The authenticated check and soft_login() run under the giant
	 * lock so concurrent C_Login calls are serialized and cannot both
	 * observe "not yet authenticated".
	 */
	(void) pthread_mutex_lock(&soft_giant_mutex);
	if (soft_slot.authenticated) {
		(void) pthread_mutex_unlock(&soft_giant_mutex);
		SES_REFRELE(session_p, lock_held);
		return (CKR_USER_ALREADY_LOGGED_IN);
	}

	rv = soft_login(pPin, ulPinLen);
	if (rv == CKR_OK) {
		if (soft_slot.userpin_change_needed) {
			/*
			 * This is the special case when the PIN is never
			 * initialized in the keystore, which will always
			 * return CKR_OK with "userpin_change_needed" set.
			 *
			 * Note that the slot is NOT marked authenticated and
			 * session states are left unchanged in this case.
			 */
			(void) pthread_mutex_unlock(&soft_giant_mutex);
			SES_REFRELE(session_p, lock_held);
			return (rv);
		}

		soft_slot.authenticated = 1;
		(void) pthread_mutex_unlock(&soft_giant_mutex);
	} else {
		(void) pthread_mutex_unlock(&soft_giant_mutex);
		SES_REFRELE(session_p, lock_held);
		return (rv);
	}

	/*
	 * Load all the private token objects from keystore.
	 *
	 * NOTE(review): if this load fails, the error is returned but
	 * soft_slot.authenticated stays set and no session is moved to a
	 * USER_FUNCTIONS state, leaving the token "logged in" with no
	 * private objects and the sessions still reporting PUBLIC state.
	 * Consider rolling back here the way C_Logout does (soft_logout()
	 * and authenticated = 0 under soft_giant_mutex) -- confirm against
	 * soft_login()/soft_logout() before changing.
	 */
	rv = soft_get_token_objects_from_keystore(PRI_TOKENOBJS);
	if (rv != CKR_OK) {
		SES_REFRELE(session_p, lock_held);
		return (rv);
	}

	/* Acquire the global session list lock */
	(void) pthread_mutex_lock(&soft_sessionlist_mutex);

	sp = soft_session_list;

	/*
	 * Login applies to every session on the token: promote each one
	 * to the user-functions state matching its R/W flag.  Each
	 * session's own mutex is taken while its state is written.
	 */
	while (sp) {
		(void) pthread_mutex_lock(&sp->session_mutex);

		if (sp->flags & CKF_RW_SESSION) {
			sp->state = CKS_RW_USER_FUNCTIONS;
		} else {
			sp->state = CKS_RO_USER_FUNCTIONS;
		}
		(void) pthread_mutex_unlock(&sp->session_mutex);
		sp = sp->next;
	}

	(void) pthread_mutex_unlock(&soft_sessionlist_mutex);

	SES_REFRELE(session_p, lock_held);
	return (rv);

}
2N/A
/*
 * C_Logout: log the normal user out of the softtoken.
 *
 * Like login, logout is token-wide: soft_logout() is invoked under the
 * giant lock, the slot's authenticated flag is cleared and every open
 * session is demoted to CKS_R[OW]_PUBLIC_SESSION.  The hSession argument
 * only validates that the caller holds a live session.
 *
 * When the slot is not authenticated there are two outcomes: if the PIN
 * was never initialized (userpin_change_needed set) the pending flag is
 * simply cleared and CKR_OK is returned; otherwise the call fails with
 * CKR_USER_NOT_LOGGED_IN.
 *
 * NOTE(review): the purge of in-core private token objects and any
 * keystore-derived key material is expected to happen inside
 * soft_logout(); it is not done in this function -- confirm.
 */
CK_RV
C_Logout(CK_SESSION_HANDLE hSession)
{
	soft_session_t *session_p;
	soft_session_t *cur;
	CK_RV rv;
	/* Session mutex of session_p is never taken in this function. */
	boolean_t ses_lock_held = B_FALSE;

	if (!softtoken_initialized)
		return (CKR_CRYPTOKI_NOT_INITIALIZED);

	/* Look up the session and take a reference on it. */
	rv = handle2session(hSession, &session_p);
	if (rv != CKR_OK)
		return (rv);

	(void) pthread_mutex_lock(&soft_giant_mutex);

	if (!soft_slot.authenticated) {
		if (soft_slot.userpin_change_needed) {
			/* PIN never initialized: nothing to log out of. */
			soft_slot.userpin_change_needed = 0;
			rv = CKR_OK;
		} else {
			/* PIN is initialized but nobody is logged in. */
			rv = CKR_USER_NOT_LOGGED_IN;
		}
		(void) pthread_mutex_unlock(&soft_giant_mutex);
		SES_REFRELE(session_p, ses_lock_held);
		return (rv);
	}

	soft_logout();
	soft_slot.authenticated = 0;
	(void) pthread_mutex_unlock(&soft_giant_mutex);

	/*
	 * Demote every session to its public state.  The list lock pins
	 * the list while we walk it; each session's mutex guards its
	 * state field.
	 */
	(void) pthread_mutex_lock(&soft_sessionlist_mutex);
	for (cur = soft_session_list; cur != NULL; cur = cur->next) {
		(void) pthread_mutex_lock(&cur->session_mutex);
		cur->state = (cur->flags & CKF_RW_SESSION) ?
		    CKS_RW_PUBLIC_SESSION : CKS_RO_PUBLIC_SESSION;
		(void) pthread_mutex_unlock(&cur->session_mutex);
	}
	(void) pthread_mutex_unlock(&soft_sessionlist_mutex);

	SES_REFRELE(session_p, ses_lock_held);
	return (rv);
}