summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorcvs2hg <devnull@localhost>2002-12-11 17:56:50 +0000
committercvs2hg <devnull@localhost>2002-12-11 17:56:50 +0000
commit012e2d2eb9c759904b8ae0702acff9723ef3ac61 (patch)
tree158a48a42a36bd8b20577c32978c57e179d8dbd3
parent27160a588f621e0487ab0d0884d094c5255cbcfb (diff)
downloadnss-hg-012e2d2eb9c759904b8ae0702acff9723ef3ac61.tar.gz
fixup commit for branch 'NSS_3_7_BRANCH'
Diffstat
-rw-r--r--security/nss/lib/nss/nss.def728
-rw-r--r--security/nss/lib/pk11wrap/pk11func.h614
-rw-r--r--security/nss/lib/pk11wrap/pk11slot.c4656
-rw-r--r--security/nss/lib/pk11wrap/secmodt.h263
4 files changed, 6261 insertions, 0 deletions
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def
new file mode 100644
index 000000000..0bc28e972
--- /dev/null
+++ b/security/nss/lib/nss/nss.def
@@ -0,0 +1,728 @@
+;+#
+;+# The contents of this file are subject to the Mozilla Public
+;+# License Version 1.1 (the "License"); you may not use this file
+;+# except in compliance with the License. You may obtain a copy of
+;+# the License at http://www.mozilla.org/MPL/
+;+#
+;+# Software distributed under the License is distributed on an "AS
+;+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+;+# implied. See the License for the specific language governing
+;+# rights and limitations under the License.
+;+#
+;+# The Original Code is the Netscape security libraries.
+;+#
+;+# The Initial Developer of the Original Code is Netscape
+;+# Communications Corporation. Portions created by Netscape are
+;+# Copyright (C) 2000 Netscape Communications Corporation. All
+;+# Rights Reserved.
+;+#
+;+# Contributor(s):
+;+# Dr Stephen Henson <stephen.henson@gemplus.com>
+;+#
+;+# Alternatively, the contents of this file may be used under the
+;+# terms of the GNU General Public License Version 2 or later (the
+;+# "GPL"), in which case the provisions of the GPL are applicable
+;+# instead of those above. If you wish to allow use of your
+;+# version of this file only under the terms of the GPL and not to
+;+# allow others to use your version of this file under the MPL,
+;+# indicate your decision by deleting the provisions above and
+;+# replace them with the notice and other provisions required by
+;+# the GPL. If you do not delete the provisions above, a recipient
+;+# may use your version of this file under either the MPL or the
+;+# GPL.
+;+#
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+# 1. For all unix platforms, the string ";-" means "remove this line"
+;+# 2. For all unix platforms, the string " DATA " will be removed from any
+;+# line on which it occurs.
+;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+# On AIX, lines containing ";+" will be removed.
+;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+# 5. For all unix platforms, after the above processing has taken place,
+;+# all characters after the first ";" on the line will be removed.
+;+# And for AIX, the first ";" will also be removed.
+;+# This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+# directives are hidden behind ";", ";+", and ";-"
+;+NSS_3.2 { # NSS 3.2 release
+;+ global:
+LIBRARY nss3 ;-
+EXPORTS ;-
+ATOB_AsciiToData;
+BTOA_ConvertItemToAscii;
+BTOA_DataToAscii;
+CERT_AsciiToName;
+CERT_CertTimesValid;
+CERT_CheckCertValidTimes;
+CERT_CreateCertificateRequest;
+CERT_ChangeCertTrust;
+CERT_DecodeDERCrl;
+CERT_DestroyCertificateRequest;
+CERT_DestroyCertList;
+CERT_DestroyName;
+CERT_EnableOCSPChecking;
+CERT_FormatName;
+CERT_DestroyCertificate;
+CERT_DupCertificate;
+CERT_FreeDistNames;
+CERT_FreeNicknames;
+CERT_GetAVATag;
+CERT_GetCertEmailAddress;
+CERT_GetCertNicknames;
+CERT_GetCertIssuerAndSN;
+CERT_GetCertTrust;
+CERT_GetCertUid;
+CERT_GetCommonName;
+CERT_GetCountryName;
+CERT_GetDBContentVersion;
+CERT_GetDefaultCertDB;
+CERT_GetDomainComponentName;
+CERT_GetLocalityName;
+CERT_GetOrgName;
+CERT_GetOrgUnitName;
+CERT_GetSSLCACerts;
+CERT_GetSlopTime;
+CERT_GetStateName;
+CERT_ImportCAChain;
+CERT_NameToAscii;
+CERT_RFC1485_EscapeAndQuote;
+CERT_SetSlopTime;
+CERT_VerifyCertName;
+CERT_VerifyCertNow;
+DER_UTCDayToAscii;
+DER_UTCTimeToAscii;
+DER_GeneralizedTimeToTime;
+NSS_Init;
+NSS_Initialize;
+NSS_InitReadWrite;
+NSS_NoDB_Init;
+NSS_Shutdown;
+NSS_VersionCheck;
+PK11_Authenticate;
+PK11_ChangePW;
+PK11_CheckUserPassword;
+PK11_CipherOp;
+PK11_CloneContext;
+PK11_ConfigurePKCS11;
+PK11_CreateContextBySymKey;
+PK11_CreateDigestContext;
+PK11_DestroyContext;
+PK11_DestroyTokenObject;
+PK11_DigestBegin;
+PK11_DigestOp;
+PK11_DigestFinal;
+PK11_DoesMechanism;
+PK11_FindCertFromNickname;
+PK11_FindCertFromDERCert;
+PK11_FindCertByIssuerAndSN;
+PK11_FindKeyByAnyCert;
+PK11_FindKeyByDERCert;
+PK11_FindSlotByName;
+PK11_Finalize;
+PK11_FortezzaHasKEA;
+PK11_FreeSlot;
+PK11_FreeSlotList;
+PK11_FreeSymKey;
+PK11_GenerateKeyPair;
+PK11_GenerateRandom;
+PK11_GenerateNewParam;
+PK11_GetAllTokens;
+PK11_GetBlockSize;
+PK11_GetFirstSafe;
+PK11_GetInternalKeySlot;
+PK11_GetInternalSlot;
+PK11_GetSlotName;
+PK11_GetTokenName;
+PK11_HashBuf;
+PK11_IsFIPS;
+PK11_IsFriendly;
+PK11_IsInternal;
+PK11_IsHW;
+PK11_IsPresent;
+PK11_IsReadOnly;
+PK11_KeyGen;
+PK11_ListCerts;
+PK11_NeedLogin;
+PK11_RandomUpdate;
+PK11_SetPasswordFunc;
+PK11_SetSlotPWValues;
+PORT_Alloc;
+PORT_Free;
+PORT_GetError;
+PORT_SetError;
+PORT_SetUCS4_UTF8ConversionFunction;
+PORT_SetUCS2_UTF8ConversionFunction;
+PORT_SetUCS2_ASCIIConversionFunction;
+SECITEM_CopyItem;
+SECITEM_DupItem;
+SECITEM_FreeItem;
+SECITEM_ZfreeItem;
+SECKEY_ConvertToPublicKey;
+SECKEY_CopyPrivateKey;
+SECKEY_CreateSubjectPublicKeyInfo;
+SECKEY_DestroyPrivateKey;
+SECKEY_DestroySubjectPublicKeyInfo;
+SECMOD_IsModulePresent;
+SECOID_FindOIDTagDescription;
+SECOID_GetAlgorithmTag;
+SEC_DeletePermCertificate;
+SEC_DeletePermCRL;
+SEC_DerSignData;
+SEC_DestroyCrl;
+SEC_FindCrlByDERCert;
+SEC_FindCrlByName;
+SEC_LookupCrls;
+SEC_NewCrl;
+;+#
+;+# The following symbols are exported only to make libssl3.so work.
+;+# These are still private!!!
+;+#
+__CERT_NewTempCertificate;
+__PK11_CreateContextByRawKey;
+__PK11_GetKeyData;
+__nss_InitLock;
+CERT_CertChainFromCert;
+CERT_DestroyCertificateList;
+CERT_DupCertList;
+CERT_ExtractPublicKey;
+CERT_FindCertByName;
+DER_Lengths;
+DSAU_DecodeDerSig;
+DSAU_EncodeDerSig;
+HASH_GetHashObject;
+NSSRWLock_Destroy;
+NSSRWLock_HaveWriteLock;
+NSSRWLock_LockRead;
+NSSRWLock_LockWrite;
+NSSRWLock_New;
+NSSRWLock_UnlockRead;
+NSSRWLock_UnlockWrite;
+NSS_PutEnv;
+PK11_Derive;
+PK11_DeriveWithFlags;
+PK11_DigestKey;
+PK11_FindBestKEAMatch;
+PK11_FindFixedKey;
+PK11_GenerateFortezzaIV;
+PK11_GetBestKeyLength;
+PK11_GetBestSlot;
+PK11_GetBestSlotMultiple;
+PK11_GetBestWrapMechanism;
+PK11_GetCurrentWrapIndex;
+PK11_GetMechanism;
+PK11_GetModuleID;
+PK11_GetPrivateModulusLen;
+PK11_GetSlotFromKey;
+PK11_GetSlotFromPrivateKey;
+PK11_GetSlotID;
+PK11_GetSlotSeries;
+PK11_GetTokenInfo;
+PK11_GetWindow;
+PK11_GetWrapKey;
+PK11_IVFromParam;
+PK11_MakeKEAPubKey;
+PK11_ParamFromIV;
+PK11_PubDecryptRaw;
+PK11_PubDerive;
+PK11_PubEncryptRaw;
+PK11_PubUnwrapSymKey;
+PK11_PubWrapSymKey;
+PK11_ReferenceSymKey;
+PK11_RestoreContext;
+PK11_SaveContext;
+PK11_SetFortezzaHack;
+PK11_SetWrapKey;
+PK11_Sign;
+PK11_SignatureLen;
+PK11_SymKeyFromHandle;
+PK11_TokenExists;
+PK11_UnwrapSymKey;
+PK11_UnwrapSymKeyWithFlags;
+PK11_Verify;
+PK11_VerifyKeyOK;
+PK11_WrapSymKey;
+PORT_ArenaAlloc;
+PORT_ArenaZAlloc;
+PORT_FreeArena;
+PORT_NewArena;
+PORT_Realloc;
+PORT_ZAlloc;
+PORT_ZFree;
+RSA_FormatBlock;
+SECITEM_CompareItem;
+SECKEY_CreateRSAPrivateKey;
+SECKEY_DestroyPublicKey;
+SECKEY_PublicKeyStrength;
+SECKEY_UpdateCertPQG;
+SECMOD_LookupSlot;
+SGN_Begin;
+SGN_DestroyContext;
+SGN_End;
+SGN_NewContext;
+SGN_Update;
+VFY_Begin;
+VFY_CreateContext;
+VFY_DestroyContext;
+VFY_End;
+VFY_Update;
+;+#
+;+# The following symbols are exported only to make libsmime3.so work.
+;+# These are still private!!!
+;+#
+__CERT_ClosePermCertDB;
+__CERT_DecodeDERCertificate;
+__CERT_TraversePermCertsForNickname;
+__CERT_TraversePermCertsForSubject;
+__PBE_CreateContext;
+__PBE_DestroyContext;
+__PBE_GenerateBits;
+ATOB_ConvertAsciiToItem;
+CERT_AddCertToListTail;
+CERT_CertListFromCert;
+CERT_DestroyCertArray;
+CERT_FindCertByDERCert;
+CERT_FindCertByIssuerAndSN;
+CERT_FindSMimeProfile;
+CERT_ImportCerts;
+CERT_NewCertList;
+CERT_OpenCertDBFilename;
+CERT_SaveSMimeProfile;
+CERT_VerifyCert;
+DER_GetInteger;
+DER_TimeToUTCTime;
+DER_UTCTimeToTime;
+PK11_AlgtagToMechanism;
+PK11_BlockData;
+PK11_CreatePBEAlgorithmID;
+PK11_DestroyObject;
+PK11_ExportEncryptedPrivateKeyInfo;
+PK11_ExportPrivateKeyInfo;
+PK11_FindCertAndKeyByRecipientList;
+PK11_FindCertAndKeyByRecipientListNew;
+PK11_FindCertInSlot;
+PK11_FindPrivateKeyFromCert;
+PK11_FortezzaMapSig;
+PK11_GetKeyLength;
+PK11_GetKeyStrength;
+PK11_ImportCertForKeyToSlot;
+PK11_ImportEncryptedPrivateKeyInfo;
+PK11_ImportPrivateKeyInfo;
+PK11_MapPBEMechanismToCryptoMechanism;
+PK11_PBEKeyGen;
+PK11_ParamFromAlgid;
+PK11_ParamToAlgid;
+PK11_TraverseCertsForNicknameInSlot;
+PK11_TraverseCertsForSubjectInSlot;
+PORT_ArenaGrow;
+PORT_ArenaMark;
+PORT_ArenaRelease;
+PORT_ArenaStrdup;
+PORT_ArenaUnmark;
+PORT_UCS2_ASCIIConversion;
+PORT_UCS2_UTF8Conversion;
+SECITEM_AllocItem;
+SECKEY_CopyEncryptedPrivateKeyInfo;
+SECKEY_CopyPrivateKeyInfo;
+SECKEY_DestroyEncryptedPrivateKeyInfo;
+SECKEY_DestroyPrivateKeyInfo;
+SECOID_CompareAlgorithmID;
+SECOID_CopyAlgorithmID;
+SECOID_DestroyAlgorithmID;
+SECOID_FindOID;
+SECOID_FindOIDByTag;
+SECOID_FindOIDTag;
+SECOID_SetAlgorithmID;
+SEC_ASN1DecodeInteger;
+SEC_ASN1DecodeItem;
+SEC_ASN1DecoderClearFilterProc;
+SEC_ASN1DecoderClearNotifyProc;
+SEC_ASN1DecoderFinish;
+SEC_ASN1DecoderSetFilterProc;
+SEC_ASN1DecoderSetNotifyProc;
+SEC_ASN1DecoderStart;
+SEC_ASN1DecoderUpdate;
+SEC_ASN1Encode;
+SEC_ASN1EncodeInteger;
+SEC_ASN1EncodeItem;
+SEC_ASN1EncoderClearNotifyProc;
+SEC_ASN1EncoderClearStreaming;
+SEC_ASN1EncoderClearTakeFromBuf;
+SEC_ASN1EncoderFinish;
+SEC_ASN1EncoderSetNotifyProc;
+SEC_ASN1EncoderSetStreaming;
+SEC_ASN1EncoderSetTakeFromBuf;
+SEC_ASN1EncoderStart;
+SEC_ASN1EncoderUpdate;
+SEC_ASN1LengthLength;
+SEC_PKCS5GetCryptoAlgorithm;
+SEC_PKCS5GetKeyLength;
+SEC_PKCS5GetPBEAlgorithm;
+SEC_PKCS5IsAlgorithmPBEAlg;
+SEC_SignData;
+SGN_CompareDigestInfo;
+SGN_CopyDigestInfo;
+SGN_CreateDigestInfo;
+SGN_DestroyDigestInfo;
+SGN_Digest;
+VFY_VerifyData;
+VFY_VerifyDigest;
+;+#
+;+# Data objects
+;+#
+;+# Don't export these DATA symbols on Windows because they don't work right.
+;;CERT_CrlTemplate DATA ;
+;;CERT_SignedDataTemplate DATA ;
+;;CERT_CertificateTemplate DATA ;
+;;CERT_CertificateRequestTemplate DATA ;
+;;CERT_IssuerAndSNTemplate DATA ;
+;;CERT_SetOfSignedCrlTemplate DATA ;
+;;SECKEY_DSAPublicKeyTemplate DATA ;
+;;SECKEY_EncryptedPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PointerToEncryptedPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PointerToPrivateKeyInfoTemplate DATA ;
+;;SECKEY_PrivateKeyInfoTemplate DATA ;
+;;SECKEY_RSAPublicKeyTemplate DATA ;
+;;SECOID_AlgorithmIDTemplate DATA ;
+;;SEC_AnyTemplate DATA ;
+;;SEC_BMPStringTemplate DATA ;
+;;SEC_BitStringTemplate DATA ;
+;;SEC_GeneralizedTimeTemplate DATA ;
+;;SEC_IA5StringTemplate DATA ;
+;;SEC_IntegerTemplate DATA ;
+;;SEC_ObjectIDTemplate DATA ;
+;;SEC_OctetStringTemplate DATA ;
+;;SEC_PointerToAnyTemplate DATA ;
+;;SEC_PointerToOctetStringTemplate DATA ;
+;;SEC_SetOfAnyTemplate DATA ;
+;;SEC_UTCTimeTemplate DATA ;
+;;sgn_DigestInfoTemplate DATA ;
+NSS_Get_CERT_CrlTemplate;
+NSS_Get_CERT_SignedDataTemplate;
+NSS_Get_CERT_CertificateTemplate;
+NSS_Get_CERT_CertificateRequestTemplate;
+NSS_Get_CERT_IssuerAndSNTemplate;
+NSS_Get_CERT_SetOfSignedCrlTemplate;
+NSS_Get_SECKEY_DSAPublicKeyTemplate;
+NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
+NSS_Get_SECKEY_PrivateKeyInfoTemplate;
+NSS_Get_SECKEY_RSAPublicKeyTemplate;
+NSS_Get_SECOID_AlgorithmIDTemplate;
+NSS_Get_SEC_AnyTemplate;
+NSS_Get_SEC_BMPStringTemplate;
+NSS_Get_SEC_BitStringTemplate;
+NSS_Get_SEC_GeneralizedTimeTemplate;
+NSS_Get_SEC_IA5StringTemplate;
+NSS_Get_SEC_IntegerTemplate;
+NSS_Get_SEC_ObjectIDTemplate;
+NSS_Get_SEC_OctetStringTemplate;
+NSS_Get_SEC_PointerToAnyTemplate;
+NSS_Get_SEC_PointerToOctetStringTemplate;
+NSS_Get_SEC_SetOfAnyTemplate;
+NSS_Get_SEC_UTCTimeTemplate;
+NSS_Get_sgn_DigestInfoTemplate;
+;+# commands
+CERT_DecodeBasicConstraintValue;
+CERT_DecodeOidSequence;
+CERT_DecodeUserNotice;
+CERT_DecodeCertificatePoliciesExtension;
+CERT_DestroyCertificatePoliciesExtension;
+CERT_FindCertByNicknameOrEmailAddr;
+CERT_FindCertByNickname;
+CERT_GenTime2FormattedAscii;
+CERT_Hexify;
+CERT_CompareName;
+PK11SDR_Encrypt;
+PK11SDR_Decrypt;
+NSSBase64Decoder_Create;
+NSSBase64Decoder_Destroy;
+NSSBase64Decoder_Update;
+NSSBase64Encoder_Create;
+NSSBase64Encoder_Destroy;
+NSSBase64Encoder_Update;
+;+#PK11_DoPassword;
+;+#PK11_FindKeyByKeyID;
+PK11_InitPin;
+PK11_NeedUserInit;
+;+ local:
+;+ *;
+;+};
+;+NSS_3.2.1 { # NSS 3.2.1 release
+;+ global:
+CERT_AddRDN;
+CERT_CreateRDN;
+CERT_CreateAVA;
+CERT_CreateName;
+;+ local:
+;+ *;
+;+};
+;+NSS_3.3 { # NSS 3.3. release
+;+ global:
+CERT_CheckCertUsage;
+CERT_FindCertIssuer;
+PK11_GetModule;
+SECKEY_CreateDHPrivateKey;
+SECKEY_GetPublicKeyType;
+SECMOD_AddNewModule;
+;+#
+;+# The following symbols are exported only to make JSS work.
+;+# These are still private!!!
+;+#
+CERT_DisableOCSPChecking;
+CERT_DisableOCSPDefaultResponder;
+CERT_EnableOCSPDefaultResponder;
+CERT_GetCertTimes;
+CERT_ImportCAChainTrusted;
+CERT_ImportCRL;
+CERT_IsCACert;
+CERT_IsCADERCert;
+CERT_SetOCSPDefaultResponder;
+PBE_CreateContext;
+PBE_DestroyContext;
+PBE_GenerateBits;
+PK11_CheckSSOPassword;
+PK11_CopySymKeyForSigning;
+PK11_DeleteTokenCertAndKey;
+PK11_DEREncodePublicKey;
+PK11_ExtractKeyValue;
+PK11_FindCertsFromNickname;
+PK11_FindKeyByKeyID;
+PK11_GetIVLength;
+PK11_GetKeyData;
+PK11_GetKeyType;
+PK11_GetLowLevelKeyIDForCert;
+PK11_GetLowLevelKeyIDForPrivateKey;
+PK11_GetSlotPWValues;
+PK11_ImportCertForKey;
+PK11_ImportDERCertForKey;
+PK11_ImportDERPrivateKeyInfo;
+PK11_ImportSymKey;
+PK11_IsLoggedIn;
+PK11_KeyForDERCertExists;
+PK11_KeyForCertExists;
+PK11_ListPrivateKeysInSlot;
+PK11_ListCertsInSlot;
+PK11_Logout;
+PK11_NeedPWInit;
+PK11_MakeIDFromPubKey;
+PK11_PQG_DestroyParams;
+PK11_PQG_DestroyVerify;
+PK11_PQG_GetBaseFromParams;
+PK11_PQG_GetCounterFromVerify;
+PK11_PQG_GetHFromVerify;
+PK11_PQG_GetPrimeFromParams;
+PK11_PQG_GetSeedFromVerify;
+PK11_PQG_GetSubPrimeFromParams;
+PK11_PQG_NewParams;
+PK11_PQG_NewVerify;
+PK11_PQG_ParamGen;
+PK11_PQG_ParamGenSeedLen;
+PK11_PQG_VerifyParams;
+PK11_ReferenceSlot;
+PK11_SeedRandom;
+PK11_UnwrapPrivKey;
+PK11_VerifyRecover;
+PK11_WrapPrivKey;
+SEC_CertNicknameConflict;
+SEC_PKCS5GetIV;
+SECMOD_DeleteInternalModule;
+SECMOD_DestroyModule;
+SECMOD_GetDefaultModuleList;
+SECMOD_GetDefaultModuleListLock;
+SECMOD_GetInternalModule;
+SECMOD_GetReadLock;
+SECMOD_ReferenceModule;
+SECMOD_ReleaseReadLock;
+SECKEY_AddPrivateKeyToListTail;
+SECKEY_EncodeDERSubjectPublicKeyInfo;
+SECKEY_ExtractPublicKey;
+SECKEY_DestroyPrivateKeyList;
+SECKEY_GetPrivateKeyType;
+SECKEY_HashPassword;
+SECKEY_ImportDERPublicKey;
+SECKEY_NewPrivateKeyList;
+SECKEY_RemovePrivateKeyListNode;
+VFY_EndWithSignature;
+;+ local:
+;+ *;
+;+};
+;+NSS_3.3.1 { # NSS 3.3.1 release
+;+ global:
+;+#
+;+# The following symbols are exported only to make libsmime3.so work.
+;+# These are still private!!!
+;+#
+PK11_CreatePBEParams;
+PK11_DestroyPBEParams;
+;+ local:
+;+ *;
+;+};
+;+NSS_3.4 { # NSS 3.4 release
+;+ global:
+SECMOD_AddNewModuleEx;
+SECMOD_DeleteModule;
+SECMOD_FreeModuleSpecList;
+SECMOD_GetModuleSpecList;
+SECMOD_LoadModule;
+SECMOD_LoadUserModule;
+SECMOD_UnloadUserModule;
+SECMOD_UpdateModule;
+;+# for PKCS #12
+PK11_RawPBEKeyGen;
+;+# for PSM
+__CERT_AddTempCertToPerm;
+CERT_AddOKDomainName;
+CERT_CopyName;
+CERT_CreateSubjectCertList;
+CERT_DecodeAVAValue;
+;+#CERT_DecodeCertFromPackage;
+CERT_DecodeGeneralName;
+CERT_DecodeTrustString;
+CERT_DerNameToAscii;
+CERT_EncodeGeneralName;
+CERT_FilterCertListByCANames;
+CERT_FilterCertListByUsage;
+CERT_FindCertExtension;
+CERT_FindKeyUsageExtension;
+CERT_FindUserCertByUsage;
+CERT_FindUserCertsByUsage;
+CERT_GetCertChainFromCert;
+CERT_GetOCSPAuthorityInfoAccessLocation;
+CERT_KeyFromDERCrl;
+CERT_MakeCANickname;
+CERT_NicknameStringsFromCertList;
+CERT_VerifySignedData;
+DER_Encode;
+HASH_Begin;
+HASH_Create;
+HASH_Destroy;
+HASH_End;
+HASH_ResultLen;
+HASH_Update;
+NSSBase64_DecodeBuffer; # from Stan
+NSSBase64_EncodeItem; # from Stan
+PK11_GetKeyGen;
+PK11_GetMinimumPwdLength;
+PK11_GetNextSafe;
+PK11_GetPadMechanism;
+PK11_GetSlotInfo;
+PK11_HasRootCerts;
+PK11_IsDisabled;
+PK11_LoadPrivKey;
+PK11_LogoutAll;
+PK11_MechanismToAlgtag;
+PK11_ResetToken;
+PK11_TraverseSlotCerts;
+SEC_ASN1Decode;
+SECKEY_CopySubjectPublicKeyInfo;
+SECMOD_CreateModule;
+SECMOD_FindModule;
+SECMOD_FindSlot;
+SECMOD_PubCipherFlagstoInternal;
+SECMOD_PubMechFlagstoInternal;
+;;CERT_NameTemplate DATA ;
+;;CERT_SubjectPublicKeyInfoTemplate DATA ;
+;;SEC_BooleanTemplate DATA ;
+;;SEC_NullTemplate DATA ;
+;;SEC_SignedCertificateTemplate DATA ;
+;;SEC_UTF8StringTemplate DATA ;
+NSS_Get_CERT_NameTemplate;
+NSS_Get_CERT_SubjectPublicKeyInfoTemplate;
+NSS_Get_SEC_BooleanTemplate;
+NSS_Get_SEC_NullTemplate;
+NSS_Get_SEC_SignedCertificateTemplate;
+NSS_Get_SEC_UTF8StringTemplate;
+;+# for JSS
+PK11_DeleteTokenPrivateKey;
+PK11_DeleteTokenPublicKey;
+PK11_DeleteTokenSymKey;
+PK11_GetNextSymKey;
+PK11_GetPQGParamsFromPrivateKey;
+PK11_GetPrivateKeyNickname;
+PK11_GetPublicKeyNickname;
+PK11_GetSymKeyNickname;
+PK11_ImportDERPrivateKeyInfoAndReturnKey;
+PK11_ImportPrivateKeyInfoAndReturnKey;
+PK11_ImportPublicKey;
+PK11_ImportSymKeyWithFlags;
+PK11_ListFixedKeysInSlot;
+PK11_ListPrivKeysInSlot;
+PK11_ListPublicKeysInSlot;
+PK11_ProtectedAuthenticationPath;
+PK11_SetPrivateKeyNickname;
+PK11_SetPublicKeyNickname;
+PK11_SetSymKeyNickname;
+SECKEY_DecodeDERSubjectPublicKeyInfo;
+SECKEY_DestroyPublicKeyList;
+;+# for debugging
+nss_DumpCertificateCacheInfo;
+;+ local:
+;+ *;
+;+};
+;+NSS_3.5 { # cert creation APIs used by certutil
+;+ global:
+CERT_AddExtension;
+CERT_CopyRDN;
+CERT_CreateCertificate;
+CERT_CreateValidity;
+CERT_DestroyValidity;
+CERT_EncodeAndAddBitStrExtension;
+CERT_EncodeAuthKeyID;
+CERT_EncodeBasicConstraintValue;
+CERT_EncodeCRLDistributionPoints;
+CERT_FinishExtensions;
+CERT_StartCertExtensions;
+DER_AsciiToTime;
+PK11_ImportCert;
+PORT_Strdup;
+SECMOD_CanDeleteInternalModule;
+;+ local:
+;+ *;
+;+};
+;+NSS_3.6 { # NSS 3.6 release
+;+ global:
+CERT_AddOCSPAcceptableResponses;
+CERT_CompleteCRLDecodeEntries;
+CERT_CreateOCSPCertID;
+CERT_CreateOCSPRequest;
+CERT_DecodeDERCrlWithFlags;
+CERT_DecodeOCSPResponse;
+CERT_DestroyOCSPCertID;
+CERT_DestroyOCSPRequest;
+CERT_EncodeOCSPRequest;
+CERT_FilterCertListForUserCerts;
+CERT_GetOCSPResponseStatus;
+CERT_GetOCSPStatusForCertID;
+CERT_IsUserCert;
+CERT_RemoveCertListNode;
+CERT_VerifyCACertForUsage;
+CERT_VerifyCertificate;
+CERT_VerifyCertificateNow;
+CERT_VerifyOCSPResponseSignature;
+PK11_ConvertSessionPrivKeyToTokenPrivKey;
+PK11_ConvertSessionSymKeyToTokenSymKey;
+PK11_GetModInfo;
+PK11_GetPBEIV;
+PK11_ImportCRL;
+PK11_ImportDERCert;
+PK11_PubUnwrapSymKeyWithFlags;
+PK11_SaveContextAlloc;
+PK11_TokenKeyGen;
+SEC_QuickDERDecodeItem;
+SECKEY_CopyPublicKey;
+;+ local:
+;+ *;
+;+};
+;+NSS_3.7 { # NSS 3.7 release
+;+ global:
+CERT_CRLCacheRefreshIssuer;
+CERT_EncodeAltNameExtension;
+CERT_GetFirstEmailAddress;
+CERT_GetNextEmailAddress;
+CERT_VerifySignedDataWithPubKeyInfo;
+CERT_VerifySignedDataWithPublicKey;
+PK11_WaitForTokenEvent;
+;+ local:
+;+ *;
+;+};
diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h
new file mode 100644
index 000000000..0a450659c
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11func.h
@@ -0,0 +1,614 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation. Portions created by Netscape are
+ * Copyright (C) 1994-2000 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above. If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL. If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * PKCS #11 Wrapper functions which handles authenticating to the card's
+ * choosing the best cards, etc.
+ */
+#ifndef _PK11FUNC_H_
+#define _PK11FUNC_H_
+#include "plarena.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "secdert.h"
+#include "keyt.h"
+#include "certt.h"
+#include "pkcs11t.h"
+#include "secmodt.h"
+#include "seccomon.h"
+#include "pkcs7t.h"
+#include "cmsreclist.h"
+
+SEC_BEGIN_PROTOS
+
+/************************************************************
+ * Generic Slot Lists Management
+ ************************************************************/
+PK11SlotList * PK11_NewSlotList(void);
+void PK11_FreeSlotList(PK11SlotList *list);
+SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot);
+SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le);
+PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list);
+PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list,
+ PK11SlotListElement *le, PRBool restart);
+PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list,
+ PK11SlotInfo *slot);
+
+/************************************************************
+ * Generic Slot Management
+ ************************************************************/
+PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot);
+PK11SlotInfo *PK11_FindSlotByID(SECMODModuleID modID,CK_SLOT_ID slotID);
+void PK11_FreeSlot(PK11SlotInfo *slot);
+SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
+SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object);
+CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject);
+SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result);
+CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE type);
+PK11SlotInfo *PK11_GetInternalKeySlot(void);
+PK11SlotInfo *PK11_GetInternalSlot(void);
+char * PK11_MakeString(PRArenaPool *arena,char *space,char *staticSring,
+ int stringLen);
+int PK11_MapError(CK_RV error);
+CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot);
+void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession);
+PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot,
+ CK_SESSION_HANDLE session_handle);
+PK11SlotInfo *PK11_NewSlotInfo(void);
+SECStatus PK11_Logout(PK11SlotInfo *slot);
+void PK11_LogoutAll(void);
+void PK11_EnterSlotMonitor(PK11SlotInfo *);
+void PK11_ExitSlotMonitor(PK11SlotInfo *);
+void PK11_CleanKeyList(PK11SlotInfo *slot);
+
+
+/************************************************************
+ * Slot Password Management
+ ************************************************************/
+void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout);
+void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout);
+SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw);
+SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw);
+SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
+PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx);
+SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw);
+SECStatus PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *pk11_userpwd);
+SECStatus PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw);
+void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx);
+void PK11_SetPasswordFunc(PK11PasswordFunc func);
+void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
+void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func);
+int PK11_GetMinimumPwdLength(PK11SlotInfo *slot);
+SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd);
+
+/************************************************************
+ * Manage the built-In Slot Lists
+ ************************************************************/
+SECStatus PK11_InitSlotLists(void);
+void PK11_DestroySlotLists(void);
+PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type);
+void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count);
+void PK11_ClearSlotList(PK11SlotInfo *slot);
+
+
+/******************************************************************
+ * Slot initialization
+ ******************************************************************/
+PRBool PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
+ CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv);
+PRBool PK11_VerifySlotMechanisms(PK11SlotInfo *slot);
+SECStatus pk11_CheckVerifyTest(PK11SlotInfo *slot);
+SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts);
+SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx);
+void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot);
+
+
+/******************************************************************
+ * Slot info functions
+ ******************************************************************/
+PK11SlotInfo *PK11_FindSlotByName(char *name);
+PK11SlotInfo *PK11_FindSlotBySerial(char *serial);
+PRBool PK11_IsReadOnly(PK11SlotInfo *slot);
+PRBool PK11_IsInternal(PK11SlotInfo *slot);
+char * PK11_GetTokenName(PK11SlotInfo *slot);
+char * PK11_GetSlotName(PK11SlotInfo *slot);
+PRBool PK11_NeedLogin(PK11SlotInfo *slot);
+PRBool PK11_IsFriendly(PK11SlotInfo *slot);
+PRBool PK11_IsHW(PK11SlotInfo *slot);
+PRBool PK11_NeedUserInit(PK11SlotInfo *slot);
+PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot);
+int PK11_GetSlotSeries(PK11SlotInfo *slot);
+int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot);
+unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot);
+CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot);
+SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot);
+SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info);
+SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info);
+PRBool PK11_IsDisabled(PK11SlotInfo *slot);
+PRBool PK11_HasRootCerts(PK11SlotInfo *slot);
+PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot);
+/* Prevents the slot from being used, and set disable reason to user-disable */
+/* NOTE: Mechanisms that were ON continue to stay ON */
+/* Therefore, when the slot is enabled, it will remember */
+/* what mechanisms needs to be turned on */
+PRBool PK11_UserDisableSlot(PK11SlotInfo *slot);
+/* Allow all mechanisms that are ON before UserDisableSlot() */
+/* was called to be available again */
+PRBool PK11_UserEnableSlot(PK11SlotInfo *slot);
+/*
+ * wait for a specific slot event.
+ * event is a specific event to wait for. Currently only
+ * PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined.
+ * timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only
+ * poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change).
+ * pollInterval is a suggested pulling interval value. '0' means use the
+ * default. Future implementations that don't poll may ignore this value.
+ * series is the current series for the last slot. This should be the series
+ * value for the slot the last time you read persistant information from the
+ * slot. For instance, if you publish a cert from the slot, you should obtain
+ * the slot series at that time. Then PK11_WaitForTokenEvent can detect a
+ * a change in the slot between the time you publish and the time
+ * PK11_WaitForTokenEvent is called, elliminating potential race conditions.
+ *
+ * The current status that is returned is:
+ * PK11TokenNotRemovable - always returned for any non-removable token.
+ * PK11TokenPresent - returned when the token is present and we are waiting
+ * on a PK11TokenPresentEvent. Then next event to look for is a
+ * PK11TokenChangeOrRemovalEvent.
+ * PK11TokenChanged - returned when the old token has been removed and a new
+ * token ad been inserted, and we are waiting for a
+ * PK11TokenChangeOrRemovalEvent. The next event to look for is another
+ * PK11TokenChangeOrRemovalEvent.
+ * PK11TokenRemoved - returned when the token is not present and we are
+ * waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for
+ * is a PK11TokenPresentEvent.
+ */
+PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
+ PRIntervalTime timeout, PRIntervalTime pollInterval, int series);
+
+PRBool PK11_NeedPWInit(void);
+PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot);
+PRBool PK11_TokenExists(CK_MECHANISM_TYPE);
+SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info);
+PRBool PK11_IsFIPS(void);
+SECMODModule *PK11_GetModule(PK11SlotInfo *slot);
+
+/*********************************************************************
+ * Slot mapping utility functions.
+ *********************************************************************/
+PRBool PK11_IsPresent(PK11SlotInfo *slot);
+PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
+PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW,
+ PRBool loadCerts, void *wincx);
+PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,
+ PRBool needRW,void *wincx);
+PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int count,
+ void *wincx);
+PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx);
+CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot);
+int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
+
+/*********************************************************************
+ * Mechanism Mapping functions
+ *********************************************************************/
+void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
+ CK_MECHANISM_TYPE keygen, int ivLen, int blocksize);
+CK_MECHANISM_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len);
+CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type);
+int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params);
+int PK11_GetIVLength(CK_MECHANISM_TYPE type);
+SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv);
+unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len);
+SECItem * PK11_BlockData(SECItem *data,unsigned long size);
+
+/* PKCS #11 to DER mapping functions */
+SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid);
+SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *);
+CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag);
+SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type);
+SECOidTag PK11_FortezzaMapSig(SECOidTag algTag);
+SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param,
+ PRArenaPool *arena, SECAlgorithmID *algid);
+SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len);
+SECStatus PK11_RandomUpdate(void *data, size_t bytes);
+SECStatus PK11_GenerateRandom(unsigned char *data,int len);
+CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
+ CK_MECHANISM_PTR pCryptoMechanism,
+ SECItem *pbe_pwd, PRBool bad3DES);
+CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE);
+
+/**********************************************************************
+ * Symetric, Public, and Private Keys
+ **********************************************************************/
+PK11SymKey *PK11_CreateSymKey(PK11SlotInfo *slot,
+ CK_MECHANISM_TYPE type, void *wincx);
+void PK11_FreeSymKey(PK11SymKey *key);
+PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey);
+PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+ PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx);
+PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot,
+ CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
+ SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx);
+PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent,
+ PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID,
+ PRBool owner, void *wincx);
+PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap,
+ CK_MECHANISM_TYPE type,int series, void *wincx);
+void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey);
+CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey);
+CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot,
+ SECKEYPublicKey *pubKey, PRBool isToken);
+PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+ SECItem *param, int keySize,void *wincx);
+PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+ SECItem *param, int keySize, SECItem *keyid,
+ PRBool isToken, void *wincx);
+PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname,
+ void *wincx);
+PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey);
+
+/* Key Generation specialized for SDR (fixed DES3 key) */
+PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx);
+
+SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
+ PK11SymKey *symKey, SECItem *wrappedKey);
+SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
+ PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
+PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism,
+ SECItem *param, CK_MECHANISM_TYPE target,
+ CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey,
+ CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target,
+ CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags);
+PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey,
+ SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB,
+ CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target,
+ CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ;
+PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key,
+ CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey,
+ CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey,
+ CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey,
+ CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize,
+ CK_FLAGS flags);
+PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
+ CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+ SECItem *keyID, void *wincx);
+SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force);
+SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
+SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey);
+SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx);
+SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot,
+ SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey,
+ PRBool token, PRBool sensitive);
+SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType,
+ CK_OBJECT_HANDLE id);
+char * PK11_GetSymKeyNickname(PK11SymKey *symKey);
+char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
+char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
+SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
+SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey,
+ const char *nickname);
+SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey,
+ const char *nickname);
+
+/* size to hold key in bytes */
+unsigned int PK11_GetKeyLength(PK11SymKey *key);
+/* size of actual secret parts of key in bits */
+/* algid is because RC4 strength is determined by the effective bits as well
+ * as the key bits */
+unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
+SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
+SECItem * PK11_GetKeyData(PK11SymKey *symKey);
+PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey);
+void *PK11_GetWindow(PK11SymKey *symKey);
+SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot,
+ CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
+ PRBool isPerm, PRBool isSensitive, void *wincx);
+SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType,
+ PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx);
+SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot,
+ CERTCertificate *cert, void *wincx);
+SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx);
+SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID,
+ void *wincx);
+CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert,
+ void *wincx, PK11SlotInfo **pSlot);
+int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key);
+SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data,
+ unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen);
+/* The encrypt version of the above function */
+SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc,
+ unsigned char *data, unsigned dataLen, void *wincx);
+SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot,
+ SECKEYPrivateKeyInfo *pki, SECItem *nickname,
+ SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+ unsigned int usage, void *wincx);
+SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
+ SECKEYPrivateKeyInfo *pki, SECItem *nickname,
+ SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+ unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
+SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot,
+ SECItem *derPKI, SECItem *nickname,
+ SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+ unsigned int usage, void *wincx);
+SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot,
+ SECItem *derPKI, SECItem *nickname,
+ SECItem *publicValue, PRBool isPerm, PRBool isPrivate,
+ unsigned int usage, SECKEYPrivateKey** privk, void *wincx);
+SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
+ SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem,
+ SECItem *nickname, SECItem *publicValue, PRBool isPerm,
+ PRBool isPrivate, KeyType type,
+ unsigned int usage, void *wincx);
+SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo(
+ CERTCertificate *cert, void *wincx);
+SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo(
+ PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem,
+ CERTCertificate *cert, int iteration, void *wincx);
+SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot,
+ CERTCertificate *cert, void *wincx);
+SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length);
+SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key);
+PRBool PK11_VerifyKeyOK(PK11SymKey *key);
+SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot,
+ PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType,
+ SECItem *param, SECItem *wrappedKey, SECItem *label,
+ SECItem *publicValue, PRBool token, PRBool sensitive,
+ CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount,
+ void *wincx);
+SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey,
+ SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType,
+ SECItem *param, SECItem *wrappedKey, void *wincx);
+PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type,
+ CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
+SECItem *PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx);
+SECItem * PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx);
+SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk);
+PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey,
+ CK_MECHANISM_TYPE mech);
+SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot,
+ char *nickname, void *wincx);
+SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot,
+ char *nickname);
+SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey);
+/* depricated */
+SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot);
+
+PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk,
+ void *wincx);
+SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey(
+ SECKEYPrivateKey *privk, void* wincx);
+
+/**********************************************************************
+ * Certs
+ **********************************************************************/
+SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData);
+CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey);
+SECStatus PK11_TraverseSlotCerts(
+ SECStatus(* callback)(CERTCertificate*,SECItem *,void *),
+ void *arg, void *wincx);
+SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot,
+ SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg);
+CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx);
+CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx);
+SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx);
+SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
+ CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
+SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert,
+ CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust);
+PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, char *nickname,
+ void *wincx);
+PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname,
+ void *wincx);
+CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname,
+ PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount,
+ void *wincx);
+PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert,
+ CK_OBJECT_HANDLE *keyPtr, void *wincx);
+PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert,
+ CK_OBJECT_HANDLE *keyPtr, void *wincx);
+CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer,
+ CK_OBJECT_CLASS o_class);
+CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot,
+ CERTIssuerAndSN *sn, void *wincx);
+CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot,
+ SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip,
+ SECKEYPrivateKey**privKey, void *wincx);
+int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist,
+ void *wincx);
+CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot,
+ CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE type );
+CK_RV PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
+ CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count);
+int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
+SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert,
+ SECStatus(*callback)(CERTCertificate *, void *), void *arg);
+SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert,
+ PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
+ void *arg);
+CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot,
+ CERTCertificate *cert, void *wincx);
+CERTCertificate *PK11_FindCertFromDERSubjectAndNickname(
+ PK11SlotInfo *slot,
+ CERTCertificate *cert, char *nickname,
+ void *wincx);
+SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert,
+ char *nickname, PRBool addUsage,
+ void *wincx);
+CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx);
+SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1,
+ PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2);
+PRBool PK11_FortezzaHasKEA(CERTCertificate *cert);
+CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert,
+ void *wincx);
+SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname,
+ PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *),
+ void *arg);
+SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot,
+ SECStatus(* callback)(CERTCertificate*, void *), void *arg);
+CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg);
+CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot);
+SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx);
+CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
+ int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena, PRInt32 decodeOptions);
+/* import options */
+#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000
+#define CRL_IMPORT_BYPASS_CHECKS 0x00000001
+
+/**********************************************************************
+ * Sign/Verify
+ **********************************************************************/
+int PK11_SignatureLen(SECKEYPrivateKey *key);
+PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key);
+SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash);
+SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig,
+ SECItem *dsig, void * wincx);
+SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig,
+ SECItem *hash, void *wincx);
+
+
+
+/**********************************************************************
+ * Crypto Contexts
+ **********************************************************************/
+void PK11_DestroyContext(PK11Context *context, PRBool freeit);
+PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot,
+ CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation,
+ SECItem *key, SECItem *param, void *wincx);
+PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type,
+ CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param);
+PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg);
+PK11Context *PK11_CloneContext(PK11Context *old);
+SECStatus PK11_DigestBegin(PK11Context *cx);
+SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in,
+ int32 len);
+SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in,
+ unsigned len);
+SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen,
+ int maxout, unsigned char *in, int inlen);
+SECStatus PK11_Finalize(PK11Context *context);
+SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data,
+ unsigned int *outLen, unsigned int length);
+PRBool PK11_HashOK(SECOidTag hashAlg);
+SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save,
+ int *len, int saveLength);
+
+/* Save the context's state, with possible allocation.
+ * The caller may supply an already allocated buffer in preAllocBuf,
+ * with length pabLen. If the buffer is large enough for the context's
+ * state, it will receive the state.
+ * If the buffer is not large enough (or NULL), then a new buffer will
+ * be allocated with PORT_Alloc.
+ * In either case, the state will be returned as a buffer, and the length
+ * of the state will be given in *stateLen.
+ */
+unsigned char *
+PK11_SaveContextAlloc(PK11Context *cx,
+ unsigned char *preAllocBuf, unsigned int pabLen,
+ unsigned int *stateLen);
+
+SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len);
+SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len);
+SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot);
+void PK11_FreeSlotCerts(PK11SlotInfo *slot);
+void PK11_SetFortezzaHack(PK11SymKey *symKey) ;
+
+
+/**********************************************************************
+ * PBE functions
+ **********************************************************************/
+
+/* This function creates PBE parameters from the given inputs. The result
+ * can be used to create a password integrity key for PKCS#12, by sending
+ * the return value to PK11_KeyGen along with the appropriate mechanism.
+ */
+SECItem *
+PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations);
+
+/* free params created above (can be called after keygen is done */
+void PK11_DestroyPBEParams(SECItem *params);
+
+SECAlgorithmID *
+PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt);
+PK11SymKey *
+PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem,
+ PRBool faulty3DES, void *wincx);
+PK11SymKey *
+PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params,
+ SECItem *pwitem, PRBool faulty3DES, void *wincx);
+SECItem *
+PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem);
+
+/**********************************************************************
+ * New fucntions which are already depricated....
+ **********************************************************************/
+SECItem *
+PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot,
+ CERTCertificate *cert, void *pwarg);
+SECItem *
+PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key);
+
+SECItem *
+PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *handle,
+ SECItem *derName, int type, char **url);
+
+CK_OBJECT_HANDLE
+PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl,
+ SECItem *name, char *url, int type);
+
+SECItem *
+PK11_FindSMimeProfile(PK11SlotInfo **slotp, char *emailAddr, SECItem *derSubj,
+ SECItem **profileTime);
+SECStatus
+PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj,
+ SECItem *emailProfile, SECItem *profileTime);
+
+PRBool SECMOD_HasRootCerts(void);
+
+PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle);
+
+char * PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) ;
+SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+ const char *nickname) ;
+
+
+/* private */
+SECStatus pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *),
+ void *cbArg, void *pwArg);
+
+SEC_END_PROTOS
+
+#endif
diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c
new file mode 100644
index 000000000..c87e9400b
--- /dev/null
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -0,0 +1,4656 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation. Portions created by Netscape are
+ * Copyright (C) 1994-2000 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ * Dr Stephen Henson <stephen.henson@gemplus.com>
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above. If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL. If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ */
+/*
+ * Deal with PKCS #11 Slots.
+ */
+#include "seccomon.h"
+#include "secmod.h"
+#include "nssilock.h"
+#include "secmodi.h"
+#include "pkcs11t.h"
+#include "pk11func.h"
+#include "cert.h"
+#include "key.h"
+#include "secitem.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "prtime.h"
+#include "prlong.h"
+#include "secerr.h"
+/*#include "secpkcs5.h" */
+
+#include "dev.h"
+#include "dev3hack.h"
+#include "pki3hack.h"
+#include "pkim.h"
+
+
+/*************************************************************
+ * local static and global data
+ *************************************************************/
+
+/*
+ * This array helps parsing between names, mechanisms, and flags.
+ * to make the config files understand more entries, add them
+ * to this table. (NOTE: we need function to export this table and it's size)
+ */
+PK11DefaultArrayEntry PK11_DefaultArray[] = {
+ { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
+ { "DSA", SECMOD_DSA_FLAG, CKM_DSA },
+ { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
+ { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
+ { "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
+ { "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
+ { "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
+ { "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },
+ { "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
+ { "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
+ { "MD2", SECMOD_MD2_FLAG, CKM_MD2 },
+ { "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
+ { "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE },
+ { "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 },
+ { "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM },
+ { "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM },
+};
+int num_pk11_default_mechanisms = sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
+
+/*
+ * These slotlists are lists of modules which provide default support for
+ * a given algorithm or mechanism.
+ */
+static PK11SlotList pk11_aesSlotList,
+ pk11_desSlotList,
+ pk11_rc4SlotList,
+ pk11_rc2SlotList,
+ pk11_rc5SlotList,
+ pk11_sha1SlotList,
+ pk11_md5SlotList,
+ pk11_md2SlotList,
+ pk11_rsaSlotList,
+ pk11_dsaSlotList,
+ pk11_dhSlotList,
+ pk11_ideaSlotList,
+ pk11_sslSlotList,
+ pk11_tlsSlotList,
+ pk11_randomSlotList;
+
+/*
+ * Tables used for Extended mechanism mapping (currently not used)
+ */
+typedef struct {
+ CK_MECHANISM_TYPE keyGen;
+ CK_KEY_TYPE keyType;
+ CK_MECHANISM_TYPE type;
+ int blockSize;
+ int iv;
+} pk11MechanismData;
+
+static pk11MechanismData pk11_default =
+ { CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET, CKM_FAKE_RANDOM, 8, 8 };
+static pk11MechanismData *pk11_MechanismTable = NULL;
+static int pk11_MechTableSize = 0;
+static int pk11_MechEntrySize = 0;
+
+/*
+ * list of mechanisms we're willing to wrap secret keys with.
+ * This list is ordered by preference.
+ */
+CK_MECHANISM_TYPE wrapMechanismList[] = {
+ CKM_DES3_ECB,
+ CKM_CAST5_ECB,
+ CKM_AES_ECB,
+ CKM_CAST5_ECB,
+ CKM_DES_ECB,
+ CKM_KEY_WRAP_LYNKS,
+ CKM_IDEA_ECB,
+ CKM_CAST3_ECB,
+ CKM_CAST_ECB,
+ CKM_RC5_ECB,
+ CKM_RC2_ECB,
+ CKM_CDMF_ECB,
+ CKM_SKIPJACK_WRAP,
+};
+
+int wrapMechanismCount = sizeof(wrapMechanismList)/sizeof(wrapMechanismList[0]);
+
+/*
+ * This structure keeps track of status that spans all the Slots.
+ * NOTE: This is a global data structure. It semantics expect thread crosstalk
+ * be very careful when you see it used.
+ * It's major purpose in life is to allow the user to log in one PER
+ * Tranaction, even if a transaction spans threads. The problem is the user
+ * may have to enter a password one just to be able to look at the
+ * personalities/certificates (s)he can use. Then if Auth every is one, they
+ * may have to enter the password again to use the card. See PK11_StartTransac
+ * and PK11_EndTransaction.
+ */
+static struct PK11GlobalStruct {
+ int transaction;
+ PRBool inTransaction;
+ char *(PR_CALLBACK *getPass)(PK11SlotInfo *,PRBool,void *);
+ PRBool (PR_CALLBACK *verifyPass)(PK11SlotInfo *,void *);
+ PRBool (PR_CALLBACK *isLoggedIn)(PK11SlotInfo *,void *);
+} PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL };
+
+/************************************************************
+ * Generic Slot List and Slot List element manipulations
+ ************************************************************/
+
+/*
+ * allocate a new list
+ */
+PK11SlotList *
+PK11_NewSlotList(void)
+{
+ PK11SlotList *list;
+
+ list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList));
+ if (list == NULL) return NULL;
+ list->head = NULL;
+ list->tail = NULL;
+#ifdef PKCS11_USE_THREADS
+ list->lock = PZ_NewLock(nssILockList);
+ if (list->lock == NULL) {
+ PORT_Free(list);
+ return NULL;
+ }
+#else
+ list->lock = NULL;
+#endif
+
+ return list;
+}
+
+/*
+ * free a list element when all the references go away.
+ */
+static void
+pk11_FreeListElement(PK11SlotList *list, PK11SlotListElement *le)
+{
+ PRBool freeit = PR_FALSE;
+
+ PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+ if (le->refCount-- == 1) {
+ freeit = PR_TRUE;
+ }
+ PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+ if (freeit) {
+ PK11_FreeSlot(le->slot);
+ PORT_Free(le);
+ }
+}
+
+/*
+ * if we are freeing the list, we must be the only ones with a pointer
+ * to the list.
+ */
+void
+PK11_FreeSlotList(PK11SlotList *list)
+{
+ PK11SlotListElement *le, *next ;
+ if (list == NULL) return;
+
+ for (le = list->head ; le; le = next) {
+ next = le->next;
+ pk11_FreeListElement(list,le);
+ }
+ PK11_USE_THREADS(PZ_DestroyLock((PZLock *)(list->lock));)
+ PORT_Free(list);
+}
+
+/*
+ * add a slot to a list
+ */
+SECStatus
+PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot)
+{
+ PK11SlotListElement *le;
+
+ le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement));
+ if (le == NULL) return SECFailure;
+
+ le->slot = PK11_ReferenceSlot(slot);
+ le->prev = NULL;
+ le->refCount = 1;
+ PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+ if (list->head) list->head->prev = le; else list->tail = le;
+ le->next = list->head;
+ list->head = le;
+ PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+
+ return SECSuccess;
+}
+
+/*
+ * remove a slot entry from the list
+ */
+SECStatus
+PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le)
+{
+ PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+ if (le->prev) le->prev->next = le->next; else list->head = le->next;
+ if (le->next) le->next->prev = le->prev; else list->tail = le->prev;
+ le->next = le->prev = NULL;
+ PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+ pk11_FreeListElement(list,le);
+ return SECSuccess;
+}
+
+/*
+ * Move a list to the end of the target list. NOTE: There is no locking
+ * here... This assumes BOTH lists are private copy lists.
+ */
+SECStatus
+PK11_MoveListToList(PK11SlotList *target,PK11SlotList *src)
+{
+ if (src->head == NULL) return SECSuccess;
+
+ if (target->tail == NULL) {
+ target->head = src->head;
+ } else {
+ target->tail->next = src->head;
+ }
+ src->head->prev = target->tail;
+ target->tail = src->tail;
+ src->head = src->tail = NULL;
+ return SECSuccess;
+}
+
+/*
+ * get an element from the list with a reference. You must own the list.
+ */
+PK11SlotListElement *
+PK11_GetFirstRef(PK11SlotList *list)
+{
+ PK11SlotListElement *le;
+
+ le = list->head;
+ if (le != NULL) (le)->refCount++;
+ return le;
+}
+
+/*
+ * get the next element from the list with a reference. You must own the list.
+ */
+PK11SlotListElement *
+PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
+{
+ PK11SlotListElement *new_le;
+ new_le = le->next;
+ if (new_le) new_le->refCount++;
+ pk11_FreeListElement(list,le);
+ return new_le;
+}
+
+/*
+ * get an element safely from the list. This just makes sure that if
+ * this element is not deleted while we deal with it.
+ */
+PK11SlotListElement *
+PK11_GetFirstSafe(PK11SlotList *list)
+{
+ PK11SlotListElement *le;
+
+ PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+ le = list->head;
+ if (le != NULL) (le)->refCount++;
+ PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+ return le;
+}
+
+/*
+ * NOTE: if this element gets deleted, we can no longer safely traverse using
+ * it's pointers. We can either terminate the loop, or restart from the
+ * beginning. This is controlled by the restart option.
+ */
+PK11SlotListElement *
+PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
+{
+ PK11SlotListElement *new_le;
+ PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));)
+ new_le = le->next;
+ if (le->next == NULL) {
+ /* if the prev and next fields are NULL then either this element
+ * has been removed and we need to walk the list again (if restart
+ * is true) or this was the only element on the list */
+ if ((le->prev == NULL) && restart && (list->head != le)) {
+ new_le = list->head;
+ }
+ }
+ if (new_le) new_le->refCount++;
+ PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));)
+ pk11_FreeListElement(list,le);
+ return new_le;
+}
+
+
+/*
+ * Find the element that holds this slot
+ */
+PK11SlotListElement *
+PK11_FindSlotElement(PK11SlotList *list,PK11SlotInfo *slot)
+{
+ PK11SlotListElement *le;
+
+ for (le = PK11_GetFirstSafe(list); le;
+ le = PK11_GetNextSafe(list,le,PR_TRUE)) {
+ if (le->slot == slot) return le;
+ }
+ return NULL;
+}
+
+/************************************************************
+ * Generic Slot Utilities
+ ************************************************************/
+/*
+ * Create a new slot structure
+ */
+PK11SlotInfo *
+PK11_NewSlotInfo(void)
+{
+ PK11SlotInfo *slot;
+
+ slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo));
+ if (slot == NULL) return slot;
+
+#ifdef PKCS11_USE_THREADS
+ slot->refLock = PZ_NewLock(nssILockSlot);
+ if (slot->refLock == NULL) {
+ PORT_Free(slot);
+ return slot;
+ }
+ slot->sessionLock = PZ_NewLock(nssILockSession);
+ if (slot->sessionLock == NULL) {
+ PZ_DestroyLock(slot->refLock);
+ PORT_Free(slot);
+ return slot;
+ }
+ slot->freeListLock = PZ_NewLock(nssILockFreelist);
+ if (slot->freeListLock == NULL) {
+ PZ_DestroyLock(slot->sessionLock);
+ PZ_DestroyLock(slot->refLock);
+ PORT_Free(slot);
+ return slot;
+ }
+#else
+ slot->sessionLock = NULL;
+ slot->refLock = NULL;
+ slot->freeListLock = NULL;
+#endif
+ slot->freeSymKeysHead = NULL;
+ slot->keyCount = 0;
+ slot->maxKeyCount = 0;
+ slot->functionList = NULL;
+ slot->needTest = PR_TRUE;
+ slot->isPerm = PR_FALSE;
+ slot->isHW = PR_FALSE;
+ slot->isInternal = PR_FALSE;
+ slot->isThreadSafe = PR_FALSE;
+ slot->disabled = PR_FALSE;
+ slot->series = 1;
+ slot->wrapKey = 0;
+ slot->wrapMechanism = CKM_INVALID_MECHANISM;
+ slot->refKeys[0] = CK_INVALID_HANDLE;
+ slot->reason = PK11_DIS_NONE;
+ slot->readOnly = PR_TRUE;
+ slot->needLogin = PR_FALSE;
+ slot->hasRandom = PR_FALSE;
+ slot->defRWSession = PR_FALSE;
+ slot->protectedAuthPath = PR_FALSE;
+ slot->flags = 0;
+ slot->session = CK_INVALID_SESSION;
+ slot->slotID = 0;
+ slot->defaultFlags = 0;
+ slot->refCount = 1;
+ slot->askpw = 0;
+ slot->timeout = 0;
+ slot->mechanismList = NULL;
+ slot->mechanismCount = 0;
+ slot->cert_array = NULL;
+ slot->cert_count = 0;
+ slot->slot_name[0] = 0;
+ slot->token_name[0] = 0;
+ PORT_Memset(slot->serial,' ',sizeof(slot->serial));
+ slot->module = NULL;
+ slot->authTransact = 0;
+ slot->authTime = LL_ZERO;
+ slot->minPassword = 0;
+ slot->maxPassword = 0;
+ slot->hasRootCerts = PR_FALSE;
+ slot->nssToken = NULL;
+ return slot;
+}
+
+/* create a new reference to a slot so it doesn't go away */
+PK11SlotInfo *
+PK11_ReferenceSlot(PK11SlotInfo *slot)
+{
+ PK11_USE_THREADS(PZ_Lock(slot->refLock);)
+ slot->refCount++;
+ PK11_USE_THREADS(PZ_Unlock(slot->refLock);)
+ return slot;
+}
+
+/* Destroy all info on a slot we have built up */
+void
+PK11_DestroySlot(PK11SlotInfo *slot)
+{
+ /* first free up all the sessions on this slot */
+ if (slot->functionList) {
+ PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
+ }
+
+ /* free up the cached keys and sessions */
+ PK11_CleanKeyList(slot);
+
+ if (slot->mechanismList) {
+ PORT_Free(slot->mechanismList);
+ }
+
+ /* finally Tell our parent module that we've gone away so it can unload */
+ if (slot->module) {
+ SECMOD_SlotDestroyModule(slot->module,PR_TRUE);
+ }
+#ifdef PKCS11_USE_THREADS
+ if (slot->refLock) {
+ PZ_DestroyLock(slot->refLock);
+ slot->refLock = NULL;
+ }
+ if (slot->sessionLock) {
+ PZ_DestroyLock(slot->sessionLock);
+ slot->sessionLock = NULL;
+ }
+ if (slot->freeListLock) {
+ PZ_DestroyLock(slot->freeListLock);
+ slot->freeListLock = NULL;
+ }
+#endif
+
+ /* ok, well not quit finally... now we free the memory */
+ PORT_Free(slot);
+}
+
+
+/* We're all done with the slot, free it */
+void
+PK11_FreeSlot(PK11SlotInfo *slot)
+{
+ PRBool freeit = PR_FALSE;
+
+ PK11_USE_THREADS(PZ_Lock(slot->refLock);)
+ if (slot->refCount-- == 1) freeit = PR_TRUE;
+ PK11_USE_THREADS(PZ_Unlock(slot->refLock);)
+
+ if (freeit) PK11_DestroySlot(slot);
+}
+
+void
+PK11_EnterSlotMonitor(PK11SlotInfo *slot) {
+ PZ_Lock(slot->sessionLock);
+}
+
+void
+PK11_ExitSlotMonitor(PK11SlotInfo *slot) {
+ PZ_Unlock(slot->sessionLock);
+}
+
+/***********************************************************
+ * Functions to find specific slots.
+ ***********************************************************/
+PRBool
+SECMOD_HasRootCerts(void)
+{
+ SECMODModuleList *mlp;
+ SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+ SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+ int i;
+ PRBool found = PR_FALSE;
+
+ /* work through all the slots */
+ SECMOD_GetReadLock(moduleLock);
+ for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+ for (i=0; i < mlp->module->slotCount; i++) {
+ PK11SlotInfo *tmpSlot = mlp->module->slots[i];
+ if (PK11_IsPresent(tmpSlot)) {
+ if (tmpSlot->hasRootCerts) {
+ found = PR_TRUE;
+ break;
+ }
+ }
+ }
+ if (found) break;
+ }
+ SECMOD_ReleaseReadLock(moduleLock);
+
+ return found;
+}
+
+/***********************************************************
+ * Functions to find specific slots.
+ ***********************************************************/
+PK11SlotInfo *
+PK11_FindSlotByName(char *name)
+{
+ SECMODModuleList *mlp;
+ SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+ SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+ int i;
+ PK11SlotInfo *slot = NULL;
+
+ if ((name == NULL) || (*name == 0)) {
+ return PK11_GetInternalKeySlot();
+ }
+
+ /* work through all the slots */
+ SECMOD_GetReadLock(moduleLock);
+ for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+ for (i=0; i < mlp->module->slotCount; i++) {
+ PK11SlotInfo *tmpSlot = mlp->module->slots[i];
+ if (PK11_IsPresent(tmpSlot)) {
+ if (PORT_Strcmp(tmpSlot->token_name,name) == 0) {
+ slot = PK11_ReferenceSlot(tmpSlot);
+ break;
+ }
+ }
+ }
+ if (slot != NULL) break;
+ }
+ SECMOD_ReleaseReadLock(moduleLock);
+
+ if (slot == NULL) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ }
+
+ return slot;
+}
+
+
+PK11SlotInfo *
+PK11_FindSlotBySerial(char *serial)
+{
+ SECMODModuleList *mlp;
+ SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+ SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+ int i;
+ PK11SlotInfo *slot = NULL;
+
+ /* work through all the slots */
+ SECMOD_GetReadLock(moduleLock);
+ for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+ for (i=0; i < mlp->module->slotCount; i++) {
+ PK11SlotInfo *tmpSlot = mlp->module->slots[i];
+ if (PK11_IsPresent(tmpSlot)) {
+ if (PORT_Memcmp(tmpSlot->serial,serial,
+ sizeof(tmpSlot->serial)) == 0) {
+ slot = PK11_ReferenceSlot(tmpSlot);
+ break;
+ }
+ }
+ }
+ if (slot != NULL) break;
+ }
+ SECMOD_ReleaseReadLock(moduleLock);
+
+ if (slot == NULL) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ }
+
+ return slot;
+}
+
+
+
+
+/***********************************************************
+ * Password Utilities
+ ***********************************************************/
+/*
+ * Check the user's password. Log into the card if it's correct.
+ * succeed if the user is already logged in.
+ */
+SECStatus
+pk11_CheckPassword(PK11SlotInfo *slot,char *pw)
+{
+ int len = PORT_Strlen(pw);
+ CK_RV crv;
+ SECStatus rv;
+ int64 currtime = PR_Now();
+
+ if (slot->protectedAuthPath) {
+ len = 0;
+ pw = NULL;
+ }
+
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+ (unsigned char *)pw,len);
+ slot->lastLoginCheck = 0;
+ PK11_ExitSlotMonitor(slot);
+ switch (crv) {
+ /* if we're already logged in, we're good to go */
+ case CKR_OK:
+ slot->authTransact = PK11_Global.transaction;
+ case CKR_USER_ALREADY_LOGGED_IN:
+ slot->authTime = currtime;
+ rv = SECSuccess;
+ break;
+ case CKR_PIN_INCORRECT:
+ PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+ rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+ break;
+ default:
+ PORT_SetError(PK11_MapError(crv));
+ rv = SECFailure; /* some failure we can't fix by retrying */
+ }
+ return rv;
+}
+
+/*
+ * Check the user's password. Logout before hand to make sure that
+ * we are really checking the password.
+ */
+SECStatus
+PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw)
+{
+ int len = PORT_Strlen(pw);
+ CK_RV crv;
+ SECStatus rv;
+ int64 currtime = PR_Now();
+
+ if (slot->protectedAuthPath) {
+ len = 0;
+ pw = NULL;
+ }
+
+ /* force a logout */
+ PK11_EnterSlotMonitor(slot);
+ PK11_GETTAB(slot)->C_Logout(slot->session);
+
+ crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+ (unsigned char *)pw,len);
+ slot->lastLoginCheck = 0;
+ PK11_ExitSlotMonitor(slot);
+ switch (crv) {
+ /* if we're already logged in, we're good to go */
+ case CKR_OK:
+ slot->authTransact = PK11_Global.transaction;
+ slot->authTime = currtime;
+ rv = SECSuccess;
+ break;
+ case CKR_PIN_INCORRECT:
+ PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+ rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+ break;
+ default:
+ PORT_SetError(PK11_MapError(crv));
+ rv = SECFailure; /* some failure we can't fix by retrying */
+ }
+ return rv;
+}
+
+SECStatus
+PK11_Logout(PK11SlotInfo *slot)
+{
+ CK_RV crv;
+
+ /* force a logout */
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_Logout(slot->session);
+ slot->lastLoginCheck = 0;
+ PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+/*
+ * transaction stuff is for when we test for the need to do every
+ * time auth to see if we already did it for this slot/transaction
+ */
+void PK11_StartAuthTransaction(void)
+{
+PK11_Global.transaction++;
+PK11_Global.inTransaction = PR_TRUE;
+}
+
+void PK11_EndAuthTransaction(void)
+{
+PK11_Global.transaction++;
+PK11_Global.inTransaction = PR_FALSE;
+}
+
+/*
+ * before we do a private key op, we check to see if we
+ * need to reauthenticate.
+ */
+void
+PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx)
+{
+ int askpw = slot->askpw;
+ PRBool NeedAuth = PR_FALSE;
+
+ if (!slot->needLogin) return;
+
+ if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
+ PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
+
+ if (def_slot) {
+ askpw = def_slot->askpw;
+ PK11_FreeSlot(def_slot);
+ }
+ }
+
+ /* timeouts are handled by isLoggedIn */
+ if (!PK11_IsLoggedIn(slot,wincx)) {
+ NeedAuth = PR_TRUE;
+ } else if (askpw == -1) {
+ if (!PK11_Global.inTransaction ||
+ (PK11_Global.transaction != slot->authTransact)) {
+ PK11_EnterSlotMonitor(slot);
+ PK11_GETTAB(slot)->C_Logout(slot->session);
+ slot->lastLoginCheck = 0;
+ PK11_ExitSlotMonitor(slot);
+ NeedAuth = PR_TRUE;
+ }
+ }
+ if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx);
+}
+
+void
+PK11_SlotDBUpdate(PK11SlotInfo *slot)
+{
+ SECMOD_UpdateModule(slot->module);
+}
+
+/*
+ * set new askpw and timeout values
+ */
+void
+PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout)
+{
+ slot->askpw = askpw;
+ slot->timeout = timeout;
+ slot->defaultFlags |= PK11_OWN_PW_DEFAULTS;
+ PK11_SlotDBUpdate(slot);
+}
+
+/*
+ * Get the askpw and timeout values for this slot
+ */
+void
+PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout)
+{
+ *askpw = slot->askpw;
+ *timeout = slot->timeout;
+
+ if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
+ PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
+
+ if (def_slot) {
+ *askpw = def_slot->askpw;
+ *timeout = def_slot->timeout;
+ PK11_FreeSlot(def_slot);
+ }
+ }
+}
+
+/*
+ * make sure a slot is authenticated...
+ */
+SECStatus
+PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
+ if (slot->needLogin && !PK11_IsLoggedIn(slot,wincx)) {
+ return PK11_DoPassword(slot,loadCerts,wincx);
+ }
+ return SECSuccess;
+}
+
+/*
+ * notification stub. If we ever get interested in any events that
+ * the pkcs11 functions may pass back to use, we can catch them here...
+ * currently pdata is a slotinfo structure.
+ */
+CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
+ CK_VOID_PTR pdata)
+{
+ return CKR_OK;
+}
+
+
+/*
+ * grab a new RW session
+ * !!! has a side effect of grabbing the Monitor if either the slot's default
+ * session is RW or the slot is not thread safe. Monitor is release in function
+ * below
+ */
+CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot)
+{
+ CK_SESSION_HANDLE rwsession;
+ CK_RV crv;
+
+ if (!slot->isThreadSafe || slot->defRWSession) PK11_EnterSlotMonitor(slot);
+ if (slot->defRWSession) return slot->session;
+
+ crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+ CKF_RW_SESSION|CKF_SERIAL_SESSION,
+ slot, pk11_notify,&rwsession);
+ if (crv == CKR_SESSION_COUNT) {
+ PK11_GETTAB(slot)->C_CloseSession(slot->session);
+ slot->session = CK_INVALID_SESSION;
+ crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+ CKF_RW_SESSION|CKF_SERIAL_SESSION,
+ slot,pk11_notify,&rwsession);
+ }
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ if (slot->session == CK_INVALID_SESSION) {
+ PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION,
+ slot,pk11_notify,&slot->session);
+ }
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ return CK_INVALID_SESSION;
+ }
+
+ return rwsession;
+}
+
+PRBool
+PK11_RWSessionHasLock(PK11SlotInfo *slot,CK_SESSION_HANDLE session_handle) {
+ return (PRBool)(!slot->isThreadSafe || slot->defRWSession);
+}
+
+/*
+ * close the rwsession and restore our readonly session
+ * !!! has a side effect of releasing the Monitor if either the slot's default
+ * session is RW or the slot is not thread safe.
+ */
+void
+PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession)
+{
+ if (slot->defRWSession) {
+ PK11_ExitSlotMonitor(slot);
+ return;
+ }
+ PK11_GETTAB(slot)->C_CloseSession(rwsession);
+ if (slot->session == CK_INVALID_SESSION) {
+ PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION,
+ slot,pk11_notify,&slot->session);
+ }
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+}
+
+/*
+ * NOTE: this assumes that we are logged out of the card before hand
+ */
+SECStatus
+PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw)
+{
+ CK_SESSION_HANDLE rwsession;
+ CK_RV crv;
+ SECStatus rv = SECFailure;
+ int len = PORT_Strlen(ssopw);
+
+ /* get a rwsession */
+ rwsession = PK11_GetRWSession(slot);
+ if (rwsession == CK_INVALID_SESSION) return rv;
+
+ if (slot->protectedAuthPath) {
+ len = 0;
+ ssopw = NULL;
+ }
+
+ /* check the password */
+ crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
+ (unsigned char *)ssopw,len);
+ slot->lastLoginCheck = 0;
+ switch (crv) {
+ /* if we're already logged in, we're good to go */
+ case CKR_OK:
+ rv = SECSuccess;
+ break;
+ case CKR_PIN_INCORRECT:
+ PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+ rv = SECWouldBlock; /* everything else is ok, only the pin is bad */
+ break;
+ default:
+ PORT_SetError(PK11_MapError(crv));
+ rv = SECFailure; /* some failure we can't fix by retrying */
+ }
+ PK11_GETTAB(slot)->C_Logout(rwsession);
+ slot->lastLoginCheck = 0;
+
+ /* release rwsession */
+ PK11_RestoreROSession(slot,rwsession);
+ return rv;
+}
+
+/*
+ * make sure the password conforms to your token's requirements.
+ */
+SECStatus
+PK11_VerifyPW(PK11SlotInfo *slot,char *pw)
+{
+ int len = PORT_Strlen(pw);
+
+ if ((slot->minPassword > len) || (slot->maxPassword < len)) {
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+/*
+ * initialize a user PIN Value
+ */
+SECStatus
+PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *userpw)
+{
+ CK_SESSION_HANDLE rwsession = CK_INVALID_SESSION;
+ CK_RV crv;
+ SECStatus rv = SECFailure;
+ int len;
+ int ssolen;
+
+ if (userpw == NULL) userpw = "";
+ if (ssopw == NULL) ssopw = "";
+
+ len = PORT_Strlen(userpw);
+ ssolen = PORT_Strlen(ssopw);
+
+ /* get a rwsession */
+ rwsession = PK11_GetRWSession(slot);
+ if (rwsession == CK_INVALID_SESSION) goto done;
+
+ if (slot->protectedAuthPath) {
+ len = 0;
+ ssolen = 0;
+ ssopw = NULL;
+ userpw = NULL;
+ }
+
+ /* check the password */
+ crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO,
+ (unsigned char *)ssopw,ssolen);
+ slot->lastLoginCheck = 0;
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ goto done;
+ }
+
+ crv = PK11_GETTAB(slot)->C_InitPIN(rwsession,(unsigned char *)userpw,len);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ } else {
+ rv = SECSuccess;
+ }
+
+done:
+ PK11_GETTAB(slot)->C_Logout(rwsession);
+ slot->lastLoginCheck = 0;
+ PK11_RestoreROSession(slot,rwsession);
+ if (rv == SECSuccess) {
+ /* update our view of the world */
+ PK11_InitToken(slot,PR_TRUE);
+ PK11_EnterSlotMonitor(slot);
+ PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER,
+ (unsigned char *)userpw,len);
+ slot->lastLoginCheck = 0;
+ PK11_ExitSlotMonitor(slot);
+ }
+ return rv;
+}
+
+/*
+ * Change an existing user password
+ */
+SECStatus
+PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw)
+{
+ CK_RV crv;
+ SECStatus rv = SECFailure;
+ int newLen;
+ int oldLen;
+ CK_SESSION_HANDLE rwsession;
+
+ if (newpw == NULL) newpw = "";
+ if (oldpw == NULL) oldpw = "";
+ newLen = PORT_Strlen(newpw);
+ oldLen = PORT_Strlen(oldpw);
+
+ /* get a rwsession */
+ rwsession = PK11_GetRWSession(slot);
+
+ crv = PK11_GETTAB(slot)->C_SetPIN(rwsession,
+ (unsigned char *)oldpw,oldLen,(unsigned char *)newpw,newLen);
+ if (crv == CKR_OK) {
+ rv = SECSuccess;
+ } else {
+ PORT_SetError(PK11_MapError(crv));
+ }
+
+ PK11_RestoreROSession(slot,rwsession);
+
+ /* update our view of the world */
+ PK11_InitToken(slot,PR_TRUE);
+ return rv;
+}
+
+static char *
+pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void * wincx)
+{
+ if (PK11_Global.getPass == NULL) return NULL;
+ return (*PK11_Global.getPass)(slot, retry, wincx);
+}
+
+void
+PK11_SetPasswordFunc(PK11PasswordFunc func)
+{
+ PK11_Global.getPass = func;
+}
+
+void
+PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func)
+{
+ PK11_Global.verifyPass = func;
+}
+
+void
+PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func)
+{
+ PK11_Global.isLoggedIn = func;
+}
+
+
+/*
+ * authenticate to a slot. This loops until we can't recover, the user
+ * gives up, or we succeed. If we're already logged in and this function
+ * is called we will still prompt for a password, but we will probably
+ * succeed no matter what the password was (depending on the implementation
+ * of the PKCS 11 module.
+ */
+SECStatus
+PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx)
+{
+ SECStatus rv = SECFailure;
+ char * password;
+ PRBool attempt = PR_FALSE;
+
+ if (PK11_NeedUserInit(slot)) {
+ PORT_SetError(SEC_ERROR_IO);
+ return SECFailure;
+ }
+
+
+ /*
+ * Central server type applications which control access to multiple
+ * slave applications to single crypto devices need to virtuallize the
+ * login state. This is done by a callback out of PK11_IsLoggedIn and
+ * here. If we are actually logged in, then we got here because the
+ * higher level code told us that the particular client application may
+ * still need to be logged in. If that is the case, we simply tell the
+ * server code that it should now verify the clients password and tell us
+ * the results.
+ */
+ if (PK11_IsLoggedIn(slot,NULL) &&
+ (PK11_Global.verifyPass != NULL)) {
+ if (!PK11_Global.verifyPass(slot,wincx)) {
+ PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+ return SECFailure;
+ }
+ return SECSuccess;
+ }
+
+ /* get the password. This can drop out of the while loop
+ * for the following reasons:
+ * (1) the user refused to enter a password.
+ * (return error to caller)
+ * (2) the token user password is disabled [usually due to
+ * too many failed authentication attempts].
+ * (return error to caller)
+ * (3) the password was successful.
+ */
+ while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) {
+ attempt = PR_TRUE;
+ rv = pk11_CheckPassword(slot,password);
+ PORT_Memset(password, 0, PORT_Strlen(password));
+ PORT_Free(password);
+ if (rv != SECWouldBlock) break;
+ }
+ if (rv == SECSuccess) {
+ rv = pk11_CheckVerifyTest(slot);
+ if (!PK11_IsFriendly(slot)) {
+ nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain,
+ slot->nssToken);
+ }
+ } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+ return rv;
+}
+
+void PK11_LogoutAll(void)
+{
+ SECMODListLock *lock = SECMOD_GetDefaultModuleListLock();
+ SECMODModuleList *modList = SECMOD_GetDefaultModuleList();
+ SECMODModuleList *mlp = NULL;
+ int i;
+
+ SECMOD_GetReadLock(lock);
+ /* find the number of entries */
+ for (mlp = modList; mlp != NULL; mlp = mlp->next) {
+ for (i=0; i < mlp->module->slotCount; i++) {
+ PK11_Logout(mlp->module->slots[i]);
+ }
+ }
+
+ SECMOD_ReleaseReadLock(lock);
+}
+
+int
+PK11_GetMinimumPwdLength(PK11SlotInfo *slot)
+{
+ return ((int)slot->minPassword);
+}
+
+/************************************************************
+ * Manage the built-In Slot Lists
+ ************************************************************/
+
+/* Init the static built int slot list (should actually integrate
+ * with PK11_NewSlotList */
+static void
+pk11_initSlotList(PK11SlotList *list)
+{
+#ifdef PKCS11_USE_THREADS
+ list->lock = PZ_NewLock(nssILockList);
+#else
+ list->lock = NULL;
+#endif
+ list->head = NULL;
+}
+
+static void
+pk11_freeSlotList(PK11SlotList *list)
+{
+ PK11SlotListElement *le, *next ;
+ if (list == NULL) return;
+
+ for (le = list->head ; le; le = next) {
+ next = le->next;
+ pk11_FreeListElement(list,le);
+ }
+#ifdef PK11_USE_THREADS
+ if (list->lock) {
+ PZ_DestroyLock((PZLock *)(list->lock));
+ }
+#endif
+ list->lock = NULL;
+ list->head = NULL;
+}
+
+/* initialize the system slotlists */
+SECStatus
+PK11_InitSlotLists(void)
+{
+ pk11_initSlotList(&pk11_aesSlotList);
+ pk11_initSlotList(&pk11_desSlotList);
+ pk11_initSlotList(&pk11_rc4SlotList);
+ pk11_initSlotList(&pk11_rc2SlotList);
+ pk11_initSlotList(&pk11_rc5SlotList);
+ pk11_initSlotList(&pk11_md5SlotList);
+ pk11_initSlotList(&pk11_md2SlotList);
+ pk11_initSlotList(&pk11_sha1SlotList);
+ pk11_initSlotList(&pk11_rsaSlotList);
+ pk11_initSlotList(&pk11_dsaSlotList);
+ pk11_initSlotList(&pk11_dhSlotList);
+ pk11_initSlotList(&pk11_ideaSlotList);
+ pk11_initSlotList(&pk11_sslSlotList);
+ pk11_initSlotList(&pk11_tlsSlotList);
+ pk11_initSlotList(&pk11_randomSlotList);
+ return SECSuccess;
+}
+
+void
+PK11_DestroySlotLists(void)
+{
+ pk11_freeSlotList(&pk11_aesSlotList);
+ pk11_freeSlotList(&pk11_desSlotList);
+ pk11_freeSlotList(&pk11_rc4SlotList);
+ pk11_freeSlotList(&pk11_rc2SlotList);
+ pk11_freeSlotList(&pk11_rc5SlotList);
+ pk11_freeSlotList(&pk11_md5SlotList);
+ pk11_freeSlotList(&pk11_md2SlotList);
+ pk11_freeSlotList(&pk11_sha1SlotList);
+ pk11_freeSlotList(&pk11_rsaSlotList);
+ pk11_freeSlotList(&pk11_dsaSlotList);
+ pk11_freeSlotList(&pk11_dhSlotList);
+ pk11_freeSlotList(&pk11_ideaSlotList);
+ pk11_freeSlotList(&pk11_sslSlotList);
+ pk11_freeSlotList(&pk11_tlsSlotList);
+ pk11_freeSlotList(&pk11_randomSlotList);
+ return;
+}
+
+/* return a system slot list based on mechanism */
+PK11SlotList *
+PK11_GetSlotList(CK_MECHANISM_TYPE type)
+{
+/* XXX a workaround for Bugzilla bug #55267 */
+#if defined(HPUX) && defined(__LP64__)
+ if (CKM_INVALID_MECHANISM == type)
+ return NULL;
+#endif
+ switch (type) {
+ case CKM_AES_CBC:
+ case CKM_AES_ECB:
+ return &pk11_aesSlotList;
+ case CKM_DES_CBC:
+ case CKM_DES_ECB:
+ case CKM_DES3_ECB:
+ case CKM_DES3_CBC:
+ return &pk11_desSlotList;
+ case CKM_RC4:
+ return &pk11_rc4SlotList;
+ case CKM_RC5_CBC:
+ return &pk11_rc5SlotList;
+ case CKM_SHA_1:
+ return &pk11_sha1SlotList;
+ case CKM_MD5:
+ return &pk11_md5SlotList;
+ case CKM_MD2:
+ return &pk11_md2SlotList;
+ case CKM_RC2_ECB:
+ case CKM_RC2_CBC:
+ return &pk11_rc2SlotList;
+ case CKM_RSA_PKCS:
+ case CKM_RSA_PKCS_KEY_PAIR_GEN:
+ case CKM_RSA_X_509:
+ return &pk11_rsaSlotList;
+ case CKM_DSA:
+ return &pk11_dsaSlotList;
+ case CKM_DH_PKCS_KEY_PAIR_GEN:
+ case CKM_DH_PKCS_DERIVE:
+ return &pk11_dhSlotList;
+ case CKM_SSL3_PRE_MASTER_KEY_GEN:
+ case CKM_SSL3_MASTER_KEY_DERIVE:
+ case CKM_SSL3_SHA1_MAC:
+ case CKM_SSL3_MD5_MAC:
+ return &pk11_sslSlotList;
+ case CKM_TLS_MASTER_KEY_DERIVE:
+ case CKM_TLS_KEY_AND_MAC_DERIVE:
+ return &pk11_tlsSlotList;
+ case CKM_IDEA_CBC:
+ case CKM_IDEA_ECB:
+ return &pk11_ideaSlotList;
+ case CKM_FAKE_RANDOM:
+ return &pk11_randomSlotList;
+ }
+ return NULL;
+}
+
+/*
+ * load the static SlotInfo structures used to select a PKCS11 slot.
+ * preSlotInfo has a list of all the default flags for the slots on this
+ * module.
+ */
+void
+PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count)
+{
+ int i;
+
+ for (i=0; i < count; i++) {
+ if (psi[i].slotID == slot->slotID)
+ break;
+ }
+
+ if (i == count) return;
+
+ slot->defaultFlags = psi[i].defaultFlags;
+ slot->askpw = psi[i].askpw;
+ slot->timeout = psi[i].timeout;
+ slot->hasRootCerts = psi[i].hasRootCerts;
+
+ /* if the slot is already disabled, don't load them into the
+ * default slot lists. We get here so we can save the default
+ * list value. */
+ if (slot->disabled) return;
+
+ /* if the user has disabled us, don't load us in */
+ if (slot->defaultFlags & PK11_DISABLE_FLAG) {
+ slot->disabled = PR_TRUE;
+ slot->reason = PK11_DIS_USER_SELECTED;
+ /* free up sessions and things?? */
+ return;
+ }
+
+ for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]);
+ i++) {
+ if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
+ CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
+ PK11SlotList *slotList = PK11_GetSlotList(mechanism);
+
+ if (slotList) PK11_AddSlotToList(slotList,slot);
+ }
+ }
+
+ return;
+}
+
+
+/*
+ * update a slot to its new attribute according to the slot list
+ * returns: SECSuccess if nothing to do or add/delete is successful
+ */
+SECStatus
+PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry,
+ PRBool add)
+ /* add: PR_TRUE if want to turn on */
+{
+ SECStatus result = SECSuccess;
+ PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism);
+
+ if (add) { /* trying to turn on a mechanism */
+
+ /* turn on the default flag in the slot */
+ slot->defaultFlags |= entry->flag;
+
+ /* add this slot to the list */
+ if (slotList!=NULL)
+ result = PK11_AddSlotToList(slotList, slot);
+
+ } else { /* trying to turn off */
+
+ /* turn OFF the flag in the slot */
+ slot->defaultFlags &= ~entry->flag;
+
+ if (slotList) {
+ /* find the element in the list & delete it */
+ PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot);
+
+ /* remove the slot from the list */
+ if (le)
+ result = PK11_DeleteSlotFromList(slotList, le);
+ }
+ }
+ return result;
+}
+
+/*
+ * clear a slot off of all of it's default list
+ */
+void
+PK11_ClearSlotList(PK11SlotInfo *slot)
+{
+ int i;
+
+ if (slot->disabled) return;
+ if (slot->defaultFlags == 0) return;
+
+ for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]);
+ i++) {
+ if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
+ CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
+ PK11SlotList *slotList = PK11_GetSlotList(mechanism);
+ PK11SlotListElement *le = NULL;
+
+ if (slotList) le = PK11_FindSlotElement(slotList,slot);
+
+ if (le) {
+ PK11_DeleteSlotFromList(slotList,le);
+ pk11_FreeListElement(slotList,le);
+ }
+ }
+ }
+}
+
+
+/******************************************************************
+ * Slot initialization
+ ******************************************************************/
+/*
+ * turn a PKCS11 Static Label into a string
+ */
+char *
+PK11_MakeString(PRArenaPool *arena,char *space,
+ char *staticString,int stringLen)
+{
+ int i;
+ char *newString;
+ for(i=(stringLen-1); i >= 0; i--) {
+ if (staticString[i] != ' ') break;
+ }
+ /* move i to point to the last space */
+ i++;
+ if (arena) {
+ newString = (char*)PORT_ArenaAlloc(arena,i+1 /* space for NULL */);
+ } else if (space) {
+ newString = space;
+ } else {
+ newString = (char*)PORT_Alloc(i+1 /* space for NULL */);
+ }
+ if (newString == NULL) return NULL;
+
+ if (i) PORT_Memcpy(newString,staticString, i);
+ newString[i] = 0;
+
+ return newString;
+}
+
+/*
+ * verify that slot implements Mechanism mech properly by checking against
+ * our internal implementation
+ */
+PRBool
+PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern,
+ CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv)
+{
+ PK11Context *test = NULL, *reference = NULL;
+ PK11SymKey *symKey = NULL, *testKey = NULL;
+ SECItem *param = NULL;
+ unsigned char encTest[8];
+ unsigned char encRef[8];
+ int outLenTest,outLenRef;
+ int key_size = 0;
+ PRBool verify = PR_FALSE;
+ SECStatus rv;
+
+ if ((mech == CKM_RC2_CBC) || (mech == CKM_RC2_ECB) || (mech == CKM_RC4)) {
+ key_size = 16;
+ }
+
+ /* initialize the mechanism parameter */
+ param = PK11_ParamFromIV(mech,iv);
+ if (param == NULL) goto loser;
+
+ /* load the keys and contexts */
+ symKey = PK11_KeyGen(intern,mech,NULL, key_size, NULL);
+ if (symKey == NULL) goto loser;
+
+ reference = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, symKey, param);
+ if (reference == NULL) goto loser;
+
+ testKey = pk11_CopyToSlot(slot, mech, CKA_ENCRYPT, symKey);
+ if (testKey == NULL) goto loser;
+
+ test = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, testKey, param);
+ if (test == NULL) goto loser;
+ SECITEM_FreeItem(param,PR_TRUE); param = NULL;
+
+ /* encrypt the test data */
+ rv = PK11_CipherOp(test,encTest,&outLenTest,sizeof(encTest),
+ data->data,data->len);
+ if (rv != SECSuccess) goto loser;
+ rv = PK11_CipherOp(reference,encRef,&outLenRef,sizeof(encRef),
+ data->data,data->len);
+ if (rv != SECSuccess) goto loser;
+
+ PK11_DestroyContext(reference,PR_TRUE); reference = NULL;
+ PK11_DestroyContext(test,PR_TRUE); test = NULL;
+
+ if (outLenTest != outLenRef) goto loser;
+ if (PORT_Memcmp(encTest, encRef, outLenTest) != 0) goto loser;
+
+ verify = PR_TRUE;
+
+loser:
+ if (test) PK11_DestroyContext(test,PR_TRUE);
+ if (symKey) PK11_FreeSymKey(symKey);
+ if (testKey) PK11_FreeSymKey(testKey);
+ if (reference) PK11_DestroyContext(reference,PR_TRUE);
+ if (param) SECITEM_FreeItem(param,PR_TRUE);
+
+ return verify;
+}
+
+/*
+ * this code verifies that the advertised mechanisms are what they
+ * seem to be.
+ */
+#define MAX_MECH_LIST_SIZE 30 /* we only know of about 30 odd mechanisms */
+PRBool
+PK11_VerifySlotMechanisms(PK11SlotInfo *slot)
+{
+ CK_MECHANISM_TYPE mechListArray[MAX_MECH_LIST_SIZE];
+ CK_MECHANISM_TYPE *mechList = mechListArray;
+ static SECItem data;
+ static SECItem iv;
+ static unsigned char dataV[8];
+ static unsigned char ivV[8];
+ static PRBool generated = PR_FALSE;
+ CK_ULONG count;
+ int i;
+ CK_RV crv;
+
+ PRBool alloced = PR_FALSE;
+ PK11SlotInfo *intern = PK11_GetInternalSlot();
+
+ /* if we couldn't initialize an internal module,
+ * we can't check external ones */
+ if (intern == NULL) return PR_FALSE;
+
+ /* first get the count of mechanisms */
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PK11_FreeSlot(intern);
+ return PR_FALSE;
+ }
+
+
+ /* don't blow up just because the card supports more mechanisms than
+ * we know about, just alloc space for them */
+ if (count > MAX_MECH_LIST_SIZE) {
+ mechList = (CK_MECHANISM_TYPE *)
+ PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
+ alloced = PR_TRUE;
+ if (mechList == NULL) {
+ PK11_FreeSlot(intern);
+ return PR_FALSE;
+ }
+ }
+ /* get the list */
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ crv =PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, mechList, &count);
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ if (alloced) PORT_Free(mechList);
+ PK11_FreeSlot(intern);
+ return PR_FALSE;
+ }
+
+ if (!generated) {
+ data.data = dataV;
+ data.len = sizeof(dataV);
+ iv.data = ivV;
+ iv.len = sizeof(ivV);
+ /* ok, this is a cheat, we know our internal random number generater
+ * is thread safe */
+ PK11_GETTAB(intern)->C_GenerateRandom(intern->session,
+ data.data, data.len);
+ PK11_GETTAB(intern)->C_GenerateRandom(intern->session,
+ iv.data, iv.len);
+ }
+ for (i=0; i < (int) count; i++) {
+ switch (mechList[i]) {
+ case CKM_DES_CBC:
+ case CKM_DES_ECB:
+ case CKM_RC4:
+ case CKM_RC2_CBC:
+ case CKM_RC2_ECB:
+ if (!PK11_VerifyMechanism(slot,intern,mechList[i],&data,&iv)){
+ if (alloced) PORT_Free(mechList);
+ PK11_FreeSlot(intern);
+ return PR_FALSE;
+ }
+ }
+ }
+ if (alloced) PORT_Free(mechList);
+ PK11_FreeSlot(intern);
+ return PR_TRUE;
+}
+
+/*
+ * See if we need to run the verify test, do so if necessary. If we fail,
+ * disable the slot.
+ */
+SECStatus
+pk11_CheckVerifyTest(PK11SlotInfo *slot)
+{
+ PK11_EnterSlotMonitor(slot);
+ if (slot->needTest) {
+ slot->needTest = PR_FALSE;
+ PK11_ExitSlotMonitor(slot);
+ if (!PK11_VerifySlotMechanisms(slot)) {
+ (void)PK11_GETTAB(slot)->C_CloseSession(slot->session);
+ slot->session = CK_INVALID_SESSION;
+ PK11_ClearSlotList(slot);
+ slot->disabled = PR_TRUE;
+ slot->reason = PK11_DIS_TOKEN_VERIFY_FAILED;
+ slot->needTest = PR_TRUE;
+ PORT_SetError(SEC_ERROR_IO);
+ return SECFailure;
+ }
+ } else {
+ PK11_ExitSlotMonitor(slot);
+ }
+ return SECSuccess;
+}
+
+/*
+ * Reads in the slots mechanism list for later use
+ */
+SECStatus
+PK11_ReadMechanismList(PK11SlotInfo *slot)
+{
+ CK_ULONG count;
+ CK_RV crv;
+
+ if (slot->mechanismList) {
+ PORT_Free(slot->mechanismList);
+ slot->mechanismList = NULL;
+ }
+ slot->mechanismCount = 0;
+
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count);
+ if (crv != CKR_OK) {
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ PORT_SetError(PK11_MapError(crv));
+ return SECFailure;
+ }
+
+ slot->mechanismList = (CK_MECHANISM_TYPE *)
+ PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE));
+ if (slot->mechanismList == NULL) {
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ return SECFailure;
+ }
+ crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
+ slot->mechanismList, &count);
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_Free(slot->mechanismList);
+ slot->mechanismList = NULL;
+ PORT_SetError(PK11_MapError(crv));
+ return SECSuccess;
+ }
+ slot->mechanismCount = count;
+ return SECSuccess;
+}
+
+/*
+ * initialize a new token
+ * unlike initialize slot, this can be called multiple times in the lifetime
+ * of NSS. It reads the information associated with a card or token,
+ * that is not going to change unless the card or token changes.
+ */
+SECStatus
+PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
+{
+ CK_TOKEN_INFO tokenInfo;
+ CK_RV crv;
+ char *tmp;
+ SECStatus rv;
+
+ /* set the slot flags to the current token values */
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo);
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ return SECFailure;
+ }
+
+ /* set the slot flags to the current token values */
+ slot->series++; /* allow other objects to detect that the
+ * slot is different */
+ slot->flags = tokenInfo.flags;
+ slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ?
+ PR_TRUE : PR_FALSE);
+ slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ?
+ PR_TRUE : PR_FALSE);
+ slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
+ slot->protectedAuthPath =
+ ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+ ? PR_TRUE : PR_FALSE);
+ slot->lastLoginCheck = 0;
+ slot->lastState = 0;
+ /* on some platforms Active Card incorrectly sets the
+ * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
+ if (slot->isActiveCard) {
+ slot->protectedAuthPath = PR_FALSE;
+ }
+ tmp = PK11_MakeString(NULL,slot->token_name,
+ (char *)tokenInfo.label, sizeof(tokenInfo.label));
+ slot->minPassword = tokenInfo.ulMinPinLen;
+ slot->maxPassword = tokenInfo.ulMaxPinLen;
+ PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial));
+
+ nssToken_UpdateName(slot->nssToken);
+
+ slot->defRWSession = (PRBool)((!slot->readOnly) &&
+ (tokenInfo.ulMaxSessionCount == 1));
+ rv = PK11_ReadMechanismList(slot);
+ if (rv != SECSuccess) return rv;
+
+ slot->hasRSAInfo = PR_FALSE;
+ slot->RSAInfoFlags = 0;
+
+ /* initialize the maxKeyCount value */
+ if (tokenInfo.ulMaxSessionCount == 0) {
+ slot->maxKeyCount = 800; /* should be #define or a config param */
+ } else if (tokenInfo.ulMaxSessionCount < 20) {
+ /* don't have enough sessions to keep that many keys around */
+ slot->maxKeyCount = 0;
+ } else {
+ slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2;
+ }
+
+ /* Make sure our session handle is valid */
+ if (slot->session == CK_INVALID_SESSION) {
+ /* we know we don't have a valid session, go get one */
+ CK_SESSION_HANDLE session;
+
+ /* session should be Readonly, serial */
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+ (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
+ slot,pk11_notify,&session);
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ return SECFailure;
+ }
+ slot->session = session;
+ } else {
+ /* The session we have may be defunct (the token associated with it)
+ * has been removed */
+ CK_SESSION_INFO sessionInfo;
+
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
+ if (crv == CKR_DEVICE_ERROR) {
+ PK11_GETTAB(slot)->C_CloseSession(slot->session);
+ crv = CKR_SESSION_CLOSED;
+ }
+ if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) {
+ crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
+ (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
+ slot,pk11_notify,&slot->session);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ slot->session = CK_INVALID_SESSION;
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ return SECFailure;
+ }
+ }
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ }
+
+ nssToken_Refresh(slot->nssToken);
+
+ if (!(slot->needLogin)) {
+ return pk11_CheckVerifyTest(slot);
+ }
+
+
+ if (!(slot->isInternal) && (slot->hasRandom)) {
+ /* if this slot has a random number generater, use it to add entropy
+ * to the internal slot. */
+ PK11SlotInfo *int_slot = PK11_GetInternalSlot();
+
+ if (int_slot) {
+ unsigned char random_bytes[32];
+
+ /* if this slot can issue random numbers, get some entropy from
+ * that random number generater and give it to our internal token.
+ */
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GenerateRandom
+ (slot->session,random_bytes, sizeof(random_bytes));
+ PK11_ExitSlotMonitor(slot);
+ if (crv == CKR_OK) {
+ PK11_EnterSlotMonitor(int_slot);
+ PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session,
+ random_bytes, sizeof(random_bytes));
+ PK11_ExitSlotMonitor(int_slot);
+ }
+
+ /* Now return the favor and send entropy to the token's random
+ * number generater */
+ PK11_EnterSlotMonitor(int_slot);
+ crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
+ random_bytes, sizeof(random_bytes));
+ PK11_ExitSlotMonitor(int_slot);
+ if (crv == CKR_OK) {
+ PK11_EnterSlotMonitor(slot);
+ PK11_GETTAB(slot)->C_SeedRandom(slot->session,
+ random_bytes, sizeof(random_bytes));
+ PK11_ExitSlotMonitor(slot);
+ }
+ PK11_FreeSlot(int_slot);
+ }
+ }
+
+
+ return SECSuccess;
+}
+
+static PRBool
+pk11_isRootSlot(PK11SlotInfo *slot)
+{
+ CK_ATTRIBUTE findTemp[1];
+ CK_ATTRIBUTE *attrs;
+ CK_OBJECT_CLASS oclass = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+ int tsize;
+ CK_OBJECT_HANDLE handle;
+
+ attrs = findTemp;
+ PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++;
+ tsize = attrs - findTemp;
+ PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE));
+
+ handle = pk11_FindObjectByTemplate(slot,findTemp,tsize);
+ if (handle == CK_INVALID_HANDLE) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+}
+
+/*
+ * Initialize the slot :
+ * This initialization code is called on each slot a module supports when
+ * it is loaded. It does the bringup initialization. The difference between
+ * this and InitToken is Init slot does those one time initialization stuff,
+ * usually associated with the reader, while InitToken may get called multiple
+ * times as tokens are removed and re-inserted.
+ */
+void
+PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot)
+{
+ SECStatus rv;
+ char *tmp;
+ CK_SLOT_INFO slotInfo;
+
+ slot->functionList = mod->functionList;
+ slot->isInternal = mod->internal;
+ slot->slotID = slotID;
+ slot->isThreadSafe = mod->isThreadSafe;
+ slot->hasRSAInfo = PR_FALSE;
+
+ if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID,&slotInfo) != CKR_OK) {
+ slot->disabled = PR_TRUE;
+ slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
+ return;
+ }
+
+ /* test to make sure claimed mechanism work */
+ slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
+ slot->module = mod; /* NOTE: we don't make a reference here because
+ * modules have references to their slots. This
+ * works because modules keep implicit references
+ * from their slots, and won't unload and disappear
+ * until all their slots have been freed */
+ tmp = PK11_MakeString(NULL,slot->slot_name,
+ (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
+ slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
+#define ACTIVE_CARD "ActivCard SA"
+ slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID,
+ ACTIVE_CARD, sizeof(ACTIVE_CARD)-1) == 0);
+ if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) {
+ slot->isPerm = PR_TRUE;
+ /* permanment slots must have the token present always */
+ if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
+ slot->disabled = PR_TRUE;
+ slot->reason = PK11_DIS_TOKEN_NOT_PRESENT;
+ return; /* nothing else to do */
+ }
+ }
+ /* if the token is present, initialize it */
+ if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) {
+ rv = PK11_InitToken(slot,PR_TRUE);
+ /* the only hard failures are on permanent devices, or function
+ * verify failures... function verify failures are already handled
+ * by tokenInit */
+ if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) {
+ slot->disabled = PR_TRUE;
+ slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
+ }
+ }
+ if (pk11_isRootSlot(slot)) {
+ if (!slot->hasRootCerts) {
+ slot->module->trustOrder = 100;
+ }
+ slot->hasRootCerts= PR_TRUE;
+ }
+}
+
+
+
+/*********************************************************************
+ * Slot mapping utility functions.
+ *********************************************************************/
+
+/*
+ * determine if the token is present. If the token is present, make sure
+ * we have a valid session handle. Also set the value of needLogin
+ * appropriately.
+ */
+static PRBool
+pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts)
+{
+ CK_SLOT_INFO slotInfo;
+ CK_SESSION_INFO sessionInfo;
+ CK_RV crv;
+
+ /* disabled slots are never present */
+ if (slot->disabled) {
+ return PR_FALSE;
+ }
+
+ /* permanent slots are always present */
+ if (slot->isPerm && (slot->session != CK_INVALID_SESSION)) {
+ return PR_TRUE;
+ }
+
+ if (slot->nssToken) {
+ return nssToken_IsPresent(slot->nssToken);
+ }
+
+ /* removable slots have a flag that says they are present */
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo) != CKR_OK) {
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ return PR_FALSE;
+ }
+ if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
+ /* if the slot is no longer present, close the session */
+ if (slot->session != CK_INVALID_SESSION) {
+ PK11_GETTAB(slot)->C_CloseSession(slot->session);
+ slot->session = CK_INVALID_SESSION;
+ /* force certs to be freed */
+ }
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ return PR_FALSE;
+ }
+
+ /* use the session Info to determine if the card has been removed and then
+ * re-inserted */
+ if (slot->session != CK_INVALID_SESSION) {
+ crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo);
+ if (crv != CKR_OK) {
+ PK11_GETTAB(slot)->C_CloseSession(slot->session);
+ slot->session = CK_INVALID_SESSION;
+ }
+ }
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+
+ /* card has not been removed, current token info is correct */
+ if (slot->session != CK_INVALID_SESSION) return PR_TRUE;
+
+ /* initialize the token info state */
+ if (PK11_InitToken(slot,loadCerts) != SECSuccess) {
+ return PR_FALSE;
+ }
+
+ return PR_TRUE;
+}
+
+/*
+ * old version of the routine
+ */
+PRBool
+PK11_IsPresent(PK11SlotInfo *slot) {
+ return pk11_IsPresentCertLoad(slot,PR_TRUE);
+}
+
+/* is the slot disabled? */
+PRBool
+PK11_IsDisabled(PK11SlotInfo *slot)
+{
+ return slot->disabled;
+}
+
+/* and why? */
+PK11DisableReasons
+PK11_GetDisabledReason(PK11SlotInfo *slot)
+{
+ return slot->reason;
+}
+
+/* returns PR_TRUE if successfully disable the slot */
+/* returns PR_FALSE otherwise */
+PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) {
+
+ slot->defaultFlags |= PK11_DISABLE_FLAG;
+ slot->disabled = PR_TRUE;
+ slot->reason = PK11_DIS_USER_SELECTED;
+
+ return PR_TRUE;
+}
+
+PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) {
+
+ slot->defaultFlags &= ~PK11_DISABLE_FLAG;
+ slot->disabled = PR_FALSE;
+ slot->reason = PK11_DIS_NONE;
+ return PR_TRUE;
+}
+
+PRBool PK11_HasRootCerts(PK11SlotInfo *slot) {
+ return slot->hasRootCerts;
+}
+
+/* Get the module this slot is attatched to */
+SECMODModule *
+PK11_GetModule(PK11SlotInfo *slot)
+{
+ return slot->module;
+}
+
+/* return the default flags of a slot */
+unsigned long
+PK11_GetDefaultFlags(PK11SlotInfo *slot)
+{
+ return slot->defaultFlags;
+}
+
+/* Does this slot have a protected pin path? */
+PRBool
+PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot)
+{
+ return slot->protectedAuthPath;
+}
+
+/*
+ * we can initialize the password if 1) The toke is not inited
+ * (need login == true and see need UserInit) or 2) the token has
+ * a NULL password. (slot->needLogin = false & need user Init = false).
+ */
+PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot)
+{
+ if (slot->needLogin && PK11_NeedUserInit(slot)) {
+ return PR_TRUE;
+ }
+ if (!slot->needLogin && !PK11_NeedUserInit(slot)) {
+ return PR_TRUE;
+ }
+ return PR_FALSE;
+}
+
+PRBool PK11_NeedPWInit()
+{
+ PK11SlotInfo *slot = PK11_GetInternalKeySlot();
+ PRBool ret = PK11_NeedPWInitForSlot(slot);
+
+ PK11_FreeSlot(slot);
+ return ret;
+}
+
+/*
+ * The following wrapper functions allow us to export an opaque slot
+ * function to the rest of libsec and the world... */
+PRBool
+PK11_IsReadOnly(PK11SlotInfo *slot)
+{
+ return slot->readOnly;
+}
+
+PRBool
+PK11_IsHW(PK11SlotInfo *slot)
+{
+ return slot->isHW;
+}
+
+PRBool
+PK11_IsInternal(PK11SlotInfo *slot)
+{
+ return slot->isInternal;
+}
+
+PRBool
+PK11_NeedLogin(PK11SlotInfo *slot)
+{
+ return slot->needLogin;
+}
+
+PRBool
+PK11_IsFriendly(PK11SlotInfo *slot)
+{
+ /* internal slot always has public readable certs */
+ return (PRBool)(slot->isInternal ||
+ ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) ==
+ SECMOD_FRIENDLY_FLAG));
+}
+
+char *
+PK11_GetTokenName(PK11SlotInfo *slot)
+{
+ return slot->token_name;
+}
+
+char *
+PK11_GetSlotName(PK11SlotInfo *slot)
+{
+ return slot->slot_name;
+}
+
+int
+PK11_GetSlotSeries(PK11SlotInfo *slot)
+{
+ return slot->series;
+}
+
+int
+PK11_GetCurrentWrapIndex(PK11SlotInfo *slot)
+{
+ return slot->wrapKey;
+}
+
+CK_SLOT_ID
+PK11_GetSlotID(PK11SlotInfo *slot)
+{
+ return slot->slotID;
+}
+
+SECMODModuleID
+PK11_GetModuleID(PK11SlotInfo *slot)
+{
+ return slot->module->moduleID;
+}
+
+static void
+pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size)
+{
+ CK_CHAR *walk = buffer;
+ CK_CHAR *end = buffer + buffer_size;
+
+ /* find the NULL */
+ while (walk < end && *walk != '\0') {
+ walk++;
+ }
+
+ /* clear out the buffer */
+ while (walk < end) {
+ *walk++ = ' ';
+ }
+}
+
+/* return the slot info structure */
+SECStatus
+PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info)
+{
+ CK_RV crv;
+
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ /*
+ * some buggy drivers do not fill the buffer completely,
+ * erase the buffer first
+ */
+ PORT_Memset(info->slotDescription,' ',sizeof(info->slotDescription));
+ PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID));
+ crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,info);
+ pk11_zeroTerminatedToBlankPadded(info->slotDescription,
+ sizeof(info->slotDescription));
+ pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
+ sizeof(info->manufacturerID));
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+/* return the token info structure */
+SECStatus
+PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info)
+{
+ CK_RV crv;
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ /*
+ * some buggy drivers do not fill the buffer completely,
+ * erase the buffer first
+ */
+ PORT_Memset(info->label,' ',sizeof(info->label));
+ PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID));
+ PORT_Memset(info->model,' ',sizeof(info->model));
+ PORT_Memset(info->serialNumber,' ',sizeof(info->serialNumber));
+ crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,info);
+ pk11_zeroTerminatedToBlankPadded(info->label,sizeof(info->label));
+ pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
+ sizeof(info->manufacturerID));
+ pk11_zeroTerminatedToBlankPadded(info->model,sizeof(info->model));
+ pk11_zeroTerminatedToBlankPadded(info->serialNumber,
+ sizeof(info->serialNumber));
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+/* Find out if we need to initialize the user's pin */
+PRBool
+PK11_NeedUserInit(PK11SlotInfo *slot)
+{
+ PRBool needUserInit = (PRBool) ((slot->flags & CKF_USER_PIN_INITIALIZED)
+ == 0);
+
+ if (needUserInit) {
+ CK_TOKEN_INFO info;
+ SECStatus rv;
+
+ /* see if token has been initialized off line */
+ rv = PK11_GetTokenInfo(slot, &info);
+ if (rv == SECSuccess) {
+ slot->flags = info.flags;
+ }
+ }
+ return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0);
+}
+
+/* get the internal key slot. FIPS has only one slot for both key slots and
+ * default slots */
+PK11SlotInfo *
+PK11_GetInternalKeySlot(void)
+{
+ SECMODModule *mod = SECMOD_GetInternalModule();
+ PORT_Assert(mod != NULL);
+ if (!mod) {
+ PORT_SetError( SEC_ERROR_NO_MODULE );
+ return NULL;
+ }
+ return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]);
+}
+
+/* get the internal default slot */
+PK11SlotInfo *
+PK11_GetInternalSlot(void)
+{
+ SECMODModule * mod = SECMOD_GetInternalModule();
+ PORT_Assert(mod != NULL);
+ if (!mod) {
+ PORT_SetError( SEC_ERROR_NO_MODULE );
+ return NULL;
+ }
+ return PK11_ReferenceSlot(mod->slots[0]);
+}
+
+PRBool
+pk11_InDelayPeriod(PRIntervalTime lastTime, PRIntervalTime delayTime,
+ PRIntervalTime *retTime)
+{
+ PRIntervalTime time;
+
+ *retTime = time = PR_IntervalNow();
+ return (PRBool) (lastTime) && (time > lastTime) &&
+ ((time-lastTime) < delayTime);
+}
+
+/*
+ * Determine if the token is logged in. We have to actually query the token,
+ * because it's state can change without intervention from us.
+ */
+PRBool
+PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx)
+{
+ CK_SESSION_INFO sessionInfo;
+ int askpw = slot->askpw;
+ int timeout = slot->timeout;
+ CK_RV crv;
+ PRIntervalTime curTime;
+ static PRIntervalTime login_delay_time = 0;
+
+ if (login_delay_time == 0) {
+ login_delay_time = PR_SecondsToInterval(1);
+ }
+
+ /* If we don't have our own password default values, use the system
+ * ones */
+ if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) {
+ PK11SlotInfo *def_slot = PK11_GetInternalKeySlot();
+
+ if (def_slot) {
+ askpw = def_slot->askpw;
+ timeout = def_slot->timeout;
+ PK11_FreeSlot(def_slot);
+ }
+ }
+
+ if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) &&
+ (*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; }
+
+
+ /* forget the password if we've been inactive too long */
+ if (askpw == 1) {
+ int64 currtime = PR_Now();
+ int64 result;
+ int64 mult;
+
+ LL_I2L(result, timeout);
+ LL_I2L(mult, 60*1000*1000);
+ LL_MUL(result,result,mult);
+ LL_ADD(result, result, slot->authTime);
+ if (LL_CMP(result, <, currtime) ) {
+ PK11_EnterSlotMonitor(slot);
+ PK11_GETTAB(slot)->C_Logout(slot->session);
+ slot->lastLoginCheck = 0;
+ PK11_ExitSlotMonitor(slot);
+ } else {
+ slot->authTime = currtime;
+ }
+ }
+
+ PK11_EnterSlotMonitor(slot);
+ if (pk11_InDelayPeriod(slot->lastLoginCheck,login_delay_time, &curTime)) {
+ sessionInfo.state = slot->lastState;
+ crv = CKR_OK;
+ } else {
+ crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo);
+ if (crv == CKR_OK) {
+ slot->lastState = sessionInfo.state;
+ slot->lastLoginCheck = curTime;
+ }
+ }
+ PK11_ExitSlotMonitor(slot);
+ /* if we can't get session info, something is really wrong */
+ if (crv != CKR_OK) {
+ slot->session = CK_INVALID_SESSION;
+ return PR_FALSE;
+ }
+
+ switch (sessionInfo.state) {
+ case CKS_RW_PUBLIC_SESSION:
+ case CKS_RO_PUBLIC_SESSION:
+ default:
+ break; /* fail */
+ case CKS_RW_USER_FUNCTIONS:
+ case CKS_RW_SO_FUNCTIONS:
+ case CKS_RO_USER_FUNCTIONS:
+ return PR_TRUE;
+ }
+ return PR_FALSE;
+}
+
+
+/*
+ * check if a given slot supports the requested mechanism
+ */
+PRBool
+PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
+{
+ int i;
+
+ /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
+ * tell us we're looking form someone that has implemented get
+ * random bits */
+ if (type == CKM_FAKE_RANDOM) {
+ return slot->hasRandom;
+ }
+
+ for (i=0; i < (int) slot->mechanismCount; i++) {
+ if (slot->mechanismList[i] == type) return PR_TRUE;
+ }
+ return PR_FALSE;
+}
+
+/*
+ * Return true if a token that can do the desired mechanism exists.
+ * This allows us to have hardware tokens that can do function XYZ magically
+ * allow SSL Ciphers to appear if they are plugged in.
+ */
+PRBool
+PK11_TokenExists(CK_MECHANISM_TYPE type)
+{
+ SECMODModuleList *mlp;
+ SECMODModuleList *modules = SECMOD_GetDefaultModuleList();
+ SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
+ PK11SlotInfo *slot;
+ PRBool found = PR_FALSE;
+ int i;
+
+ /* we only need to know if there is a token that does this mechanism.
+ * check the internal module first because it's fast, and supports
+ * almost everything. */
+ slot = PK11_GetInternalSlot();
+ if (slot) {
+ found = PK11_DoesMechanism(slot,type);
+ PK11_FreeSlot(slot);
+ }
+ if (found) return PR_TRUE; /* bypass getting module locks */
+
+ SECMOD_GetReadLock(moduleLock);
+ for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) {
+ for (i=0; i < mlp->module->slotCount; i++) {
+ slot = mlp->module->slots[i];
+ if (PK11_IsPresent(slot)) {
+ if (PK11_DoesMechanism(slot,type)) {
+ found = PR_TRUE;
+ break;
+ }
+ }
+ }
+ }
+ SECMOD_ReleaseReadLock(moduleLock);
+ return found;
+}
+
+/*
+ * get all the currently available tokens in a list.
+ * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM,
+ * get all the tokens. Make sure tokens that need authentication are put at
+ * the end of this list.
+ */
+PK11SlotList *
+PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts,
+ void *wincx)
+{
+ PK11SlotList * list = PK11_NewSlotList();
+ PK11SlotList * loginList = PK11_NewSlotList();
+ PK11SlotList * friendlyList = PK11_NewSlotList();
+ SECMODModuleList * mlp;
+ SECMODModuleList * modules = SECMOD_GetDefaultModuleList();
+ SECMODListLock * moduleLock = SECMOD_GetDefaultModuleListLock();
+ int i;
+#if defined( XP_WIN32 )
+ int j = 0;
+ PRInt32 waste[16];
+#endif
+
+ if ((list == NULL) || (loginList == NULL) || (friendlyList == NULL)) {
+ if (list) PK11_FreeSlotList(list);
+ if (loginList) PK11_FreeSlotList(loginList);
+ if (friendlyList) PK11_FreeSlotList(friendlyList);
+ return NULL;
+ }
+
+ SECMOD_GetReadLock(moduleLock);
+ for(mlp = modules; mlp != NULL; mlp = mlp->next) {
+
+#if defined( XP_WIN32 )
+ /* This is works around some horrible cache/page thrashing problems
+ ** on Win32. Without this, this loop can take up to 6 seconds at
+ ** 100% CPU on a Pentium-Pro 200. The thing this changes is to
+ ** increase the size of the stack frame and modify it.
+ ** Moving the loop code itself seems to have no effect.
+ ** Dunno why this combination makes a difference, but it does.
+ */
+ waste[ j & 0xf] = j++;
+#endif
+
+ for (i = 0; i < mlp->module->slotCount; i++) {
+ PK11SlotInfo *slot = mlp->module->slots[i];
+
+ if (pk11_IsPresentCertLoad(slot, loadCerts)) {
+ if (needRW && slot->readOnly) continue;
+ if ((type == CKM_INVALID_MECHANISM)
+ || PK11_DoesMechanism(slot, type)) {
+ if (slot->needLogin && !PK11_IsLoggedIn(slot, wincx)) {
+ if (PK11_IsFriendly(slot)) {
+ PK11_AddSlotToList(friendlyList, slot);
+ } else {
+ PK11_AddSlotToList(loginList, slot);
+ }
+ } else {
+ PK11_AddSlotToList(list, slot);
+ }
+ }
+ }
+ }
+ }
+ SECMOD_ReleaseReadLock(moduleLock);
+
+ PK11_MoveListToList(list,friendlyList);
+ PK11_FreeSlotList(friendlyList);
+ PK11_MoveListToList(list,loginList);
+ PK11_FreeSlotList(loginList);
+
+ return list;
+}
+
+/*
+ * NOTE: This routine is working from a private List generated by
+ * PK11_GetAllTokens. That is why it does not need to lock.
+ */
+PK11SlotList *
+PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx)
+{
+ PK11SlotList *list = PK11_GetAllTokens(type,needRW,PR_TRUE,wincx);
+ PK11SlotListElement *le, *next ;
+ SECStatus rv;
+
+ if (list == NULL) return list;
+
+ for (le = list->head ; le; le = next) {
+ next = le->next; /* save the pointer here in case we have to
+ * free the element later */
+ rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
+ if (rv != SECSuccess) {
+ PK11_DeleteSlotFromList(list,le);
+ continue;
+ }
+ }
+ return list;
+}
+
+
+/*
+ * find the best slot which supports the given
+ * Mechanism. In normal cases this should grab the first slot on the list
+ * with no fuss.
+ */
+PK11SlotInfo *
+PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int mech_count, void *wincx)
+{
+ PK11SlotList *list = NULL;
+ PK11SlotListElement *le ;
+ PK11SlotInfo *slot = NULL;
+ PRBool freeit = PR_FALSE;
+ PRBool listNeedLogin = PR_FALSE;
+ int i;
+ SECStatus rv;
+
+ list = PK11_GetSlotList(type[0]);
+
+ if ((list == NULL) || (list->head == NULL)) {
+ /* We need to look up all the tokens for the mechanism */
+ list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx);
+ freeit = PR_TRUE;
+ }
+
+ /* no one can do it! */
+ if (list == NULL) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ return NULL;
+ }
+
+ PORT_SetError(0);
+
+
+ listNeedLogin = PR_FALSE;
+ for (i=0; i < mech_count; i++) {
+ if ((type[i] != CKM_FAKE_RANDOM) && (type[i] != CKM_SHA_1) &&
+ (type[i] != CKM_MD5) && (type[i] != CKM_MD2)) {
+ listNeedLogin = PR_TRUE;
+ break;
+ }
+ }
+
+ for (le = PK11_GetFirstSafe(list); le;
+ le = PK11_GetNextSafe(list,le,PR_TRUE)) {
+ if (PK11_IsPresent(le->slot)) {
+ PRBool doExit = PR_FALSE;
+ for (i=0; i < mech_count; i++) {
+ if (!PK11_DoesMechanism(le->slot,type[i])) {
+ doExit = PR_TRUE;
+ break;
+ }
+ }
+ if (doExit) continue;
+
+ if (listNeedLogin && le->slot->needLogin) {
+ rv = PK11_Authenticate(le->slot,PR_TRUE,wincx);
+ if (rv != SECSuccess) continue;
+ }
+ slot = le->slot;
+ PK11_ReferenceSlot(slot);
+ pk11_FreeListElement(list,le);
+ if (freeit) { PK11_FreeSlotList(list); }
+ return slot;
+ }
+ }
+ if (freeit) { PK11_FreeSlotList(list); }
+ if (PORT_GetError() == 0) {
+ PORT_SetError(SEC_ERROR_NO_TOKEN);
+ }
+ return NULL;
+}
+
+/* original get best slot now calls the multiple version with only one type */
+PK11SlotInfo *
+PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx)
+{
+ return PK11_GetBestSlotMultiple(&type, 1, wincx);
+}
+
+/*
+ * find the best key wrap mechanism for this slot.
+ */
+CK_MECHANISM_TYPE
+PK11_GetBestWrapMechanism(PK11SlotInfo *slot)
+{
+ int i;
+ for (i=0; i < wrapMechanismCount; i++) {
+ if (PK11_DoesMechanism(slot,wrapMechanismList[i])) {
+ return wrapMechanismList[i];
+ }
+ }
+ return CKM_INVALID_MECHANISM;
+}
+
+int
+PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism)
+{
+ CK_MECHANISM_INFO mechanism_info;
+ CK_RV crv;
+
+ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID,
+ mechanism,&mechanism_info);
+ if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) return 0;
+
+ if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize)
+ return 0;
+ return mechanism_info.ulMaxKeySize;
+}
+
+
+/*********************************************************************
+ * Mechanism Mapping functions
+ *********************************************************************/
+
+/*
+ * lookup an entry in the mechanism table. If none found, return the
+ * default structure.
+ */
+static pk11MechanismData *
+pk11_lookup(CK_MECHANISM_TYPE type)
+{
+ int i;
+ for (i=0; i < pk11_MechEntrySize; i++) {
+ if (pk11_MechanismTable[i].type == type) {
+ return (&pk11_MechanismTable[i]);
+ }
+ }
+ return &pk11_default;
+}
+
+/*
+ * NOTE: This is not thread safe. Called at init time, and when loading
+ * a new Entry. It is reasonably safe as long as it is not re-entered
+ * (readers will always see a consistant table)
+ *
+ * This routine is called to add entries to the mechanism table, once there,
+ * they can not be removed.
+ */
+void
+PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key,
+ CK_MECHANISM_TYPE keyGen, int ivLen, int blockSize)
+{
+ int tableSize = pk11_MechTableSize;
+ int size = pk11_MechEntrySize;
+ int entry = size++;
+ pk11MechanismData *old = pk11_MechanismTable;
+ pk11MechanismData *newt = pk11_MechanismTable;
+
+
+ if (size > tableSize) {
+ int oldTableSize = tableSize;
+ tableSize += 10;
+ newt = (pk11MechanismData *)
+ PORT_Alloc(tableSize*sizeof(pk11MechanismData));
+ if (newt == NULL) return;
+
+ if (old) PORT_Memcpy(newt,old,oldTableSize*sizeof(pk11MechanismData));
+ } else old = NULL;
+
+ newt[entry].type = type;
+ newt[entry].keyType = key;
+ newt[entry].keyGen = keyGen;
+ newt[entry].iv = ivLen;
+ newt[entry].blockSize = blockSize;
+
+ pk11_MechanismTable = newt;
+ pk11_MechTableSize = tableSize;
+ pk11_MechEntrySize = size;
+ if (old) PORT_Free(old);
+}
+
+/*
+ * Get the key type needed for the given mechanism
+ */
+CK_MECHANISM_TYPE
+PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len)
+{
+ switch (type) {
+ case CKM_AES_ECB:
+ case CKM_AES_CBC:
+ case CKM_AES_MAC:
+ case CKM_AES_MAC_GENERAL:
+ case CKM_AES_CBC_PAD:
+ case CKM_AES_KEY_GEN:
+ return CKK_AES;
+ case CKM_DES_ECB:
+ case CKM_DES_CBC:
+ case CKM_DES_MAC:
+ case CKM_DES_MAC_GENERAL:
+ case CKM_DES_CBC_PAD:
+ case CKM_DES_KEY_GEN:
+ case CKM_KEY_WRAP_LYNKS:
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PBE_MD5_DES_CBC:
+ return CKK_DES;
+ case CKM_DES3_ECB:
+ case CKM_DES3_CBC:
+ case CKM_DES3_MAC:
+ case CKM_DES3_MAC_GENERAL:
+ case CKM_DES3_CBC_PAD:
+ return (len == 128) ? CKK_DES2 : CKK_DES3;
+ case CKM_DES2_KEY_GEN:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ return CKK_DES2;
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_DES3_KEY_GEN:
+ return CKK_DES3;
+ case CKM_CDMF_ECB:
+ case CKM_CDMF_CBC:
+ case CKM_CDMF_MAC:
+ case CKM_CDMF_MAC_GENERAL:
+ case CKM_CDMF_CBC_PAD:
+ case CKM_CDMF_KEY_GEN:
+ return CKK_CDMF;
+ case CKM_RC2_ECB:
+ case CKM_RC2_CBC:
+ case CKM_RC2_MAC:
+ case CKM_RC2_MAC_GENERAL:
+ case CKM_RC2_CBC_PAD:
+ case CKM_RC2_KEY_GEN:
+ case CKM_PBE_SHA1_RC2_128_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+ return CKK_RC2;
+ case CKM_RC4:
+ case CKM_RC4_KEY_GEN:
+ return CKK_RC4;
+ case CKM_RC5_ECB:
+ case CKM_RC5_CBC:
+ case CKM_RC5_MAC:
+ case CKM_RC5_MAC_GENERAL:
+ case CKM_RC5_CBC_PAD:
+ case CKM_RC5_KEY_GEN:
+ return CKK_RC5;
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ case CKM_SKIPJACK_KEY_GEN:
+ case CKM_SKIPJACK_WRAP:
+ case CKM_SKIPJACK_PRIVATE_WRAP:
+ return CKK_SKIPJACK;
+ case CKM_BATON_ECB128:
+ case CKM_BATON_ECB96:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_BATON_WRAP:
+ case CKM_BATON_KEY_GEN:
+ return CKK_BATON;
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ case CKM_JUNIPER_WRAP:
+ case CKM_JUNIPER_KEY_GEN:
+ return CKK_JUNIPER;
+ case CKM_IDEA_CBC:
+ case CKM_IDEA_ECB:
+ case CKM_IDEA_MAC:
+ case CKM_IDEA_MAC_GENERAL:
+ case CKM_IDEA_CBC_PAD:
+ case CKM_IDEA_KEY_GEN:
+ return CKK_IDEA;
+ case CKM_CAST_ECB:
+ case CKM_CAST_CBC:
+ case CKM_CAST_MAC:
+ case CKM_CAST_MAC_GENERAL:
+ case CKM_CAST_CBC_PAD:
+ case CKM_CAST_KEY_GEN:
+ case CKM_PBE_MD5_CAST_CBC:
+ return CKK_CAST;
+ case CKM_CAST3_ECB:
+ case CKM_CAST3_CBC:
+ case CKM_CAST3_MAC:
+ case CKM_CAST3_MAC_GENERAL:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_CAST3_KEY_GEN:
+ case CKM_PBE_MD5_CAST3_CBC:
+ return CKK_CAST3;
+ case CKM_CAST5_ECB:
+ case CKM_CAST5_CBC:
+ case CKM_CAST5_MAC:
+ case CKM_CAST5_MAC_GENERAL:
+ case CKM_CAST5_CBC_PAD:
+ case CKM_CAST5_KEY_GEN:
+ case CKM_PBE_MD5_CAST5_CBC:
+ return CKK_CAST5;
+ case CKM_RSA_PKCS:
+ case CKM_RSA_9796:
+ case CKM_RSA_X_509:
+ case CKM_MD2_RSA_PKCS:
+ case CKM_MD5_RSA_PKCS:
+ case CKM_SHA1_RSA_PKCS:
+ case CKM_KEY_WRAP_SET_OAEP:
+ case CKM_RSA_PKCS_KEY_PAIR_GEN:
+ return CKK_RSA;
+ case CKM_DSA:
+ case CKM_DSA_SHA1:
+ case CKM_DSA_KEY_PAIR_GEN:
+ return CKK_DSA;
+ case CKM_DH_PKCS_DERIVE:
+ case CKM_DH_PKCS_KEY_PAIR_GEN:
+ return CKK_DH;
+ case CKM_KEA_KEY_DERIVE:
+ case CKM_KEA_KEY_PAIR_GEN:
+ return CKK_KEA;
+ case CKM_ECDSA_KEY_PAIR_GEN:
+ case CKM_ECDSA:
+ case CKM_ECDSA_SHA1:
+ return CKK_ECDSA;
+ case CKM_SSL3_PRE_MASTER_KEY_GEN:
+ case CKM_GENERIC_SECRET_KEY_GEN:
+ case CKM_SSL3_MASTER_KEY_DERIVE:
+ case CKM_SSL3_MASTER_KEY_DERIVE_DH:
+ case CKM_SSL3_KEY_AND_MAC_DERIVE:
+ case CKM_SSL3_SHA1_MAC:
+ case CKM_SSL3_MD5_MAC:
+ case CKM_TLS_MASTER_KEY_DERIVE:
+ case CKM_TLS_MASTER_KEY_DERIVE_DH:
+ case CKM_TLS_KEY_AND_MAC_DERIVE:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA_1_HMAC_GENERAL:
+ case CKM_MD2_HMAC:
+ case CKM_MD2_HMAC_GENERAL:
+ case CKM_MD5_HMAC:
+ case CKM_MD5_HMAC_GENERAL:
+ case CKM_TLS_PRF_GENERAL:
+ return CKK_GENERIC_SECRET;
+ default:
+ return pk11_lookup(type)->keyType;
+ }
+}
+
+/*
+ * Get the Key Gen Mechanism needed for the given
+ * crypto mechanism
+ */
+CK_MECHANISM_TYPE
+PK11_GetKeyGen(CK_MECHANISM_TYPE type)
+{
+ switch (type) {
+ case CKM_AES_ECB:
+ case CKM_AES_CBC:
+ case CKM_AES_MAC:
+ case CKM_AES_MAC_GENERAL:
+ case CKM_AES_CBC_PAD:
+ case CKM_AES_KEY_GEN:
+ return CKM_AES_KEY_GEN;
+ case CKM_DES_ECB:
+ case CKM_DES_CBC:
+ case CKM_DES_MAC:
+ case CKM_DES_MAC_GENERAL:
+ case CKM_KEY_WRAP_LYNKS:
+ case CKM_DES_CBC_PAD:
+ case CKM_DES_KEY_GEN:
+ return CKM_DES_KEY_GEN;
+ case CKM_DES3_ECB:
+ case CKM_DES3_CBC:
+ case CKM_DES3_MAC:
+ case CKM_DES3_MAC_GENERAL:
+ case CKM_DES3_CBC_PAD:
+ case CKM_DES3_KEY_GEN:
+ return CKM_DES3_KEY_GEN;
+ case CKM_CDMF_ECB:
+ case CKM_CDMF_CBC:
+ case CKM_CDMF_MAC:
+ case CKM_CDMF_MAC_GENERAL:
+ case CKM_CDMF_CBC_PAD:
+ case CKM_CDMF_KEY_GEN:
+ return CKM_CDMF_KEY_GEN;
+ case CKM_RC2_ECB:
+ case CKM_RC2_CBC:
+ case CKM_RC2_MAC:
+ case CKM_RC2_MAC_GENERAL:
+ case CKM_RC2_CBC_PAD:
+ case CKM_RC2_KEY_GEN:
+ return CKM_RC2_KEY_GEN;
+ case CKM_RC4:
+ case CKM_RC4_KEY_GEN:
+ return CKM_RC4_KEY_GEN;
+ case CKM_RC5_ECB:
+ case CKM_RC5_CBC:
+ case CKM_RC5_MAC:
+ case CKM_RC5_MAC_GENERAL:
+ case CKM_RC5_CBC_PAD:
+ case CKM_RC5_KEY_GEN:
+ return CKM_RC5_KEY_GEN;
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ case CKM_SKIPJACK_WRAP:
+ case CKM_SKIPJACK_KEY_GEN:
+ return CKM_SKIPJACK_KEY_GEN;
+ case CKM_BATON_ECB128:
+ case CKM_BATON_ECB96:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_BATON_WRAP:
+ case CKM_BATON_KEY_GEN:
+ return CKM_BATON_KEY_GEN;
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ case CKM_JUNIPER_WRAP:
+ case CKM_JUNIPER_KEY_GEN:
+ return CKM_JUNIPER_KEY_GEN;
+ case CKM_IDEA_CBC:
+ case CKM_IDEA_ECB:
+ case CKM_IDEA_MAC:
+ case CKM_IDEA_MAC_GENERAL:
+ case CKM_IDEA_CBC_PAD:
+ case CKM_IDEA_KEY_GEN:
+ return CKM_IDEA_KEY_GEN;
+ case CKM_CAST_ECB:
+ case CKM_CAST_CBC:
+ case CKM_CAST_MAC:
+ case CKM_CAST_MAC_GENERAL:
+ case CKM_CAST_CBC_PAD:
+ case CKM_CAST_KEY_GEN:
+ return CKM_CAST_KEY_GEN;
+ case CKM_CAST3_ECB:
+ case CKM_CAST3_CBC:
+ case CKM_CAST3_MAC:
+ case CKM_CAST3_MAC_GENERAL:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_CAST3_KEY_GEN:
+ return CKM_CAST3_KEY_GEN;
+ case CKM_CAST5_ECB:
+ case CKM_CAST5_CBC:
+ case CKM_CAST5_MAC:
+ case CKM_CAST5_MAC_GENERAL:
+ case CKM_CAST5_CBC_PAD:
+ case CKM_CAST5_KEY_GEN:
+ return CKM_CAST5_KEY_GEN;
+ case CKM_RSA_PKCS:
+ case CKM_RSA_9796:
+ case CKM_RSA_X_509:
+ case CKM_MD2_RSA_PKCS:
+ case CKM_MD5_RSA_PKCS:
+ case CKM_SHA1_RSA_PKCS:
+ case CKM_KEY_WRAP_SET_OAEP:
+ case CKM_RSA_PKCS_KEY_PAIR_GEN:
+ return CKM_RSA_PKCS_KEY_PAIR_GEN;
+ case CKM_DSA:
+ case CKM_DSA_SHA1:
+ case CKM_DSA_KEY_PAIR_GEN:
+ return CKM_DSA_KEY_PAIR_GEN;
+ case CKM_DH_PKCS_DERIVE:
+ case CKM_DH_PKCS_KEY_PAIR_GEN:
+ return CKM_DH_PKCS_KEY_PAIR_GEN;
+ case CKM_KEA_KEY_DERIVE:
+ case CKM_KEA_KEY_PAIR_GEN:
+ return CKM_KEA_KEY_PAIR_GEN;
+ case CKM_ECDSA:
+ case CKM_ECDSA_KEY_PAIR_GEN:
+ return CKM_ECDSA_KEY_PAIR_GEN;
+ case CKM_SSL3_PRE_MASTER_KEY_GEN:
+ case CKM_SSL3_MASTER_KEY_DERIVE:
+ case CKM_SSL3_KEY_AND_MAC_DERIVE:
+ case CKM_SSL3_SHA1_MAC:
+ case CKM_SSL3_MD5_MAC:
+ case CKM_TLS_MASTER_KEY_DERIVE:
+ case CKM_TLS_KEY_AND_MAC_DERIVE:
+ return CKM_SSL3_PRE_MASTER_KEY_GEN;
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA_1_HMAC_GENERAL:
+ case CKM_MD2_HMAC:
+ case CKM_MD2_HMAC_GENERAL:
+ case CKM_MD5_HMAC:
+ case CKM_MD5_HMAC_GENERAL:
+ case CKM_TLS_PRF_GENERAL:
+ case CKM_GENERIC_SECRET_KEY_GEN:
+ return CKM_GENERIC_SECRET_KEY_GEN;
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PBE_MD5_DES_CBC:
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+ case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN:
+ case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN:
+ case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN:
+ case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+ case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+ case CKM_PBE_SHA1_RC2_128_CBC:
+ case CKM_PBE_SHA1_RC4_40:
+ case CKM_PBE_SHA1_RC4_128:
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ return type;
+ default:
+ return pk11_lookup(type)->keyGen;
+ }
+}
+
+/*
+ * get the mechanism block size
+ */
+int
+PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params)
+{
+ CK_RC5_PARAMS *rc5_params;
+ CK_RC5_CBC_PARAMS *rc5_cbc_params;
+ switch (type) {
+ case CKM_RC5_ECB:
+ if ((params) && (params->data)) {
+ rc5_params = (CK_RC5_PARAMS *) params->data;
+ return (rc5_params->ulWordsize)*2;
+ }
+ return 8;
+ case CKM_RC5_CBC:
+ case CKM_RC5_CBC_PAD:
+ if ((params) && (params->data)) {
+ rc5_cbc_params = (CK_RC5_CBC_PARAMS *) params->data;
+ return (rc5_cbc_params->ulWordsize)*2;
+ }
+ return 8;
+ case CKM_DES_ECB:
+ case CKM_DES3_ECB:
+ case CKM_RC2_ECB:
+ case CKM_IDEA_ECB:
+ case CKM_CAST_ECB:
+ case CKM_CAST3_ECB:
+ case CKM_CAST5_ECB:
+ case CKM_RC2_CBC:
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_DES_CBC:
+ case CKM_DES3_CBC:
+ case CKM_IDEA_CBC:
+ case CKM_CAST_CBC:
+ case CKM_CAST3_CBC:
+ case CKM_CAST5_CBC:
+ case CKM_DES_CBC_PAD:
+ case CKM_DES3_CBC_PAD:
+ case CKM_RC2_CBC_PAD:
+ case CKM_IDEA_CBC_PAD:
+ case CKM_CAST_CBC_PAD:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_CAST5_CBC_PAD:
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PBE_MD5_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+ case CKM_PBE_SHA1_RC2_128_CBC:
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ return 8;
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ return 4;
+ case CKM_AES_ECB:
+ case CKM_AES_CBC:
+ case CKM_AES_CBC_PAD:
+ case CKM_BATON_ECB128:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ return 16;
+ case CKM_BATON_ECB96:
+ return 12;
+ case CKM_RC4:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+ case CKM_PBE_SHA1_RC4_40:
+ case CKM_PBE_SHA1_RC4_128:
+ return 0;
+ case CKM_RSA_PKCS:
+ case CKM_RSA_9796:
+ case CKM_RSA_X_509:
+ /*actually it's the modulus length of the key!*/
+ return -1; /* failure */
+ default:
+ return pk11_lookup(type)->blockSize;
+ }
+}
+
+/*
+ * get the iv length
+ */
+int
+PK11_GetIVLength(CK_MECHANISM_TYPE type)
+{
+ switch (type) {
+ case CKM_AES_ECB:
+ case CKM_DES_ECB:
+ case CKM_DES3_ECB:
+ case CKM_RC2_ECB:
+ case CKM_IDEA_ECB:
+ case CKM_SKIPJACK_WRAP:
+ case CKM_BATON_WRAP:
+ case CKM_RC5_ECB:
+ case CKM_CAST_ECB:
+ case CKM_CAST3_ECB:
+ case CKM_CAST5_ECB:
+ return 0;
+ case CKM_RC2_CBC:
+ case CKM_DES_CBC:
+ case CKM_DES3_CBC:
+ case CKM_IDEA_CBC:
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PBE_MD5_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+ case CKM_PBE_SHA1_RC2_128_CBC:
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_RC5_CBC:
+ case CKM_CAST_CBC:
+ case CKM_CAST3_CBC:
+ case CKM_CAST5_CBC:
+ case CKM_RC2_CBC_PAD:
+ case CKM_DES_CBC_PAD:
+ case CKM_DES3_CBC_PAD:
+ case CKM_IDEA_CBC_PAD:
+ case CKM_RC5_CBC_PAD:
+ case CKM_CAST_CBC_PAD:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_CAST5_CBC_PAD:
+ return 8;
+ case CKM_AES_CBC:
+ case CKM_AES_CBC_PAD:
+ return 16;
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ case CKM_BATON_ECB128:
+ case CKM_BATON_ECB96:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ return 24;
+ case CKM_RC4:
+ case CKM_RSA_PKCS:
+ case CKM_RSA_9796:
+ case CKM_RSA_X_509:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+ case CKM_PBE_SHA1_RC4_40:
+ case CKM_PBE_SHA1_RC4_128:
+ return 0;
+ default:
+ return pk11_lookup(type)->iv;
+ }
+}
+
+
+/* These next two utilities are here to help facilitate future
+ * Dynamic Encrypt/Decrypt symetric key mechanisms, and to allow functions
+ * like SSL and S-MIME to automatically add them.
+ */
+SECItem *
+PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv)
+{
+ CK_RC2_CBC_PARAMS *rc2_params = NULL;
+ CK_RC2_PARAMS *rc2_ecb_params = NULL;
+ CK_RC5_PARAMS *rc5_params = NULL;
+ CK_RC5_CBC_PARAMS *rc5_cbc_params = NULL;
+ SECItem *param;
+
+ param = (SECItem *)PORT_Alloc(sizeof(SECItem));
+ if (param == NULL) return NULL;
+ param->data = NULL;
+ param->len = 0;
+ param->type = 0;
+ switch (type) {
+ case CKM_AES_ECB:
+ case CKM_DES_ECB:
+ case CKM_DES3_ECB:
+ case CKM_RSA_PKCS:
+ case CKM_RSA_X_509:
+ case CKM_RSA_9796:
+ case CKM_IDEA_ECB:
+ case CKM_CDMF_ECB:
+ case CKM_CAST_ECB:
+ case CKM_CAST3_ECB:
+ case CKM_CAST5_ECB:
+ case CKM_RC4:
+ break;
+ case CKM_RC2_ECB:
+ rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
+ if (rc2_ecb_params == NULL) break;
+ /* Maybe we should pass the key size in too to get this value? */
+ *rc2_ecb_params = 128;
+ param->data = (unsigned char *) rc2_ecb_params;
+ param->len = sizeof(CK_RC2_PARAMS);
+ break;
+ case CKM_RC2_CBC:
+ case CKM_RC2_CBC_PAD:
+ rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
+ if (rc2_params == NULL) break;
+ /* Maybe we should pass the key size in too to get this value? */
+ rc2_params->ulEffectiveBits = 128;
+ if (iv && iv->data)
+ PORT_Memcpy(rc2_params->iv,iv->data,sizeof(rc2_params->iv));
+ param->data = (unsigned char *) rc2_params;
+ param->len = sizeof(CK_RC2_CBC_PARAMS);
+ break;
+ case CKM_RC5_CBC:
+ case CKM_RC5_CBC_PAD:
+ rc5_cbc_params = (CK_RC5_CBC_PARAMS *)
+ PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + ((iv) ? iv->len : 0));
+ if (rc5_cbc_params == NULL) break;
+ if (iv && iv->data) {
+ rc5_cbc_params->pIv = ((CK_BYTE_PTR) rc5_cbc_params)
+ + sizeof(CK_RC5_CBC_PARAMS);
+ PORT_Memcpy(rc5_cbc_params->pIv,iv->data,iv->len);
+ rc5_cbc_params->ulIvLen = iv->len;
+ rc5_cbc_params->ulWordsize = iv->len/2;
+ } else {
+ rc5_cbc_params->ulWordsize = 4;
+ rc5_cbc_params->pIv = NULL;
+ rc5_cbc_params->ulIvLen = iv->len;
+ }
+ rc5_cbc_params->ulRounds = 16;
+ param->data = (unsigned char *) rc5_cbc_params;
+ param->len = sizeof(CK_RC5_CBC_PARAMS);
+ break;
+ case CKM_RC5_ECB:
+ rc5_params = (CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS));
+ if (rc5_params == NULL) break;
+ if (iv && iv->data && iv->len) {
+ rc5_params->ulWordsize = iv->len/2;
+ } else {
+ rc5_params->ulWordsize = 4;
+ }
+ rc5_params->ulRounds = 16;
+ param->data = (unsigned char *) rc5_params;
+ param->len = sizeof(CK_RC5_PARAMS);
+ break;
+ case CKM_AES_CBC:
+ case CKM_DES_CBC:
+ case CKM_DES3_CBC:
+ case CKM_IDEA_CBC:
+ case CKM_CDMF_CBC:
+ case CKM_CAST_CBC:
+ case CKM_CAST3_CBC:
+ case CKM_CAST5_CBC:
+ case CKM_AES_CBC_PAD:
+ case CKM_DES_CBC_PAD:
+ case CKM_DES3_CBC_PAD:
+ case CKM_IDEA_CBC_PAD:
+ case CKM_CDMF_CBC_PAD:
+ case CKM_CAST_CBC_PAD:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_CAST5_CBC_PAD:
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ case CKM_BATON_ECB128:
+ case CKM_BATON_ECB96:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ if ((iv == NULL) || (iv->data == NULL)) break;
+ param->data = (unsigned char*)PORT_Alloc(iv->len);
+ if (param->data != NULL) {
+ PORT_Memcpy(param->data,iv->data,iv->len);
+ param->len = iv->len;
+ }
+ break;
+ /* unknown mechanism, pass IV in if it's there */
+ default:
+ if (pk11_lookup(type)->iv == 0) {
+ break;
+ }
+ if ((iv == NULL) || (iv->data == NULL)) {
+ break;
+ }
+ param->data = (unsigned char*)PORT_Alloc(iv->len);
+ if (param->data != NULL) {
+ PORT_Memcpy(param->data,iv->data,iv->len);
+ param->len = iv->len;
+ }
+ break;
+ }
+ return param;
+}
+
+unsigned char *
+PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len)
+{
+ CK_RC2_CBC_PARAMS *rc2_params;
+ CK_RC5_CBC_PARAMS *rc5_cbc_params;
+
+ *len = 0;
+ switch (type) {
+ case CKM_AES_ECB:
+ case CKM_DES_ECB:
+ case CKM_DES3_ECB:
+ case CKM_RSA_PKCS:
+ case CKM_RSA_X_509:
+ case CKM_RSA_9796:
+ case CKM_IDEA_ECB:
+ case CKM_CDMF_ECB:
+ case CKM_CAST_ECB:
+ case CKM_CAST3_ECB:
+ case CKM_CAST5_ECB:
+ case CKM_RC4:
+ return NULL;
+ case CKM_RC2_ECB:
+ return NULL;
+ case CKM_RC2_CBC:
+ case CKM_RC2_CBC_PAD:
+ rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
+ *len = sizeof(rc2_params->iv);
+ return &rc2_params->iv[0];
+ case CKM_RC5_CBC:
+ case CKM_RC5_CBC_PAD:
+ rc5_cbc_params = (CK_RC5_CBC_PARAMS *) param->data;
+ *len = rc5_cbc_params->ulIvLen;
+ return rc5_cbc_params->pIv;
+ case CKM_AES_CBC:
+ case CKM_DES_CBC:
+ case CKM_DES3_CBC:
+ case CKM_IDEA_CBC:
+ case CKM_CDMF_CBC:
+ case CKM_CAST_CBC:
+ case CKM_CAST3_CBC:
+ case CKM_CAST5_CBC:
+ case CKM_DES_CBC_PAD:
+ case CKM_DES3_CBC_PAD:
+ case CKM_IDEA_CBC_PAD:
+ case CKM_CDMF_CBC_PAD:
+ case CKM_CAST_CBC_PAD:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_CAST5_CBC_PAD:
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ case CKM_BATON_ECB128:
+ case CKM_BATON_ECB96:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ break;
+ /* unknown mechanism, pass IV in if it's there */
+ default:
+ break;
+ }
+ if (param->data) {
+ *len = param->len;
+ }
+ return param->data;
+}
+
+typedef struct sec_rc5cbcParameterStr {
+ SECItem version;
+ SECItem rounds;
+ SECItem blockSizeInBits;
+ SECItem iv;
+} sec_rc5cbcParameter;
+
+static const SEC_ASN1Template sec_rc5ecb_parameter_template[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(sec_rc5cbcParameter) },
+ { SEC_ASN1_INTEGER,
+ offsetof(sec_rc5cbcParameter,version) },
+ { SEC_ASN1_INTEGER,
+ offsetof(sec_rc5cbcParameter,rounds) },
+ { SEC_ASN1_INTEGER,
+ offsetof(sec_rc5cbcParameter,blockSizeInBits) },
+ { 0 }
+};
+
+static const SEC_ASN1Template sec_rc5cbc_parameter_template[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(sec_rc5cbcParameter) },
+ { SEC_ASN1_INTEGER,
+ offsetof(sec_rc5cbcParameter,version) },
+ { SEC_ASN1_INTEGER,
+ offsetof(sec_rc5cbcParameter,rounds) },
+ { SEC_ASN1_INTEGER,
+ offsetof(sec_rc5cbcParameter,blockSizeInBits) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(sec_rc5cbcParameter,iv) },
+ { 0 }
+};
+
+typedef struct sec_rc2cbcParameterStr {
+ SECItem rc2ParameterVersion;
+ SECItem iv;
+} sec_rc2cbcParameter;
+
+static const SEC_ASN1Template sec_rc2cbc_parameter_template[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(sec_rc2cbcParameter) },
+ { SEC_ASN1_INTEGER,
+ offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(sec_rc2cbcParameter,iv) },
+ { 0 }
+};
+
+static const SEC_ASN1Template sec_rc2ecb_parameter_template[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(sec_rc2cbcParameter) },
+ { SEC_ASN1_INTEGER,
+ offsetof(sec_rc2cbcParameter,rc2ParameterVersion) },
+ { 0 }
+};
+
+/* S/MIME picked id values to represent differnt keysizes */
+/* I do have a formula, but it ain't pretty, and it only works because you
+ * can always match three points to a parabola:) */
+static unsigned char rc2_map(SECItem *version)
+{
+ long x;
+
+ x = DER_GetInteger(version);
+
+ switch (x) {
+ case 58: return 128;
+ case 120: return 64;
+ case 160: return 40;
+ }
+ return 128;
+}
+
+static unsigned long rc2_unmap(unsigned long x)
+{
+ switch (x) {
+ case 128: return 58;
+ case 64: return 120;
+ case 40: return 160;
+ }
+ return 58;
+}
+
+
+
+/* Generate a mechaism param from a type, and iv. */
+SECItem *
+PK11_ParamFromAlgid(SECAlgorithmID *algid)
+{
+ CK_RC2_CBC_PARAMS *rc2_params = NULL;
+ CK_RC2_PARAMS *rc2_ecb_params = NULL;
+ CK_RC5_CBC_PARAMS *rc5_params_cbc;
+ CK_RC5_PARAMS *rc5_params_ecb;
+ SECItem iv;
+ sec_rc2cbcParameter rc2;
+ sec_rc5cbcParameter rc5;
+ SECItem *mech;
+ CK_MECHANISM_TYPE type;
+ SECOidTag algtag;
+ SECStatus rv;
+
+ algtag = SECOID_GetAlgorithmTag(algid);
+ type = PK11_AlgtagToMechanism(algtag);
+
+ mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
+ if (mech == NULL) return NULL;
+ mech->type = siBuffer;
+
+
+ /* handle the complicated cases */
+ switch (type) {
+ case CKM_RC2_ECB:
+ rv = SEC_ASN1DecodeItem(NULL, &rc2 ,sec_rc2ecb_parameter_template,
+ &(algid->parameters));
+ if (rv != SECSuccess) {
+ PORT_Free(mech);
+ return NULL;
+ }
+ rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
+ if (rc2_ecb_params == NULL) {
+ PORT_Free(rc2.rc2ParameterVersion.data);
+ PORT_Free(mech);
+ return NULL;
+ }
+ *rc2_ecb_params = rc2_map(&rc2.rc2ParameterVersion);
+ PORT_Free(rc2.rc2ParameterVersion.data);
+ mech->data = (unsigned char *) rc2_ecb_params;
+ mech->len = sizeof(CK_RC2_PARAMS);
+ return mech;
+ case CKM_RC2_CBC:
+ case CKM_RC2_CBC_PAD:
+ rv = SEC_ASN1DecodeItem(NULL, &rc2 ,sec_rc2cbc_parameter_template,
+ &(algid->parameters));
+ if (rv != SECSuccess) {
+ PORT_Free(mech);
+ return NULL;
+ }
+ rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
+ if (rc2_params == NULL) {
+ PORT_Free(rc2.iv.data);
+ PORT_Free(rc2.rc2ParameterVersion.data);
+ PORT_Free(mech);
+ return NULL;
+ }
+ rc2_params->ulEffectiveBits = rc2_map(&rc2.rc2ParameterVersion);
+ PORT_Free(rc2.rc2ParameterVersion.data);
+ PORT_Memcpy(rc2_params->iv,rc2.iv.data,sizeof(rc2_params->iv));
+ PORT_Free(rc2.iv.data);
+ mech->data = (unsigned char *) rc2_params;
+ mech->len = sizeof(CK_RC2_CBC_PARAMS);
+ return mech;
+ case CKM_RC5_ECB:
+ rv = SEC_ASN1DecodeItem(NULL, &rc5 ,sec_rc5ecb_parameter_template,
+ &(algid->parameters));
+ if (rv != SECSuccess) {
+ PORT_Free(mech);
+ return NULL;
+ }
+ rc5_params_ecb=(CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS));
+ PORT_Free(rc5.version.data);
+ if (rc5_params_ecb == NULL) {
+ PORT_Free(rc5.rounds.data);
+ PORT_Free(rc5.blockSizeInBits.data);
+ PORT_Free(mech);
+ return NULL;
+ }
+ rc5_params_ecb->ulRounds = DER_GetInteger(&rc5.rounds);
+ rc5_params_ecb->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
+ PORT_Free(rc5.rounds.data);
+ PORT_Free(rc5.blockSizeInBits.data);
+ mech->data = (unsigned char *) rc5_params_ecb;
+ mech->len = sizeof(CK_RC5_PARAMS);
+ return mech;
+ case CKM_RC5_CBC:
+ case CKM_RC5_CBC_PAD:
+ rv = SEC_ASN1DecodeItem(NULL, &rc5 ,sec_rc5cbc_parameter_template,
+ &(algid->parameters));
+ if (rv != SECSuccess) {
+ PORT_Free(mech);
+ return NULL;
+ }
+ rc5_params_cbc = (CK_RC5_CBC_PARAMS *)
+ PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + rc5.iv.len);
+ PORT_Free(rc5.version.data);
+ if (rc2_params == NULL) {
+ PORT_Free(rc5.iv.data);
+ PORT_Free(rc5.rounds.data);
+ PORT_Free(rc5.blockSizeInBits.data);
+ PORT_Free(mech);
+ return NULL;
+ }
+ rc5_params_cbc->ulRounds = DER_GetInteger(&rc5.rounds);
+ rc5_params_cbc->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8;
+ PORT_Free(rc5.rounds.data);
+ PORT_Free(rc5.blockSizeInBits.data);
+ rc5_params_cbc->pIv = ((CK_BYTE_PTR)rc5_params_cbc)
+ + sizeof(CK_RC5_CBC_PARAMS);
+ PORT_Memcpy(rc5_params_cbc->pIv,rc5.iv.data,rc5.iv.len);
+ rc5_params_cbc->ulIvLen = rc5.iv.len;
+ PORT_Free(rc5.iv.data);
+ mech->data = (unsigned char *) rc5_params_cbc;
+ mech->len = sizeof(CK_RC5_CBC_PARAMS);
+ return mech;
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PBE_MD5_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+ case CKM_PBE_SHA1_RC2_128_CBC:
+ case CKM_PBE_SHA1_RC4_40:
+ case CKM_PBE_SHA1_RC4_128:
+ rv = pbe_PK11AlgidToParam(algid,mech);
+ if (rv != SECSuccess) {
+ PORT_Free(mech);
+ return NULL;
+ }
+ return mech;
+ default:
+ /* must be a simple case */
+ break;
+ }
+
+ /* simple cases are simpley Octect encoded IV's */
+ rv = SEC_ASN1DecodeItem(NULL, &iv, SEC_OctetStringTemplate,
+ &(algid->parameters));
+ if (rv != SECSuccess) {
+ iv.data = NULL;
+ iv.len = 0;
+ }
+
+ rv = SECSuccess;
+ switch (type) {
+ case CKM_RC4:
+ case CKM_AES_ECB:
+ case CKM_DES_ECB:
+ case CKM_DES3_ECB:
+ case CKM_IDEA_ECB:
+ case CKM_CDMF_ECB:
+ case CKM_CAST_ECB:
+ case CKM_CAST3_ECB:
+ case CKM_CAST5_ECB:
+ mech->data = NULL;
+ mech->len = 0;
+ break;
+ default:
+ if (pk11_lookup(type)->iv == 0) {
+ mech->data = NULL;
+ mech->len = 0;
+ break;
+ }
+ case CKM_AES_CBC:
+ case CKM_DES_CBC:
+ case CKM_DES3_CBC:
+ case CKM_IDEA_CBC:
+ case CKM_CDMF_CBC:
+ case CKM_CAST_CBC:
+ case CKM_CAST3_CBC:
+ case CKM_CAST5_CBC:
+ case CKM_AES_CBC_PAD:
+ case CKM_DES_CBC_PAD:
+ case CKM_DES3_CBC_PAD:
+ case CKM_IDEA_CBC_PAD:
+ case CKM_CDMF_CBC_PAD:
+ case CKM_CAST_CBC_PAD:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_CAST5_CBC_PAD:
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ case CKM_BATON_ECB128:
+ case CKM_BATON_ECB96:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ if (iv.data == NULL) {
+ rv = SECFailure;
+ break;
+ }
+ mech->data = (unsigned char*)PORT_Alloc(iv.len);
+ if (mech->data == NULL) {
+ rv = SECFailure;
+ break;
+ }
+ PORT_Memcpy(mech->data,iv.data,iv.len);
+ mech->len = iv.len;
+ break;
+ }
+ if (iv.data) PORT_Free(iv.data);
+ if (rv != SECSuccess) {
+ SECITEM_FreeItem(mech,PR_TRUE);
+ return NULL;
+ }
+ return mech;
+}
+
+SECStatus
+PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) {
+ CK_RV crv;
+
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session,data, (CK_ULONG)len);
+ PK11_ExitSlotMonitor(slot);
+ return (crv != CKR_OK) ? SECFailure : SECSuccess;
+}
+
+/* Attempts to update the Best Slot for "FAKE RANDOM" generation.
+** If that's not the internal slot, then it also attempts to update the
+** internal slot.
+** The return value indicates if the INTERNAL slot was updated OK.
+*/
+SECStatus
+PK11_RandomUpdate(void *data, size_t bytes)
+{
+ PK11SlotInfo *slot;
+ PRBool bestIsInternal;
+ SECStatus status;
+
+ slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL);
+ if (slot == NULL) {
+ slot = PK11_GetInternalSlot();
+ if (!slot)
+ return SECFailure;
+ }
+
+ bestIsInternal = PK11_IsInternal(slot);
+ status = PK11_SeedRandom(slot, data, bytes);
+ PK11_FreeSlot(slot);
+
+ if (!bestIsInternal) {
+ /* do internal slot, too. */
+ slot = PK11_GetInternalSlot(); /* can't fail */
+ status = PK11_SeedRandom(slot, data, bytes);
+ PK11_FreeSlot(slot);
+ }
+ return status;
+}
+
+
+SECStatus
+PK11_GenerateRandom(unsigned char *data,int len) {
+ PK11SlotInfo *slot;
+ CK_RV crv;
+
+ slot = PK11_GetBestSlot(CKM_FAKE_RANDOM,NULL);
+ if (slot == NULL) return SECFailure;
+
+ if (!slot->isInternal) PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session,data,
+ (CK_ULONG)len);
+ if (!slot->isInternal) PK11_ExitSlotMonitor(slot);
+ PK11_FreeSlot(slot);
+ return (crv != CKR_OK) ? SECFailure : SECSuccess;
+}
+
+/*
+ * Generate an IV for the given mechanism
+ */
+static SECStatus
+pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) {
+ int iv_size = PK11_GetIVLength(type);
+ SECStatus rv;
+
+ iv->len = iv_size;
+ if (iv_size == 0) {
+ iv->data = NULL;
+ return SECSuccess;
+ }
+
+ iv->data = (unsigned char *) PORT_Alloc(iv_size);
+ if (iv->data == NULL) {
+ iv->len = 0;
+ return SECFailure;
+ }
+
+ rv = PK11_GenerateRandom(iv->data,iv->len);
+ if (rv != SECSuccess) {
+ PORT_Free(iv->data);
+ iv->data = NULL; iv->len = 0;
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+
+/*
+ * create a new paramter block from the passed in MECHANISM and the
+ * key. Use Netscape's S/MIME Rules for the New param block.
+ */
+SECItem *
+PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) {
+ CK_RC2_CBC_PARAMS *rc2_params;
+ CK_RC2_PARAMS *rc2_ecb_params;
+ SECItem *mech;
+ SECItem iv;
+ SECStatus rv;
+
+
+ mech = (SECItem *) PORT_Alloc(sizeof(SECItem));
+ if (mech == NULL) return NULL;
+
+ rv = SECSuccess;
+ mech->type = siBuffer;
+ switch (type) {
+ case CKM_RC4:
+ case CKM_AES_ECB:
+ case CKM_DES_ECB:
+ case CKM_DES3_ECB:
+ case CKM_IDEA_ECB:
+ case CKM_CDMF_ECB:
+ case CKM_CAST_ECB:
+ case CKM_CAST3_ECB:
+ case CKM_CAST5_ECB:
+ mech->data = NULL;
+ mech->len = 0;
+ break;
+ case CKM_RC2_ECB:
+ rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS));
+ if (rc2_ecb_params == NULL) {
+ rv = SECFailure;
+ break;
+ }
+ /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
+ * or RC4 key. Of course that wouldn't happen here doing RC2:).*/
+ *rc2_ecb_params = PK11_GetKeyLength(key)*8;
+ mech->data = (unsigned char *) rc2_ecb_params;
+ mech->len = sizeof(CK_RC2_PARAMS);
+ break;
+ case CKM_RC2_CBC:
+ case CKM_RC2_CBC_PAD:
+ rv = pk11_GenIV(type,&iv);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS));
+ if (rc2_params == NULL) {
+ PORT_Free(iv.data);
+ rv = SECFailure;
+ break;
+ }
+ /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5,
+ * or RC4 key. Of course that wouldn't happen here doing RC2:).*/
+ rc2_params->ulEffectiveBits = PK11_GetKeyLength(key)*8;
+ if (iv.data)
+ PORT_Memcpy(rc2_params->iv,iv.data,sizeof(rc2_params->iv));
+ mech->data = (unsigned char *) rc2_params;
+ mech->len = sizeof(CK_RC2_CBC_PARAMS);
+ PORT_Free(iv.data);
+ break;
+ case CKM_RC5_ECB:
+ PORT_Free(mech);
+ return PK11_ParamFromIV(type,NULL);
+ case CKM_RC5_CBC:
+ case CKM_RC5_CBC_PAD:
+ rv = pk11_GenIV(type,&iv);
+ if (rv != SECSuccess) {
+ break;
+ }
+ PORT_Free(mech);
+ return PK11_ParamFromIV(type,&iv);
+ default:
+ if (pk11_lookup(type)->iv == 0) {
+ mech->data = NULL;
+ mech->len = 0;
+ break;
+ }
+ case CKM_AES_CBC:
+ case CKM_DES_CBC:
+ case CKM_DES3_CBC:
+ case CKM_IDEA_CBC:
+ case CKM_CDMF_CBC:
+ case CKM_CAST_CBC:
+ case CKM_CAST3_CBC:
+ case CKM_CAST5_CBC:
+ case CKM_DES_CBC_PAD:
+ case CKM_DES3_CBC_PAD:
+ case CKM_IDEA_CBC_PAD:
+ case CKM_CDMF_CBC_PAD:
+ case CKM_CAST_CBC_PAD:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_CAST5_CBC_PAD:
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ case CKM_BATON_ECB128:
+ case CKM_BATON_ECB96:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ rv = pk11_GenIV(type,&iv);
+ if (rv != SECSuccess) {
+ break;
+ }
+ mech->data = (unsigned char*)PORT_Alloc(iv.len);
+ if (mech->data == NULL) {
+ PORT_Free(iv.data);
+ rv = SECFailure;
+ break;
+ }
+ PORT_Memcpy(mech->data,iv.data,iv.len);
+ mech->len = iv.len;
+ PORT_Free(iv.data);
+ break;
+ }
+ if (rv != SECSuccess) {
+ SECITEM_FreeItem(mech,PR_TRUE);
+ return NULL;
+ }
+ return mech;
+
+}
+
+#define RC5_V10 0x10
+
+/* turn a PKCS #11 parameter into a DER Encoded Algorithm ID */
+SECStatus
+PK11_ParamToAlgid(SECOidTag algTag, SECItem *param,
+ PRArenaPool *arena, SECAlgorithmID *algid) {
+ CK_RC2_CBC_PARAMS *rc2_params;
+ sec_rc2cbcParameter rc2;
+ CK_RC5_CBC_PARAMS *rc5_params;
+ sec_rc5cbcParameter rc5;
+ CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(algTag);
+ SECItem *newParams = NULL;
+ SECStatus rv = SECFailure;
+ unsigned long rc2version;
+
+ rv = SECSuccess;
+ switch (type) {
+ case CKM_RC4:
+ case CKM_AES_ECB:
+ case CKM_DES_ECB:
+ case CKM_DES3_ECB:
+ case CKM_IDEA_ECB:
+ case CKM_CDMF_ECB:
+ case CKM_CAST_ECB:
+ case CKM_CAST3_ECB:
+ case CKM_CAST5_ECB:
+ newParams = NULL;
+ rv = SECSuccess;
+ break;
+ case CKM_RC2_ECB:
+ break;
+ case CKM_RC2_CBC:
+ case CKM_RC2_CBC_PAD:
+ rc2_params = (CK_RC2_CBC_PARAMS *)param->data;
+ rc2version = rc2_unmap(rc2_params->ulEffectiveBits);
+ if (SEC_ASN1EncodeUnsignedInteger (NULL, &(rc2.rc2ParameterVersion),
+ rc2version) == NULL)
+ break;
+ rc2.iv.data = rc2_params->iv;
+ rc2.iv.len = sizeof(rc2_params->iv);
+ newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc2,
+ sec_rc2cbc_parameter_template);
+ PORT_Free(rc2.rc2ParameterVersion.data);
+ if (newParams == NULL)
+ break;
+ rv = SECSuccess;
+ break;
+
+ case CKM_RC5_ECB: /* well not really... */
+ break;
+ case CKM_RC5_CBC:
+ case CKM_RC5_CBC_PAD:
+ rc5_params = (CK_RC5_CBC_PARAMS *)param->data;
+ if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.version, RC5_V10) == NULL)
+ break;
+ if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.blockSizeInBits,
+ rc5_params->ulWordsize*8) == NULL) {
+ PORT_Free(rc5.version.data);
+ break;
+ }
+ if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.rounds,
+ rc5_params->ulWordsize*8) == NULL) {
+ PORT_Free(rc5.blockSizeInBits.data);
+ PORT_Free(rc5.version.data);
+ break;
+ }
+ rc5.iv.data = rc5_params->pIv;
+ rc5.iv.len = rc5_params->ulIvLen;
+ newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc5,
+ sec_rc5cbc_parameter_template);
+ PORT_Free(rc5.version.data);
+ PORT_Free(rc5.blockSizeInBits.data);
+ PORT_Free(rc5.rounds.data);
+ if (newParams == NULL)
+ break;
+ rv = SECSuccess;
+ break;
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PBE_MD5_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+ case CKM_PBE_SHA1_RC2_128_CBC:
+ case CKM_PBE_SHA1_RC4_40:
+ case CKM_PBE_SHA1_RC4_128:
+ return PBE_PK11ParamToAlgid(algTag, param, arena, algid);
+ default:
+ if (pk11_lookup(type)->iv == 0) {
+ rv = SECSuccess;
+ newParams = NULL;
+ break;
+ }
+ case CKM_AES_CBC:
+ case CKM_DES_CBC:
+ case CKM_DES3_CBC:
+ case CKM_IDEA_CBC:
+ case CKM_CDMF_CBC:
+ case CKM_CAST_CBC:
+ case CKM_CAST3_CBC:
+ case CKM_CAST5_CBC:
+ case CKM_DES_CBC_PAD:
+ case CKM_DES3_CBC_PAD:
+ case CKM_IDEA_CBC_PAD:
+ case CKM_CDMF_CBC_PAD:
+ case CKM_CAST_CBC_PAD:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_CAST5_CBC_PAD:
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ case CKM_BATON_ECB128:
+ case CKM_BATON_ECB96:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ newParams = SEC_ASN1EncodeItem(NULL,NULL,param,
+ SEC_OctetStringTemplate);
+ rv = SECSuccess;
+ break;
+ }
+
+ if (rv != SECSuccess) {
+ if (newParams) SECITEM_FreeItem(newParams,PR_TRUE);
+ return rv;
+ }
+
+ rv = SECOID_SetAlgorithmID(arena, algid, algTag, newParams);
+ SECITEM_FreeItem(newParams,PR_TRUE);
+ return rv;
+}
+
+/* turn an OID algorithm tag into a PKCS #11 mechanism. This allows us to
+ * map OID's directly into the PKCS #11 mechanism we want to call. We find
+ * this mapping in our standard OID table */
+CK_MECHANISM_TYPE
+PK11_AlgtagToMechanism(SECOidTag algTag) {
+ SECOidData *oid = SECOID_FindOIDByTag(algTag);
+
+ if (oid) return (CK_MECHANISM_TYPE) oid->mechanism;
+ return CKM_INVALID_MECHANISM;
+}
+
+/* turn a mechanism into an oid. */
+SECOidTag
+PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type) {
+ SECOidData *oid = SECOID_FindOIDByMechanism((unsigned long)type);
+
+ if (oid) return oid->offset;
+ return SEC_OID_UNKNOWN;
+}
+
+/* Determine appropriate blocking mechanism, used when wrapping private keys
+ * which require PKCS padding. If the mechanism does not map to a padding
+ * mechanism, we simply return the mechanism.
+ */
+CK_MECHANISM_TYPE
+PK11_GetPadMechanism(CK_MECHANISM_TYPE type) {
+ switch(type) {
+ case CKM_AES_CBC:
+ return CKM_AES_CBC_PAD;
+ case CKM_DES_CBC:
+ return CKM_DES_CBC_PAD;
+ case CKM_DES3_CBC:
+ return CKM_DES3_CBC_PAD;
+ case CKM_RC2_CBC:
+ return CKM_RC2_CBC_PAD;
+ case CKM_CDMF_CBC:
+ return CKM_CDMF_CBC_PAD;
+ case CKM_CAST_CBC:
+ return CKM_CAST_CBC_PAD;
+ case CKM_CAST3_CBC:
+ return CKM_CAST3_CBC_PAD;
+ case CKM_CAST5_CBC:
+ return CKM_CAST5_CBC_PAD;
+ case CKM_RC5_CBC:
+ return CKM_RC5_CBC_PAD;
+ case CKM_IDEA_CBC:
+ return CKM_IDEA_CBC_PAD;
+ default:
+ break;
+ }
+
+ return type;
+}
+
+/*
+ * Build a block big enough to hold the data
+ */
+SECItem *
+PK11_BlockData(SECItem *data,unsigned long size) {
+ SECItem *newData;
+
+ newData = (SECItem *)PORT_Alloc(sizeof(SECItem));
+ if (newData == NULL) return NULL;
+
+ newData->len = (data->len + (size-1))/size;
+ newData->len *= size;
+
+ newData->data = (unsigned char *) PORT_ZAlloc(newData->len);
+ if (newData->data == NULL) {
+ PORT_Free(newData);
+ return NULL;
+ }
+ PORT_Memset(newData->data,newData->len-data->len,newData->len);
+ PORT_Memcpy(newData->data,data->data,data->len);
+ return newData;
+}
+
+
+SECStatus
+PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
+ CK_RV crv;
+
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_DestroyObject(slot->session,object);
+ PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+SECStatus
+PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) {
+ CK_RV crv;
+ SECStatus rv = SECSuccess;
+ CK_SESSION_HANDLE rwsession;
+
+
+ rwsession = PK11_GetRWSession(slot);
+
+ crv = PK11_GETTAB(slot)->C_DestroyObject(rwsession,object);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ PORT_SetError(PK11_MapError(crv));
+ }
+ PK11_RestoreROSession(slot,rwsession);
+ return rv;
+}
+
+/*
+ * Read in a single attribute into a SECItem. Allocate space for it with
+ * PORT_Alloc unless an arena is supplied. In the latter case use the arena
+ * to allocate the space.
+ */
+SECStatus
+PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result) {
+ CK_ATTRIBUTE attr = { 0, NULL, 0 };
+ CK_RV crv;
+
+ attr.type = type;
+
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
+ if (crv != CKR_OK) {
+ PK11_ExitSlotMonitor(slot);
+ PORT_SetError(PK11_MapError(crv));
+ return SECFailure;
+ }
+ if (arena) {
+ attr.pValue = PORT_ArenaAlloc(arena,attr.ulValueLen);
+ } else {
+ attr.pValue = PORT_Alloc(attr.ulValueLen);
+ }
+ if (attr.pValue == NULL) return SECFailure;
+ crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
+ PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ if (!arena) PORT_Free(attr.pValue);
+ return SECFailure;
+ }
+
+ result->data = (unsigned char*)attr.pValue;
+ result->len = attr.ulValueLen;
+
+ return SECSuccess;
+}
+
+/*
+ * Read in a single attribute into As a Ulong.
+ */
+CK_ULONG
+PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE type) {
+ CK_ATTRIBUTE attr;
+ CK_ULONG value = CK_UNAVAILABLE_INFORMATION;
+ CK_RV crv;
+
+ PK11_SETATTRS(&attr,type,&value,sizeof(value));
+
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1);
+ PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ }
+ return value;
+}
+
+/*
+ * check to see if a bool has been set.
+ */
+CK_BBOOL
+PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE type )
+{
+ CK_BBOOL ckvalue = CK_FALSE;
+ CK_ATTRIBUTE theTemplate;
+ CK_RV crv;
+
+ /* Prepare to retrieve the attribute. */
+ PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) );
+
+ /* Retrieve attribute value. */
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id,
+ &theTemplate, 1 );
+ PK11_ExitSlotMonitor(slot);
+ if( crv != CKR_OK ) {
+ PORT_SetError( PK11_MapError( crv ) );
+ return CK_FALSE;
+ }
+
+ return ckvalue;
+}
+
+/*
+ * returns a full list of attributes. Allocate space for them. If an arena is
+ * provided, allocate space out of the arena.
+ */
+CK_RV
+PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot,
+ CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count)
+{
+ int i;
+ /* make pedantic happy... note that it's only used arena != NULL */
+ void *mark = NULL;
+ CK_RV crv;
+
+ /*
+ * first get all the lengths of the parameters.
+ */
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
+ if (crv != CKR_OK) {
+ PK11_ExitSlotMonitor(slot);
+ return crv;
+ }
+
+ if (arena) {
+ mark = PORT_ArenaMark(arena);
+ if (mark == NULL) return CKR_HOST_MEMORY;
+ }
+
+ /*
+ * now allocate space to store the results.
+ */
+ for (i=0; i < count; i++) {
+ if (arena) {
+ attr[i].pValue = PORT_ArenaAlloc(arena,attr[i].ulValueLen);
+ if (attr[i].pValue == NULL) {
+ /* arena failures, just release the mark */
+ PORT_ArenaRelease(arena,mark);
+ PK11_ExitSlotMonitor(slot);
+ return CKR_HOST_MEMORY;
+ }
+ } else {
+ attr[i].pValue = PORT_Alloc(attr[i].ulValueLen);
+ if (attr[i].pValue == NULL) {
+ /* Separate malloc failures, loop to release what we have
+ * so far */
+ int j;
+ for (j= 0; j < i; j++) {
+ PORT_Free(attr[j].pValue);
+ /* don't give the caller pointers to freed memory */
+ attr[j].pValue = NULL;
+ }
+ PK11_ExitSlotMonitor(slot);
+ return CKR_HOST_MEMORY;
+ }
+ }
+ }
+
+ /*
+ * finally get the results.
+ */
+ crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count);
+ PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ if (arena) {
+ PORT_ArenaRelease(arena,mark);
+ } else {
+ for (i= 0; i < count; i++) {
+ PORT_Free(attr[i].pValue);
+ /* don't give the caller pointers to freed memory */
+ attr[i].pValue = NULL;
+ }
+ }
+ } else if (arena && mark) {
+ PORT_ArenaUnmark(arena,mark);
+ }
+ return crv;
+}
+
+/*
+ * Reset the token to it's initial state. For the internal module, this will
+ * Purge your keydb, and reset your cert db certs to USER_INIT.
+ */
+SECStatus
+PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd)
+{
+ unsigned char tokenName[32];
+ int tokenNameLen;
+ CK_RV crv;
+
+ /* reconstruct the token name */
+ tokenNameLen = PORT_Strlen(slot->token_name);
+ if (tokenNameLen > sizeof(tokenName)) {
+ tokenNameLen = sizeof(tokenName);
+ }
+
+ PORT_Memcpy(tokenName,slot->token_name,tokenNameLen);
+ if (tokenNameLen < sizeof(tokenName)) {
+ PORT_Memset(&tokenName[tokenNameLen],' ',
+ sizeof(tokenName)-tokenNameLen);
+ }
+
+ /* initialize the token */
+ PK11_EnterSlotMonitor(slot);
+
+ /* first shutdown the token. Existing sessions will get closed here */
+ PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
+ slot->session = CK_INVALID_SESSION;
+
+ /* now re-init the token */
+ crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID,
+ (unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd): 0, tokenName);
+
+ /* finally bring the token back up */
+ PK11_InitToken(slot,PR_TRUE);
+ PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+static PRBool
+pk11_isAllZero(unsigned char *data,int len) {
+ while (len--) {
+ if (*data++) {
+ return PR_FALSE;
+ }
+ }
+ return PR_TRUE;
+}
+
+CK_RV
+PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism,
+ CK_MECHANISM_PTR pCryptoMechanism,
+ SECItem *pbe_pwd, PRBool faulty3DES)
+{
+ int iv_len = 0;
+ CK_PBE_PARAMS_PTR pPBEparams;
+ CK_RC2_CBC_PARAMS_PTR rc2_params;
+ CK_ULONG rc2_key_len;
+
+ if((pPBEMechanism == CK_NULL_PTR) || (pCryptoMechanism == CK_NULL_PTR)) {
+ return CKR_HOST_MEMORY;
+ }
+
+ pPBEparams = (CK_PBE_PARAMS_PTR)pPBEMechanism->pParameter;
+ iv_len = PK11_GetIVLength(pPBEMechanism->mechanism);
+
+ if (iv_len) {
+ if (pk11_isAllZero(pPBEparams->pInitVector,iv_len)) {
+ SECItem param;
+ PK11SymKey *symKey;
+ PK11SlotInfo *intSlot = PK11_GetInternalSlot();
+
+ if (intSlot == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+
+ param.data = pPBEMechanism->pParameter;
+ param.len = pPBEMechanism->ulParameterLen;
+
+ symKey = PK11_RawPBEKeyGen(intSlot,
+ pPBEMechanism->mechanism, &param, pbe_pwd, faulty3DES, NULL);
+ PK11_FreeSlot(intSlot);
+ if (symKey== NULL) {
+ return CKR_DEVICE_ERROR; /* sigh */
+ }
+ PK11_FreeSymKey(symKey);
+ }
+ }
+
+ switch(pPBEMechanism->mechanism) {
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PBE_MD5_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_DES_CBC:
+ pCryptoMechanism->mechanism = CKM_DES_CBC;
+ goto have_crypto_mechanism;
+ case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC:
+ case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC:
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ pCryptoMechanism->mechanism = CKM_DES3_CBC;
+have_crypto_mechanism:
+ pCryptoMechanism->pParameter = PORT_Alloc(iv_len);
+ pCryptoMechanism->ulParameterLen = (CK_ULONG)iv_len;
+ if(pCryptoMechanism->pParameter == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ PORT_Memcpy((unsigned char *)(pCryptoMechanism->pParameter),
+ (unsigned char *)(pPBEparams->pInitVector),
+ iv_len);
+ break;
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4:
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4:
+ case CKM_PBE_SHA1_RC4_40:
+ case CKM_PBE_SHA1_RC4_128:
+ pCryptoMechanism->mechanism = CKM_RC4;
+ pCryptoMechanism->ulParameterLen = 0;
+ pCryptoMechanism->pParameter = CK_NULL_PTR;
+ break;
+ case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+ rc2_key_len = 40;
+ goto have_key_len;
+ case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC:
+ rc2_key_len = 128;
+have_key_len:
+ pCryptoMechanism->mechanism = CKM_RC2_CBC;
+ pCryptoMechanism->ulParameterLen = (CK_ULONG)
+ sizeof(CK_RC2_CBC_PARAMS);
+ pCryptoMechanism->pParameter = (CK_RC2_CBC_PARAMS_PTR)
+ PORT_ZAlloc(sizeof(CK_RC2_CBC_PARAMS));
+ if(pCryptoMechanism->pParameter == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rc2_params = (CK_RC2_CBC_PARAMS_PTR)pCryptoMechanism->pParameter;
+ PORT_Memcpy((unsigned char *)rc2_params->iv,
+ (unsigned char *)pPBEparams->pInitVector,
+ iv_len);
+ rc2_params->ulEffectiveBits = rc2_key_len;
+ break;
+ default:
+ return CKR_MECHANISM_INVALID;
+ }
+
+ return CKR_OK;
+}
+
+PRBool
+PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle)
+{
+ return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN);
+}
+
+char *
+PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id)
+{
+ char *nickname = NULL;
+ SECItem result;
+ SECStatus rv;
+
+ rv = PK11_ReadAttribute(slot,id,CKA_LABEL,NULL,&result);
+ if (rv != SECSuccess) {
+ return NULL;
+ }
+
+ nickname = PORT_ZAlloc(result.len+1);
+ if (nickname == NULL) {
+ PORT_Free(result.data);
+ return NULL;
+ }
+ PORT_Memcpy(nickname, result.data, result.len);
+ PORT_Free(result.data);
+ return nickname;
+}
+
+SECStatus
+PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+ const char *nickname)
+{
+ int len = PORT_Strlen(nickname);
+ CK_ATTRIBUTE setTemplate;
+ CK_RV crv;
+ CK_SESSION_HANDLE rwsession;
+
+ if (len < 0) {
+ return SECFailure;
+ }
+
+ PK11_SETATTRS(&setTemplate, CKA_LABEL, (CK_CHAR *) nickname, len);
+ rwsession = PK11_GetRWSession(slot);
+ crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, id,
+ &setTemplate, 1);
+ PK11_RestoreROSession(slot, rwsession);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+/*
+ * wait for a token to change it's state. The application passes in the expected
+ * new state in event.
+ */
+PK11TokenStatus
+PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
+ PRIntervalTime timeout, PRIntervalTime latency, int series)
+{
+ PRIntervalTime first_time = 0;
+ PRBool first_time_set = PR_FALSE;
+ PRBool waitForRemoval;
+
+ if (slot->isPerm) {
+ return PK11TokenNotRemovable;
+ }
+ if (latency == 0) {
+ latency = PR_SecondsToInterval(5);
+ }
+ waitForRemoval = (PRBool) (event == PK11TokenRemovedOrChangedEvent);
+
+ if (series == 0) {
+ series = PK11_GetSlotSeries(slot);
+ }
+ while (PK11_IsPresent(slot) == waitForRemoval ) {
+ PRIntervalTime interval;
+
+ if (waitForRemoval && series != PK11_GetSlotSeries(slot)) {
+ return PK11TokenChanged;
+ }
+ if (timeout == PR_INTERVAL_NO_WAIT) {
+ return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
+ }
+ if (timeout == PR_INTERVAL_NO_TIMEOUT ) {
+ interval = PR_IntervalNow();
+ if (!first_time_set) {
+ first_time = interval;
+ first_time_set = PR_TRUE;
+ }
+ if ((interval-first_time) > timeout) {
+ return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
+ }
+ }
+ PR_Sleep(latency);
+ }
+ return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent;
+}
+
diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h
new file mode 100644
index 000000000..919d3bca3
--- /dev/null
+++ b/security/nss/lib/pk11wrap/secmodt.h
@@ -0,0 +1,263 @@
+/*
+ * The contents of this file are subject to the Mozilla Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation. Portions created by Netscape are
+ * Copyright (C) 1994-2000 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the
+ * terms of the GNU General Public License Version 2 or later (the
+ * "GPL"), in which case the provisions of the GPL are applicable
+ * instead of those above. If you wish to allow use of your
+ * version of this file only under the terms of the GPL and not to
+ * allow others to use your version of this file under the MPL,
+ * indicate your decision by deleting the provisions above and
+ * replace them with the notice and other provisions required by
+ * the GPL. If you do not delete the provisions above, a recipient
+ * may use your version of this file under either the MPL or the
+ * GPL.
+ *
+ * Definition of Security Module Data Structure. There is a separate data
+ * structure for each loaded PKCS #11 module.
+ */
+#ifndef _SECMODT_H_
+#define _SECMODT_H_ 1
+
+#include "secoid.h"
+#include "secasn1.h"
+
+/* find a better home for these... */
+extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
+extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
+extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
+
+/* PKCS11 needs to be included */
+typedef struct SECMODModuleStr SECMODModule;
+typedef struct SECMODModuleListStr SECMODModuleList;
+typedef struct SECMODListLockStr SECMODListLock; /* defined in secmodi.h */
+typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */
+typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */
+typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */
+typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */
+typedef struct PK11SlotListStr PK11SlotList;
+typedef struct PK11SlotListElementStr PK11SlotListElement;
+typedef struct PK11RSAGenParamsStr PK11RSAGenParams;
+typedef unsigned long SECMODModuleID;
+typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry;
+
+struct SECMODModuleStr {
+ PRArenaPool *arena;
+ PRBool internal; /* true of internally linked modules, false
+ * for the loaded modules */
+ PRBool loaded; /* Set to true if module has been loaded */
+ PRBool isFIPS; /* Set to true if module is finst internal */
+ char *dllName; /* name of the shared library which implements
+ * this module */
+ char *commonName; /* name of the module to display to the user */
+ void *library; /* pointer to the library. opaque. used only by
+ * pk11load.c */
+ void *functionList; /* The PKCS #11 function table */
+ void *refLock; /* only used pk11db.c */
+ int refCount; /* Module reference count */
+ PK11SlotInfo **slots; /* array of slot points attatched to this mod*/
+ int slotCount; /* count of slot in above array */
+ PK11PreSlotInfo *slotInfo; /* special info about slots default settings */
+ int slotInfoCount; /* count */
+ SECMODModuleID moduleID; /* ID so we can find this module again */
+ PRBool isThreadSafe;
+ unsigned long ssl[2]; /* SSL cipher enable flags */
+ char *libraryParams; /* Module specific parameters */
+ void *moduleDBFunc; /* function to return module configuration data*/
+ SECMODModule *parent; /* module that loaded us */
+ PRBool isCritical; /* This module must load successfully */
+ PRBool isModuleDB; /* this module has lists of PKCS #11 modules */
+ PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */
+ int trustOrder; /* order for this module's certificate trust rollup */
+ int cipherOrder; /* order for cipher operations */
+};
+
+struct SECMODModuleListStr {
+ SECMODModuleList *next;
+ SECMODModule *module;
+};
+
+struct PK11SlotListStr {
+ PK11SlotListElement *head;
+ PK11SlotListElement *tail;
+ void *lock;
+};
+
+struct PK11SlotListElementStr {
+ PK11SlotListElement *next;
+ PK11SlotListElement *prev;
+ PK11SlotInfo *slot;
+ int refCount;
+};
+
+struct PK11RSAGenParamsStr {
+ int keySizeInBits;
+ unsigned long pe;
+};
+
+typedef enum {
+ PK11CertListUnique = 0,
+ PK11CertListUser = 1,
+ PK11CertListRootUnique = 2,
+ PK11CertListCA = 3
+} PK11CertListType;
+
+/*
+ * Entry into the Array which lists all the legal bits for the default flags
+ * in the slot, their definition, and the PKCS #11 mechanism the represent
+ * Always Statically allocated.
+ */
+struct PK11DefaultArrayEntryStr {
+ char *name;
+ unsigned long flag;
+ unsigned long mechanism; /* this is a long so we don't include the
+ * whole pkcs 11 world to use this header */
+};
+
+
+#define SECMOD_RSA_FLAG 0x00000001L
+#define SECMOD_DSA_FLAG 0x00000002L
+#define SECMOD_RC2_FLAG 0x00000004L
+#define SECMOD_RC4_FLAG 0x00000008L
+#define SECMOD_DES_FLAG 0x00000010L
+#define SECMOD_DH_FLAG 0x00000020L
+#define SECMOD_FORTEZZA_FLAG 0x00000040L
+#define SECMOD_RC5_FLAG 0x00000080L
+#define SECMOD_SHA1_FLAG 0x00000100L
+#define SECMOD_MD5_FLAG 0x00000200L
+#define SECMOD_MD2_FLAG 0x00000400L
+#define SECMOD_SSL_FLAG 0x00000800L
+#define SECMOD_TLS_FLAG 0x00001000L
+#define SECMOD_AES_FLAG 0x00002000L
+/* reserved bit for future, do not use */
+#define SECMOD_RESERVED_FLAG 0X08000000L
+#define SECMOD_FRIENDLY_FLAG 0x10000000L
+#define SECMOD_RANDOM_FLAG 0x80000000L
+
+/* need to make SECMOD and PK11 prefixes consistant. */
+#define PK11_OWN_PW_DEFAULTS 0x20000000L
+#define PK11_DISABLE_FLAG 0x40000000L
+
+/* FAKE PKCS #11 defines */
+#define CKM_FAKE_RANDOM 0x80000efeL
+#define CKM_INVALID_MECHANISM 0xffffffffL
+#define CKA_DIGEST 0x81000000L
+
+/* Cryptographic module types */
+#define SECMOD_EXTERNAL 0 /* external module */
+#define SECMOD_INTERNAL 1 /* internal default module */
+#define SECMOD_FIPS 2 /* internal fips module */
+
+/* default module configuration strings */
+#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES]"
+
+#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \
+"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})"
+
+#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module"
+#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1)
+#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module"
+#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3)
+
+
+/*
+ * What is the origin of a given Key. Normally this doesn't matter, but
+ * the fortezza code needs to know if it needs to invoke the SSL3 fortezza
+ * hack.
+ */
+typedef enum {
+ PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */
+ PK11_OriginDerive = 1, /* Key was derived from some other key */
+ PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */
+ PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */
+ PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */
+} PK11Origin;
+
+/* PKCS #11 disable reasons */
+typedef enum {
+ PK11_DIS_NONE = 0,
+ PK11_DIS_USER_SELECTED = 1,
+ PK11_DIS_COULD_NOT_INIT_TOKEN = 2,
+ PK11_DIS_TOKEN_VERIFY_FAILED = 3,
+ PK11_DIS_TOKEN_NOT_PRESENT = 4
+} PK11DisableReasons;
+
+/* function pointer type for password callback function.
+ * This type is passed in to PK11_SetPasswordFunc()
+ */
+typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg);
+typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg);
+typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg);
+
+/*
+ * PKCS #11 key structures
+ */
+
+/*
+** Attributes
+*/
+struct SECKEYAttributeStr {
+ SECItem attrType;
+ SECItem **attrValue;
+};
+typedef struct SECKEYAttributeStr SECKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECItem version;
+ SECAlgorithmID algorithm;
+ SECItem privateKey;
+ SECKEYAttribute **attributes;
+};
+typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct SECKEYEncryptedPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem encryptedData;
+};
+typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo;
+
+/*
+ * token removal detection
+ */
+typedef enum {
+ PK11TokenNotRemovable = 0,
+ PK11TokenPresent = 1,
+ PK11TokenChanged = 2,
+ PK11TokenRemoved = 3
+} PK11TokenStatus;
+
+typedef enum {
+ PK11TokenRemovedOrChangedEvent = 0,
+ PK11TokenPresentEvent = 1
+} PK11TokenEvent;
+
+#endif /*_SECMODT_H_ */
View Lorry Controller Status