diff -urNp openssh-4.4p1/authfd.c openssh-4.4p1+pkcs11-0.17/authfd.c
 --- openssh-4.4p1/authfd.c  2006-09-01 08:38:36.000000000 +0300
 +++ openssh-4.4p1+pkcs11-0.17/authfd.c  2006-10-12 13:59:59.000000000 +0200
 @@ -669,3 +669,79 @@ decode_reply(int type)
     /* NOTREACHED */
     return 0;
  }
 +
 +#ifndef SSH_PKCS11_DISABLED
 +
 +int
 +ssh_pkcs11_add_provider (AuthenticationConnection *auth, const char *provider,
 +   int protected_authentication, const char *sign_mode, int cert_private)
 +{
 +   Buffer msg;
 +   int type;
 +   int code;
 +
 +   code = SSH_AGENTC_PKCS11_ADD_PROVIDER;
 +
 +   buffer_init(&msg);
 +   buffer_put_char(&msg, code);
 +   buffer_put_cstring(&msg, provider);
 +   buffer_put_int(&msg, protected_authentication);
 +   buffer_put_cstring(&msg, sign_mode == NULL ? "auto" : sign_mode);
 +   buffer_put_int(&msg, cert_private);
 +
 +   if (ssh_request_reply(auth, &msg, &msg) == 0) {
 +       buffer_free(&msg);
 +       return 0;
 +   }
 +   type = buffer_get_char(&msg);
 +   buffer_free(&msg);
 +   return decode_reply(type);
 +}
 +
 +int
 +ssh_pkcs11_id (AuthenticationConnection *auth, const pkcs11_identity *id, int remove)
 +{
 +   Buffer msg;
 +   int type;
 +   int code;
 +
 +   code = remove ? SSH_AGENTC_PKCS11_REMOVE_ID : SSH_AGENTC_PKCS11_ADD_ID;
 +
 +   buffer_init(&msg);
 +   buffer_put_char(&msg, code);
 +   buffer_put_cstring(&msg, id->id);
 +   buffer_put_int(&msg, id->pin_cache_period);
 +   buffer_put_cstring(&msg, id->cert_file == NULL ? "" : id->cert_file);
 +
 +   if (ssh_request_reply(auth, &msg, &msg) == 0) {
 +       buffer_free(&msg);
 +       return 0;
 +   }
 +   type = buffer_get_char(&msg);
 +   buffer_free(&msg);
 +   return decode_reply(type);
 +}
 +
 +int
 +ssh_pkcs11_set_ask_pin (AuthenticationConnection *auth, const char *pin_prog)
 +{
 +   Buffer msg;
 +   int type;
 +   int code;
 +
 +   code = SSH_AGENTC_PKCS11_SET_ASK_PIN;
 +
 +   buffer_init(&msg);
 +   buffer_put_char(&msg, code);
 +   buffer_put_cstring(&msg, pin_prog);
 +
 +   if (ssh_request_reply(auth, &msg, &msg) == 0) {
 +       buffer_free(&msg);
 +       return 0;
 +   }
 +   type = buffer_get_char(&msg);
 +   buffer_free(&msg);
 +   return decode_reply(type);
 +}
 +
 +#endif /* SSH_PKCS11_DISABLED */
 diff -urNp openssh-4.4p1/authfd.h openssh-4.4p1+pkcs11-0.17/authfd.h
 --- openssh-4.4p1/authfd.h  2006-08-05 05:39:39.000000000 +0300
 +++ openssh-4.4p1+pkcs11-0.17/authfd.h  2006-10-12 13:57:49.000000000 +0200
 @@ -16,6 +16,8 @@
  #ifndef AUTHFD_H
  #define AUTHFD_H
  
 +#include "pkcs11.h"
 +
  /* Messages for the authentication agent connection. */
  #define SSH_AGENTC_REQUEST_RSA_IDENTITIES  1
  #define SSH_AGENT_RSA_IDENTITIES_ANSWER        2
 @@ -49,6 +51,11 @@
  #define SSH2_AGENTC_ADD_ID_CONSTRAINED     25
  #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
  
 +#define SSH_AGENTC_PKCS11_ADD_PROVIDER     27
 +#define SSH_AGENTC_PKCS11_ADD_ID       28
 +#define SSH_AGENTC_PKCS11_REMOVE_ID        29
 +#define SSH_AGENTC_PKCS11_SET_ASK_PIN      30
 +
  #define    SSH_AGENT_CONSTRAIN_LIFETIME        1
  #define    SSH_AGENT_CONSTRAIN_CONFIRM     2
  
 @@ -92,4 +99,11 @@ int
  ssh_agent_sign(AuthenticationConnection *, Key *, u_char **, u_int *, u_char *,
      u_int);
  
 +#ifndef SSH_PKCS11_DISABLED
 +int    ssh_pkcs11_add_provider (AuthenticationConnection *, const char *,
 +    int, const char *, int);
 +int    ssh_pkcs11_id (AuthenticationConnection *, const pkcs11_identity *, int remove);
 +int    ssh_pkcs11_set_ask_pin (AuthenticationConnection *, const char *);
 +#endif /* SSH_PKCS11_DISABLED */
 +
  #endif             /* AUTHFD_H */
 diff -urNp openssh-4.4p1/ChangeLog.pkcs11 openssh-4.4p1+pkcs11-0.17/ChangeLog.pkcs11
 --- openssh-4.4p1/ChangeLog.pkcs11  1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/ChangeLog.pkcs11  2006-10-23 17:36:52.000000000 +0200
 @@ -0,0 +1,49 @@
 +20061023
 + - (alonbl) Removed logit from ssh-agent, thanks to Denniston, Todd.
 + - (alonbl) Release 0.17
 +
 +20061020
 + - (alonbl) Major modification of ssh-add command-line parameters.
 +   Now, a complete serialized certificate needs to be specified, this
 +   in order to allow people to add id without forcing card to be available.
 +   But to allow complete silent addition a certificate file also needed.
 +   --pkcs11-show-ids is used in order to get a list of resources.
 +   --pkcs11-add-id --pkcs11-id <serialized id> \
 +      [--pkcs11-cert-file <cert_file>]
 + - (alonbl) PKCS#11 release 0.16
 +
 +20061012
 + - (alonbl) OpenSC bug workaround.
 + - (alonbl) PKCS#11 release 0.15
 +
 +20060930
 + - (alonbl) Some pkcs11-helper updates.
 + - (alonbl) Rebase against 4.4p1.
 + - (alonbl) PKCS#11 release 0.14
 +
 +20060709
 + - (alonbl) PKCS#11 fixed handling multiproviders.
 + - (alonbl) PKCS#11 release 0.13
 +
 +20060608
 + - (alonbl) PKCS#11 modifed to match X.509-5.5 patch, works OK with focing
 +   ssh-rsa id.
 + - (alonbl) PKCS#11 removed --pkcs11-x509-force-ssh argument.
 + - (alonbl) PKCS#11 release 0.12
 +
 +20060527
 + - (alonbl) PKCS#11 fix issues with gcc-2
 + - (alonbl) PKCS#11 fix issues with openssl-0.9.6 (first) version.
 + - (alonbl) PKCS#11 modified to match X.509-5.4 patch.
 + - (alonbl) PKCS#11 add --pkcs11-x509-force-ssh argument to force ssh id out
 +   of X.509 certificate.
 + - (alonbl) PKCS#11 release 0.11
 +
 +20060419
 + - (alonbl) PKCS#11 fix handling empty attributes.
 + - (alonbl) PKCS#11 release 0.10
 +
 +20060404
 + - (alonbl) PKCS#11 code sync.
 + - (alonbl) PKCS#11 release 0.09
 +
 diff -urNp openssh-4.4p1/config.h.in openssh-4.4p1+pkcs11-0.17/config.h.in
 --- openssh-4.4p1/config.h.in   2006-09-26 14:03:33.000000000 +0300
 +++ openssh-4.4p1+pkcs11-0.17/config.h.in   2006-09-28 16:31:03.000000000 +0300
 @@ -1217,6 +1217,12 @@
  /* Use audit debugging module */
  #undef SSH_AUDIT_EVENTS
  
 +/* Define if you don't want use PKCS#11 */
 +#undef SSH_PKCS11_DISABLED
 +
 +/* Define if you don't want use X509 with PKCS#11 */
 +#undef SSH_PKCS11_X509_DISABLED
 +
  /* non-privileged user for privilege separation */
  #undef SSH_PRIVSEP_USER
  
 diff -urNp openssh-4.4p1/configure openssh-4.4p1+pkcs11-0.17/configure
 --- openssh-4.4p1/configure 2006-09-26 14:03:41.000000000 +0300
 +++ openssh-4.4p1+pkcs11-0.17/configure 2006-09-28 16:33:53.000000000 +0300
 @@ -1307,6 +1307,7 @@ Optional Features:
    --disable-libutil       disable use of libutil (login() etc.) no
    --disable-pututline     disable use of pututline() etc. (uwtmp) no
    --disable-pututxline    disable use of pututxline() etc. (uwtmpx) no
 +  --disable-pkcs11        Disable PKCS#11 support
  
  Optional Packages:
    --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
 @@ -32163,6 +32164,33 @@ if test ! -z "$blibpath" ; then
  echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;}
  fi
  
 +ssh_pkcs11="yes"
 +ssh_pkcs11_x509="yes"
 +# Check whether --enable-pkcs11 was given.
 +if test "${enable_pkcs11+set}" = set; then
 +  enableval=$enable_pkcs11;
 +   if test "x$enableval" = "xno"; then
 +       ssh_pkcs11="no"
 +   fi
 +
 +
 +fi
 +
 +if test "x$ssh_pkcs11" = "xno"; then
 +
 +cat >>confdefs.h <<_ACEOF
 +#define SSH_PKCS11_DISABLED 1
 +_ACEOF
 +
 +fi
 +if test "x$ssh_x509" = "x"; then
 +
 +cat >>confdefs.h <<_ACEOF
 +#define SSH_PKCS11_X509_DISABLED 1
 +_ACEOF
 +
 +fi
 +
  CFLAGS="$CFLAGS $werror_flags"
  
  
 @@ -33415,6 +33443,7 @@ echo "       IP address in \$DISPLAY hac
  echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
  echo "              Random number source: $RAND_MSG"
 +echo "                   PKCS#11 support: $ssh_pkcs11"
  if test ! -z "$USE_RAND_HELPER" ; then
  echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
  fi
 diff -urNp openssh-4.4p1/configure.ac openssh-4.4p1+pkcs11-0.17/configure.ac
 --- openssh-4.4p1/configure.ac  2006-09-24 22:08:59.000000000 +0300
 +++ openssh-4.4p1+pkcs11-0.17/configure.ac  2006-09-28 08:05:35.000000000 +0300
 @@ -3912,6 +3912,27 @@ if test ! -z "$blibpath" ; then
     AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
  fi
  
 +ssh_pkcs11="yes"
 +ssh_pkcs11_x509="yes"
 +AC_ARG_ENABLE(pkcs11,
 +   [  --disable-pkcs11        Disable PKCS#11 support],
 +   [
 +   if test "x$enableval" = "xno"; then
 +       ssh_pkcs11="no"
 +   fi
 +   ]
 +)
 +if test "x$ssh_pkcs11" = "xno"; then
 +   AC_DEFINE_UNQUOTED(
 +       SSH_PKCS11_DISABLED, 1,
 +       [Define if you don't want use PKCS#11])
 +fi
 +if test "x$ssh_x509" = "x"; then
 +   AC_DEFINE_UNQUOTED(
 +       SSH_PKCS11_X509_DISABLED, 1,
 +       [Define if you don't want use X509 with PKCS#11])
 +fi
 +
  dnl Adding -Werror to CFLAGS early prevents configure tests from running.
  dnl Add now.
  CFLAGS="$CFLAGS $werror_flags"
 @@ -3973,6 +3994,7 @@ echo "       IP address in \$DISPLAY hac
  echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
  echo "              Random number source: $RAND_MSG"
 +echo "                   PKCS#11 support: $ssh_pkcs11"
  if test ! -z "$USE_RAND_HELPER" ; then
  echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
  fi
 diff -urNp openssh-4.4p1/cryptoki.h openssh-4.4p1+pkcs11-0.17/cryptoki.h
 --- openssh-4.4p1/cryptoki.h    1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/cryptoki.h    2006-09-28 08:05:35.000000000 +0300
 @@ -0,0 +1,35 @@
 +/* cryptoki.h include file for PKCS #11. */
 +/* $Revision: 1.4 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
 + * (Cryptoki)" in all material mentioning or referencing this software.
 +
 + * License is also granted to make and use derivative works provided that
 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
 + * referencing the derived work.
 +
 + * RSA Security Inc. makes no representations concerning either the 
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + */
 +
 +#ifndef ___CRYPTOKI_H_INC___
 +#define ___CRYPTOKI_H_INC___
 +
 +#define CK_PTR *
 +
 +#define CK_DEFINE_FUNCTION(returnType, name) returnType name
 +#define CK_DECLARE_FUNCTION(returnType, name) returnType name
 +#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
 +#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
 +
 +#ifndef NULL_PTR
 +#define NULL_PTR 0
 +#endif
 +
 +#include "pkcs11-headers/pkcs11.h"
 +
 +#endif /* ___CRYPTOKI_H_INC___ */
 diff -urNp openssh-4.4p1/cryptoki-win32.h openssh-4.4p1+pkcs11-0.17/cryptoki-win32.h
 --- openssh-4.4p1/cryptoki-win32.h  1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/cryptoki-win32.h  2006-09-28 08:05:35.000000000 +0300
 @@ -0,0 +1,66 @@
 +/* cryptoki.h include file for PKCS #11. */
 +/* $Revision: 1.4 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
 + * (Cryptoki)" in all material mentioning or referencing this software.
 +
 + * License is also granted to make and use derivative works provided that
 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
 + * referencing the derived work.
 +
 + * RSA Security Inc. makes no representations concerning either the 
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + */
 +
 +/* This is a sample file containing the top level include directives
 + * for building Win32 Cryptoki libraries and applications.
 + */
 +
 +#ifndef ___CRYPTOKI_H_INC___
 +#define ___CRYPTOKI_H_INC___
 +
 +#pragma pack(push, cryptoki, 1)
 +
 +/* Specifies that the function is a DLL entry point. */
 +#define CK_IMPORT_SPEC __declspec(dllimport)
 +
 +/* Define CRYPTOKI_EXPORTS during the build of cryptoki libraries. Do
 + * not define it in applications.
 + */
 +#ifdef CRYPTOKI_EXPORTS
 +/* Specified that the function is an exported DLL entry point. */
 +#define CK_EXPORT_SPEC __declspec(dllexport) 
 +#else
 +#define CK_EXPORT_SPEC CK_IMPORT_SPEC 
 +#endif
 +
 +/* Ensures the calling convention for Win32 builds */
 +#define CK_CALL_SPEC __cdecl
 +
 +#define CK_PTR *
 +
 +#define CK_DEFINE_FUNCTION(returnType, name) \
 +  returnType CK_EXPORT_SPEC CK_CALL_SPEC name
 +
 +#define CK_DECLARE_FUNCTION(returnType, name) \
 +  returnType CK_EXPORT_SPEC CK_CALL_SPEC name
 +
 +#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
 +  returnType CK_IMPORT_SPEC (CK_CALL_SPEC CK_PTR name)
 +
 +#define CK_CALLBACK_FUNCTION(returnType, name) \
 +  returnType (CK_CALL_SPEC CK_PTR name)
 +
 +#ifndef NULL_PTR
 +#define NULL_PTR 0
 +#endif
 +
 +#include "pkcs11-headers/pkcs11.h"
 +
 +#pragma pack(pop, cryptoki)
 +
 +#endif /* ___CRYPTOKI_H_INC___ */
 diff -urNp openssh-4.4p1/LICENCE openssh-4.4p1+pkcs11-0.17/LICENCE
 --- openssh-4.4p1/LICENCE   2006-08-30 20:24:41.000000000 +0300
 +++ openssh-4.4p1+pkcs11-0.17/LICENCE   2006-09-28 08:05:35.000000000 +0300
 @@ -332,6 +332,9 @@ OpenSSH contains no GPL code.
     * authorization.                                                           *
     ****************************************************************************/
  
 +    d) PKCS #11: Cryptographic Token Interface Standard
 +
 +   This software uses RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
  
  ------
  $OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
 diff -urNp openssh-4.4p1/Makefile.in openssh-4.4p1+pkcs11-0.17/Makefile.in
 --- openssh-4.4p1/Makefile.in   2006-09-12 14:54:10.000000000 +0300
 +++ openssh-4.4p1+pkcs11-0.17/Makefile.in   2006-09-28 08:05:35.000000000 +0300
 @@ -66,6 +66,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
  
  LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
     canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
 +   pkcs11.o pkcs11-helper.o \
     cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
     compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
     log.o match.o md-sha256.o moduli.o nchan.o packet.o \
 diff -urNp openssh-4.4p1/pkcs11.c openssh-4.4p1+pkcs11-0.17/pkcs11.c
 --- openssh-4.4p1/pkcs11.c  1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/pkcs11.c  2006-10-23 17:35:54.000000000 +0200
 @@ -0,0 +1,1139 @@
 +/*
 + * Copyright (c) 2005-2006 Alon Bar-Lev.  All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
 +
 +/*
 + * The routines in this file deal with providing private key cryptography
 + * using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
 + *
 + */
 +
 +#include "includes.h"
 +#include <sys/wait.h>
 +#include <errno.h>
 +
 +#if !defined(SSH_PKCS11_DISABLED)
 +
 +#include "pkcs11-helper.h"
 +#include "pkcs11.h"
 +#include "openssl/pem.h"
 +#include "misc.h"
 +
 +static
 +char *
 +ssh_from_x509 (X509 *x509);
 +
 +static char *s_szSetPINProg = NULL;
 +
 +static
 +unsigned
 +_pkcs11_msg_pkcs112openssh (
 +   IN const unsigned flags
 +) {
 +   unsigned openssh_flags;
 +
 +   switch (flags) {
 +       case PKCS11H_LOG_DEBUG2:
 +           openssh_flags = SYSLOG_LEVEL_DEBUG3;
 +       break;
 +       case PKCS11H_LOG_DEBUG1:
 +           openssh_flags = SYSLOG_LEVEL_DEBUG2;
 +       break;
 +       case PKCS11H_LOG_INFO:
 +           openssh_flags = SYSLOG_LEVEL_INFO;
 +       break;
 +       case PKCS11H_LOG_WARN:
 +           openssh_flags = SYSLOG_LEVEL_ERROR;
 +       break;
 +       case PKCS11H_LOG_ERROR:
 +           openssh_flags = SYSLOG_LEVEL_FATAL;
 +       break;
 +       default:
 +           openssh_flags = SYSLOG_LEVEL_FATAL;
 +       break;
 +   }
 +
 +   return openssh_flags;
 +}
 +
 +static
 +unsigned
 +_pkcs11_msg_openssh2pkcs11 (
 +   IN const unsigned flags
 +) {
 +   unsigned pkcs11_flags;
 +
 +   switch (flags) {
 +       case SYSLOG_LEVEL_DEBUG3:
 +           pkcs11_flags = PKCS11H_LOG_DEBUG2;
 +       break;
 +       case SYSLOG_LEVEL_DEBUG2:
 +           pkcs11_flags = PKCS11H_LOG_DEBUG1;
 +       break;
 +       case SYSLOG_LEVEL_INFO:
 +           pkcs11_flags = PKCS11H_LOG_INFO;
 +       break;
 +       case SYSLOG_LEVEL_ERROR:
 +           pkcs11_flags = PKCS11H_LOG_WARN;
 +       break;
 +       case SYSLOG_LEVEL_FATAL:
 +           pkcs11_flags = PKCS11H_LOG_ERROR;
 +       break;
 +       default:
 +           pkcs11_flags = PKCS11H_LOG_ERROR;
 +       break;
 +   }
 +
 +   return pkcs11_flags;
 +}
 +
 +static
 +void
 +_pkcs11_openssh_log (
 +   IN void * const pData,
 +   IN unsigned flags,
 +   IN const char * const szFormat,
 +   IN va_list args
 +) {
 +   do_log (_pkcs11_msg_pkcs112openssh (flags), szFormat, args);
 +}
 +
 +static
 +int
 +_pkcs11_ssh_prompt (
 +   IN const char * const szType,
 +   IN const char * const szPrompt,
 +   OUT char * const szInput,
 +   IN const int nMaxInput
 +) {
 +   pid_t pid = -1;
 +   int fds[2] = {-1, -1};
 +   int fOK = TRUE;
 +
 +   /*
 +    * Make sure we don't reuse PIN
 +    */
 +   if (fOK) {
 +       memset (szInput, 0, nMaxInput);
 +   }
 +
 +   if (fOK && s_szSetPINProg == NULL) {
 +       fOK = FALSE;
 +   }
 +
 +   if (fOK && pipe (fds) == -1) {
 +       fOK = FALSE;
 +   }
 +
 +   if (fOK && (pid = fork ()) == -1) {
 +       fOK = FALSE;
 +   }
 +
 +   if (fOK) {
 +       if (pid == 0) {
 +           close (fds[0]);
 +           fds[0] = -1;
 +
 +           if (fOK && dup2 (fds[1], 1) == -1) {
 +               fOK = FALSE;
 +           }
 +           if (fOK) {
 +               close (fds[1]);
 +               fds[1] = -1;
 +           }
 +
 +           if (fOK) {
 +               execl (
 +                   s_szSetPINProg,
 +                   s_szSetPINProg,
 +                   "-t",
 +                   szType,
 +                   szPrompt,
 +                   NULL
 +               );
 +           }
 +
 +           exit (1);
 +       }
 +       else {
 +           int status;
 +           int r = 0;
 +           
 +           close (fds[1]);
 +           fds[1] = -1;
 +
 +           if (fOK) {
 +               while (
 +                   (r=waitpid (pid, &status, 0)) == 0 ||
 +                   (r == -1 && errno == EINTR)
 +               );
 +
 +               if (r == -1) {
 +                   fOK = FALSE;
 +               }
 +           }
 +
 +           if (fOK && !WIFEXITED (status)) {
 +               fOK = FALSE;
 +           }
 +
 +           if (fOK && WEXITSTATUS (status) != 0) {
 +               fOK = FALSE;
 +           }
 +           
 +           if (fOK) {
 +               if (!strcmp (szType, "password")) {
 +                   if ((r = read (fds[0], szInput, nMaxInput)) == -1) {
 +                       fOK = FALSE;
 +                       r = 0;
 +                   }
 +               }
 +               else {
 +                   r = 0;
 +               }
 +               szInput[r] = '\0';
 +           }
 +
 +           if (fOK) {
 +               if (strlen (szInput) > 0 && szInput[strlen (szInput)-1] == '\n') {
 +                   szInput[strlen (szInput)-1] = '\0';
 +               }
 +               /*
 +                * for DOS compatability
 +                */
 +               if (strlen (szInput) > 0 && szInput[strlen (szInput)-1] == '\r') {
 +                   szInput[strlen (szInput)-1] = '\0';
 +               }
 +           }
 +       }
 +   }
 +
 +   if (fds[0] != -1) {
 +       close (fds[0]);
 +       fds[0] = -1;
 +   }
 +
 +   if (fds[1] != -1) {
 +       close (fds[1]);
 +       fds[1] = -1;
 +   }
 +
 +   return fOK;
 +}
 +
 +static
 +void
 +_pkcs11_ssh_print (
 +   IN void * const pData,
 +   IN const char * const szFormat,
 +   IN ...
 +) {
 +   va_list args;
 +
 +   va_start (args, szFormat);
 +   vprintf (szFormat, args);
 +   va_end (args);
 +}
 +
 +static
 +PKCS11H_BOOL
 +_pkcs11_ssh_token_prompt (
 +   IN void * const pData1,
 +   IN void * const pData2,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry
 +) {
 +   char szPrompt[1024];
 +   char szPIN[1024];
 +   
 +   snprintf (szPrompt, sizeof (szPrompt), "Please insert token '%s' or cancel", token->display);
 +   return _pkcs11_ssh_prompt ("okcancel", szPrompt, szPIN, sizeof (szPIN));
 +}
 +
 +static
 +PKCS11H_BOOL
 +_pkcs11_ssh_pin_prompt (
 +   IN void * const pData1,
 +   IN void * const pData2,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry,
 +   OUT char * const szPIN,
 +   IN const size_t nMaxPIN
 +) {
 +   char szPrompt[1024];
 +
 +   snprintf (szPrompt, sizeof (szPrompt), "Please enter PIN for token '%s'", token->display);
 +   return _pkcs11_ssh_prompt ("password", szPrompt, szPIN, nMaxPIN);
 +}
 +
 +static
 +PKCS11H_BOOL
 +_pkcs11_ssh_pin_prompt_cli (
 +   IN void * const pData1,
 +   IN void * const pData2,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry,
 +   OUT char * const szPIN,
 +   IN const size_t nMaxPIN
 +) {
 +   char szPrompt[1024];
 +   snprintf (szPrompt, sizeof (szPrompt), "Please enter '%s' PIN or 'cancel': ", token->display);
 +   char *p = getpass (szPrompt);
 +
 +   strncpy (szPIN, p, nMaxPIN);
 +   szPIN[nMaxPIN-1] = '\0';
 +
 +   return strcmp (szPIN, "cancel") != 0;
 +}
 +
 +void
 +_pkcs11_do_log (
 +   IN LogLevel l,
 +   IN const char *f,
 +   IN ...
 +) {
 +   va_list args;
 +   va_start (args, f);
 +   do_log (l, f, args);
 +   va_end (args);
 +}
 +
 +int
 +pkcs11_initialize (
 +   const int fProtectedAuthentication,
 +   const int nPINCachePeriod
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   debug3 (
 +       "PKCS#11: pkcs11_initialize - entered fProtectedAuthentication=%d, nPINCachePeriod=%d",
 +       fProtectedAuthentication,
 +       nPINCachePeriod
 +   );
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_initialize ()) != CKR_OK
 +   ) {
 +       error ("PKCS#11: Cannot initialize %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_setLogHook (_pkcs11_openssh_log, NULL)) != CKR_OK
 +   ) {
 +       error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   /*
 +    * WARNING!!!
 +    * There is no way to get log level,
 +    * so set to minimum.
 +    * After fix in log.c it can be fixed.
 +    */
 +   if (rv == CKR_OK) {
 +       pkcs11h_setLogLevel (_pkcs11_msg_openssh2pkcs11 (SYSLOG_LEVEL_DEBUG3));
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_setTokenPromptHook (_pkcs11_ssh_token_prompt, NULL)) != CKR_OK
 +   ) {
 +       error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_setPINPromptHook (_pkcs11_ssh_pin_prompt, NULL)) != CKR_OK
 +   ) {
 +       error ("PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_setProtectedAuthentication (fProtectedAuthentication)) != CKR_OK
 +   ) {
 +       error ("PKCS#11: Cannot set protected authentication mode %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_setPINCachePeriod (nPINCachePeriod)) != CKR_OK
 +   ) {
 +       error ("PKCS#11: Cannot set PIN cache period %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   debug3 (
 +       "PKCS#11: pkcs11_initialize - return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv == CKR_OK;
 +}
 +
 +void
 +pkcs11_terminate () {
 +   debug3 ("PKCS#11: pkcs11_terminate - entered");
 +
 +   pkcs11h_terminate ();
 +
 +   debug3 ("PKCS#11: pkcs11_terminate - return");
 +}
 +
 +void
 +pkcs11_forkFix () {
 +   pkcs11h_forkFixup ();
 +}
 +
 +int
 +pkcs11_setAskPIN (
 +   const char * const pin_prog
 +) {
 +   if (pin_prog != NULL) {
 +       if (s_szSetPINProg != NULL) {
 +           xfree (s_szSetPINProg);
 +           s_szSetPINProg = NULL;
 +       }
 +
 +       s_szSetPINProg = xstrdup (pin_prog);
 +   }
 +
 +   return 1;
 +}
 +
 +int
 +pkcs11_addProvider (
 +   const char * const provider,
 +   const int fProtectedAuthentication,
 +   const char * const sign_mode,
 +   const int fCertIsPrivate
 +) {
 +   unsigned maskSignMode = 0;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (provider != NULL);
 +   PKCS11H_ASSERT (sign_mode != NULL);
 +
 +   debug3 (
 +       "PKCS#11: pkcs11_addProvider - entered - provider='%s', fProtectedAuthentication=%d, sign_mode='%s',
	fCertIsPrivate=%d",
 +       provider,
 +       fProtectedAuthentication ? 1 : 0,
 +       sign_mode == NULL ? "default" : sign_mode,
 +       fCertIsPrivate ? 1 : 0
 +   );
 +
 +   debug (
 +       "PKCS#11: Adding PKCS#11 provider '%s'",
 +       provider
 +   );
 +
 +   if (rv == CKR_OK) {
 +       if (sign_mode == NULL || !strcmp (sign_mode, "auto")) {
 +           maskSignMode = 0;
 +       }
 +       else if (!strcmp (sign_mode, "sign")) {
 +           maskSignMode = PKCS11H_SIGNMODE_MASK_SIGN;
 +       }
 +       else if (!strcmp (sign_mode, "recover")) {
 +           maskSignMode = PKCS11H_SIGNMODE_MASK_RECOVER;
 +       }
 +       else if (!strcmp (sign_mode, "any")) {
 +           maskSignMode = (
 +               PKCS11H_SIGNMODE_MASK_SIGN |
 +               PKCS11H_SIGNMODE_MASK_RECOVER
 +           );
 +       }
 +       else {
 +           error ("PKCS#11: Invalid sign mode '%s'", sign_mode);
 +           rv = CKR_ARGUMENTS_BAD;
 +       }
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_addProvider (
 +           provider,
 +           provider,
 +           fProtectedAuthentication,
 +           maskSignMode,
 +           PKCS11H_SLOTEVENT_METHOD_AUTO,
 +           0,
 +           fCertIsPrivate
 +       )) != CKR_OK
 +   ) {
 +       error ("PKCS#11: Cannot initialize provider '%s' %ld-'%s'", provider, rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   debug3 (
 +       "PKCS#11: pkcs11_addProvider - return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv == CKR_OK;
 +}
 +
 +pkcs11_identity *
 +pkcs11_identity_new () {
 +   pkcs11_identity *id = xmalloc (sizeof (struct pkcs11_identity_s));
 +   if (id != NULL) {
 +       memset (id, 0, sizeof (struct pkcs11_identity_s));
 +   }
 +   return id;
 +}
 +
 +void
 +pkcs11_identity_free (
 +   const pkcs11_identity * const id
 +) {
 +   if (id != NULL) {
 +       xfree ((void *)id);
 +   }
 +}
 +
 +void
 +pkcs11_getKey (
 +   IN const pkcs11_identity * const id,
 +   OUT Key ** const sshkey,
 +   OUT char * const szComment,
 +   IN const int nCommentMax
 +) {
 +   X509 *x509 = NULL;
 +   RSA *rsa = NULL;
 +   pkcs11h_certificate_id_t certificate_id = NULL;
 +   pkcs11h_certificate_t certificate = NULL;
 +   pkcs11h_openssl_session_t openssl_session = NULL;
 +   size_t temp;
 +   CK_RV rv = CKR_OK;
 +
 +   int fOK = TRUE;
 +
 +   debug3 (
 +       "PKCS#11: pkcs11_getKey - entered - id=%p, sshkey=%p, szComment=%p, nCommentMax=%d",
 +       (void *)id,
 +       (void *)sshkey,
 +       (void *)szComment,
 +       nCommentMax
 +   );
 +
 +   PKCS11H_ASSERT (id != NULL);
 +   PKCS11H_ASSERT (sshkey!=NULL);
 +   PKCS11H_ASSERT (szComment!=NULL);
 +
 +   debug3 (
 +       "PKCS#11: pkcs11_getKey - id - id=%s, pin_cache_period=%d, cert_file=%s",
 +       id->id,
 +       id->pin_cache_period,
 +       id->cert_file
 +   );
 +
 +   PKCS11H_ASSERT (id->id);
 +
 +   if (
 +       fOK &&
 +       pkcs11h_certificate_deserializeCertificateId (&certificate_id, id->id)
 +   ) {
 +       fOK = FALSE;
 +       error ("PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       fOK &&
 +       id->cert_file != NULL &&
 +       id->cert_file[0] != '\x0' 
 +   ) {
 +       X509 *x509 = NULL;
 +       unsigned char *p = NULL;
 +       unsigned char *certificate_blob = NULL;
 +       size_t certificate_blob_size = 0;
 +       FILE *fp = NULL;
 +
 +       if (
 +           fOK &&
 +           (fp = fopen (id->cert_file, "r")) == NULL
 +       ) {
 +           fOK = FALSE;
 +           error ("PKCS#11: Cannot open file '%s'", id->cert_file);
 +       }
 +
 +       if (
 +           fOK &&
 +           !PEM_read_X509 (
 +               fp,
 +               &x509,
 +               NULL,
 +               0
 +           )
 +       ) {
 +           x509 = NULL;
 +           fOK = FALSE;
 +           error ("PKCS#11: Cannot read PEM from file '%s'", id->cert_file);
 +       }
 +
 +       if (
 +           fOK &&
 +           (certificate_blob_size = i2d_X509 (x509, NULL)) < 0
 +       ) {
 +           fOK = FALSE;
 +           error ("PKCS#11: Cannot read decode certificate");
 +       }
 +
 +       if (
 +           fOK &&
 +           (certificate_blob = (unsigned char *)xmalloc (certificate_blob_size)) == NULL
 +       ) {
 +           fOK = FALSE;
 +           error ("PKCS#11: Cannot allocate memory");
 +       }
 +
 +       /*
 +        * i2d_X509 increments p!!!
 +        */
 +       p = certificate_blob;
 +
 +       if (
 +           fOK &&
 +           (certificate_blob_size = i2d_X509 (x509, &p)) < 0
 +       ) {
 +           fOK = FALSE;
 +           error ("PKCS#11: Cannot read decode certificate");
 +       }
 +
 +       if (
 +           fOK &&
 +           pkcs11h_certificate_setCertificateIdCertificateBlob (
 +               certificate_id,
 +               certificate_blob,
 +               certificate_blob_size
 +           ) != CKR_OK
 +       ) {
 +           fOK = FALSE;
 +           error ("PKCS#11: Cannot set certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +       }
 +
 +       if (x509 != NULL) {
 +           X509_free (x509);
 +           x509 = NULL;
 +       }
 +
 +       if (certificate_blob != NULL) {
 +           xfree (certificate_blob);
 +           certificate_blob = NULL;
 +       }
 +
 +       if (fp != NULL) {
 +           fclose (fp);
 +           fp = NULL;
 +       }
 +   }
 +
 +   if (
 +       fOK &&
 +       (rv = pkcs11h_certificate_create (
 +           certificate_id,
 +           NULL,
 +           PKCS11H_PROMPT_MASK_ALLOW_ALL,
 +           id->pin_cache_period,
 +           &certificate
 +       )) != CKR_OK
 +   ) {
 +       fOK = FALSE;
 +       error ("PKCS#11: Cannot get certificate %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (certificate_id != NULL){
 +       pkcs11h_certificate_freeCertificateId (certificate_id);
 +       certificate_id = NULL;
 +   }
 +
 +   /*
 +    * Is called so next certificate_id will
 +    * contain a proper description
 +    */
 +   if (
 +       fOK &&
 +       (rv = pkcs11h_certificate_getCertificateBlob (
 +           certificate,
 +           NULL,
 +           &temp
 +       )) != CKR_OK
 +   ) {
 +       fOK = FALSE;
 +       error ("PKCS#11: Cannot get certificate blob %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       fOK &&
 +       (rv = pkcs11h_certificate_getCertificateId (
 +           certificate,
 +           &certificate_id
 +       )) != CKR_OK
 +   ) {
 +       fOK = FALSE;
 +       error ("PKCS#11: Cannot get certificate_id %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (fOK) {
 +       strncpy (szComment, certificate_id->displayName, nCommentMax);
 +       szComment[nCommentMax - 1] = '\0';
 +   }
 +
 +   if (
 +       fOK &&
 +       (openssl_session = pkcs11h_openssl_createSession (certificate)) == NULL
 +   ) {
 +       fOK = FALSE;
 +       error ("PKCS#11: Cannot initialize openssl session");
 +   }
 +
 +   if (fOK) {
 +       /*
 +        * will be release by openssl_session
 +        */
 +       certificate = NULL;
 +   }
 +
 +   if (
 +       fOK &&
 +       (rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL
 +   ) {
 +       fOK = FALSE;
 +       error ("PKCS#11: Unable get rsa object");
 +   }
 +
 +   if (
 +       fOK &&
 +       (x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL
 +   ) {
 +       fOK = FALSE;
 +       error ("PKCS#11: Unable get certificate object");
 +   }
 +
 +   if (fOK) {
 +       *sshkey = key_new_private (KEY_UNSPEC);
 +       (*sshkey)->rsa = rsa;
 +       rsa = NULL;
 +#if defined(SSH_PKCS11_X509_DISABLED)
 +       (*sshkey)->type = KEY_RSA;
 +#else
 +       (*sshkey)->type = KEY_X509_RSA;
 +       (*sshkey)->x509 = x509;
 +       x509 = NULL;
 +#endif
 +   }
 +
 +   if (x509 != NULL) {
 +       X509_free (x509);
 +       x509 = NULL;
 +   }
 +
 +   if (openssl_session != NULL) {
 +       pkcs11h_openssl_freeSession (openssl_session);
 +       openssl_session = NULL;
 +   }
 +
 +   if (certificate != NULL) {
 +       pkcs11h_certificate_freeCertificate (certificate);
 +       certificate = NULL;
 +   }
 +
 +   if (certificate_id != NULL) {
 +       pkcs11h_certificate_freeCertificateId (certificate_id);
 +       certificate_id = NULL;
 +   }
 +
 +   debug3 (
 +       "PKCS#11: pkcs11_getKey - return fOK=%d, rv=%ld",
 +       fOK ? 1 : 0,
 +       rv
 +   );
 +}
 +
 +void
 +pkcs11_show_ids (
 +   const char * const provider,
 +   int allow_protected_auth,
 +   int cert_is_private
 +) {
 +   pkcs11h_certificate_id_list_t user_certificates = NULL;
 +   pkcs11h_certificate_id_list_t current = NULL;
 +   CK_RV rv = CKR_OK;
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_initialize ();
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_setLogHook (_pkcs11_openssh_log, NULL);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       pkcs11h_setLogLevel (_pkcs11_msg_openssh2pkcs11 (SYSLOG_LEVEL_DEBUG3));
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_setPINPromptHook (_pkcs11_ssh_pin_prompt_cli, NULL);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_setProtectedAuthentication (TRUE);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_addProvider (
 +           provider,
 +           provider,
 +           allow_protected_auth ? TRUE : FALSE,
 +           0,
 +           FALSE,
 +           0,
 +           cert_is_private ? TRUE : FALSE
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_certificate_enumCertificateIds (
 +           PKCS11H_ENUM_METHOD_CACHE_EXIST,
 +           NULL,
 +           PKCS11H_PROMPT_MASK_ALLOW_ALL,
 +           NULL,
 +           &user_certificates
 +       );
 +   }
 +
 +   for (current = user_certificates; rv == CKR_OK && current != NULL; current = current->next) {
 +       pkcs11h_certificate_t certificate = NULL;
 +       X509 *x509 = NULL;
 +       char dn[1024] = {0};
 +       char *ser = NULL;
 +       char *ssh_key = NULL;
 +       size_t ser_len = 0;
 +
 +       if (rv == CKR_OK) {
 +           rv = pkcs11h_certificate_serializeCertificateId (NULL, &ser_len, current->certificate_id);
 +       }
 +
 +       if (
 +           rv == CKR_OK &&
 +           (ser = (char *)xmalloc (ser_len)) == NULL
 +       ) {
 +           rv = CKR_HOST_MEMORY;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = pkcs11h_certificate_serializeCertificateId (ser, &ser_len, current->certificate_id);
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = pkcs11h_certificate_create (
 +               current->certificate_id,
 +               NULL,
 +               PKCS11H_PROMPT_MASK_ALLOW_ALL,
 +               PKCS11H_PIN_CACHE_INFINITE,
 +               &certificate
 +           );
 +       }
 +
 +       if (
 +           rv == CKR_OK &&
 +           (x509 = pkcs11h_openssl_getX509 (certificate)) == NULL
 +       ) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           X509_NAME_oneline (
 +               X509_get_subject_name (x509),
 +               dn,
 +               sizeof (dn)
 +           );
 +           printf (
 +               (
 +                   "\n"
 +                   "********************************************\n"
 +                   "IDENTITY:\n"
 +                   "        DN:            %s\n"
 +                   "        Serialized id: %s\n"
 +                   "\n"
 +                   "        Certificate:\n"
 +               ),
 +               dn,
 +               ser
 +           );
 +           PEM_write_X509 (stdout, x509);
 +       }
 +
 +       if (
 +           rv == CKR_OK &&
 +           (ssh_key = ssh_from_x509 (x509)) != NULL
 +       ) {
 +           printf (
 +               (
 +                   "\n"
 +                   "        SSH:\n"
 +                   "%s\n"
 +               ),
 +               ssh_key
 +           );
 +
 +           xfree (ssh_key);
 +       }
 +
 +       if (x509 != NULL) {
 +           X509_free (x509);
 +           x509 = NULL;
 +       }
 +
 +       if (certificate != NULL) {
 +           pkcs11h_certificate_freeCertificate (certificate);
 +           certificate = NULL;
 +       }
 +
 +       if (ser != NULL) {
 +           xfree (ser);
 +           ser = NULL;
 +       }
 +
 +       /*
 +        * Ignore error
 +        */
 +       if (rv != CKR_OK) {
 +           error ("PKCS#11: Failed to get id %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +           rv = CKR_OK;
 +       }
 +   }
 +
 +   if (user_certificates != NULL) {
 +       pkcs11h_certificate_freeCertificateIdList (user_certificates);
 +       user_certificates = NULL;
 +   }
 +
 +   pkcs11h_terminate ();
 +}
 +
 +void
 +pkcs11_dump_slots (
 +   const char * const provider
 +) {
 +   pkcs11h_standalone_dump_slots (
 +       _pkcs11_ssh_print,
 +       NULL,
 +       provider
 +   );
 +}
 +
 +void
 +pkcs11_dump_objects (
 +   const char * const provider,
 +   const char * const slot,
 +   const char * const pin
 +) {
 +   pkcs11h_standalone_dump_objects (
 +       _pkcs11_ssh_print,
 +       NULL,
 +       provider,
 +       slot,
 +       pin
 +   );
 +}
 +
 +/*
 + * The ssh_from_x509 is dirived of Tatu and Markus work.
 + *
 + * Copyright (c) 2006 Alon bar-Lev <alon.barlev@gmail.com>.  All rights reserved.
 + * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
 + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 + */
 +
 +#define PUT_32BIT(cp, value) ( \
 +   (cp)[0] = (value) >> 24, \
 +   (cp)[1] = (value) >> 16, \
 +   (cp)[2] = (value) >> 8, \
 +   (cp)[3] = (value) )
 +
 +static
 +char *
 +ssh_from_x509 (X509 *x509) {
 +
 +   EVP_PKEY *pubkey = NULL;
 +   BIO *bio = NULL, *bio2 = NULL, *bio64 = NULL;
 +   unsigned char *blob = NULL, *buffer = NULL;
 +   char *ret = NULL;
 +   int blobsize = 0, retsize = 0;
 +   int bytes_name = 0, bytes_exponent = 0, bytes_modulus = 0;
 +   unsigned char *bp;
 +   char *p;
 +   int n;
 +   const char *keyname = NULL;
 +   int ok = 1;
 +
 +   if (ok && (pubkey = X509_get_pubkey (x509)) == NULL) {
 +       ok = 0;
 +   }
 +
 +   if (ok && (bio64 = BIO_new (BIO_f_base64 ())) == NULL) {
 +       ok = 0;
 +   }
 +
 +   if (ok && (bio = BIO_new (BIO_s_mem ())) == NULL) {
 +       ok = 0;
 +   }
 +
 +   if (ok && (bio2 = BIO_push (bio64, bio)) == NULL) {
 +       ok = 0;
 +   }
 +
 +   if (ok && pubkey->type != EVP_PKEY_RSA) {
 +       ok = 0;
 +   }
 +
 +   if (ok) {
 +       keyname = "ssh-rsa";
 +   }
 +
 +   if (ok) {
 +       bytes_name = strlen (keyname);
 +       bytes_exponent = BN_num_bytes (pubkey->pkey.rsa->e);
 +       bytes_modulus = BN_num_bytes (pubkey->pkey.rsa->n);
 +       
 +       blobsize = (
 +           4 + bytes_name +
 +           4 + (bytes_exponent + 1) +
 +           4 + (bytes_modulus + 1) +
 +           1
 +       );
 +   }
 + 
 +   if (ok && (blob = (unsigned char *)xmalloc (blobsize)) == NULL) {
 +       ok = 0;
 +   }
 +
 +   if (ok && (buffer = (unsigned char *)xmalloc (blobsize)) == NULL) {
 +       ok = 0;
 +   }
 +
 +   if (ok) {
 +       bp = blob;
 +       
 +       PUT_32BIT (bp, bytes_name), bp += 4;
 +       memcpy (bp, keyname, bytes_name), bp += bytes_name;
 +
 +       BN_bn2bin (pubkey->pkey.rsa->e, buffer);
 +       if (buffer[0] & 0x80) {
 +           // highest bit set would indicate a negative number.
 +           // to avoid this, we have to spend an extra byte:
 +           PUT_32BIT (bp, bytes_exponent+1), bp += 4;
 +           *(bp++) = 0;
 +       } else {
 +           PUT_32BIT (bp, bytes_exponent), bp += 4;
 +       }
 +       memcpy (bp, buffer, bytes_exponent), bp += bytes_exponent;
 +           
 +       BN_bn2bin (pubkey->pkey.rsa->n, buffer);
 +       if (buffer[0] & 0x80) {
 +           PUT_32BIT (bp, bytes_modulus+1), bp += 4;
 +           *(bp++) = 0;
 +       } else {
 +           PUT_32BIT( bp, bytes_modulus ), bp += 4;
 +       }
 +       memcpy (bp, buffer, bytes_modulus), bp += bytes_modulus;
 +   }
 +
 +
 +   if (ok && BIO_write (bio2, blob, bp-blob) == -1) {
 +       ok = 0;
 +   }
 +
 +   if (ok && BIO_flush (bio2) == -1) {
 +       ok = 0;
 +   }
 +
 +   /*
 +    * Allocate the newline too... We will remove them later
 +    * For MS, allocate return as well.
 +    */
 +   if (ok) {
 +       retsize = strlen (keyname) + 1 + (blobsize * 4 / 3) + (blobsize * 2 / 50) + 10 + 1;
 +   }
 +
 +   if (ok && (ret = xmalloc (retsize)) == NULL) {
 +       ok = 0;
 +   }
 +   
 +   if (ok) {
 +       strcpy (ret, keyname);
 +       strcat (ret, " ");
 +   }
 +
 +   if (ok && (n = BIO_read (bio, ret + strlen (ret), retsize - strlen (ret) - 1)) == -1) {
 +       ok = 0;
 +   }
 +
 +   if (ok) {
 +       ret[strlen (keyname) + 1 + n] = '\x0';
 +   }
 +
 +   if (ok) {
 +       while ((p = strchr (ret, '\n')) != NULL) {
 +           memmove (p, p+1, strlen (p)+1);
 +       }
 +       while ((p = strchr (ret, '\r')) != NULL) {
 +           memmove (p, p+1, strlen (p)+1);
 +       }
 +
 +   }
 +
 +   if (bio != NULL) {
 +       BIO_free_all (bio);
 +       bio = NULL;
 +   }
 +
 +   if (pubkey != NULL) {
 +       EVP_PKEY_free (pubkey);
 +       pubkey = NULL;
 +   }
 +
 +   if (buffer != NULL) {
 +       xfree (buffer);
 +       buffer = NULL;
 +   }
 +
 +   if (blob != NULL) {
 +       xfree (blob);
 +       blob = NULL;
 +   }
 +
 +   if (!ok) {
 +       if (ret != NULL) {
 +           xfree (ret);
 +           ret = NULL;
 +       }
 +   }
 +   
 +   return ret;
 +}
 +
 +#else
 +static void dummy (void) {}
 +#endif /* SSH_PKCS11_DISABLED */
 diff -urNp openssh-4.4p1/pkcs11.h openssh-4.4p1+pkcs11-0.17/pkcs11.h
 --- openssh-4.4p1/pkcs11.h  1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/pkcs11.h  2006-10-12 13:55:28.000000000 +0200
 @@ -0,0 +1,100 @@
 +/*
 + * Copyright (c) 2005-2006 Alon Bar-Lev.  All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
 +
 +#ifndef SSH_PKCS11_H
 +#define SSH_PKCS11_H
 +
 +#if !defined(SSH_PKCS11_DISABLED)
 +
 +#include "key.h"
 +
 +typedef struct pkcs11_identity_s {
 +   char *id;
 +   int pin_cache_period;
 +   char *cert_file;
 +} pkcs11_identity;
 +
 +int
 +pkcs11_initialize (
 +   const int fProtectedAuthentication,
 +   const int nPINCachePeriod
 +);
 +
 +void
 +pkcs11_terminate ();
 +
 +void
 +pkcs11_forkFix ();
 +
 +int
 +pkcs11_setAskPIN (
 +   const char * const pin_prog
 +);
 +
 +int
 +pkcs11_addProvider (
 +   const char * const provider,
 +   const int fProtectedAuthentication,
 +   const char * const sign_mode,
 +   const int fCertIsPrivate
 +);
 +
 +pkcs11_identity *
 +pkcs11_identity_new ();
 +
 +void
 +pkcs11_identity_free (
 +   const pkcs11_identity * const id
 +);
 +
 +void
 +pkcs11_getKey (
 +   const pkcs11_identity * const id,
 +   Key ** const sshkey,
 +   char * const szComment,
 +   const int nCommentMax
 +);
 +
 +void
 +pkcs11_show_ids (
 +   const char * const provider,
 +   int allow_protected_auth,
 +   int cert_is_private
 +);
 +
 +void
 +pkcs11_dump_slots (
 +   const char * const provider
 +);
 +
 +void
 +pkcs11_dump_objects (
 +   const char * const provider,
 +   const char * const slot,
 +   const char * const pin
 +);
 +   
 +#endif         /* SSH_PKCS11_DISABLED */
 +
 +#endif         /* OPENSSH_PKCS11_H */
 diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11f.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11f.h
 --- openssh-4.4p1/pkcs11-headers/pkcs11f.h  1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11f.h  2006-09-28 08:05:35.000000000 +0300
 @@ -0,0 +1,912 @@
 +/* pkcs11f.h include file for PKCS #11. */
 +/* $Revision: 1.4 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
 + * (Cryptoki)" in all material mentioning or referencing this software.
 +
 + * License is also granted to make and use derivative works provided that
 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
 + * referencing the derived work.
 +
 + * RSA Security Inc. makes no representations concerning either the 
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + */
 +
 +/* This header file contains pretty much everything about all the */
 +/* Cryptoki function prototypes.  Because this information is */
 +/* used for more than just declaring function prototypes, the */
 +/* order of the functions appearing herein is important, and */
 +/* should not be altered. */
 +
 +/* General-purpose */
 +
 +/* C_Initialize initializes the Cryptoki library. */
 +CK_PKCS11_FUNCTION_INFO(C_Initialize)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_VOID_PTR   pInitArgs  /* if this is not NULL_PTR, it gets
 +                            * cast to CK_C_INITIALIZE_ARGS_PTR
 +                            * and dereferenced */
 +);
 +#endif
 +
 +
 +/* C_Finalize indicates that an application is done with the
 + * Cryptoki library. */
 +CK_PKCS11_FUNCTION_INFO(C_Finalize)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_VOID_PTR   pReserved  /* reserved.  Should be NULL_PTR */
 +);
 +#endif
 +
 +
 +/* C_GetInfo returns general information about Cryptoki. */
 +CK_PKCS11_FUNCTION_INFO(C_GetInfo)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_INFO_PTR   pInfo  /* location that receives information */
 +);
 +#endif
 +
 +
 +/* C_GetFunctionList returns the function list. */
 +CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_FUNCTION_LIST_PTR_PTR ppFunctionList  /* receives pointer to
 +                                            * function list */
 +);
 +#endif
 +
 +
 +
 +/* Slot and token management */
 +
 +/* C_GetSlotList obtains a list of slots in the system. */
 +CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_BBOOL       tokenPresent,  /* only slots with tokens? */
 +  CK_SLOT_ID_PTR pSlotList,     /* receives array of slot IDs */
 +  CK_ULONG_PTR   pulCount       /* receives number of slots */
 +);
 +#endif
 +
 +
 +/* C_GetSlotInfo obtains information about a particular slot in
 + * the system. */
 +CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SLOT_ID       slotID,  /* the ID of the slot */
 +  CK_SLOT_INFO_PTR pInfo    /* receives the slot information */
 +);
 +#endif
 +
 +
 +/* C_GetTokenInfo obtains information about a particular token
 + * in the system. */
 +CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SLOT_ID        slotID,  /* ID of the token's slot */
 +  CK_TOKEN_INFO_PTR pInfo    /* receives the token information */
 +);
 +#endif
 +
 +
 +/* C_GetMechanismList obtains a list of mechanism types
 + * supported by a token. */
 +CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SLOT_ID            slotID,          /* ID of token's slot */
 +  CK_MECHANISM_TYPE_PTR pMechanismList,  /* gets mech. array */
 +  CK_ULONG_PTR          pulCount         /* gets # of mechs. */
 +);
 +#endif
 +
 +
 +/* C_GetMechanismInfo obtains information about a particular
 + * mechanism possibly supported by a token. */
 +CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SLOT_ID            slotID,  /* ID of the token's slot */
 +  CK_MECHANISM_TYPE     type,    /* type of mechanism */
 +  CK_MECHANISM_INFO_PTR pInfo    /* receives mechanism info */
 +);
 +#endif
 +
 +
 +/* C_InitToken initializes a token. */
 +CK_PKCS11_FUNCTION_INFO(C_InitToken)
 +#ifdef CK_NEED_ARG_LIST
 +/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
 +(
 +  CK_SLOT_ID      slotID,    /* ID of the token's slot */
 +  CK_UTF8CHAR_PTR pPin,      /* the SO's initial PIN */
 +  CK_ULONG        ulPinLen,  /* length in bytes of the PIN */
 +  CK_UTF8CHAR_PTR pLabel     /* 32-byte token label (blank padded) */
 +);
 +#endif
 +
 +
 +/* C_InitPIN initializes the normal user's PIN. */
 +CK_PKCS11_FUNCTION_INFO(C_InitPIN)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_UTF8CHAR_PTR   pPin,      /* the normal user's PIN */
 +  CK_ULONG          ulPinLen   /* length in bytes of the PIN */
 +);
 +#endif
 +
 +
 +/* C_SetPIN modifies the PIN of the user who is logged in. */
 +CK_PKCS11_FUNCTION_INFO(C_SetPIN)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_UTF8CHAR_PTR   pOldPin,   /* the old PIN */
 +  CK_ULONG          ulOldLen,  /* length of the old PIN */
 +  CK_UTF8CHAR_PTR   pNewPin,   /* the new PIN */
 +  CK_ULONG          ulNewLen   /* length of the new PIN */
 +);
 +#endif
 +
 +
 +
 +/* Session management */
 +
 +/* C_OpenSession opens a session between an application and a
 + * token. */
 +CK_PKCS11_FUNCTION_INFO(C_OpenSession)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SLOT_ID            slotID,        /* the slot's ID */
 +  CK_FLAGS              flags,         /* from CK_SESSION_INFO */
 +  CK_VOID_PTR           pApplication,  /* passed to callback */
 +  CK_NOTIFY             Notify,        /* callback function */
 +  CK_SESSION_HANDLE_PTR phSession      /* gets session handle */
 +);
 +#endif
 +
 +
 +/* C_CloseSession closes a session between an application and a
 + * token. */
 +CK_PKCS11_FUNCTION_INFO(C_CloseSession)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession  /* the session's handle */
 +);
 +#endif
 +
 +
 +/* C_CloseAllSessions closes all sessions with a token. */
 +CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SLOT_ID     slotID  /* the token's slot */
 +);
 +#endif
 +
 +
 +/* C_GetSessionInfo obtains information about the session. */
 +CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE   hSession,  /* the session's handle */
 +  CK_SESSION_INFO_PTR pInfo      /* receives session info */
 +);
 +#endif
 +
 +
 +/* C_GetOperationState obtains the state of the cryptographic operation
 + * in a session. */
 +CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,             /* session's handle */
 +  CK_BYTE_PTR       pOperationState,      /* gets state */
 +  CK_ULONG_PTR      pulOperationStateLen  /* gets state length */
 +);
 +#endif
 +
 +
 +/* C_SetOperationState restores the state of the cryptographic
 + * operation in a session. */
 +CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,            /* session's handle */
 +  CK_BYTE_PTR      pOperationState,      /* holds state */
 +  CK_ULONG         ulOperationStateLen,  /* holds state length */
 +  CK_OBJECT_HANDLE hEncryptionKey,       /* en/decryption key */
 +  CK_OBJECT_HANDLE hAuthenticationKey    /* sign/verify key */
 +);
 +#endif
 +
 +
 +/* C_Login logs a user into a token. */
 +CK_PKCS11_FUNCTION_INFO(C_Login)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_USER_TYPE      userType,  /* the user type */
 +  CK_UTF8CHAR_PTR   pPin,      /* the user's PIN */
 +  CK_ULONG          ulPinLen   /* the length of the PIN */
 +);
 +#endif
 +
 +
 +/* C_Logout logs a user out from a token. */
 +CK_PKCS11_FUNCTION_INFO(C_Logout)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession  /* the session's handle */
 +);
 +#endif
 +
 +
 +
 +/* Object management */
 +
 +/* C_CreateObject creates a new object. */
 +CK_PKCS11_FUNCTION_INFO(C_CreateObject)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,    /* the session's handle */
 +  CK_ATTRIBUTE_PTR  pTemplate,   /* the object's template */
 +  CK_ULONG          ulCount,     /* attributes in template */
 +  CK_OBJECT_HANDLE_PTR phObject  /* gets new object's handle. */
 +);
 +#endif
 +
 +
 +/* C_CopyObject copies an object, creating a new object for the
 + * copy. */
 +CK_PKCS11_FUNCTION_INFO(C_CopyObject)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE    hSession,    /* the session's handle */
 +  CK_OBJECT_HANDLE     hObject,     /* the object's handle */
 +  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new object */
 +  CK_ULONG             ulCount,     /* attributes in template */
 +  CK_OBJECT_HANDLE_PTR phNewObject  /* receives handle of copy */
 +);
 +#endif
 +
 +
 +/* C_DestroyObject destroys an object. */
 +CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_OBJECT_HANDLE  hObject    /* the object's handle */
 +);
 +#endif
 +
 +
 +/* C_GetObjectSize gets the size of an object in bytes. */
 +CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_OBJECT_HANDLE  hObject,   /* the object's handle */
 +  CK_ULONG_PTR      pulSize    /* receives size of object */
 +);
 +#endif
 +
 +
 +/* C_GetAttributeValue obtains the value of one or more object
 + * attributes. */
 +CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,   /* the session's handle */
 +  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
 +  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs; gets vals */
 +  CK_ULONG          ulCount     /* attributes in template */
 +);
 +#endif
 +
 +
 +/* C_SetAttributeValue modifies the value of one or more object
 + * attributes */
 +CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,   /* the session's handle */
 +  CK_OBJECT_HANDLE  hObject,    /* the object's handle */
 +  CK_ATTRIBUTE_PTR  pTemplate,  /* specifies attrs and values */
 +  CK_ULONG          ulCount     /* attributes in template */
 +);
 +#endif
 +
 +
 +/* C_FindObjectsInit initializes a search for token and session
 + * objects that match a template. */
 +CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,   /* the session's handle */
 +  CK_ATTRIBUTE_PTR  pTemplate,  /* attribute values to match */
 +  CK_ULONG          ulCount     /* attrs in search template */
 +);
 +#endif
 +
 +
 +/* C_FindObjects continues a search for token and session
 + * objects that match a template, obtaining additional object
 + * handles. */
 +CK_PKCS11_FUNCTION_INFO(C_FindObjects)
 +#ifdef CK_NEED_ARG_LIST
 +(
 + CK_SESSION_HANDLE    hSession,          /* session's handle */
 + CK_OBJECT_HANDLE_PTR phObject,          /* gets obj. handles */
 + CK_ULONG             ulMaxObjectCount,  /* max handles to get */
 + CK_ULONG_PTR         pulObjectCount     /* actual # returned */
 +);
 +#endif
 +
 +
 +/* C_FindObjectsFinal finishes a search for token and session
 + * objects. */
 +CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession  /* the session's handle */
 +);
 +#endif
 +
 +
 +
 +/* Encryption and decryption */
 +
 +/* C_EncryptInit initializes an encryption operation. */
 +CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,    /* the session's handle */
 +  CK_MECHANISM_PTR  pMechanism,  /* the encryption mechanism */
 +  CK_OBJECT_HANDLE  hKey         /* handle of encryption key */
 +);
 +#endif
 +
 +
 +/* C_Encrypt encrypts single-part data. */
 +CK_PKCS11_FUNCTION_INFO(C_Encrypt)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,            /* session's handle */
 +  CK_BYTE_PTR       pData,               /* the plaintext data */
 +  CK_ULONG          ulDataLen,           /* bytes of plaintext */
 +  CK_BYTE_PTR       pEncryptedData,      /* gets ciphertext */
 +  CK_ULONG_PTR      pulEncryptedDataLen  /* gets c-text size */
 +);
 +#endif
 +
 +
 +/* C_EncryptUpdate continues a multiple-part encryption
 + * operation. */
 +CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,           /* session's handle */
 +  CK_BYTE_PTR       pPart,              /* the plaintext data */
 +  CK_ULONG          ulPartLen,          /* plaintext data len */
 +  CK_BYTE_PTR       pEncryptedPart,     /* gets ciphertext */
 +  CK_ULONG_PTR      pulEncryptedPartLen /* gets c-text size */
 +);
 +#endif
 +
 +
 +/* C_EncryptFinal finishes a multiple-part encryption
 + * operation. */
 +CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,                /* session handle */
 +  CK_BYTE_PTR       pLastEncryptedPart,      /* last c-text */
 +  CK_ULONG_PTR      pulLastEncryptedPartLen  /* gets last size */
 +);
 +#endif
 +
 +
 +/* C_DecryptInit initializes a decryption operation. */
 +CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,    /* the session's handle */
 +  CK_MECHANISM_PTR  pMechanism,  /* the decryption mechanism */
 +  CK_OBJECT_HANDLE  hKey         /* handle of decryption key */
 +);
 +#endif
 +
 +
 +/* C_Decrypt decrypts encrypted data in a single part. */
 +CK_PKCS11_FUNCTION_INFO(C_Decrypt)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,           /* session's handle */
 +  CK_BYTE_PTR       pEncryptedData,     /* ciphertext */
 +  CK_ULONG          ulEncryptedDataLen, /* ciphertext length */
 +  CK_BYTE_PTR       pData,              /* gets plaintext */
 +  CK_ULONG_PTR      pulDataLen          /* gets p-text size */
 +);
 +#endif
 +
 +
 +/* C_DecryptUpdate continues a multiple-part decryption
 + * operation. */
 +CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,            /* session's handle */
 +  CK_BYTE_PTR       pEncryptedPart,      /* encrypted data */
 +  CK_ULONG          ulEncryptedPartLen,  /* input length */
 +  CK_BYTE_PTR       pPart,               /* gets plaintext */
 +  CK_ULONG_PTR      pulPartLen           /* p-text size */
 +);
 +#endif
 +
 +
 +/* C_DecryptFinal finishes a multiple-part decryption
 + * operation. */
 +CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,       /* the session's handle */
 +  CK_BYTE_PTR       pLastPart,      /* gets plaintext */
 +  CK_ULONG_PTR      pulLastPartLen  /* p-text size */
 +);
 +#endif
 +
 +
 +
 +/* Message digesting */
 +
 +/* C_DigestInit initializes a message-digesting operation. */
 +CK_PKCS11_FUNCTION_INFO(C_DigestInit)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,   /* the session's handle */
 +  CK_MECHANISM_PTR  pMechanism  /* the digesting mechanism */
 +);
 +#endif
 +
 +
 +/* C_Digest digests data in a single part. */
 +CK_PKCS11_FUNCTION_INFO(C_Digest)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,     /* the session's handle */
 +  CK_BYTE_PTR       pData,        /* data to be digested */
 +  CK_ULONG          ulDataLen,    /* bytes of data to digest */
 +  CK_BYTE_PTR       pDigest,      /* gets the message digest */
 +  CK_ULONG_PTR      pulDigestLen  /* gets digest length */
 +);
 +#endif
 +
 +
 +/* C_DigestUpdate continues a multiple-part message-digesting
 + * operation. */
 +CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_BYTE_PTR       pPart,     /* data to be digested */
 +  CK_ULONG          ulPartLen  /* bytes of data to be digested */
 +);
 +#endif
 +
 +
 +/* C_DigestKey continues a multi-part message-digesting
 + * operation, by digesting the value of a secret key as part of
 + * the data already digested. */
 +CK_PKCS11_FUNCTION_INFO(C_DigestKey)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_OBJECT_HANDLE  hKey       /* secret key to digest */
 +);
 +#endif
 +
 +
 +/* C_DigestFinal finishes a multiple-part message-digesting
 + * operation. */
 +CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,     /* the session's handle */
 +  CK_BYTE_PTR       pDigest,      /* gets the message digest */
 +  CK_ULONG_PTR      pulDigestLen  /* gets byte count of digest */
 +);
 +#endif
 +
 +
 +
 +/* Signing and MACing */
 +
 +/* C_SignInit initializes a signature (private key encryption)
 + * operation, where the signature is (will be) an appendix to
 + * the data, and plaintext cannot be recovered from the
 + *signature. */
 +CK_PKCS11_FUNCTION_INFO(C_SignInit)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,    /* the session's handle */
 +  CK_MECHANISM_PTR  pMechanism,  /* the signature mechanism */
 +  CK_OBJECT_HANDLE  hKey         /* handle of signature key */
 +);
 +#endif
 +
 +
 +/* C_Sign signs (encrypts with private key) data in a single
 + * part, where the signature is (will be) an appendix to the
 + * data, and plaintext cannot be recovered from the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_Sign)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,        /* the session's handle */
 +  CK_BYTE_PTR       pData,           /* the data to sign */
 +  CK_ULONG          ulDataLen,       /* count of bytes to sign */
 +  CK_BYTE_PTR       pSignature,      /* gets the signature */
 +  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
 +);
 +#endif
 +
 +
 +/* C_SignUpdate continues a multiple-part signature operation,
 + * where the signature is (will be) an appendix to the data, 
 + * and plaintext cannot be recovered from the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_BYTE_PTR       pPart,     /* the data to sign */
 +  CK_ULONG          ulPartLen  /* count of bytes to sign */
 +);
 +#endif
 +
 +
 +/* C_SignFinal finishes a multiple-part signature operation, 
 + * returning the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_SignFinal)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,        /* the session's handle */
 +  CK_BYTE_PTR       pSignature,      /* gets the signature */
 +  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
 +);
 +#endif
 +
 +
 +/* C_SignRecoverInit initializes a signature operation, where
 + * the data can be recovered from the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,   /* the session's handle */
 +  CK_MECHANISM_PTR  pMechanism, /* the signature mechanism */
 +  CK_OBJECT_HANDLE  hKey        /* handle of the signature key */
 +);
 +#endif
 +
 +
 +/* C_SignRecover signs data in a single operation, where the
 + * data can be recovered from the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_SignRecover)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,        /* the session's handle */
 +  CK_BYTE_PTR       pData,           /* the data to sign */
 +  CK_ULONG          ulDataLen,       /* count of bytes to sign */
 +  CK_BYTE_PTR       pSignature,      /* gets the signature */
 +  CK_ULONG_PTR      pulSignatureLen  /* gets signature length */
 +);
 +#endif
 +
 +
 +
 +/* Verifying signatures and MACs */
 +
 +/* C_VerifyInit initializes a verification operation, where the
 + * signature is an appendix to the data, and plaintext cannot
 + *  cannot be recovered from the signature (e.g. DSA). */
 +CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,    /* the session's handle */
 +  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
 +  CK_OBJECT_HANDLE  hKey         /* verification key */ 
 +);
 +#endif
 +
 +
 +/* C_Verify verifies a signature in a single-part operation, 
 + * where the signature is an appendix to the data, and plaintext
 + * cannot be recovered from the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_Verify)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,       /* the session's handle */
 +  CK_BYTE_PTR       pData,          /* signed data */
 +  CK_ULONG          ulDataLen,      /* length of signed data */
 +  CK_BYTE_PTR       pSignature,     /* signature */
 +  CK_ULONG          ulSignatureLen  /* signature length*/
 +);
 +#endif
 +
 +
 +/* C_VerifyUpdate continues a multiple-part verification
 + * operation, where the signature is an appendix to the data, 
 + * and plaintext cannot be recovered from the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_BYTE_PTR       pPart,     /* signed data */
 +  CK_ULONG          ulPartLen  /* length of signed data */
 +);
 +#endif
 +
 +
 +/* C_VerifyFinal finishes a multiple-part verification
 + * operation, checking the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,       /* the session's handle */
 +  CK_BYTE_PTR       pSignature,     /* signature to verify */
 +  CK_ULONG          ulSignatureLen  /* signature length */
 +);
 +#endif
 +
 +
 +/* C_VerifyRecoverInit initializes a signature verification
 + * operation, where the data is recovered from the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,    /* the session's handle */
 +  CK_MECHANISM_PTR  pMechanism,  /* the verification mechanism */
 +  CK_OBJECT_HANDLE  hKey         /* verification key */
 +);
 +#endif
 +
 +
 +/* C_VerifyRecover verifies a signature in a single-part
 + * operation, where the data is recovered from the signature. */
 +CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,        /* the session's handle */
 +  CK_BYTE_PTR       pSignature,      /* signature to verify */
 +  CK_ULONG          ulSignatureLen,  /* signature length */
 +  CK_BYTE_PTR       pData,           /* gets signed data */
 +  CK_ULONG_PTR      pulDataLen       /* gets signed data len */
 +);
 +#endif
 +
 +
 +
 +/* Dual-function cryptographic operations */
 +
 +/* C_DigestEncryptUpdate continues a multiple-part digesting
 + * and encryption operation. */
 +CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,            /* session's handle */
 +  CK_BYTE_PTR       pPart,               /* the plaintext data */
 +  CK_ULONG          ulPartLen,           /* plaintext length */
 +  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
 +  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
 +);
 +#endif
 +
 +
 +/* C_DecryptDigestUpdate continues a multiple-part decryption and
 + * digesting operation. */
 +CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,            /* session's handle */
 +  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
 +  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
 +  CK_BYTE_PTR       pPart,               /* gets plaintext */
 +  CK_ULONG_PTR      pulPartLen           /* gets plaintext len */
 +);
 +#endif
 +
 +
 +/* C_SignEncryptUpdate continues a multiple-part signing and
 + * encryption operation. */
 +CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,            /* session's handle */
 +  CK_BYTE_PTR       pPart,               /* the plaintext data */
 +  CK_ULONG          ulPartLen,           /* plaintext length */
 +  CK_BYTE_PTR       pEncryptedPart,      /* gets ciphertext */
 +  CK_ULONG_PTR      pulEncryptedPartLen  /* gets c-text length */
 +);
 +#endif
 +
 +
 +/* C_DecryptVerifyUpdate continues a multiple-part decryption and
 + * verify operation. */
 +CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,            /* session's handle */
 +  CK_BYTE_PTR       pEncryptedPart,      /* ciphertext */
 +  CK_ULONG          ulEncryptedPartLen,  /* ciphertext length */
 +  CK_BYTE_PTR       pPart,               /* gets plaintext */
 +  CK_ULONG_PTR      pulPartLen           /* gets p-text length */
 +);
 +#endif
 +
 +
 +
 +/* Key management */
 +
 +/* C_GenerateKey generates a secret key, creating a new key
 + * object. */
 +CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE    hSession,    /* the session's handle */
 +  CK_MECHANISM_PTR     pMechanism,  /* key generation mech. */
 +  CK_ATTRIBUTE_PTR     pTemplate,   /* template for new key */
 +  CK_ULONG             ulCount,     /* # of attrs in template */
 +  CK_OBJECT_HANDLE_PTR phKey        /* gets handle of new key */
 +);
 +#endif
 +
 +
 +/* C_GenerateKeyPair generates a public-key/private-key pair, 
 + * creating new key objects. */
 +CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE    hSession,                    /* session
 +                                                     * handle */
 +  CK_MECHANISM_PTR     pMechanism,                  /* key-gen
 +                                                     * mech. */
 +  CK_ATTRIBUTE_PTR     pPublicKeyTemplate,          /* template
 +                                                     * for pub.
 +                                                     * key */
 +  CK_ULONG             ulPublicKeyAttributeCount,   /* # pub.
 +                                                     * attrs. */
 +  CK_ATTRIBUTE_PTR     pPrivateKeyTemplate,         /* template
 +                                                     * for priv.
 +                                                     * key */
 +  CK_ULONG             ulPrivateKeyAttributeCount,  /* # priv.
 +                                                     * attrs. */
 +  CK_OBJECT_HANDLE_PTR phPublicKey,                 /* gets pub.
 +                                                     * key
 +                                                     * handle */
 +  CK_OBJECT_HANDLE_PTR phPrivateKey                 /* gets
 +                                                     * priv. key
 +                                                     * handle */
 +);
 +#endif
 +
 +
 +/* C_WrapKey wraps (i.e., encrypts) a key. */
 +CK_PKCS11_FUNCTION_INFO(C_WrapKey)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,        /* the session's handle */
 +  CK_MECHANISM_PTR  pMechanism,      /* the wrapping mechanism */
 +  CK_OBJECT_HANDLE  hWrappingKey,    /* wrapping key */
 +  CK_OBJECT_HANDLE  hKey,            /* key to be wrapped */
 +  CK_BYTE_PTR       pWrappedKey,     /* gets wrapped key */
 +  CK_ULONG_PTR      pulWrappedKeyLen /* gets wrapped key size */
 +);
 +#endif
 +
 +
 +/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
 + * key object. */
 +CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE    hSession,          /* session's handle */
 +  CK_MECHANISM_PTR     pMechanism,        /* unwrapping mech. */
 +  CK_OBJECT_HANDLE     hUnwrappingKey,    /* unwrapping key */
 +  CK_BYTE_PTR          pWrappedKey,       /* the wrapped key */
 +  CK_ULONG             ulWrappedKeyLen,   /* wrapped key len */
 +  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
 +  CK_ULONG             ulAttributeCount,  /* template length */
 +  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
 +);
 +#endif
 +
 +
 +/* C_DeriveKey derives a key from a base key, creating a new key
 + * object. */
 +CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE    hSession,          /* session's handle */
 +  CK_MECHANISM_PTR     pMechanism,        /* key deriv. mech. */
 +  CK_OBJECT_HANDLE     hBaseKey,          /* base key */
 +  CK_ATTRIBUTE_PTR     pTemplate,         /* new key template */
 +  CK_ULONG             ulAttributeCount,  /* template length */
 +  CK_OBJECT_HANDLE_PTR phKey              /* gets new handle */
 +);
 +#endif
 +
 +
 +
 +/* Random number generation */
 +
 +/* C_SeedRandom mixes additional seed material into the token's
 + * random number generator. */
 +CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,  /* the session's handle */
 +  CK_BYTE_PTR       pSeed,     /* the seed material */
 +  CK_ULONG          ulSeedLen  /* length of seed material */
 +);
 +#endif
 +
 +
 +/* C_GenerateRandom generates random data. */
 +CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession,    /* the session's handle */
 +  CK_BYTE_PTR       RandomData,  /* receives the random data */
 +  CK_ULONG          ulRandomLen  /* # of bytes to generate */
 +);
 +#endif
 +
 +
 +
 +/* Parallel function management */
 +
 +/* C_GetFunctionStatus is a legacy function; it obtains an
 + * updated status of a function running in parallel with an
 + * application. */
 +CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession  /* the session's handle */
 +);
 +#endif
 +
 +
 +/* C_CancelFunction is a legacy function; it cancels a function
 + * running in parallel. */
 +CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_SESSION_HANDLE hSession  /* the session's handle */
 +);
 +#endif
 +
 +
 +
 +/* Functions added in for Cryptoki Version 2.01 or later */
 +
 +/* C_WaitForSlotEvent waits for a slot event (token insertion,
 + * removal, etc.) to occur. */
 +CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
 +#ifdef CK_NEED_ARG_LIST
 +(
 +  CK_FLAGS flags,        /* blocking/nonblocking flag */
 +  CK_SLOT_ID_PTR pSlot,  /* location that receives the slot ID */
 +  CK_VOID_PTR pRserved   /* reserved.  Should be NULL_PTR */
 +);
 +#endif
 diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11.h
 --- openssh-4.4p1/pkcs11-headers/pkcs11.h   1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11.h   2006-09-28 08:05:35.000000000 +0300
 @@ -0,0 +1,299 @@
 +/* pkcs11.h include file for PKCS #11. */
 +/* $Revision: 1.4 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
 + * (Cryptoki)" in all material mentioning or referencing this software.
 +
 + * License is also granted to make and use derivative works provided that
 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or 
 + * referencing the derived work.
 +
 + * RSA Security Inc. makes no representations concerning either the 
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + */
 +
 +#ifndef _PKCS11_H_
 +#define _PKCS11_H_ 1
 +
 +#ifdef __cplusplus
 +extern "C" {
 +#endif
 +
 +/* Before including this file (pkcs11.h) (or pkcs11t.h by
 + * itself), 6 platform-specific macros must be defined.  These
 + * macros are described below, and typical definitions for them
 + * are also given.  Be advised that these definitions can depend
 + * on both the platform and the compiler used (and possibly also
 + * on whether a Cryptoki library is linked statically or
 + * dynamically).
 + *
 + * In addition to defining these 6 macros, the packing convention
 + * for Cryptoki structures should be set.  The Cryptoki
 + * convention on packing is that structures should be 1-byte
 + * aligned.
 + *
 + * If you're using Microsoft Developer Studio 5.0 to produce
 + * Win32 stuff, this might be done by using the following
 + * preprocessor directive before including pkcs11.h or pkcs11t.h:
 + *
 + * #pragma pack(push, cryptoki, 1)
 + *
 + * and using the following preprocessor directive after including
 + * pkcs11.h or pkcs11t.h:
 + *
 + * #pragma pack(pop, cryptoki)
 + *
 + * If you're using an earlier version of Microsoft Developer
 + * Studio to produce Win16 stuff, this might be done by using
 + * the following preprocessor directive before including
 + * pkcs11.h or pkcs11t.h:
 + *
 + * #pragma pack(1)
 + *
 + * In a UNIX environment, you're on your own for this.  You might
 + * not need to do (or be able to do!) anything.
 + *
 + *
 + * Now for the macros:
 + *
 + *
 + * 1. CK_PTR: The indirection string for making a pointer to an
 + * object.  It can be used like this:
 + *
 + * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
 + *
 + * If you're using Microsoft Developer Studio 5.0 to produce
 + * Win32 stuff, it might be defined by:
 + *
 + * #define CK_PTR *
 + *
 + * If you're using an earlier version of Microsoft Developer
 + * Studio to produce Win16 stuff, it might be defined by:
 + *
 + * #define CK_PTR far *
 + *
 + * In a typical UNIX environment, it might be defined by:
 + *
 + * #define CK_PTR *
 + *
 + *
 + * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
 + * an exportable Cryptoki library function definition out of a
 + * return type and a function name.  It should be used in the
 + * following fashion to define the exposed Cryptoki functions in
 + * a Cryptoki library:
 + *
 + * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
 + *   CK_VOID_PTR pReserved
 + * )
 + * {
 + *   ...
 + * }
 + *
 + * If you're using Microsoft Developer Studio 5.0 to define a
 + * function in a Win32 Cryptoki .dll, it might be defined by:
 + *
 + * #define CK_DEFINE_FUNCTION(returnType, name) \
 + *   returnType __declspec(dllexport) name
 + *
 + * If you're using an earlier version of Microsoft Developer
 + * Studio to define a function in a Win16 Cryptoki .dll, it
 + * might be defined by:
 + *
 + * #define CK_DEFINE_FUNCTION(returnType, name) \
 + *   returnType __export _far _pascal name
 + *
 + * In a UNIX environment, it might be defined by:
 + *
 + * #define CK_DEFINE_FUNCTION(returnType, name) \
 + *   returnType name
 + *
 + *
 + * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
 + * an importable Cryptoki library function declaration out of a
 + * return type and a function name.  It should be used in the
 + * following fashion:
 + *
 + * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
 + *   CK_VOID_PTR pReserved
 + * );
 + *
 + * If you're using Microsoft Developer Studio 5.0 to declare a
 + * function in a Win32 Cryptoki .dll, it might be defined by:
 + *
 + * #define CK_DECLARE_FUNCTION(returnType, name) \
 + *   returnType __declspec(dllimport) name
 + *
 + * If you're using an earlier version of Microsoft Developer
 + * Studio to declare a function in a Win16 Cryptoki .dll, it
 + * might be defined by:
 + *
 + * #define CK_DECLARE_FUNCTION(returnType, name) \
 + *   returnType __export _far _pascal name
 + *
 + * In a UNIX environment, it might be defined by:
 + *
 + * #define CK_DECLARE_FUNCTION(returnType, name) \
 + *   returnType name
 + *
 + *
 + * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
 + * which makes a Cryptoki API function pointer declaration or
 + * function pointer type declaration out of a return type and a
 + * function name.  It should be used in the following fashion:
 + *
 + * // Define funcPtr to be a pointer to a Cryptoki API function
 + * // taking arguments args and returning CK_RV.
 + * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
 + *
 + * or
 + *
 + * // Define funcPtrType to be the type of a pointer to a
 + * // Cryptoki API function taking arguments args and returning
 + * // CK_RV, and then define funcPtr to be a variable of type
 + * // funcPtrType.
 + * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
 + * funcPtrType funcPtr;
 + *
 + * If you're using Microsoft Developer Studio 5.0 to access
 + * functions in a Win32 Cryptoki .dll, in might be defined by:
 + *
 + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
 + *   returnType __declspec(dllimport) (* name)
 + *
 + * If you're using an earlier version of Microsoft Developer
 + * Studio to access functions in a Win16 Cryptoki .dll, it might
 + * be defined by:
 + *
 + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
 + *   returnType __export _far _pascal (* name)
 + *
 + * In a UNIX environment, it might be defined by:
 + *
 + * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
 + *   returnType (* name)
 + *
 + *
 + * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
 + * a function pointer type for an application callback out of
 + * a return type for the callback and a name for the callback.
 + * It should be used in the following fashion:
 + *
 + * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
 + *
 + * to declare a function pointer, myCallback, to a callback
 + * which takes arguments args and returns a CK_RV.  It can also
 + * be used like this:
 + *
 + * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
 + * myCallbackType myCallback;
 + *
 + * If you're using Microsoft Developer Studio 5.0 to do Win32
 + * Cryptoki development, it might be defined by:
 + *
 + * #define CK_CALLBACK_FUNCTION(returnType, name) \
 + *   returnType (* name)
 + *
 + * If you're using an earlier version of Microsoft Developer
 + * Studio to do Win16 development, it might be defined by:
 + *
 + * #define CK_CALLBACK_FUNCTION(returnType, name) \
 + *   returnType _far _pascal (* name)
 + *
 + * In a UNIX environment, it might be defined by:
 + *
 + * #define CK_CALLBACK_FUNCTION(returnType, name) \
 + *   returnType (* name)
 + *
 + *
 + * 6. NULL_PTR: This macro is the value of a NULL pointer.
 + *
 + * In any ANSI/ISO C environment (and in many others as well),
 + * this should best be defined by
 + *
 + * #ifndef NULL_PTR
 + * #define NULL_PTR 0
 + * #endif
 + */
 +
 +
 +/* All the various Cryptoki types and #define'd values are in the
 + * file pkcs11t.h. */
 +#include "pkcs11t.h"
 +
 +#define __PASTE(x,y)      x##y
 +
 +
 +/* ==============================================================
 + * Define the "extern" form of all the entry points.
 + * ==============================================================
 + */
 +
 +#define CK_NEED_ARG_LIST  1
 +#define CK_PKCS11_FUNCTION_INFO(name) \
 +  extern CK_DECLARE_FUNCTION(CK_RV, name)
 +
 +/* pkcs11f.h has all the information about the Cryptoki
 + * function prototypes. */
 +#include "pkcs11f.h"
 +
 +#undef CK_NEED_ARG_LIST
 +#undef CK_PKCS11_FUNCTION_INFO
 +
 +
 +/* ==============================================================
 + * Define the typedef form of all the entry points.  That is, for
 + * each Cryptoki function C_XXX, define a type CK_C_XXX which is
 + * a pointer to that kind of function.
 + * ==============================================================
 + */
 +
 +#define CK_NEED_ARG_LIST  1
 +#define CK_PKCS11_FUNCTION_INFO(name) \
 +  typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
 +
 +/* pkcs11f.h has all the information about the Cryptoki
 + * function prototypes. */
 +#include "pkcs11f.h"
 +
 +#undef CK_NEED_ARG_LIST
 +#undef CK_PKCS11_FUNCTION_INFO
 +
 +
 +/* ==============================================================
 + * Define structed vector of entry points.  A CK_FUNCTION_LIST
 + * contains a CK_VERSION indicating a library's Cryptoki version
 + * and then a whole slew of function pointers to the routines in
 + * the library.  This type was declared, but not defined, in
 + * pkcs11t.h.
 + * ==============================================================
 + */
 +
 +#define CK_PKCS11_FUNCTION_INFO(name) \
 +  __PASTE(CK_,name) name;
 +  
 +struct CK_FUNCTION_LIST {
 +
 +  CK_VERSION    version;  /* Cryptoki version */
 +
 +/* Pile all the function pointers into the CK_FUNCTION_LIST. */
 +/* pkcs11f.h has all the information about the Cryptoki
 + * function prototypes. */
 +#include "pkcs11f.h"
 +
 +};
 +
 +#undef CK_PKCS11_FUNCTION_INFO
 +
 +
 +#undef __PASTE
 +
 +#ifdef __cplusplus
 +}
 +#endif
 +
 +#endif
 diff -urNp openssh-4.4p1/pkcs11-headers/pkcs11t.h openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11t.h
 --- openssh-4.4p1/pkcs11-headers/pkcs11t.h  1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/pkcs11-headers/pkcs11t.h  2006-09-28 08:05:35.000000000 +0300
 @@ -0,0 +1,1685 @@
 +/* pkcs11t.h include file for PKCS #11. */
 +/* $Revision: 1.6 $ */
 +
 +/* License to copy and use this software is granted provided that it is
 + * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
 + * (Cryptoki)" in all material mentioning or referencing this software.
 +
 + * License is also granted to make and use derivative works provided that
 + * such works are identified as "derived from the RSA Security Inc. PKCS #11
 + * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
 + * referencing the derived work.
 +
 + * RSA Security Inc. makes no representations concerning either the
 + * merchantability of this software or the suitability of this software for
 + * any particular purpose. It is provided "as is" without express or implied
 + * warranty of any kind.
 + */
 +
 +/* See top of pkcs11.h for information about the macros that
 + * must be defined and the structure-packing conventions that
 + * must be set before including this file. */
 +
 +#ifndef _PKCS11T_H_
 +#define _PKCS11T_H_ 1
 +
 +#define CK_TRUE 1
 +#define CK_FALSE 0
 +
 +#ifndef CK_DISABLE_TRUE_FALSE
 +#ifndef FALSE
 +#define FALSE CK_FALSE
 +#endif
 +
 +#ifndef TRUE
 +#define TRUE CK_TRUE
 +#endif
 +#endif
 +
 +/* an unsigned 8-bit value */
 +typedef unsigned char     CK_BYTE;
 +
 +/* an unsigned 8-bit character */
 +typedef CK_BYTE           CK_CHAR;
 +
 +/* an 8-bit UTF-8 character */
 +typedef CK_BYTE           CK_UTF8CHAR;
 +
 +/* a BYTE-sized Boolean flag */
 +typedef CK_BYTE           CK_BBOOL;
 +
 +/* an unsigned value, at least 32 bits long */
 +typedef unsigned long int CK_ULONG;
 +
 +/* a signed value, the same size as a CK_ULONG */
 +/* CK_LONG is new for v2.0 */
 +typedef long int          CK_LONG;
 +
 +/* at least 32 bits; each bit is a Boolean flag */
 +typedef CK_ULONG          CK_FLAGS;
 +
 +
 +/* some special values for certain CK_ULONG variables */
 +#define CK_UNAVAILABLE_INFORMATION (~0UL)
 +#define CK_EFFECTIVELY_INFINITE    0
 +
 +
 +typedef CK_BYTE     CK_PTR   CK_BYTE_PTR;
 +typedef CK_CHAR     CK_PTR   CK_CHAR_PTR;
 +typedef CK_UTF8CHAR CK_PTR   CK_UTF8CHAR_PTR;
 +typedef CK_ULONG    CK_PTR   CK_ULONG_PTR;
 +typedef void        CK_PTR   CK_VOID_PTR;
 +
 +/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
 +typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
 +
 +
 +/* The following value is always invalid if used as a session */
 +/* handle or object handle */
 +#define CK_INVALID_HANDLE 0
 +
 +
 +typedef struct CK_VERSION {
 +  CK_BYTE       major;  /* integer portion of version number */
 +  CK_BYTE       minor;  /* 1/100ths portion of version number */
 +} CK_VERSION;
 +
 +typedef CK_VERSION CK_PTR CK_VERSION_PTR;
 +
 +
 +typedef struct CK_INFO {
 +  /* manufacturerID and libraryDecription have been changed from
 +   * CK_CHAR to CK_UTF8CHAR for v2.10 */
 +  CK_VERSION    cryptokiVersion;     /* Cryptoki interface ver */
 +  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
 +  CK_FLAGS      flags;               /* must be zero */
 +
 +  /* libraryDescription and libraryVersion are new for v2.0 */
 +  CK_UTF8CHAR   libraryDescription[32];  /* blank padded */
 +  CK_VERSION    libraryVersion;          /* version of library */
 +} CK_INFO;
 +
 +typedef CK_INFO CK_PTR    CK_INFO_PTR;
 +
 +
 +/* CK_NOTIFICATION enumerates the types of notifications that
 + * Cryptoki provides to an application */
 +/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
 + * for v2.0 */
 +typedef CK_ULONG CK_NOTIFICATION;
 +#define CKN_SURRENDER       0
 +
 +
 +typedef CK_ULONG          CK_SLOT_ID;
 +
 +typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
 +
 +
 +/* CK_SLOT_INFO provides information about a slot */
 +typedef struct CK_SLOT_INFO {
 +  /* slotDescription and manufacturerID have been changed from
 +   * CK_CHAR to CK_UTF8CHAR for v2.10 */
 +  CK_UTF8CHAR   slotDescription[64];  /* blank padded */
 +  CK_UTF8CHAR   manufacturerID[32];   /* blank padded */
 +  CK_FLAGS      flags;
 +
 +  /* hardwareVersion and firmwareVersion are new for v2.0 */
 +  CK_VERSION    hardwareVersion;  /* version of hardware */
 +  CK_VERSION    firmwareVersion;  /* version of firmware */
 +} CK_SLOT_INFO;
 +
 +/* flags: bit flags that provide capabilities of the slot
 + *      Bit Flag              Mask        Meaning
 + */
 +#define CKF_TOKEN_PRESENT     0x00000001  /* a token is there */
 +#define CKF_REMOVABLE_DEVICE  0x00000002  /* removable devices*/
 +#define CKF_HW_SLOT           0x00000004  /* hardware slot */
 +
 +typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
 +
 +
 +/* CK_TOKEN_INFO provides information about a token */
 +typedef struct CK_TOKEN_INFO {
 +  /* label, manufacturerID, and model have been changed from
 +   * CK_CHAR to CK_UTF8CHAR for v2.10 */
 +  CK_UTF8CHAR   label[32];           /* blank padded */
 +  CK_UTF8CHAR   manufacturerID[32];  /* blank padded */
 +  CK_UTF8CHAR   model[16];           /* blank padded */
 +  CK_CHAR       serialNumber[16];    /* blank padded */
 +  CK_FLAGS      flags;               /* see below */
 +
 +  /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
 +   * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
 +   * changed from CK_USHORT to CK_ULONG for v2.0 */
 +  CK_ULONG      ulMaxSessionCount;     /* max open sessions */
 +  CK_ULONG      ulSessionCount;        /* sess. now open */
 +  CK_ULONG      ulMaxRwSessionCount;   /* max R/W sessions */
 +  CK_ULONG      ulRwSessionCount;      /* R/W sess. now open */
 +  CK_ULONG      ulMaxPinLen;           /* in bytes */
 +  CK_ULONG      ulMinPinLen;           /* in bytes */
 +  CK_ULONG      ulTotalPublicMemory;   /* in bytes */
 +  CK_ULONG      ulFreePublicMemory;    /* in bytes */
 +  CK_ULONG      ulTotalPrivateMemory;  /* in bytes */
 +  CK_ULONG      ulFreePrivateMemory;   /* in bytes */
 +
 +  /* hardwareVersion, firmwareVersion, and time are new for
 +   * v2.0 */
 +  CK_VERSION    hardwareVersion;       /* version of hardware */
 +  CK_VERSION    firmwareVersion;       /* version of firmware */
 +  CK_CHAR       utcTime[16];           /* time */
 +} CK_TOKEN_INFO;
 +
 +/* The flags parameter is defined as follows:
 + *      Bit Flag                    Mask        Meaning
 + */
 +#define CKF_RNG                     0x00000001  /* has random #
 +                                                 * generator */
 +#define CKF_WRITE_PROTECTED         0x00000002  /* token is
 +                                                 * write-
 +                                                 * protected */
 +#define CKF_LOGIN_REQUIRED          0x00000004  /* user must
 +                                                 * login */
 +#define CKF_USER_PIN_INITIALIZED    0x00000008  /* normal user's
 +                                                 * PIN is set */
 +
 +/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0.  If it is set,
 + * that means that *every* time the state of cryptographic
 + * operations of a session is successfully saved, all keys
 + * needed to continue those operations are stored in the state */
 +#define CKF_RESTORE_KEY_NOT_NEEDED  0x00000020
 +
 +/* CKF_CLOCK_ON_TOKEN is new for v2.0.  If it is set, that means
 + * that the token has some sort of clock.  The time on that
 + * clock is returned in the token info structure */
 +#define CKF_CLOCK_ON_TOKEN          0x00000040
 +
 +/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0.  If it is
 + * set, that means that there is some way for the user to login
 + * without sending a PIN through the Cryptoki library itself */
 +#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
 +
 +/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0.  If it is true,
 + * that means that a single session with the token can perform
 + * dual simultaneous cryptographic operations (digest and
 + * encrypt; decrypt and digest; sign and encrypt; and decrypt
 + * and sign) */
 +#define CKF_DUAL_CRYPTO_OPERATIONS  0x00000200
 +
 +/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
 + * token has been initialized using C_InitializeToken or an
 + * equivalent mechanism outside the scope of PKCS #11.
 + * Calling C_InitializeToken when this flag is set will cause
 + * the token to be reinitialized. */
 +#define CKF_TOKEN_INITIALIZED       0x00000400
 +
 +/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
 + * true, the token supports secondary authentication for
 + * private key objects. This flag is deprecated in v2.11 and
 +   onwards. */
 +#define CKF_SECONDARY_AUTHENTICATION  0x00000800
 +
 +/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
 + * incorrect user login PIN has been entered at least once
 + * since the last successful authentication. */
 +#define CKF_USER_PIN_COUNT_LOW       0x00010000
 +
 +/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
 + * supplying an incorrect user PIN will it to become locked. */
 +#define CKF_USER_PIN_FINAL_TRY       0x00020000
 +
 +/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
 + * user PIN has been locked. User login to the token is not
 + * possible. */
 +#define CKF_USER_PIN_LOCKED          0x00040000
 +
 +/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
 + * the user PIN value is the default value set by token
 + * initialization or manufacturing, or the PIN has been
 + * expired by the card. */
 +#define CKF_USER_PIN_TO_BE_CHANGED   0x00080000
 +
 +/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
 + * incorrect SO login PIN has been entered at least once since
 + * the last successful authentication. */
 +#define CKF_SO_PIN_COUNT_LOW         0x00100000
 +
 +/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
 + * supplying an incorrect SO PIN will it to become locked. */
 +#define CKF_SO_PIN_FINAL_TRY         0x00200000
 +
 +/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
 + * PIN has been locked. SO login to the token is not possible.
 + */
 +#define CKF_SO_PIN_LOCKED            0x00400000
 +
 +/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
 + * the SO PIN value is the default value set by token
 + * initialization or manufacturing, or the PIN has been
 + * expired by the card. */
 +#define CKF_SO_PIN_TO_BE_CHANGED     0x00800000
 +
 +typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
 +
 +
 +/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
 + * identifies a session */
 +typedef CK_ULONG          CK_SESSION_HANDLE;
 +
 +typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
 +
 +
 +/* CK_USER_TYPE enumerates the types of Cryptoki users */
 +/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
 + * v2.0 */
 +typedef CK_ULONG          CK_USER_TYPE;
 +/* Security Officer */
 +#define CKU_SO    0
 +/* Normal user */
 +#define CKU_USER  1
 +/* Context specific (added in v2.20) */
 +#define CKU_CONTEXT_SPECIFIC   2
 +
 +/* CK_STATE enumerates the session states */
 +/* CK_STATE has been changed from an enum to a CK_ULONG for
 + * v2.0 */
 +typedef CK_ULONG          CK_STATE;
 +#define CKS_RO_PUBLIC_SESSION  0
 +#define CKS_RO_USER_FUNCTIONS  1
 +#define CKS_RW_PUBLIC_SESSION  2
 +#define CKS_RW_USER_FUNCTIONS  3
 +#define CKS_RW_SO_FUNCTIONS    4
 +
 +
 +/* CK_SESSION_INFO provides information about a session */
 +typedef struct CK_SESSION_INFO {
 +  CK_SLOT_ID    slotID;
 +  CK_STATE      state;
 +  CK_FLAGS      flags;          /* see below */
 +
 +  /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
 +   * v2.0 */
 +  CK_ULONG      ulDeviceError;  /* device-dependent error code */
 +} CK_SESSION_INFO;
 +
 +/* The flags are defined in the following table:
 + *      Bit Flag                Mask        Meaning
 + */
 +#define CKF_RW_SESSION          0x00000002  /* session is r/w */
 +#define CKF_SERIAL_SESSION      0x00000004  /* no parallel */
 +
 +typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
 +
 +
 +/* CK_OBJECT_HANDLE is a token-specific identifier for an
 + * object  */
 +typedef CK_ULONG          CK_OBJECT_HANDLE;
 +
 +typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
 +
 +
 +/* CK_OBJECT_CLASS is a value that identifies the classes (or
 + * types) of objects that Cryptoki recognizes.  It is defined
 + * as follows: */
 +/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
 + * v2.0 */
 +typedef CK_ULONG          CK_OBJECT_CLASS;
 +
 +/* The following classes of objects are defined: */
 +/* CKO_HW_FEATURE is new for v2.10 */
 +/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
 +/* CKO_MECHANISM is new for v2.20 */
 +#define CKO_DATA              0x00000000
 +#define CKO_CERTIFICATE       0x00000001
 +#define CKO_PUBLIC_KEY        0x00000002
 +#define CKO_PRIVATE_KEY       0x00000003
 +#define CKO_SECRET_KEY        0x00000004
 +#define CKO_HW_FEATURE        0x00000005
 +#define CKO_DOMAIN_PARAMETERS 0x00000006
 +#define CKO_MECHANISM         0x00000007
 +#define CKO_VENDOR_DEFINED    0x80000000
 +
 +typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
 +
 +/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
 + * value that identifies the hardware feature type of an object
 + * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
 +typedef CK_ULONG          CK_HW_FEATURE_TYPE;
 +
 +/* The following hardware feature types are defined */
 +/* CKH_USER_INTERFACE is new for v2.20 */
 +#define CKH_MONOTONIC_COUNTER  0x00000001
 +#define CKH_CLOCK           0x00000002
 +#define CKH_USER_INTERFACE  0x00000003
 +#define CKH_VENDOR_DEFINED  0x80000000
 +
 +/* CK_KEY_TYPE is a value that identifies a key type */
 +/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
 +typedef CK_ULONG          CK_KEY_TYPE;
 +
 +/* the following key types are defined: */
 +#define CKK_RSA             0x00000000
 +#define CKK_DSA             0x00000001
 +#define CKK_DH              0x00000002
 +
 +/* CKK_ECDSA and CKK_KEA are new for v2.0 */
 +/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
 +#define CKK_ECDSA           0x00000003
 +#define CKK_EC              0x00000003
 +#define CKK_X9_42_DH        0x00000004
 +#define CKK_KEA             0x00000005
 +
 +#define CKK_GENERIC_SECRET  0x00000010
 +#define CKK_RC2             0x00000011
 +#define CKK_RC4             0x00000012
 +#define CKK_DES             0x00000013
 +#define CKK_DES2            0x00000014
 +#define CKK_DES3            0x00000015
 +
 +/* all these key types are new for v2.0 */
 +#define CKK_CAST            0x00000016
 +#define CKK_CAST3           0x00000017
 +/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
 +#define CKK_CAST5           0x00000018
 +#define CKK_CAST128         0x00000018
 +#define CKK_RC5             0x00000019
 +#define CKK_IDEA            0x0000001A
 +#define CKK_SKIPJACK        0x0000001B
 +#define CKK_BATON           0x0000001C
 +#define CKK_JUNIPER         0x0000001D
 +#define CKK_CDMF            0x0000001E
 +#define CKK_AES             0x0000001F
 +
 +/* BlowFish and TwoFish are new for v2.20 */
 +#define CKK_BLOWFISH        0x00000020
 +#define CKK_TWOFISH         0x00000021
 +
 +#define CKK_VENDOR_DEFINED  0x80000000
 +
 +
 +/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
 + * type */
 +/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
 + * for v2.0 */
 +typedef CK_ULONG          CK_CERTIFICATE_TYPE;
 +
 +/* The following certificate types are defined: */
 +/* CKC_X_509_ATTR_CERT is new for v2.10 */
 +/* CKC_WTLS is new for v2.20 */
 +#define CKC_X_509           0x00000000
 +#define CKC_X_509_ATTR_CERT 0x00000001
 +#define CKC_WTLS            0x00000002
 +#define CKC_VENDOR_DEFINED  0x80000000
 +
 +
 +/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
 + * type */
 +/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
 + * v2.0 */
 +typedef CK_ULONG          CK_ATTRIBUTE_TYPE;
 +
 +/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
 +   consists of an array of values. */
 +#define CKF_ARRAY_ATTRIBUTE    0x40000000
 +
 +/* The following attribute types are defined: */
 +#define CKA_CLASS              0x00000000
 +#define CKA_TOKEN              0x00000001
 +#define CKA_PRIVATE            0x00000002
 +#define CKA_LABEL              0x00000003
 +#define CKA_APPLICATION        0x00000010
 +#define CKA_VALUE              0x00000011
 +
 +/* CKA_OBJECT_ID is new for v2.10 */
 +#define CKA_OBJECT_ID          0x00000012
 +
 +#define CKA_CERTIFICATE_TYPE   0x00000080
 +#define CKA_ISSUER             0x00000081
 +#define CKA_SERIAL_NUMBER      0x00000082
 +
 +/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
 + * for v2.10 */
 +#define CKA_AC_ISSUER          0x00000083
 +#define CKA_OWNER              0x00000084
 +#define CKA_ATTR_TYPES         0x00000085
 +
 +/* CKA_TRUSTED is new for v2.11 */
 +#define CKA_TRUSTED            0x00000086
 +
 +/* CKA_CERTIFICATE_CATEGORY ...
 + * CKA_CHECK_VALUE are new for v2.20 */
 +#define CKA_CERTIFICATE_CATEGORY        0x00000087
 +#define CKA_JAVA_MIDP_SECURITY_DOMAIN   0x00000088
 +#define CKA_URL                         0x00000089
 +#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY  0x0000008A
 +#define CKA_HASH_OF_ISSUER_PUBLIC_KEY   0x0000008B
 +#define CKA_CHECK_VALUE                 0x00000090
 +
 +#define CKA_KEY_TYPE           0x00000100
 +#define CKA_SUBJECT            0x00000101
 +#define CKA_ID                 0x00000102
 +#define CKA_SENSITIVE          0x00000103
 +#define CKA_ENCRYPT            0x00000104
 +#define CKA_DECRYPT            0x00000105
 +#define CKA_WRAP               0x00000106
 +#define CKA_UNWRAP             0x00000107
 +#define CKA_SIGN               0x00000108
 +#define CKA_SIGN_RECOVER       0x00000109
 +#define CKA_VERIFY             0x0000010A
 +#define CKA_VERIFY_RECOVER     0x0000010B
 +#define CKA_DERIVE             0x0000010C
 +#define CKA_START_DATE         0x00000110
 +#define CKA_END_DATE           0x00000111
 +#define CKA_MODULUS            0x00000120
 +#define CKA_MODULUS_BITS       0x00000121
 +#define CKA_PUBLIC_EXPONENT    0x00000122
 +#define CKA_PRIVATE_EXPONENT   0x00000123
 +#define CKA_PRIME_1            0x00000124
 +#define CKA_PRIME_2            0x00000125
 +#define CKA_EXPONENT_1         0x00000126
 +#define CKA_EXPONENT_2         0x00000127
 +#define CKA_COEFFICIENT        0x00000128
 +#define CKA_PRIME              0x00000130
 +#define CKA_SUBPRIME           0x00000131
 +#define CKA_BASE               0x00000132
 +
 +/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
 +#define CKA_PRIME_BITS         0x00000133
 +#define CKA_SUBPRIME_BITS      0x00000134
 +#define CKA_SUB_PRIME_BITS     CKA_SUBPRIME_BITS
 +/* (To retain backwards-compatibility) */
 +
 +#define CKA_VALUE_BITS         0x00000160
 +#define CKA_VALUE_LEN          0x00000161
 +
 +/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
 + * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
 + * and CKA_EC_POINT are new for v2.0 */
 +#define CKA_EXTRACTABLE        0x00000162
 +#define CKA_LOCAL              0x00000163
 +#define CKA_NEVER_EXTRACTABLE  0x00000164
 +#define CKA_ALWAYS_SENSITIVE   0x00000165
 +
 +/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
 +#define CKA_KEY_GEN_MECHANISM  0x00000166
 +
 +#define CKA_MODIFIABLE         0x00000170
 +
 +/* CKA_ECDSA_PARAMS is deprecated in v2.11,
 + * CKA_EC_PARAMS is preferred. */
 +#define CKA_ECDSA_PARAMS       0x00000180
 +#define CKA_EC_PARAMS          0x00000180
 +
 +#define CKA_EC_POINT           0x00000181
 +
 +/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
 + * are new for v2.10. Deprecated in v2.11 and onwards. */
 +#define CKA_SECONDARY_AUTH     0x00000200
 +#define CKA_AUTH_PIN_FLAGS     0x00000201
 +
 +/* CKA_ALWAYS_AUTHENTICATE ...
 + * CKA_UNWRAP_TEMPLATE are new for v2.20 */
 +#define CKA_ALWAYS_AUTHENTICATE  0x00000202
 +
 +#define CKA_WRAP_WITH_TRUSTED    0x00000210
 +#define CKA_WRAP_TEMPLATE        (CKF_ARRAY_ATTRIBUTE|0x00000211)
 +#define CKA_UNWRAP_TEMPLATE      (CKF_ARRAY_ATTRIBUTE|0x00000212)
 +
 +/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
 + * are new for v2.10 */
 +#define CKA_HW_FEATURE_TYPE    0x00000300
 +#define CKA_RESET_ON_INIT      0x00000301
 +#define CKA_HAS_RESET          0x00000302
 +
 +/* The following attributes are new for v2.20 */
 +#define CKA_PIXEL_X                     0x00000400
 +#define CKA_PIXEL_Y                     0x00000401
 +#define CKA_RESOLUTION                  0x00000402
 +#define CKA_CHAR_ROWS                   0x00000403
 +#define CKA_CHAR_COLUMNS                0x00000404
 +#define CKA_COLOR                       0x00000405
 +#define CKA_BITS_PER_PIXEL              0x00000406
 +#define CKA_CHAR_SETS                   0x00000480
 +#define CKA_ENCODING_METHODS            0x00000481
 +#define CKA_MIME_TYPES                  0x00000482
 +#define CKA_MECHANISM_TYPE              0x00000500
 +#define CKA_REQUIRED_CMS_ATTRIBUTES     0x00000501
 +#define CKA_DEFAULT_CMS_ATTRIBUTES      0x00000502
 +#define CKA_SUPPORTED_CMS_ATTRIBUTES    0x00000503
 +#define CKA_ALLOWED_MECHANISMS          (CKF_ARRAY_ATTRIBUTE|0x00000600)
 +
 +#define CKA_VENDOR_DEFINED     0x80000000
 +
 +
 +/* CK_ATTRIBUTE is a structure that includes the type, length
 + * and value of an attribute */
 +typedef struct CK_ATTRIBUTE {
 +  CK_ATTRIBUTE_TYPE type;
 +  CK_VOID_PTR       pValue;
 +
 +  /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
 +  CK_ULONG          ulValueLen;  /* in bytes */
 +} CK_ATTRIBUTE;
 +
 +typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
 +
 +
 +/* CK_DATE is a structure that defines a date */
 +typedef struct CK_DATE{
 +  CK_CHAR       year[4];   /* the year ("1900" - "9999") */
 +  CK_CHAR       month[2];  /* the month ("01" - "12") */
 +  CK_CHAR       day[2];    /* the day   ("01" - "31") */
 +} CK_DATE;
 +
 +
 +/* CK_MECHANISM_TYPE is a value that identifies a mechanism
 + * type */
 +/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
 + * v2.0 */
 +typedef CK_ULONG          CK_MECHANISM_TYPE;
 +
 +/* the following mechanism types are defined: */
 +#define CKM_RSA_PKCS_KEY_PAIR_GEN      0x00000000
 +#define CKM_RSA_PKCS                   0x00000001
 +#define CKM_RSA_9796                   0x00000002
 +#define CKM_RSA_X_509                  0x00000003
 +
 +/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
 + * are new for v2.0.  They are mechanisms which hash and sign */
 +#define CKM_MD2_RSA_PKCS               0x00000004
 +#define CKM_MD5_RSA_PKCS               0x00000005
 +#define CKM_SHA1_RSA_PKCS              0x00000006
 +
 +/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
 + * CKM_RSA_PKCS_OAEP are new for v2.10 */
 +#define CKM_RIPEMD128_RSA_PKCS         0x00000007
 +#define CKM_RIPEMD160_RSA_PKCS         0x00000008
 +#define CKM_RSA_PKCS_OAEP              0x00000009
 +
 +/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
 + * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
 +#define CKM_RSA_X9_31_KEY_PAIR_GEN     0x0000000A
 +#define CKM_RSA_X9_31                  0x0000000B
 +#define CKM_SHA1_RSA_X9_31             0x0000000C
 +#define CKM_RSA_PKCS_PSS               0x0000000D
 +#define CKM_SHA1_RSA_PKCS_PSS          0x0000000E
 +
 +#define CKM_DSA_KEY_PAIR_GEN           0x00000010
 +#define CKM_DSA                        0x00000011
 +#define CKM_DSA_SHA1                   0x00000012
 +#define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020
 +#define CKM_DH_PKCS_DERIVE             0x00000021
 +
 +/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
 + * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
 + * v2.11 */
 +#define CKM_X9_42_DH_KEY_PAIR_GEN      0x00000030
 +#define CKM_X9_42_DH_DERIVE            0x00000031
 +#define CKM_X9_42_DH_HYBRID_DERIVE     0x00000032
 +#define CKM_X9_42_MQV_DERIVE           0x00000033
 +
 +/* CKM_SHA256/384/512 are new for v2.20 */
 +#define CKM_SHA256_RSA_PKCS            0x00000040
 +#define CKM_SHA384_RSA_PKCS            0x00000041
 +#define CKM_SHA512_RSA_PKCS            0x00000042
 +#define CKM_SHA256_RSA_PKCS_PSS        0x00000043
 +#define CKM_SHA384_RSA_PKCS_PSS        0x00000044
 +#define CKM_SHA512_RSA_PKCS_PSS        0x00000045
 +
 +#define CKM_RC2_KEY_GEN                0x00000100
 +#define CKM_RC2_ECB                    0x00000101
 +#define CKM_RC2_CBC                    0x00000102
 +#define CKM_RC2_MAC                    0x00000103
 +
 +/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
 +#define CKM_RC2_MAC_GENERAL            0x00000104
 +#define CKM_RC2_CBC_PAD                0x00000105
 +
 +#define CKM_RC4_KEY_GEN                0x00000110
 +#define CKM_RC4                        0x00000111
 +#define CKM_DES_KEY_GEN                0x00000120
 +#define CKM_DES_ECB                    0x00000121
 +#define CKM_DES_CBC                    0x00000122
 +#define CKM_DES_MAC                    0x00000123
 +
 +/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
 +#define CKM_DES_MAC_GENERAL            0x00000124
 +#define CKM_DES_CBC_PAD                0x00000125
 +
 +#define CKM_DES2_KEY_GEN               0x00000130
 +#define CKM_DES3_KEY_GEN               0x00000131
 +#define CKM_DES3_ECB                   0x00000132
 +#define CKM_DES3_CBC                   0x00000133
 +#define CKM_DES3_MAC                   0x00000134
 +
 +/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
 + * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
 + * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
 +#define CKM_DES3_MAC_GENERAL           0x00000135
 +#define CKM_DES3_CBC_PAD               0x00000136
 +#define CKM_CDMF_KEY_GEN               0x00000140
 +#define CKM_CDMF_ECB                   0x00000141
 +#define CKM_CDMF_CBC                   0x00000142
 +#define CKM_CDMF_MAC                   0x00000143
 +#define CKM_CDMF_MAC_GENERAL           0x00000144
 +#define CKM_CDMF_CBC_PAD               0x00000145
 +
 +/* the following four DES mechanisms are new for v2.20 */
 +#define CKM_DES_OFB64                  0x00000150
 +#define CKM_DES_OFB8                   0x00000151
 +#define CKM_DES_CFB64                  0x00000152
 +#define CKM_DES_CFB8                   0x00000153
 +
 +#define CKM_MD2                        0x00000200
 +
 +/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
 +#define CKM_MD2_HMAC                   0x00000201
 +#define CKM_MD2_HMAC_GENERAL           0x00000202
 +
 +#define CKM_MD5                        0x00000210
 +
 +/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
 +#define CKM_MD5_HMAC                   0x00000211
 +#define CKM_MD5_HMAC_GENERAL           0x00000212
 +
 +#define CKM_SHA_1                      0x00000220
 +
 +/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
 +#define CKM_SHA_1_HMAC                 0x00000221
 +#define CKM_SHA_1_HMAC_GENERAL         0x00000222
 +
 +/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
 + * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
 + * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
 +#define CKM_RIPEMD128                  0x00000230
 +#define CKM_RIPEMD128_HMAC             0x00000231
 +#define CKM_RIPEMD128_HMAC_GENERAL     0x00000232
 +#define CKM_RIPEMD160                  0x00000240
 +#define CKM_RIPEMD160_HMAC             0x00000241
 +#define CKM_RIPEMD160_HMAC_GENERAL     0x00000242
 +
 +/* CKM_SHA256/384/512 are new for v2.20 */
 +#define CKM_SHA256                     0x00000250
 +#define CKM_SHA256_HMAC                0x00000251
 +#define CKM_SHA256_HMAC_GENERAL        0x00000252
 +#define CKM_SHA384                     0x00000260
 +#define CKM_SHA384_HMAC                0x00000261
 +#define CKM_SHA384_HMAC_GENERAL        0x00000262
 +#define CKM_SHA512                     0x00000270
 +#define CKM_SHA512_HMAC                0x00000271
 +#define CKM_SHA512_HMAC_GENERAL        0x00000272
 +
 +/* All of the following mechanisms are new for v2.0 */
 +/* Note that CAST128 and CAST5 are the same algorithm */
 +#define CKM_CAST_KEY_GEN               0x00000300
 +#define CKM_CAST_ECB                   0x00000301
 +#define CKM_CAST_CBC                   0x00000302
 +#define CKM_CAST_MAC                   0x00000303
 +#define CKM_CAST_MAC_GENERAL           0x00000304
 +#define CKM_CAST_CBC_PAD               0x00000305
 +#define CKM_CAST3_KEY_GEN              0x00000310
 +#define CKM_CAST3_ECB                  0x00000311
 +#define CKM_CAST3_CBC                  0x00000312
 +#define CKM_CAST3_MAC                  0x00000313
 +#define CKM_CAST3_MAC_GENERAL          0x00000314
 +#define CKM_CAST3_CBC_PAD              0x00000315
 +#define CKM_CAST5_KEY_GEN              0x00000320
 +#define CKM_CAST128_KEY_GEN            0x00000320
 +#define CKM_CAST5_ECB                  0x00000321
 +#define CKM_CAST128_ECB                0x00000321
 +#define CKM_CAST5_CBC                  0x00000322
 +#define CKM_CAST128_CBC                0x00000322
 +#define CKM_CAST5_MAC                  0x00000323
 +#define CKM_CAST128_MAC                0x00000323
 +#define CKM_CAST5_MAC_GENERAL          0x00000324
 +#define CKM_CAST128_MAC_GENERAL        0x00000324
 +#define CKM_CAST5_CBC_PAD              0x00000325
 +#define CKM_CAST128_CBC_PAD            0x00000325
 +#define CKM_RC5_KEY_GEN                0x00000330
 +#define CKM_RC5_ECB                    0x00000331
 +#define CKM_RC5_CBC                    0x00000332
 +#define CKM_RC5_MAC                    0x00000333
 +#define CKM_RC5_MAC_GENERAL            0x00000334
 +#define CKM_RC5_CBC_PAD                0x00000335
 +#define CKM_IDEA_KEY_GEN               0x00000340
 +#define CKM_IDEA_ECB                   0x00000341
 +#define CKM_IDEA_CBC                   0x00000342
 +#define CKM_IDEA_MAC                   0x00000343
 +#define CKM_IDEA_MAC_GENERAL           0x00000344
 +#define CKM_IDEA_CBC_PAD               0x00000345
 +#define CKM_GENERIC_SECRET_KEY_GEN     0x00000350
 +#define CKM_CONCATENATE_BASE_AND_KEY   0x00000360
 +#define CKM_CONCATENATE_BASE_AND_DATA  0x00000362
 +#define CKM_CONCATENATE_DATA_AND_BASE  0x00000363
 +#define CKM_XOR_BASE_AND_DATA          0x00000364
 +#define CKM_EXTRACT_KEY_FROM_KEY       0x00000365
 +#define CKM_SSL3_PRE_MASTER_KEY_GEN    0x00000370
 +#define CKM_SSL3_MASTER_KEY_DERIVE     0x00000371
 +#define CKM_SSL3_KEY_AND_MAC_DERIVE    0x00000372
 +
 +/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
 + * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
 + * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
 +#define CKM_SSL3_MASTER_KEY_DERIVE_DH  0x00000373
 +#define CKM_TLS_PRE_MASTER_KEY_GEN     0x00000374
 +#define CKM_TLS_MASTER_KEY_DERIVE      0x00000375
 +#define CKM_TLS_KEY_AND_MAC_DERIVE     0x00000376
 +#define CKM_TLS_MASTER_KEY_DERIVE_DH   0x00000377
 +
 +/* CKM_TLS_PRF is new for v2.20 */
 +#define CKM_TLS_PRF                    0x00000378
 +
 +#define CKM_SSL3_MD5_MAC               0x00000380
 +#define CKM_SSL3_SHA1_MAC              0x00000381
 +#define CKM_MD5_KEY_DERIVATION         0x00000390
 +#define CKM_MD2_KEY_DERIVATION         0x00000391
 +#define CKM_SHA1_KEY_DERIVATION        0x00000392
 +
 +/* CKM_SHA256/384/512 are new for v2.20 */
 +#define CKM_SHA256_KEY_DERIVATION      0x00000393
 +#define CKM_SHA384_KEY_DERIVATION      0x00000394
 +#define CKM_SHA512_KEY_DERIVATION      0x00000395
 +
 +#define CKM_PBE_MD2_DES_CBC            0x000003A0
 +#define CKM_PBE_MD5_DES_CBC            0x000003A1
 +#define CKM_PBE_MD5_CAST_CBC           0x000003A2
 +#define CKM_PBE_MD5_CAST3_CBC          0x000003A3
 +#define CKM_PBE_MD5_CAST5_CBC          0x000003A4
 +#define CKM_PBE_MD5_CAST128_CBC        0x000003A4
 +#define CKM_PBE_SHA1_CAST5_CBC         0x000003A5
 +#define CKM_PBE_SHA1_CAST128_CBC       0x000003A5
 +#define CKM_PBE_SHA1_RC4_128           0x000003A6
 +#define CKM_PBE_SHA1_RC4_40            0x000003A7
 +#define CKM_PBE_SHA1_DES3_EDE_CBC      0x000003A8
 +#define CKM_PBE_SHA1_DES2_EDE_CBC      0x000003A9
 +#define CKM_PBE_SHA1_RC2_128_CBC       0x000003AA
 +#define CKM_PBE_SHA1_RC2_40_CBC        0x000003AB
 +
 +/* CKM_PKCS5_PBKD2 is new for v2.10 */
 +#define CKM_PKCS5_PBKD2                0x000003B0
 +
 +#define CKM_PBA_SHA1_WITH_SHA1_HMAC    0x000003C0
 +
 +/* WTLS mechanisms are new for v2.20 */
 +#define CKM_WTLS_PRE_MASTER_KEY_GEN         0x000003D0
 +#define CKM_WTLS_MASTER_KEY_DERIVE          0x000003D1
 +#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC   0x000003D2
 +#define CKM_WTLS_PRF                        0x000003D3
 +#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE  0x000003D4
 +#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE  0x000003D5
 +
 +#define CKM_KEY_WRAP_LYNKS             0x00000400
 +#define CKM_KEY_WRAP_SET_OAEP          0x00000401
 +
 +/* CKM_CMS_SIG is new for v2.20 */
 +#define CKM_CMS_SIG                    0x00000500
 +
 +/* Fortezza mechanisms */
 +#define CKM_SKIPJACK_KEY_GEN           0x00001000
 +#define CKM_SKIPJACK_ECB64             0x00001001
 +#define CKM_SKIPJACK_CBC64             0x00001002
 +#define CKM_SKIPJACK_OFB64             0x00001003
 +#define CKM_SKIPJACK_CFB64             0x00001004
 +#define CKM_SKIPJACK_CFB32             0x00001005
 +#define CKM_SKIPJACK_CFB16             0x00001006
 +#define CKM_SKIPJACK_CFB8              0x00001007
 +#define CKM_SKIPJACK_WRAP              0x00001008
 +#define CKM_SKIPJACK_PRIVATE_WRAP      0x00001009
 +#define CKM_SKIPJACK_RELAYX            0x0000100a
 +#define CKM_KEA_KEY_PAIR_GEN           0x00001010
 +#define CKM_KEA_KEY_DERIVE             0x00001011
 +#define CKM_FORTEZZA_TIMESTAMP         0x00001020
 +#define CKM_BATON_KEY_GEN              0x00001030
 +#define CKM_BATON_ECB128               0x00001031
 +#define CKM_BATON_ECB96                0x00001032
 +#define CKM_BATON_CBC128               0x00001033
 +#define CKM_BATON_COUNTER              0x00001034
 +#define CKM_BATON_SHUFFLE              0x00001035
 +#define CKM_BATON_WRAP                 0x00001036
 +
 +/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
 + * CKM_EC_KEY_PAIR_GEN is preferred */
 +#define CKM_ECDSA_KEY_PAIR_GEN         0x00001040
 +#define CKM_EC_KEY_PAIR_GEN            0x00001040
 +
 +#define CKM_ECDSA                      0x00001041
 +#define CKM_ECDSA_SHA1                 0x00001042
 +
 +/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
 + * are new for v2.11 */
 +#define CKM_ECDH1_DERIVE               0x00001050
 +#define CKM_ECDH1_COFACTOR_DERIVE      0x00001051
 +#define CKM_ECMQV_DERIVE               0x00001052
 +
 +#define CKM_JUNIPER_KEY_GEN            0x00001060
 +#define CKM_JUNIPER_ECB128             0x00001061
 +#define CKM_JUNIPER_CBC128             0x00001062
 +#define CKM_JUNIPER_COUNTER            0x00001063
 +#define CKM_JUNIPER_SHUFFLE            0x00001064
 +#define CKM_JUNIPER_WRAP               0x00001065
 +#define CKM_FASTHASH                   0x00001070
 +
 +/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
 + * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
 + * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
 + * new for v2.11 */
 +#define CKM_AES_KEY_GEN                0x00001080
 +#define CKM_AES_ECB                    0x00001081
 +#define CKM_AES_CBC                    0x00001082
 +#define CKM_AES_MAC                    0x00001083
 +#define CKM_AES_MAC_GENERAL            0x00001084
 +#define CKM_AES_CBC_PAD                0x00001085
 +
 +/* BlowFish and TwoFish are new for v2.20 */
 +#define CKM_BLOWFISH_KEY_GEN           0x00001090
 +#define CKM_BLOWFISH_CBC               0x00001091
 +#define CKM_TWOFISH_KEY_GEN            0x00001092
 +#define CKM_TWOFISH_CBC                0x00001093
 +
 +
 +/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
 +#define CKM_DES_ECB_ENCRYPT_DATA       0x00001100
 +#define CKM_DES_CBC_ENCRYPT_DATA       0x00001101
 +#define CKM_DES3_ECB_ENCRYPT_DATA      0x00001102
 +#define CKM_DES3_CBC_ENCRYPT_DATA      0x00001103
 +#define CKM_AES_ECB_ENCRYPT_DATA       0x00001104
 +#define CKM_AES_CBC_ENCRYPT_DATA       0x00001105
 +
 +#define CKM_DSA_PARAMETER_GEN          0x00002000
 +#define CKM_DH_PKCS_PARAMETER_GEN      0x00002001
 +#define CKM_X9_42_DH_PARAMETER_GEN     0x00002002
 +
 +#define CKM_VENDOR_DEFINED             0x80000000
 +
 +typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
 +
 +
 +/* CK_MECHANISM is a structure that specifies a particular
 + * mechanism  */
 +typedef struct CK_MECHANISM {
 +  CK_MECHANISM_TYPE mechanism;
 +  CK_VOID_PTR       pParameter;
 +
 +  /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
 +   * v2.0 */
 +  CK_ULONG          ulParameterLen;  /* in bytes */
 +} CK_MECHANISM;
 +
 +typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
 +
 +
 +/* CK_MECHANISM_INFO provides information about a particular
 + * mechanism */
 +typedef struct CK_MECHANISM_INFO {
 +    CK_ULONG    ulMinKeySize;
 +    CK_ULONG    ulMaxKeySize;
 +    CK_FLAGS    flags;
 +} CK_MECHANISM_INFO;
 +
 +/* The flags are defined as follows:
 + *      Bit Flag               Mask        Meaning */
 +#define CKF_HW                 0x00000001  /* performed by HW */
 +
 +/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
 + * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
 + * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
 + * and CKF_DERIVE are new for v2.0.  They specify whether or not
 + * a mechanism can be used for a particular task */
 +#define CKF_ENCRYPT            0x00000100
 +#define CKF_DECRYPT            0x00000200
 +#define CKF_DIGEST             0x00000400
 +#define CKF_SIGN               0x00000800
 +#define CKF_SIGN_RECOVER       0x00001000
 +#define CKF_VERIFY             0x00002000
 +#define CKF_VERIFY_RECOVER     0x00004000
 +#define CKF_GENERATE           0x00008000
 +#define CKF_GENERATE_KEY_PAIR  0x00010000
 +#define CKF_WRAP               0x00020000
 +#define CKF_UNWRAP             0x00040000
 +#define CKF_DERIVE             0x00080000
 +
 +/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
 + * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
 + * describe a token's EC capabilities not available in mechanism
 + * information. */
 +#define CKF_EC_F_P             0x00100000
 +#define CKF_EC_F_2M            0x00200000
 +#define CKF_EC_ECPARAMETERS    0x00400000
 +#define CKF_EC_NAMEDCURVE      0x00800000
 +#define CKF_EC_UNCOMPRESS      0x01000000
 +#define CKF_EC_COMPRESS        0x02000000
 +
 +#define CKF_EXTENSION          0x80000000 /* FALSE for this version */
 +
 +typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
 +
 +
 +/* CK_RV is a value that identifies the return value of a
 + * Cryptoki function */
 +/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
 +typedef CK_ULONG          CK_RV;
 +
 +#define CKR_OK                                0x00000000
 +#define CKR_CANCEL                            0x00000001
 +#define CKR_HOST_MEMORY                       0x00000002
 +#define CKR_SLOT_ID_INVALID                   0x00000003
 +
 +/* CKR_FLAGS_INVALID was removed for v2.0 */
 +
 +/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
 +#define CKR_GENERAL_ERROR                     0x00000005
 +#define CKR_FUNCTION_FAILED                   0x00000006
 +
 +/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
 + * and CKR_CANT_LOCK are new for v2.01 */
 +#define CKR_ARGUMENTS_BAD                     0x00000007
 +#define CKR_NO_EVENT                          0x00000008
 +#define CKR_NEED_TO_CREATE_THREADS            0x00000009
 +#define CKR_CANT_LOCK                         0x0000000A
 +
 +#define CKR_ATTRIBUTE_READ_ONLY               0x00000010
 +#define CKR_ATTRIBUTE_SENSITIVE               0x00000011
 +#define CKR_ATTRIBUTE_TYPE_INVALID            0x00000012
 +#define CKR_ATTRIBUTE_VALUE_INVALID           0x00000013
 +#define CKR_DATA_INVALID                      0x00000020
 +#define CKR_DATA_LEN_RANGE                    0x00000021
 +#define CKR_DEVICE_ERROR                      0x00000030
 +#define CKR_DEVICE_MEMORY                     0x00000031
 +#define CKR_DEVICE_REMOVED                    0x00000032
 +#define CKR_ENCRYPTED_DATA_INVALID            0x00000040
 +#define CKR_ENCRYPTED_DATA_LEN_RANGE          0x00000041
 +#define CKR_FUNCTION_CANCELED                 0x00000050
 +#define CKR_FUNCTION_NOT_PARALLEL             0x00000051
 +
 +/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
 +#define CKR_FUNCTION_NOT_SUPPORTED            0x00000054
 +
 +#define CKR_KEY_HANDLE_INVALID                0x00000060
 +
 +/* CKR_KEY_SENSITIVE was removed for v2.0 */
 +
 +#define CKR_KEY_SIZE_RANGE                    0x00000062
 +#define CKR_KEY_TYPE_INCONSISTENT             0x00000063
 +
 +/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
 + * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
 + * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
 + * v2.0 */
 +#define CKR_KEY_NOT_NEEDED                    0x00000064
 +#define CKR_KEY_CHANGED                       0x00000065
 +#define CKR_KEY_NEEDED                        0x00000066
 +#define CKR_KEY_INDIGESTIBLE                  0x00000067
 +#define CKR_KEY_FUNCTION_NOT_PERMITTED        0x00000068
 +#define CKR_KEY_NOT_WRAPPABLE                 0x00000069
 +#define CKR_KEY_UNEXTRACTABLE                 0x0000006A
 +
 +#define CKR_MECHANISM_INVALID                 0x00000070
 +#define CKR_MECHANISM_PARAM_INVALID           0x00000071
 +
 +/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
 + * were removed for v2.0 */
 +#define CKR_OBJECT_HANDLE_INVALID             0x00000082
 +#define CKR_OPERATION_ACTIVE                  0x00000090
 +#define CKR_OPERATION_NOT_INITIALIZED         0x00000091
 +#define CKR_PIN_INCORRECT                     0x000000A0
 +#define CKR_PIN_INVALID                       0x000000A1
 +#define CKR_PIN_LEN_RANGE                     0x000000A2
 +
 +/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
 +#define CKR_PIN_EXPIRED                       0x000000A3
 +#define CKR_PIN_LOCKED                        0x000000A4
 +
 +#define CKR_SESSION_CLOSED                    0x000000B0
 +#define CKR_SESSION_COUNT                     0x000000B1
 +#define CKR_SESSION_HANDLE_INVALID            0x000000B3
 +#define CKR_SESSION_PARALLEL_NOT_SUPPORTED    0x000000B4
 +#define CKR_SESSION_READ_ONLY                 0x000000B5
 +#define CKR_SESSION_EXISTS                    0x000000B6
 +
 +/* CKR_SESSION_READ_ONLY_EXISTS and
 + * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
 +#define CKR_SESSION_READ_ONLY_EXISTS          0x000000B7
 +#define CKR_SESSION_READ_WRITE_SO_EXISTS      0x000000B8
 +
 +#define CKR_SIGNATURE_INVALID                 0x000000C0
 +#define CKR_SIGNATURE_LEN_RANGE               0x000000C1
 +#define CKR_TEMPLATE_INCOMPLETE               0x000000D0
 +#define CKR_TEMPLATE_INCONSISTENT             0x000000D1
 +#define CKR_TOKEN_NOT_PRESENT                 0x000000E0
 +#define CKR_TOKEN_NOT_RECOGNIZED              0x000000E1
 +#define CKR_TOKEN_WRITE_PROTECTED             0x000000E2
 +#define CKR_UNWRAPPING_KEY_HANDLE_INVALID     0x000000F0
 +#define CKR_UNWRAPPING_KEY_SIZE_RANGE         0x000000F1
 +#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT  0x000000F2
 +#define CKR_USER_ALREADY_LOGGED_IN            0x00000100
 +#define CKR_USER_NOT_LOGGED_IN                0x00000101
 +#define CKR_USER_PIN_NOT_INITIALIZED          0x00000102
 +#define CKR_USER_TYPE_INVALID                 0x00000103
 +
 +/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
 + * are new to v2.01 */
 +#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN    0x00000104
 +#define CKR_USER_TOO_MANY_TYPES               0x00000105
 +
 +#define CKR_WRAPPED_KEY_INVALID               0x00000110
 +#define CKR_WRAPPED_KEY_LEN_RANGE             0x00000112
 +#define CKR_WRAPPING_KEY_HANDLE_INVALID       0x00000113
 +#define CKR_WRAPPING_KEY_SIZE_RANGE           0x00000114
 +#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT    0x00000115
 +#define CKR_RANDOM_SEED_NOT_SUPPORTED         0x00000120
 +
 +/* These are new to v2.0 */
 +#define CKR_RANDOM_NO_RNG                     0x00000121
 +
 +/* These are new to v2.11 */
 +#define CKR_DOMAIN_PARAMS_INVALID             0x00000130
 +
 +/* These are new to v2.0 */
 +#define CKR_BUFFER_TOO_SMALL                  0x00000150
 +#define CKR_SAVED_STATE_INVALID               0x00000160
 +#define CKR_INFORMATION_SENSITIVE             0x00000170
 +#define CKR_STATE_UNSAVEABLE                  0x00000180
 +
 +/* These are new to v2.01 */
 +#define CKR_CRYPTOKI_NOT_INITIALIZED          0x00000190
 +#define CKR_CRYPTOKI_ALREADY_INITIALIZED      0x00000191
 +#define CKR_MUTEX_BAD                         0x000001A0
 +#define CKR_MUTEX_NOT_LOCKED                  0x000001A1
 +
 +/* This is new to v2.20 */
 +#define CKR_FUNCTION_REJECTED                 0x00000200
 +
 +#define CKR_VENDOR_DEFINED                    0x80000000
 +
 +
 +/* CK_NOTIFY is an application callback that processes events */
 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
 +  CK_SESSION_HANDLE hSession,     /* the session's handle */
 +  CK_NOTIFICATION   event,
 +  CK_VOID_PTR       pApplication  /* passed to C_OpenSession */
 +);
 +
 +
 +/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
 + * version and pointers of appropriate types to all the
 + * Cryptoki functions */
 +/* CK_FUNCTION_LIST is new for v2.0 */
 +typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
 +
 +typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
 +
 +typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
 +
 +
 +/* CK_CREATEMUTEX is an application callback for creating a
 + * mutex object */
 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
 +  CK_VOID_PTR_PTR ppMutex  /* location to receive ptr to mutex */
 +);
 +
 +
 +/* CK_DESTROYMUTEX is an application callback for destroying a
 + * mutex object */
 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
 +  CK_VOID_PTR pMutex  /* pointer to mutex */
 +);
 +
 +
 +/* CK_LOCKMUTEX is an application callback for locking a mutex */
 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
 +  CK_VOID_PTR pMutex  /* pointer to mutex */
 +);
 +
 +
 +/* CK_UNLOCKMUTEX is an application callback for unlocking a
 + * mutex */
 +typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
 +  CK_VOID_PTR pMutex  /* pointer to mutex */
 +);
 +
 +
 +/* CK_C_INITIALIZE_ARGS provides the optional arguments to
 + * C_Initialize */
 +typedef struct CK_C_INITIALIZE_ARGS {
 +  CK_CREATEMUTEX CreateMutex;
 +  CK_DESTROYMUTEX DestroyMutex;
 +  CK_LOCKMUTEX LockMutex;
 +  CK_UNLOCKMUTEX UnlockMutex;
 +  CK_FLAGS flags;
 +  CK_VOID_PTR pReserved;
 +} CK_C_INITIALIZE_ARGS;
 +
 +/* flags: bit flags that provide capabilities of the slot
 + *      Bit Flag                           Mask       Meaning
 + */
 +#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
 +#define CKF_OS_LOCKING_OK                  0x00000002
 +
 +typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
 +
 +
 +/* additional flags for parameters to functions */
 +
 +/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
 +#define CKF_DONT_BLOCK     1
 +
 +/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
 + * CK_RSA_PKCS_OAEP_MGF_TYPE  is used to indicate the Message
 + * Generation Function (MGF) applied to a message block when
 + * formatting a message block for the PKCS #1 OAEP encryption
 + * scheme. */
 +typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
 +
 +typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
 +
 +/* The following MGFs are defined */
 +/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
 + * are new for v2.20 */
 +#define CKG_MGF1_SHA1         0x00000001
 +#define CKG_MGF1_SHA256       0x00000002
 +#define CKG_MGF1_SHA384       0x00000003
 +#define CKG_MGF1_SHA512       0x00000004
 +
 +/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
 + * CK_RSA_PKCS_OAEP_SOURCE_TYPE  is used to indicate the source
 + * of the encoding parameter when formatting a message block
 + * for the PKCS #1 OAEP encryption scheme. */
 +typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
 +
 +typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
 +
 +/* The following encoding parameter sources are defined */
 +#define CKZ_DATA_SPECIFIED    0x00000001
 +
 +/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
 + * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
 + * CKM_RSA_PKCS_OAEP mechanism. */
 +typedef struct CK_RSA_PKCS_OAEP_PARAMS {
 +        CK_MECHANISM_TYPE hashAlg;
 +        CK_RSA_PKCS_MGF_TYPE mgf;
 +        CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
 +        CK_VOID_PTR pSourceData;
 +        CK_ULONG ulSourceDataLen;
 +} CK_RSA_PKCS_OAEP_PARAMS;
 +
 +typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
 +
 +/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
 + * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
 + * CKM_RSA_PKCS_PSS mechanism(s). */
 +typedef struct CK_RSA_PKCS_PSS_PARAMS {
 +        CK_MECHANISM_TYPE    hashAlg;
 +        CK_RSA_PKCS_MGF_TYPE mgf;
 +        CK_ULONG             sLen;
 +} CK_RSA_PKCS_PSS_PARAMS;
 +
 +typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
 +
 +/* CK_EC_KDF_TYPE is new for v2.11. */
 +typedef CK_ULONG CK_EC_KDF_TYPE;
 +
 +/* The following EC Key Derivation Functions are defined */
 +#define CKD_NULL                 0x00000001
 +#define CKD_SHA1_KDF             0x00000002
 +
 +/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
 + * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
 + * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
 + * where each party contributes one key pair.
 + */
 +typedef struct CK_ECDH1_DERIVE_PARAMS {
 +  CK_EC_KDF_TYPE kdf;
 +  CK_ULONG ulSharedDataLen;
 +  CK_BYTE_PTR pSharedData;
 +  CK_ULONG ulPublicDataLen;
 +  CK_BYTE_PTR pPublicData;
 +} CK_ECDH1_DERIVE_PARAMS;
 +
 +typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
 +
 +
 +/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
 + * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
 + * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
 +typedef struct CK_ECDH2_DERIVE_PARAMS {
 +  CK_EC_KDF_TYPE kdf;
 +  CK_ULONG ulSharedDataLen;
 +  CK_BYTE_PTR pSharedData;
 +  CK_ULONG ulPublicDataLen;
 +  CK_BYTE_PTR pPublicData;
 +  CK_ULONG ulPrivateDataLen;
 +  CK_OBJECT_HANDLE hPrivateData;
 +  CK_ULONG ulPublicDataLen2;
 +  CK_BYTE_PTR pPublicData2;
 +} CK_ECDH2_DERIVE_PARAMS;
 +
 +typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
 +
 +typedef struct CK_ECMQV_DERIVE_PARAMS {
 +  CK_EC_KDF_TYPE kdf;
 +  CK_ULONG ulSharedDataLen;
 +  CK_BYTE_PTR pSharedData;
 +  CK_ULONG ulPublicDataLen;
 +  CK_BYTE_PTR pPublicData;
 +  CK_ULONG ulPrivateDataLen;
 +  CK_OBJECT_HANDLE hPrivateData;
 +  CK_ULONG ulPublicDataLen2;
 +  CK_BYTE_PTR pPublicData2;
 +  CK_OBJECT_HANDLE publicKey;
 +} CK_ECMQV_DERIVE_PARAMS;
 +
 +typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
 +
 +/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
 + * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
 +typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
 +typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
 +
 +/* The following X9.42 DH key derivation functions are defined
 +   (besides CKD_NULL already defined : */
 +#define CKD_SHA1_KDF_ASN1        0x00000003
 +#define CKD_SHA1_KDF_CONCATENATE 0x00000004
 +
 +/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
 + * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
 + * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
 + * contributes one key pair */
 +typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
 +  CK_X9_42_DH_KDF_TYPE kdf;
 +  CK_ULONG ulOtherInfoLen;
 +  CK_BYTE_PTR pOtherInfo;
 +  CK_ULONG ulPublicDataLen;
 +  CK_BYTE_PTR pPublicData;
 +} CK_X9_42_DH1_DERIVE_PARAMS;
 +
 +typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
 +
 +/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
 + * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
 + * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
 + * mechanisms, where each party contributes two key pairs */
 +typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
 +  CK_X9_42_DH_KDF_TYPE kdf;
 +  CK_ULONG ulOtherInfoLen;
 +  CK_BYTE_PTR pOtherInfo;
 +  CK_ULONG ulPublicDataLen;
 +  CK_BYTE_PTR pPublicData;
 +  CK_ULONG ulPrivateDataLen;
 +  CK_OBJECT_HANDLE hPrivateData;
 +  CK_ULONG ulPublicDataLen2;
 +  CK_BYTE_PTR pPublicData2;
 +} CK_X9_42_DH2_DERIVE_PARAMS;
 +
 +typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
 +
 +typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
 +  CK_X9_42_DH_KDF_TYPE kdf;
 +  CK_ULONG ulOtherInfoLen;
 +  CK_BYTE_PTR pOtherInfo;
 +  CK_ULONG ulPublicDataLen;
 +  CK_BYTE_PTR pPublicData;
 +  CK_ULONG ulPrivateDataLen;
 +  CK_OBJECT_HANDLE hPrivateData;
 +  CK_ULONG ulPublicDataLen2;
 +  CK_BYTE_PTR pPublicData2;
 +  CK_OBJECT_HANDLE publicKey;
 +} CK_X9_42_MQV_DERIVE_PARAMS;
 +
 +typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
 +
 +/* CK_KEA_DERIVE_PARAMS provides the parameters to the
 + * CKM_KEA_DERIVE mechanism */
 +/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
 +typedef struct CK_KEA_DERIVE_PARAMS {
 +  CK_BBOOL      isSender;
 +  CK_ULONG      ulRandomLen;
 +  CK_BYTE_PTR   pRandomA;
 +  CK_BYTE_PTR   pRandomB;
 +  CK_ULONG      ulPublicDataLen;
 +  CK_BYTE_PTR   pPublicData;
 +} CK_KEA_DERIVE_PARAMS;
 +
 +typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
 +
 +
 +/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
 + * CKM_RC2_MAC mechanisms.  An instance of CK_RC2_PARAMS just
 + * holds the effective keysize */
 +typedef CK_ULONG          CK_RC2_PARAMS;
 +
 +typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
 +
 +
 +/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
 + * mechanism */
 +typedef struct CK_RC2_CBC_PARAMS {
 +  /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
 +   * v2.0 */
 +  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
 +
 +  CK_BYTE       iv[8];            /* IV for CBC mode */
 +} CK_RC2_CBC_PARAMS;
 +
 +typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
 +
 +
 +/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
 + * CKM_RC2_MAC_GENERAL mechanism */
 +/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
 +typedef struct CK_RC2_MAC_GENERAL_PARAMS {
 +  CK_ULONG      ulEffectiveBits;  /* effective bits (1-1024) */
 +  CK_ULONG      ulMacLength;      /* Length of MAC in bytes */
 +} CK_RC2_MAC_GENERAL_PARAMS;
 +
 +typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
 +  CK_RC2_MAC_GENERAL_PARAMS_PTR;
 +
 +
 +/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
 + * CKM_RC5_MAC mechanisms */
 +/* CK_RC5_PARAMS is new for v2.0 */
 +typedef struct CK_RC5_PARAMS {
 +  CK_ULONG      ulWordsize;  /* wordsize in bits */
 +  CK_ULONG      ulRounds;    /* number of rounds */
 +} CK_RC5_PARAMS;
 +
 +typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
 +
 +
 +/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
 + * mechanism */
 +/* CK_RC5_CBC_PARAMS is new for v2.0 */
 +typedef struct CK_RC5_CBC_PARAMS {
 +  CK_ULONG      ulWordsize;  /* wordsize in bits */
 +  CK_ULONG      ulRounds;    /* number of rounds */
 +  CK_BYTE_PTR   pIv;         /* pointer to IV */
 +  CK_ULONG      ulIvLen;     /* length of IV in bytes */
 +} CK_RC5_CBC_PARAMS;
 +
 +typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
 +
 +
 +/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
 + * CKM_RC5_MAC_GENERAL mechanism */
 +/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
 +typedef struct CK_RC5_MAC_GENERAL_PARAMS {
 +  CK_ULONG      ulWordsize;   /* wordsize in bits */
 +  CK_ULONG      ulRounds;     /* number of rounds */
 +  CK_ULONG      ulMacLength;  /* Length of MAC in bytes */
 +} CK_RC5_MAC_GENERAL_PARAMS;
 +
 +typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
 +  CK_RC5_MAC_GENERAL_PARAMS_PTR;
 +
 +
 +/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
 + * ciphers' MAC_GENERAL mechanisms.  Its value is the length of
 + * the MAC */
 +/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
 +typedef CK_ULONG          CK_MAC_GENERAL_PARAMS;
 +
 +typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
 +
 +/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
 +typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
 +  CK_BYTE      iv[8];
 +  CK_BYTE_PTR  pData;
 +  CK_ULONG     length;
 +} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
 +
 +typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
 +
 +typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
 +  CK_BYTE      iv[16];
 +  CK_BYTE_PTR  pData;
 +  CK_ULONG     length;
 +} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
 +
 +typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
 +
 +/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
 + * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
 +/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
 +typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
 +  CK_ULONG      ulPasswordLen;
 +  CK_BYTE_PTR   pPassword;
 +  CK_ULONG      ulPublicDataLen;
 +  CK_BYTE_PTR   pPublicData;
 +  CK_ULONG      ulPAndGLen;
 +  CK_ULONG      ulQLen;
 +  CK_ULONG      ulRandomLen;
 +  CK_BYTE_PTR   pRandomA;
 +  CK_BYTE_PTR   pPrimeP;
 +  CK_BYTE_PTR   pBaseG;
 +  CK_BYTE_PTR   pSubprimeQ;
 +} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
 +
 +typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
 +  CK_SKIPJACK_PRIVATE_WRAP_PTR;
 +
 +
 +/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
 + * CKM_SKIPJACK_RELAYX mechanism */
 +/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
 +typedef struct CK_SKIPJACK_RELAYX_PARAMS {
 +  CK_ULONG      ulOldWrappedXLen;
 +  CK_BYTE_PTR   pOldWrappedX;
 +  CK_ULONG      ulOldPasswordLen;
 +  CK_BYTE_PTR   pOldPassword;
 +  CK_ULONG      ulOldPublicDataLen;
 +  CK_BYTE_PTR   pOldPublicData;
 +  CK_ULONG      ulOldRandomLen;
 +  CK_BYTE_PTR   pOldRandomA;
 +  CK_ULONG      ulNewPasswordLen;
 +  CK_BYTE_PTR   pNewPassword;
 +  CK_ULONG      ulNewPublicDataLen;
 +  CK_BYTE_PTR   pNewPublicData;
 +  CK_ULONG      ulNewRandomLen;
 +  CK_BYTE_PTR   pNewRandomA;
 +} CK_SKIPJACK_RELAYX_PARAMS;
 +
 +typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
 +  CK_SKIPJACK_RELAYX_PARAMS_PTR;
 +
 +
 +typedef struct CK_PBE_PARAMS {
 +  CK_BYTE_PTR      pInitVector;
 +  CK_UTF8CHAR_PTR  pPassword;
 +  CK_ULONG         ulPasswordLen;
 +  CK_BYTE_PTR      pSalt;
 +  CK_ULONG         ulSaltLen;
 +  CK_ULONG         ulIteration;
 +} CK_PBE_PARAMS;
 +
 +typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
 +
 +
 +/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
 + * CKM_KEY_WRAP_SET_OAEP mechanism */
 +/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
 +typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
 +  CK_BYTE       bBC;     /* block contents byte */
 +  CK_BYTE_PTR   pX;      /* extra data */
 +  CK_ULONG      ulXLen;  /* length of extra data in bytes */
 +} CK_KEY_WRAP_SET_OAEP_PARAMS;
 +
 +typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
 +  CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
 +
 +
 +typedef struct CK_SSL3_RANDOM_DATA {
 +  CK_BYTE_PTR  pClientRandom;
 +  CK_ULONG     ulClientRandomLen;
 +  CK_BYTE_PTR  pServerRandom;
 +  CK_ULONG     ulServerRandomLen;
 +} CK_SSL3_RANDOM_DATA;
 +
 +
 +typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
 +  CK_SSL3_RANDOM_DATA RandomInfo;
 +  CK_VERSION_PTR pVersion;
 +} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
 +
 +typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
 +  CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
 +
 +
 +typedef struct CK_SSL3_KEY_MAT_OUT {
 +  CK_OBJECT_HANDLE hClientMacSecret;
 +  CK_OBJECT_HANDLE hServerMacSecret;
 +  CK_OBJECT_HANDLE hClientKey;
 +  CK_OBJECT_HANDLE hServerKey;
 +  CK_BYTE_PTR      pIVClient;
 +  CK_BYTE_PTR      pIVServer;
 +} CK_SSL3_KEY_MAT_OUT;
 +
 +typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
 +
 +
 +typedef struct CK_SSL3_KEY_MAT_PARAMS {
 +  CK_ULONG                ulMacSizeInBits;
 +  CK_ULONG                ulKeySizeInBits;
 +  CK_ULONG                ulIVSizeInBits;
 +  CK_BBOOL                bIsExport;
 +  CK_SSL3_RANDOM_DATA     RandomInfo;
 +  CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
 +} CK_SSL3_KEY_MAT_PARAMS;
 +
 +typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
 +
 +/* CK_TLS_PRF_PARAMS is new for version 2.20 */
 +typedef struct CK_TLS_PRF_PARAMS {
 +  CK_BYTE_PTR  pSeed;
 +  CK_ULONG     ulSeedLen;
 +  CK_BYTE_PTR  pLabel;
 +  CK_ULONG     ulLabelLen;
 +  CK_BYTE_PTR  pOutput;
 +  CK_ULONG_PTR pulOutputLen;
 +} CK_TLS_PRF_PARAMS;
 +
 +typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
 +
 +/* WTLS is new for version 2.20 */
 +typedef struct CK_WTLS_RANDOM_DATA {
 +  CK_BYTE_PTR pClientRandom;
 +  CK_ULONG    ulClientRandomLen;
 +  CK_BYTE_PTR pServerRandom;
 +  CK_ULONG    ulServerRandomLen;
 +} CK_WTLS_RANDOM_DATA;
 +
 +typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
 +
 +typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
 +  CK_MECHANISM_TYPE   DigestMechanism;
 +  CK_WTLS_RANDOM_DATA RandomInfo;
 +  CK_BYTE_PTR         pVersion;
 +} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
 +
 +typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
 +  CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
 +
 +typedef struct CK_WTLS_PRF_PARAMS {
 +  CK_MECHANISM_TYPE DigestMechanism;
 +  CK_BYTE_PTR       pSeed;
 +  CK_ULONG          ulSeedLen;
 +  CK_BYTE_PTR       pLabel;
 +  CK_ULONG          ulLabelLen;
 +  CK_BYTE_PTR       pOutput;
 +  CK_ULONG_PTR      pulOutputLen;
 +} CK_WTLS_PRF_PARAMS;
 +
 +typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
 +
 +typedef struct CK_WTLS_KEY_MAT_OUT {
 +  CK_OBJECT_HANDLE hMacSecret;
 +  CK_OBJECT_HANDLE hKey;
 +  CK_BYTE_PTR      pIV;
 +} CK_WTLS_KEY_MAT_OUT;
 +
 +typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
 +
 +typedef struct CK_WTLS_KEY_MAT_PARAMS {
 +  CK_MECHANISM_TYPE       DigestMechanism;
 +  CK_ULONG                ulMacSizeInBits;
 +  CK_ULONG                ulKeySizeInBits;
 +  CK_ULONG                ulIVSizeInBits;
 +  CK_ULONG                ulSequenceNumber;
 +  CK_BBOOL                bIsExport;
 +  CK_WTLS_RANDOM_DATA     RandomInfo;
 +  CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
 +} CK_WTLS_KEY_MAT_PARAMS;
 +
 +typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
 +
 +/* CMS is new for version 2.20 */
 +typedef struct CK_CMS_SIG_PARAMS {
 +  CK_OBJECT_HANDLE      certificateHandle;
 +  CK_MECHANISM_PTR      pSigningMechanism;
 +  CK_MECHANISM_PTR      pDigestMechanism;
 +  CK_UTF8CHAR_PTR       pContentType;
 +  CK_BYTE_PTR           pRequestedAttributes;
 +  CK_ULONG              ulRequestedAttributesLen;
 +  CK_BYTE_PTR           pRequiredAttributes;
 +  CK_ULONG              ulRequiredAttributesLen;
 +} CK_CMS_SIG_PARAMS;
 +
 +typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
 +
 +typedef struct CK_KEY_DERIVATION_STRING_DATA {
 +  CK_BYTE_PTR pData;
 +  CK_ULONG    ulLen;
 +} CK_KEY_DERIVATION_STRING_DATA;
 +
 +typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
 +  CK_KEY_DERIVATION_STRING_DATA_PTR;
 +
 +
 +/* The CK_EXTRACT_PARAMS is used for the
 + * CKM_EXTRACT_KEY_FROM_KEY mechanism.  It specifies which bit
 + * of the base key should be used as the first bit of the
 + * derived key */
 +/* CK_EXTRACT_PARAMS is new for v2.0 */
 +typedef CK_ULONG CK_EXTRACT_PARAMS;
 +
 +typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
 +
 +/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
 + * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
 + * indicate the Pseudo-Random Function (PRF) used to generate
 + * key bits using PKCS #5 PBKDF2. */
 +typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
 +
 +typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
 +
 +/* The following PRFs are defined in PKCS #5 v2.0. */
 +#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
 +
 +
 +/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
 + * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
 + * source of the salt value when deriving a key using PKCS #5
 + * PBKDF2. */
 +typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
 +
 +typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
 +
 +/* The following salt value sources are defined in PKCS #5 v2.0. */
 +#define CKZ_SALT_SPECIFIED        0x00000001
 +
 +/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
 + * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
 + * parameters to the CKM_PKCS5_PBKD2 mechanism. */
 +typedef struct CK_PKCS5_PBKD2_PARAMS {
 +        CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE           saltSource;
 +        CK_VOID_PTR                                pSaltSourceData;
 +        CK_ULONG                                   ulSaltSourceDataLen;
 +        CK_ULONG                                   iterations;
 +        CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
 +        CK_VOID_PTR                                pPrfData;
 +        CK_ULONG                                   ulPrfDataLen;
 +        CK_UTF8CHAR_PTR                            pPassword;
 +        CK_ULONG_PTR                               ulPasswordLen;
 +} CK_PKCS5_PBKD2_PARAMS;
 +
 +typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
 +
 +#endif
 diff -urNp openssh-4.4p1/pkcs11-helper.c openssh-4.4p1+pkcs11-0.17/pkcs11-helper.c
 --- openssh-4.4p1/pkcs11-helper.c   1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/pkcs11-helper.c   2006-10-22 17:11:50.000000000 +0200
 @@ -0,0 +1,11337 @@
 +/*
 + * Copyright (c) 2005-2006 Alon Bar-Lev <alon.barlev@gmail.com>
 + * All rights reserved.
 + *
 + * This software is available to you under a choice of one of two
 + * licenses.  You may choose to be licensed under the terms of the GNU
 + * General Public License (GPL) Version 2, or the OpenIB.org BSD license.
 + *
 + * GNU General Public License (GPL) Version 2
 + * ===========================================
 + *  This program is free software; you can redistribute it and/or modify
 + *  it under the terms of the GNU General Public License version 2
 + *  as published by the Free Software Foundation.
 + *
 + *  This program is distributed in the hope that it will be useful,
 + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + *  GNU General Public License for more details.
 + *
 + *  You should have received a copy of the GNU General Public License
 + *  along with this program (see the file COPYING[.GPL2] included with this
 + *  distribution); if not, write to the Free Software Foundation, Inc.,
 + *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 + *
 + * OpenIB.org BSD license
 + * =======================
 + * Redistribution and use in source and binary forms, with or without modifi-
 + * cation, are permitted provided that the following conditions are met:
 + *
 + *   o  Redistributions of source code must retain the above copyright notice,
 + *      this list of conditions and the following disclaimer.
 + *
 + *   o  Redistributions in binary form must reproduce the above copyright no-
 + *      tice, this list of conditions and the following disclaimer in the do-
 + *      cumentation and/or other materials provided with the distribution.
 + *
 + *   o  The names of the contributors may not be used to endorse or promote
 + *      products derived from this software without specific prior written
 + *      permission.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LI-
 + * ABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUEN-
 + * TIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEV-
 + * ER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABI-
 + * LITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
 + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
 +
 +/*
 + * The routines in this file deal with providing private key cryptography
 + * using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
 + *
 + */
 +
 +/*
 + * Changelog
 + *
 + * 2006.09.24
 + *     - (alonbl) Fix invalid certificate max size handling (Zeljko Vrba).
 + *     - (alonbl) Added object serialization.
 + *     - (alonbl) Added user data to hooks.
 + *     - (alonbl) Added a force login method.
 + *     - (alonbl) Added support for gnutls in addition to openssl.
 + *     - (alonbl) Fixup threading lock issues.
 + *     - (alonbl) Added support for duplicate serial tokens, based on label.
 + *     - (alonbl) Added workaround for OpenSC cards, OpenSC bug#108, thanks to Kaupo Arulo.
 + *     - (alonbl) Added a methods to lock session between two sign/decrypt operations.
 + *     - (alonbl) Modified openssl interface.
 + *     - (alonbl) Release 01.02.
 + *
 + * 2006.06.26
 + *     - (alonbl) Fix handling mutiple providers.
 + *     - (alonbl) Release 01.01.
 + *
 + * 2006.05.14
 + *     - (alonbl) First stable release.
 + *     - (alonbl) Release 01.00.
 + *
 + */
 +
 +#include "pkcs11-helper-config.h"
 +
 +#if defined(ENABLE_PKCS11H_HELPER)
 +
 +#include "pkcs11-helper.h"
 +
 +/*===========================================
 + * Constants
 + */
 +
 +#if defined(USE_PKCS11H_OPENSSL)
 +
 +#if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE)
 +# define RSA_get_default_method RSA_get_default_openssl_method
 +#else
 +# ifdef HAVE_ENGINE_GET_DEFAULT_RSA
 +#  include <openssl/engine.h>
 +#  if OPENSSL_VERSION_NUMBER < 0x0090704fL
 +#   define BROKEN_OPENSSL_ENGINE
 +#  endif
 +# endif
 +#endif
 +
 +#if OPENSSL_VERSION_NUMBER < 0x00907000L
 +#if !defined(RSA_PKCS1_PADDING_SIZE)
 +#define RSA_PKCS1_PADDING_SIZE 11
 +#endif
 +#endif
 +
 +#endif
 +
 +#define PKCS11H_INVALID_SLOT_ID        ((CK_SLOT_ID)-1)
 +#define PKCS11H_INVALID_SESSION_HANDLE ((CK_SESSION_HANDLE)-1)
 +#define PKCS11H_INVALID_OBJECT_HANDLE  ((CK_OBJECT_HANDLE)-1)
 +
 +#define PKCS11H_DEFAULT_SLOTEVENT_POLL     5000
 +#define PKCS11H_DEFAULT_MAX_LOGIN_RETRY        3
 +#define PKCS11H_DEFAULT_PIN_CACHE_PERIOD   PKCS11H_PIN_CACHE_INFINITE
 +
 +#define PKCS11H_SERIALIZE_INVALID_CHARS    "\\/\"'%&#@!?$* <>{}[]()`|"
 +
 +enum _pkcs11h_private_op_e {
 +   _pkcs11h_private_op_sign=0,
 +   _pkcs11h_private_op_sign_recover,
 +   _pkcs11h_private_op_decrypt
 +};
 +
 +/*===========================================
 + * Macros
 + */
 +
 +#define PKCS11H_MSG_LEVEL_TEST(flags) (((unsigned int)flags) <= s_pkcs11h_loglevel)
 +
 +#if defined(HAVE_CPP_VARARG_MACRO_ISO) && !defined(__LCLINT__)
 +# define PKCS11H_LOG(flags, ...) do { if (PKCS11H_MSG_LEVEL_TEST(flags)) _pkcs11h_log((flags), __VA_ARGS__); } while
	(FALSE)
 +# ifdef ENABLE_PKCS11H_DEBUG
 +#  define PKCS11H_DEBUG(flags, ...) do { if (PKCS11H_MSG_LEVEL_TEST(flags)) _pkcs11h_log((flags), __VA_ARGS__); } while
	(FALSE)
 +# else
 +#  define PKCS11H_DEBUG(flags, ...)
 +# endif
 +#elif defined(HAVE_CPP_VARARG_MACRO_GCC) && !defined(__LCLINT__)
 +# define PKCS11H_LOG(flags, args...) do { if (PKCS11H_MSG_LEVEL_TEST(flags)) _pkcs11h_log((flags), args); } while
	(FALSE)
 +# ifdef ENABLE_PKCS11H_DEBUG
 +#  define PKCS11H_DEBUG(flags, args...) do { if (PKCS11H_MSG_LEVEL_TEST(flags)) _pkcs11h_log((flags), args); } while
	(FALSE)
 +# else
 +#  define PKCS11H_DEBUG(flags, args...)
 +# endif
 +#else
 +# define PKCS11H_LOG _pkcs11h_log
 +# define PKCS11H_DEBUG _pkcs11h_log
 +#endif
 +
 +/*===========================================
 + * Types
 + */
 +
 +struct pkcs11h_provider_s;
 +struct pkcs11h_session_s;
 +struct pkcs11h_data_s;
 +typedef struct pkcs11h_provider_s *pkcs11h_provider_t;
 +typedef struct pkcs11h_session_s *pkcs11h_session_t;
 +typedef struct pkcs11h_data_s *pkcs11h_data_t;
 +
 +#if defined(USE_PKCS11H_OPENSSL)
 +
 +#if OPENSSL_VERSION_NUMBER < 0x00908000L
 +typedef unsigned char *pkcs11_openssl_d2i_t;
 +#else
 +typedef const unsigned char *pkcs11_openssl_d2i_t;
 +#endif
 +
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +
 +#define PKCS11H_COND_INFINITE  0xffffffff
 +
 +#if defined(WIN32)
 +#define PKCS11H_THREAD_NULL    NULL
 +typedef HANDLE pkcs11h_cond_t;
 +typedef HANDLE pkcs11h_mutex_t;
 +typedef HANDLE pkcs11h_thread_t;
 +#else
 +#define PKCS11H_THREAD_NULL    0l
 +typedef pthread_mutex_t pkcs11h_mutex_t;
 +typedef pthread_t pkcs11h_thread_t;
 +
 +typedef struct {
 +   pthread_cond_t cond;
 +   pthread_mutex_t mut;
 +} pkcs11h_cond_t;
 +
 +typedef struct __pkcs11h_threading_mutex_entry_s {
 +   struct __pkcs11h_threading_mutex_entry_s *next;
 +   pkcs11h_mutex_t *p_mutex;
 +   PKCS11H_BOOL locked;
 +} *__pkcs11h_threading_mutex_entry_t;
 +#endif
 +
 +typedef void * (*pkcs11h_thread_start_t)(void *);
 +
 +typedef struct {
 +   pkcs11h_thread_start_t start;
 +   void *data;
 +} __pkcs11h_thread_data_t;
 +
 +#endif             /* ENABLE_PKCS11H_THREADING */
 +
 +struct pkcs11h_provider_s {
 +   pkcs11h_provider_t next;
 +
 +   PKCS11H_BOOL enabled;
 +   char reference[1024];
 +   char manufacturerID[sizeof (((CK_TOKEN_INFO *)NULL)->manufacturerID)+1];
 +   
 +#if defined(WIN32)
 +   HANDLE handle;
 +#else
 +   void *handle;
 +#endif
 +
 +   CK_FUNCTION_LIST_PTR f;
 +   PKCS11H_BOOL should_finalize;
 +   PKCS11H_BOOL allow_protected_auth;
 +   PKCS11H_BOOL cert_is_private;
 +   unsigned mask_sign_mode;
 +   int slot_event_method;
 +   int slot_poll_interval;
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +   pkcs11h_thread_t slotevent_thread;
 +#endif
 +};
 +
 +struct pkcs11h_session_s {
 +   pkcs11h_session_t next;
 +
 +   int reference_count;
 +   PKCS11H_BOOL valid;
 +
 +   pkcs11h_provider_t provider;
 +
 +   pkcs11h_token_id_t token_id;
 +
 +   CK_SESSION_HANDLE session_handle;
 +
 +   PKCS11H_BOOL allow_protected_auth_supported;
 +   int pin_cache_period;
 +   time_t pin_expire_time;
 +
 +#if defined(ENABLE_PKCS11H_ENUM)
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +   pkcs11h_certificate_id_list_t cached_certs;
 +   PKCS11H_BOOL touch;
 +#endif
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   pkcs11h_mutex_t mutex;
 +#endif
 +};
 +
 +#if defined (ENABLE_PKCS11H_CERTIFICATE)
 +
 +struct pkcs11h_certificate_s {
 +
 +   pkcs11h_certificate_id_t id;
 +   int pin_cache_period;
 +   PKCS11H_BOOL pin_cache_populated_to_session;
 +
 +   unsigned mask_sign_mode;
 +
 +   pkcs11h_session_t session;
 +   CK_OBJECT_HANDLE key_handle;
 +
 +   PKCS11H_BOOL operation_active;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   pkcs11h_mutex_t mutex;
 +#endif
 +
 +   unsigned mask_prompt;
 +   void * user_data;
 +};
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +struct pkcs11h_data_s {
 +   PKCS11H_BOOL initialized;
 +   int pin_cache_period;
 +
 +   pkcs11h_provider_t providers;
 +   pkcs11h_session_t sessions;
 +
 +   struct {
 +       void * log_data;
 +       void * slotevent_data;
 +       void * token_prompt_data;
 +       void * pin_prompt_data;
 +       pkcs11h_hook_log_t log;
 +       pkcs11h_hook_slotevent_t slotevent;
 +       pkcs11h_hook_token_prompt_t token_prompt;
 +       pkcs11h_hook_pin_prompt_t pin_prompt;
 +   } hooks;
 +
 +   PKCS11H_BOOL allow_protected_auth;
 +   unsigned max_retries;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   struct {
 +       pkcs11h_mutex_t global;
 +       pkcs11h_mutex_t session;
 +       pkcs11h_mutex_t cache;
 +   } mutexes;
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +   struct {
 +       PKCS11H_BOOL initialized;
 +       PKCS11H_BOOL should_terminate;
 +       PKCS11H_BOOL skip_event;
 +       pkcs11h_cond_t cond_event;
 +       pkcs11h_thread_t thread;
 +   } slotevent;
 +#endif
 +};
 +
 +#if defined(ENABLE_PKCS11H_OPENSSL)
 +struct pkcs11h_openssl_session_s {
 +   int reference_count;
 +   PKCS11H_BOOL initialized;
 +   X509 *x509;
 +   RSA_METHOD smart_rsa;
 +   int (*orig_finish)(RSA *rsa);
 +   pkcs11h_certificate_t certificate;
 +   pkcs11h_hook_openssl_cleanup_t cleanup_hook;
 +};
 +#endif
 +
 +/*======================================================================*
 + * MEMORY INTERFACE
 + *======================================================================*/
 +
 +static
 +CK_RV
 +_pkcs11h_mem_malloc (
 +   OUT const void * * const p,
 +   IN const size_t s
 +);
 +static
 +CK_RV
 +_pkcs11h_mem_free (
 +   IN const void * * const p
 +);
 +static
 +CK_RV
 +_pkcs11h_mem_strdup (
 +   OUT const char * * const dest,
 +   IN const char * const src
 +);
 +static
 +CK_RV
 +_pkcs11h_mem_duplicate (
 +   OUT const void * * const dest,
 +   OUT size_t * const dest_size,
 +   IN const void * const src,
 +   IN const size_t mem_size
 +);
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +/*======================================================================*
 + * THREADING INTERFACE
 + *======================================================================*/
 +
 +static
 +void
 +_pkcs11h_threading_sleep (
 +   IN const unsigned milli
 +);
 +static
 +CK_RV
 +_pkcs11h_threading_mutexInit (
 +   OUT pkcs11h_mutex_t * const mutex
 +);
 +static
 +CK_RV
 +_pkcs11h_threading_mutexLock (
 +   IN OUT pkcs11h_mutex_t *const mutex
 +);
 +static
 +CK_RV
 +_pkcs11h_threading_mutexRelease (
 +   IN OUT pkcs11h_mutex_t *const mutex
 +);
 +static
 +CK_RV
 +_pkcs11h_threading_mutexFree (
 +   IN OUT pkcs11h_mutex_t *const mutex
 +);
 +#if !defined(WIN32)
 +static
 +void
 +__pkcs1h_threading_mutexLockAll ();
 +static
 +void
 +__pkcs1h_threading_mutexReleaseAll ();
 +#endif
 +static
 +CK_RV
 +_pkcs11h_threading_condSignal (
 +   IN OUT pkcs11h_cond_t *const cond
 +);
 +static
 +CK_RV
 +_pkcs11h_threading_condInit (
 +   OUT pkcs11h_cond_t * const cond
 +);
 +static
 +CK_RV
 +_pkcs11h_threading_condWait (
 +   IN OUT pkcs11h_cond_t *const cond,
 +   IN const unsigned milli
 +);
 +static
 +CK_RV
 +_pkcs11h_threading_condFree (
 +   IN OUT pkcs11h_cond_t *const cond
 +);
 +static
 +CK_RV
 +_pkcs11h_threading_threadStart (
 +   OUT pkcs11h_thread_t * const thread,
 +   IN pkcs11h_thread_start_t const start,
 +   IN void * data
 +);
 +static
 +CK_RV
 +_pkcs11h_threading_threadJoin (
 +   IN pkcs11h_thread_t * const thread
 +);
 +#endif             /* ENABLE_PKCS11H_THREADING */
 +
 +/*======================================================================*
 + * COMMON INTERNAL INTERFACE
 + *======================================================================*/
 +
 +static
 +void
 +_pkcs11h_util_fixupFixedString (
 +   OUT char * const target,            /* MUST BE >= length+1 */
 +   IN const char * const source,
 +   IN const size_t length              /* FIXED STRING LENGTH */
 +);
 +static
 +CK_RV
 +_pkcs11h_util_hexToBinary (
 +   OUT unsigned char * const target,
 +   IN const char * const source,
 +   IN OUT size_t * const p_target_size
 +);
 +static
 +CK_RV
 +_pkcs11h_util_binaryToHex (
 +   OUT char * const target,
 +   IN const size_t target_size,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size
 +);
 +CK_RV
 +_pkcs11h_util_escapeString (
 +   IN OUT char * const target,
 +   IN const char * const source,
 +   IN size_t * const max,
 +   IN const char * const invalid_chars
 +);
 +static
 +CK_RV
 +_pkcs11h_util_unescapeString (
 +   IN OUT char * const target,
 +   IN const char * const source,
 +   IN size_t * const max
 +);
 +static
 +void
 +_pkcs11h_log (
 +   IN const unsigned flags,
 +   IN const char * const format,
 +   IN ...
 +)
 +#ifdef __GNUC__
 +    __attribute__ ((format (printf, 2, 3)))
 +#endif
 +    ;
 +
 +static
 +CK_RV
 +_pkcs11h_session_getSlotList (
 +   IN const pkcs11h_provider_t provider,
 +   IN const CK_BBOOL token_present,
 +   OUT CK_SLOT_ID_PTR * const pSlotList,
 +   OUT CK_ULONG_PTR pulCount
 +);
 +static
 +CK_RV
 +_pkcs11h_session_getObjectAttributes (
 +   IN const pkcs11h_session_t session,
 +   IN const CK_OBJECT_HANDLE object,
 +   IN OUT const CK_ATTRIBUTE_PTR attrs,
 +   IN const unsigned count
 +);
 +static
 +CK_RV
 +_pkcs11h_session_freeObjectAttributes (
 +   IN OUT const CK_ATTRIBUTE_PTR attrs,
 +   IN const unsigned count
 +);
 +static
 +CK_RV
 +_pkcs11h_session_findObjects (
 +   IN const pkcs11h_session_t session,
 +   IN const CK_ATTRIBUTE * const filter,
 +   IN const CK_ULONG filter_attrs,
 +   OUT CK_OBJECT_HANDLE **const p_objects,
 +   OUT CK_ULONG *p_objects_found
 +);
 +static
 +CK_RV
 +_pkcs11h_token_getTokenId (
 +   IN const CK_TOKEN_INFO_PTR info,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +);
 +static
 +CK_RV
 +_pkcs11h_token_newTokenId (
 +   OUT pkcs11h_token_id_t * const token_id
 +);
 +static
 +CK_RV
 +_pkcs11h_session_getSessionByTokenId (
 +   IN const pkcs11h_token_id_t token_id,
 +   OUT pkcs11h_session_t * const p_session
 +);
 +static
 +CK_RV
 +_pkcs11h_session_release (
 +   IN const pkcs11h_session_t session
 +);
 +static
 +CK_RV
 +_pkcs11h_session_reset (
 +   IN const pkcs11h_session_t session,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT CK_SLOT_ID * const p_slot
 +);
 +static
 +CK_RV
 +_pkcs11h_session_getObjectById (
 +   IN const pkcs11h_session_t session,
 +   IN const CK_OBJECT_CLASS class,
 +   IN const CK_BYTE_PTR id,
 +   IN const size_t id_size,
 +   OUT CK_OBJECT_HANDLE * const p_handle
 +);
 +static
 +CK_RV
 +_pkcs11h_session_validate (
 +   IN const pkcs11h_session_t session
 +);
 +static
 +CK_RV
 +_pkcs11h_session_touch (
 +   IN const pkcs11h_session_t session
 +);
 +static
 +CK_RV
 +_pkcs11h_session_login (
 +   IN const pkcs11h_session_t session,
 +   IN const PKCS11H_BOOL public_only,
 +   IN const PKCS11H_BOOL readonly,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt
 +);
 +static
 +CK_RV
 +_pkcs11h_session_logout (
 +   IN const pkcs11h_session_t session
 +);
 +
 +static
 +void
 +_pkcs11h_hooks_default_log (
 +   IN void * const global_data,
 +   IN const unsigned flags,
 +   IN const char * const format,
 +   IN va_list args
 +);
 +
 +static
 +PKCS11H_BOOL
 +_pkcs11h_hooks_default_token_prompt (
 +   IN void * const global_data,
 +   IN void * const user_data,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry
 +);
 +
 +static
 +PKCS11H_BOOL
 +_pkcs11h_hooks_default_pin_prompt (
 +   IN void * const global_data,
 +   IN void * const user_data,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry,
 +   OUT char * const pin,
 +   IN const size_t pin_max
 +);
 +
 +#if !defined(WIN32)
 +#if defined(ENABLE_PKCS11H_THREADING)
 +static
 +void
 +__pkcs11h_threading_atfork_prepare  ();
 +static
 +void
 +__pkcs11h_threading_atfork_parent ();
 +static
 +void
 +__pkcs11h_threading_atfork_child ();
 +#endif
 +static
 +CK_RV
 +_pkcs11h_forkFixup ();
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +/*======================================================================*
 + * CERTIFICATE INTERFACE
 + *======================================================================*/
 +
 +static
 +time_t
 +_pkcs11h_certificate_getExpiration (
 +   IN const unsigned char * const certificate,
 +   IN const size_t certificate_size
 +);
 +static
 +PKCS11H_BOOL
 +_pkcs11h_certificate_isBetterCertificate (
 +   IN const unsigned char * const current,
 +   IN const size_t current_size,
 +   IN const unsigned char * const newone,
 +   IN const size_t newone_size
 +);
 +static
 +CK_RV
 +_pkcs11h_certificate_newCertificateId (
 +   OUT pkcs11h_certificate_id_t * const certificate_id
 +);
 +static
 +CK_RV
 +_pkcs11h_certificate_getDN (
 +   IN const unsigned char * const blob,
 +   IN const size_t blob_size,
 +   OUT char * const dn,
 +   IN const size_t dn_size
 +);
 +static
 +CK_RV
 +_pkcs11h_certificate_loadCertificate (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +static
 +CK_RV
 +_pkcs11h_certificate_updateCertificateIdDescription (
 +   IN OUT pkcs11h_certificate_id_t certificate_id
 +);
 +static
 +CK_RV
 +_pkcs11h_certificate_getKeyAttributes (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +static
 +CK_RV
 +_pkcs11h_certificate_validateSession (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +static
 +CK_RV
 +_pkcs11h_certificate_resetSession (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const PKCS11H_BOOL public_only,
 +   IN const PKCS11H_BOOL session_mutex_locked
 +);
 +static
 +CK_RV
 +_pkcs11h_certificate_doPrivateOperation (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const enum _pkcs11h_private_op_e op,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +);
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#if defined(ENABLE_PKCS11H_LOCATE)
 +/*======================================================================*
 + * LOCATE INTERFACE
 + *======================================================================*/
 +
 +static
 +CK_RV
 +_pkcs11h_locate_getTokenIdBySlotId (
 +   IN const char * const slot,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +);
 +static
 +CK_RV
 +_pkcs11h_locate_getTokenIdBySlotName (
 +   IN const char * const name,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +);
 +static
 +CK_RV
 +_pkcs11h_locate_getTokenIdByLabel (
 +   IN const char * const label,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +);
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +static
 +CK_RV
 +_pkcs11h_locate_getCertificateIdByLabel (
 +   IN const pkcs11h_session_t session,
 +   IN OUT const pkcs11h_certificate_id_t certificate_id,
 +   IN const char * const label
 +);
 +static
 +CK_RV
 +_pkcs11h_locate_getCertificateIdBySubject (
 +   IN const pkcs11h_session_t session,
 +   IN OUT const pkcs11h_certificate_id_t certificate_id,
 +   IN const char * const subject
 +);
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +#endif             /* ENABLE_PKCS11H_LOCATE */
 +
 +#if defined(ENABLE_PKCS11H_ENUM)
 +/*======================================================================*
 + * ENUM INTERFACE
 + *======================================================================*/
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_enumSessionCertificates (
 +   IN const pkcs11h_session_t session,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt
 +);
 +static
 +CK_RV
 +_pkcs11h_certificate_splitCertificateIdList (
 +   IN const pkcs11h_certificate_id_list_t cert_id_all,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
 +);
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#endif             /* ENABLE_PKCS11H_ENUM */
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +/*======================================================================*
 + * SLOTEVENT INTERFACE
 + *======================================================================*/
 +
 +static
 +unsigned long
 +_pkcs11h_slotevent_checksum (
 +   IN const unsigned char * const p,
 +   IN const size_t s
 +);
 +static
 +void *
 +_pkcs11h_slotevent_provider (
 +   IN void *p
 +);
 +static
 +void *
 +_pkcs11h_slotevent_manager (
 +   IN void *p
 +);
 +static
 +CK_RV
 +_pkcs11h_slotevent_init ();
 +static
 +CK_RV
 +_pkcs11h_slotevent_notify ();
 +static
 +CK_RV
 +_pkcs11h_slotevent_terminate ();
 +
 +#endif             /* ENABLE_PKCS11H_SLOTEVENT */
 +
 +#if defined(ENABLE_PKCS11H_OPENSSL)
 +/*======================================================================*
 + * OPENSSL INTERFACE
 + *======================================================================*/
 +
 +static
 +int
 +_pkcs11h_openssl_finish (
 +   IN OUT RSA *rsa
 +);
 +#if OPENSSL_VERSION_NUMBER < 0x00907000L
 +static
 +int
 +_pkcs11h_openssl_dec (
 +   IN int flen,
 +   IN unsigned char *from,
 +   OUT unsigned char *to,
 +   IN OUT RSA *rsa,
 +   IN int padding
 +);
 +static
 +int
 +_pkcs11h_openssl_sign (
 +   IN int type,
 +   IN unsigned char *m,
 +   IN unsigned int m_len,
 +   OUT unsigned char *sigret,
 +   OUT unsigned int *siglen,
 +   IN OUT RSA *rsa
 +);
 +#else
 +static
 +int
 +_pkcs11h_openssl_dec (
 +   IN int flen,
 +   IN const unsigned char *from,
 +   OUT unsigned char *to,
 +   IN OUT RSA *rsa,
 +   IN int padding
 +);
 +static
 +int
 +_pkcs11h_openssl_sign (
 +   IN int type,
 +   IN const unsigned char *m,
 +   IN unsigned int m_len,
 +   OUT unsigned char *sigret,
 +   OUT unsigned int *siglen,
 +   IN OUT const RSA *rsa
 +);
 +#endif
 +static
 +pkcs11h_openssl_session_t
 +_pkcs11h_openssl_get_openssl_session (
 +   IN OUT const RSA *rsa
 +);  
 +static
 +pkcs11h_certificate_t
 +_pkcs11h_openssl_get_pkcs11h_certificate (
 +   IN OUT const RSA *rsa
 +);  
 +#endif             /* ENABLE_PKCS11H_OPENSSL */
 +
 +/*==========================================
 + * Static data
 + */
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +#if !defined(WIN32)
 +static struct {
 +   pkcs11h_mutex_t mutex;
 +   __pkcs11h_threading_mutex_entry_t head;
 +} __s_pkcs11h_threading_mutex_list = {
 +   PTHREAD_MUTEX_INITIALIZER,
 +   NULL
 +};
 +#endif
 +#endif
 +
 +pkcs11h_data_t s_pkcs11h_data = NULL;
 +unsigned int s_pkcs11h_loglevel = PKCS11H_LOG_INFO;
 +
 +/*======================================================================*
 + * PUBLIC INTERFACE
 + *======================================================================*/
 +
 +const char *
 +pkcs11h_getMessage (
 +   IN const CK_RV rv
 +) {
 +   switch (rv) {
 +       case CKR_OK: return "CKR_OK";
 +       case CKR_CANCEL: return "CKR_CANCEL";
 +       case CKR_HOST_MEMORY: return "CKR_HOST_MEMORY";
 +       case CKR_SLOT_ID_INVALID: return "CKR_SLOT_ID_INVALID";
 +       case CKR_GENERAL_ERROR: return "CKR_GENERAL_ERROR";
 +       case CKR_FUNCTION_FAILED: return "CKR_FUNCTION_FAILED";
 +       case CKR_ARGUMENTS_BAD: return "CKR_ARGUMENTS_BAD";
 +       case CKR_NO_EVENT: return "CKR_NO_EVENT";
 +       case CKR_NEED_TO_CREATE_THREADS: return "CKR_NEED_TO_CREATE_THREADS";
 +       case CKR_CANT_LOCK: return "CKR_CANT_LOCK";
 +       case CKR_ATTRIBUTE_READ_ONLY: return "CKR_ATTRIBUTE_READ_ONLY";
 +       case CKR_ATTRIBUTE_SENSITIVE: return "CKR_ATTRIBUTE_SENSITIVE";
 +       case CKR_ATTRIBUTE_TYPE_INVALID: return "CKR_ATTRIBUTE_TYPE_INVALID";
 +       case CKR_ATTRIBUTE_VALUE_INVALID: return "CKR_ATTRIBUTE_VALUE_INVALID";
 +       case CKR_DATA_INVALID: return "CKR_DATA_INVALID";
 +       case CKR_DATA_LEN_RANGE: return "CKR_DATA_LEN_RANGE";
 +       case CKR_DEVICE_ERROR: return "CKR_DEVICE_ERROR";
 +       case CKR_DEVICE_MEMORY: return "CKR_DEVICE_MEMORY";
 +       case CKR_DEVICE_REMOVED: return "CKR_DEVICE_REMOVED";
 +       case CKR_ENCRYPTED_DATA_INVALID: return "CKR_ENCRYPTED_DATA_INVALID";
 +       case CKR_ENCRYPTED_DATA_LEN_RANGE: return "CKR_ENCRYPTED_DATA_LEN_RANGE";
 +       case CKR_FUNCTION_CANCELED: return "CKR_FUNCTION_CANCELED";
 +       case CKR_FUNCTION_NOT_PARALLEL: return "CKR_FUNCTION_NOT_PARALLEL";
 +       case CKR_FUNCTION_NOT_SUPPORTED: return "CKR_FUNCTION_NOT_SUPPORTED";
 +       case CKR_KEY_HANDLE_INVALID: return "CKR_KEY_HANDLE_INVALID";
 +       case CKR_KEY_SIZE_RANGE: return "CKR_KEY_SIZE_RANGE";
 +       case CKR_KEY_TYPE_INCONSISTENT: return "CKR_KEY_TYPE_INCONSISTENT";
 +       case CKR_KEY_NOT_NEEDED: return "CKR_KEY_NOT_NEEDED";
 +       case CKR_KEY_CHANGED: return "CKR_KEY_CHANGED";
 +       case CKR_KEY_NEEDED: return "CKR_KEY_NEEDED";
 +       case CKR_KEY_INDIGESTIBLE: return "CKR_KEY_INDIGESTIBLE";
 +       case CKR_KEY_FUNCTION_NOT_PERMITTED: return "CKR_KEY_FUNCTION_NOT_PERMITTED";
 +       case CKR_KEY_NOT_WRAPPABLE: return "CKR_KEY_NOT_WRAPPABLE";
 +       case CKR_KEY_UNEXTRACTABLE: return "CKR_KEY_UNEXTRACTABLE";
 +       case CKR_MECHANISM_INVALID: return "CKR_MECHANISM_INVALID";
 +       case CKR_MECHANISM_PARAM_INVALID: return "CKR_MECHANISM_PARAM_INVALID";
 +       case CKR_OBJECT_HANDLE_INVALID: return "CKR_OBJECT_HANDLE_INVALID";
 +       case CKR_OPERATION_ACTIVE: return "CKR_OPERATION_ACTIVE";
 +       case CKR_OPERATION_NOT_INITIALIZED: return "CKR_OPERATION_NOT_INITIALIZED";
 +       case CKR_PIN_INCORRECT: return "CKR_PIN_INCORRECT";
 +       case CKR_PIN_INVALID: return "CKR_PIN_INVALID";
 +       case CKR_PIN_LEN_RANGE: return "CKR_PIN_LEN_RANGE";
 +       case CKR_PIN_EXPIRED: return "CKR_PIN_EXPIRED";
 +       case CKR_PIN_LOCKED: return "CKR_PIN_LOCKED";
 +       case CKR_SESSION_CLOSED: return "CKR_SESSION_CLOSED";
 +       case CKR_SESSION_COUNT: return "CKR_SESSION_COUNT";
 +       case CKR_SESSION_HANDLE_INVALID: return "CKR_SESSION_HANDLE_INVALID";
 +       case CKR_SESSION_PARALLEL_NOT_SUPPORTED: return "CKR_SESSION_PARALLEL_NOT_SUPPORTED";
 +       case CKR_SESSION_READ_ONLY: return "CKR_SESSION_READ_ONLY";
 +       case CKR_SESSION_EXISTS: return "CKR_SESSION_EXISTS";
 +       case CKR_SESSION_READ_ONLY_EXISTS: return "CKR_SESSION_READ_ONLY_EXISTS";
 +       case CKR_SESSION_READ_WRITE_SO_EXISTS: return "CKR_SESSION_READ_WRITE_SO_EXISTS";
 +       case CKR_SIGNATURE_INVALID: return "CKR_SIGNATURE_INVALID";
 +       case CKR_SIGNATURE_LEN_RANGE: return "CKR_SIGNATURE_LEN_RANGE";
 +       case CKR_TEMPLATE_INCOMPLETE: return "CKR_TEMPLATE_INCOMPLETE";
 +       case CKR_TEMPLATE_INCONSISTENT: return "CKR_TEMPLATE_INCONSISTENT";
 +       case CKR_TOKEN_NOT_PRESENT: return "CKR_TOKEN_NOT_PRESENT";
 +       case CKR_TOKEN_NOT_RECOGNIZED: return "CKR_TOKEN_NOT_RECOGNIZED";
 +       case CKR_TOKEN_WRITE_PROTECTED: return "CKR_TOKEN_WRITE_PROTECTED";
 +       case CKR_UNWRAPPING_KEY_HANDLE_INVALID: return "CKR_UNWRAPPING_KEY_HANDLE_INVALID";
 +       case CKR_UNWRAPPING_KEY_SIZE_RANGE: return "CKR_UNWRAPPING_KEY_SIZE_RANGE";
 +       case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT: return "CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT";
 +       case CKR_USER_ALREADY_LOGGED_IN: return "CKR_USER_ALREADY_LOGGED_IN";
 +       case CKR_USER_NOT_LOGGED_IN: return "CKR_USER_NOT_LOGGED_IN";
 +       case CKR_USER_PIN_NOT_INITIALIZED: return "CKR_USER_PIN_NOT_INITIALIZED";
 +       case CKR_USER_TYPE_INVALID: return "CKR_USER_TYPE_INVALID";
 +       case CKR_USER_ANOTHER_ALREADY_LOGGED_IN: return "CKR_USER_ANOTHER_ALREADY_LOGGED_IN";
 +       case CKR_USER_TOO_MANY_TYPES: return "CKR_USER_TOO_MANY_TYPES";
 +       case CKR_WRAPPED_KEY_INVALID: return "CKR_WRAPPED_KEY_INVALID";
 +       case CKR_WRAPPED_KEY_LEN_RANGE: return "CKR_WRAPPED_KEY_LEN_RANGE";
 +       case CKR_WRAPPING_KEY_HANDLE_INVALID: return "CKR_WRAPPING_KEY_HANDLE_INVALID";
 +       case CKR_WRAPPING_KEY_SIZE_RANGE: return "CKR_WRAPPING_KEY_SIZE_RANGE";
 +       case CKR_WRAPPING_KEY_TYPE_INCONSISTENT: return "CKR_WRAPPING_KEY_TYPE_INCONSISTENT";
 +       case CKR_RANDOM_SEED_NOT_SUPPORTED: return "CKR_RANDOM_SEED_NOT_SUPPORTED";
 +       case CKR_RANDOM_NO_RNG: return "CKR_RANDOM_NO_RNG";
 +       case CKR_DOMAIN_PARAMS_INVALID: return "CKR_DOMAIN_PARAMS_INVALID";
 +       case CKR_BUFFER_TOO_SMALL: return "CKR_BUFFER_TOO_SMALL";
 +       case CKR_SAVED_STATE_INVALID: return "CKR_SAVED_STATE_INVALID";
 +       case CKR_INFORMATION_SENSITIVE: return "CKR_INFORMATION_SENSITIVE";
 +       case CKR_STATE_UNSAVEABLE: return "CKR_STATE_UNSAVEABLE";
 +       case CKR_CRYPTOKI_NOT_INITIALIZED: return "CKR_CRYPTOKI_NOT_INITIALIZED";
 +       case CKR_CRYPTOKI_ALREADY_INITIALIZED: return "CKR_CRYPTOKI_ALREADY_INITIALIZED";
 +       case CKR_MUTEX_BAD: return "CKR_MUTEX_BAD";
 +       case CKR_MUTEX_NOT_LOCKED: return "CKR_MUTEX_NOT_LOCKED";
 +       case CKR_FUNCTION_REJECTED: return "CKR_FUNCTION_REJECTED";
 +       case CKR_VENDOR_DEFINED: return "CKR_VENDOR_DEFINED";
 +       default: return "Unknown PKCS#11 error";
 +   }
 +}
 +
 +CK_RV
 +pkcs11h_initialize () {
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_initialize entry"
 +   );
 +
 +   pkcs11h_terminate ();
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_malloc ((void*)&s_pkcs11h_data, sizeof (struct pkcs11h_data_s));
 +   }
 +
 +#if defined(USE_PKCS11H_OPENSSL) || defined(ENABLE_PKCS11H_OPENSSL)
 +   OpenSSL_add_all_digests ();
 +#endif
 +#if defined(USE_PKCS11H_GNUTLS)
 +   if (
 +       rv == CKR_OK &&
 +       gnutls_global_init () != GNUTLS_E_SUCCESS
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_threading_mutexInit (&s_pkcs11h_data->mutexes.global); 
 +   }
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_threading_mutexInit (&s_pkcs11h_data->mutexes.session); 
 +   }
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_threading_mutexInit (&s_pkcs11h_data->mutexes.cache); 
 +   }
 +#if !defined(WIN32)
 +   if (
 +       rv == CKR_OK &&
 +       pthread_atfork (
 +           __pkcs11h_threading_atfork_prepare,
 +           __pkcs11h_threading_atfork_parent,
 +           __pkcs11h_threading_atfork_child
 +       )
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#endif
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       s_pkcs11h_data->max_retries = PKCS11H_DEFAULT_MAX_LOGIN_RETRY;
 +       s_pkcs11h_data->allow_protected_auth = TRUE;
 +       s_pkcs11h_data->pin_cache_period = PKCS11H_DEFAULT_PIN_CACHE_PERIOD;
 +       s_pkcs11h_data->initialized = TRUE;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       pkcs11h_setLogHook (_pkcs11h_hooks_default_log, NULL);
 +       pkcs11h_setTokenPromptHook (_pkcs11h_hooks_default_token_prompt, NULL);
 +       pkcs11h_setPINPromptHook (_pkcs11h_hooks_default_pin_prompt, NULL);
 +   }
 +   
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_initialize return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_terminate () {
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_terminate entry"
 +   );
 +
 +   if (s_pkcs11h_data != NULL) {
 +       pkcs11h_provider_t current_provider = NULL;
 +
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG1,
 +           "PKCS#11: Removing providers"
 +       );
 +
 +       for (
 +           current_provider = s_pkcs11h_data->providers;
 +           current_provider != NULL;
 +           current_provider = current_provider->next
 +       ) {
 +           pkcs11h_removeProvider (current_provider->reference);
 +       }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.cache);
 +       _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.session);
 +       _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global);
 +#endif
 +
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG1,
 +           "PKCS#11: Releasing sessions"
 +       );
 +
 +       while (s_pkcs11h_data->sessions != NULL) {
 +           pkcs11h_session_t current = s_pkcs11h_data->sessions;
 +           s_pkcs11h_data->sessions = s_pkcs11h_data->sessions->next;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +           _pkcs11h_threading_mutexLock (&current->mutex);
 +#endif
 +
 +           current->valid = FALSE;
 +
 +           if (current->reference_count != 0) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Warning: Found session with references"
 +               );
 +           }
 +
 +           if (current->token_id != NULL) {
 +               pkcs11h_token_freeTokenId (current->token_id);
 +               current->token_id = NULL;
 +           }
 +
 +#if defined(ENABLE_PKCS11H_ENUM)
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +           pkcs11h_certificate_freeCertificateIdList (current->cached_certs);
 +#endif
 +#endif
 +
 +           current->provider = NULL;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +           _pkcs11h_threading_mutexFree (&current->mutex);
 +#endif
 +
 +           _pkcs11h_mem_free ((void *)&current);
 +       }
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG1,
 +           "PKCS#11: Terminating slotevent"
 +       );
 +
 +       _pkcs11h_slotevent_terminate ();
 +#endif
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG1,
 +           "PKCS#11: Marking as uninitialized"
 +       );
 +       
 +       s_pkcs11h_data->initialized = FALSE;
 +
 +       while (s_pkcs11h_data->providers != NULL) {
 +           pkcs11h_provider_t current = s_pkcs11h_data->providers;
 +           s_pkcs11h_data->providers = s_pkcs11h_data->providers->next;
 +
 +           _pkcs11h_mem_free ((void *)&current);
 +       }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       _pkcs11h_threading_mutexFree (&s_pkcs11h_data->mutexes.cache);
 +       _pkcs11h_threading_mutexFree (&s_pkcs11h_data->mutexes.global); 
 +       _pkcs11h_threading_mutexFree (&s_pkcs11h_data->mutexes.session); 
 +#endif
 +
 +#if defined(USE_PKCS11H_GNUTLS)
 +       gnutls_global_deinit ();
 +#endif
 +
 +       _pkcs11h_mem_free ((void *)&s_pkcs11h_data);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_terminate return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +void
 +pkcs11h_setLogLevel (
 +   IN const unsigned flags
 +) {
 +   s_pkcs11h_loglevel = flags;
 +}
 +
 +unsigned
 +pkcs11h_getLogLevel () {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +
 +   return s_pkcs11h_loglevel;
 +}
 +
 +CK_RV
 +pkcs11h_setLogHook (
 +   IN const pkcs11h_hook_log_t hook,
 +   IN void * const global_data
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (hook!=NULL);
 +
 +   s_pkcs11h_data->hooks.log = hook;
 +   s_pkcs11h_data->hooks.log_data = global_data;
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_setSlotEventHook (
 +   IN const pkcs11h_hook_slotevent_t hook,
 +   IN void * const global_data
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (hook!=NULL);
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +   s_pkcs11h_data->hooks.slotevent = hook;
 +   s_pkcs11h_data->hooks.slotevent_data = global_data;
 +
 +   return _pkcs11h_slotevent_init ();
 +#else
 +   (void)global_data;
 +
 +   return CKR_FUNCTION_NOT_SUPPORTED;
 +#endif
 +}
 +
 +CK_RV
 +pkcs11h_setPINPromptHook (
 +   IN const pkcs11h_hook_pin_prompt_t hook,
 +   IN void * const global_data
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (hook!=NULL);
 +
 +   s_pkcs11h_data->hooks.pin_prompt = hook;
 +   s_pkcs11h_data->hooks.pin_prompt_data = global_data;
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_setTokenPromptHook (
 +   IN const pkcs11h_hook_token_prompt_t hook,
 +   IN void * const global_data
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (hook!=NULL);
 +
 +   s_pkcs11h_data->hooks.token_prompt = hook;
 +   s_pkcs11h_data->hooks.token_prompt_data = global_data;
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_setPINCachePeriod (
 +   IN const int pin_cache_period
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +
 +   s_pkcs11h_data->pin_cache_period = pin_cache_period;
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_setMaxLoginRetries (
 +   IN const unsigned max_retries
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +
 +   s_pkcs11h_data->max_retries = max_retries;
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_setProtectedAuthentication (
 +   IN const PKCS11H_BOOL allow_protected_auth
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +
 +   s_pkcs11h_data->allow_protected_auth = allow_protected_auth;
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_addProvider (
 +   IN const char * const reference,
 +   IN const char * const provider_location,
 +   IN const PKCS11H_BOOL allow_protected_auth,
 +   IN const unsigned mask_sign_mode,
 +   IN const int slot_event_method,
 +   IN const int slot_poll_interval,
 +   IN const PKCS11H_BOOL cert_is_private
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +#if defined(WIN32)
 +   int mypid = 0;
 +#else
 +   pid_t mypid = getpid ();
 +#endif
 +   pkcs11h_provider_t provider = NULL;
 +   CK_C_GetFunctionList gfl = NULL;
 +   CK_INFO info;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (provider_location!=NULL);
 +   /*PKCS11H_ASSERT (szSignMode!=NULL); NOT NEEDED*/
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_addProvider entry pid=%d, reference='%s', provider_location='%s', allow_protected_auth=%d,
	mask_sign_mode=%08x, cert_is_private=%d",
 +       mypid,
 +       reference,
 +       provider_location,
 +       allow_protected_auth ? 1 : 0,
 +       mask_sign_mode,
 +       cert_is_private ? 1 : 0
 +   );
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG1,
 +       "PKCS#11: Adding provider '%s'-'%s'",
 +       reference,
 +       provider_location
 +   );
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_mem_malloc ((void *)&provider, sizeof (struct pkcs11h_provider_s))) == CKR_OK
 +   ) {
 +       strncpy (
 +           provider->reference,
 +           reference,
 +           sizeof (provider->reference)-1
 +       );
 +       provider->reference[sizeof (provider->reference)-1] = '\x0';
 +       strncpy (
 +           provider->manufacturerID,
 +           (
 +               strlen (provider_location) < sizeof (provider->manufacturerID) ?
 +               provider_location :
 +               provider_location+strlen (provider_location)-sizeof (provider->manufacturerID)+1
 +           ),
 +           sizeof (provider->manufacturerID)-1
 +       );
 +       provider->manufacturerID[sizeof (provider->manufacturerID)-1] = '\x0';
 +       provider->allow_protected_auth = allow_protected_auth;
 +       provider->mask_sign_mode = mask_sign_mode;
 +       provider->slot_event_method = slot_event_method;
 +       provider->slot_poll_interval = slot_poll_interval;
 +       provider->cert_is_private = cert_is_private;
 +   }
 +       
 +   if (rv == CKR_OK) {
 +#if defined(WIN32)
 +       provider->handle = LoadLibraryA (provider_location);
 +#else
 +       provider->handle = dlopen (provider_location, RTLD_NOW);
 +#endif
 +       if (provider->handle == NULL) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +#if defined(WIN32)
 +       gfl = (CK_C_GetFunctionList)GetProcAddress (
 +           provider->handle,
 +           "C_GetFunctionList"
 +       );
 +#else
 +       /*
 +        * Make compiler happy!
 +        */
 +       void *p = dlsym (
 +           provider->handle,
 +           "C_GetFunctionList"
 +       );
 +       memmove (
 +           &gfl, 
 +           &p,
 +           sizeof (void *)
 +       );
 +#endif
 +       if (gfl == NULL) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = gfl (&provider->f);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       if ((rv = provider->f->C_Initialize (NULL)) != CKR_OK) {
 +           if (rv == CKR_CRYPTOKI_ALREADY_INITIALIZED) {
 +               rv = CKR_OK;
 +           }
 +       }
 +       else {
 +           provider->should_finalize = TRUE;
 +       }
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = provider->f->C_GetInfo (&info)) == CKR_OK
 +   ) {
 +       _pkcs11h_util_fixupFixedString (
 +           provider->manufacturerID,
 +           (char *)info.manufacturerID,
 +           sizeof (info.manufacturerID)
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       provider->enabled = TRUE;
 +   }
 +
 +   if (provider != NULL) {
 +       if (s_pkcs11h_data->providers == NULL) {
 +           s_pkcs11h_data->providers = provider;
 +       }
 +       else {
 +           pkcs11h_provider_t last = NULL;
 +   
 +           for (
 +               last = s_pkcs11h_data->providers;
 +               last->next != NULL;
 +               last = last->next
 +           );
 +           last->next = provider;
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +   _pkcs11h_slotevent_notify ();
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG1,
 +       "PKCS#11: Provider '%s' added rv=%ld-'%s'",
 +       reference,
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_addProvider return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_removeProvider (
 +   IN const char * const reference
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   pkcs11h_session_t current_session = NULL;
 +#endif
 +   pkcs11h_provider_t provider = NULL;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (reference!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_removeProvider entry reference='%s'",
 +       reference
 +   );
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG1,
 +       "PKCS#11: Removing provider '%s'",
 +       reference
 +   );
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.cache);
 +   _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.session);
 +   _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global);
 +
 +   for (
 +       current_session = s_pkcs11h_data->sessions;
 +       current_session != NULL;
 +       current_session = current_session->next
 +   ) {
 +       _pkcs11h_threading_mutexLock (&current_session->mutex);
 +   }
 +#endif
 +
 +   provider = s_pkcs11h_data->providers;
 +   while (
 +       rv == CKR_OK &&
 +       provider != NULL &&
 +       strcmp (reference, provider->reference)
 +   ) {
 +       provider = provider->next;
 +   }
 +
 +   if (rv == CKR_OK && provider == NULL) {
 +       rv = CKR_OBJECT_HANDLE_INVALID;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       provider->enabled = FALSE;
 +       provider->reference[0] = '\0';
 +
 +       if (provider->should_finalize) {
 +           provider->f->C_Finalize (NULL);
 +           provider->should_finalize = FALSE;
 +       }
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +       _pkcs11h_slotevent_notify ();
 +       
 +       /*
 +        * Wait until manager join this thread
 +        * this happens saldom so I can poll
 +        */
 +       while (provider->slotevent_thread != PKCS11H_THREAD_NULL) {
 +           _pkcs11h_threading_sleep (500);
 +       }
 +#endif
 +
 +       if (provider->f != NULL) {
 +           provider->f = NULL;
 +       }
 +
 +       if (provider->handle != NULL) {
 +#if defined(WIN32)
 +           FreeLibrary (provider->handle);
 +#else
 +           dlclose (provider->handle);
 +#endif
 +           provider->handle = NULL;
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   for (
 +       current_session = s_pkcs11h_data->sessions;
 +       current_session != NULL;
 +       current_session = current_session->next
 +   ) {
 +       _pkcs11h_threading_mutexRelease (&current_session->mutex);
 +   }
 +
 +   _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.cache);
 +   _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.session);
 +   _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
 +#endif
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_removeProvider return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_forkFixup () {
 +#if defined(WIN32)
 +   return CKR_OK;
 +#else
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   return CKR_OK;
 +#else
 +   return _pkcs11h_forkFixup ();
 +#endif
 +#endif
 +}
 +
 +CK_RV
 +pkcs11h_plugAndPlay () {
 +#if defined(WIN32)
 +   int mypid = 0;
 +#else
 +   pid_t mypid = getpid ();
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_forkFixup entry pid=%d",
 +       mypid
 +   );
 +
 +   if (s_pkcs11h_data != NULL && s_pkcs11h_data->initialized) {
 +       pkcs11h_provider_t current;
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +       PKCS11H_BOOL slot_event_active = FALSE;
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global);
 +#endif
 +       for (
 +           current = s_pkcs11h_data->providers;
 +           current != NULL;
 +           current = current->next
 +       ) {
 +           if (current->enabled) {
 +               current->f->C_Finalize (NULL);
 +           }
 +       }
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +       if (s_pkcs11h_data->slotevent.initialized) {
 +           slot_event_active = TRUE;
 +           _pkcs11h_slotevent_terminate ();
 +       }
 +#endif
 +
 +       for (
 +           current = s_pkcs11h_data->providers;
 +           current != NULL;
 +           current = current->next
 +       ) {
 +           if (current->enabled) {
 +               current->f->C_Initialize (NULL);
 +           }
 +       }
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +       if (slot_event_active) {
 +           _pkcs11h_slotevent_init ();
 +       }
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
 +#endif
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_forkFixup return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_token_freeTokenId (
 +   IN pkcs11h_token_id_t token_id
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (token_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=%p",
 +       (void *)token_id
 +   );
 +
 +   _pkcs11h_mem_free ((void *)&token_id);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_freeTokenId return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_token_duplicateTokenId (
 +   OUT pkcs11h_token_id_t * const to,
 +   IN const pkcs11h_token_id_t from
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (to!=NULL);
 +   PKCS11H_ASSERT (from!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_duplicateTokenId entry to=%p form=%p",
 +       (void *)to,
 +       (void *)from
 +   );
 +
 +   *to = NULL;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_duplicate (
 +           (void*)to,
 +           NULL,
 +           from,
 +           sizeof (struct pkcs11h_token_id_s)
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_duplicateTokenId return rv=%ld-'%s', *to=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*to
 +   );
 +   
 +   return rv;
 +}
 +
 +PKCS11H_BOOL
 +pkcs11h_token_sameTokenId (
 +   IN const pkcs11h_token_id_t a,
 +   IN const pkcs11h_token_id_t b
 +) {
 +   PKCS11H_ASSERT (a!=NULL);
 +   PKCS11H_ASSERT (b!=NULL);
 +
 +   return (
 +       !strcmp (a->manufacturerID, b->manufacturerID) &&
 +       !strcmp (a->model, b->model) &&
 +       !strcmp (a->serialNumber, b->serialNumber) &&
 +       !strcmp (a->label, b->label)
 +   );
 +}
 +
 +#if defined(ENABLE_PKCS11H_SERIALIZATION)
 +
 +CK_RV
 +pkcs11h_token_serializeTokenId (
 +   OUT char * const sz,
 +   IN OUT size_t *max,
 +   IN const pkcs11h_token_id_t token_id
 +) {
 +   const char *sources[5];
 +   CK_RV rv = CKR_OK;
 +   size_t n;
 +   int e;
 +
 +   /*PKCS11H_ASSERT (sz!=NULL); Not required*/
 +   PKCS11H_ASSERT (max!=NULL);
 +   PKCS11H_ASSERT (token_id!=NULL);
 +
 +   { /* Must be after assert */
 +       sources[0] = token_id->manufacturerID;
 +       sources[1] = token_id->model;
 +       sources[2] = token_id->serialNumber;
 +       sources[3] = token_id->label;
 +       sources[4] = NULL;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_serializeTokenId entry sz=%p, *max=%u, token_id=%p",
 +       sz,
 +       sz != NULL ? *max : 0,
 +       (void *)token_id
 +   );
 +
 +   n = 0;
 +   for (e=0;rv == CKR_OK && sources[e] != NULL;e++) {
 +       size_t t;
 +       rv = _pkcs11h_util_escapeString (NULL, sources[e], &t, PKCS11H_SERIALIZE_INVALID_CHARS);
 +       n+=t;
 +   }
 +
 +   if (sz != NULL) {
 +       if (*max < n) {
 +           rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +       }
 +       else {
 +           n = 0;
 +           for (e=0;sources[e] != NULL;e++) {
 +               size_t t = *max-n;
 +               _pkcs11h_util_escapeString (sz+n, sources[e], &t, PKCS11H_SERIALIZE_INVALID_CHARS);
 +               n+=t;
 +               sz[n-1] = '/';
 +           }
 +           sz[n-1] = '\x0';
 +       }
 +   }
 +
 +   *max = n;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_serializeTokenId return rv=%ld-'%s', *max=%u, sz='%s'",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *max,
 +       sz
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_token_deserializeTokenId (
 +   OUT pkcs11h_token_id_t *p_token_id,
 +   IN const char * const sz
 +) {
 +#define __PKCS11H_TARGETS_NUMBER 4
 +   struct {
 +       char *p;
 +       size_t s;
 +   } targets[__PKCS11H_TARGETS_NUMBER];
 +
 +   pkcs11h_token_id_t token_id = NULL;
 +   char *p1 = NULL;
 +   char *_sz = NULL;
 +   int e;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (p_token_id!=NULL);
 +   PKCS11H_ASSERT (sz!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=%p, sz='%s'",
 +       (void *)p_token_id,
 +       sz
 +   );
 +
 +   *p_token_id = NULL;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_strdup (
 +           (void *)&_sz,
 +           sz
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       p1 = _sz;
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_token_newTokenId (&token_id)) == CKR_OK
 +   ) {
 +       targets[0].p = token_id->manufacturerID;
 +       targets[0].s = sizeof (token_id->manufacturerID);
 +       targets[1].p = token_id->model;
 +       targets[1].s = sizeof (token_id->model);
 +       targets[2].p = token_id->serialNumber;
 +       targets[2].s = sizeof (token_id->serialNumber);
 +       targets[3].p = token_id->label;
 +       targets[3].s = sizeof (token_id->label);
 +   }
 +
 +   for (e=0;rv == CKR_OK && e < __PKCS11H_TARGETS_NUMBER;e++) {
 +       size_t l;
 +       char *p2 = NULL;
 +
 +       /*
 +        * Don't search for last
 +        * separator
 +        */
 +       if (rv == CKR_OK) {
 +           if (e != __PKCS11H_TARGETS_NUMBER-1) {
 +               p2 = strchr (p1, '/');
 +               if (p2 == NULL) {
 +                   rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +               }
 +               else {
 +                   *p2 = '\x0';
 +               }
 +           }
 +       }
 +
 +       if (rv == CKR_OK) {
 +           _pkcs11h_util_unescapeString (
 +               NULL,
 +               p1,
 +               &l
 +           );
 +       }
 +
 +       if (rv == CKR_OK) {
 +           if (l > targets[e].s) {
 +               rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +           }
 +       }
 +
 +       if (rv == CKR_OK) {
 +           l = targets[e].s;
 +           _pkcs11h_util_unescapeString (
 +               targets[e].p,
 +               p1,
 +               &l
 +           );
 +       }
 +
 +       if (rv == CKR_OK) {
 +           p1 = p2+1;
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       strncpy (
 +           token_id->display,
 +           token_id->label,
 +           sizeof (token_id->display)
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_token_id = token_id;
 +       token_id = NULL;
 +   }
 +
 +   if (_sz != NULL) {
 +       _pkcs11h_mem_free ((void *)&_sz);
 +   }
 +
 +   if (token_id != NULL) {
 +       pkcs11h_token_freeTokenId (token_id);
 +   }
 +
 +   return rv;
 +#undef __PKCS11H_TARGETS_NUMBER
 +}
 +
 +#endif             /* ENABLE_PKCS11H_SERIALIZATION */
 +
 +/*======================================================================*
 + * MEMORY INTERFACE
 + *======================================================================*/
 +
 +static
 +CK_RV
 +_pkcs11h_mem_malloc (
 +   OUT const void * * const p,
 +   IN const size_t s
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (p!=NULL);
 +   PKCS11H_ASSERT (s!=0);
 +
 +   *p = NULL;
 +
 +   if (s > 0) {
 +       if (
 +           (*p = (void *)PKCS11H_MALLOC (s)) == NULL
 +       ) {
 +           rv = CKR_HOST_MEMORY;
 +       }
 +       else {
 +           memset ((void *)*p, 0, s);
 +       }
 +   }
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_mem_free (
 +   IN const void * * const  p
 +) {
 +   PKCS11H_ASSERT (p!=NULL);
 +
 +   PKCS11H_FREE ((void *)*p);
 +   *p = NULL;
 +
 +   return CKR_OK;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_mem_strdup (
 +   OUT const char * * const dest,
 +   IN const char * const src
 +) {
 +   return _pkcs11h_mem_duplicate (
 +       (void *)dest,
 +       NULL,
 +       src,
 +       strlen (src)+1
 +   );
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_mem_duplicate (
 +   OUT const void * * const dest,
 +   OUT size_t * const p_dest_size,
 +   IN const void * const src,
 +   IN const size_t mem_size
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (dest!=NULL);
 +   /*PKCS11H_ASSERT (dest_size!=NULL); NOT NEEDED*/
 +   PKCS11H_ASSERT (!(mem_size!=0&&src==NULL));
 +
 +   *dest = NULL;
 +   if (p_dest_size != NULL) {
 +       *p_dest_size = 0;
 +   }
 +
 +   if (src != NULL) {
 +       if (
 +           rv == CKR_OK &&
 +           (rv = _pkcs11h_mem_malloc (dest, mem_size)) == CKR_OK
 +       ) {
 +           if (p_dest_size != NULL) {
 +               *p_dest_size = mem_size;
 +           }
 +           memmove ((void*)*dest, src, mem_size);
 +       }
 +   }
 +
 +   return rv;
 +}
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +/*======================================================================*
 + * THREADING INTERFACE
 + *======================================================================*/
 +
 +static
 +void
 +_pkcs11h_threading_sleep (
 +   IN const unsigned milli
 +) {
 +#if defined(WIN32)
 +   Sleep (milli);
 +#else
 +   usleep (milli*1000);
 +#endif
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_threading_mutexInit (
 +   OUT pkcs11h_mutex_t * const mutex
 +) {
 +   CK_RV rv = CKR_OK;
 +#if defined(WIN32)
 +   if (
 +       rv == CKR_OK &&
 +       (*mutex = CreateMutex (NULL, FALSE, NULL)) == NULL
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#else
 +   {
 +       __pkcs11h_threading_mutex_entry_t entry = NULL;
 +       PKCS11H_BOOL mutex_locked = FALSE;
 +
 +       if (
 +           rv == CKR_OK &&
 +           (rv = _pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex)) == CKR_OK
 +       ) {
 +           mutex_locked = TRUE;
 +       }
 +       
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_mem_malloc (
 +               (void *)&entry,
 +               sizeof (struct __pkcs11h_threading_mutex_entry_s)
 +           );
 +       }
 +
 +       if (
 +           rv == CKR_OK &&
 +           pthread_mutex_init (mutex, NULL)
 +       ) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           entry->p_mutex = mutex;
 +           entry->next = __s_pkcs11h_threading_mutex_list.head;
 +           __s_pkcs11h_threading_mutex_list.head = entry;
 +           entry = NULL;
 +       }
 +
 +       if (entry != NULL) {
 +           _pkcs11h_mem_free ((void *)&entry);
 +       }
 +
 +       if (mutex_locked) {
 +           _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
 +           mutex_locked = FALSE;
 +       }
 +   }
 +#endif
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_threading_mutexLock (
 +   IN OUT pkcs11h_mutex_t *const mutex
 +) {
 +   CK_RV rv = CKR_OK;
 +#if defined(WIN32)
 +   if (
 +       rv == CKR_OK &&
 +       WaitForSingleObject (*mutex, INFINITE) == WAIT_FAILED
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#else
 +   if (
 +       rv == CKR_OK &&
 +       pthread_mutex_lock (mutex)
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#endif
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_threading_mutexRelease (
 +   IN OUT pkcs11h_mutex_t *const mutex
 +) {
 +   CK_RV rv = CKR_OK;
 +#if defined(WIN32)
 +   if (
 +       rv == CKR_OK &&
 +       !ReleaseMutex (*mutex)
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#else
 +   if (
 +       rv == CKR_OK &&
 +       pthread_mutex_unlock (mutex)
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#endif
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_threading_mutexFree (
 +   IN OUT pkcs11h_mutex_t *const mutex
 +) {
 +#if defined(WIN32)
 +   if (*mutex != NULL) {
 +       CloseHandle (*mutex);
 +       *mutex = NULL;
 +   }
 +#else
 +   {
 +       __pkcs11h_threading_mutex_entry_t last = NULL;
 +       __pkcs11h_threading_mutex_entry_t entry = NULL;
 +       PKCS11H_BOOL mutex_locked = FALSE;
 +
 +       if (_pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex) == CKR_OK) {
 +           mutex_locked = TRUE;
 +       }
 +
 +       entry =  __s_pkcs11h_threading_mutex_list.head;
 +       while (
 +           entry != NULL &&
 +           entry->p_mutex != mutex
 +       ) {
 +           last = entry;
 +           entry = entry->next;
 +       }
 +
 +       if (entry != NULL) {
 +           if (last == NULL) {
 +               __s_pkcs11h_threading_mutex_list.head = entry->next;
 +           }
 +           else {
 +               last->next = entry->next;
 +           }
 +           _pkcs11h_mem_free ((void *)&entry);
 +       }
 +
 +       pthread_mutex_destroy (mutex);
 +
 +       if (mutex_locked) {
 +           _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
 +           mutex_locked = FALSE;
 +       }
 +   }
 +#endif
 +   return CKR_OK;
 +}
 +
 +#if !defined(WIN32)
 +/*
 + * This function is required in order
 + * to lock all mutexes before fork is called,
 + * and to avoid dedlocks.
 + * The loop is required because there is no
 + * way to lock all mutex in one system call...
 + */
 +static
 +void
 +__pkcs1h_threading_mutexLockAll () {
 +   __pkcs11h_threading_mutex_entry_t entry = NULL;
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +   PKCS11H_BOOL all_mutexes_locked = FALSE;
 +
 +   if (_pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex) == CKR_OK) {
 +       mutex_locked = TRUE;
 +   }
 +
 +   for (
 +       entry = __s_pkcs11h_threading_mutex_list.head;
 +       entry != NULL;
 +       entry = entry->next
 +   ) {
 +       entry->locked = FALSE;
 +   }
 +
 +   while (!all_mutexes_locked) {
 +       PKCS11H_BOOL ok = TRUE;
 +       
 +       for (
 +           entry = __s_pkcs11h_threading_mutex_list.head;
 +           entry != NULL && ok;
 +           entry = entry->next
 +       ) {
 +           if (!pthread_mutex_trylock (entry->p_mutex)) {
 +               entry->locked = TRUE;
 +           }
 +           else {
 +               ok = FALSE;
 +           }
 +       }
 +
 +       if (!ok) {
 +           for (
 +               entry = __s_pkcs11h_threading_mutex_list.head;
 +               entry != NULL;
 +               entry = entry->next
 +           ) {
 +               if (entry->locked == TRUE) {
 +                   pthread_mutex_unlock (entry->p_mutex);
 +                   entry->locked = FALSE;
 +               }
 +           }
 +
 +           _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
 +           _pkcs11h_threading_sleep (1000);
 +           _pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex);
 +       }
 +       else {
 +           all_mutexes_locked  = TRUE;
 +       }
 +   }
 +
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
 +       mutex_locked = FALSE;
 +   }
 +}
 +
 +static
 +void
 +__pkcs1h_threading_mutexReleaseAll () {
 +   __pkcs11h_threading_mutex_entry_t entry = NULL;
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +
 +   if (_pkcs11h_threading_mutexLock (&__s_pkcs11h_threading_mutex_list.mutex) == CKR_OK) {
 +       mutex_locked = TRUE;
 +   }
 +
 +   for (
 +       entry = __s_pkcs11h_threading_mutex_list.head;
 +       entry != NULL;
 +       entry = entry->next
 +   ) {
 +       pthread_mutex_unlock (entry->p_mutex);
 +       entry->locked = FALSE;
 +   }
 +
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&__s_pkcs11h_threading_mutex_list.mutex);
 +       mutex_locked = FALSE;
 +   }
 +}
 +#endif
 +
 +CK_RV
 +_pkcs11h_threading_condSignal (
 +   IN OUT pkcs11h_cond_t *const cond
 +) {
 +   CK_RV rv = CKR_OK;
 +#if defined(WIN32)
 +   if (
 +       rv == CKR_OK &&
 +       !SetEvent (*cond)
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#else
 +   if (
 +       rv == CKR_OK &&
 +       (
 +           pthread_mutex_lock (&cond->mut) ||
 +           pthread_cond_signal (&cond->cond) ||
 +           pthread_mutex_unlock (&cond->mut)
 +       )
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#endif
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_threading_condInit (
 +   OUT pkcs11h_cond_t * const cond
 +) {
 +   CK_RV rv = CKR_OK;
 +#if defined(WIN32)
 +   if (
 +       rv == CKR_OK &&
 +       (*cond = CreateEvent (NULL, FALSE, FALSE, NULL)) == NULL
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#else
 +   if (
 +       rv == CKR_OK &&
 +       (
 +           pthread_mutex_init (&cond->mut, NULL) ||
 +           pthread_cond_init (&cond->cond, NULL) ||
 +           pthread_mutex_lock (&cond->mut)
 +       )
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#endif
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_threading_condWait (
 +   IN OUT pkcs11h_cond_t *const cond,
 +   IN const unsigned milli
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +#if defined(WIN32)
 +   DWORD dwMilli;
 +
 +   if (milli == PKCS11H_COND_INFINITE) {
 +       dwMilli = INFINITE;
 +   }
 +   else {
 +       dwMilli = milli;
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       WaitForSingleObject (*cond, dwMilli) == WAIT_FAILED
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#else
 +   if (milli == PKCS11H_COND_INFINITE) {
 +       if (
 +           rv == CKR_OK &&
 +           pthread_cond_wait (&cond->cond, &cond->mut)
 +       ) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +   }
 +   else {
 +       struct timeval now;
 +       struct timespec timeout;
 +
 +       if (
 +           rv == CKR_OK &&
 +           gettimeofday (&now, NULL)
 +       ) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +       
 +       if (rv == CKR_OK) {
 +           timeout.tv_sec = now.tv_sec + milli/1000;
 +           timeout.tv_nsec = now.tv_usec*1000 + milli%1000;
 +       }
 +       
 +       if (
 +           rv == CKR_OK &&
 +           pthread_cond_timedwait (&cond->cond, &cond->mut, &timeout)
 +       ) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +   }
 +#endif
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_threading_condFree (
 +   IN OUT pkcs11h_cond_t *const cond
 +) {
 +#if defined(WIN32)
 +   CloseHandle (*cond);
 +   *cond = NULL;
 +#else
 +   pthread_mutex_unlock (&cond->mut);
 +#endif
 +   return CKR_OK;
 +}
 +
 +#if defined(WIN32)
 +static
 +unsigned
 +__stdcall
 +__pkcs11h_thread_start (void *p) {
 +   __pkcs11h_thread_data_t *_data = (__pkcs11h_thread_data_t *)p;
 +   unsigned ret;
 +
 +   ret = (unsigned)_data->start (_data->data);
 +
 +   _pkcs11h_mem_free ((void *)&_data);
 +
 +   return ret;
 +}
 +#else
 +static
 +void *
 +__pkcs11h_thread_start (void *p) {
 +   __pkcs11h_thread_data_t *_data = (__pkcs11h_thread_data_t *)p;
 +   void *ret;
 +   int i;
 +
 +   /*
 +    * Ignore any signal in
 +    * this thread
 +    */
 +   for (i=1;i<16;i++) {
 +       signal (i, SIG_IGN);
 +   }
 +
 +   ret = _data->start (_data->data);
 +
 +   _pkcs11h_mem_free ((void *)&_data);
 +
 +   return ret;
 +}
 +#endif
 +
 +static
 +CK_RV
 +_pkcs11h_threading_threadStart (
 +   OUT pkcs11h_thread_t * const thread,
 +   IN pkcs11h_thread_start_t const start,
 +   IN void * data
 +) {
 +   __pkcs11h_thread_data_t *_data = NULL;
 +   CK_RV rv = CKR_OK;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_malloc (
 +           (void *)&_data,
 +           sizeof (__pkcs11h_thread_data_t)
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       _data->start = start;
 +       _data->data = data;
 +   }
 +
 +#if defined(WIN32)
 +   {
 +       unsigned tmp;
 +
 +       if (
 +           rv == CKR_OK &&
 +           (*thread = (HANDLE)_beginthreadex (
 +               NULL,
 +               0,
 +               __pkcs11h_thread_start,
 +               _data,
 +               0,
 +               &tmp
 +           )) == NULL
 +       ) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +   }
 +#else
 +   if (
 +       rv == CKR_OK &&
 +       pthread_create (thread, NULL, __pkcs11h_thread_start, _data)
 +   ) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +#endif
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_threading_threadJoin (
 +   IN pkcs11h_thread_t * const thread
 +) {
 +#if defined(WIN32)
 +   WaitForSingleObject (*thread, INFINITE);
 +   CloseHandle (*thread);
 +   *thread = NULL;
 +#else
 +   pthread_join (*thread, NULL);
 +   *thread = 0l;
 +#endif
 +   return CKR_OK;
 +}
 +
 +#endif     /* ENABLE_PKCS11H_THREADING */
 +
 +/*======================================================================*
 + * COMMON INTERNAL INTERFACE
 + *======================================================================*/
 +
 +static
 +void
 +_pkcs11h_util_fixupFixedString (
 +   OUT char * const target,            /* MUST BE >= length+1 */
 +   IN const char * const source,
 +   IN const size_t length              /* FIXED STRING LENGTH */
 +) {
 +   char *p;
 +
 +   PKCS11H_ASSERT (source!=NULL);
 +   PKCS11H_ASSERT (target!=NULL);
 +   
 +   p = target+length;
 +   memmove (target, source, length);
 +   *p = '\0';
 +   p--;
 +   while (p >= target && *p == ' ') {
 +       *p = '\0';
 +       p--;
 +   }
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_util_hexToBinary (
 +   OUT unsigned char * const target,
 +   IN const char * const source,
 +   IN OUT size_t * const p_target_size
 +) {
 +   size_t target_max_size;
 +   const char *p;
 +   char buf[3] = {'\0', '\0', '\0'};
 +   int i = 0;
 +
 +   PKCS11H_ASSERT (source!=NULL);
 +   PKCS11H_ASSERT (target!=NULL);
 +   PKCS11H_ASSERT (p_target_size!=NULL);
 +
 +   target_max_size = *p_target_size;
 +   p = source;
 +   *p_target_size = 0;
 +
 +   while (*p != '\x0' && *p_target_size < target_max_size) {
 +       if (isxdigit ((unsigned char)*p)) {
 +           buf[i%2] = *p;
 +
 +           if ((i%2) == 1) {
 +               unsigned v;
 +               if (sscanf (buf, "%x", &v) != 1) {
 +                   v = 0;
 +               }
 +               target[*p_target_size] = v & 0xff;
 +               (*p_target_size)++;
 +           }
 +
 +           i++;
 +       }
 +       p++;
 +   }
 +
 +   if (*p != '\x0') {
 +       return CKR_ATTRIBUTE_VALUE_INVALID;
 +   }
 +   else {
 +       return CKR_OK;
 +   }
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_util_binaryToHex (
 +   OUT char * const target,
 +   IN const size_t target_size,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size
 +) {
 +   static const char *x = "0123456789ABCDEF";
 +   size_t i;
 +
 +   PKCS11H_ASSERT (target!=NULL);
 +   PKCS11H_ASSERT (source!=NULL);
 +
 +   if (target_size < source_size * 2 + 1) {
 +       return CKR_ATTRIBUTE_VALUE_INVALID;
 +   }
 +
 +   for (i=0;i<source_size;i++) {
 +       target[i*2] =   x[(source[i]&0xf0)>>4];
 +       target[i*2+1] = x[(source[i]&0x0f)>>0];
 +   }
 +   target[source_size*2] = '\x0';
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +_pkcs11h_util_escapeString (
 +   IN OUT char * const target,
 +   IN const char * const source,
 +   IN size_t * const max,
 +   IN const char * const invalid_chars
 +) {
 +   static const char *x = "0123456789ABCDEF";
 +   CK_RV rv = CKR_OK;
 +   const char *s = source;
 +   char *t = target;
 +   size_t n = 0;
 +
 +   /*PKCS11H_ASSERT (target!=NULL); Not required*/
 +   PKCS11H_ASSERT (source!=NULL);
 +   PKCS11H_ASSERT (max!=NULL);
 +
 +   while (rv == CKR_OK && *s != '\x0') {
 +
 +       if (*s == '\\' || strchr (invalid_chars, *s) || !isgraph (*s)) {
 +           if (t != NULL) {
 +               if (n+4 > *max) {
 +                   rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +               }
 +               else {
 +                   t[0] = '\\';
 +                   t[1] = 'x';
 +                   t[2] = x[(*s&0xf0)>>4];
 +                   t[3] = x[(*s&0x0f)>>0];
 +                   t+=4;
 +               }
 +           }
 +           n+=4;
 +       }
 +       else {
 +           if (t != NULL) {
 +               if (n+1 > *max) {
 +                   rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +               }
 +               else {
 +                   *t = *s;
 +                   t++;
 +               }
 +           }
 +           n+=1;
 +       }
 +
 +       s++;
 +   }
 +
 +   if (t != NULL) {
 +       if (n+1 > *max) {
 +           rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +       }
 +       else {
 +           *t = '\x0';
 +           t++;
 +       }
 +   }
 +   n++;
 +
 +   *max = n;
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_util_unescapeString (
 +   IN OUT char * const target,
 +   IN const char * const source,
 +   IN size_t * const max
 +) {
 +   CK_RV rv = CKR_OK;
 +   const char *s = source;
 +   char *t = target;
 +   size_t n = 0;
 +
 +   /*PKCS11H_ASSERT (target!=NULL); Not required*/
 +   PKCS11H_ASSERT (source!=NULL);
 +   PKCS11H_ASSERT (max!=NULL);
 +
 +   while (rv == CKR_OK && *s != '\x0') {
 +       if (*s == '\\') {
 +           if (t != NULL) {
 +               if (n+1 > *max) {
 +                   rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +               }
 +               else {
 +                   char b[3];
 +                   unsigned u;
 +                   b[0] = s[2];
 +                   b[1] = s[3];
 +                   b[2] = '\x0';
 +                   sscanf (b, "%08x", &u);
 +                   *t = u&0xff;
 +                   t++;
 +               }
 +           }
 +           s+=4;
 +       }
 +       else {
 +           if (t != NULL) {
 +               if (n+1 > *max) {
 +                   rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +               }
 +               else {
 +                   *t = *s;
 +                   t++;
 +               }
 +           }
 +           s++;
 +       }
 +
 +       n+=1;
 +   }
 +
 +   if (t != NULL) {
 +       if (n+1 > *max) {
 +           rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +       }
 +       else {
 +           *t = '\x0';
 +           t++;
 +       }
 +   }
 +   n++;
 +
 +   *max = n;
 +
 +   return rv;
 +}
 +
 +static
 +void
 +_pkcs11h_log (
 +   IN const unsigned flags,
 +   IN const char * const format,
 +   IN ...
 +) {
 +   va_list args;
 +
 +   PKCS11H_ASSERT (format!=NULL);
 +
 +   va_start (args, format);
 +
 +   if (
 +       s_pkcs11h_data != NULL &&
 +       s_pkcs11h_data->initialized
 +   ) { 
 +       if (PKCS11H_MSG_LEVEL_TEST (flags)) {
 +           if (s_pkcs11h_data->hooks.log == NULL) {
 +               _pkcs11h_hooks_default_log (
 +                   NULL,
 +                   flags,
 +                   format,
 +                   args
 +               );
 +           }
 +           else {
 +               s_pkcs11h_data->hooks.log (
 +                   s_pkcs11h_data->hooks.log_data,
 +                   flags,
 +                   format,
 +                   args
 +               );
 +           }
 +       }
 +   }
 +
 +   va_end (args);
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_getSlotList (
 +   IN const pkcs11h_provider_t provider,
 +   IN const CK_BBOOL token_present,
 +   OUT CK_SLOT_ID_PTR * const pSlotList,
 +   OUT CK_ULONG_PTR pulCount
 +) {
 +   CK_SLOT_ID_PTR _slots = NULL;
 +   CK_ULONG _slotnum = 0;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (provider!=NULL);
 +   PKCS11H_ASSERT (pSlotList!=NULL);
 +   PKCS11H_ASSERT (pulCount!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_getSlotList entry provider=%p, token_present=%d, pSlotList=%p, pulCount=%p",
 +       (void *)provider,
 +       token_present,
 +       (void *)pSlotList,
 +       (void *)pulCount
 +   );
 +
 +   *pSlotList = NULL;
 +   *pulCount = 0;
 +
 +   if (
 +       rv == CKR_OK &&
 +       !provider->enabled
 +   ) {
 +       rv = CKR_CRYPTOKI_NOT_INITIALIZED;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = provider->f->C_GetSlotList (
 +           token_present,
 +           NULL_PTR,
 +           &_slotnum
 +       );
 +   }
 +
 +   if (rv == CKR_OK && _slotnum > 0) {
 +       rv = _pkcs11h_mem_malloc ((void *)&_slots, _slotnum * sizeof (CK_SLOT_ID));
 +   }
 +
 +   if (rv == CKR_OK && _slotnum > 0) {
 +       rv = provider->f->C_GetSlotList (
 +           token_present,
 +           _slots,
 +           &_slotnum
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *pSlotList = _slots;
 +       _slots = NULL;
 +       *pulCount = _slotnum;
 +   }
 +
 +   if (_slots != NULL) {
 +       _pkcs11h_mem_free ((void *)&_slots);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_getSlotList return rv=%ld-'%s' *pulCount=%ld",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *pulCount
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_getObjectAttributes (
 +   IN const pkcs11h_session_t session,
 +   IN const CK_OBJECT_HANDLE object,
 +   IN OUT const CK_ATTRIBUTE_PTR attrs,
 +   IN const unsigned count
 +) {
 +   /*
 +    * THREADING:
 +    * session->mutex must be locked
 +    */
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (session!=NULL);
 +   PKCS11H_ASSERT (attrs!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_getObjectAttributes entry session=%p, object=%ld, attrs=%p, count=%u",
 +       (void *)session,
 +       object,
 +       (void *)attrs,
 +       count
 +   );
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = session->provider->f->C_GetAttributeValue (
 +           session->session_handle,
 +           object,
 +           attrs,
 +           count
 +       )) == CKR_OK
 +   ) {
 +       unsigned i;
 +       for (i=0;rv == CKR_OK && i<count;i++) {
 +           if (attrs[i].ulValueLen == (CK_ULONG)-1) {
 +               rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +           }
 +           else if (attrs[i].ulValueLen == 0) {
 +               attrs[i].pValue = NULL;
 +           }
 +           else {
 +               rv = _pkcs11h_mem_malloc (
 +                   (void *)&attrs[i].pValue,
 +                   attrs[i].ulValueLen
 +               );
 +           }
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = session->provider->f->C_GetAttributeValue (
 +           session->session_handle,
 +           object,
 +           attrs,
 +           count
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_getObjectAttributes return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_freeObjectAttributes (
 +   IN OUT const CK_ATTRIBUTE_PTR attrs,
 +   IN const unsigned count
 +) {
 +   unsigned i;
 +
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (attrs!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=%p, count=%u",
 +       (void *)attrs,
 +       count
 +   );
 +
 +   for (i=0;i<count;i++) {
 +       if (attrs[i].pValue != NULL) {
 +           _pkcs11h_mem_free ((void *)&attrs[i].pValue);
 +           attrs[i].pValue = NULL;
 +       }
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_freeObjectAttributes return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_findObjects (
 +   IN const pkcs11h_session_t session,
 +   IN const CK_ATTRIBUTE * const filter,
 +   IN const CK_ULONG filter_attrs,
 +   OUT CK_OBJECT_HANDLE **const p_objects,
 +   OUT CK_ULONG *p_objects_found
 +) {
 +   /*
 +    * THREADING:
 +    * session->mutex must be locked
 +    */
 +   PKCS11H_BOOL should_FindObjectsFinal = FALSE;
 +
 +   CK_OBJECT_HANDLE *objects = NULL;
 +   CK_ULONG objects_size = 0;
 +   CK_OBJECT_HANDLE objects_buffer[100];
 +   CK_ULONG objects_found;
 +   CK_OBJECT_HANDLE oLast = PKCS11H_INVALID_OBJECT_HANDLE;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (session!=NULL);
 +   PKCS11H_ASSERT (!(filter==NULL && filter_attrs!=0) || filter!=NULL);
 +   PKCS11H_ASSERT (p_objects!=NULL);
 +   PKCS11H_ASSERT (p_objects_found!=NULL);
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_findObjects entry session=%p, filter=%p, filter_attrs=%ld, p_objects=%p,
	p_objects_found=%p",
 +       (void *)session,
 +       (void *)filter,
 +       filter_attrs,
 +       (void *)p_objects,
 +       (void *)p_objects_found
 +   );
 +
 +   *p_objects = NULL;
 +   *p_objects_found = 0;
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = session->provider->f->C_FindObjectsInit (
 +           session->session_handle,
 +           (CK_ATTRIBUTE *)filter,
 +           filter_attrs
 +       )) == CKR_OK
 +   ) {
 +       should_FindObjectsFinal = TRUE;
 +   }
 +
 +   while (
 +       rv == CKR_OK &&
 +       (rv = session->provider->f->C_FindObjects (
 +           session->session_handle,
 +           objects_buffer,
 +           sizeof (objects_buffer) / sizeof (CK_OBJECT_HANDLE),
 +           &objects_found
 +       )) == CKR_OK &&
 +       objects_found > 0
 +   ) { 
 +       CK_OBJECT_HANDLE *temp = NULL;
 +       
 +       /*
 +        * Begin workaround
 +        *
 +        * Workaround iKey bug
 +        * It returns the same objects over and over
 +        */
 +       if (oLast == objects_buffer[0]) {
 +           PKCS11H_LOG (
 +               PKCS11H_LOG_WARN,
 +               "PKCS#11: Bad PKCS#11 C_FindObjects implementation detected, workaround applied"
 +           );
 +           break;
 +       }
 +       oLast = objects_buffer[0];
 +       /* End workaround */
 +       
 +       if (
 +           (rv = _pkcs11h_mem_malloc (
 +               (void *)&temp,
 +               (objects_size+objects_found) * sizeof (CK_OBJECT_HANDLE)
 +           )) == CKR_OK
 +       ) {
 +           if (objects != NULL) {
 +               memmove (
 +                   temp,
 +                   objects,
 +                   objects_size * sizeof (CK_OBJECT_HANDLE)
 +               );
 +           }
 +           memmove (
 +               temp + objects_size,
 +               objects_buffer,
 +               objects_found * sizeof (CK_OBJECT_HANDLE)
 +           );
 +       }
 +
 +       if (objects != NULL) {
 +           _pkcs11h_mem_free ((void *)&objects);
 +           objects = NULL;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           objects = temp;
 +           objects_size += objects_found;
 +           temp = NULL;
 +       }
 +
 +       if (temp != NULL) {
 +           _pkcs11h_mem_free ((void *)&temp);
 +           temp = NULL;
 +       }
 +   }
 +
 +   if (should_FindObjectsFinal) {
 +       session->provider->f->C_FindObjectsFinal (
 +           session->session_handle
 +       );
 +       should_FindObjectsFinal = FALSE;
 +   }
 +   
 +   if (rv == CKR_OK) {
 +       *p_objects = objects;
 +       *p_objects_found = objects_size;
 +       objects = NULL;
 +       objects_size = 0;
 +   }
 +
 +   if (objects != NULL) {
 +       _pkcs11h_mem_free ((void *)&objects);
 +       objects = NULL;
 +       objects_size = 0;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_findObjects return rv=%ld-'%s', *p_objects_found=%ld",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *p_objects_found
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_token_getTokenId (
 +   IN const CK_TOKEN_INFO_PTR info,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +) {
 +   pkcs11h_token_id_t token_id;
 +   CK_RV rv = CKR_OK;
 +   
 +   PKCS11H_ASSERT (info!=NULL);
 +   PKCS11H_ASSERT (p_token_id!=NULL);
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=%p",
 +       (void *)p_token_id
 +   );
 +
 +   *p_token_id = NULL;
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_token_newTokenId (&token_id)) == CKR_OK
 +   ) {
 +       _pkcs11h_util_fixupFixedString (
 +           token_id->label,
 +           (char *)info->label,
 +           sizeof (info->label)
 +       );
 +       _pkcs11h_util_fixupFixedString (
 +           token_id->manufacturerID,
 +           (char *)info->manufacturerID,
 +           sizeof (info->manufacturerID)
 +       );
 +       _pkcs11h_util_fixupFixedString (
 +           token_id->model,
 +           (char *)info->model,
 +           sizeof (info->model)
 +       );
 +       _pkcs11h_util_fixupFixedString (
 +           token_id->serialNumber,
 +           (char *)info->serialNumber,
 +           sizeof (info->serialNumber)
 +       );
 +       strncpy (
 +           token_id->display,
 +           token_id->label,
 +           sizeof (token_id->display)
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_token_id = token_id;
 +       token_id = NULL;
 +   }
 +
 +   if (token_id != NULL) {
 +       _pkcs11h_mem_free ((void *)&token_id);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_token_getTokenId return rv=%ld-'%s', *p_token_id=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_token_id
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_token_newTokenId (
 +   OUT pkcs11h_token_id_t * const p_token_id
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (p_token_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=%p",
 +       (void *)p_token_id
 +   );
 +
 +   *p_token_id = NULL;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_malloc ((void *)p_token_id, sizeof (struct pkcs11h_token_id_s));
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_token_newTokenId return rv=%ld-'%s', *p_token_id=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_token_id
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_getSessionByTokenId (
 +   IN const pkcs11h_token_id_t token_id,
 +   OUT pkcs11h_session_t * const p_session
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pkcs11h_session_t session = NULL;
 +   PKCS11H_BOOL is_new_session = FALSE;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (token_id!=NULL);
 +   PKCS11H_ASSERT (p_session!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=%p, p_session=%p",
 +       (void *)token_id,
 +       (void *)p_session
 +   );
 +
 +   *p_session = NULL;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.session)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       pkcs11h_session_t current_session;
 +
 +       for (
 +           current_session = s_pkcs11h_data->sessions;
 +           current_session != NULL && session == NULL;
 +           current_session = current_session->next
 +       ) {
 +           if (
 +               pkcs11h_token_sameTokenId (
 +                   current_session->token_id,
 +                   token_id
 +               )
 +           ) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Using cached session"
 +               );
 +               session = current_session;
 +               session->reference_count++;
 +           }
 +       }
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       session == NULL
 +   ) {
 +       is_new_session = TRUE;
 +   }
 +
 +   if (is_new_session) {
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG1,
 +           "PKCS#11: Creating a new session"
 +       );
 +
 +       if (
 +           rv == CKR_OK &&
 +           (rv = _pkcs11h_mem_malloc ((void *)&session, sizeof (struct pkcs11h_session_s))) == CKR_OK
 +       ) {
 +           session->reference_count = 1;
 +           session->session_handle = PKCS11H_INVALID_SESSION_HANDLE;
 +           
 +           session->pin_cache_period = s_pkcs11h_data->pin_cache_period;
 +
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = pkcs11h_token_duplicateTokenId (
 +               &session->token_id,
 +               token_id
 +           );
 +       }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_threading_mutexInit (&session->mutex);
 +       }
 +#endif
 +
 +       if (rv == CKR_OK) {
 +           session->valid = TRUE;
 +           session->next = s_pkcs11h_data->sessions;
 +           s_pkcs11h_data->sessions = session;
 +       }
 +       else {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +           _pkcs11h_threading_mutexFree (&session->mutex);
 +#endif
 +           _pkcs11h_mem_free ((void *)&session);
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_session = session;
 +       session = NULL;
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.session);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=%ld-'%s', *p_session=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_session
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_release (
 +   IN const pkcs11h_session_t session
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (session!=NULL);
 +   PKCS11H_ASSERT (session->reference_count>=0);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_release entry session=%p",
 +       (void *)session
 +   );
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   /*
 +    * Never logout for now
 +    */
 +   if (rv == CKR_OK) {
 +       if (session->reference_count > 0) {
 +           session->reference_count--;
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_release return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_reset (
 +   IN const pkcs11h_session_t session,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT CK_SLOT_ID * const p_slot
 +) {
 +   PKCS11H_BOOL found = FALSE;
 +
 +   CK_RV rv = CKR_OK;
 +
 +   unsigned nRetry = 0;
 +
 +   PKCS11H_ASSERT (session!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +   PKCS11H_ASSERT (p_slot!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_reset entry session=%p, user_data=%p, mask_prompt=%08x, p_slot=%p",
 +       (void *)session,
 +       user_data,
 +       mask_prompt,
 +       (void *)p_slot
 +   );
 +
 +   *p_slot = PKCS11H_INVALID_SLOT_ID;
 +
 +   while (
 +       rv == CKR_OK &&
 +       !found
 +   ) {
 +       pkcs11h_provider_t current_provider = NULL;
 +
 +       for (
 +           current_provider = s_pkcs11h_data->providers;
 +           (
 +               rv == CKR_OK &&
 +               current_provider != NULL &&
 +               !found
 +           );
 +           current_provider = current_provider->next
 +       ) {
 +           CK_SLOT_ID_PTR slots = NULL;
 +           CK_ULONG slotnum;
 +           CK_SLOT_ID slot_index;
 +
 +           /*
 +            * Skip all other providers,
 +            * if one was set in the past
 +            */
 +           if (
 +               session->provider != NULL &&
 +               session->provider != current_provider
 +           ) {
 +               rv = CKR_CANCEL;
 +           }
 +       
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_session_getSlotList (
 +                   current_provider,
 +                   CK_TRUE,
 +                   &slots,
 +                   &slotnum
 +               );
 +           }
 +
 +           for (
 +               slot_index=0;
 +               (
 +                   slot_index < slotnum &&
 +                   rv == CKR_OK && 
 +                   !found
 +               );
 +               slot_index++
 +           ) {
 +               pkcs11h_token_id_t token_id = NULL;
 +               CK_TOKEN_INFO info;
 +
 +               if (rv == CKR_OK) {
 +                   rv = current_provider->f->C_GetTokenInfo (
 +                       slots[slot_index],
 +                       &info
 +                   );
 +               }
 +
 +               if (
 +                   rv == CKR_OK &&
 +                   (rv = _pkcs11h_token_getTokenId (
 +                       &info,
 +                       &token_id
 +                   )) == CKR_OK &&
 +                   pkcs11h_token_sameTokenId (
 +                       session->token_id,
 +                       token_id
 +                   )
 +               ) {
 +                   found = TRUE;
 +                   *p_slot = slots[slot_index];
 +                   if (session->provider == NULL) {
 +                       session->provider = current_provider;
 +                       session->allow_protected_auth_supported = (info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) != 0;
 +                   }
 +               }
 +
 +               if (rv != CKR_OK) {
 +                   PKCS11H_DEBUG (
 +                       PKCS11H_LOG_DEBUG1,
 +                       "PKCS#11: Cannot get token information for provider '%s' slot %ld rv=%ld-'%s'",
 +                       current_provider->manufacturerID,
 +                       slots[slot_index],
 +                       rv,
 +                       pkcs11h_getMessage (rv)
 +                   );
 +
 +                   /*
 +                    * Ignore error
 +                    */
 +                   rv = CKR_OK;
 +               }
 +
 +               if (token_id != NULL) {
 +                   pkcs11h_token_freeTokenId (token_id);
 +               }
 +           }
 +
 +           if (rv != CKR_OK) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
 +                   current_provider->manufacturerID,
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +
 +               /*
 +                * Ignore error
 +                */
 +               rv = CKR_OK;
 +           }
 +
 +           if (slots != NULL) {
 +               _pkcs11h_mem_free ((void *)&slots);
 +               slots = NULL;
 +           }
 +       }
 +
 +       if (rv == CKR_OK && !found && (mask_prompt & PKCS11H_PROMPT_MAST_ALLOW_CARD_PROMPT) == 0) {
 +           rv = CKR_TOKEN_NOT_PRESENT;
 +       }
 +
 +       if (
 +           rv == CKR_OK &&
 +           !found
 +       ) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Calling token_prompt hook for '%s'",
 +               session->token_id->display
 +           );
 +   
 +           if (
 +               !s_pkcs11h_data->hooks.token_prompt (
 +                   s_pkcs11h_data->hooks.token_prompt_data,
 +                   user_data,
 +                   session->token_id,
 +                   nRetry++
 +               )
 +           ) {
 +               rv = CKR_CANCEL;
 +           }
 +
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: token_prompt returned %ld",
 +               rv
 +           );
 +       }
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_reset return rv=%ld-'%s', *p_slot=%ld",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *p_slot
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_getObjectById (
 +   IN const pkcs11h_session_t session,
 +   IN const CK_OBJECT_CLASS class,
 +   IN const CK_BYTE_PTR id,
 +   IN const size_t id_size,
 +   OUT CK_OBJECT_HANDLE * const p_handle
 +) {
 +   /*
 +    * THREADING:
 +    * session->mutex must be locked
 +    */
 +   CK_ATTRIBUTE filter[] = {
 +       {CKA_CLASS, (void *)&class, sizeof (class)},
 +       {CKA_ID, (void *)id, id_size}
 +   };
 +   CK_OBJECT_HANDLE *objects = NULL;
 +   CK_ULONG objects_found = 0;
 +   CK_RV rv = CKR_OK;
 +   
 +   /*PKCS11H_ASSERT (session!=NULL); NOT NEEDED*/
 +   PKCS11H_ASSERT (id!=NULL);
 +   PKCS11H_ASSERT (p_handle!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_getObjectById entry session=%p, class=%ld, id=%p, id_size=%u, p_handle=%p",
 +       (void *)session,
 +       class,
 +       id,
 +       id_size,
 +       (void *)p_handle
 +   );
 +
 +   *p_handle = PKCS11H_INVALID_OBJECT_HANDLE;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_validate (session);
 +   }
 +
 +   if (rv == CKR_OK) { 
 +       rv = _pkcs11h_session_findObjects (
 +           session,
 +           filter,
 +           sizeof (filter) / sizeof (CK_ATTRIBUTE),
 +           &objects,
 +           &objects_found
 +       );
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       objects_found == 0
 +   ) {
 +       rv = CKR_FUNCTION_REJECTED;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_handle = objects[0];
 +   }
 +
 +   if (objects != NULL) {
 +       _pkcs11h_mem_free ((void *)&objects);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_getObjectById return rv=%ld-'%s', *p_handle=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_handle
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_validate (
 +   IN const pkcs11h_session_t session
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   /*PKCS11H_ASSERT (session!=NULL); NOT NEEDED*/
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_validate entry session=%p",
 +       (void *)session
 +   );
 +
 +   if (
 +       rv == CKR_OK &&
 +       session == NULL
 +   ) {
 +       rv = CKR_SESSION_HANDLE_INVALID;
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (
 +           session->provider == NULL ||
 +           !session->provider->enabled ||
 +           session->session_handle == PKCS11H_INVALID_SESSION_HANDLE
 +       )
 +   ) {
 +       rv = CKR_SESSION_HANDLE_INVALID;
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       session->pin_expire_time != (time_t)0 &&
 +       session->pin_expire_time < PKCS11H_TIME (NULL)
 +   ) {
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG1,
 +           "PKCS#11: Forcing logout due to pin timeout"
 +       );
 +       _pkcs11h_session_logout (session);
 +       rv = CKR_SESSION_HANDLE_INVALID;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_validate return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_touch (
 +   IN const pkcs11h_session_t session
 +) {
 +   /*
 +    * THREADING:
 +    * session->mutex must be locked
 +    */
 +   PKCS11H_ASSERT (session!=NULL);
 +
 +   if (session->pin_cache_period == PKCS11H_PIN_CACHE_INFINITE) {
 +       session->pin_expire_time = 0;
 +   }
 +   else {
 +       session->pin_expire_time = (
 +           PKCS11H_TIME (NULL) +
 +           (time_t)session->pin_cache_period
 +       );
 +   }
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_token_login (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL readonly,
 +   IN const char * const pin
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   CK_SLOT_ID slot = PKCS11H_INVALID_SLOT_ID;
 +   CK_ULONG pin_size = 0;
 +   CK_RV rv = CKR_OK;
 +
 +   pkcs11h_session_t session = NULL;
 +
 +   PKCS11H_ASSERT (token_id!=NULL);
 +   /*PKCS11H_ASSERT (pin!=NULL); NOT NEEDED*/
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_login entry token_id=%p, readonly=%d\n", 
 +       (void *)token_id,
 +       readonly ? 1 : 0
 +   );
 +
 +   if (pin != NULL) {
 +       pin_size = strlen (pin);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_getSessionByTokenId (
 +           token_id,
 +           &session
 +       );
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_logout (session);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_reset (session, NULL, 0, &slot);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_touch (session);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = session->provider->f->C_OpenSession (
 +           slot,
 +           (
 +               CKF_SERIAL_SESSION |
 +               (readonly ? 0 : CKF_RW_SESSION)
 +           ),
 +           NULL_PTR,
 +           NULL_PTR,
 +           &session->session_handle
 +       );
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = session->provider->f->C_Login (
 +           session->session_handle,
 +           CKU_USER,
 +           (CK_UTF8CHAR_PTR)pin,
 +           pin_size
 +       )) != CKR_OK
 +   ) {
 +       if (rv == CKR_USER_ALREADY_LOGGED_IN) {
 +           rv = CKR_OK;
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   if (session != NULL) {
 +       _pkcs11h_session_release (session);
 +       session = NULL;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_login return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_login (
 +   IN const pkcs11h_session_t session,
 +   IN const PKCS11H_BOOL is_publicOnly,
 +   IN const PKCS11H_BOOL readonly,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt
 +) {
 +   /*
 +    * THREADING:
 +    * session->mutex must be locked
 +    */
 +   CK_SLOT_ID slot = PKCS11H_INVALID_SLOT_ID;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (session!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_login entry session=%p, is_publicOnly=%d, readonly=%d, user_data=%p,
	mask_prompt=%08x",
 +       (void *)session,
 +       is_publicOnly ? 1 : 0,
 +       readonly ? 1 : 0,
 +       user_data,
 +       mask_prompt
 +   );
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_logout (session);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_reset (session, user_data, mask_prompt, &slot);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = session->provider->f->C_OpenSession (
 +           slot,
 +           (
 +               CKF_SERIAL_SESSION |
 +               (readonly ? 0 : CKF_RW_SESSION)
 +           ),
 +           NULL_PTR,
 +           NULL_PTR,
 +           &session->session_handle
 +       );
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (
 +           !is_publicOnly ||
 +           session->provider->cert_is_private
 +       )
 +   ) {
 +       PKCS11H_BOOL login_succeeded = FALSE;
 +       unsigned nRetryCount = 0;
 +
 +       if ((mask_prompt & PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT) == 0) {
 +           rv = CKR_USER_NOT_LOGGED_IN;
 +
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Calling pin_prompt hook denied because of prompt mask"
 +           );
 +       }
 +
 +       while (
 +           rv == CKR_OK &&
 +           !login_succeeded &&
 +           nRetryCount < s_pkcs11h_data->max_retries 
 +       ) {
 +           CK_UTF8CHAR_PTR utfPIN = NULL;
 +           CK_ULONG lPINLength = 0;
 +           char pin[1024];
 +
 +           if (
 +               rv == CKR_OK &&
 +               !(
 +                   s_pkcs11h_data->allow_protected_auth  &&
 +                   session->provider->allow_protected_auth &&
 +                   session->allow_protected_auth_supported
 +               )
 +           ) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Calling pin_prompt hook for '%s'",
 +                   session->token_id->display
 +               );
 +
 +               if (
 +                   !s_pkcs11h_data->hooks.pin_prompt (
 +                       s_pkcs11h_data->hooks.pin_prompt_data,
 +                       user_data,
 +                       session->token_id,
 +                       nRetryCount,
 +                       pin,
 +                       sizeof (pin)
 +                   )
 +               ) {
 +                   rv = CKR_CANCEL;
 +               }
 +               else {
 +                   utfPIN = (CK_UTF8CHAR_PTR)pin;
 +                   lPINLength = strlen (pin);
 +               }
 +
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: pin_prompt hook return rv=%ld",
 +                   rv
 +               );
 +           }
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_session_touch (session);
 +           }
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = session->provider->f->C_Login (
 +                   session->session_handle,
 +                   CKU_USER,
 +                   utfPIN,
 +                   lPINLength
 +               )) != CKR_OK
 +           ) {
 +               if (rv == CKR_USER_ALREADY_LOGGED_IN) {
 +                   rv = CKR_OK;
 +               }
 +           }
 +
 +           /*
 +            * Clean PIN buffer
 +            */
 +           memset (pin, 0, sizeof (pin));
 +
 +           if (rv == CKR_OK) {
 +               login_succeeded = TRUE;
 +           }
 +           else if (
 +               rv == CKR_PIN_INCORRECT ||
 +               rv == CKR_PIN_INVALID
 +           ) {
 +               /*
 +                * Ignore these errors
 +                * so retry can be performed
 +                */
 +               rv = CKR_OK;
 +           }
 +
 +           nRetryCount++;
 +       }
 +
 +       /*
 +        * Retry limit
 +        */
 +       if (!login_succeeded && rv == CKR_OK) {
 +           rv = CKR_PIN_INCORRECT;
 +       }
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_login return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_session_logout (
 +   IN const pkcs11h_session_t session
 +) {
 +   /*
 +    * THREADING:
 +    * session->mutex must be locked
 +    */
 +   /*PKCS11H_ASSERT (session!=NULL); NOT NEEDED*/
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_logout entry session=%p",
 +       (void *)session
 +   );
 +
 +   if (
 +       session != NULL &&
 +       session->session_handle != PKCS11H_INVALID_SESSION_HANDLE
 +   ) {
 +       CK_RV rv = CKR_OK;
 +
 +       if (rv == CKR_OK) {
 +           if (session->provider != NULL) {
 +               session->provider->f->C_Logout (session->session_handle);
 +               session->provider->f->C_CloseSession (session->session_handle);
 +           }
 +           session->session_handle = PKCS11H_INVALID_SESSION_HANDLE;
 +       }
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_session_logout return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +static
 +void
 +_pkcs11h_hooks_default_log (
 +   IN void * const global_data,
 +   IN const unsigned flags,
 +   IN const char * const format,
 +   IN va_list args
 +) {
 +   (void)global_data;
 +   (void)flags;
 +   (void)format;
 +   (void)args;
 +}
 +
 +static
 +PKCS11H_BOOL
 +_pkcs11h_hooks_default_token_prompt (
 +   IN void * const global_data,
 +   IN void * const user_data,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry
 +) {
 +   /*PKCS11H_ASSERT (global_data) NOT NEEDED */
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +   PKCS11H_ASSERT (token!=NULL);
 +
 +   (void)global_data;
 +   (void)user_data;
 +   (void)retry;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_hooks_default_token_prompt global_data=%p, user_data=%p, display='%s'",
 +       global_data,
 +       user_data,
 +       token->display
 +   );
 +
 +   return FALSE;
 +}
 +
 +static
 +PKCS11H_BOOL
 +_pkcs11h_hooks_default_pin_prompt (
 +   IN void * const global_data,
 +   IN void * const user_data,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry,
 +   OUT char * const pin,
 +   IN const size_t pin_max
 +) {
 +   /*PKCS11H_ASSERT (global_data) NOT NEEDED */
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +   PKCS11H_ASSERT (token!=NULL);
 +
 +   (void)global_data;
 +   (void)user_data;
 +   (void)retry;
 +   (void)pin;
 +   (void)pin_max;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_hooks_default_pin_prompt global_data=%p, user_data=%p, display='%s'",
 +       global_data,
 +       user_data,
 +       token->display
 +   );
 +   
 +   return FALSE;
 +}
 +
 +#if !defined(WIN32)
 +#if defined(ENABLE_PKCS11H_THREADING)
 +
 +static
 +void
 +__pkcs11h_threading_atfork_prepare  () {
 +   __pkcs1h_threading_mutexLockAll ();
 +}
 +static
 +void
 +__pkcs11h_threading_atfork_parent () {
 +   __pkcs1h_threading_mutexReleaseAll ();
 +}
 +static
 +void
 +__pkcs11h_threading_atfork_child () {
 +   __pkcs1h_threading_mutexReleaseAll ();
 +   _pkcs11h_forkFixup ();
 +}
 +
 +#endif             /* ENABLE_PKCS11H_THREADING */
 +
 +static
 +CK_RV
 +_pkcs11h_forkFixup () {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pid_t mypid = getpid ();
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_forkFixup entry pid=%d",
 +       mypid
 +   );
 +
 +   if (s_pkcs11h_data != NULL && s_pkcs11h_data->initialized) {
 +       pkcs11h_provider_t current;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       if (_pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global) == CKR_OK) {
 +           mutex_locked = TRUE;
 +       }
 +#endif
 +
 +       for (
 +           current = s_pkcs11h_data->providers;
 +           current != NULL;
 +           current = current->next
 +       ) {
 +           if (current->enabled) {
 +               current->f->C_Initialize (NULL);
 +           }
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +           /*
 +            * After fork we have no threads...
 +            * So just initialized.
 +            */
 +           if (s_pkcs11h_data->slotevent.initialized) {
 +               s_pkcs11h_data->slotevent.initialized = FALSE;
 +               _pkcs11h_slotevent_init ();
 +           }
 +#endif
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_forkFixup return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +#endif             /* !WIN32 */
 +
 +#if defined(ENABLE_PKCS11H_TOKEN)
 +/*======================================================================*
 + * TOKEN INTERFACE
 + *======================================================================*/
 +
 +CK_RV
 +pkcs11h_token_ensureAccess (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pkcs11h_session_t session = NULL;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (token_id!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_ensureAccess entry token_id=%p, user_data=%p, mask_prompt=%08x",
 +       (void *)token_id,
 +       user_data,
 +       mask_prompt
 +   );
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_getSessionByTokenId (
 +           token_id,
 +           &session
 +       );
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       CK_SLOT_ID slot;
 +
 +       rv = _pkcs11h_session_reset (
 +           session,
 +           user_data,
 +           mask_prompt,
 +           &slot
 +       );
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   if (session != NULL) {
 +       _pkcs11h_session_release (session);
 +       session = NULL;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_ensureAccess return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +#endif             /* ENABLE_PKCS11H_TOKEN */
 +
 +#if defined(ENABLE_PKCS11H_DATA)
 +/*======================================================================*
 + * DATA INTERFACE
 + *======================================================================*/
 +
 +static
 +CK_RV
 +_pkcs11h_data_getObject (
 +   IN const pkcs11h_session_t session,
 +   IN const char * const application,
 +   IN const char * const label,
 +   OUT CK_OBJECT_HANDLE * const p_handle
 +) {
 +   CK_OBJECT_CLASS class = CKO_DATA;
 +   CK_ATTRIBUTE filter[] = {
 +       {CKA_CLASS, (void *)&class, sizeof (class)},
 +       {CKA_APPLICATION, (void *)application, application == NULL ? 0 : strlen (application)},
 +       {CKA_LABEL, (void *)label, label == NULL ? 0 : strlen (label)}
 +   };
 +   CK_OBJECT_HANDLE *objects = NULL;
 +   CK_ULONG objects_found = 0;
 +   CK_RV rv = CKR_OK;
 +   
 +   PKCS11H_ASSERT (session!=NULL);
 +   PKCS11H_ASSERT (application!=NULL);
 +   PKCS11H_ASSERT (label!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_data_getObject entry session=%p, application='%s', label='%s', p_handle=%p",
 +       (void *)session,
 +       application,
 +       label,
 +       (void *)p_handle
 +   );
 +
 +   *p_handle = PKCS11H_INVALID_OBJECT_HANDLE;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_validate (session);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_findObjects (
 +           session,
 +           filter,
 +           sizeof (filter) / sizeof (CK_ATTRIBUTE),
 +           &objects,
 +           &objects_found
 +       );
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       objects_found == 0
 +   ) {
 +       rv = CKR_FUNCTION_REJECTED;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_handle = objects[0];
 +   }
 +
 +   if (objects != NULL) {
 +       _pkcs11h_mem_free ((void *)&objects);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_data_getObject return rv=%ld-'%s', *p_handle=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_handle
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_data_get (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL is_public,
 +   IN const char * const application,
 +   IN const char * const label,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT unsigned char * const blob,
 +   IN OUT size_t * const p_blob_size
 +) {
 +   CK_ATTRIBUTE attrs[] = {
 +       {CKA_VALUE, NULL, 0}
 +   };
 +   CK_OBJECT_HANDLE handle = PKCS11H_INVALID_OBJECT_HANDLE;
 +   CK_RV rv = CKR_OK;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pkcs11h_session_t session = NULL;
 +   PKCS11H_BOOL op_succeed = FALSE;
 +   PKCS11H_BOOL login_retry = FALSE;
 +   size_t blob_size_max = 0;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (token_id!=NULL);
 +   PKCS11H_ASSERT (application!=NULL);
 +   PKCS11H_ASSERT (label!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +   /*PKCS11H_ASSERT (blob!=NULL); NOT NEEDED*/
 +   PKCS11H_ASSERT (p_blob_size!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_data_get entry token_id=%p, application='%s', label='%s', user_data=%p, mask_prompt=%08x,
	blob=%p, *p_blob_size=%u",
 +       (void *)token_id,
 +       application,
 +       label,
 +       user_data,
 +       mask_prompt,
 +       blob,
 +       blob != NULL ? *p_blob_size : 0
 +   );
 +
 +   if (blob != NULL) {
 +       blob_size_max = *p_blob_size;
 +   }
 +   *p_blob_size = 0;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_getSessionByTokenId (
 +           token_id,
 +           &session
 +       );
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   while (rv == CKR_OK && !op_succeed) {
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_validate (session);
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_data_getObject (
 +               session,
 +               application,
 +               label,
 +               &handle
 +           );
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_getObjectAttributes (
 +               session,
 +               handle,
 +               attrs,
 +               sizeof (attrs)/sizeof (CK_ATTRIBUTE)
 +           );
 +       }
 +
 +       if (rv == CKR_OK) {
 +           op_succeed = TRUE;
 +       }
 +       else {
 +           if (!login_retry) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Read data object failed rv=%ld-'%s'",
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +               login_retry = TRUE;
 +               rv = _pkcs11h_session_login (
 +                   session,
 +                   is_public,
 +                   TRUE,
 +                   user_data,
 +                   mask_prompt
 +               );
 +           }
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       *p_blob_size = attrs[0].ulValueLen;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       if (blob != NULL) {
 +           if (*p_blob_size > blob_size_max) {
 +               rv = CKR_BUFFER_TOO_SMALL;
 +           }
 +           else {
 +               memmove (blob, attrs[0].pValue, *p_blob_size);
 +           }
 +       }
 +   }
 +
 +   _pkcs11h_session_freeObjectAttributes (
 +       attrs,
 +       sizeof (attrs)/sizeof (CK_ATTRIBUTE)
 +   );
 +
 +   if (session != NULL) {
 +       _pkcs11h_session_release (session);
 +       session = NULL;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_data_get return rv=%ld-'%s', *p_blob_size=%u",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *p_blob_size
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_data_put (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL is_public,
 +   IN const char * const application,
 +   IN const char * const label,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT unsigned char * const blob,
 +   IN const size_t blob_size
 +) {
 +   CK_OBJECT_CLASS class = CKO_DATA;
 +   CK_BBOOL ck_true = CK_TRUE;
 +   CK_BBOOL ck_false = CK_FALSE;
 +
 +   CK_ATTRIBUTE attrs[] = {
 +       {CKA_CLASS, &class, sizeof (class)},
 +       {CKA_TOKEN, &ck_true, sizeof (ck_true)},
 +       {CKA_PRIVATE, is_public ? &ck_false : &ck_true, sizeof (CK_BBOOL)},
 +       {CKA_APPLICATION, (void *)application, strlen (application)},
 +       {CKA_LABEL, (void *)label, strlen (label)},
 +       {CKA_VALUE, blob, blob_size}
 +   };
 +
 +   CK_OBJECT_HANDLE handle = PKCS11H_INVALID_OBJECT_HANDLE;
 +   CK_RV rv = CKR_OK;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pkcs11h_session_t session = NULL;
 +   PKCS11H_BOOL op_succeed = FALSE;
 +   PKCS11H_BOOL login_retry = FALSE;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (token_id!=NULL);
 +   PKCS11H_ASSERT (application!=NULL);
 +   PKCS11H_ASSERT (label!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +   PKCS11H_ASSERT (blob!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_data_put entry token_id=%p, application='%s', label='%s', user_data=%p, mask_prompt=%08x,
	blob=%p, blob_size=%u",
 +       (void *)token_id,
 +       application,
 +       label,
 +       user_data,
 +       mask_prompt,
 +       blob,
 +       blob != NULL ? blob_size : 0
 +   );
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_getSessionByTokenId (
 +           token_id,
 +           &session
 +       );
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   while (rv == CKR_OK && !op_succeed) {
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_validate (session);
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = session->provider->f->C_CreateObject (
 +               session->session_handle,
 +               attrs,
 +               sizeof (attrs)/sizeof (CK_ATTRIBUTE),
 +               &handle
 +           );
 +       }
 +
 +       if (rv == CKR_OK) {
 +           op_succeed = TRUE;
 +       }
 +       else {
 +           if (!login_retry) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Write data object failed rv=%ld-'%s'",
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +               login_retry = TRUE;
 +               rv = _pkcs11h_session_login (
 +                   session,
 +                   is_public,
 +                   FALSE,
 +                   user_data,
 +                   mask_prompt
 +               );
 +           }
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   if (session != NULL) {
 +       _pkcs11h_session_release (session);
 +       session = NULL;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_data_put return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_data_del (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL is_public,
 +   IN const char * const application,
 +   IN const char * const label,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pkcs11h_session_t session = NULL;
 +   PKCS11H_BOOL op_succeed = FALSE;
 +   PKCS11H_BOOL login_retry = FALSE;
 +   CK_OBJECT_HANDLE handle = PKCS11H_INVALID_OBJECT_HANDLE;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (token_id!=NULL);
 +   PKCS11H_ASSERT (application!=NULL);
 +   PKCS11H_ASSERT (label!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_data_del entry token_id=%p, application='%s', label='%s', user_data=%p, mask_prompt=%08x",
 +       (void *)token_id,
 +       application,
 +       label,
 +       user_data,
 +       mask_prompt
 +   );
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_getSessionByTokenId (
 +           token_id,
 +           &session
 +       );
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   while (rv == CKR_OK && !op_succeed) {
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_validate (session);
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_data_getObject (
 +               session,
 +               application,
 +               label,
 +               &handle
 +           );
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = session->provider->f->C_DestroyObject (
 +               session->session_handle,
 +               handle
 +           );
 +       }
 +
 +       if (rv == CKR_OK) {
 +           op_succeed = TRUE;
 +       }
 +       else {
 +           if (!login_retry) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Remove data object failed rv=%ld-'%s'",
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +               login_retry = TRUE;
 +               rv = _pkcs11h_session_login (
 +                   session,
 +                   is_public,
 +                   FALSE,
 +                   user_data,
 +                   mask_prompt
 +               );
 +           }
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       if (mutex_locked) {
 +           _pkcs11h_threading_mutexRelease (&session->mutex);
 +           mutex_locked = FALSE;
 +       }
 +#endif
 +
 +   if (session != NULL) {
 +       _pkcs11h_session_release (session);
 +       session = NULL;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_data_del return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +#endif             /* ENABLE_PKCS11H_DATA */
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +/*======================================================================*
 + * CERTIFICATE INTERFACE
 + *======================================================================*/
 +
 +static
 +time_t
 +_pkcs11h_certificate_getExpiration (
 +   IN const unsigned char * const certificate,
 +   IN const size_t certificate_size
 +) {
 +   /*
 +    * This function compare the notAfter
 +    * and select the most recent certificate
 +    */
 +
 +#if defined(USE_PKCS11H_OPENSSL)
 +   X509 *x509 = NULL;
 +#elif defined(USE_PKCS11H_GNUTLS)
 +   gnutls_x509_crt_t cert = NULL;
 +#endif
 +   time_t expire = (time_t)0;
 +
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +#if defined(USE_PKCS11H_OPENSSL)
 +   x509 = X509_new ();
 +
 +   if (x509 != NULL) {
 +       pkcs11_openssl_d2i_t d2i = (pkcs11_openssl_d2i_t)certificate;
 +
 +       if (
 +           d2i_X509 (&x509, &d2i, certificate_size)
 +       ) {
 +           ASN1_TIME *notBefore = X509_get_notBefore (x509);
 +           ASN1_TIME *notAfter = X509_get_notAfter (x509);
 +
 +           if (
 +               notBefore != NULL &&
 +               notAfter != NULL &&
 +               X509_cmp_current_time (notBefore) <= 0 &&
 +               X509_cmp_current_time (notAfter) >= 0 &&
 +               notAfter->length >= 12
 +           ) {
 +               struct tm tm1;
 +               time_t now = time (NULL);
 +
 +               memset (&tm1, 0, sizeof (tm1));
 +               tm1.tm_year = (notAfter->data[ 0] - '0') * 10 + (notAfter->data[ 1] - '0') + 100;
 +               tm1.tm_mon  = (notAfter->data[ 2] - '0') * 10 + (notAfter->data[ 3] - '0') - 1;
 +               tm1.tm_mday = (notAfter->data[ 4] - '0') * 10 + (notAfter->data[ 5] - '0');
 +               tm1.tm_hour = (notAfter->data[ 6] - '0') * 10 + (notAfter->data[ 7] - '0');
 +               tm1.tm_min  = (notAfter->data[ 8] - '0') * 10 + (notAfter->data[ 9] - '0');
 +               tm1.tm_sec  = (notAfter->data[10] - '0') * 10 + (notAfter->data[11] - '0');
 +
 +               tm1.tm_sec += (int)(mktime (localtime (&now)) - mktime (gmtime (&now)));
 +
 +               expire = mktime (&tm1);
 +           }
 +       }
 +   }
 +
 +   if (x509 != NULL) {
 +       X509_free (x509);
 +       x509 = NULL;
 +   }
 +#elif defined(USE_PKCS11H_GNUTLS)
 +   if (gnutls_x509_crt_init (&cert) == GNUTLS_E_SUCCESS) {
 +       gnutls_datum_t datum = {(unsigned char *)certificate, certificate_size};
 +
 +       if (gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER) == GNUTLS_E_SUCCESS) {
 +
 +           time_t activation_time = gnutls_x509_crt_get_activation_time (cert);
 +           time_t expiration_time = gnutls_x509_crt_get_expiration_time (cert);
 +           time_t now = time (NULL);
 +
 +           if (
 +               now >= activation_time &&
 +               now <= expiration_time
 +           ) {
 +               expire = expiration_time;
 +           }
 +       }
 +       gnutls_x509_crt_deinit (cert);
 +   }
 +#else
 +#error Invalid configuration
 +#endif
 +
 +   return expire;
 +}
 +
 +static
 +PKCS11H_BOOL
 +_pkcs11h_certificate_isBetterCertificate (
 +   IN const unsigned char * const current,
 +   IN const size_t current_size,
 +   IN const unsigned char * const newone,
 +   IN const size_t newone_size
 +) {
 +   PKCS11H_BOOL is_better = FALSE;
 +
 +   /*PKCS11H_ASSERT (current!=NULL); NOT NEEDED */
 +   PKCS11H_ASSERT (newone!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_isBetterCertificate entry current=%p, current_size=%u, newone=%p,
	newone_size=%u",
 +       current,
 +       current_size,
 +       newone,
 +       newone_size
 +   );
 +
 +   /*
 +    * First certificae
 +    * always select
 +    */
 +   if (current_size == 0 || current == NULL) {
 +       is_better = TRUE;
 +   }
 +   else {
 +       time_t notAfterCurrent, notAfterNew;
 +
 +       notAfterCurrent = _pkcs11h_certificate_getExpiration (
 +           current,
 +           current_size
 +       );
 +       notAfterNew = _pkcs11h_certificate_getExpiration (
 +           newone,
 +           newone_size
 +       );
 +
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG2,
 +           "PKCS#11: _pkcs11h_certificate_isBetterCertificate notAfterCurrent='%s', notAfterNew='%s'",
 +           asctime (localtime (&notAfterCurrent)),
 +           asctime (localtime (&notAfterNew))
 +       );
 +
 +       is_better = notAfterNew > notAfterCurrent;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_isBetterCertificate return is_better=%d",
 +       is_better ? 1 : 0
 +   );
 +   
 +   return is_better;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_newCertificateId (
 +   OUT pkcs11h_certificate_id_t * const p_certificate_id
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (p_certificate_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=%p",
 +       (void *)p_certificate_id
 +   );
 +
 +   *p_certificate_id = NULL;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_malloc ((void *)p_certificate_id, sizeof (struct pkcs11h_certificate_id_s));
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_newCertificateId return rv=%ld-'%s', *p_certificate_id=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_certificate_id
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_getDN (
 +   IN const unsigned char * const blob,
 +   IN const size_t blob_size,
 +   OUT char * const dn,
 +   IN const size_t dn_size
 +) {
 +#if defined(USE_PKCS11H_OPENSSL)
 +   X509 *x509 = NULL;
 +   pkcs11_openssl_d2i_t d2i1;
 +#elif defined(USE_PKCS11H_GNUTLS)
 +   gnutls_x509_crt_t cert = NULL;
 +#endif
 +
 +   PKCS11H_ASSERT (blob_size==0||blob!=NULL);
 +   PKCS11H_ASSERT (dn!=NULL);
 +
 +   dn[0] = '\x0';
 +
 +#if defined(USE_PKCS11H_OPENSSL)
 +
 +   if (blob_size > 0) {
 +       x509 = X509_new ();
 +
 +       d2i1 = (pkcs11_openssl_d2i_t)blob;
 +       if (d2i_X509 (&x509, &d2i1, blob_size)) {
 +           X509_NAME_oneline (
 +               X509_get_subject_name (x509),
 +               dn,
 +               dn_size
 +           );
 +       }
 +
 +       if (x509 != NULL) {
 +           X509_free (x509);
 +           x509 = NULL;
 +       }
 +   }
 +
 +#elif defined(USE_PKCS11H_GNUTLS)
 +
 +   if (blob_size > 0) {
 +       if (gnutls_x509_crt_init (&cert) == GNUTLS_E_SUCCESS) {
 +           gnutls_datum_t datum = {(unsigned char *)blob, blob_size};
 +
 +           if (gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER) == GNUTLS_E_SUCCESS) {
 +               size_t s = dn_size;
 +               if (
 +                   gnutls_x509_crt_get_dn (
 +                       cert,
 +                       dn,
 +                       &s
 +                   ) != GNUTLS_E_SUCCESS
 +               ) {
 +                   /* gnutls sets output parameters */
 +                   dn[0] = '\x0';
 +               }
 +           }
 +           gnutls_x509_crt_deinit (cert);
 +       }
 +   }
 +
 +#else
 +#error Invalid configuration
 +#endif
 +
 +   return CKR_OK;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_loadCertificate (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +   /*
 +    * THREADING:
 +    * certificate->mutex must be locked
 +    */
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   CK_OBJECT_CLASS cert_filter_class = CKO_CERTIFICATE;
 +   CK_ATTRIBUTE cert_filter[] = {
 +       {CKA_CLASS, &cert_filter_class, sizeof (cert_filter_class)},
 +       {CKA_ID, NULL, 0}
 +   };
 +
 +   CK_OBJECT_HANDLE *objects = NULL;
 +   CK_ULONG objects_found = 0;
 +   CK_RV rv = CKR_OK;
 +
 +   CK_ULONG i;
 +
 +   PKCS11H_ASSERT (certificate!=NULL);
 +   PKCS11H_ASSERT (certificate->id!=NULL);
 +   
 +   /* Must be after assert */
 +   cert_filter[1].pValue = certificate->id->attrCKA_ID;
 +   cert_filter[1].ulValueLen = certificate->id->attrCKA_ID_size;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_loadCertificate entry certificate=%p",
 +       (void *)certificate
 +   );
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_validate (certificate->session);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_findObjects (
 +           certificate->session,
 +           cert_filter,
 +           sizeof (cert_filter) / sizeof (CK_ATTRIBUTE),
 +           &objects,
 +           &objects_found
 +       );
 +   }
 +
 +   for (i=0;rv == CKR_OK && i < objects_found;i++) {
 +       CK_ATTRIBUTE attrs[] = {
 +           {CKA_VALUE, NULL, 0}
 +       };
 +
 +       if (
 +           rv == CKR_OK &&
 +           (rv = _pkcs11h_session_getObjectAttributes (
 +               certificate->session,
 +               objects[i],
 +               attrs,
 +               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +           )) == CKR_OK
 +       ) {
 +           if (
 +               _pkcs11h_certificate_isBetterCertificate (
 +                   certificate->id->certificate_blob,
 +                   certificate->id->certificate_blob_size,
 +                   attrs[0].pValue,
 +                   attrs[0].ulValueLen
 +               )
 +           ) {
 +               if (certificate->id->certificate_blob != NULL) {
 +                   _pkcs11h_mem_free ((void *)&certificate->id->certificate_blob);
 +               }
 +
 +               rv = _pkcs11h_mem_duplicate (
 +                   (void*)&certificate->id->certificate_blob,
 +                   &certificate->id->certificate_blob_size,
 +                   attrs[0].pValue,
 +                   attrs[0].ulValueLen
 +               );
 +           }
 +       }
 +
 +       if (rv != CKR_OK) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Cannot get object attribute for provider '%s' object %ld rv=%ld-'%s'",
 +               certificate->session->provider->manufacturerID,
 +               objects[i],
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           /*
 +            * Ignore error
 +            */
 +           rv = CKR_OK;
 +       }
 +
 +       _pkcs11h_session_freeObjectAttributes (
 +           attrs,
 +           sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +       );
 +   }
 +   
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   if (
 +       rv == CKR_OK &&
 +       certificate->id->certificate_blob == NULL
 +   ) {
 +       rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +   }
 +
 +   if (objects != NULL) {
 +       _pkcs11h_mem_free ((void *)&objects);
 +   }
 +
 +   /*
 +    * No need to free allocated objects
 +    * on error, since the certificate_id
 +    * should be free by caller.
 +    */
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_loadCertificate return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_updateCertificateIdDescription (
 +   IN OUT pkcs11h_certificate_id_t certificate_id
 +) {
 +   static const char * separator = " on ";
 +   static const char * unknown = "UNKNOWN";
 +
 +   PKCS11H_ASSERT (certificate_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=%p",
 +       (void *)certificate_id
 +   );
 +
 +   certificate_id->displayName[0] = '\x0';
 +
 +   _pkcs11h_certificate_getDN (
 +       certificate_id->certificate_blob,
 +       certificate_id->certificate_blob_size,
 +       certificate_id->displayName,
 +       sizeof (certificate_id->displayName)
 +   );
 +
 +   if (strlen (certificate_id->displayName) == 0) {
 +       strncpy (
 +           certificate_id->displayName,
 +           unknown,
 +           sizeof (certificate_id->displayName)-1
 +       );
 +   }
 +
 +   /*
 +    * Try to avoid using snprintf,
 +    * may be unavailable
 +    */
 +   strncat (
 +       certificate_id->displayName,
 +       separator,
 +       sizeof (certificate_id->displayName)-1-strlen (certificate_id->displayName)
 +   );
 +   strncat (
 +       certificate_id->displayName,
 +       certificate_id->token_id->display,
 +       sizeof (certificate_id->displayName)-1-strlen (certificate_id->displayName)
 +   );
 +   certificate_id->displayName[sizeof (certificate_id->displayName) - 1] = '\0';
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_updateCertificateIdDescription return displayName='%s'",
 +       certificate_id->displayName
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_getKeyAttributes (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_BOOL op_succeed = FALSE;
 +   PKCS11H_BOOL login_retry = FALSE;
 +
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_getKeyAttributes entry certificate=%p",
 +       (void *)certificate
 +   );
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   certificate->mask_sign_mode = 0;
 +
 +   while (rv == CKR_OK && !op_succeed) {
 +       CK_ATTRIBUTE key_attrs[] = {
 +           {CKA_SIGN, NULL, 0},
 +           {CKA_SIGN_RECOVER, NULL, 0}
 +       };
 +
 +       /*
 +        * Don't try invalid object
 +        */
 +       if (
 +           rv == CKR_OK &&
 +           certificate->key_handle == PKCS11H_INVALID_OBJECT_HANDLE
 +       ) {
 +           rv = CKR_OBJECT_HANDLE_INVALID;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           if (certificate->session->provider->mask_sign_mode != 0) {
 +               certificate->mask_sign_mode = certificate->session->provider->mask_sign_mode;
 +               op_succeed = TRUE;
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Key attributes enforced by provider (%08x)",
 +                   certificate->mask_sign_mode
 +               );
 +           }
 +       }
 +
 +       if (rv == CKR_OK && !op_succeed) {
 +           rv = _pkcs11h_session_getObjectAttributes (
 +               certificate->session,
 +               certificate->key_handle,
 +               key_attrs,
 +               sizeof (key_attrs) / sizeof (CK_ATTRIBUTE)
 +           );
 +       }
 +
 +       if (rv == CKR_OK && !op_succeed) {
 +           CK_BBOOL *key_attrs_sign = (CK_BBOOL *)key_attrs[0].pValue;
 +           CK_BBOOL *key_attrs_sign_recover = (CK_BBOOL *)key_attrs[1].pValue;
 +
 +           if (key_attrs_sign != NULL && *key_attrs_sign != CK_FALSE) {
 +               certificate->mask_sign_mode |= PKCS11H_SIGNMODE_MASK_SIGN;
 +           }
 +           if (key_attrs_sign_recover != NULL && *key_attrs_sign_recover != CK_FALSE) {
 +               certificate->mask_sign_mode |= PKCS11H_SIGNMODE_MASK_RECOVER;
 +           }
 +           if (certificate->mask_sign_mode == 0) {
 +               rv = CKR_KEY_TYPE_INCONSISTENT;
 +           }
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Key attributes loaded (%08x)",
 +               certificate->mask_sign_mode
 +           );
 +       }
 +
 +       _pkcs11h_session_freeObjectAttributes (
 +           key_attrs,
 +           sizeof (key_attrs) / sizeof (CK_ATTRIBUTE)
 +       );
 +
 +       if (rv == CKR_OK) {
 +           op_succeed = TRUE;
 +       }
 +       else {
 +           if (!login_retry) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Get private key attributes failed: %ld:'%s'",
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +
 +               rv = _pkcs11h_certificate_resetSession (
 +                   certificate,
 +                   FALSE,
 +                   TRUE
 +               );
 +
 +               login_retry = TRUE;
 +           }
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&certificate->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_getKeyAttributes return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_validateSession (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +   /*
 +    * THREADING:
 +    * certificate->mutex must be locked
 +    * certificate->session->mutex must be locked
 +    */
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_validateSession entry certificate=%p",
 +       (void *)certificate
 +   );
 +
 +   if (certificate->session == NULL) {
 +       rv = CKR_SESSION_HANDLE_INVALID;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_validate (certificate->session);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       if (certificate->key_handle == PKCS11H_INVALID_OBJECT_HANDLE) {
 +           rv = CKR_OBJECT_HANDLE_INVALID;
 +       }
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_validateSession return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +_pkcs11h_certificate_resetSession (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const PKCS11H_BOOL public_only,
 +   IN const PKCS11H_BOOL session_mutex_locked
 +) {
 +   /*
 +    * THREADING:
 +    * certificate->mutex must be locked
 +    */
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   PKCS11H_BOOL is_key_valid = FALSE;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (certificate!=NULL);
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_resetSession entry certificate=%p, public_only=%d, session_mutex_locked=%d",
 +       (void *)certificate,
 +       public_only ? 1 : 0,
 +       session_mutex_locked ? 1 : 0
 +   );
 +
 +   if (rv == CKR_OK && certificate->session == NULL) {
 +       rv = _pkcs11h_session_getSessionByTokenId (certificate->id->token_id, &certificate->session);
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       !session_mutex_locked &&
 +       (rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (
 +       rv == CKR_OK &&
 +       !certificate->pin_cache_populated_to_session
 +   ) {
 +       certificate->pin_cache_populated_to_session = TRUE;
 +
 +       if (certificate->pin_cache_period != PKCS11H_PIN_CACHE_INFINITE) {
 +           if (certificate->session->pin_cache_period != PKCS11H_PIN_CACHE_INFINITE) {
 +               if (certificate->session->pin_cache_period > certificate->pin_cache_period) {
 +                   certificate->session->pin_expire_time = (
 +                       certificate->session->pin_expire_time -
 +                       (time_t)certificate->session->pin_cache_period +
 +                       (time_t)certificate->pin_cache_period
 +                   );
 +                   certificate->session->pin_cache_period = certificate->pin_cache_period;
 +               }
 +           }
 +           else {
 +               certificate->session->pin_expire_time = (
 +                   PKCS11H_TIME (NULL) +
 +                   (time_t)certificate->pin_cache_period
 +               );
 +               certificate->session->pin_cache_period = certificate->pin_cache_period;
 +           }
 +       }   
 +   }
 +
 +   /*
 +    * First, if session seems to be valid
 +    * and key handle is invalid (hard-set),
 +    * try to fetch key handle,
 +    * maybe the token is already logged in
 +    */
 +   if (rv == CKR_OK) {
 +       if (
 +           certificate->session->session_handle != PKCS11H_INVALID_SESSION_HANDLE &&
 +           certificate->key_handle == PKCS11H_INVALID_OBJECT_HANDLE
 +       ) {
 +           if (!public_only || certificate->session->provider->cert_is_private) {
 +               if (
 +                   (rv = _pkcs11h_session_getObjectById (
 +                       certificate->session,
 +                       CKO_PRIVATE_KEY,
 +                       certificate->id->attrCKA_ID,
 +                       certificate->id->attrCKA_ID_size,
 +                       &certificate->key_handle
 +                   )) == CKR_OK
 +               ) {
 +                   is_key_valid = TRUE;
 +               }
 +               else {
 +                   /*
 +                    * Ignore error
 +                    */
 +                   rv = CKR_OK;
 +                   certificate->key_handle = PKCS11H_INVALID_OBJECT_HANDLE;
 +               }
 +           }
 +       }
 +   }
 +
 +   if (
 +       !is_key_valid &&
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_session_login (
 +           certificate->session,
 +           public_only,
 +           TRUE,
 +           certificate->user_data,
 +           certificate->mask_prompt
 +       )) == CKR_OK
 +   ) {
 +       rv = _pkcs11h_certificate_updateCertificateIdDescription (certificate->id);
 +   }
 +
 +   if (
 +       !is_key_valid &&
 +       rv == CKR_OK &&
 +       !public_only &&
 +       (rv = _pkcs11h_session_getObjectById (
 +           certificate->session,
 +           CKO_PRIVATE_KEY,
 +           certificate->id->attrCKA_ID,
 +           certificate->id->attrCKA_ID_size,
 +           &certificate->key_handle
 +       )) == CKR_OK
 +   ) {
 +       is_key_valid = TRUE;
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       !public_only &&
 +       !is_key_valid
 +   ) {
 +       rv = CKR_FUNCTION_REJECTED;
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_resetSession return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_doPrivateOperation (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const enum _pkcs11h_private_op_e op,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   CK_MECHANISM mech = {
 +       mech_type, NULL, 0
 +   };
 +   
 +   CK_RV rv = CKR_OK;
 +   PKCS11H_BOOL login_retry = FALSE;
 +   PKCS11H_BOOL op_succeed = FALSE;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +   PKCS11H_ASSERT (source!=NULL);
 +   /*PKCS11H_ASSERT (target); NOT NEEDED*/
 +   PKCS11H_ASSERT (p_target_size!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_doPrivateOperation entry certificate=%p, op=%d, mech_type=%ld, source=%p,
	source_size=%u, target=%p, *p_target_size=%u",
 +       (void *)certificate,
 +       op,
 +       mech_type,
 +       source,
 +       source_size,
 +       target,
 +       target != NULL ? *p_target_size : 0
 +   );
 +
 +   if (target == NULL) {
 +       *p_target_size = 0;
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   while (rv == CKR_OK && !op_succeed) {
 +       if (rv == CKR_OK && !certificate->operation_active) {
 +           rv = _pkcs11h_certificate_validateSession (certificate);
 +       }
 +
 +       if (rv == CKR_OK && !certificate->operation_active) {
 +           switch (op) {
 +               case _pkcs11h_private_op_sign:
 +                   rv = certificate->session->provider->f->C_SignInit (
 +                       certificate->session->session_handle,
 +                       &mech,
 +                       certificate->key_handle
 +                   );
 +               break;
 +               case _pkcs11h_private_op_sign_recover:
 +                   rv = certificate->session->provider->f->C_SignRecoverInit (
 +                       certificate->session->session_handle,
 +                       &mech,
 +                       certificate->key_handle
 +                   );
 +               break;
 +               case _pkcs11h_private_op_decrypt:
 +                   rv = certificate->session->provider->f->C_DecryptInit (
 +                       certificate->session->session_handle,
 +                       &mech,
 +                       certificate->key_handle
 +                   );
 +               break;
 +               default:
 +                   rv = CKR_ARGUMENTS_BAD;
 +               break;
 +           }
 +
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG2,
 +               "PKCS#11: _pkcs11h_certificate_doPrivateOperation init rv=%ld",
 +               rv
 +           );
 +       }
 +
 +       if (rv == CKR_OK) {
 +           CK_ULONG size = *p_target_size;
 +
 +           switch (op) {
 +               case _pkcs11h_private_op_sign:
 +                   rv = certificate->session->provider->f->C_Sign (
 +                       certificate->session->session_handle,
 +                       (CK_BYTE_PTR)source,
 +                       source_size,
 +                       (CK_BYTE_PTR)target,
 +                       &size
 +                   );
 +               break;
 +               case _pkcs11h_private_op_sign_recover:
 +                   rv = certificate->session->provider->f->C_SignRecover (
 +                       certificate->session->session_handle,
 +                       (CK_BYTE_PTR)source,
 +                       source_size,
 +                       (CK_BYTE_PTR)target,
 +                       &size
 +                   );
 +               break;
 +               case _pkcs11h_private_op_decrypt:
 +                   rv = certificate->session->provider->f->C_Decrypt (
 +                       certificate->session->session_handle,
 +                       (CK_BYTE_PTR)source,
 +                       source_size,
 +                       (CK_BYTE_PTR)target,
 +                       &size
 +                   );
 +               break;
 +               default:
 +                   rv = CKR_ARGUMENTS_BAD;
 +               break;
 +           }
 +
 +           *p_target_size = size;
 +
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG2,
 +               "PKCS#11: _pkcs11h_certificate_doPrivateOperation op rv=%ld",
 +               rv
 +           );
 +       }
 +       
 +       if (
 +           target == NULL &&
 +           (
 +               rv == CKR_BUFFER_TOO_SMALL ||
 +               rv == CKR_OK
 +           )
 +       ) {
 +           certificate->operation_active = TRUE;
 +           rv = CKR_OK;
 +       }
 +       else {
 +           certificate->operation_active = FALSE;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           op_succeed = TRUE;
 +       }
 +       else {
 +           /*
 +            * OpenSC workaround
 +            * It still allows C_FindObjectsInit when
 +            * token is removed/inserted but fails
 +            * private key operation.
 +            * So we force logout.
 +            * bug#108 at OpenSC trac
 +            */
 +           if (login_retry && rv == CKR_DEVICE_REMOVED) {
 +               login_retry = FALSE;
 +               _pkcs11h_session_logout (certificate->session);
 +           }
 +
 +           if (!login_retry) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Private key operation failed rv=%ld-'%s'",
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +               login_retry = TRUE;
 +               rv = _pkcs11h_certificate_resetSession (
 +                   certificate,
 +                   FALSE,
 +                   TRUE
 +               );
 +           }
 +       }
 +
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&certificate->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_doPrivateOperation return rv=%ld-'%s', *p_target_size=%u",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *p_target_size
 +   );
 +   
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_freeCertificateId (
 +   IN pkcs11h_certificate_id_t certificate_id
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=%p",
 +       (void *)certificate_id
 +   );
 +
 +   if (certificate_id->attrCKA_ID != NULL) {
 +       _pkcs11h_mem_free ((void *)&certificate_id->attrCKA_ID);
 +   }
 +   if (certificate_id->certificate_blob != NULL) {
 +       _pkcs11h_mem_free ((void *)&certificate_id->certificate_blob);
 +   }
 +   if (certificate_id->token_id != NULL) {
 +       pkcs11h_token_freeTokenId (certificate_id->token_id);
 +       certificate_id->token_id = NULL;
 +   }
 +   _pkcs11h_mem_free ((void *)&certificate_id);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_freeCertificateId return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_duplicateCertificateId (
 +   OUT pkcs11h_certificate_id_t * const to,
 +   IN const pkcs11h_certificate_id_t from
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (to!=NULL);
 +   PKCS11H_ASSERT (from!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=%p form=%p",
 +       (void *)to,
 +       (void *)from
 +   );
 +
 +   *to = NULL;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_duplicate (
 +           (void*)to,
 +           NULL,
 +           from,
 +           sizeof (struct pkcs11h_certificate_id_s)
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_duplicate (
 +           (void*)&(*to)->token_id,
 +           NULL,
 +           from->token_id,
 +           sizeof (struct pkcs11h_token_id_s)
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_duplicate (
 +           (void*)&(*to)->attrCKA_ID,
 +           &(*to)->attrCKA_ID_size,
 +           from->attrCKA_ID,
 +           from->attrCKA_ID_size
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_duplicate (
 +           (void*)&(*to)->certificate_blob,
 +           &(*to)->certificate_blob_size,
 +           from->certificate_blob,
 +           from->certificate_blob_size
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=%ld-'%s', *to=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*to
 +   );
 +   
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_setCertificateIdCertificateBlob (
 +   IN const pkcs11h_certificate_id_t certificate_id,
 +   IN const unsigned char * const blob,
 +   IN const size_t blob_size
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate_id!=NULL);
 +   PKCS11H_ASSERT (blob!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_setCertificateIdCertificateBlob entry certificate_id=%p",
 +       (void *)certificate_id
 +   );
 +
 +   if (rv == CKR_OK && certificate_id->certificate_blob != NULL) {
 +       rv = _pkcs11h_mem_free ((void *)&certificate_id->certificate_blob);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_duplicate (
 +           (void *)&certificate_id->certificate_blob,
 +           &certificate_id->certificate_blob_size,
 +           blob,
 +           blob_size
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_setCertificateIdCertificateBlob return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +   
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_freeCertificate (
 +   IN pkcs11h_certificate_t certificate
 +) {
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=%p",
 +       (void *)certificate
 +   );
 +
 +   if (certificate != NULL) {
 +       if (certificate->session != NULL) {
 +           _pkcs11h_session_release (certificate->session);
 +       }
 +       pkcs11h_certificate_freeCertificateId (certificate->id);
 +       certificate->id = NULL;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       _pkcs11h_threading_mutexFree (&certificate->mutex);
 +#endif
 +
 +       _pkcs11h_mem_free ((void *)&certificate);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_freeCertificate return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_lockSession (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   if (rv == CKR_OK && certificate->session == NULL) {
 +       rv = _pkcs11h_session_getSessionByTokenId (certificate->id->token_id, &certificate->session);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex);
 +   }
 +
 +   return rv;
 +#else
 +   return CKR_OK;
 +#endif
 +}
 +
 +CK_RV
 +pkcs11h_certificate_releaseSession (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   if (certificate->session != NULL) {
 +       rv = _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
 +   }
 +
 +   return rv;
 +#else
 +   return CKR_OK;
 +#endif
 +}
 +
 +CK_RV
 +pkcs11h_certificate_sign (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +   PKCS11H_ASSERT (source!=NULL);
 +   /*PKCS11H_ASSERT (target); NOT NEEDED*/
 +   PKCS11H_ASSERT (p_target_size!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_sign entry certificate=%p, mech_type=%ld, source=%p, source_size=%u, target=%p,
	*p_target_size=%u",
 +       (void *)certificate,
 +       mech_type,
 +       source,
 +       source_size,
 +       target,
 +       target != NULL ? *p_target_size : 0
 +   );
 +
 +   if (target == NULL) {
 +       *p_target_size = 0;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_certificate_doPrivateOperation (
 +           certificate,
 +           _pkcs11h_private_op_sign,
 +           mech_type,
 +           source,
 +           source_size,
 +           target,
 +           p_target_size
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_sign return rv=%ld-'%s', *p_target_size=%u",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *p_target_size
 +   );
 +   
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_signRecover (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +   PKCS11H_ASSERT (source!=NULL);
 +   /*PKCS11H_ASSERT (target); NOT NEEDED*/
 +   PKCS11H_ASSERT (p_target_size!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_signRecover entry certificate=%p, mech_type=%ld, source=%p, source_size=%u,
	target=%p, *p_target_size=%u",
 +       (void *)certificate,
 +       mech_type,
 +       source,
 +       source_size,
 +       target,
 +       target != NULL ? *p_target_size : 0
 +   );
 +
 +   if (target == NULL) {
 +       *p_target_size = 0;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_certificate_doPrivateOperation (
 +           certificate,
 +           _pkcs11h_private_op_sign_recover,
 +           mech_type,
 +           source,
 +           source_size,
 +           target,
 +           p_target_size
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_signRecover return rv=%ld-'%s', *p_target_size=%u",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *p_target_size
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_signAny (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +) {
 +   CK_RV rv = CKR_OK;
 +   PKCS11H_BOOL fSigned = FALSE;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +   PKCS11H_ASSERT (source!=NULL);
 +   /*PKCS11H_ASSERT (target); NOT NEEDED*/
 +   PKCS11H_ASSERT (p_target_size!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_signAny entry certificate=%p, mech_type=%ld, source=%p, source_size=%u, target=%p,
	*p_target_size=%u",
 +       (void *)certificate,
 +       mech_type,
 +       source,
 +       source_size,
 +       target,
 +       target != NULL ? *p_target_size : 0
 +   );
 +
 +   if (
 +       rv == CKR_OK &&
 +       certificate->mask_sign_mode == 0
 +   ) {
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG1,
 +           "PKCS#11: Getting key attributes"
 +       );
 +       rv = _pkcs11h_certificate_getKeyAttributes (certificate);
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       !fSigned &&
 +       (certificate->mask_sign_mode & PKCS11H_SIGNMODE_MASK_SIGN) != 0
 +   ) {
 +       rv = pkcs11h_certificate_sign (
 +           certificate,
 +           mech_type,
 +           source,
 +           source_size,
 +           target,
 +           p_target_size
 +       );
 +
 +       if (rv == CKR_OK) {
 +           fSigned = TRUE;
 +       }
 +       else if (
 +           rv == CKR_FUNCTION_NOT_SUPPORTED ||
 +           rv == CKR_KEY_FUNCTION_NOT_PERMITTED
 +       ) {
 +           certificate->mask_sign_mode &= ~PKCS11H_SIGNMODE_MASK_SIGN;
 +           rv = CKR_OK;
 +       }
 +   }
 +   
 +   if (
 +       rv == CKR_OK &&
 +       !fSigned &&
 +       (certificate->mask_sign_mode & PKCS11H_SIGNMODE_MASK_RECOVER) != 0
 +   ) {
 +       rv = pkcs11h_certificate_signRecover (
 +           certificate,
 +           mech_type,
 +           source,
 +           source_size,
 +           target,
 +           p_target_size
 +       );
 +
 +       if (rv == CKR_OK) {
 +           fSigned = TRUE;
 +       }
 +       else if (
 +           rv == CKR_FUNCTION_NOT_SUPPORTED ||
 +           rv == CKR_KEY_FUNCTION_NOT_PERMITTED
 +       ) {
 +           certificate->mask_sign_mode &= ~PKCS11H_SIGNMODE_MASK_RECOVER;
 +           rv = CKR_OK;
 +       }
 +   }
 +
 +   if (rv == CKR_OK && !fSigned) {
 +       rv = CKR_FUNCTION_FAILED;
 +   }
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_signAny return rv=%ld-'%s', *p_target_size=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_target_size
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_decrypt (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +   PKCS11H_ASSERT (source!=NULL);
 +   /*PKCS11H_ASSERT (target); NOT NEEDED*/
 +   PKCS11H_ASSERT (p_target_size!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_decrypt entry certificate=%p, mech_type=%ld, source=%p, source_size=%u, target=%p,
	*p_target_size=%u",
 +       (void *)certificate,
 +       mech_type,
 +       source,
 +       source_size,
 +       target,
 +       target != NULL ? *p_target_size : 0
 +   );
 +
 +   if (target == NULL) {
 +       *p_target_size = 0;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_certificate_doPrivateOperation (
 +           certificate,
 +           _pkcs11h_private_op_decrypt,
 +           mech_type,
 +           source,
 +           source_size,
 +           target,
 +           p_target_size
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_decrypt return rv=%ld-'%s', *p_target_size=%u",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *p_target_size
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_create (
 +   IN const pkcs11h_certificate_id_t certificate_id,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   IN const int pin_cache_period,
 +   OUT pkcs11h_certificate_t * const p_certificate
 +) {
 +   pkcs11h_certificate_t certificate = NULL;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   /*PKCS11H_ASSERT (user_data!=NULL); NOT NEEDED */
 +   PKCS11H_ASSERT (p_certificate!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_create entry certificate_id=%p, user_data=%p, mask_prompt=%08x,
	pin_cache_period=%d, p_certificate=%p",
 +       (void *)certificate_id,
 +       user_data,
 +       mask_prompt,
 +       pin_cache_period,
 +       (void *)p_certificate
 +   );
 +
 +   *p_certificate = NULL;
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_mem_malloc ((void*)&certificate, sizeof (struct pkcs11h_certificate_s))) == CKR_OK
 +   ) {
 +       certificate->user_data = user_data;
 +       certificate->mask_prompt = mask_prompt;
 +       certificate->key_handle = PKCS11H_INVALID_OBJECT_HANDLE;
 +       certificate->pin_cache_period = pin_cache_period;
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_threading_mutexInit (&certificate->mutex);
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_certificate_duplicateCertificateId (&certificate->id, certificate_id);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_certificate = certificate;
 +       certificate = NULL;
 +   }
 +
 +   if (certificate != NULL) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       _pkcs11h_threading_mutexFree (&certificate->mutex);
 +#endif
 +       _pkcs11h_mem_free ((void *)&certificate);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_create return rv=%ld-'%s' *p_certificate=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_certificate
 +   );
 +   
 +   return rv;
 +}
 +
 +unsigned
 +pkcs11h_certificate_getPromptMask (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   return certificate->mask_prompt;
 +}
 +
 +void
 +pkcs11h_certificate_setPromptMask (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const unsigned mask_prompt
 +) {
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   certificate->mask_prompt = mask_prompt;
 +}
 +
 +void *
 +pkcs11h_certificate_getUserData (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   return certificate->user_data;
 +}
 +
 +void
 +pkcs11h_certificate_setUserData (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN void * const user_data
 +) {
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   certificate->user_data = user_data;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_getCertificateId (
 +   IN const pkcs11h_certificate_t certificate,
 +   OUT pkcs11h_certificate_id_t * const p_certificate_id
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +   PKCS11H_ASSERT (p_certificate_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_getCertificateId entry certificate=%p, certificate_id=%p",
 +       (void *)certificate,
 +       (void *)p_certificate_id
 +   );
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_certificate_duplicateCertificateId (
 +           p_certificate_id,
 +           certificate->id
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_getCertificateId return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_getCertificateBlob (
 +   IN const pkcs11h_certificate_t certificate,
 +   OUT unsigned char * const certificate_blob,
 +   IN OUT size_t * const p_certificate_blob_size
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   CK_RV rv = CKR_OK;
 +   size_t certifiate_blob_size_max = 0;
 +   
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +   /*PKCS11H_ASSERT (certificate_blob!=NULL); NOT NEEDED */
 +   PKCS11H_ASSERT (p_certificate_blob_size!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=%p, certificate_blob=%p,
	*p_certificate_blob_size=%u",
 +       (void *)certificate,
 +       certificate_blob,
 +       certificate_blob != NULL ? *p_certificate_blob_size : 0
 +   );
 +
 +   if (certificate_blob != NULL) {
 +       certifiate_blob_size_max = *p_certificate_blob_size;
 +   }
 +   *p_certificate_blob_size = 0;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK && certificate->id->certificate_blob == NULL) {
 +       PKCS11H_BOOL op_succeed = FALSE;
 +       PKCS11H_BOOL login_retry = FALSE;
 +       while (rv == CKR_OK && !op_succeed) {
 +           if (certificate->session == NULL) {
 +               rv = CKR_SESSION_HANDLE_INVALID;
 +           }
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_certificate_loadCertificate (certificate);
 +           }
 +
 +           if (rv == CKR_OK) {
 +               op_succeed = TRUE;
 +           }
 +           else {
 +               if (!login_retry) {
 +                   login_retry = TRUE;
 +                   rv = _pkcs11h_certificate_resetSession (
 +                       certificate,
 +                       TRUE,
 +                       FALSE
 +                   );
 +               }
 +           }
 +       }
 +   }
 +   
 +   if (
 +       rv == CKR_OK &&
 +       certificate->id->certificate_blob == NULL
 +   ) {
 +       rv = CKR_FUNCTION_REJECTED;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       _pkcs11h_certificate_updateCertificateIdDescription (certificate->id);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_certificate_blob_size = certificate->id->certificate_blob_size;
 +   }
 +
 +   if (certificate_blob != NULL) {
 +       if (
 +           rv == CKR_OK &&
 +           certificate->id->certificate_blob_size > certifiate_blob_size_max
 +       ) {
 +           rv = CKR_BUFFER_TOO_SMALL;
 +       }
 +   
 +       if (rv == CKR_OK) {
 +           memmove (
 +               certificate_blob,
 +               certificate->id->certificate_blob,
 +               *p_certificate_blob_size
 +           );
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&certificate->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +#if defined(ENABLE_PKCS11H_SERIALIZATION)
 +
 +CK_RV
 +pkcs11h_certificate_serializeCertificateId (
 +   OUT char * const sz,
 +   IN OUT size_t *max,
 +   IN const pkcs11h_certificate_id_t certificate_id
 +) {
 +   CK_RV rv = CKR_OK;
 +   size_t saved_max = 0;
 +   size_t n = 0;
 +   size_t _max = 0;
 +
 +   /*PKCS11H_ASSERT (sz!=NULL); Not required */
 +   PKCS11H_ASSERT (max!=NULL);
 +   PKCS11H_ASSERT (certificate_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_serializeCertificateId entry sz=%p, *max=%u, certificate_id=%p",
 +       sz,
 +       sz != NULL ? *max : 0,
 +       (void *)certificate_id
 +   );
 +
 +   if (sz != NULL) {
 +       saved_max = n = *max;
 +   }
 +   *max = 0;
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_token_serializeTokenId (
 +           sz,
 +           &n,
 +           certificate_id->token_id
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       _max = n + certificate_id->attrCKA_ID_size*2 + 1;
 +   }
 +
 +   if (sz != NULL) {
 +       if (saved_max < _max) {
 +           rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           sz[n-1] = '/';
 +           rv = _pkcs11h_util_binaryToHex (
 +               sz+n,
 +               saved_max-n,
 +               certificate_id->attrCKA_ID,
 +               certificate_id->attrCKA_ID_size
 +           );
 +
 +       }
 +   }
 +
 +   *max = _max;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_serializeCertificateId return rv=%ld-'%s', *max=%u, sz='%s'",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       *max,
 +       sz
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_deserializeCertificateId (
 +   OUT pkcs11h_certificate_id_t * const p_certificate_id,
 +   IN const char * const sz
 +) {
 +   pkcs11h_certificate_id_t certificate_id = NULL;
 +   CK_RV rv = CKR_OK;
 +   char *p = NULL;
 +   char *_sz = NULL;
 +
 +   PKCS11H_ASSERT (p_certificate_id!=NULL);
 +   PKCS11H_ASSERT (sz!=NULL);
 +
 +   *p_certificate_id = NULL;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=%p, sz='%s'",
 +       (void *)p_certificate_id,
 +       sz
 +   );
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_mem_strdup (
 +           (void *)&_sz,
 +           sz
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       p = _sz;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_certificate_newCertificateId (&certificate_id);
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (p = strrchr (_sz, '/')) == NULL
 +   ) {
 +       rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p = '\x0';
 +       p++;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_token_deserializeTokenId (
 +           &certificate_id->token_id,
 +           _sz
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       certificate_id->attrCKA_ID_size = strlen (p)/2;
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_mem_malloc (
 +           (void *)&certificate_id->attrCKA_ID,
 +           certificate_id->attrCKA_ID_size)
 +       ) == CKR_OK
 +   ) {
 +       rv = _pkcs11h_util_hexToBinary (
 +           certificate_id->attrCKA_ID,
 +           p,
 +           &certificate_id->attrCKA_ID_size
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_certificate_id = certificate_id;
 +       certificate_id = NULL;
 +   }
 +
 +   if (certificate_id != NULL) {
 +       pkcs11h_certificate_freeCertificateId (certificate_id);
 +       certificate_id = NULL;
 +   }
 +
 +   if (_sz != NULL) {
 +       _pkcs11h_mem_free ((void *)&_sz);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +
 +}
 +
 +#endif             /* ENABLE_PKCS11H_SERIALIZATION */
 +
 +CK_RV
 +pkcs11h_certificate_ensureCertificateAccess (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked_cert = FALSE;
 +   PKCS11H_BOOL mutex_locked_sess = FALSE;
 +#endif
 +   PKCS11H_BOOL validCert = FALSE;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_ensureCertificateAccess entry certificate=%p",
 +       (void *)certificate
 +   );
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked_cert = TRUE;
 +   }
 +#endif
 +
 +   if (!validCert && rv == CKR_OK) {
 +       CK_OBJECT_HANDLE h = PKCS11H_INVALID_OBJECT_HANDLE;
 +
 +       if (certificate->session == NULL) {
 +           rv = CKR_SESSION_HANDLE_INVALID;
 +       }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       if (
 +           rv == CKR_OK &&
 +           (rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex)) == CKR_OK
 +       ) {
 +           mutex_locked_sess = TRUE;
 +       }
 +#endif
 +
 +       if (
 +           (rv = _pkcs11h_session_getObjectById (
 +               certificate->session,
 +               CKO_CERTIFICATE,
 +               certificate->id->attrCKA_ID,
 +               certificate->id->attrCKA_ID_size,
 +               &h
 +           )) == CKR_OK
 +       ) {
 +           validCert = TRUE;
 +       }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       if (mutex_locked_sess) {
 +           _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
 +           mutex_locked_sess = FALSE;
 +       }
 +#endif
 +
 +       if (rv != CKR_OK) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Cannot access existing object rv=%ld-'%s'",
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           /*
 +            * Ignore error
 +            */
 +           rv = CKR_OK;
 +       }
 +   }
 +
 +   if (!validCert && rv == CKR_OK) {
 +       if (
 +           (rv = _pkcs11h_certificate_resetSession (
 +               certificate,
 +               TRUE,
 +               FALSE
 +           )) == CKR_OK
 +       ) {
 +           validCert = TRUE;
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked_cert) {
 +       _pkcs11h_threading_mutexRelease (&certificate->mutex);
 +       mutex_locked_cert = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_ensureCertificateAccess return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +   
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_ensureKeyAccess (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked_cert = FALSE;
 +   PKCS11H_BOOL mutex_locked_sess = FALSE;
 +#endif
 +   CK_RV rv = CKR_OK;
 +   PKCS11H_BOOL valid_key = FALSE;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_ensureKeyAccess entry certificate=%p",
 +       (void *)certificate
 +   );
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&certificate->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked_cert = TRUE;
 +   }
 +#endif
 +
 +   if (!valid_key && rv == CKR_OK) {
 +
 +       if (certificate->session == NULL) {
 +           rv = CKR_SESSION_HANDLE_INVALID;
 +       }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       if (
 +           rv == CKR_OK &&
 +           (rv = _pkcs11h_threading_mutexLock (&certificate->session->mutex)) == CKR_OK
 +       ) {
 +           mutex_locked_sess = TRUE;
 +       }
 +#endif
 +
 +       if (
 +           (rv = _pkcs11h_session_getObjectById (
 +               certificate->session,
 +               CKO_PRIVATE_KEY,
 +               certificate->id->attrCKA_ID,
 +               certificate->id->attrCKA_ID_size,
 +               &certificate->key_handle
 +           )) == CKR_OK
 +       ) {
 +           valid_key = TRUE;
 +       }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +       if (mutex_locked_sess) {
 +           _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
 +           mutex_locked_sess = FALSE;
 +       }
 +#endif
 +
 +       if (rv != CKR_OK) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Cannot access existing object rv=%ld-'%s'",
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           /*
 +            * Ignore error
 +            */
 +           rv = CKR_OK;
 +           certificate->key_handle = PKCS11H_INVALID_OBJECT_HANDLE;
 +       }
 +   }
 +
 +   if (!valid_key && rv == CKR_OK) {
 +       if (
 +           (rv = _pkcs11h_certificate_resetSession (
 +               certificate,
 +               FALSE,
 +               FALSE
 +           )) == CKR_OK
 +       ) {
 +           valid_key = TRUE;
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked_sess) {
 +       _pkcs11h_threading_mutexRelease (&certificate->session->mutex);
 +       mutex_locked_sess = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_ensureKeyAccess return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +   
 +   return rv;
 +}
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#if defined(ENABLE_PKCS11H_LOCATE)
 +/*======================================================================*
 + * LOCATE INTERFACE
 + *======================================================================*/
 +
 +#if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +static
 +CK_RV
 +_pkcs11h_locate_getTokenIdBySlotId (
 +   IN const char * const slot,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +) {
 +   pkcs11h_provider_t current_provider = NULL;
 +   char reference[sizeof (((pkcs11h_provider_t)NULL)->reference)];
 +
 +   CK_SLOT_ID selected_slot = PKCS11H_INVALID_SLOT_ID;
 +   CK_TOKEN_INFO info;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (slot!=NULL);
 +   PKCS11H_ASSERT (p_token_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getTokenIdBySlotId entry slot='%s', p_token_id=%p",
 +       slot,
 +       (void *)p_token_id
 +   );
 +
 +   *p_token_id = NULL;
 +
 +   if (rv == CKR_OK) {
 +       if (strchr (slot, ':') == NULL) {
 +           reference[0] = '\0';
 +           selected_slot = atol (slot);
 +       }
 +       else {
 +           char *p;
 +
 +           strncpy (reference, slot, sizeof (reference));
 +           reference[sizeof (reference)-1] = '\0';
 +
 +           p = strchr (reference, ':');
 +
 +           *p = '\0';
 +           p++;
 +           selected_slot = atol (p);
 +       }
 +   }
 +   
 +   if (rv == CKR_OK) {
 +       current_provider=s_pkcs11h_data->providers;
 +       while (
 +           current_provider != NULL &&
 +           reference[0] != '\0' &&     /* So first provider will be selected */
 +           strcmp (current_provider->reference, reference)
 +       ) {
 +           current_provider = current_provider->next;
 +       }
 +   
 +       if (
 +           current_provider == NULL ||
 +           (
 +               current_provider != NULL &&
 +               !current_provider->enabled
 +           )
 +       ) {
 +           rv = CKR_SLOT_ID_INVALID;
 +       }
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = current_provider->f->C_GetTokenInfo (selected_slot, &info)) == CKR_OK
 +   ) {
 +       rv = _pkcs11h_token_getTokenId (
 +           &info,
 +           p_token_id
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getTokenIdBySlotId return rv=%ld-'%s', *p_token_id=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_token_id
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_locate_getTokenIdBySlotName (
 +   IN const char * const name,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +) {
 +   pkcs11h_provider_t current_provider = NULL;
 +
 +   CK_SLOT_ID selected_slot = PKCS11H_INVALID_SLOT_ID;
 +   CK_TOKEN_INFO info;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_BOOL found = FALSE;
 +
 +   PKCS11H_ASSERT (name!=NULL);
 +   PKCS11H_ASSERT (p_token_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getTokenIdBySlotName entry name='%s', p_token_id=%p",
 +       name,
 +       (void *)p_token_id
 +   );
 +
 +   *p_token_id = NULL;
 +
 +   current_provider = s_pkcs11h_data->providers;
 +   while (
 +       current_provider != NULL &&
 +       rv == CKR_OK &&
 +       !found
 +   ) {
 +       CK_SLOT_ID_PTR slots = NULL;
 +       CK_ULONG slotnum;
 +       CK_SLOT_ID slot_index;
 +
 +       if (!current_provider->enabled) {
 +           rv = CKR_CRYPTOKI_NOT_INITIALIZED;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_getSlotList (
 +               current_provider,
 +               CK_TRUE,
 +               &slots,
 +               &slotnum
 +           );
 +       }
 +
 +       for (
 +           slot_index=0;
 +           (
 +               slot_index < slotnum &&
 +               rv == CKR_OK &&
 +               !found
 +           );
 +           slot_index++
 +       ) {
 +           CK_SLOT_INFO info;
 +
 +           if (
 +               (rv = current_provider->f->C_GetSlotInfo (
 +                   slots[slot_index],
 +                   &info
 +               )) == CKR_OK
 +           ) {
 +               char current_name[sizeof (info.slotDescription)+1];
 +
 +               _pkcs11h_util_fixupFixedString (
 +                   current_name,
 +                   (char *)info.slotDescription,
 +                   sizeof (info.slotDescription)
 +               );
 +
 +               if (!strcmp (current_name, name)) {
 +                   found = TRUE;
 +                   selected_slot = slots[slot_index];
 +               }
 +           }
 +
 +           if (rv != CKR_OK) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Cannot get slot information for provider '%s' slot %ld rv=%ld-'%s'",
 +                   current_provider->manufacturerID,
 +                   slots[slot_index],
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +
 +               /*
 +                * Ignore error
 +                */
 +               rv = CKR_OK;
 +           }
 +       }
 +
 +       if (rv != CKR_OK) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
 +               current_provider->manufacturerID,
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           /*
 +            * Ignore error
 +            */
 +           rv = CKR_OK;
 +       }
 +
 +       if (slots != NULL) {
 +           _pkcs11h_mem_free ((void *)&slots);
 +           slots = NULL;
 +       }
 +
 +       if (!found) {
 +           current_provider = current_provider->next;
 +       }
 +   }
 +
 +   if (rv == CKR_OK && !found) {
 +       rv = CKR_SLOT_ID_INVALID;
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = current_provider->f->C_GetTokenInfo (selected_slot, &info)) == CKR_OK
 +   ) {
 +       rv = _pkcs11h_token_getTokenId (
 +           &info,
 +           p_token_id
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getTokenIdBySlotName return rv=%ld-'%s' *p_token_id=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_token_id
 +   );
 +
 +   return rv; 
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_locate_getTokenIdByLabel (
 +   IN const char * const label,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +) {
 +   pkcs11h_provider_t current_provider = NULL;
 +
 +   CK_SLOT_ID selected_slot = PKCS11H_INVALID_SLOT_ID;
 +   CK_TOKEN_INFO info;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_BOOL found = FALSE;
 +
 +   PKCS11H_ASSERT (label!=NULL);
 +   PKCS11H_ASSERT (p_token_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getTokenIdByLabel entry label='%s', p_token_id=%p",
 +       label,
 +       (void *)p_token_id
 +   );
 +
 +   *p_token_id = NULL;
 +
 +   current_provider = s_pkcs11h_data->providers;
 +   while (
 +       current_provider != NULL &&
 +       rv == CKR_OK &&
 +       !found
 +   ) {
 +       CK_SLOT_ID_PTR slots = NULL;
 +       CK_ULONG slotnum;
 +       CK_SLOT_ID slot_index;
 +
 +       if (!current_provider->enabled) {
 +           rv = CKR_CRYPTOKI_NOT_INITIALIZED;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_getSlotList (
 +               current_provider,
 +               CK_TRUE,
 +               &slots,
 +               &slotnum
 +           );
 +       }
 +
 +       for (
 +           slot_index=0;
 +           (
 +               slot_index < slotnum &&
 +               rv == CKR_OK &&
 +               !found
 +           );
 +           slot_index++
 +       ) {
 +           CK_TOKEN_INFO info;
 +
 +           if (rv == CKR_OK) {
 +               rv = current_provider->f->C_GetTokenInfo (
 +                   slots[slot_index],
 +                   &info
 +               );
 +           }
 +
 +           if (rv == CKR_OK) {
 +               char current_label[sizeof (info.label)+1];
 +       
 +               _pkcs11h_util_fixupFixedString (
 +                   current_label,
 +                   (char *)info.label,
 +                   sizeof (info.label)
 +               );
 +
 +               if (!strcmp (current_label, label)) {
 +                   found = TRUE;
 +                   selected_slot = slots[slot_index];
 +               }
 +           }
 +
 +           if (rv != CKR_OK) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Cannot get token information for provider '%s' slot %ld rv=%ld-'%s'",
 +                   current_provider->manufacturerID,
 +                   slots[slot_index],
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +
 +               /*
 +                * Ignore error
 +                */
 +               rv = CKR_OK;
 +           }
 +       }
 +
 +       if (rv != CKR_OK) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
 +               current_provider->manufacturerID,
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           /*
 +            * Ignore error
 +            */
 +           rv = CKR_OK;
 +       }
 +
 +       if (slots != NULL) {
 +           _pkcs11h_mem_free ((void *)&slots);
 +           slots = NULL;
 +       }
 +
 +       if (!found) {
 +           current_provider = current_provider->next;
 +       }
 +   }
 +
 +   if (rv == CKR_OK && !found) {
 +       rv = CKR_SLOT_ID_INVALID;
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = current_provider->f->C_GetTokenInfo (selected_slot, &info)) == CKR_OK
 +   ) {
 +       rv = _pkcs11h_token_getTokenId (
 +           &info,
 +           p_token_id
 +       );
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getTokenIdByLabel return rv=%ld-'%s', *p_token_id=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_token_id
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_locate_token (
 +   IN const char * const slot_type,
 +   IN const char * const slot,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +
 +   pkcs11h_token_id_t dummy_token_id = NULL;
 +   pkcs11h_token_id_t token_id = NULL;
 +   PKCS11H_BOOL found = FALSE;
 +   
 +   CK_RV rv = CKR_OK;
 +
 +   unsigned nRetry = 0;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (slot_type!=NULL);
 +   PKCS11H_ASSERT (slot!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +   PKCS11H_ASSERT (p_token_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_locate_token entry slot_type='%s', slot='%s', user_data=%p, p_token_id=%p",
 +       slot_type,
 +       slot,
 +       user_data,
 +       (void *)p_token_id
 +   );
 +
 +   *p_token_id = NULL;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_token_newTokenId (&dummy_token_id)) == CKR_OK
 +   ) {
 +       /*
 +        * Temperary slot id
 +        */
 +       strcpy (dummy_token_id->display, "SLOT(");
 +       strncat (dummy_token_id->display, slot_type, sizeof (dummy_token_id->display)-1-strlen
	(dummy_token_id->display));
 +       strncat (dummy_token_id->display, "=", sizeof (dummy_token_id->display)-1-strlen (dummy_token_id->display));
 +       strncat (dummy_token_id->display, slot, sizeof (dummy_token_id->display)-1-strlen (dummy_token_id->display));
 +       strncat (dummy_token_id->display, ")", sizeof (dummy_token_id->display)-1-strlen (dummy_token_id->display));
 +       dummy_token_id->display[sizeof (dummy_token_id->display)-1] = 0;
 +   }
 +
 +   while (rv == CKR_OK && !found) {
 +       if (!strcmp (slot_type, "id")) {
 +           rv = _pkcs11h_locate_getTokenIdBySlotId (
 +               slot,
 +               &token_id
 +           );
 +       }
 +       else if (!strcmp (slot_type, "name")) {
 +           rv = _pkcs11h_locate_getTokenIdBySlotName (
 +               slot,
 +               &token_id
 +           );
 +       }
 +       else if (!strcmp (slot_type, "label")) {
 +           rv = _pkcs11h_locate_getTokenIdByLabel (
 +               slot,
 +               &token_id
 +           );
 +       }
 +       else {
 +           rv = CKR_ARGUMENTS_BAD;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           found = TRUE;
 +       }
 +
 +       /*
 +        * Ignore error, since we have what we
 +        * want in found.
 +        */
 +       if (rv != CKR_OK && rv != CKR_ARGUMENTS_BAD) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: pkcs11h_locate_token failed rv=%ld-'%s'",
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           rv = CKR_OK;
 +       }
 +
 +       if (rv == CKR_OK && !found && (mask_prompt & PKCS11H_PROMPT_MAST_ALLOW_CARD_PROMPT) == 0) {
 +           rv = CKR_TOKEN_NOT_PRESENT;
 +       }
 +
 +       if (rv == CKR_OK && !found) {
 +
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Calling token_prompt hook for '%s'",
 +               dummy_token_id->display
 +           );
 +   
 +           if (
 +               !s_pkcs11h_data->hooks.token_prompt (
 +                   s_pkcs11h_data->hooks.token_prompt_data,
 +                   user_data,
 +                   dummy_token_id,
 +                   nRetry++
 +               )
 +           ) {
 +               rv = CKR_CANCEL;
 +           }
 +
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: token_prompt returned %ld",
 +               rv
 +           );
 +       }
 +   }
 +
 +   if (rv == CKR_OK && !found) {
 +       rv = CKR_SLOT_ID_INVALID;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_token_id = token_id;
 +       token_id = NULL;
 +   }
 +
 +   if (dummy_token_id != NULL) {
 +       pkcs11h_token_freeTokenId (dummy_token_id);
 +       dummy_token_id = NULL;
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_locate_token return rv=%ld-'%s', *p_token_id=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_token_id
 +   );
 +
 +   return rv;
 +}
 +
 +#endif             /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +static
 +CK_RV
 +_pkcs11h_locate_getCertificateIdByLabel (
 +   IN const pkcs11h_session_t session,
 +   IN OUT const pkcs11h_certificate_id_t certificate_id,
 +   IN const char * const label
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   CK_OBJECT_CLASS cert_filter_class = CKO_CERTIFICATE;
 +   CK_ATTRIBUTE cert_filter[] = {
 +       {CKA_CLASS, &cert_filter_class, sizeof (cert_filter_class)},
 +       {CKA_LABEL, (CK_BYTE_PTR)label, strlen (label)}
 +   };
 +
 +   CK_OBJECT_HANDLE *objects = NULL;
 +   CK_ULONG objects_found = 0;
 +   CK_RV rv = CKR_OK;
 +
 +   CK_ULONG i;
 +
 +   PKCS11H_ASSERT (session!=NULL);
 +   PKCS11H_ASSERT (certificate_id!=NULL);
 +   PKCS11H_ASSERT (label!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getCertificateIdByLabel entry session=%p, certificate_id=%p, label='%s'",
 +       (void *)session,
 +       (void *)certificate_id,
 +       label
 +   );
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_validate (session);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_findObjects (
 +           session,
 +           cert_filter,
 +           sizeof (cert_filter) / sizeof (CK_ATTRIBUTE),
 +           &objects,
 +           &objects_found
 +       );
 +   }
 +
 +   for (i=0;rv == CKR_OK && i < objects_found;i++) {
 +       CK_ATTRIBUTE attrs[] = {
 +           {CKA_ID, NULL, 0},
 +           {CKA_VALUE, NULL, 0}
 +       };
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_getObjectAttributes (
 +               session,
 +               objects[i],
 +               attrs,
 +               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +           );
 +       }
 +
 +       if (
 +           rv == CKR_OK &&
 +           _pkcs11h_certificate_isBetterCertificate (
 +               certificate_id->certificate_blob,
 +               certificate_id->certificate_blob_size,
 +               attrs[1].pValue,
 +               attrs[1].ulValueLen
 +           )
 +       ) {
 +           if (certificate_id->attrCKA_ID != NULL) {
 +               _pkcs11h_mem_free ((void *)&certificate_id->attrCKA_ID);
 +           }
 +           if (certificate_id->certificate_blob != NULL) {
 +               _pkcs11h_mem_free ((void *)&certificate_id->certificate_blob);
 +           }
 +           rv = _pkcs11h_mem_duplicate (
 +               (void *)&certificate_id->attrCKA_ID,
 +               &certificate_id->attrCKA_ID_size,
 +               attrs[0].pValue,
 +               attrs[0].ulValueLen
 +           );
 +           rv = _pkcs11h_mem_duplicate (
 +               (void *)&certificate_id->certificate_blob,
 +               &certificate_id->certificate_blob_size,
 +               attrs[1].pValue,
 +               attrs[1].ulValueLen
 +           );
 +       }
 +
 +       if (rv != CKR_OK) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Cannot get object attribute for provider '%s' object %ld rv=%ld-'%s'",
 +               session->provider->manufacturerID,
 +               objects[i],
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           /*
 +            * Ignore error
 +            */
 +           rv = CKR_OK;
 +       }
 +
 +       _pkcs11h_session_freeObjectAttributes (
 +           attrs,
 +           sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +       );
 +   }
 +   
 +   if (
 +       rv == CKR_OK &&
 +       certificate_id->certificate_blob == NULL
 +   ) {
 +       rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +   }
 +
 +   if (objects != NULL) {
 +       _pkcs11h_mem_free ((void *)&objects);
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   /*
 +    * No need to free allocated objects
 +    * on error, since the certificate_id
 +    * should be free by caller.
 +    */
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getCertificateIdByLabel return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_locate_getCertificateIdBySubject (
 +   IN const pkcs11h_session_t session,
 +   IN OUT const pkcs11h_certificate_id_t certificate_id,
 +   IN const char * const subject
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   CK_OBJECT_CLASS cert_filter_class = CKO_CERTIFICATE;
 +   CK_ATTRIBUTE cert_filter[] = {
 +       {CKA_CLASS, &cert_filter_class, sizeof (cert_filter_class)}
 +   };
 +
 +   CK_OBJECT_HANDLE *objects = NULL;
 +   CK_ULONG objects_found = 0;
 +   CK_RV rv = CKR_OK;
 +
 +   CK_ULONG i;
 +
 +   PKCS11H_ASSERT (session!=NULL);
 +   PKCS11H_ASSERT (certificate_id!=NULL);
 +   PKCS11H_ASSERT (subject!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getCertificateIdBySubject entry session=%p, certificate_id=%p, subject='%s'",
 +       (void *)session,
 +       (void *)certificate_id,
 +       subject
 +   );
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_validate (session);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_findObjects (
 +           session,
 +           cert_filter,
 +           sizeof (cert_filter) / sizeof (CK_ATTRIBUTE),
 +           &objects,
 +           &objects_found
 +       );
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   for (i=0;rv == CKR_OK && i < objects_found;i++) {
 +       CK_ATTRIBUTE attrs[] = {
 +           {CKA_ID, NULL, 0},
 +           {CKA_VALUE, NULL, 0}
 +       };
 +       char current_subject[1024];
 +       current_subject[0] = '\0';
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_getObjectAttributes (
 +               session,
 +               objects[i],
 +               attrs,
 +               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +           );
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_certificate_getDN (
 +               attrs[1].pValue,
 +               attrs[1].ulValueLen,
 +               current_subject,
 +               sizeof (current_subject)
 +           );
 +       }
 +
 +       if (
 +           rv == CKR_OK &&
 +           !strcmp (subject, current_subject) &&
 +           _pkcs11h_certificate_isBetterCertificate (
 +               certificate_id->certificate_blob,
 +               certificate_id->certificate_blob_size,
 +               attrs[1].pValue,
 +               attrs[1].ulValueLen
 +           )
 +       ) {
 +           if (certificate_id->attrCKA_ID != NULL) {
 +               _pkcs11h_mem_free ((void *)&certificate_id->attrCKA_ID);
 +           }
 +           if (certificate_id->certificate_blob != NULL) {
 +               _pkcs11h_mem_free ((void *)&certificate_id->certificate_blob);
 +           }
 +           rv = _pkcs11h_mem_duplicate (
 +               (void *)&certificate_id->attrCKA_ID,
 +               &certificate_id->attrCKA_ID_size,
 +               attrs[0].pValue,
 +               attrs[0].ulValueLen
 +           );
 +           rv = _pkcs11h_mem_duplicate (
 +               (void *)&certificate_id->certificate_blob,
 +               &certificate_id->certificate_blob_size,
 +               attrs[1].pValue,
 +               attrs[1].ulValueLen
 +           );
 +       }
 +
 +       if (rv != CKR_OK) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Cannot get object attribute for provider '%s' object %ld rv=%ld-'%s'",
 +               session->provider->manufacturerID,
 +               objects[i],
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           /*
 +            * Ignore error
 +            */
 +           rv = CKR_OK;
 +       }
 +
 +       _pkcs11h_session_freeObjectAttributes (
 +           attrs,
 +           sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +       );
 +   }
 +   
 +   if (
 +       rv == CKR_OK &&
 +       certificate_id->certificate_blob == NULL
 +   ) {
 +       rv = CKR_ATTRIBUTE_VALUE_INVALID;
 +   }
 +
 +   if (objects != NULL) {
 +       _pkcs11h_mem_free ((void *)&objects);
 +   }
 +
 +   /*
 +    * No need to free allocated objects
 +    * on error, since the certificate_id
 +    * should be free by caller.
 +    */
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_locate_getCertificateIdBySubject return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_locate_certificate (
 +   IN const char * const slot_type,
 +   IN const char * const slot,
 +   IN const char * const id_type,
 +   IN const char * const id,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_certificate_id_t * const p_certificate_id
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pkcs11h_certificate_id_t certificate_id = NULL;
 +   pkcs11h_session_t session = NULL;
 +   PKCS11H_BOOL op_succeed = FALSE;
 +   PKCS11H_BOOL login_retry = FALSE;
 +   
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (slot_type!=NULL);
 +   PKCS11H_ASSERT (slot!=NULL);
 +   PKCS11H_ASSERT (id_type!=NULL);
 +   PKCS11H_ASSERT (id!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +   PKCS11H_ASSERT (p_certificate_id!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_locateCertificate entry slot_type='%s', slot='%s', id_type='%s', id='%s', user_data=%p,
	mask_prompt=%08x, p_certificate_id=%p",
 +       slot_type,
 +       slot,
 +       id_type,
 +       id,
 +       user_data,
 +       mask_prompt,
 +       (void *)p_certificate_id
 +   );
 +
 +   *p_certificate_id = NULL;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_certificate_newCertificateId (&certificate_id);
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = pkcs11h_locate_token (
 +           slot_type,
 +           slot,
 +           user_data,
 +           mask_prompt,
 +           &certificate_id->token_id
 +       );
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_getSessionByTokenId (
 +           certificate_id->token_id,
 +           &session
 +       );
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   while (rv == CKR_OK && !op_succeed) {
 +       if (!strcmp (id_type, "id")) {
 +           certificate_id->attrCKA_ID_size = strlen (id)/2;
 +
 +           if (certificate_id->attrCKA_ID_size == 0) {
 +               rv = CKR_FUNCTION_FAILED;
 +           }
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = _pkcs11h_mem_malloc (
 +                   (void*)&certificate_id->attrCKA_ID,
 +                   certificate_id->attrCKA_ID_size
 +               )) == CKR_OK
 +           ) {
 +               _pkcs11h_util_hexToBinary (
 +                   certificate_id->attrCKA_ID,
 +                   id,
 +                   &certificate_id->attrCKA_ID_size
 +               );
 +           }
 +       }
 +       else if (!strcmp (id_type, "label")) {
 +           rv = _pkcs11h_locate_getCertificateIdByLabel (
 +               session,
 +               certificate_id,
 +               id
 +           );
 +       }
 +       else if (!strcmp (id_type, "subject")) {
 +           rv = _pkcs11h_locate_getCertificateIdBySubject (
 +               session,
 +               certificate_id,
 +               id
 +           );
 +       }
 +       else {
 +           rv = CKR_ARGUMENTS_BAD;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           op_succeed = TRUE;
 +       }
 +       else {
 +           if (!login_retry) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Get certificate failed: %ld:'%s'",
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +
 +               rv = _pkcs11h_session_login (
 +                   session,
 +                   TRUE,
 +                   TRUE,
 +                   user_data,
 +                   mask_prompt
 +               );
 +
 +               login_retry = TRUE;
 +           }
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       *p_certificate_id = certificate_id;
 +       certificate_id = NULL;
 +   }
 +
 +   if (certificate_id != NULL) {
 +       pkcs11h_certificate_freeCertificateId (certificate_id);
 +       certificate_id = NULL;
 +   }
 +
 +   if (session != NULL) {
 +       _pkcs11h_session_release (session);
 +       session = NULL;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_locateCertificate return rv=%ld-'%s' *p_certificate_id=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_certificate_id
 +   );
 +   
 +   return rv;
 +}
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#endif             /* ENABLE_PKCS11H_LOCATE */
 +
 +#if defined(ENABLE_PKCS11H_ENUM)
 +/*======================================================================*
 + * ENUM INTERFACE
 + *======================================================================*/
 +
 +#if defined(ENABLE_PKCS11H_TOKEN)
 +
 +CK_RV
 +pkcs11h_token_freeTokenIdList (
 +   IN const pkcs11h_token_id_list_t token_id_list
 +) {
 +   pkcs11h_token_id_list_t _id = token_id_list;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   /*PKCS11H_ASSERT (token_id_list!=NULL); NOT NEEDED*/
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=%p",
 +       (void *)token_id_list
 +   );
 +
 +   while (_id != NULL) {
 +       pkcs11h_token_id_list_t x = _id;
 +       _id = _id->next;
 +       if (x->token_id != NULL) {
 +           pkcs11h_token_freeTokenId (x->token_id);
 +       }
 +       x->next = NULL;
 +       _pkcs11h_mem_free ((void *)&x);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_freeTokenIdList return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_token_enumTokenIds (
 +   IN const int method,
 +   OUT pkcs11h_token_id_list_t * const p_token_id_list
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +
 +   pkcs11h_token_id_list_t token_id_list = NULL;
 +   pkcs11h_provider_t current_provider;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (p_token_id_list!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_enumTokenIds entry p_token_id_list=%p",
 +       (void *)p_token_id_list
 +   );
 +
 +   *p_token_id_list = NULL;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.global)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   for (
 +       current_provider = s_pkcs11h_data->providers;
 +       (
 +           current_provider != NULL &&
 +           rv == CKR_OK
 +       );
 +       current_provider = current_provider->next
 +   ) {
 +       CK_SLOT_ID_PTR slots = NULL;
 +       CK_ULONG slotnum;
 +       CK_SLOT_ID slot_index;
 +
 +       if (!current_provider->enabled) {
 +           rv = CKR_CRYPTOKI_NOT_INITIALIZED;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_getSlotList (
 +               current_provider,
 +               CK_TRUE,
 +               &slots,
 +               &slotnum
 +           );
 +       }
 +
 +       for (
 +           slot_index=0;
 +           (
 +               slot_index < slotnum &&
 +               rv == CKR_OK
 +           );
 +           slot_index++
 +       ) {
 +           pkcs11h_token_id_list_t entry = NULL;
 +           CK_TOKEN_INFO info;
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_mem_malloc ((void *)&entry, sizeof (struct pkcs11h_token_id_list_s));
 +           }
 +
 +           if (rv == CKR_OK) {
 +               rv = current_provider->f->C_GetTokenInfo (
 +                   slots[slot_index],
 +                   &info
 +               );
 +           }
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_token_getTokenId (
 +                   &info,
 +                   &entry->token_id
 +               );
 +           }
 +
 +           if (rv == CKR_OK) {
 +               entry->next = token_id_list;
 +               token_id_list = entry;
 +               entry = NULL;
 +           }
 +
 +           if (entry != NULL) {
 +               pkcs11h_token_freeTokenIdList (entry);
 +               entry = NULL;
 +           }
 +       }
 +
 +       if (rv != CKR_OK) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
 +               current_provider->manufacturerID,
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           /*
 +            * Ignore error
 +            */
 +           rv = CKR_OK;
 +       }
 +
 +       if (slots != NULL) {
 +           _pkcs11h_mem_free ((void *)&slots);
 +           slots = NULL;
 +       }
 +   }
 +
 +   if (rv == CKR_OK && method == PKCS11H_ENUM_METHOD_CACHE) {
 +       pkcs11h_session_t session = NULL;
 +
 +       for (
 +           session = s_pkcs11h_data->sessions;
 +           session != NULL && rv == CKR_OK;
 +           session = session->next
 +       ) {
 +           pkcs11h_token_id_list_t entry = NULL;
 +           PKCS11H_BOOL found = FALSE;
 +
 +           for (
 +               entry = token_id_list;
 +               entry != NULL && !found;
 +               entry = entry->next
 +           ) {
 +               if (
 +                   pkcs11h_token_sameTokenId (
 +                       session->token_id,
 +                       entry->token_id
 +                   )
 +               ) {
 +                   found = TRUE;
 +               }
 +           }
 +
 +           if (!found) {
 +               entry = NULL;
 +
 +               if (rv == CKR_OK) {
 +                   rv = _pkcs11h_mem_malloc (
 +                       (void *)&entry,
 +                       sizeof (struct pkcs11h_token_id_list_s)
 +                   );
 +               }
 +
 +               if (rv == CKR_OK) {
 +                   rv = pkcs11h_token_duplicateTokenId (
 +                       &entry->token_id,
 +                       session->token_id
 +                   );
 +               }
 +
 +               if (rv == CKR_OK) {
 +                   entry->next = token_id_list;
 +                   token_id_list = entry;
 +                   entry = NULL;
 +               }
 +
 +               if (entry != NULL) {
 +                   if (entry->token_id != NULL) {
 +                       pkcs11h_token_freeTokenId (entry->token_id);
 +                   }
 +                   _pkcs11h_mem_free ((void *)&entry);
 +               }
 +           }
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_token_id_list = token_id_list;
 +       token_id_list = NULL;
 +   }
 +
 +   if (token_id_list != NULL) {
 +       pkcs11h_token_freeTokenIdList (token_id_list);
 +       token_id_list = NULL;
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       rv = _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.global);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_enumTokenIds return rv=%ld-'%s', *p_token_id_list=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)p_token_id_list
 +   );
 +   
 +   return rv;
 +}
 +
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_DATA)
 +
 +CK_RV
 +pkcs11h_data_freeDataIdList (
 +   IN const pkcs11h_data_id_list_t data_id_list
 +) {
 +   pkcs11h_data_id_list_t _id = data_id_list;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   /*PKCS11H_ASSERT (data_id_list!=NULL); NOT NEEDED*/
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_freeDataIdList entry token_id_list=%p",
 +       (void *)data_id_list
 +   );
 +
 +   while (_id != NULL) {
 +       pkcs11h_data_id_list_t x = _id;
 +       _id = _id->next;
 +
 +       if (x->application != NULL) {
 +           _pkcs11h_mem_free ((void *)&x->application);
 +       }
 +       if (x->label != NULL) {
 +           _pkcs11h_mem_free ((void *)&x->label);
 +       }
 +       _pkcs11h_mem_free ((void *)&x);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_token_freeDataIdList return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_data_enumDataObjects (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL is_public,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_data_id_list_t * const p_data_id_list
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pkcs11h_session_t session = NULL;
 +   pkcs11h_data_id_list_t data_id_list = NULL;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_BOOL op_succeed = FALSE;
 +   PKCS11H_BOOL login_retry = FALSE;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (p_data_id_list!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_data_enumDataObjects entry token_id=%p, is_public=%d, user_data=%p, mask_prompt=%08x,
	p_data_id_list=%p",
 +       (void *)token_id,
 +       is_public ? 1 : 0,
 +       user_data,
 +       mask_prompt,
 +       (void *)p_data_id_list
 +   );
 +
 +   *p_data_id_list = NULL;
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_session_getSessionByTokenId (
 +           token_id,
 +           &session
 +       );
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   while (rv == CKR_OK && !op_succeed) {
 +
 +       CK_OBJECT_CLASS class = CKO_DATA;
 +       CK_ATTRIBUTE filter[] = {
 +           {CKA_CLASS, (void *)&class, sizeof (class)}
 +       };
 +       CK_OBJECT_HANDLE *objects = NULL;
 +       CK_ULONG objects_found = 0;
 +
 +       CK_ULONG i;
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_validate (session);
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_findObjects (
 +               session,
 +               filter,
 +               sizeof (filter) / sizeof (CK_ATTRIBUTE),
 +               &objects,
 +               &objects_found
 +           );
 +       }
 +
 +       for (i = 0;rv == CKR_OK && i < objects_found;i++) {
 +           pkcs11h_data_id_list_t entry = NULL;
 +
 +           CK_ATTRIBUTE attrs[] = {
 +               {CKA_APPLICATION, NULL, 0},
 +               {CKA_LABEL, NULL, 0}
 +           };
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_session_getObjectAttributes (
 +                   session,
 +                   objects[i],
 +                   attrs,
 +                   sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +               );
 +           }
 +           
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_mem_malloc (
 +                   (void *)&entry,
 +                   sizeof (struct pkcs11h_data_id_list_s)
 +               );
 +           }
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = _pkcs11h_mem_malloc (
 +                   (void *)&entry->application,
 +                   attrs[0].ulValueLen+1
 +               )) == CKR_OK
 +           ) {
 +               memmove (entry->application, attrs[0].pValue, attrs[0].ulValueLen);
 +               entry->application[attrs[0].ulValueLen] = '\0';
 +           }
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = _pkcs11h_mem_malloc (
 +                   (void *)&entry->label,
 +                   attrs[1].ulValueLen+1
 +               )) == CKR_OK
 +           ) {
 +               memmove (entry->label, attrs[1].pValue, attrs[1].ulValueLen);
 +               entry->label[attrs[1].ulValueLen] = '\0';
 +           }
 +
 +           if (rv == CKR_OK) {
 +               entry->next = data_id_list;
 +               data_id_list = entry;
 +               entry = NULL;
 +           }
 +
 +           _pkcs11h_session_freeObjectAttributes (
 +               attrs,
 +               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +           );
 +
 +           if (entry != NULL) {
 +               if (entry->application != NULL) {
 +                   _pkcs11h_mem_free ((void *)&entry->application);
 +               }
 +               if (entry->label != NULL) {
 +                   _pkcs11h_mem_free ((void *)&entry->label);
 +               }
 +               _pkcs11h_mem_free ((void *)&entry);
 +           }
 +       }
 +
 +       if (objects != NULL) {
 +           _pkcs11h_mem_free ((void *)&objects);
 +       }
 +
 +       if (rv == CKR_OK) {
 +           op_succeed = TRUE;
 +       }
 +       else {
 +           if (!login_retry) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Enumerate data objects failed rv=%ld-'%s'",
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +               login_retry = TRUE;
 +               rv = _pkcs11h_session_login (
 +                   session,
 +                   is_public,
 +                   TRUE,
 +                   user_data,
 +                   mask_prompt
 +               );
 +           }
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   if (rv == CKR_OK) {
 +       *p_data_id_list = data_id_list;
 +       data_id_list = NULL;
 +   }
 +
 +   if (session != NULL) {
 +       _pkcs11h_session_release (session);
 +       session = NULL;
 +   }
 +
 +   if (data_id_list != NULL) {
 +       pkcs11h_data_freeDataIdList (data_id_list);
 +       data_id_list = NULL;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_data_enumDataObjects return rv=%ld-'%s', *p_data_id_list=%p",
 +       rv,
 +       pkcs11h_getMessage (rv),
 +       (void *)*p_data_id_list
 +   );
 +   
 +   return rv;
 +}
 +
 +#endif             /* ENABLE_PKCS11H_DATA */
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_enumSessionCertificates (
 +   IN const pkcs11h_session_t session,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   PKCS11H_BOOL op_succeed = FALSE;
 +   PKCS11H_BOOL login_retry = FALSE;
 +
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (session!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=%p, user_data=%p, mask_prompt=%08x",
 +       (void *)session,
 +       user_data,
 +       mask_prompt
 +   );
 +   
 +   /* THREADS: NO NEED TO LOCK, GLOBAL CACHE IS LOCKED */
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&session->mutex)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   while (rv == CKR_OK && !op_succeed) {
 +       CK_OBJECT_CLASS cert_filter_class = CKO_CERTIFICATE;
 +       CK_ATTRIBUTE cert_filter[] = {
 +           {CKA_CLASS, &cert_filter_class, sizeof (cert_filter_class)}
 +       };
 +
 +       CK_OBJECT_HANDLE *objects = NULL;
 +       CK_ULONG objects_found = 0;
 +
 +       CK_ULONG i;
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_validate (session);
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_findObjects (
 +               session,
 +               cert_filter,
 +               sizeof (cert_filter) / sizeof (CK_ATTRIBUTE),
 +               &objects,
 +               &objects_found
 +           );
 +       }
 +           
 +       for (i=0;rv == CKR_OK && i < objects_found;i++) {
 +           pkcs11h_certificate_id_t certificate_id = NULL;
 +           pkcs11h_certificate_id_list_t new_element = NULL;
 +           
 +           CK_ATTRIBUTE attrs[] = {
 +               {CKA_ID, NULL, 0},
 +               {CKA_VALUE, NULL, 0}
 +           };
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_session_getObjectAttributes (
 +                   session,
 +                   objects[i],
 +                   attrs,
 +                   sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +               );
 +           }
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = _pkcs11h_certificate_newCertificateId (&certificate_id)) == CKR_OK
 +           ) {
 +               rv = pkcs11h_token_duplicateTokenId (
 +                   &certificate_id->token_id,
 +                   session->token_id
 +               );
 +           }
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_mem_duplicate (
 +                   (void*)&certificate_id->attrCKA_ID,
 +                   &certificate_id->attrCKA_ID_size,
 +                   attrs[0].pValue,
 +                   attrs[0].ulValueLen
 +               );
 +           }
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_mem_duplicate (
 +                   (void*)&certificate_id->certificate_blob,
 +                   &certificate_id->certificate_blob_size,
 +                   attrs[1].pValue,
 +                   attrs[1].ulValueLen
 +               );
 +           }
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_certificate_updateCertificateIdDescription (certificate_id);
 +           }
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = _pkcs11h_mem_malloc (
 +                   (void *)&new_element,
 +                   sizeof (struct pkcs11h_certificate_id_list_s)
 +               )) == CKR_OK
 +           ) {
 +               new_element->next = session->cached_certs;
 +               new_element->certificate_id = certificate_id;
 +               certificate_id = NULL;
 +
 +               session->cached_certs = new_element;
 +               new_element = NULL;
 +           }
 +
 +           if (certificate_id != NULL) {
 +               pkcs11h_certificate_freeCertificateId (certificate_id);
 +               certificate_id = NULL;
 +           }
 +
 +           if (new_element != NULL) {
 +               _pkcs11h_mem_free ((void *)&new_element);
 +               new_element = NULL;
 +           }
 +
 +           _pkcs11h_session_freeObjectAttributes (
 +               attrs,
 +               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +           );
 +
 +           if (rv != CKR_OK) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Cannot get object attribute for provider '%s' object %ld rv=%ld-'%s'",
 +                   session->provider->manufacturerID,
 +                   objects[i],
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +
 +               /*
 +                * Ignore error
 +                */
 +               rv = CKR_OK;
 +           }
 +       }
 +
 +       if (objects != NULL) {
 +           _pkcs11h_mem_free ((void *)&objects);
 +       }
 +
 +       if (rv == CKR_OK) {
 +           op_succeed = TRUE;
 +       }
 +       else {
 +           if (!login_retry) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Get certificate attributes failed: %ld:'%s'",
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +
 +               rv = _pkcs11h_session_login (
 +                   session,
 +                   TRUE,
 +                   TRUE,
 +                   user_data,
 +                   (mask_prompt & PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT)
 +               );
 +
 +               login_retry = TRUE;
 +           }
 +       }
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&session->mutex);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_certificate_splitCertificateIdList (
 +   IN const pkcs11h_certificate_id_list_t cert_id_all,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
 +) {
 +   typedef struct info_s {
 +       struct info_s *next;
 +       pkcs11h_certificate_id_t e;
 +#if defined(USE_PKCS11H_OPENSSL)
 +       X509 *x509;
 +#elif defined(USE_PKCS11H_GNUTLS)
 +       gnutls_x509_crt_t cert;
 +#endif
 +       PKCS11H_BOOL is_issuer;
 +   } *info_t;
 +
 +   pkcs11h_certificate_id_list_t cert_id_issuers_list = NULL;
 +   pkcs11h_certificate_id_list_t cert_id_end_list = NULL;
 +
 +   info_t head = NULL;
 +   info_t info = NULL;
 +
 +   CK_RV rv = CKR_OK;
 +
 +   /*PKCS11H_ASSERT (cert_id_all!=NULL); NOT NEEDED */
 +   /*PKCS11H_ASSERT (p_cert_id_issuers_list!=NULL); NOT NEEDED*/
 +   PKCS11H_ASSERT (p_cert_id_end_list!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_splitCertificateIdList entry cert_id_all=%p, p_cert_id_issuers_list=%p,
	p_cert_id_end_list=%p",
 +       (void *)cert_id_all,
 +       (void *)p_cert_id_issuers_list,
 +       (void *)p_cert_id_end_list
 +   );
 +
 +   if (p_cert_id_issuers_list != NULL) {
 +       *p_cert_id_issuers_list = NULL;
 +   }
 +   *p_cert_id_end_list = NULL;
 +
 +   if (rv == CKR_OK) {
 +       pkcs11h_certificate_id_list_t entry = NULL;
 +
 +       for (
 +           entry = cert_id_all;
 +           entry != NULL && rv == CKR_OK;
 +           entry = entry->next
 +       ) {
 +           info_t new_info = NULL;
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = _pkcs11h_mem_malloc ((void *)&new_info, sizeof (struct info_s))) == CKR_OK &&
 +               entry->certificate_id->certificate_blob != NULL
 +           ) {
 +#if defined(USE_PKCS11H_OPENSSL)
 +               pkcs11_openssl_d2i_t d2i = (pkcs11_openssl_d2i_t)entry->certificate_id->certificate_blob;
 +#endif
 +
 +               new_info->next = head;
 +               new_info->e = entry->certificate_id;
 +#if defined(USE_PKCS11H_OPENSSL)
 +               new_info->x509 = X509_new ();
 +               if (
 +                   new_info->x509 != NULL &&
 +                   !d2i_X509 (
 +                       &new_info->x509,
 +                       &d2i,
 +                       entry->certificate_id->certificate_blob_size
 +                   )
 +               ) {
 +                   X509_free (new_info->x509);
 +                   new_info->x509 = NULL;
 +               }
 +#elif defined(USE_PKCS11H_GNUTLS)
 +               if (gnutls_x509_crt_init (&new_info->cert) != GNUTLS_E_SUCCESS) {
 +                   /* gnutls sets output */
 +                   new_info->cert = NULL;
 +               }
 +               else {
 +                   gnutls_datum_t datum = {
 +                       entry->certificate_id->certificate_blob,
 +                       entry->certificate_id->certificate_blob_size
 +                   };
 +
 +                   if (
 +                       gnutls_x509_crt_import (
 +                           new_info->cert,
 +                           &datum,
 +                           GNUTLS_X509_FMT_DER
 +                       ) != GNUTLS_E_SUCCESS
 +                   ) {
 +                       gnutls_x509_crt_deinit (new_info->cert);
 +                       new_info->cert = NULL;
 +                   }
 +               }
 +#else
 +#error Invalid configuration.
 +#endif
 +               head = new_info;
 +               new_info = NULL;
 +           }
 +       }
 +
 +   }
 +
 +   if (rv == CKR_OK) {
 +       for (
 +           info = head;
 +           info != NULL;
 +           info = info->next
 +       ) {
 +           info_t info2 = NULL;
 +#if defined(USE_PKCS11H_OPENSSL)
 +           EVP_PKEY *pub = X509_get_pubkey (info->x509);
 +#endif
 +
 +           for (
 +               info2 = head;
 +               info2 != NULL && !info->is_issuer;
 +               info2 = info2->next
 +           ) {
 +               if (info != info2) {
 +#if defined(USE_PKCS11H_OPENSSL)
 +                   if (
 +                       info->x509 != NULL &&
 +                       info2->x509 != NULL &&
 +                       !X509_NAME_cmp (
 +                           X509_get_subject_name (info->x509),
 +                           X509_get_issuer_name (info2->x509)
 +                       ) &&
 +                       X509_verify (info2->x509, pub) == 1
 +                   ) {
 +                       info->is_issuer = TRUE;
 +                   }
 +#elif defined(USE_PKCS11H_GNUTLS)
 +                   unsigned result;
 +
 +                   if (
 +                       info->cert != NULL &&
 +                       info2->cert != NULL &&
 +                       gnutls_x509_crt_verify (
 +                           info2->cert,
 +                           &info->cert,
 +                           1,
 +                           0,
 +                           &result
 +                       ) &&
 +                       (result & GNUTLS_CERT_INVALID) == 0
 +                   ) {
 +                       info->is_issuer = TRUE;
 +                   }
 +#else
 +#error Invalid configuration.
 +#endif
 +               }
 +
 +           }
 +
 +#if defined(USE_PKCS11H_OPENSSL)
 +           if (pub != NULL) {
 +               EVP_PKEY_free (pub);
 +               pub = NULL;
 +           }
 +#endif
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       for (
 +           info = head;
 +           info != NULL && rv == CKR_OK;
 +           info = info->next
 +       ) {
 +           pkcs11h_certificate_id_list_t new_entry = NULL;
 +
 +           if (rv == CKR_OK) {
 +               rv = _pkcs11h_mem_malloc (
 +                   (void *)&new_entry,
 +                   sizeof (struct pkcs11h_certificate_id_list_s)
 +               );
 +           }
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = pkcs11h_certificate_duplicateCertificateId (
 +                   &new_entry->certificate_id,
 +                   info->e
 +               )) == CKR_OK
 +           ) {
 +               /*
 +                * Should not free base list
 +                */
 +               info->e = NULL;
 +           }
 +
 +           if (rv == CKR_OK) {
 +               if (info->is_issuer) {
 +                   new_entry->next = cert_id_issuers_list;
 +                   cert_id_issuers_list = new_entry;
 +                   new_entry = NULL;
 +               }
 +               else {
 +                   new_entry->next = cert_id_end_list;
 +                   cert_id_end_list = new_entry;
 +                   new_entry = NULL;
 +               }
 +           }
 +
 +           if (new_entry != NULL) {
 +               if (new_entry->certificate_id != NULL) {
 +                   pkcs11h_certificate_freeCertificateId (new_entry->certificate_id);
 +               }
 +               _pkcs11h_mem_free ((void *)&new_entry);
 +           }
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       while (head != NULL) {
 +           info_t entry = head;
 +           head = head->next;
 +
 +#if defined(USE_PKCS11H_OPENSSL)
 +           if (entry->x509 != NULL) {
 +               X509_free (entry->x509);
 +               entry->x509 = NULL;
 +           }
 +#elif defined(USE_PKCS11H_GNUTLS)
 +           if (entry->cert != NULL) {
 +               gnutls_x509_crt_deinit (entry->cert);
 +               entry->cert = NULL;
 +           }
 +#else
 +#error Invalid configuration.
 +#endif
 +
 +           _pkcs11h_mem_free ((void *)&entry);
 +       }
 +   }
 +
 +   if (rv == CKR_OK && p_cert_id_issuers_list != NULL ) {
 +       *p_cert_id_issuers_list = cert_id_issuers_list;
 +       cert_id_issuers_list = NULL;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       *p_cert_id_end_list = cert_id_end_list;
 +       cert_id_end_list = NULL;
 +   }
 +
 +   if (cert_id_issuers_list != NULL) {
 +       pkcs11h_certificate_freeCertificateIdList (cert_id_issuers_list);
 +   }
 +
 +   if (cert_id_end_list != NULL) {
 +       pkcs11h_certificate_freeCertificateIdList (cert_id_end_list);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_certificate_splitCertificateIdList return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_freeCertificateIdList (
 +   IN const pkcs11h_certificate_id_list_t cert_id_list
 +) {
 +   pkcs11h_certificate_id_list_t _id = cert_id_list;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   /*PKCS11H_ASSERT (cert_id_list!=NULL); NOT NEEDED*/
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=%p",
 +       (void *)cert_id_list
 +   );
 +
 +   while (_id != NULL) {
 +       pkcs11h_certificate_id_list_t x = _id;
 +       _id = _id->next;
 +       if (x->certificate_id != NULL) {
 +           pkcs11h_certificate_freeCertificateId (x->certificate_id);
 +       }
 +       x->next = NULL;
 +       _pkcs11h_mem_free ((void *)&x);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_freeCertificateIdList return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_enumTokenCertificateIds (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const int method,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pkcs11h_session_t session = NULL;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   PKCS11H_ASSERT (token_id!=NULL);
 +   /*PKCS11H_ASSERT (user_data) NOT NEEDED */
 +   /*PKCS11H_ASSERT (p_cert_id_issuers_list!=NULL); NOT NEEDED*/
 +   PKCS11H_ASSERT (p_cert_id_end_list!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_enumTokenCertificateIds entry token_id=%p, method=%d, user_data=%p,
	mask_prompt=%08x, p_cert_id_issuers_list=%p, p_cert_id_end_list=%p",
 +       (void *)token_id,
 +       method,
 +       user_data,
 +       mask_prompt,
 +       (void *)p_cert_id_issuers_list,
 +       (void *)p_cert_id_end_list
 +   );
 +
 +   if (p_cert_id_issuers_list != NULL) {
 +       *p_cert_id_issuers_list = NULL;
 +   }
 +   *p_cert_id_end_list = NULL;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.cache)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_session_getSessionByTokenId (
 +           token_id,
 +           &session
 +       )) == CKR_OK
 +   ) {
 +       if (method == PKCS11H_ENUM_METHOD_RELOAD) {
 +           pkcs11h_certificate_freeCertificateIdList (session->cached_certs);
 +           session->cached_certs = NULL;
 +       }
 +
 +       if (session->cached_certs == NULL) {
 +           rv = _pkcs11h_certificate_enumSessionCertificates (session, user_data, mask_prompt);
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_certificate_splitCertificateIdList (
 +           session->cached_certs,
 +           p_cert_id_issuers_list,
 +           p_cert_id_end_list
 +       );
 +   }
 +
 +   if (session != NULL) {
 +       _pkcs11h_session_release (session);
 +   }
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.cache);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_enumTokenCertificateIds return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +   
 +   return rv;
 +}
 +
 +CK_RV
 +pkcs11h_certificate_enumCertificateIds (
 +   IN const int method,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
 +) {
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   PKCS11H_BOOL mutex_locked = FALSE;
 +#endif
 +   pkcs11h_certificate_id_list_t cert_id_list = NULL;
 +   pkcs11h_provider_t current_provider;
 +   pkcs11h_session_t current_session;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_ASSERT (s_pkcs11h_data!=NULL);
 +   PKCS11H_ASSERT (s_pkcs11h_data->initialized);
 +   /*PKCS11H_ASSERT (user_data!=NULL); NOT NEEDED*/
 +   /*PKCS11H_ASSERT (p_cert_id_issuers_list!=NULL); NOT NEEDED*/
 +   PKCS11H_ASSERT (p_cert_id_end_list!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=%d, mask_prompt=%08x, p_cert_id_issuers_list=%p,
	p_cert_id_end_list=%p",
 +       method,
 +       mask_prompt,
 +       (void *)p_cert_id_issuers_list,
 +       (void *)p_cert_id_end_list
 +   );
 +
 +   if (p_cert_id_issuers_list != NULL) {
 +       *p_cert_id_issuers_list = NULL;
 +   }
 +   *p_cert_id_end_list = NULL;
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (
 +       rv == CKR_OK &&
 +       (rv = _pkcs11h_threading_mutexLock (&s_pkcs11h_data->mutexes.cache)) == CKR_OK
 +   ) {
 +       mutex_locked = TRUE;
 +   }
 +#endif
 +
 +   for (
 +       current_session = s_pkcs11h_data->sessions;
 +       current_session != NULL;
 +       current_session = current_session->next
 +   ) {
 +       current_session->touch = FALSE;
 +       if (method == PKCS11H_ENUM_METHOD_RELOAD) {
 +           pkcs11h_certificate_freeCertificateIdList (current_session->cached_certs);
 +           current_session->cached_certs = NULL;
 +       }
 +   }
 +
 +   for (
 +       current_provider = s_pkcs11h_data->providers;
 +       (
 +           current_provider != NULL &&
 +           rv == CKR_OK
 +       );
 +       current_provider = current_provider->next
 +   ) {
 +       CK_SLOT_ID_PTR slots = NULL;
 +       CK_ULONG slotnum;
 +       CK_SLOT_ID slot_index;
 +
 +       if (!current_provider->enabled) {
 +           rv = CKR_CRYPTOKI_NOT_INITIALIZED;
 +       }
 +
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_session_getSlotList (
 +               current_provider,
 +               CK_TRUE,
 +               &slots,
 +               &slotnum
 +           );
 +       }
 +
 +       for (
 +           slot_index=0;
 +           (
 +               slot_index < slotnum &&
 +               rv == CKR_OK
 +           );
 +           slot_index++
 +       ) {
 +           pkcs11h_session_t session = NULL;
 +           pkcs11h_token_id_t token_id = NULL;
 +           CK_TOKEN_INFO info;
 +
 +           if (rv == CKR_OK) {
 +               rv = current_provider->f->C_GetTokenInfo (
 +                   slots[slot_index],
 +                   &info
 +               );
 +           }
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = _pkcs11h_token_getTokenId (
 +                   &info,
 +                   &token_id
 +               )) == CKR_OK &&
 +               (rv = _pkcs11h_session_getSessionByTokenId (
 +                   token_id,
 +                   &session
 +               )) == CKR_OK
 +           ) {
 +               session->touch = TRUE;
 +
 +               if (session->cached_certs == NULL) {
 +                   rv = _pkcs11h_certificate_enumSessionCertificates (session, user_data, mask_prompt);
 +               }
 +           }
 +
 +           if (rv != CKR_OK) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Cannot get token information for provider '%s' slot %ld rv=%ld-'%s'",
 +                   current_provider->manufacturerID,
 +                   slots[slot_index],
 +                   rv,
 +                   pkcs11h_getMessage (rv)
 +               );
 +
 +               /*
 +                * Ignore error
 +                */
 +               rv = CKR_OK;
 +           }
 +
 +           if (session != NULL) {
 +               _pkcs11h_session_release (session);
 +               session = NULL;
 +           }
 +
 +           if (token_id != NULL) {
 +               pkcs11h_token_freeTokenId (token_id);
 +               token_id = NULL;
 +           }
 +       }
 +
 +       if (rv != CKR_OK) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Cannot get slot list for provider '%s' rv=%ld-'%s'",
 +               current_provider->manufacturerID,
 +               rv,
 +               pkcs11h_getMessage (rv)
 +           );
 +
 +           /*
 +            * Ignore error
 +            */
 +           rv = CKR_OK;
 +       }
 +
 +       if (slots != NULL) {
 +           _pkcs11h_mem_free ((void *)&slots);
 +           slots = NULL;
 +       }
 +   }
 +
 +   for (
 +       current_session = s_pkcs11h_data->sessions;
 +       (
 +           current_session != NULL &&
 +           rv == CKR_OK
 +       );
 +       current_session = current_session->next
 +   ) {
 +       if (
 +           method == PKCS11H_ENUM_METHOD_CACHE ||
 +           (
 +               (
 +                   method == PKCS11H_ENUM_METHOD_RELOAD ||
 +                   method == PKCS11H_ENUM_METHOD_CACHE_EXIST
 +               ) &&
 +               current_session->touch
 +           )
 +       ) {
 +           pkcs11h_certificate_id_list_t entry = NULL;
 +
 +           for (
 +               entry = current_session->cached_certs;
 +               (
 +                   entry != NULL &&
 +                   rv == CKR_OK
 +               );
 +               entry = entry->next
 +           ) {
 +               pkcs11h_certificate_id_list_t new_entry = NULL;
 +
 +               if (
 +                   rv == CKR_OK &&
 +                   (rv = _pkcs11h_mem_malloc (
 +                       (void *)&new_entry,
 +                       sizeof (struct pkcs11h_certificate_id_list_s)
 +                   )) == CKR_OK &&
 +                   (rv = pkcs11h_certificate_duplicateCertificateId (
 +                       &new_entry->certificate_id,
 +                       entry->certificate_id
 +                   )) == CKR_OK
 +               ) {
 +                   new_entry->next = cert_id_list;
 +                   cert_id_list = new_entry;
 +                   new_entry = NULL;
 +               }
 +
 +               if (new_entry != NULL) {
 +                   new_entry->next = NULL;
 +                   pkcs11h_certificate_freeCertificateIdList (new_entry);
 +                   new_entry = NULL;
 +               }
 +           }
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       rv = _pkcs11h_certificate_splitCertificateIdList (
 +           cert_id_list,
 +           p_cert_id_issuers_list,
 +           p_cert_id_end_list
 +       );
 +   }
 +
 +   if (cert_id_list != NULL) {
 +       pkcs11h_certificate_freeCertificateIdList (cert_id_list);
 +       cert_id_list = NULL;
 +   }
 +
 +
 +#if defined(ENABLE_PKCS11H_THREADING)
 +   if (mutex_locked) {
 +       _pkcs11h_threading_mutexRelease (&s_pkcs11h_data->mutexes.cache);
 +       mutex_locked = FALSE;
 +   }
 +#endif
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +   
 +   return rv;
 +}
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#endif             /* ENABLE_PKCS11H_ENUM */
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT)
 +/*======================================================================*
 + * SLOTEVENT INTERFACE
 + *======================================================================*/
 +
 +static
 +unsigned long
 +_pkcs11h_slotevent_checksum (
 +   IN const unsigned char * const p,
 +   IN const size_t s
 +) {
 +   unsigned long r = 0;
 +   size_t i;
 +   for (i=0;i<s;i++) {
 +       r += p[i];
 +   }
 +   return r;
 +}
 +
 +static
 +void *
 +_pkcs11h_slotevent_provider (
 +   IN void *p
 +) {
 +   pkcs11h_provider_t provider = (pkcs11h_provider_t)p;
 +   CK_SLOT_ID slot;
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_provider provider='%s' entry",
 +       provider->manufacturerID
 +   );
 +
 +   if (rv == CKR_OK && !provider->enabled) {
 +       rv = CKR_OPERATION_NOT_INITIALIZED;
 +   }
 +
 +   if (rv == CKR_OK) {
 +
 +       if (provider->slot_poll_interval == 0) {
 +           provider->slot_poll_interval = PKCS11H_DEFAULT_SLOTEVENT_POLL;
 +       }
 +
 +       /*
 +        * If we cannot finalize, we cannot cause
 +        * WaitForSlotEvent to terminate
 +        */
 +       if (!provider->should_finalize) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Setup slotevent provider='%s' mode hardset to poll",
 +               provider->manufacturerID
 +           );
 +           provider->slot_event_method = PKCS11H_SLOTEVENT_METHOD_POLL;
 +       }
 +
 +       if (
 +           provider->slot_event_method == PKCS11H_SLOTEVENT_METHOD_AUTO ||
 +           provider->slot_event_method == PKCS11H_SLOTEVENT_METHOD_TRIGGER
 +       ) { 
 +           if (
 +               provider->f->C_WaitForSlotEvent (
 +                   CKF_DONT_BLOCK,
 +                   &slot,
 +                   NULL_PTR
 +               ) == CKR_FUNCTION_NOT_SUPPORTED
 +           ) {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Setup slotevent provider='%s' mode is poll",
 +                   provider->manufacturerID
 +               );
 +
 +               provider->slot_event_method = PKCS11H_SLOTEVENT_METHOD_POLL;
 +           }
 +           else {
 +               PKCS11H_DEBUG (
 +                   PKCS11H_LOG_DEBUG1,
 +                   "PKCS#11: Setup slotevent provider='%s' mode is trigger",
 +                   provider->manufacturerID
 +               );
 +
 +               provider->slot_event_method = PKCS11H_SLOTEVENT_METHOD_TRIGGER;
 +           }
 +       }
 +   }
 +
 +   if (provider->slot_event_method == PKCS11H_SLOTEVENT_METHOD_TRIGGER) {
 +       while (
 +           !s_pkcs11h_data->slotevent.should_terminate &&
 +           provider->enabled &&
 +           rv == CKR_OK &&
 +           (rv = provider->f->C_WaitForSlotEvent (
 +               0,
 +               &slot,
 +               NULL_PTR
 +           )) == CKR_OK
 +       ) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Slotevent provider='%s' event",
 +               provider->manufacturerID
 +           );
 +
 +           _pkcs11h_threading_condSignal (&s_pkcs11h_data->slotevent.cond_event);
 +       }
 +   }
 +   else {
 +       unsigned long ulLastChecksum = 0;
 +       PKCS11H_BOOL is_first_time = TRUE;
 +
 +       while (
 +           !s_pkcs11h_data->slotevent.should_terminate &&
 +           provider->enabled &&
 +           rv == CKR_OK
 +       ) {
 +           unsigned long ulCurrentChecksum = 0;
 +
 +           CK_SLOT_ID_PTR slots = NULL;
 +           CK_ULONG slotnum;
 +
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Slotevent provider='%s' poll",
 +               provider->manufacturerID
 +           );
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = _pkcs11h_session_getSlotList (
 +                   provider,
 +                   TRUE,
 +                   &slots,
 +                   &slotnum
 +               )) == CKR_OK
 +           ) {
 +               CK_ULONG i;
 +               
 +               for (i=0;i<slotnum;i++) {
 +                   CK_TOKEN_INFO info;
 +
 +                   if (provider->f->C_GetTokenInfo (slots[i], &info) == CKR_OK) {
 +                       ulCurrentChecksum += (
 +                           _pkcs11h_slotevent_checksum (
 +                               info.label,
 +                               sizeof (info.label)
 +                           ) +
 +                           _pkcs11h_slotevent_checksum (
 +                               info.manufacturerID,
 +                               sizeof (info.manufacturerID)
 +                           ) +
 +                           _pkcs11h_slotevent_checksum (
 +                               info.model,
 +                               sizeof (info.model)
 +                           ) +
 +                           _pkcs11h_slotevent_checksum (
 +                               info.serialNumber,
 +                               sizeof (info.serialNumber)
 +                           )
 +                       );
 +                   }
 +               }
 +           }
 +           
 +           if (rv == CKR_OK) {
 +               if (is_first_time) {
 +                   is_first_time = FALSE;
 +               }
 +               else {
 +                   if (ulLastChecksum != ulCurrentChecksum) {
 +                       PKCS11H_DEBUG (
 +                           PKCS11H_LOG_DEBUG1,
 +                           "PKCS#11: Slotevent provider='%s' event",
 +                           provider->manufacturerID
 +                       );
 +
 +                       _pkcs11h_threading_condSignal (&s_pkcs11h_data->slotevent.cond_event);
 +                   }
 +               }
 +               ulLastChecksum = ulCurrentChecksum;
 +           }
 +
 +           if (slots != NULL) {
 +               _pkcs11h_mem_free ((void *)&slots);
 +           }
 +           
 +           if (!s_pkcs11h_data->slotevent.should_terminate) {
 +               _pkcs11h_threading_sleep (provider->slot_poll_interval);
 +           }
 +       }
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_provider provider='%s' return",
 +       provider->manufacturerID
 +   );
 +
 +   return NULL;
 +}
 +
 +static
 +void *
 +_pkcs11h_slotevent_manager (
 +   IN void *p
 +) {
 +   PKCS11H_BOOL first_time = TRUE;
 +
 +   (void)p;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_manager entry"
 +   );
 +
 +   /*
 +    * Trigger hook, so application may
 +    * depend on initial slot change
 +    */
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG1,
 +       "PKCS#11: Calling slotevent hook"
 +   );
 +   s_pkcs11h_data->hooks.slotevent (s_pkcs11h_data->hooks.slotevent_data);
 +
 +   while (
 +       first_time ||   /* Must enter wait or mutex will never be free */
 +       !s_pkcs11h_data->slotevent.should_terminate
 +   ) {
 +       pkcs11h_provider_t current_provider;
 +
 +       first_time = FALSE;
 +
 +       /*
 +        * Start each provider thread
 +        * if not already started.
 +        * This is required in order to allow
 +        * adding new providers.
 +        */
 +       for (
 +           current_provider = s_pkcs11h_data->providers;
 +           current_provider != NULL;
 +           current_provider = current_provider->next
 +       ) {
 +           if (!current_provider->enabled) {
 +               if (current_provider->slotevent_thread == PKCS11H_THREAD_NULL) {
 +                   _pkcs11h_threading_threadStart (
 +                       &current_provider->slotevent_thread,
 +                       _pkcs11h_slotevent_provider,
 +                       current_provider
 +                   );
 +               }
 +           }
 +           else {
 +               if (current_provider->slotevent_thread != PKCS11H_THREAD_NULL) {
 +                   _pkcs11h_threading_threadJoin (&current_provider->slotevent_thread);
 +               }
 +           }
 +       }
 +
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG2,
 +           "PKCS#11: _pkcs11h_slotevent_manager waiting for slotevent"
 +       );
 +       _pkcs11h_threading_condWait (&s_pkcs11h_data->slotevent.cond_event, PKCS11H_COND_INFINITE);
 +
 +       if (s_pkcs11h_data->slotevent.skip_event) {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Slotevent skipping event"
 +           );
 +           s_pkcs11h_data->slotevent.skip_event = FALSE;
 +       }
 +       else {
 +           PKCS11H_DEBUG (
 +               PKCS11H_LOG_DEBUG1,
 +               "PKCS#11: Calling slotevent hook"
 +           );
 +           s_pkcs11h_data->hooks.slotevent (s_pkcs11h_data->hooks.slotevent_data);
 +       }
 +   }
 +
 +   {
 +       pkcs11h_provider_t current_provider;
 +
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG2,
 +           "PKCS#11: _pkcs11h_slotevent_manager joining threads"
 +       );
 +
 +
 +       for (
 +           current_provider = s_pkcs11h_data->providers;
 +           current_provider != NULL;
 +           current_provider = current_provider->next
 +       ) {
 +           if (current_provider->slotevent_thread != PKCS11H_THREAD_NULL) {
 +               _pkcs11h_threading_threadJoin (&current_provider->slotevent_thread);
 +           }
 +       }
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_manager return"
 +   );
 +
 +   return NULL;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_slotevent_init () {
 +   CK_RV rv = CKR_OK;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_init entry"
 +   );
 +
 +   if (!s_pkcs11h_data->slotevent.initialized) {
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_threading_condInit (&s_pkcs11h_data->slotevent.cond_event);
 +       }
 +       
 +       if (rv == CKR_OK) {
 +           rv = _pkcs11h_threading_threadStart (
 +               &s_pkcs11h_data->slotevent.thread,
 +               _pkcs11h_slotevent_manager,
 +               NULL
 +           );
 +       }
 +       
 +       if (rv == CKR_OK) {
 +           s_pkcs11h_data->slotevent.initialized = TRUE;
 +       }
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_init return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_slotevent_notify () {
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_notify entry"
 +   );
 +
 +   if (s_pkcs11h_data->slotevent.initialized) {
 +       s_pkcs11h_data->slotevent.skip_event = TRUE;
 +       _pkcs11h_threading_condSignal (&s_pkcs11h_data->slotevent.cond_event);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_notify return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +static
 +CK_RV
 +_pkcs11h_slotevent_terminate () {
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_terminate entry"
 +   );
 +
 +   if (s_pkcs11h_data->slotevent.initialized) {
 +       s_pkcs11h_data->slotevent.should_terminate = TRUE;
 +
 +       _pkcs11h_slotevent_notify ();
 +
 +       if (s_pkcs11h_data->slotevent.thread != PKCS11H_THREAD_NULL) {
 +           _pkcs11h_threading_threadJoin (&s_pkcs11h_data->slotevent.thread);
 +       }
 +
 +       _pkcs11h_threading_condFree (&s_pkcs11h_data->slotevent.cond_event);
 +       s_pkcs11h_data->slotevent.initialized = FALSE;
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_slotevent_terminate return"
 +   );
 +
 +   return CKR_OK;
 +}
 +
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_OPENSSL)
 +/*======================================================================*
 + * OPENSSL INTERFACE
 + *======================================================================*/
 +
 +static
 +pkcs11h_openssl_session_t
 +_pkcs11h_openssl_get_openssl_session (
 +   IN OUT const RSA *rsa
 +) {
 +   pkcs11h_openssl_session_t session;
 +       
 +   PKCS11H_ASSERT (rsa!=NULL);
 +#if OPENSSL_VERSION_NUMBER < 0x00907000L
 +   session = (pkcs11h_openssl_session_t)RSA_get_app_data ((RSA *)rsa);
 +#else
 +   session = (pkcs11h_openssl_session_t)RSA_get_app_data (rsa);
 +#endif
 +   PKCS11H_ASSERT (session!=NULL);
 +
 +   return session;
 +}
 +
 +static
 +pkcs11h_certificate_t
 +_pkcs11h_openssl_get_pkcs11h_certificate (
 +   IN OUT const RSA *rsa
 +) {
 +   pkcs11h_openssl_session_t session = _pkcs11h_openssl_get_openssl_session (rsa);
 +   
 +   PKCS11H_ASSERT (session!=NULL);
 +   PKCS11H_ASSERT (session->certificate!=NULL);
 +
 +   return session->certificate;
 +}
 +
 +#if OPENSSL_VERSION_NUMBER < 0x00907000L
 +static
 +int
 +_pkcs11h_openssl_dec (
 +   IN int flen,
 +   IN unsigned char *from,
 +   OUT unsigned char *to,
 +   IN OUT RSA *rsa,
 +   IN int padding
 +) {
 +#else
 +static
 +int
 +_pkcs11h_openssl_dec (
 +   IN int flen,
 +   IN const unsigned char *from,
 +   OUT unsigned char *to,
 +   IN OUT RSA *rsa,
 +   IN int padding
 +) {
 +#endif
 +   PKCS11H_ASSERT (from!=NULL);
 +   PKCS11H_ASSERT (to!=NULL);
 +   PKCS11H_ASSERT (rsa!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_openssl_dec entered - flen=%d, from=%p, to=%p, rsa=%p, padding=%d",
 +       flen,
 +       from,
 +       to,
 +       (void *)rsa,
 +       padding
 +   );
 +
 +   PKCS11H_LOG (
 +       PKCS11H_LOG_ERROR,
 +       "PKCS#11: Private key decryption is not supported"
 +   );
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_openssl_dec return"
 +   );
 +
 +   return -1;
 +}
 +
 +#if OPENSSL_VERSION_NUMBER < 0x00907000L
 +static
 +int
 +_pkcs11h_openssl_sign (
 +   IN int type,
 +   IN unsigned char *m,
 +   IN unsigned int m_len,
 +   OUT unsigned char *sigret,
 +   OUT unsigned int *siglen,
 +   IN OUT RSA *rsa
 +) {
 +#else
 +static
 +int
 +_pkcs11h_openssl_sign (
 +   IN int type,
 +   IN const unsigned char *m,
 +   IN unsigned int m_len,
 +   OUT unsigned char *sigret,
 +   OUT unsigned int *siglen,
 +   IN OUT const RSA *rsa
 +) {
 +#endif
 +   pkcs11h_certificate_t certificate = _pkcs11h_openssl_get_pkcs11h_certificate (rsa);
 +   PKCS11H_BOOL session_locked = FALSE;
 +   CK_RV rv = CKR_OK;
 +
 +   int myrsa_size = 0;
 +   
 +   unsigned char *enc_alloc = NULL;
 +   unsigned char *enc = NULL;
 +   int enc_len = 0;
 +
 +   PKCS11H_ASSERT (m!=NULL);
 +   PKCS11H_ASSERT (sigret!=NULL);
 +   PKCS11H_ASSERT (siglen!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_openssl_sign entered - type=%d, m=%p, m_len=%u, signret=%p, *signlen=%u, rsa=%p",
 +       type,
 +       m,
 +       m_len,
 +       sigret,
 +       sigret != NULL ? *siglen : 0,
 +       (void *)rsa
 +   );
 +
 +   if (rv == CKR_OK) {
 +       myrsa_size=RSA_size(rsa);
 +   }
 +
 +   if (type == NID_md5_sha1) {
 +       if (rv == CKR_OK) {
 +           enc = (unsigned char *)m;
 +           enc_len = m_len;
 +       }
 +   }
 +   else {
 +       X509_SIG sig;
 +       ASN1_TYPE parameter;
 +       X509_ALGOR algor;
 +       ASN1_OCTET_STRING digest;
 +       unsigned char *p = NULL;
 +
 +       if (
 +           rv == CKR_OK &&
 +           (rv = _pkcs11h_mem_malloc ((void*)&enc, myrsa_size+1)) == CKR_OK
 +       ) {
 +           enc_alloc = enc;
 +       }
 +       
 +       if (rv == CKR_OK) {
 +           sig.algor = &algor;
 +       }
 +
 +       if (
 +           rv == CKR_OK &&
 +           (sig.algor->algorithm = OBJ_nid2obj (type)) == NULL
 +       ) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +   
 +       if (
 +           rv == CKR_OK &&
 +           sig.algor->algorithm->length == 0
 +       ) {
 +           rv = CKR_KEY_SIZE_RANGE;
 +       }
 +   
 +       if (rv == CKR_OK) {
 +           parameter.type = V_ASN1_NULL;
 +           parameter.value.ptr = NULL;
 +   
 +           sig.algor->parameter = &parameter;
 +
 +           sig.digest = &digest;
 +           sig.digest->data = (unsigned char *)m;
 +           sig.digest->length = m_len;
 +       }
 +   
 +       if (
 +           rv == CKR_OK &&
 +           (enc_len=i2d_X509_SIG (&sig, NULL)) < 0
 +       ) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +
 +       /*
 +        * d_X509_SIG increments pointer!
 +        */
 +       p = enc;
 +   
 +       if (
 +           rv == CKR_OK &&
 +           (enc_len=i2d_X509_SIG (&sig, &p)) < 0
 +       ) {
 +           rv = CKR_FUNCTION_FAILED;
 +       }
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       enc_len > (myrsa_size-RSA_PKCS1_PADDING_SIZE)
 +   ) {
 +       rv = CKR_KEY_SIZE_RANGE;
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_certificate_lockSession (certificate)) == CKR_OK
 +   ) {
 +       session_locked = TRUE;
 +   }
 +
 +   if (rv == CKR_OK) {
 +       PKCS11H_DEBUG (
 +           PKCS11H_LOG_DEBUG1,
 +           "PKCS#11: Performing signature"
 +       );
 +
 +       *siglen = myrsa_size;
 +
 +       if (
 +           (rv = pkcs11h_certificate_signAny (
 +               certificate,
 +               CKM_RSA_PKCS,
 +               enc,
 +               enc_len,
 +               sigret,
 +               siglen
 +           )) != CKR_OK
 +       ) {
 +           PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot perform signature %ld:'%s'", rv, pkcs11h_getMessage (rv));
 +       }
 +   }
 +
 +   if (session_locked) {
 +       pkcs11h_certificate_releaseSession (certificate);
 +       session_locked = FALSE;
 +   }
 +
 +   if (enc_alloc != NULL) {
 +       _pkcs11h_mem_free ((void *)&enc_alloc);
 +   }
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_openssl_sign - return rv=%ld-'%s'",
 +       rv,
 +       pkcs11h_getMessage (rv)
 +   );
 +
 +   return rv == CKR_OK ? 1 : -1; 
 +}
 +
 +static
 +int
 +_pkcs11h_openssl_finish (
 +   IN OUT RSA *rsa
 +) {
 +   pkcs11h_openssl_session_t openssl_session = _pkcs11h_openssl_get_openssl_session (rsa);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_openssl_finish - entered rsa=%p",
 +       (void *)rsa
 +   );
 +
 +   RSA_set_app_data (rsa, NULL);
 +   
 +   if (openssl_session->orig_finish != NULL) {
 +       openssl_session->orig_finish (rsa);
 +
 +#ifdef BROKEN_OPENSSL_ENGINE
 +       {
 +           /* We get called TWICE here, once for
 +            * releasing the key and also for
 +            * releasing the engine.
 +            * To prevent endless recursion, FIRST
 +            * clear rsa->engine, THEN call engine->finish
 +            */
 +           ENGINE *e = rsa->engine;
 +           rsa->engine = NULL;
 +           if (e) {
 +               ENGINE_finish(e);
 +           }
 +       }
 +#endif
 +   }
 +
 +   pkcs11h_openssl_freeSession (openssl_session);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: _pkcs11h_openssl_finish - return"
 +   );
 +   
 +   return 1;
 +}
 +
 +X509 *
 +pkcs11h_openssl_getX509 (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +   unsigned char *certificate_blob = NULL;
 +   size_t certificate_blob_size = 0;
 +   X509 *x509 = NULL;
 +   CK_RV rv = CKR_OK;
 +
 +   pkcs11_openssl_d2i_t d2i1 = NULL;
 +   PKCS11H_BOOL ok = TRUE;
 +
 +   PKCS11H_ASSERT (certificate!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_getX509 - entry certificate=%p",
 +       (void *)certificate
 +   );
 +
 +   if (
 +       ok &&
 +       (x509 = X509_new ()) == NULL
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Unable to allocate certificate object");
 +   }
 +
 +   if (
 +       ok &&
 +       pkcs11h_certificate_getCertificateBlob (
 +           certificate,
 +           NULL,
 +           &certificate_blob_size
 +       ) != CKR_OK
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot read X.509 certificate from token %ld-'%s'", rv,
	pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       ok &&
 +       (rv = _pkcs11h_mem_malloc ((void *)&certificate_blob, certificate_blob_size)) != CKR_OK
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot allocate X.509 memory %ld-'%s'", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       ok &&
 +       pkcs11h_certificate_getCertificateBlob (
 +           certificate,
 +           certificate_blob,
 +           &certificate_blob_size
 +       ) != CKR_OK
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot read X.509 certificate from token %ld-'%s'", rv,
	pkcs11h_getMessage (rv));
 +   }
 +
 +   d2i1 = (pkcs11_openssl_d2i_t)certificate_blob;
 +   if (
 +       ok &&
 +       !d2i_X509 (&x509, &d2i1, certificate_blob_size)
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Unable to parse X.509 certificate");
 +   }
 +
 +   if (!ok) {
 +       X509_free (x509);
 +       x509 = NULL;
 +   }
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_getX509 - return x509=%p",
 +       (void *)x509
 +   );
 +
 +   return x509;
 +}
 +
 +pkcs11h_openssl_session_t
 +pkcs11h_openssl_createSession (
 +   IN const pkcs11h_certificate_t certificate
 +) {
 +   pkcs11h_openssl_session_t openssl_session = NULL;
 +   PKCS11H_BOOL ok = TRUE;
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_createSession - entry"
 +   );
 +
 +   if (
 +       ok &&
 +       _pkcs11h_mem_malloc (
 +           (void*)&openssl_session,
 +           sizeof (struct pkcs11h_openssl_session_s)) != CKR_OK
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot allocate memory");
 +   }
 +
 +   if (ok) {
 +       const RSA_METHOD *def = RSA_get_default_method();
 +
 +       memmove (&openssl_session->smart_rsa, def, sizeof(RSA_METHOD));
 +
 +       openssl_session->orig_finish = def->finish;
 +
 +       openssl_session->smart_rsa.name = "pkcs11";
 +       openssl_session->smart_rsa.rsa_priv_dec = _pkcs11h_openssl_dec;
 +       openssl_session->smart_rsa.rsa_sign = _pkcs11h_openssl_sign;
 +       openssl_session->smart_rsa.finish = _pkcs11h_openssl_finish;
 +       openssl_session->smart_rsa.flags  = RSA_METHOD_FLAG_NO_CHECK | RSA_FLAG_EXT_PKEY;
 +       openssl_session->certificate = certificate;
 +       openssl_session->reference_count = 1;
 +   }
 +
 +   if (!ok) {
 +       _pkcs11h_mem_free ((void *)&openssl_session);
 +   }
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_createSession - return openssl_session=%p",
 +       (void *)openssl_session
 +   );
 +
 +   return openssl_session;
 +}
 +
 +pkcs11h_hook_openssl_cleanup_t
 +pkcs11h_openssl_getCleanupHook (
 +   IN const pkcs11h_openssl_session_t openssl_session
 +) {
 +   PKCS11H_ASSERT (openssl_session!=NULL);
 +
 +   return openssl_session->cleanup_hook;
 +}
 +
 +void
 +pkcs11h_openssl_setCleanupHook (
 +   IN const pkcs11h_openssl_session_t openssl_session,
 +   IN const pkcs11h_hook_openssl_cleanup_t cleanup
 +) {
 +   PKCS11H_ASSERT (openssl_session!=NULL);
 +
 +   openssl_session->cleanup_hook = cleanup;
 +}
 +
 +void
 +pkcs11h_openssl_freeSession (
 +   IN const pkcs11h_openssl_session_t openssl_session
 +) {
 +   PKCS11H_ASSERT (openssl_session!=NULL);
 +   PKCS11H_ASSERT (openssl_session->reference_count>0);
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_freeSession - entry openssl_session=%p, count=%d",
 +       (void *)openssl_session,
 +       openssl_session->reference_count
 +   );
 +
 +   openssl_session->reference_count--;
 +   
 +   if (openssl_session->reference_count == 0) {
 +       if (openssl_session->cleanup_hook != NULL) {
 +           openssl_session->cleanup_hook (openssl_session->certificate);
 +       }
 +
 +       if (openssl_session->x509 != NULL) {
 +           X509_free (openssl_session->x509);
 +           openssl_session->x509 = NULL;
 +       }
 +       if (openssl_session->certificate != NULL) {
 +           pkcs11h_certificate_freeCertificate (openssl_session->certificate);
 +           openssl_session->certificate = NULL;
 +       }
 +       
 +       _pkcs11h_mem_free ((void *)&openssl_session);
 +   }
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_freeSession - return"
 +   );
 +}
 +
 +RSA *
 +pkcs11h_openssl_session_getRSA (
 +   IN const pkcs11h_openssl_session_t openssl_session
 +) {
 +   X509 *x509 = NULL;
 +   RSA *rsa = NULL;
 +   EVP_PKEY *pubkey = NULL;
 +   PKCS11H_BOOL ok = TRUE;
 +
 +   PKCS11H_ASSERT (openssl_session!=NULL);
 +   PKCS11H_ASSERT (!openssl_session->initialized);
 +   PKCS11H_ASSERT (openssl_session!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_session_getRSA - entry openssl_session=%p",
 +       (void *)openssl_session
 +   );
 +   
 +   /*
 +    * Dup x509 so RSA will not hold session x509
 +    */
 +   if (
 +       ok &&
 +       (x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get certificate object");
 +   }
 +
 +   if (
 +       ok &&
 +       (pubkey = X509_get_pubkey (x509)) == NULL
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get public key");
 +   }
 +   
 +   if (
 +       ok &&
 +       pubkey->type != EVP_PKEY_RSA
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Invalid public key algorithm");
 +   }
 +
 +   if (
 +       ok &&
 +       (rsa = EVP_PKEY_get1_RSA (pubkey)) == NULL
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get RSA key");
 +   }
 +
 +   if (ok) {
 +       RSA_set_method (rsa, &openssl_session->smart_rsa);
 +       RSA_set_app_data (rsa, openssl_session);
 +       openssl_session->reference_count++;
 +   }
 +   
 +#ifdef BROKEN_OPENSSL_ENGINE
 +   if (ok) {
 +       if (!rsa->engine) {
 +           rsa->engine = ENGINE_get_default_RSA();
 +       }
 +
 +       ENGINE_set_RSA(ENGINE_get_default_RSA(), &openssl_session->smart_rsa);
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: OpenSSL engine support is broken! Workaround enabled");
 +   }
 +#endif
 +       
 +   if (ok) {
 +       rsa->flags |= RSA_FLAG_SIGN_VER;
 +       openssl_session->initialized = TRUE;
 +   }
 +   else {
 +       if (rsa != NULL) {
 +           RSA_free (rsa);
 +           rsa = NULL;
 +       }
 +   }
 +
 +   /*
 +    * openssl objects have reference
 +    * count, so release them
 +    */
 +   if (pubkey != NULL) {
 +       EVP_PKEY_free (pubkey);
 +       pubkey = NULL;
 +   }
 +
 +   if (x509 != NULL) {
 +       X509_free (x509);
 +       x509 = NULL;
 +   }
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_session_getRSA - return rsa=%p",
 +       (void *)rsa
 +   );
 +
 +   return rsa;
 +}
 +
 +X509 *
 +pkcs11h_openssl_session_getX509 (
 +   IN const pkcs11h_openssl_session_t openssl_session
 +) {
 +   X509 *x509 = NULL;
 +   PKCS11H_BOOL ok = TRUE;
 +   
 +   PKCS11H_ASSERT (openssl_session!=NULL);
 +
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_session_getX509 - entry openssl_session=%p",
 +       (void *)openssl_session
 +   );
 +
 +   if (
 +       ok &&
 +       openssl_session->x509 == NULL &&
 +       (openssl_session->x509 = pkcs11h_openssl_getX509 (openssl_session->certificate)) == NULL
 +   ) { 
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot get certificate object");
 +   }
 +
 +   if (
 +       ok &&
 +       (x509 = X509_dup (openssl_session->x509)) == NULL
 +   ) {
 +       ok = FALSE;
 +       PKCS11H_LOG (PKCS11H_LOG_WARN, "PKCS#11: Cannot duplicate certificate object");
 +   }
 +   
 +   PKCS11H_DEBUG (
 +       PKCS11H_LOG_DEBUG2,
 +       "PKCS#11: pkcs11h_openssl_session_getX509 - return x509=%p",
 +       (void *)x509
 +   );
 +
 +   return x509;
 +}
 +
 +#endif             /* ENABLE_PKCS11H_OPENSSL */
 +
 +#if defined(ENABLE_PKCS11H_STANDALONE)
 +/*======================================================================*
 + * STANDALONE INTERFACE
 + *======================================================================*/
 +
 +void
 +pkcs11h_standalone_dump_slots (
 +   IN const pkcs11h_output_print_t my_output,
 +   IN void * const global_data,
 +   IN const char * const provider
 +) {
 +   CK_RV rv = CKR_OK;
 +
 +   pkcs11h_provider_t pkcs11h_provider;
 +
 +   PKCS11H_ASSERT (my_output!=NULL);
 +   /*PKCS11H_ASSERT (global_data) NOT NEEDED */
 +   PKCS11H_ASSERT (provider!=NULL);
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_initialize ()) != CKR_OK
 +   ) {
 +       my_output (global_data, "PKCS#11: Cannot initialize interface %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_addProvider (
 +           provider,
 +           provider,
 +           FALSE,
 +           (
 +               PKCS11H_SIGNMODE_MASK_SIGN |
 +               PKCS11H_SIGNMODE_MASK_RECOVER
 +           ),
 +           PKCS11H_SLOTEVENT_METHOD_AUTO,
 +           0,
 +           FALSE
 +       )) != CKR_OK
 +   ) {
 +       my_output (global_data, "PKCS#11: Cannot initialize provider %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   /*
 +    * our provider is head
 +    */
 +   if (rv == CKR_OK) {
 +       pkcs11h_provider = s_pkcs11h_data->providers;
 +       if (pkcs11h_provider == NULL || !pkcs11h_provider->enabled) {
 +           my_output (global_data, "PKCS#11: Cannot get provider %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
 +           rv = CKR_GENERAL_ERROR;
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       CK_INFO info;
 +       
 +       if ((rv = pkcs11h_provider->f->C_GetInfo (&info)) != CKR_OK) {
 +           my_output (global_data, "PKCS#11: Cannot get PKCS#11 provider information %ld-'%s'\n", rv,
	pkcs11h_getMessage (rv));
 +           rv = CKR_OK;
 +       }
 +       else {
 +           char manufacturerID[sizeof (info.manufacturerID)+1];
 +   
 +           _pkcs11h_util_fixupFixedString (
 +               manufacturerID,
 +               (char *)info.manufacturerID,
 +               sizeof (info.manufacturerID)
 +           );
 +   
 +           my_output (
 +               global_data,
 +               (
 +                   "Provider Information:\n"
 +                   "\tcryptokiVersion:\t%u.%u\n"
 +                   "\tmanufacturerID:\t\t%s\n"
 +                   "\tflags:\t\t\t%08x\n"
 +                   "\n"
 +               ),
 +               info.cryptokiVersion.major,
 +               info.cryptokiVersion.minor,
 +               manufacturerID,
 +               (unsigned)info.flags
 +           );
 +       }
 +   }
 +   
 +   if (rv == CKR_OK) {
 +       CK_SLOT_ID_PTR slots = NULL;
 +       CK_ULONG slotnum;
 +       CK_SLOT_ID slot_index;
 +       
 +       if (
 +            _pkcs11h_session_getSlotList (
 +               pkcs11h_provider,
 +               CK_FALSE,
 +               &slots,
 +               &slotnum
 +           ) != CKR_OK
 +       ) {
 +           my_output (global_data, "PKCS#11: Cannot get slot list %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
 +       }
 +       else {
 +           my_output (
 +               global_data,
 +               "The following slots are available for use with this provider.\n"
 +           );
 +
 +#if defined(PKCS11H_PRM_SLOT_TYPE)
 +           my_output (
 +               global_data,
 +               (
 +                   "Each slot shown below may be used as a parameter to a\n"
 +                   "%s and %s options.\n"
 +               ),
 +               PKCS11H_PRM_SLOT_TYPE,
 +               PKCS11H_PRM_SLOT_ID
 +           );
 +#endif
 +
 +           my_output (
 +               global_data,
 +               (
 +                   "\n"
 +                   "Slots: (id - name)\n"
 +               )
 +           );
 +
 +           for (slot_index=0;slot_index < slotnum;slot_index++) {
 +               CK_SLOT_INFO info;
 +   
 +               if (
 +                   (rv = pkcs11h_provider->f->C_GetSlotInfo (
 +                       slots[slot_index],
 +                       &info
 +                   )) == CKR_OK
 +               ) {
 +                   char current_name[sizeof (info.slotDescription)+1];
 +               
 +                   _pkcs11h_util_fixupFixedString (
 +                       current_name,
 +                       (char *)info.slotDescription,
 +                       sizeof (info.slotDescription)
 +                   );
 +   
 +                   my_output (global_data, "\t%lu - %s\n", slots[slot_index], current_name);
 +               }
 +           }
 +       }
 +
 +       if (slots != NULL) {
 +           _pkcs11h_mem_free ((void *)&slots);
 +       }
 +   }
 +   
 +   pkcs11h_terminate ();
 +}
 +
 +static
 +PKCS11H_BOOL
 +_pkcs11h_standalone_dump_objects_pin_prompt (
 +   IN void * const global_data,
 +   IN void * const user_data,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry,
 +   OUT char * const pin,
 +   IN const size_t pin_max
 +) {
 +   (void)user_data;
 +   (void)token;
 +
 +   /*
 +    * Don't lock card
 +    */
 +   if (retry == 0) {
 +       strncpy (pin, (char *)global_data, pin_max);
 +       return TRUE;
 +   }
 +   else {
 +       return FALSE;
 +   }
 +}
 +
 +void
 +_pkcs11h_standalone_dump_objects_hex (
 +   IN const unsigned char * const p,
 +   IN const size_t p_size,
 +   OUT char * const sz,
 +   IN const size_t max,
 +   IN const char * const prefix
 +) {
 +   size_t j;
 +
 +   sz[0] = '\0';
 +
 +   for (j=0;j<p_size;j+=16) {
 +       char line[3*16+1];
 +       size_t k;
 +
 +       line[0] = '\0';
 +       for (k=0;k<16 && j+k<p_size;k++) {
 +           sprintf (line+strlen (line), "%02x ", p[j+k]);
 +       }
 +
 +       strncat (
 +           sz,
 +           prefix,
 +           max-1-strlen (sz)
 +       );
 +       strncat (
 +           sz,
 +           line,
 +           max-1-strlen (sz)
 +       );
 +       strncat (
 +           sz,
 +           "\n",
 +           max-1-strlen (sz)
 +       );
 +   }
 +
 +   sz[max-1] = '\0';
 +}
 +   
 +void
 +pkcs11h_standalone_dump_objects (
 +   IN const pkcs11h_output_print_t my_output,
 +   IN void * const global_data,
 +   IN const char * const provider,
 +   IN const char * const slot,
 +   IN const char * const pin
 +) {
 +   CK_SLOT_ID s;
 +   CK_RV rv = CKR_OK;
 +
 +   pkcs11h_provider_t pkcs11h_provider = NULL;
 +   pkcs11h_token_id_t token_id = NULL;
 +   pkcs11h_session_t session = NULL;
 +
 +   PKCS11H_ASSERT (my_output!=NULL);
 +   /*PKCS11H_ASSERT (global_data) NOT NEEDED */
 +   PKCS11H_ASSERT (provider!=NULL);
 +   PKCS11H_ASSERT (slot!=NULL);
 +   PKCS11H_ASSERT (pin!=NULL);
 +
 +   s = atoi (slot);
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_initialize ()) != CKR_OK
 +   ) {
 +       my_output (global_data, "PKCS#11: Cannot initialize interface %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_setPINPromptHook (_pkcs11h_standalone_dump_objects_pin_prompt, (void *)pin)) != CKR_OK
 +   ) {
 +       my_output (global_data, "PKCS#11: Cannot set hooks %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   if (
 +       rv == CKR_OK &&
 +       (rv = pkcs11h_addProvider (
 +           provider,
 +           provider,
 +           FALSE,
 +           (
 +               PKCS11H_SIGNMODE_MASK_SIGN |
 +               PKCS11H_SIGNMODE_MASK_RECOVER
 +           ),
 +           PKCS11H_SLOTEVENT_METHOD_AUTO,
 +           0,
 +           FALSE
 +       )) != CKR_OK
 +   ) {
 +       my_output (global_data, "PKCS#11: Cannot initialize provider %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
 +   }
 +
 +   /*
 +    * our provider is head
 +    */
 +   if (rv == CKR_OK) {
 +       pkcs11h_provider = s_pkcs11h_data->providers;
 +       if (pkcs11h_provider == NULL || !pkcs11h_provider->enabled) {
 +           my_output (global_data, "PKCS#11: Cannot get provider %ld-'%s'\n", rv, pkcs11h_getMessage (rv));
 +           rv = CKR_GENERAL_ERROR;
 +       }
 +   }
 +
 +   if (rv == CKR_OK) {
 +       CK_TOKEN_INFO info;
 +       
 +       if (
 +           (rv = pkcs11h_provider->f->C_GetTokenInfo (
 +               s,
 +               &info
 +           )) != CKR_OK
 +       ) {
 +           my_output (global_data, "PKCS#11: Cannot get token information for slot %ld %ld-'%s'\n", s, rv,
	pkcs11h_getMessage (rv));
 +           /* Ignore this error */
 +           rv = CKR_OK;
 +       }
 +       else {
 +           char label[sizeof (info.label)+1];
 +           char manufacturerID[sizeof (info.manufacturerID)+1];
 +           char model[sizeof (info.model)+1];
 +           char serialNumberNumber[sizeof (info.serialNumber)+1];
 +           
 +           _pkcs11h_util_fixupFixedString (
 +               label,
 +               (char *)info.label,
 +               sizeof (info.label)
 +           );
 +           _pkcs11h_util_fixupFixedString (
 +               manufacturerID,
 +               (char *)info.manufacturerID,
 +               sizeof (info.manufacturerID)
 +           );
 +           _pkcs11h_util_fixupFixedString (
 +               model,
 +               (char *)info.model,
 +               sizeof (info.model)
 +           );
 +           _pkcs11h_util_fixupFixedString (
 +               serialNumberNumber,
 +               (char *)info.serialNumber,
 +               sizeof (info.serialNumber)
 +           );
 +   
 +           my_output (
 +               global_data,
 +               (
 +                   "Token Information:\n"
 +                   "\tlabel:\t\t%s\n"
 +                   "\tmanufacturerID:\t%s\n"
 +                   "\tmodel:\t\t%s\n"
 +                   "\tserialNumber:\t%s\n"
 +                   "\tflags:\t\t%08x\n"
 +                   "\n"
 +               ),
 +               label,
 +               manufacturerID,
 +               model,
 +               serialNumberNumber,
 +               (unsigned)info.flags
 +           );
 +
 +#if defined(PKCS11H_PRM_SLOT_TYPE)
 +           my_output (
 +               global_data,
 +               (
 +                   "You can access this token using\n"
 +                   "%s \"label\" %s \"%s\" options.\n"
 +                   "\n"
 +               ),
 +               PKCS11H_PRM_SLOT_TYPE,
 +               PKCS11H_PRM_SLOT_ID,
 +               label
 +           );
 +#endif
 +
 +           if (
 +               rv == CKR_OK &&
 +               (rv = _pkcs11h_token_getTokenId (
 +                   &info,
 +                   &token_id
 +               )) != CKR_OK
 +           ) {
 +               my_output (global_data, "PKCS#11: Cannot get token id for slot %ld %ld-'%s'\n", s, rv,
	pkcs11h_getMessage (rv));        
 +               rv = CKR_OK;
 +           }
 +       }
 +   }
 +
 +   if (token_id != NULL) {
 +       if (
 +           (rv = _pkcs11h_session_getSessionByTokenId (
 +               token_id,
 +               &session
 +           )) != CKR_OK
 +       ) {
 +           my_output (global_data, "PKCS#11: Cannot session for token '%s' %ld-'%s'\n", token_id->display, rv,
	pkcs11h_getMessage (rv));       
 +           rv = CKR_OK;
 +       }
 +   }
 +
 +   if (session != NULL) {
 +       CK_OBJECT_HANDLE *objects = NULL;
 +       CK_ULONG objects_found = 0;
 +       CK_ULONG i;
 +
 +       if (
 +           (rv = _pkcs11h_session_login (
 +               session,
 +               FALSE,
 +               TRUE,
 +               NULL,
 +               PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT
 +           )) != CKR_OK
 +       ) {
 +           my_output (global_data, "PKCS#11: Cannot open session to token '%s' %ld-'%s'\n", session->token_id->display,
	rv, pkcs11h_getMessage (rv));
 +       }
 +   
 +       my_output (
 +           global_data,
 +           "The following objects are available for use with this token.\n"
 +       );
 +
 +#if defined(PKCS11H_PRM_OBJ_TYPE)
 +       my_output (
 +           global_data,
 +           (
 +               "Each object shown below may be used as a parameter to\n"
 +               "%s and %s options.\n"
 +           ),
 +           PKCS11H_PRM_OBJ_TYPE,
 +           PKCS11H_PRM_OBJ_ID
 +       );
 +#endif
 +
 +       my_output (
 +           global_data,
 +           "\n"
 +       );
 +
 +       if (
 +           rv == CKR_OK &&
 +           (rv = _pkcs11h_session_findObjects (
 +               session,
 +               NULL,
 +               0,
 +               &objects,
 +               &objects_found
 +           )) != CKR_OK
 +       ) {
 +           my_output (global_data, "PKCS#11: Cannot query objects for token '%s' %ld-'%s'\n",
	session->token_id->display, rv, pkcs11h_getMessage (rv));
 +       }
 +   
 +       for (i=0;rv == CKR_OK && i < objects_found;i++) {
 +           CK_OBJECT_CLASS attrs_class = 0;
 +           CK_ATTRIBUTE attrs[] = {
 +               {CKA_CLASS, &attrs_class, sizeof (attrs_class)}
 +           };
 +
 +           if (
 +               _pkcs11h_session_getObjectAttributes (
 +                   session,
 +                   objects[i],
 +                   attrs,
 +                   sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +               ) == CKR_OK
 +           ) {
 +               if (attrs_class == CKO_CERTIFICATE) {
 +                   CK_ATTRIBUTE attrs_cert[] = {
 +                       {CKA_ID, NULL, 0},
 +                       {CKA_LABEL, NULL, 0},
 +                       {CKA_VALUE, NULL, 0}
 +                   };
 +                   unsigned char *attrs_id = NULL;
 +                   int attrs_id_size = 0;
 +                   unsigned char *attrs_value = NULL;
 +                   int attrs_value_size = 0;
 +                   char *attrs_label = NULL;
 +                   char hex_id[1024];
 +                   char subject[1024];
 +                   char serialNumber[1024];
 +                   time_t notAfter = 0;
 +
 +                   subject[0] = '\0';
 +                   serialNumber[0] = '\0';
 +
 +
 +                   if (
 +                       _pkcs11h_session_getObjectAttributes (
 +                           session,
 +                           objects[i],
 +                           attrs_cert,
 +                           sizeof (attrs_cert) / sizeof (CK_ATTRIBUTE)
 +                       ) == CKR_OK &&
 +                       _pkcs11h_mem_malloc (
 +                           (void *)&attrs_label,
 +                           attrs_cert[1].ulValueLen+1
 +                       ) == CKR_OK
 +                   ) {
 +                       attrs_id = (unsigned char *)attrs_cert[0].pValue;
 +                       attrs_id_size = attrs_cert[0].ulValueLen;
 +                       attrs_value = (unsigned char *)attrs_cert[2].pValue;
 +                       attrs_value_size = attrs_cert[2].ulValueLen;
 +
 +                       memset (attrs_label, 0, attrs_cert[1].ulValueLen+1);
 +                       memmove (attrs_label, attrs_cert[1].pValue, attrs_cert[1].ulValueLen);
 +                       _pkcs11h_standalone_dump_objects_hex (
 +                           attrs_id,
 +                           attrs_id_size,
 +                           hex_id,
 +                           sizeof (hex_id),
 +                           "\t\t"
 +                       );
 +                   }
 +
 +                   if (attrs_value != NULL) {
 +#if defined(USE_PKCS11H_OPENSSL)
 +                       X509 *x509 = NULL;
 +                       BIO *bioSerial = NULL;
 +#elif defined(USE_PKCS11H_GNUTLS)
 +                       gnutls_x509_crt_t cert = NULL;
 +#endif
 +
 +                       _pkcs11h_certificate_getDN (
 +                           attrs_value,
 +                           attrs_value_size,
 +                           subject,
 +                           sizeof (subject)
 +                       );
 +                       notAfter = _pkcs11h_certificate_getExpiration (
 +                           attrs_value,
 +                           attrs_value_size
 +                       );
 +#if defined(USE_PKCS11H_OPENSSL)
 +                       if ((x509 = X509_new ()) == NULL) {
 +                           my_output (global_data, "Cannot create x509 context\n");
 +                       }
 +                       else {
 +                           pkcs11_openssl_d2i_t d2i1 = (pkcs11_openssl_d2i_t)attrs_value;
 +                           if (d2i_X509 (&x509, &d2i1, attrs_value_size)) {
 +                               if ((bioSerial = BIO_new (BIO_s_mem ())) == NULL) {
 +                                   my_output (global_data, "Cannot create BIO context\n");
 +                               }
 +                               else {
 +                                   int n;
 +
 +                                   i2a_ASN1_INTEGER(bioSerial, X509_get_serialNumber (x509));
 +                                   n = BIO_read (bioSerial, serialNumber, sizeof (serialNumber)-1);
 +                                   if (n<0) {
 +                                       serialNumber[0] = '\0';
 +                                   }
 +                                   else {
 +                                       serialNumber[n] = '\0';
 +                                   }
 +                               }
 +                           }
 +                       }
 +
 +
 +                       if (bioSerial != NULL) {
 +                           BIO_free_all (bioSerial);
 +                           bioSerial = NULL;
 +                       }
 +                       if (x509 != NULL) {
 +                           X509_free (x509);
 +                           x509 = NULL;
 +                       }
 +#elif defined(USE_PKCS11H_GNUTLS)
 +                       if (gnutls_x509_crt_init (&cert) == GNUTLS_E_SUCCESS) {
 +                           gnutls_datum_t datum = {attrs_value, attrs_value_size};
 +
 +                           if (gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER) == GNUTLS_E_SUCCESS) {
 +                               unsigned char ser[1024];
 +                               size_t ser_size = sizeof (ser);
 +                               if (gnutls_x509_crt_get_serial (cert, ser, &ser_size) == GNUTLS_E_SUCCESS) {
 +                                   _pkcs11h_util_binaryToHex (
 +                                       serialNumber,
 +                                       sizeof (serialNumber),
 +                                       ser,
 +                                       ser_size
 +                                   );
 +                               }
 +                           }
 +                           gnutls_x509_crt_deinit (cert);
 +                       }
 +#else
 +#error Invalid configuration.
 +#endif
 +                   }
 +
 +                   my_output (
 +                       global_data,
 +                       (
 +                           "Object\n"
 +                           "\tType:\t\t\tCertificate\n"
 +                           "\tCKA_ID:\n"
 +                           "%s"
 +                           "\tCKA_LABEL:\t\t%s\n"
 +                           "\tsubject:\t\t%s\n"
 +                           "\tserialNumber:\t\t%s\n"
 +                           "\tnotAfter:\t\t%s\n"
 +                       ),
 +                       hex_id,
 +                       attrs_label,
 +                       subject,
 +                       serialNumber,
 +                       asctime (localtime (&notAfter))
 +                   );
 +
 +                   _pkcs11h_mem_free ((void *)&attrs_label);
 +
 +                   _pkcs11h_session_freeObjectAttributes (
 +                       attrs_cert,
 +                       sizeof (attrs_cert) / sizeof (CK_ATTRIBUTE)
 +                   );
 +               }
 +               else if (attrs_class == CKO_PRIVATE_KEY) {
 +                   CK_BBOOL sign_recover = CK_FALSE;
 +                   CK_BBOOL sign = CK_FALSE;
 +                   CK_ATTRIBUTE attrs_key[] = {
 +                       {CKA_SIGN, &sign, sizeof (sign)},
 +                       {CKA_SIGN_RECOVER, &sign_recover, sizeof (sign_recover)}
 +                   };
 +                   CK_ATTRIBUTE attrs_key_common[] = {
 +                       {CKA_ID, NULL, 0},
 +                       {CKA_LABEL, NULL, 0}
 +                   };
 +                   unsigned char *attrs_id = NULL;
 +                   int attrs_id_size = 0;
 +                   char *attrs_label = NULL;
 +                   char hex_id[1024];
 +
 +                   pkcs11h_provider->f->C_GetAttributeValue (
 +                       session->session_handle,
 +                       objects[i],
 +                       attrs_key,
 +                       sizeof (attrs_key) / sizeof (CK_ATTRIBUTE)
 +                   );
 +
 +                   if (
 +                       _pkcs11h_session_getObjectAttributes (
 +                           session,
 +                           objects[i],
 +                           attrs_key_common,
 +                           sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
 +                       ) == CKR_OK &&
 +                       _pkcs11h_mem_malloc (
 +                           (void *)&attrs_label,
 +                           attrs_key_common[1].ulValueLen+1
 +                       ) == CKR_OK
 +                   ) {
 +                       attrs_id = (unsigned char *)attrs_key_common[0].pValue;
 +                       attrs_id_size = attrs_key_common[0].ulValueLen;
 +
 +                       memset (attrs_label, 0, attrs_key_common[1].ulValueLen+1);
 +                       memmove (attrs_label, attrs_key_common[1].pValue, attrs_key_common[1].ulValueLen);
 +
 +                       _pkcs11h_standalone_dump_objects_hex (
 +                           attrs_id,
 +                           attrs_id_size,
 +                           hex_id,
 +                           sizeof (hex_id),
 +                           "\t\t"
 +                       );
 +                           
 +                   }
 +
 +                   my_output (
 +                       global_data,
 +                       (
 +                           "Object\n"
 +                           "\tType:\t\t\tPrivate Key\n"
 +                           "\tCKA_ID:\n"
 +                           "%s"
 +                           "\tCKA_LABEL:\t\t%s\n"
 +                           "\tCKA_SIGN:\t\t%s\n"
 +                           "\tCKA_SIGN_RECOVER:\t%s\n"
 +                       ),
 +                       hex_id,
 +                       attrs_label,
 +                       sign ? "TRUE" : "FALSE",
 +                       sign_recover ? "TRUE" : "FALSE"
 +                   );
 +
 +                   _pkcs11h_mem_free ((void *)&attrs_label);
 +
 +                   _pkcs11h_session_freeObjectAttributes (
 +                       attrs_key_common,
 +                       sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
 +                   );
 +               }
 +               else if (attrs_class == CKO_PUBLIC_KEY) {
 +                   CK_ATTRIBUTE attrs_key_common[] = {
 +                       {CKA_ID, NULL, 0},
 +                       {CKA_LABEL, NULL, 0}
 +                   };
 +                   unsigned char *attrs_id = NULL;
 +                   int attrs_id_size = 0;
 +                   char *attrs_label = NULL;
 +                   char hex_id[1024];
 +
 +                   if (
 +                       _pkcs11h_session_getObjectAttributes (
 +                           session,
 +                           objects[i],
 +                           attrs_key_common,
 +                           sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
 +                       ) == CKR_OK &&
 +                       _pkcs11h_mem_malloc (
 +                           (void *)&attrs_label,
 +                           attrs_key_common[1].ulValueLen+1
 +                       ) == CKR_OK
 +                   ) {
 +                       attrs_id = (unsigned char *)attrs_key_common[0].pValue;
 +                       attrs_id_size = attrs_key_common[0].ulValueLen;
 +
 +                       memset (attrs_label, 0, attrs_key_common[1].ulValueLen+1);
 +                       memmove (attrs_label, attrs_key_common[1].pValue, attrs_key_common[1].ulValueLen);
 +
 +                       _pkcs11h_standalone_dump_objects_hex (
 +                           attrs_id,
 +                           attrs_id_size,
 +                           hex_id,
 +                           sizeof (hex_id),
 +                           "\t\t"
 +                       );
 +                           
 +                   }
 +
 +                   my_output (
 +                       global_data,
 +                       (
 +                           "Object\n"
 +                           "\tType:\t\t\tPublic Key\n"
 +                           "\tCKA_ID:\n"
 +                           "%s"
 +                           "\tCKA_LABEL:\t\t%s\n"
 +                       ),
 +                       hex_id,
 +                       attrs_label
 +                   );
 +
 +                   _pkcs11h_mem_free ((void *)&attrs_label);
 +
 +                   _pkcs11h_session_freeObjectAttributes (
 +                       attrs_key_common,
 +                       sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
 +                   );
 +               }
 +               else if (attrs_class == CKO_DATA) {
 +                   CK_ATTRIBUTE attrs_key_common[] = {
 +                       {CKA_APPLICATION, NULL, 0},
 +                       {CKA_LABEL, NULL, 0}
 +                   };
 +                   char *attrs_application = NULL;
 +                   char *attrs_label = NULL;
 +
 +                   if (
 +                       _pkcs11h_session_getObjectAttributes (
 +                           session,
 +                           objects[i],
 +                           attrs_key_common,
 +                           sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
 +                       ) == CKR_OK &&
 +                       _pkcs11h_mem_malloc (
 +                           (void *)&attrs_application,
 +                           attrs_key_common[0].ulValueLen+1
 +                       ) == CKR_OK &&
 +                       _pkcs11h_mem_malloc (
 +                           (void *)&attrs_label,
 +                           attrs_key_common[1].ulValueLen+1
 +                       ) == CKR_OK
 +                   ) {
 +                       memset (attrs_application, 0, attrs_key_common[0].ulValueLen+1);
 +                       memmove (attrs_application, attrs_key_common[0].pValue, attrs_key_common[0].ulValueLen);
 +                       memset (attrs_label, 0, attrs_key_common[1].ulValueLen+1);
 +                       memmove (attrs_label, attrs_key_common[1].pValue, attrs_key_common[1].ulValueLen);
 +                   }
 +
 +                   my_output (
 +                       global_data,
 +                       (
 +                           "Object\n"
 +                           "\tType:\t\t\tData\n"
 +                           "\tCKA_APPLICATION\t\t%s\n"
 +                           "\tCKA_LABEL:\t\t%s\n"
 +                       ),
 +                       attrs_application,
 +                       attrs_label
 +                   );
 +
 +                   _pkcs11h_mem_free ((void *)&attrs_application);
 +                   _pkcs11h_mem_free ((void *)&attrs_label);
 +
 +                   _pkcs11h_session_freeObjectAttributes (
 +                       attrs_key_common,
 +                       sizeof (attrs_key_common) / sizeof (CK_ATTRIBUTE)
 +                   );
 +               }
 +               else {
 +                   my_output (
 +                       global_data,
 +                       (
 +                           "Object\n"
 +                           "\tType:\t\t\tUnsupported\n"
 +                       )
 +                   );
 +               }
 +           }
 +
 +           _pkcs11h_session_freeObjectAttributes (
 +               attrs,
 +               sizeof (attrs) / sizeof (CK_ATTRIBUTE)
 +           );
 +
 +           /*
 +            * Ignore any error and
 +            * perform next iteration
 +            */
 +           rv = CKR_OK;
 +       }
 +   
 +       if (objects != NULL) {
 +           _pkcs11h_mem_free ((void *)&objects);
 +       }
 +
 +       /*
 +        * Ignore this error
 +        */
 +       rv = CKR_OK;
 +   }
 +
 +   if (session != NULL) {
 +       _pkcs11h_session_release (session);
 +       session = NULL;
 +   }
 +
 +   if (token_id != NULL) {
 +       pkcs11h_token_freeTokenId (token_id);
 +       token_id = NULL;
 +   }
 +   
 +   pkcs11h_terminate ();
 +}
 +
 +#endif             /* ENABLE_PKCS11H_STANDALONE */
 +
 +#ifdef BROKEN_OPENSSL_ENGINE
 +static void broken_openssl_init() __attribute__ ((constructor));
 +static void  broken_openssl_init()
 +{
 +   SSL_library_init();
 +   ENGINE_load_openssl();
 +   ENGINE_register_all_RSA();
 +}
 +#endif
 +
 +#else
 +static void dummy (void) {}
 +#endif             /* PKCS11H_HELPER_ENABLE */
 +
 diff -urNp openssh-4.4p1/pkcs11-helper-config.h openssh-4.4p1+pkcs11-0.17/pkcs11-helper-config.h
 --- openssh-4.4p1/pkcs11-helper-config.h    1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/pkcs11-helper-config.h    2006-10-12 16:43:38.000000000 +0200
 @@ -0,0 +1,103 @@
 +/*
 + * Copyright (c) 2005-2006 Alon Bar-Lev.  All rights reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions
 + * are met:
 + * 1. Redistributions of source code must retain the above copyright
 + *    notice, this list of conditions and the following disclaimer.
 + * 2. Redistributions in binary form must reproduce the above copyright
 + *    notice, this list of conditions and the following disclaimer in the
 + *    documentation and/or other materials provided with the distribution.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
 +
 +#ifndef __PKCS11H_HELPER_CONFIG_H
 +#define __PKCS11H_HELPER_CONFIG_H
 +
 +#if !defined(PKCS11H_NO_NEED_INCLUDE_CONFIG)
 +
 +#include "includes.h"
 +
 +#endif /* PKCS11H_NO_NEED_INCLUDE_CONFIG */
 +
 +#ifndef SSH_PKCS11H_DISABLED
 +#define ENABLE_PKCS11H_HELPER
 +#endif
 +
 +#include <assert.h>
 +#include <string.h>
 +#include <ctype.h>
 +#if !defined(WIN32)
 +#include <unistd.h>
 +#include <dlfcn.h>
 +#endif
 +
 +#include "log.h"
 +#include "xmalloc.h"
 +#include "openssl/x509.h"
 +
 +#if defined(HAVE_CYGWIN)
 +#define PKCS11H_USE_CYGWIN
 +#endif
 +
 +#if !defined(FALSE)
 +#define FALSE 0
 +#endif
 +#if !defined(TRUE)
 +#define TRUE (!FALSE)
 +#endif
 +
 +typedef int PKCS11H_BOOL;
 +
 +#if !defined(IN)
 +#define IN
 +#endif
 +#if !defined(OUT)
 +#define OUT
 +#endif
 +
 +#define USE_PKCS11H_OPENSSL
 +#define ENABLE_PKCS11H_DEBUG
 +#undef  ENABLE_PKCS11H_THREADING
 +#undef  ENABLE_PKCS11H_TOKEN
 +#undef  ENABLE_PKCS11H_DATA
 +#define ENABLE_PKCS11H_CERTIFICATE
 +#undef  ENABLE_PKCS11H_LOCATE
 +#define ENABLE_PKCS11H_ENUM
 +#define ENABLE_PKCS11H_SERIALIZATION
 +#undef  ENABLE_PKCS11H_SLOTEVENT
 +#define ENABLE_PKCS11H_OPENSSL
 +#define ENABLE_PKCS11H_STANDALONE
 +
 +/*
 +#define PKCS11H_PRM_SLOT_TYPE  "--pkcs11-slot-type"
 +#define PKCS11H_PRM_SLOT_ID    "--pkcs11-slot"
 +#define PKCS11H_PRM_OBJ_TYPE   "--pkcs11-id-type"
 +#define PKCS11H_PRM_OBJ_ID "--pkcs11-id"
 +*/
 +
 +#define PKCS11H_ASSERT     assert
 +#define PKCS11H_TIME       time
 +#define PKCS11H_MALLOC     xmalloc
 +#define PKCS11H_FREE       xfree
 +
 +#ifdef ENABLE_PKCS11H_HELPER
 +#if defined(WIN32) || defined(PKCS11H_USE_CYGWIN)
 +#include "cryptoki-win32.h"
 +#else
 +#include "cryptoki.h"
 +#endif
 +
 +#endif     /* ENABLE_PKCS11H_HELPER */
 +#endif     /* __PKCS11H_HELPER_CONFIG_H */
 diff -urNp openssh-4.4p1/pkcs11-helper.h openssh-4.4p1+pkcs11-0.17/pkcs11-helper.h
 --- openssh-4.4p1/pkcs11-helper.h   1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/pkcs11-helper.h   2006-10-22 17:11:14.000000000 +0200
 @@ -0,0 +1,1303 @@
 +/*
 + * Copyright (c) 2005-2006 Alon Bar-Lev <alon.barlev@gmail.com>
 + * All rights reserved.
 + *
 + * This software is available to you under a choice of one of two
 + * licenses.  You may choose to be licensed under the terms of the GNU
 + * General Public License (GPL) Version 2, or the OpenIB.org BSD license.
 + *
 + * GNU General Public License (GPL) Version 2
 + * ===========================================
 + *  This program is free software; you can redistribute it and/or modify
 + *  it under the terms of the GNU General Public License version 2
 + *  as published by the Free Software Foundation.
 + *
 + *  This program is distributed in the hope that it will be useful,
 + *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 + *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + *  GNU General Public License for more details.
 + *
 + *  You should have received a copy of the GNU General Public License
 + *  along with this program (see the file COPYING[.GPL2] included with this
 + *  distribution); if not, write to the Free Software Foundation, Inc.,
 + *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 + *
 + * OpenIB.org BSD license
 + * =======================
 + * Redistribution and use in source and binary forms, with or without modifi-
 + * cation, are permitted provided that the following conditions are met:
 + *
 + *   o  Redistributions of source code must retain the above copyright notice,
 + *      this list of conditions and the following disclaimer.
 + *
 + *   o  Redistributions in binary form must reproduce the above copyright no-
 + *      tice, this list of conditions and the following disclaimer in the do-
 + *      cumentation and/or other materials provided with the distribution.
 + *
 + *   o  The names of the contributors may not be used to endorse or promote
 + *      products derived from this software without specific prior written
 + *      permission.
 + *
 + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LI-
 + * ABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUEN-
 + * TIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEV-
 + * ER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABI-
 + * LITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
 + * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 + */
 +
 +/*
 + * The routines in this file deal with providing private key cryptography
 + * using RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki).
 + *
 + */
 +
 +#ifndef __PKCS11H_HELPER_H
 +#define __PKCS11H_HELPER_H
 +
 +#if defined(__cplusplus)
 +extern "C" {
 +#endif
 +
 +#include "pkcs11-helper-config.h"
 +
 +#if !defined(USE_PKCS11H_OPENSSL) && !defined(USE_PKCS11H_GNUTLS)
 +#error PKCS#11: USE_PKCS11H_OPENSSL or USE_PKCS11H_GNUTLS must be defined
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_SLOTEVENT) && !defined(ENABLE_PKCS11H_THREADING)
 +#error PKCS#11: ENABLE_PKCS11H_SLOTEVENT requires ENABLE_PKCS11H_THREADING
 +#endif
 +#if defined(ENABLE_PKCS11H_OPENSSL) && !defined(ENABLE_PKCS11H_CERTIFICATE)
 +#error PKCS#11: ENABLE_PKCS11H_OPENSSL requires ENABLE_PKCS11H_CERTIFICATE
 +#endif
 +
 +#define PKCS11H_LOG_DEBUG2 5
 +#define PKCS11H_LOG_DEBUG1 4
 +#define PKCS11H_LOG_INFO   3
 +#define PKCS11H_LOG_WARN   2
 +#define PKCS11H_LOG_ERROR  1
 +#define PKCS11H_LOG_QUITE  0
 +
 +#define PKCS11H_PIN_CACHE_INFINITE -1
 +
 +#define PKCS11H_SIGNMODE_MASK_SIGN (1<<0)
 +#define PKCS11H_SIGNMODE_MASK_RECOVER  (1<<1)
 +
 +#define PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT   (1<<0)
 +#define PKCS11H_PROMPT_MAST_ALLOW_CARD_PROMPT  (1<<1)
 +#define PKCS11H_PROMPT_MASK_ALLOW_ALL ( \
 +       PKCS11H_PROMPT_MASK_ALLOW_PIN_PROMPT | \
 +       PKCS11H_PROMPT_MAST_ALLOW_CARD_PROMPT \
 +   )
 +
 +#define PKCS11H_SLOTEVENT_METHOD_AUTO      0
 +#define PKCS11H_SLOTEVENT_METHOD_TRIGGER   1
 +#define PKCS11H_SLOTEVENT_METHOD_POLL      2
 +
 +#define PKCS11H_ENUM_METHOD_CACHE      0
 +#define PKCS11H_ENUM_METHOD_CACHE_EXIST        1
 +#define PKCS11H_ENUM_METHOD_RELOAD     2
 +
 +typedef void (*pkcs11h_output_print_t)(
 +   IN void * const global_data,
 +   IN const char * const format,
 +   IN ...
 +)
 +#if __GNUC__ > 2
 +    __attribute__ ((format (printf, 2, 3)))
 +#endif
 + ;
 +
 +struct pkcs11h_token_id_s;
 +typedef struct pkcs11h_token_id_s *pkcs11h_token_id_t;
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +struct pkcs11h_certificate_id_s;
 +struct pkcs11h_certificate_s;
 +typedef struct pkcs11h_certificate_id_s *pkcs11h_certificate_id_t;
 +typedef struct pkcs11h_certificate_s *pkcs11h_certificate_t;
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#if defined(ENABLE_PKCS11H_ENUM)
 +
 +struct pkcs11h_token_id_list_s;
 +typedef struct pkcs11h_token_id_list_s *pkcs11h_token_id_list_t;
 +
 +#if defined(ENABLE_PKCS11H_DATA)
 +
 +struct pkcs11h_data_id_list_s;
 +typedef struct pkcs11h_data_id_list_s *pkcs11h_data_id_list_t;
 +
 +#endif             /* ENABLE_PKCS11H_DATA */
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +struct pkcs11h_certificate_id_list_s;
 +typedef struct pkcs11h_certificate_id_list_s *pkcs11h_certificate_id_list_t;
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#endif             /* ENABLE_PKCS11H_ENUM */
 +
 +typedef void (*pkcs11h_hook_log_t)(
 +   IN void * const global_data,
 +   IN const unsigned flags,
 +   IN const char * const format,
 +   IN va_list args
 +);
 +
 +typedef void (*pkcs11h_hook_slotevent_t)(
 +   IN void * const global_data
 +);
 +
 +typedef PKCS11H_BOOL (*pkcs11h_hook_token_prompt_t)(
 +   IN void * const global_data,
 +   IN void * const user_data,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry
 +);
 +
 +typedef PKCS11H_BOOL (*pkcs11h_hook_pin_prompt_t)(
 +   IN void * const global_data,
 +   IN void * const user_data,
 +   IN const pkcs11h_token_id_t token,
 +   IN const unsigned retry,
 +   OUT char * const pin,
 +   IN const size_t pin_max
 +);
 +
 +struct pkcs11h_token_id_s {
 +   char display[1024];
 +   char manufacturerID[sizeof (((CK_TOKEN_INFO *)NULL)->manufacturerID)+1];
 +   char model[sizeof (((CK_TOKEN_INFO *)NULL)->model)+1];
 +   char serialNumber[sizeof (((CK_TOKEN_INFO *)NULL)->serialNumber)+1];
 +   char label[sizeof (((CK_TOKEN_INFO *)NULL)->label)+1];
 +};
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +struct pkcs11h_certificate_id_s {
 +   pkcs11h_token_id_t token_id;
 +
 +   char displayName[1024];
 +   CK_BYTE_PTR attrCKA_ID;
 +   size_t attrCKA_ID_size;
 +
 +   unsigned char *certificate_blob;
 +   size_t certificate_blob_size;
 +};
 +
 +#endif
 +
 +#if defined(ENABLE_PKCS11H_ENUM)
 +
 +struct pkcs11h_token_id_list_s {
 +   pkcs11h_token_id_list_t next;
 +   pkcs11h_token_id_t token_id;
 +};
 +
 +#if defined(ENABLE_PKCS11H_DATA)
 +
 +struct pkcs11h_data_id_list_s {
 +   pkcs11h_data_id_list_t next;
 +
 +   char *application;
 +   char *label;
 +};
 +
 +#endif             /* ENABLE_PKCS11H_DATA */
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +struct pkcs11h_certificate_id_list_s {
 +   pkcs11h_certificate_id_list_t next;
 +   pkcs11h_certificate_id_t certificate_id;
 +};
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#if defined(ENABLE_PKCS11H_OPENSSL)
 +
 +typedef void (*pkcs11h_hook_openssl_cleanup_t) (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +
 +struct pkcs11h_openssl_session_s;
 +typedef struct pkcs11h_openssl_session_s *pkcs11h_openssl_session_t;
 +
 +#endif             /* ENABLE_PKCS11H_OPENSSL */
 +
 +/*
 + * pkcs11h_getMessage - Get message by return value.
 + *
 + * Parameters:
 + *     rv      - Return value.
 + */
 +const char *
 +pkcs11h_getMessage (
 +   IN const CK_RV rv
 +);
 +
 +/*
 + * pkcs11h_initialize - Inititalize helper interface.
 + *
 + * Must be called once, from main thread.
 + * Defaults:
 + *     Protected authentication enabled.
 + *     PIN cached is infinite.
 + */
 +CK_RV
 +pkcs11h_initialize ();
 +
 +/*
 + * pkcs11h_terminate - Terminate helper interface.
 + *
 + * Must be called once, from main thread, after all
 + * related resources freed.
 + */
 +CK_RV
 +pkcs11h_terminate ();
 +
 +/*
 + * pkcs11h_setLogLevel - Set current log level of the helper.
 + *
 + * Parameters:
 + *     flags       - current log level.
 + *
 + * The log level can be set to maximum, but setting it to lower
 + * level will improve performance.
 + */
 +void
 +pkcs11h_setLogLevel (
 +   IN const unsigned flags
 +);
 +
 +/*
 + * pkcs11h_getLogLevel - Get current log level.
 + */
 +unsigned
 +pkcs11h_getLogLevel ();
 +
 +/*
 + * pkcs11h_setLogHook - Set a log callback.
 + *
 + * Parameters:
 + *     hook        - Callback.
 + *     pData       - Data to send to callback.
 + */
 +CK_RV
 +pkcs11h_setLogHook (
 +   IN const pkcs11h_hook_log_t hook,
 +   IN void * const global_data
 +);
 +
 +/*
 + * pkcs11h_setSlotEventHook - Set a slot event callback.
 + *
 + * Parameters:
 + *     hook        - Callback.
 + *     pData       - Data to send to callback.
 + *
 + * Calling this function initialize slot event notifications, these
 + * notifications can be started, but never terminate due to PKCS#11 limitation.
 + *
 + * In order to use slot events you must have threading enabled.
 + */
 +CK_RV
 +pkcs11h_setSlotEventHook (
 +   IN const pkcs11h_hook_slotevent_t hook,
 +   IN void * const global_data
 +);
 +
 +/*
 + * pkcs11h_setTokenPromptHook - Set a token prompt callback.
 + *
 + * Parameters:
 + *     hook        - Callback.
 + *     pData       - Data to send to callback.
 + */
 +CK_RV
 +pkcs11h_setTokenPromptHook (
 +   IN const pkcs11h_hook_token_prompt_t hook,
 +   IN void * const global_data
 +);
 +
 +/*
 + * pkcs11h_setPINPromptHook - Set a pin prompt callback.
 + *
 + * Parameters:
 + *     hook        - Callback.
 + *     pData       - Data to send to callback.
 + */
 +CK_RV
 +pkcs11h_setPINPromptHook (
 +   IN const pkcs11h_hook_pin_prompt_t hook,
 +   IN void * const global_data
 +);
 +
 +/*
 + * pkcs11h_setProtectedAuthentication - Set global protected authentication mode.
 + *
 + * Parameters:
 + *     allow_protected_auth    - Allow protected authentication if enabled by token.
 + */
 +CK_RV
 +pkcs11h_setProtectedAuthentication (
 +   IN const PKCS11H_BOOL allow_protected_auth
 +);
 +
 +/*
 + * pkcs11h_setPINCachePeriod - Set global PIN cache timeout.
 + *
 + * Parameters:
 + *     pin_cache_period    - Cache period in seconds, or PKCS11H_PIN_CACHE_INFINITE.
 + */
 +CK_RV
 +pkcs11h_setPINCachePeriod (
 +   IN const int pin_cache_period
 +);
 +
 +/*
 + * pkcs11h_setMaxLoginRetries - Set global login retries attempts.
 + *
 + * Parameters:
 + *     max_retries     - Login retries handled by the helper.
 + */
 +CK_RV
 +pkcs11h_setMaxLoginRetries (
 +   IN const unsigned max_retries
 +);
 +
 +/*
 + * pkcs11h_addProvider - Add a PKCS#11 provider.
 + *
 + * Parameters:
 + *     reference       - Reference name for this provider.
 + *     provider        - Provider library location.
 + *     allow_protected_auth    - Allow this provider to use protected authentication.
 + *     mask_sign_mode      - Provider signmode override.
 + *     slot_event_method   - Provider slot event method.
 + *     slot_poll_interval  - Slot event poll interval (If in polling mode).
 + *     cert_is_private     - Provider's certificate access should be done after login.
 + *
 + * This function must be called from the main thread.
 + *
 + * The global allow_protected_auth must be enabled in order to allow provider specific.
 + * The mask_sign_mode can be 0 in order to automatically detect key sign mode.
 + */
 +CK_RV
 +pkcs11h_addProvider (
 +   IN const char * const reference,
 +   IN const char * const provider_location,
 +   IN const PKCS11H_BOOL allow_protected_auth,
 +   IN const unsigned mask_sign_mode,
 +   IN const int slot_event_method,
 +   IN const int slot_poll_interval,
 +   IN const PKCS11H_BOOL cert_is_private
 +);
 +
 +/*
 + * pkcs11h_delProvider - Delete a PKCS#11 provider.
 + *
 + * Parameters:
 + *     reference       - Reference name for this provider.
 + *
 + * This function must be called from the main thread.
 + */
 +CK_RV
 +pkcs11h_removeProvider (
 +   IN const char * const reference
 +);
 +
 +/*
 + * pkcs11h_forkFixup - Handle special case of Unix fork()
 + *
 + * This function should be called after fork is called. This is required
 + * due to a limitation of the PKCS#11 standard.
 + *
 + * This function must be called from the main thread.
 + *
 + * The helper library handles fork automatically if ENABLE_PKCS11H_THREADING
 + * is set on configuration file, by use of pthread_atfork.
 + */
 +CK_RV
 +pkcs11h_forkFixup ();
 +
 +/*
 + * pkcs11h_plugAndPlay - Handle slot rescan.
 + *
 + * This function must be called from the main thread.
 + *
 + * PKCS#11 providers do not allow plug&play, plug&play can be established by
 + * finalizing all providers and initializing them again.
 + *
 + * The cost of this process is invalidating all sessions, and require user
 + * login at the next access.
 + */
 +CK_RV
 +pkcs11h_plugAndPlay ();
 +
 +/*
 + * pkcs11h_token_freeTokenId - Free token_id object.
 + *
 + * Parameters:
 + *     token_id        - token_id.
 + */
 +CK_RV
 +pkcs11h_token_freeTokenId (
 +   IN pkcs11h_token_id_t token_id
 +);
 +
 +/*
 + * pkcs11h_duplicateTokenId - Duplicate token_id object.
 + *
 + * Parameters:
 + *     to          - target.
 + *     from            - source.
 + */
 +CK_RV
 +pkcs11h_token_duplicateTokenId (
 +   OUT pkcs11h_token_id_t * const to,
 +   IN const pkcs11h_token_id_t from
 +);
 +
 +/*
 + * pkcs11h_sameTokenId - Returns TRUE if same token id
 + *
 + * Parameters:
 + *     a           - a.
 + *     b           - b.
 + */
 +PKCS11H_BOOL
 +pkcs11h_token_sameTokenId (
 +   IN const pkcs11h_token_id_t a,
 +   IN const pkcs11h_token_id_t b
 +);
 +
 +/*
 + * pkcs11h_token_login - Force login, avoid hooks.
 + *
 + * Parameters:
 + *     token_id        - Token to login into.
 + *     readonly        - Should session be readonly.
 + *     pin         - PIN to login, NULL for protected authentication
 + */
 +CK_RV
 +pkcs11h_token_login (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL readonly,
 +   IN const char * const pin
 +);
 +
 +#if defined(ENABLE_PKCS11H_SERIALIZATION)
 +
 +/*
 + * pkcs11h_serializeTokenId - Serialize token_id into string.
 + *
 + * Parameters:
 + *     sz          - Output string.
 + *     max         - Maximum string size.
 + *     token_id        - id to serialize
 + *
 + * sz may be NULL to get size
 + */
 +CK_RV
 +pkcs11h_token_serializeTokenId (
 +   OUT char * const sz,
 +   IN OUT size_t *max,
 +   IN const pkcs11h_token_id_t token_id
 +);
 +
 +/*
 + * pkcs11h_deserializeTokenId - Deserialize token_id from string.
 + *
 + * Parameters:
 + *     p_token_id      - id.
 + *     sz          - Input string
 + */
 +CK_RV
 +pkcs11h_token_deserializeTokenId (
 +   OUT pkcs11h_token_id_t *p_token_id,
 +   IN const char * const sz
 +);
 +
 +#endif             /* ENABLE_PKCS11H_SERIALIZATION */
 +
 +#if defined(ENABLE_PKCS11H_TOKEN)
 +
 +/*
 + * pkcs11h_token_ensureAccess - Ensure token is accessible.
 + *
 + * Parameters:
 + *     token_id        - Token id object.
 + *     user_data       - Optional user data, to be passed to hooks.
 + *     mask_prompt     - Allow prompt.
 + */
 +CK_RV
 +pkcs11h_token_ensureAccess (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt
 +);
 +
 +#endif             /* ENABLE_PKCS11H_TOKEN */
 +
 +#if defined(ENABLE_PKCS11H_DATA)
 +
 +/*
 + * pkcs11h_data_get - get data object.
 + *
 + * Parameters:
 + *     token_id        - Token id object.
 + *     is_public       - Object is public.
 + *     application     - Object application attribute.
 + *     label           - Object label attribute.
 + *     user_data       - Optional user data, to be passed to hooks.
 + *     mask_prompt     - Allow prompt.
 + *     blob            - blob, set to NULL to get size.
 + *     p_blob_size     - blob size.
 + */
 +CK_RV
 +pkcs11h_data_get (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL is_public,
 +   IN const char * const application,
 +   IN const char * const label,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT unsigned char * const blob,
 +   IN OUT size_t * const p_blob_size
 +);
 +
 +/*
 + * pkcs11h_data_put - put data object.
 + *
 + * Parameters:
 + *     token_id        - Token id object.
 + *     is_public       - Object is public.
 + *     application     - Object application attribute.
 + *     label           - Object label attribute.
 + *     user_data       - Optional user data, to be passed to hooks.
 + *     mask_prompt     - Allow prompt.
 + *     blob            - blob.
 + *     blob_size       - blob size.
 + */
 +CK_RV
 +pkcs11h_data_put (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL is_public,
 +   IN const char * const application,
 +   IN const char * const label,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT unsigned char * const blob,
 +   IN const size_t blob_size
 +);
 +
 +/*
 + * pkcs11h_data_del - delete data object.
 + *
 + * Parameters:
 + *     token_id        - Token id object.
 + *     is_public       - Object is public.
 + *     application     - Object application attribute.
 + *     label           - Object label attribute.
 + *     user_data       - Optional user data, to be passed to hooks.
 + *     mask_prompt     - Allow prompt.
 + */
 +CK_RV
 +pkcs11h_data_del (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL is_public,
 +   IN const char * const application,
 +   IN const char * const label,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt
 +);
 +
 +#endif             /* ENABLE_PKCS11H_DATA */
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +/*======================================================================*
 + * CERTIFICATE INTERFACE
 + *======================================================================*/
 +
 +/*
 + * pkcs11h_certificate_freeCertificateId - Free certificate_id object.
 + */
 +CK_RV
 +pkcs11h_certificate_freeCertificateId (
 +   IN pkcs11h_certificate_id_t certificate_id
 +);
 +
 +/*
 + * pkcs11h_duplicateCertificateId - Duplicate certificate_id object.
 + */
 +CK_RV
 +pkcs11h_certificate_duplicateCertificateId (
 +   OUT pkcs11h_certificate_id_t * const to,
 +   IN const pkcs11h_certificate_id_t from
 +);
 +
 +/*
 + * pkcs11h_certificate_setCertificateIdCertificateBlob - Sets internal certificate_id blob.
 + *
 + * Parameters:
 + *     certificate_id      - Certificate id ojbect.
 + *     blob            - blob.
 + *     blob_size       - blob size.
 + *
 + * Useful to set after deserialization so certificate is available and not read from token.
 + */
 +CK_RV
 +pkcs11h_certificate_setCertificateIdCertificateBlob (
 +   IN const pkcs11h_certificate_id_t certificate_id,
 +   IN const unsigned char * const blob,
 +   IN const size_t blob_size
 +);
 +
 +/*
 + * pkcs11h_certificate_freeCertificate - Free certificate object.
 + *
 + * Parameters:
 + *     certificate     - Certificate ojbect.
 + */
 +CK_RV
 +pkcs11h_certificate_freeCertificate (
 +   IN pkcs11h_certificate_t certificate
 +);
 +
 +/*
 + * pkcs11h_certificate_create - Create a certificate object out of certificate_id.
 + *
 + * Parameters:
 + * certificate_id      - Certificate id object to be based on.
 + *     user_data       - Optional user data, to be passed to hooks.
 + *     mask_prompt     - Allow prompt.
 + * pin_cache_period    - Session specific cache period.
 + * p_certificate       - Receives certificate object.
 + *
 + * The certificate id object may not specify the full certificate.
 + * The certificate object must be freed by caller.
 + */    
 +CK_RV
 +pkcs11h_certificate_create (
 +   IN const pkcs11h_certificate_id_t certificate_id,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   IN const int pin_cache_period,
 +   OUT pkcs11h_certificate_t * const p_certificate
 +);
 +
 +/*
 + * pkcs11h_certificate_getPromptMask - Extract user data out of certificate.
 + *
 + * Parameters:
 + *     certificate     - Certificate ojbect.
 + *
 + * Returns:
 + *     mask_prompt     - Allow prompt.
 + *
 + */
 +unsigned
 +pkcs11h_certificate_getPromptMask (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +
 +/*
 + * pkcs11h_certificate_setPromptMask - Extract user data out of certificate.
 + *
 + * Parameters:
 + *     certificate     - Certificate ojbect.
 + *     mask_prompt     - Allow prompt.
 + */
 +void
 +pkcs11h_certificate_setPromptMask (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const unsigned ask_prompt
 +);
 +
 +/*
 + * pkcs11h_certificate_getUserData - Extract user data out of certificate.
 + *
 + * Parameters:
 + *     certificate     - Certificate ojbect.
 + *
 + * Returns:
 + *     user_data       - Optional user data, to be passed to hooks.
 + */
 +void *
 +pkcs11h_certificate_getUserData (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +
 +/*
 + * pkcs11h_certificate_setUserData - Extract user data out of certificate.
 + *
 + * Parameters:
 + *     certificate     - Certificate ojbect.
 + *     user_data       - Optional user data, to be passed to hooks.
 + */
 +void
 +pkcs11h_certificate_setUserData (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN void * const user_data
 +);
 +
 +/*
 + * pkcs11h_certificate_getCertificateId - Get certifiate id object out of a certifiate
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + *     p_certificate_id    - Certificate id object pointer.
 + *
 + * The certificate id must be freed by caller.
 + */
 +CK_RV
 +pkcs11h_certificate_getCertificateId (
 +   IN const pkcs11h_certificate_t certificate,
 +   OUT pkcs11h_certificate_id_t * const p_certificate_id
 +);
 +
 +/*
 + * pkcs11h_certificate_getCertificateBlob - Get the certificate blob out of the certificate object.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + *     certificate_blob    - Buffer.
 + *     certificate_blob_size   - Buffer size.
 + *
 + * Buffer may be NULL in order to get size.
 + */
 +CK_RV
 +pkcs11h_certificate_getCertificateBlob (
 +   IN const pkcs11h_certificate_t certificate,
 +   OUT unsigned char * const certificate_blob,
 +   IN OUT size_t * const p_certificate_blob_size
 +);
 +
 +#if defined(ENABLE_PKCS11H_SERIALIZATION)
 +
 +/*
 + * pkcs11h_certificate_serializeCertificateId - Serialize certificate_id into a string
 + *
 + * Parametrs:
 + *     sz          - Output string.
 + * max         - Max buffer size.
 + * certificate_id      - id to serialize
 + *
 + * sz may be NULL in order to get size.
 + */
 +CK_RV
 +pkcs11h_certificate_serializeCertificateId (
 +   OUT char * const sz,
 +   IN OUT size_t *max,
 +   IN const pkcs11h_certificate_id_t certificate_id
 +);
 +
 +/*
 + * pkcs11h_certificate_deserializeCertificateId - Deserialize certificate_id out of string.
 + *
 + * Parameters:
 + *     p_certificate_id    - id.
 + *     sz          - Inut string
 + */
 +CK_RV
 +pkcs11h_certificate_deserializeCertificateId (
 +   OUT pkcs11h_certificate_id_t * const p_certificate_id,
 +   IN const char * const sz
 +);
 +
 +#endif             /* ENABLE_PKCS11H_SERIALIZATION */
 +
 +/*
 + * pkcs11h_certificate_ensureCertificateAccess - Ensure certificate is accessible.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + */
 +CK_RV
 +pkcs11h_certificate_ensureCertificateAccess (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +
 +/*
 + * pkcs11h_certificate_ensureKeyAccess - Ensure key is accessible.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + */
 +CK_RV
 +pkcs11h_certificate_ensureKeyAccess (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +
 +/*
 + * pkcs11h_certificate_lockSession - Lock session for threded environment
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + *
 + * This must be called on threaded environment, so both calls to _sign and
 + * _signRecover and _decrypt will be from the same source.
 + * Failing to lock session, will result with CKR_OPERATION_ACTIVE if
 + * provider is good, or unexpected behaviour for others.
 + *
 + * It is save to call this also in none threaded environment, it will do nothing.
 + * Call this also if you are doing one stage operation, since locking is not
 + * done by method.
 + */
 +CK_RV
 +pkcs11h_certificate_lockSession (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +
 +/*
 + * pkcs11h_certificate_releaseSession - Releases session lock.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + *
 + * See pkcs11h_certificate_lockSession.
 + */
 +CK_RV
 +pkcs11h_certificate_releaseSession (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +
 +/*
 + * pkcs11h_certificate_sign - Sign data.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + *     mech_type       - PKCS#11 mechanism.
 + * source          - Buffer to sign.
 + * source_size     - Buffer size.
 + * target          - Target buffer, can be NULL to get size.
 + * target_size     - Target buffer size.
 + */
 +CK_RV
 +pkcs11h_certificate_sign (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +);
 +
 +/*
 + * pkcs11h_certificate_signRecover - Sign data.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + *     mech_type       - PKCS#11 mechanism.
 + * source          - Buffer to sign.
 + * source_size     - Buffer size.
 + * target          - Target buffer, can be NULL to get size.
 + * target_size     - Target buffer size.
 + */
 +CK_RV
 +pkcs11h_certificate_signRecover (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +);
 +
 +/*
 + * pkcs11h_certificate_signAny - Sign data mechanism determined by key attributes.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + *     mech_type       - PKCS#11 mechanism.
 + * source          - Buffer to sign.
 + * source_size     - Buffer size.
 + * target          - Target buffer, can be NULL to get size.
 + * target_size     - Target buffer size.
 + */
 +CK_RV
 +pkcs11h_certificate_signAny (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +);
 +
 +/*
 + * pkcs11h_certificate_decrypt - Decrypt data.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + *     mech_type       - PKCS#11 mechanism.
 + * source          - Buffer to sign.
 + * source_size     - Buffer size.
 + * target          - Target buffer, can be NULL to get size.
 + * target_size     - Target buffer size.
 + */
 +CK_RV
 +pkcs11h_certificate_decrypt (
 +   IN const pkcs11h_certificate_t certificate,
 +   IN const CK_MECHANISM_TYPE mech_type,
 +   IN const unsigned char * const source,
 +   IN const size_t source_size,
 +   OUT unsigned char * const target,
 +   IN OUT size_t * const p_target_size
 +);
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#if defined(ENABLE_PKCS11H_LOCATE)
 +/*======================================================================*
 + * LOCATE INTERFACE
 + *======================================================================*/
 +
 +#if defined(ENABLE_PKCS11H_TOKEN) || defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +/*
 + * pkcs11h_locate_token - Locate token based on atributes.
 + *
 + * Parameters:
 + *     slot_type       - How to locate slot.
 + *     slot            - Slot name.
 + *     user_data       - Optional user data, to be passed to hooks.
 + *     mask_prompt     - Allow prompt.
 + *     p_token_id      - Token object.
 + *
 + * Slot:
 + *     id  - Slot number.
 + *     name    - Slot name.
 + *     label   - Available token label.
 + *
 + * Caller must free token id.
 + */
 +CK_RV
 +pkcs11h_locate_token (
 +   IN const char * const slot_type,
 +   IN const char * const slot,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_token_id_t * const p_token_id
 +);
 +
 +#endif             /* ENABLE_PKCS11H_TOKEN || ENABLE_PKCS11H_CERTIFICATE */
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +/*
 + * pkcs11h_locate_certificate - Locate certificate based on atributes.
 + *
 + * Parameters:
 + *     slot_type       - How to locate slot.
 + *     slot            - Slot name.
 + *     id_type         - How to locate object.
 + *     id          - Object name.
 + *     user_data       - Optional user data, to be passed to hooks.
 + *     mask_prompt     - Allow prompt.
 + *     p_certificate_id    - Certificate object.
 + *
 + * Slot:
 + * Same as pkcs11h_locate_token.
 + *
 + * Object:
 + *     id  - Certificate CKA_ID (hex string) (Fastest).
 + *     label   - Certificate CKA_LABEL (string).
 + *     subject - Certificate subject (OpenSSL or gnutls DN).
 + *
 + * Caller must free certificate id.
 + */
 +CK_RV
 +pkcs11h_locate_certificate (
 +   IN const char * const slot_type,
 +   IN const char * const slot,
 +   IN const char * const id_type,
 +   IN const char * const id,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_certificate_id_t * const p_certificate_id
 +);
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#endif             /* ENABLE_PKCS11H_LOCATE */
 +
 +#if defined(ENABLE_PKCS11H_ENUM)
 +/*======================================================================*
 + * ENUM INTERFACE
 + *======================================================================*/
 +
 +#if defined(ENABLE_PKCS11H_TOKEN)
 +
 +/*
 + * pkcs11h_freeTokenIdList - Free certificate_id list.
 + */
 +CK_RV
 +pkcs11h_token_freeTokenIdList (
 +   IN const pkcs11h_token_id_list_t token_id_list
 +);
 +
 +/*
 + * pkcs11h_token_enumTokenIds - Enumerate available tokens
 + *
 + * Parameters:
 + *     p_token_id_list     - A list of token ids.
 + *     
 + * Caller must free the list.
 + */
 +CK_RV
 +pkcs11h_token_enumTokenIds (
 +   IN const int method,
 +   OUT pkcs11h_token_id_list_t * const p_token_id_list
 +);
 +
 +#endif             /* ENABLE_PKCS11H_TOKEN */
 +
 +#if defined(ENABLE_PKCS11H_DATA)
 +
 +/*
 + * pkcs11h_data_freeDataIdList - free data object list..
 + *
 + * Parameters:
 + *     data_id_list        - list to free.
 + */
 +CK_RV
 +pkcs11h_data_freeDataIdList (
 +   IN const pkcs11h_data_id_list_t data_id_list
 +);
 +
 +/*
 + * pkcs11h_data_enumDataObjects - get list of data objects.
 + *
 + * Parameters:
 + *     token_id        - token id.
 + *     is_public       - Get a list of public objects.
 + *     user_data       - Optional user data, to be passed to hooks.
 + *     mask_prompt     - Allow prompt.
 + *     p_data_id_list      - List location.
 + */
 +CK_RV
 +pkcs11h_data_enumDataObjects (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const PKCS11H_BOOL is_public,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_data_id_list_t * const p_data_id_list
 +);
 +
 +#endif             /* ENABLE_PKCS11H_DATA */
 +
 +#if defined(ENABLE_PKCS11H_CERTIFICATE)
 +
 +/*
 + * pkcs11h_certificate_freeCertificateIdList - Free certificate_id list.
 + */
 +CK_RV
 +pkcs11h_certificate_freeCertificateIdList (
 +   IN const pkcs11h_certificate_id_list_t cert_id_list
 +);
 +
 +/*
 + * pkcs11h_certificate_enumTokenCertificateIds - Enumerate available certificates on specific token
 + *
 + * Parameters:
 + *     token_id        - Token id to enum.
 + *     method          - How to fetch certificates.
 + *     user_data       - Some user specific data.
 + *     mask_prompt     - Allow prompt.
 + *     p_cert_id_issuers_list  - Receives issues list, can be NULL.
 + *     p_cert_id_end_list  - Receives end certificates list.
 + *
 + * This function will likely take long time.
 + *
 + * Method can be one of the following:
 + * PKCS11H_ENUM_METHOD_CACHE
 + *     Return available certificates, even if token was once detected and
 + *     was removed.
 + * PKCS11H_ENUM_METHOD_CACHE_EXIST
 + *     Return available certificates for available tokens only, don't
 + *     read the contents of the token if already read, even if this token
 + *     removed and inserted.
 + * PKCS11H_ENUM_METHOD_RELOAD
 + *     Clear all caches and then enum.
 + *
 + * Caller must free the lists.
 + */
 +CK_RV
 +pkcs11h_certificate_enumTokenCertificateIds (
 +   IN const pkcs11h_token_id_t token_id,
 +   IN const int method,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
 +);
 +
 +/*
 + * pkcs11h_enum_getCertificateIds - Enumerate available certificates.
 + *
 + * Parameters:
 + *     method          - How to fetch certificates.
 + *     user_data       - Some user specific data.
 + *     mask_prompt     - Allow prompt.
 + *     p_cert_id_issuers_list  - Receives issues list, can be NULL.
 + *     p_cert_id_end_list  - Receives end certificates list.
 + *
 + * This function will likely take long time.
 + *
 + * Method can be one of the following:
 + * PKCS11H_ENUM_METHOD_CACHE
 + *     Return available certificates, even if token was once detected and
 + *     was removed.
 + * PKCS11H_ENUM_METHOD_CACHE_EXIST
 + *     Return available certificates for available tokens only, don't
 + *     read the contents of the token if already read, even if this token
 + *     removed and inserted.
 + * PKCS11H_ENUM_METHOD_RELOAD
 + *     Clear all caches and then enum.
 + *
 + * Caller must free lists.
 + */
 +CK_RV
 +pkcs11h_certificate_enumCertificateIds (
 +   IN const int method,
 +   IN void * const user_data,
 +   IN const unsigned mask_prompt,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_issuers_list,
 +   OUT pkcs11h_certificate_id_list_t * const p_cert_id_end_list
 +);
 +
 +#endif             /* ENABLE_PKCS11H_CERTIFICATE */
 +
 +#endif             /* ENABLE_PKCS11H_ENUM */
 +
 +#if defined(ENABLE_PKCS11H_OPENSSL)
 +/*======================================================================*
 + * OPENSSL INTERFACE
 + *======================================================================*/
 +
 +/*
 + * pkcs11h_openssl_getX509 - Returns an X509 object out of the openssl_session object.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + */
 +X509 *
 +pkcs11h_openssl_getX509 (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +
 +/*
 + * pkcs11h_openssl_createSession - Create OpenSSL session based on a certificate object.
 + *
 + * Parameters:
 + *     certificate     - Certificate object.
 + *
 + * The certificate object will be freed by the OpenSSL interface on session end.
 + */
 +pkcs11h_openssl_session_t
 +pkcs11h_openssl_createSession (
 +   IN const pkcs11h_certificate_t certificate
 +);
 +
 +/*
 + * pkcs11h_openssl_getCleanupHook - Sets cleanup hook
 + *
 + * Parameters:
 + *     openssl_session     - session.
 + */
 +pkcs11h_hook_openssl_cleanup_t
 +pkcs11h_openssl_getCleanupHook (
 +   IN const pkcs11h_openssl_session_t openssl_session
 +);
 +
 +/*
 + * pkcs11h_openssl_setCleanupHook - Sets cleanup hook
 + *
 + * Parameters:
 + *     openssl_session     - session.
 + *     cleanup         - hook.
 + */
 +void
 +pkcs11h_openssl_setCleanupHook (
 +   IN const pkcs11h_openssl_session_t openssl_session,
 +   IN const pkcs11h_hook_openssl_cleanup_t cleanup
 +);
 +
 +/*
 + * pkcs11h_openssl_freeSession - Free OpenSSL session.
 + *
 + * Parameters:
 + *     openssl_session     - Session to free.
 + *
 + * The openssl_session object has a reference count just like other OpenSSL objects.
 + */
 +void
 +pkcs11h_openssl_freeSession (
 +   IN const pkcs11h_openssl_session_t openssl_session
 +);
 +
 +/*
 + * pkcs11h_openssl_session_getRSA - Returns an RSA object out of the openssl_session object.
 + *
 + * Parameters:
 + *     openssl_session     - Session.
 + */
 +RSA *
 +pkcs11h_openssl_session_getRSA (
 +   IN const pkcs11h_openssl_session_t openssl_session
 +);
 +
 +/*
 + * pkcs11h_openssl_session_getX509 - Returns an X509 object out of the openssl_session object.
 + *
 + * Parameters:
 + *     openssl_session     - Session.
 + */
 +X509 *
 +pkcs11h_openssl_session_getX509 (
 +   IN const pkcs11h_openssl_session_t openssl_session
 +);
 +
 +#endif             /* ENABLE_PKCS11H_OPENSSL */
 +
 +#if defined(ENABLE_PKCS11H_STANDALONE)
 +/*======================================================================*
 + * STANDALONE INTERFACE
 + *======================================================================*/
 +
 +void
 +pkcs11h_standalone_dump_slots (
 +   IN const pkcs11h_output_print_t my_output,
 +   IN void * const global_data,
 +   IN const char * const provider
 +);
 +
 +void
 +pkcs11h_standalone_dump_objects (
 +   IN const pkcs11h_output_print_t my_output,
 +   IN void * const global_data,
 +   IN const char * const provider,
 +   IN const char * const slot,
 +   IN const char * const pin
 +);
 +
 +#endif             /* ENABLE_PKCS11H_STANDALONE */
 +
 +#ifdef __cplusplus
 +}
 +#endif
 +
 +#endif             /* __PKCS11H_HELPER_H */
 diff -urNp openssh-4.4p1/README.pkcs11 openssh-4.4p1+pkcs11-0.17/README.pkcs11
 --- openssh-4.4p1/README.pkcs11 1970-01-01 02:00:00.000000000 +0200
 +++ openssh-4.4p1+pkcs11-0.17/README.pkcs11 2006-10-18 20:22:08.000000000 +0200
 @@ -0,0 +1,49 @@
 +The PKCS#11 patch modify ssh-add and ssh-agent to support PKCS#11 private keys
 +and certificates (http://alon.barlev.googlepages.com/openssh-pkcs11).
 +
 +It allows using multiple PKCS#11 providers at the same time, selecting keys by
 +id, label or certificate subject, handling card removal and card insert events,
 +handling card re-insert to a different slot, supporting session expiration.
 +
 +A valid X.509 certificate should exist on the token, without X.509 support it is
 +exported as regular RSA key. Self-signed certificates are treated as RSA key and
 +not as X.509 RSA key.
 +
 +If you like X.509 (http://roumenpetrov.info/openssh) support apply the X.509
 +patch AFTER the PKCS#11 patch. You can use -o PubkeyAlgorithms=ssh-rsa in order to
 +authenticate to none X.509 servers.
 +
 +One significant change is that the ssh-agent prompts for passwords now... So you
 +need to configure it with a program that asks for card insert or PIN, a program
 +such as x11-ssh-askpass. Current implementation (ssh-add asks for passwords) is
 +not valid for dynamic smartcard environment.
 +
 +Current implementation uses the askpin program also for prompting card insert...
 +Don't be confused, it only expects ok or cancel, some simple scripts available
 +at http://alon.barlev.googlepages.com/openssh-pkcs11 that uses KDE, Gnome and .NET
 +in order to display these dialogs.
 +
 +You can view full usage by:
 +$ ssh-agent /bin/sh
 +$ ssh-add -h
 +
 +A common scenario is the following:
 +$ ssh-agent /bin/sh
 +$ ssh-add --pkcs11-ask-pin `which openssh-kde-dialogs.sh`
 +$ ssh-add --pkcs11-add-provider --pkcs11-provider /usr/lib/pkcs11/MyProvider.so
 +$ ssh-add --pkcs11-add-id --pkcs11-id "serialized id"
 +$ ssh myhost
 +
 +In order to see available objects, you can use:
 +$ ssh-add --pkcs11-show-ids --pkcs11-provider /usr/lib/pkcs11/MyProvider.so
 +
 +In order to add id without accessing the token, you must put the certificate in
 +a PEM file and use:
 +$ ssh-add --pkcs11-add-id --pkcs11-id "serialized id" --pkcs11-cert-file my.pem
 +
 +In order to debug open two shells:
 +1$ rm -fr /tmp/s; ssh-agent -d -d -d -a /tmp/s
 +
 +2$ SSH_AUTH_SOCK=/tmp/s; export SSH_AUTH_SOCK;
 +2$ [ssh-add]...
 +
 diff -urNp openssh-4.4p1/ssh-add.c openssh-4.4p1+pkcs11-0.17/ssh-add.c
 --- openssh-4.4p1/ssh-add.c 2006-09-01 08:38:37.000000000 +0300
 +++ openssh-4.4p1+pkcs11-0.17/ssh-add.c 2006-10-12 15:10:42.000000000 +0200
 @@ -56,12 +56,15 @@
  #include "rsa.h"
  #include "log.h"
  #include "key.h"
 +#include "pkcs11.h"
  #include "buffer.h"
  #include "authfd.h"
  #include "authfile.h"
  #include "pathnames.h"
  #include "misc.h"
  
 +static void usage (void);
 +
  /* argv0 */
  extern char *__progname;
  
 @@ -306,6 +309,261 @@ do_file(AuthenticationConnection *ac, in
     return 0;
  }
  
 +#ifndef SSH_PKCS11_DISABLED
 +
 +static
 +int
 +do_pkcs11 (AuthenticationConnection *ac, int argc, char *argv[])
 +{
 +   /*
 +    * TEMP TEMP TEMP TEMP
 +    *
 +    * This should be fixed if another mechanism
 +    * will be propsed.
 +    */
 +   pkcs11_identity *id = NULL;
 +   char *szPKCS11Provider = NULL;
 +   char *szPKCS11Id = NULL;
 +   char *szPKCS11SignMode = NULL;
 +   char *szPKCS11AskPIN = NULL;
 +   char *szPKCS11SlotId = NULL;
 +   char *szPKCS11CertFile = NULL;
 +   int fDebug = 0;
 +   int fPKCS11AddProvider = 0;
 +   int fPKCS11AddId = 0;
 +   int fPKCS11RemoveId = 0;
 +   int fPKCS11ShowIds = 0;
 +   int fPKCS11DumpSlots = 0;
 +   int fPKCS11DumpObjects = 0;
 +   int fPKCS11ProtectedAuthentication = 0;
 +   int fPKCS11CertPrivate = 0;
 +   int nPKCS11PINCachePeriod = -1;
 +   int fBadUsage = 0;
 +   int ret = 0;
 +   int nSkipPrmCount;
 +   int i;
 +
 +   for (i=0,nSkipPrmCount=0;i<argc;i++) {
 +       if (!strcmp (argv[i], "--pkcs11-provider")) {
 +           szPKCS11Provider = argv[i+1];
 +           i++;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-id")) {
 +           szPKCS11Id = argv[i+1];
 +           i++;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-pin-cache")) {
 +           nPKCS11PINCachePeriod = atoi (argv[i+1]);
 +           i++;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-sign-mode")) {
 +           szPKCS11SignMode = argv[i+1];
 +           i++;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-ask-pin")) {
 +           szPKCS11AskPIN = argv[i+1];
 +           i++;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-slot")) {
 +           szPKCS11SlotId = argv[i+1];
 +           i++;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-cert-file")) {
 +           szPKCS11CertFile = argv[i+1];
 +           i++;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-add-provider")) {
 +           fPKCS11AddProvider = 1;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-remove-id")) {
 +           fPKCS11RemoveId = 1;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-add-id")) {
 +           fPKCS11AddId = 1;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-show-ids")) {
 +           fPKCS11ShowIds = 1;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-dump-slots")) {
 +           fPKCS11DumpSlots = 1;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-dump-objects")) {
 +           fPKCS11DumpObjects = 1;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-protected-authentication")) {
 +           fPKCS11ProtectedAuthentication = 1;
 +       }
 +       else if (!strcmp (argv[i], "--pkcs11-cert-private")) {
 +           fPKCS11CertPrivate = 1;
 +       }
 +       else if (!strcmp (argv[i], "-d")) {
 +           fDebug = 1;
 +       }
 +       else {
 +           nSkipPrmCount++;
 +       }
 +   }
 +
 +   if (nSkipPrmCount == argc) {
 +       /* no pkcs#11 arguments */
 +       ret = -2;
 +   }
 +
 +   if (ret == 0) {
 +       if (
 +           !fBadUsage &&
 +           fPKCS11AddProvider &&
 +           szPKCS11Provider == NULL
 +       ) {
 +           fBadUsage = 1;
 +       }
 +
 +       if (
 +           !fBadUsage &&
 +           fPKCS11AddId &&
 +           (
 +               szPKCS11Id == NULL
 +           )
 +       ) {
 +           fBadUsage = 1;
 +       }
 +
 +       if (
 +           !fBadUsage &&
 +           fPKCS11RemoveId &&
 +           (
 +               szPKCS11Id == NULL
 +           )
 +       ) {
 +           fBadUsage = 1;
 +       }
 +
 +       if (
 +           !fBadUsage &&
 +           fPKCS11ShowIds &&
 +           szPKCS11Provider == NULL
 +       ) {
 +           fBadUsage = 1;
 +       }
 +
 +       if (
 +           !fBadUsage &&
 +           fPKCS11DumpSlots &&
 +           szPKCS11Provider == NULL
 +       ) {
 +           fBadUsage = 1;
 +       }
 +
 +       if (
 +           !fBadUsage &&
 +           fPKCS11DumpObjects &&
 +           (
 +               szPKCS11Provider == NULL ||
 +               szPKCS11SlotId == NULL
 +           )
 +       ) {
 +           fBadUsage = 1;
 +       }
 +
 +       if (fBadUsage) {
 +           usage ();
 +           ret = 1;
 +       }
 +   }
 +   
 +   if (ret == 0) {
 +       if (fPKCS11AddId || fPKCS11RemoveId) {
 +           id = pkcs11_identity_new ();
 +           if (id == NULL) {
 +               ret = 1;
 +           }
 +           else {
 +               id->id = strdup (szPKCS11Id);
 +               id->pin_cache_period = nPKCS11PINCachePeriod;
 +               id->cert_file = szPKCS11CertFile;
 +           }
 +       }
 +   }
 +
 +   if (ret == 0) {
 +       if (fDebug) {
 +           log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 1);
 +       }
 +
 +       if (fPKCS11ShowIds) {
 +           pkcs11_show_ids (szPKCS11Provider, fPKCS11ProtectedAuthentication, fPKCS11CertPrivate);
 +           ret = 0;
 +       }
 +       else if (fPKCS11DumpSlots) {
 +           pkcs11_dump_slots (szPKCS11Provider);
 +           ret = 0;
 +       }
 +       else if (fPKCS11DumpObjects) {
 +           char *szPIN = read_passphrase("PIN: ", RP_ALLOW_STDIN);
 +           if (szPIN[0] != '\0') {
 +               pkcs11_dump_objects (szPKCS11Provider, szPKCS11SlotId, szPIN);
 +           }
 +           memset (szPIN, 0, strlen (szPIN));
 +           xfree (szPIN);
 +           ret = 0;
 +       }
 +       else if (szPKCS11AskPIN != NULL) {
 +           ret = !ssh_pkcs11_set_ask_pin (ac, szPKCS11AskPIN);
 +
 +           if (ret) {
 +               fprintf (stderr, "Failed\n");
 +           }
 +           else {
 +               fprintf (stderr, "Success\n");
 +           }
 +       }
 +       else if (fPKCS11AddProvider) {
 +           ret = !ssh_pkcs11_add_provider (
 +               ac,
 +               szPKCS11Provider,
 +               fPKCS11ProtectedAuthentication,
 +               szPKCS11SignMode,
 +               fPKCS11CertPrivate
 +           );
 +
 +           if (ret) {
 +               fprintf (stderr, "Cannot add provider %s\n", szPKCS11Provider);
 +           }
 +           else {
 +               fprintf (stderr, "Provider %s added successfully\n", szPKCS11Provider);
 +           }
 +       }
 +       else if (fPKCS11AddId) {
 +           ret = !ssh_pkcs11_id (ac, id, 0);
 +
 +           if (ret) {
 +               fprintf (stderr, "Cannot add identity\n");
 +           }
 +           else {
 +               fprintf (stderr, "Identity added successfully\n");
 +           }
 +       }
 +       else if (fPKCS11RemoveId) {
 +           ret = !ssh_pkcs11_id (ac, id, 1);
 +
 +           if (ret) {
 +               fprintf (stderr, "Cannot remove identity\n");
 +           }
 +           else {
 +               fprintf (stderr, "Identity removed successfully\n");
 +           }
 +       }
 +   }
 +
 +   if (id != NULL) {
 +       pkcs11_identity_free (id);
 +   }
 +
 +   return ret;
 +}
 +
 +#endif /* SSH_PKCS11_DISABLED */
 +
  static void
  usage(void)
  {
 @@ -323,6 +581,50 @@ usage(void)
     fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
     fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");
  #endif
 +#ifndef SSH_PKCS11_DISABLED
 +   fprintf(
 +       stderr,
 +       (
 +           "\n"
 +               "  PKCS#11 Options:\n"
 +           "  --pkcs11-ask-pin prog          Set ask-pin program\n"
 +           "\n"
 +           "  --pkcs11-add-provider          Add PKCS#11 provider\n"
 +           "    --pkcs11-provider provider   PKCS#11 provider library\n"
 +           "    [--pkcs11-protected-authentication] Use PKCS#11 protected authentication\n"
 +           "    [--pkcs11-sign-mode mode]    Provider signature mode\n"
 +           "                                  auto    - determine automatically\n"
 +           "                                  sign    - perform sign\n"
 +           "                                  recover - perform sign recover\n"
 +           "                                  any     - perform sign and then sign recover\n"
 +           "    [--pkcs11-cert-private]       Login required in order to access certificate\n"
 +           "\n"
 +           "  --pkcs11-show-ids              Show available identities\n"
 +           "    --pkcs11-provider provider   PKCS#11 provider library\n"
 +           "    [--pkcs11-protected-authentication] Use PKCS#11 protected authentication\n"
 +           "    [--pkcs11-cert-private]       Login required in order to access certificate\n"
 +           "    [-d]                         debug\n"  
 +           "\n"
 +           "  --pkcs11-add-id                Add PKCS#11 identity\n"
 +           "    --pkcs11-id id                Serialized string\n"
 +           "    [--pkcs11-cert-file file]     Use this PEM file, don't access token\n"
 +           "    [--pkcs11-pin-cache period]   PIN cache period (seconds)\n"
 +           "\n"
 +           "  --pkcs11-remove-id             Remove PKCS#11 identity\n"
 +           "    --pkcs11-id id                Serialized string\n"
 +           "    [--pkcs11-cert-file file]     Use this PEM file, don't access token\n"
 +           "\n"
 +           " PKCS#11 Debugging Options:\n"
 +           "  --pkcs11-dump-slots            Dump available PKCS#11 slots\n"
 +           "    --pkcs11-provider provider   PKCS#11 provider library\n"
 +           "\n"
 +           "  --pkcs11-dump-objects          Dump available PKCS#11 objects\n"
 +           "    --pkcs11-provider provider   PKCS#11 provider library\n"
 +           "    --pkcs11-slot slot           Slot numeric id\n"
 +           "\n"
 +       )
 +   );
 +#endif  /* SSH_PKCS11_DISABLED */
  }
  
  int
 @@ -350,6 +652,17 @@ main(int argc, char **argv)
             "Could not open a connection to your authentication agent.\n");
         exit(2);
     }
 +
 +#ifndef SSH_PKCS11_DISABLED
 +   {
 +       int r = do_pkcs11 (ac, argc, argv);
 +       if (r != -2) {
 +           ret = r;
 +           goto done;
 +       }
 +   }
 +#endif /* SSH_PKCS11_DISABLED */
 +
     while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
         switch (ch) {
         case 'l':
 diff -urNp openssh-4.4p1/ssh-agent.c openssh-4.4p1+pkcs11-0.17/ssh-agent.c
 --- openssh-4.4p1/ssh-agent.c   2006-09-01 08:38:37.000000000 +0300
 +++ openssh-4.4p1+pkcs11-0.17/ssh-agent.c   2006-10-12 14:00:53.000000000 +0200
 @@ -71,6 +71,7 @@
  #include "buffer.h"
  #include "key.h"
  #include "authfd.h"
 +#include "pkcs11.h"
  #include "compat.h"
  #include "log.h"
  #include "misc.h"
 @@ -690,6 +691,157 @@ send:
  }
  #endif /* SMARTCARD */
  
 +#ifndef SSH_PKCS11_DISABLED
 +
 +static
 +void
 +process_pkcs11_set_ask_pin (SocketEntry *e)
 +{
 +   char *szAskPIN = NULL;
 +   int success = 0;
 +
 +   szAskPIN = buffer_get_string(&e->request, NULL);
 +
 +   success = pkcs11_setAskPIN (szAskPIN);
 +
 +   buffer_put_int(&e->output, 1);
 +   buffer_put_char(&e->output,
 +       success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
 +}
 +
 +static void
 +process_pkcs11_add_provider (SocketEntry *e)
 +{
 +   char *szProvider = NULL;
 +   int fProtectedAuthentication = 0;
 +   char *szSignMode = NULL;
 +   int fCertIsPrivate = 0;
 +   int success = 0;
 +
 +   szProvider = buffer_get_string(&e->request, NULL);
 +   fProtectedAuthentication = buffer_get_int (&e->request);
 +   szSignMode = buffer_get_string(&e->request, NULL);
 +   fCertIsPrivate = buffer_get_int (&e->request);
 +
 +   success = pkcs11_addProvider (szProvider, fProtectedAuthentication, szSignMode, fCertIsPrivate);
 +
 +   buffer_put_int(&e->output, 1);
 +   buffer_put_char(&e->output,
 +       success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
 +}
 +
 +static
 +void
 +process_pkcs11_add_id (SocketEntry *e)
 +{
 +   int success = 0;
 +   int version = 2;
 +   char szComment[1024];
 +   Key *k = NULL;
 +   pkcs11_identity *pkcs11_id = NULL;
 +
 +   pkcs11_id = pkcs11_identity_new ();
 +   if (pkcs11_id != NULL) {
 +       pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
 +       pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
 +       pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));
 +
 +       pkcs11_getKey (
 +           pkcs11_id,
 +           &k,
 +           szComment,
 +           sizeof (szComment)
 +       );
 +
 +       if (k != NULL) {
 +           if (lookup_identity(k, version) == NULL) {
 +               Identity *id = xmalloc(sizeof(Identity));
 +               Idtab *tab = NULL;
 +   
 +               id->key = k;
 +               k = NULL;
 +               id->comment = xstrdup (szComment);
 +               id->death = 0;      /* handled by pkcs#11 helper */
 +               id->confirm = 0;
 +   
 +               tab = idtab_lookup(version);
 +               TAILQ_INSERT_TAIL(&tab->idlist, id, next);
 +               /* Increment the number of identities. */
 +               tab->nentries++;
 +               success = 1;
 +           }
 +       }
 +   }
 +
 +   if (k != NULL) {
 +       key_free (k);
 +   }
 +
 +   if (pkcs11_id != NULL) {
 +       pkcs11_identity_free (pkcs11_id);
 +   }
 +
 +   buffer_put_int(&e->output, 1);
 +   buffer_put_char(&e->output,
 +       success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
 +}
 +
 +static
 +void
 +process_pkcs11_remove_id (SocketEntry *e)
 +{
 +   int success = 0;
 +   Identity *id = NULL;
 +   int version = 2;
 +   char szComment[1024];
 +   Key *k = NULL;
 +
 +   pkcs11_identity *pkcs11_id = NULL;
 +
 +   pkcs11_id = pkcs11_identity_new ();
 +   if (pkcs11_id != NULL) {
 +       pkcs11_id->id = strdup (buffer_get_string(&e->request, NULL));
 +       pkcs11_id->pin_cache_period = buffer_get_int(&e->request);
 +       pkcs11_id->cert_file = strdup (buffer_get_string(&e->request, NULL));
 +
 +       pkcs11_getKey (
 +           pkcs11_id,
 +           &k,
 +           szComment,
 +           sizeof (szComment)
 +       );
 +
 +       if (k != NULL) {
 +           id = lookup_identity (k, version);
 +       }
 +
 +       if (id != NULL) {
 +           Idtab *tab = NULL;
 +
 +           tab = idtab_lookup(version);
 +           TAILQ_REMOVE(&tab->idlist, id, next);
 +           tab->nentries--;
 +           free_identity(id);
 +           id = NULL;
 +           success = 1;
 +       }
 +   }
 +
 +   if (k != NULL) {
 +       key_free (k);
 +   }
 +
 +   if (pkcs11_id != NULL) {
 +       pkcs11_identity_free (pkcs11_id);
 +   }
 +
 +   buffer_put_int(&e->output, 1);
 +   buffer_put_char(&e->output,
 +       success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
 +}
 +
 +#endif /* SSH_PKCS11_DISABLED */
 +
  /* dispatch incoming messages */
  
  static void
 @@ -785,6 +937,21 @@ process_message(SocketEntry *e)
         process_remove_smartcard_key(e);
         break;
  #endif /* SMARTCARD */
 +
 +#ifndef SSH_PKCS11_DISABLED
 +   case SSH_AGENTC_PKCS11_SET_ASK_PIN:
 +       process_pkcs11_set_ask_pin (e);
 +       break;
 +   case SSH_AGENTC_PKCS11_ADD_PROVIDER:
 +       process_pkcs11_add_provider (e);
 +       break;
 +   case SSH_AGENTC_PKCS11_ADD_ID:
 +       process_pkcs11_add_id (e);
 +       break;
 +   case SSH_AGENTC_PKCS11_REMOVE_ID:
 +       process_pkcs11_remove_id (e);
 +       break;
 +#endif /* SSH_PKCS11_DISABLED */
     default:
         /* Unknown message.  Respond with failure. */
         error("Unknown message %d", type);
 @@ -1064,7 +1231,7 @@ main(int ac, char **av)
             s_flag++;
             break;
         case 'd':
 -           if (d_flag)
 +           if (d_flag > 3)
                 usage();
             d_flag++;
             break;
 @@ -1167,7 +1334,7 @@ main(int ac, char **av)
      * the socket data.  The child continues as the authentication agent.
      */
     if (d_flag) {
 -       log_init(__progname, SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 1);
 +       log_init(__progname, SYSLOG_LEVEL_DEBUG1+d_flag-1, SYSLOG_FACILITY_AUTH, 1);
         format = c_flag ? "setenv %s %s;\n" : "%s=%s; export %s;\n";
         printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
             SSH_AUTHSOCKET_ENV_NAME);
 @@ -1228,6 +1395,11 @@ main(int ac, char **av)
  #endif
  
  skip:
 +
 +#ifndef SSH_PKCS11_DISABLED
 +   pkcs11_initialize (1, -1);
 +#endif /* SSH_PKCS11_DISABLED */
 +
     new_socket(AUTH_SOCKET, sock);
     if (ac > 0) {
         mysignal(SIGALRM, check_parent_exists);
 @@ -1251,4 +1423,8 @@ skip:
         after_select(readsetp, writesetp);
     }
     /* NOTREACHED */
 +
 +#ifndef SSH_PKCS11_DISABLED
 +   pkcs11_terminate ();
 +#endif /* SSH_PKCS11_DISABLED */
  }