Dan,

>> I am suggesting the
>> following code -
>>     encrypt_update.eu_flags =
>>         ((pPart == pEncryptedPart) ||
>>         (INPLACE_MECHANISM(session_p->encrypt.mech.mechanism) &&
>>         (pEncryptedPart != NULL) &&
>>         (encrypt_update.eu_encrlen == encrypt_update.eu_datalen))) ?
>>         CRYPTO_INPLACE_OPERATION : 0;
>> The same check can be done for the single part routines, C_Encrypt() and
>> C_Decrypt().
>>
>
> ACCEPTED, with a variation.
>
> I tried what you suggested and it failed the STC2 EF testbed.
> This seems to indicate a bug in the test suite or the PKCS #11 libraries.
> However, this minor variation worked OK:
>     encrypt_update.eu_flags =
>         (((session_p->encrypt.flags & CRYPTO_OPERATION_INPLACE_OK) != 0)
>         &&
>         ((pEncryptedPart != NULL) || (pPart == pEncryptedPart)) &&
>         (encrypt_update.eu_encrlen == encrypt_update.eu_datalen)) ?
>         CRYPTO_INPLACE_OPERATION : 0;
> That is, pEncryptedPart has to be either NULL or equal to pPart (cleartext).
> No shortcutting the mechanism or length checks as done above.
>

I am afraid this makes it useless. The PKCS #11 inplace check is needed to
help clients such as encrypt(1) which use mechanisms like CKM_AES_CBC_PAD
that fail the INPLACE_MECHANISM() test. So, the check needs to be standalone.

-Krishna