Wouter, Jason,
Jason emphasized the important part of the Base Specification: if pBuf != NULL and the buffer is too small, then the _exact_ buffer length required for
the output must be returned. In contrast, if pBuf == NULL you can return a size which is a little bit larger.
The latter you can perfectly estimate from the mechanism and from the ciphertext size. The former is really only known after decryption.
Thus, yes: you need to rollback to the state before the C_Decrypt operation. For some mechanisms, itâs even required to store internal state on success. For
example, for CKM_AES_GCM the Current Mechanisms Specification says: âNote: since CKM_AES_GCM is an AEAD cipher, no data should be returned until C_Decrypt() or C_DecryptFinal().â
Fortunately, the User Guide says in section 2.6.7: âIn general, a single session can perform only one operation at a timeâ. Thus, you donât have to support multiple
en/decryption operations at the same time and store all their internal states since there can be only one.
Regards,
Daniel
From: pkcs11-comment@lists.oasis-open.org <pkcs11-comment@lists.oasis-open.org>
On Behalf Of Wouter Verhelst
Sent: Freitag, 14. Juni 2019 13:34
To: pkcs11-comment@lists.oasis-open.org
Subject: Re: [pkcs11-comment] C_Decrypt / C_DecryptFinal behavior
Jason King schreef op do 13-06-2019 om 22:17 [-0700]:
Itâs not for any application Iâm writing â I have a PKCS#11 provider and have to deal with applications that are using the provider, but are perhaps doing things in a less
than sane manner, but arguably compliant with the spec.
The PKCS11-base section 5.2 explains the expected behavior for output buffers:
if pBuf == NULL, *pulBufLen is set to a value big enough to hold the output (but possible a bit larger) and CKR_OK is returned, and the operation can be retried.
If pBuf != NULL, if *pulBufLen is too small, *pulBufLen is set to the _exact_ value required for the output and CKR_BUFFER_TOO_SMALL is returned (emphasis in the spec).
In PKCS11-base section 5.8 for C_Decrypt, it says âa call to C_Decrypt always terminates the active decryption operation _unless_ it returns CKR_BUFFER_TOO_SMALL or is a
successful call (i.e. one which returns CKR_OK) to determine the length of the buffer needed to hold the plaintext' (emphasis mine). That means in my example, C_Decrypt is supposed to return CKR_BUFFER_TOO_SMALL, and the decrypt operation is not terminated.
What does it mean if the active decryption operation is not terminated? My understanding is that it means C_Decrypt can be called again until the operation is terminated (i.e. pData != NULL or returns an error other than CKR_BUFFER_TOO_SMALL). Iâm not sure
what else it could mean.
It also doesn't say that you need to have performed a (partial) decrypt operation, nor that you can't return CKR_BUFFER_TOO_SMALL even when after the decrypt operation it
turns out that things could have fit after all.
So what you want to do is:
- If the buffer is less than the maximum expected possible size of the decrypted data: return CKR_BUFFER_TOO_SMALL immediately, don't decrypt anything.
- If the buffer is
not less than that value: decrypt, store things in the buffer, return CKR_OK (unless the decrypt operation failed for other reasons, of course).