changeset 2940:9c02516c8e86

6464106 contexts and key schedules might not be cleared all the time 6480958 "Keystore version failure" warning message should be moved to LOG_DEBUG
author izick
date Tue, 17 Oct 2006 14:57:56 -0700
parents fac46b1b7c81
children c9db5d0a909b
files usr/src/lib/pkcs11/pkcs11_softtoken/common/softBlowfishCrypt.c usr/src/lib/pkcs11/pkcs11_softtoken/common/softDecrypt.c usr/src/lib/pkcs11/pkcs11_softtoken/common/softEncrypt.c usr/src/lib/pkcs11/pkcs11_softtoken/common/softEncryptUtil.c usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeys.c usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c usr/src/lib/pkcs11/pkcs11_softtoken/common/softSign.c usr/src/lib/pkcs11/pkcs11_softtoken/common/softSignUtil.c usr/src/lib/pkcs11/pkcs11_softtoken/common/softVerify.c
diffstat 9 files changed, 111 insertions(+), 130 deletions(-) [+]
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softBlowfishCrypt.c	Tue Oct 17 12:33:42 2006 -0700
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softBlowfishCrypt.c	Tue Oct 17 14:57:56 2006 -0700
@@ -1,5 +1,25 @@
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -264,14 +284,14 @@
 				    (ulDataLen - remain), remain);
 
 			soft_blowfish_ctx->remain_len = remain;
+			return (CKR_OK);
 		}
 
-		return (CKR_OK);
+	} else {
+		*pulEncryptedLen = 0;
+		rv = CKR_FUNCTION_FAILED;
 	}
 
-	*pulEncryptedLen = 0;
-	rv = CKR_FUNCTION_FAILED;
-
 cleanup:
 	(void) pthread_mutex_lock(&session_p->session_mutex);
 	blowfish_ctx = (blowfish_ctx_t *)soft_blowfish_ctx->blowfish_cbc;
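Review bot: The `cleanup:` label is now reached on success as well as on failure, because a successful call that does not take the inner `return (CKR_OK);` falls out of the `if` into it, and nothing in the hunk says so. A comment above the label such as `/* Reached on success too: the operation is complete, so release the Blowfish context. */` would keep a later reader from restoring the unconditional return. The rest of the cleanup block lies outside the hunk, so it is not visible whether the key schedule is zeroed before it is freed; given the bug synopsis, that is worth confirming.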
@@ -321,7 +341,7 @@
 		}
 
 		/*
-		 * If application asks for the length of the putput buffer
+		 * If application asks for the length of the output buffer
 		 * to hold the plaintext?
 		 */
 		if (pData == NULL) {
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDecrypt.c	Tue Oct 17 12:33:42 2006 -0700
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softDecrypt.c	Tue Oct 17 14:57:56 2006 -0700
@@ -181,20 +181,9 @@
 		return (rv);
 	}
 
-	/*
-	 * Normal exit.
-	 * Terminates the active encrypt operation.
-	 * Application needs to call C_EncryptInit again for next
-	 * encrypt operation.
-	 */
-	(void) pthread_mutex_lock(&session_p->session_mutex);
-	session_p->decrypt.flags = 0;
-	lock_held = B_TRUE;
-	SES_REFRELE(session_p, lock_held);
-	return (rv);
-
 clean_exit:
-	soft_crypt_cleanup(session_p, B_FALSE, lock_held);
+	/* Clear context, free key, and release session counter */
+	soft_crypt_cleanup(session_p, B_FALSE, B_FALSE);
 
 	return (rv);
 }
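Review bot: Passing a literal `B_FALSE` instead of `lock_held` at `clean_exit:` is only safe if no `goto clean_exit` is reached with `session_p->session_mutex` held; the gotos are above the hunk, so this cannot be checked from here. If `soft_crypt_cleanup()` takes the mutex itself when told it is not held, a path that arrives with the lock held would block on its own lock. Either keep passing `lock_held` or state the invariant in the new comment, e.g. `/* session_mutex is never held on a path to clean_exit */`. The same substitution is made in the softEncrypt.c hunk.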
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEncrypt.c	Tue Oct 17 12:33:42 2006 -0700
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEncrypt.c	Tue Oct 17 14:57:56 2006 -0700
@@ -183,21 +183,9 @@
 		return (rv);
 	}
 
-	/*
-	 * Normal exit.
-	 * Terminates the active encrypt operation.
-	 * Application needs to call C_EncryptInit again for next
-	 * encrypt operation.
-	 */
-	(void) pthread_mutex_lock(&session_p->session_mutex);
-	session_p->encrypt.flags = 0;
-	lock_held = B_TRUE;
-	SES_REFRELE(session_p, lock_held);
-	return (rv);
-
 clean_exit:
-	soft_crypt_cleanup(session_p, B_TRUE, lock_held);
-
+	/* Clear context, free key, and release session counter */
+	soft_crypt_cleanup(session_p, B_TRUE, B_FALSE);
 	return (rv);
 }
 
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEncryptUtil.c	Tue Oct 17 12:33:42 2006 -0700
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softEncryptUtil.c	Tue Oct 17 14:57:56 2006 -0700
@@ -868,7 +868,18 @@
 
 	case CKM_RSA_X_509:
 	case CKM_RSA_PKCS:
+	{
+		soft_rsa_ctx_t *rsa_ctx =
+		    (soft_rsa_ctx_t *)active_op->context;
+
+		if (rsa_ctx != NULL)
+			if (rsa_ctx->key != NULL) {
+				soft_cleanup_object(rsa_ctx->key);
+				free(rsa_ctx->key);
+			}
+
 		break;
+	}
 
 	} /* switch */
 
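Review bot: `rsa_ctx->key` is left pointing at freed memory after `free(rsa_ctx->key);`, so a second pass through this cleanup on the same context, or any later read of the key before the context is released, would be a double free or use-after-free. Adding `rsa_ctx->key = NULL;` after the `free()` closes that off; the code after the switch is outside the hunk and may free the context straight away, but the assignment costs nothing. The same applies to the RSA and DSA arms added in softSignUtil.c. The outer `if (rsa_ctx != NULL)` here also has no braces around its nested `if`, whereas softSignUtil.c writes the same test as `if (rsa_ctx != NULL && rsa_ctx->key != NULL) {`, which is easier to read.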
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeys.c	Tue Oct 17 12:33:42 2006 -0700
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeys.c	Tue Oct 17 14:57:56 2006 -0700
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -201,8 +200,13 @@
 	    hkey_p, pWrappedKey, pulWrappedKeyLen);
 
 	(void) pthread_mutex_lock(&session_p->session_mutex);
+
+	lock_held = B_TRUE;
 	session_p->encrypt.flags = 0;
-	lock_held = B_TRUE;
+
+	if ((rv == CKR_OK && pWrappedKey == NULL) ||
+	    rv == CKR_BUFFER_TOO_SMALL)
+		soft_crypt_cleanup(session_p, B_TRUE, lock_held);
 
 clean_exit2:
 	OBJ_REFRELE(hkey_p);
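Review bot: The condition guarding the new `soft_crypt_cleanup()` call is unexplained, and it is not obvious why only a length query (`rv == CKR_OK && pWrappedKey == NULL`) and `CKR_BUFFER_TOO_SMALL` need cleanup here. Presumably those are the outcomes on which the wrapping call leaves the encrypt context and key in place; if so, say it above the `if`: `/* A length query or short buffer leaves the encrypt context active; release it here. */`. The two-line condition would also be safer with braces around its body.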
@@ -297,6 +301,11 @@
 	    phKey);
 
 	(void) pthread_mutex_lock(&session_p->session_mutex);
+
+	if ((rv == CKR_OK && pWrappedKey == NULL) ||
+	    rv == CKR_BUFFER_TOO_SMALL)
+		soft_crypt_cleanup(session_p, B_TRUE, lock_held);
+
 	session_p->decrypt.flags = 0;
 	lock_held = B_TRUE;
 
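Review bot: `soft_crypt_cleanup(session_p, B_TRUE, lock_held)` is called here with `session_mutex` held but before `lock_held = B_TRUE;` two lines later, so unless `lock_held` was already true the callee is told the lock is free, and if it then takes the mutex itself the thread blocks on its own lock. The first softKeys.c hunk sets `lock_held` before its call; do the same here by moving `lock_held = B_TRUE;` above the `if`. The second argument also looks copied from that hunk: the other call sites in this change pass `B_TRUE` for encrypt and `B_FALSE` for decrypt, and this path resets `session_p->decrypt.flags`, so `soft_crypt_cleanup(session_p, B_FALSE, lock_held);` is probably what was meant. The call above ends in `phKey`, so `pWrappedKey == NULL` is unlikely to mean a length query here and should be checked against the function's parameters, which are outside the hunk.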
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c	Tue Oct 17 12:33:42 2006 -0700
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softKeystoreUtil.c	Tue Oct 17 14:57:56 2006 -0700
@@ -3030,7 +3030,7 @@
 			else {
 				soft_slot.keystore_load_status =
 				    KEYSTORE_UNAVAILABLE;
-				cryptoerror(LOG_ERR,
+				cryptoerror(LOG_DEBUG,
 				    "pkcs11_softtoken: "
 				    "Cannot create keystore.");
 				break;
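Review bot: The commit description mentions only the "Keystore version failure" message, but this hunk and the third hunk in this file also demote "Cannot create keystore." and "Cannot initialize keystore." from `LOG_ERR` to `LOG_DEBUG`. All three paths set `keystore_load_status` to `KEYSTORE_UNAVAILABLE`, so after this change a keystore that cannot be created or initialised will typically leave no trace at the usual logging levels. If that is intended, the description should say so; otherwise keep `LOG_ERR` for these two messages and demote only the version check.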
@@ -3044,8 +3044,8 @@
 		if (soft_keystore_get_version(&soft_slot.ks_version, B_FALSE)
 		    != 0) {
 			soft_slot.keystore_load_status = KEYSTORE_UNAVAILABLE;
-			cryptoerror(LOG_ERR,
-			    "pkcs11_softtoken: Keystore version failure.");
+			cryptoerror(LOG_DEBUG,
+			    "pkcs11_softtoken: Keystore access failed.");
 			break;
 		}
 
@@ -3060,7 +3060,7 @@
 		    != CKR_OK) {
 			(void) soft_destroy_token_session();
 			soft_slot.keystore_load_status = KEYSTORE_UNAVAILABLE;
-			cryptoerror(LOG_ERR,
+			cryptoerror(LOG_DEBUG,
 			    "pkcs11_softtoken: Cannot initialize keystore.");
 			break;
 		}
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSign.c	Tue Oct 17 12:33:42 2006 -0700
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSign.c	Tue Oct 17 14:57:56 2006 -0700
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -167,18 +166,8 @@
 		return (rv);
 	}
 
-	/*
-	 * Terminates the active sign operation.
-	 * Application needs to call C_SignInit again for next
-	 * sign operation.
-	 */
-	(void) pthread_mutex_lock(&session_p->session_mutex);
-	session_p->sign.flags = 0;
-	lock_held = B_TRUE;
-	SES_REFRELE(session_p, lock_held);
-	return (rv);
-
 clean_exit:
+	/* Clear contexts, free key, and release session counter */
 	soft_sign_verify_cleanup(session_p, B_TRUE, B_FALSE);
 	return (rv);
 }
@@ -236,10 +225,7 @@
 	}
 
 clean_exit:
-	/*
-	 * After an error occurred, terminate the current sign
-	 * operation by resetting the active and update flags.
-	 */
+	/* After error, clear context, free key, & release session counter */
 	soft_sign_verify_cleanup(session_p, B_TRUE, B_FALSE);
 	return (rv);
 
@@ -296,14 +282,9 @@
 		SES_REFRELE(session_p, lock_held);
 		return (rv);
 	}
-	/* Terminates the active sign operation */
-	(void) pthread_mutex_lock(&session_p->session_mutex);
-	session_p->sign.flags = 0;
-	lock_held = B_TRUE;
-	SES_REFRELE(session_p, lock_held);
-	return (rv);
 
 clean_exit:
+	/* Clear contexts, free key, and release session counter */
 	soft_sign_verify_cleanup(session_p, B_TRUE, B_FALSE);
 	return (rv);
 }
@@ -428,20 +409,7 @@
 	}
 
 clean_exit:
-	(void) pthread_mutex_lock(&session_p->session_mutex);
-	lock_held = B_TRUE;
-	session_p->sign.flags = 0;
-	/*
-	 * Free the active context right here. We don't need to call
-	 * soft_sign_verify_cleanup() because this function is only
-	 * applicable to CKM_RSA_PKCS and CKM_RSA_X_509 that only has
-	 * one active context.
-	 */
-	if (session_p->sign.context != NULL) {
-		free(session_p->sign.context);
-		session_p->sign.context = NULL;
-	}
-	SES_REFRELE(session_p, lock_held);
-
+	/* Clear contexts, free key, and release session counter */
+	soft_sign_verify_cleanup(session_p, B_TRUE, B_FALSE);
 	return (rv);
 }
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSignUtil.c	Tue Oct 17 12:33:42 2006 -0700
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSignUtil.c	Tue Oct 17 14:57:56 2006 -0700
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -437,19 +436,46 @@
 	case CKM_SHA256_RSA_PKCS:
 	case CKM_SHA384_RSA_PKCS:
 	case CKM_SHA512_RSA_PKCS:
+		if (session_p->digest.context != NULL) {
+			free(session_p->digest.context);
+			session_p->digest.context = NULL;
+			session_p->digest.flags = 0;
+		}
+		/* FALLTHRU */
+
+	case CKM_RSA_PKCS:
+	case CKM_RSA_X_509:
+	{
+		soft_rsa_ctx_t *rsa_ctx =
+		    (soft_rsa_ctx_t *)active_op->context;
+
+		if (rsa_ctx != NULL && rsa_ctx->key != NULL) {
+			soft_cleanup_object(rsa_ctx->key);
+			free(rsa_ctx->key);
+		}
+		break;
+
+	}
 	case CKM_DSA_SHA1:
 		if (session_p->digest.context != NULL) {
 			free(session_p->digest.context);
 			session_p->digest.context = NULL;
 			session_p->digest.flags = 0;
 		}
+
+		/* FALLTHRU */
+	case CKM_DSA:
+	{
+		soft_dsa_ctx_t *dsa_ctx =
+		    (soft_dsa_ctx_t *)active_op->context;
+
+		if (dsa_ctx != NULL && dsa_ctx->key != NULL) {
+			soft_cleanup_object(dsa_ctx->key);
+			free(dsa_ctx->key);
+		}
 		break;
 
-	case CKM_RSA_PKCS:
-	case CKM_RSA_X_509:
-	case CKM_DSA:
-		break;
-
+	}
 	case CKM_SSL3_MD5_MAC:
 	case CKM_SSL3_SHA1_MAC:
 	case CKM_MD5_HMAC_GENERAL:
--- a/usr/src/lib/pkcs11/pkcs11_softtoken/common/softVerify.c	Tue Oct 17 12:33:42 2006 -0700
+++ b/usr/src/lib/pkcs11/pkcs11_softtoken/common/softVerify.c	Tue Oct 17 14:57:56 2006 -0700
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -154,18 +153,9 @@
 
 	rv = soft_verify(session_p, pData, ulDataLen, pSignature,
 	    ulSignatureLen);
-	/*
-	 * Always terminate the active verify operation.
-	 * Application needs to call C_VerifyInit again for next
-	 * verify operation.
-	 */
-	(void) pthread_mutex_lock(&session_p->session_mutex);
-	session_p->verify.flags = 0;
-	lock_held = B_TRUE;
-	SES_REFRELE(session_p, lock_held);
-	return (rv);
 
 clean_exit:
+	/* Clear context, free key, and release session counter */
 	soft_sign_verify_cleanup(session_p, B_FALSE, B_FALSE);
 	return (rv);
 }
@@ -223,10 +213,7 @@
 	}
 
 clean_exit:
-	/*
-	 * After an error occurred, terminate the current verify
-	 * operation by resetting the active and update flags.
-	 */
+	/* After error, clear context, free key, & release session counter */
 	soft_sign_verify_cleanup(session_p, B_FALSE, B_FALSE);
 
 	return (rv);
@@ -268,12 +255,8 @@
 	rv = soft_verify_final(session_p, pSignature, ulSignatureLen);
 
 clean_exit:
-	/* Always terminate the active verify operation */
-	(void) pthread_mutex_lock(&session_p->session_mutex);
-	session_p->verify.flags = 0;
-	lock_held = B_TRUE;
-	SES_REFRELE(session_p, lock_held);
-
+	/* Clear contexts, free key, and release session counter */
+	soft_sign_verify_cleanup(session_p, B_FALSE, B_FALSE);
 	return (rv);
 }
 
@@ -396,20 +379,7 @@
 	}
 
 clean_exit:
-	(void) pthread_mutex_lock(&session_p->session_mutex);
-	lock_held = B_TRUE;
-	session_p->verify.flags = 0;
-	/*
-	 * Free the active context right here. We don't need to call
-	 * soft_sign_verify_cleanup() because this function is only
-	 * applicable to CKM_RSA_PKCS and CKM_RSA_X_509 that only has
-	 * one active context.
-	 */
-	if (session_p->verify.context != NULL) {
-		free(session_p->verify.context);
-		session_p->verify.context = NULL;
-	}
-	SES_REFRELE(session_p, lock_held);
-
+	/* Clear context, free key, and release session counter */
+	soft_sign_verify_cleanup(session_p, B_FALSE, B_FALSE);
 	return (rv);
 }