encryption/decryption: Workaround tokens finalizing operation when there is nothing to return

Jakuje · Jakuje · commit 62260d80b8bd · 2025-05-26T17:18:51.000+02:00
The NSS softokn finalizes the multipart operation even though the NULL
return argument was passed.

Signed-off-by: Jakub Jelen &lt;jjelen@redhat.com&gt;
diff --git a/cryptoki/src/session/decryption.rs b/cryptoki/src/session/decryption.rs
@@ -125,6 +125,12 @@ impl Session {
             .into_result(Function::DecryptFinal)?;
         }
 
+        // Some pkcs11 modules might finalize the operation when there
+        // no more output even if we pass in NULL.
+        if data_len == 0 {
+            return Ok(Vec::new());
+        }
+
         let mut data = vec![0; data_len.try_into()?];
 
         unsafe {
diff --git a/cryptoki/src/session/encryption.rs b/cryptoki/src/session/encryption.rs
@@ -124,6 +124,12 @@ impl Session {
             .into_result(Function::EncryptFinal)?;
         }
 
+        // Some pkcs11 modules might finalize the operation when there
+        // no more output even if we pass in NULL.
+        if encrypted_data_len == 0 {
+            return Ok(Vec::new());
+        }
+
         let mut encrypted_data = vec![0; encrypted_data_len.try_into()?];
 
         unsafe {
