diff options
author | cvs2hg <devnull@localhost> | 2002-12-11 17:56:50 +0000 |
---|---|---|
committer | cvs2hg <devnull@localhost> | 2002-12-11 17:56:50 +0000 |
commit | 012e2d2eb9c759904b8ae0702acff9723ef3ac61 (patch) | |
tree | 158a48a42a36bd8b20577c32978c57e179d8dbd3 | |
parent | 27160a588f621e0487ab0d0884d094c5255cbcfb (diff) | |
download | nss-hg-012e2d2eb9c759904b8ae0702acff9723ef3ac61.tar.gz |
fixup commit for branch 'NSS_3_7_BRANCH'
-rw-r--r-- | security/nss/lib/nss/nss.def | 728 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11func.h | 614 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/pk11slot.c | 4656 | ||||
-rw-r--r-- | security/nss/lib/pk11wrap/secmodt.h | 263 |
4 files changed, 6261 insertions, 0 deletions
diff --git a/security/nss/lib/nss/nss.def b/security/nss/lib/nss/nss.def new file mode 100644 index 000000000..0bc28e972 --- /dev/null +++ b/security/nss/lib/nss/nss.def @@ -0,0 +1,728 @@ +;+# +;+# The contents of this file are subject to the Mozilla Public +;+# License Version 1.1 (the "License"); you may not use this file +;+# except in compliance with the License. You may obtain a copy of +;+# the License at http://www.mozilla.org/MPL/ +;+# +;+# Software distributed under the License is distributed on an "AS +;+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +;+# implied. See the License for the specific language governing +;+# rights and limitations under the License. +;+# +;+# The Original Code is the Netscape security libraries. +;+# +;+# The Initial Developer of the Original Code is Netscape +;+# Communications Corporation. Portions created by Netscape are +;+# Copyright (C) 2000 Netscape Communications Corporation. All +;+# Rights Reserved. +;+# +;+# Contributor(s): +;+# Dr Stephen Henson <stephen.henson@gemplus.com> +;+# +;+# Alternatively, the contents of this file may be used under the +;+# terms of the GNU General Public License Version 2 or later (the +;+# "GPL"), in which case the provisions of the GPL are applicable +;+# instead of those above. If you wish to allow use of your +;+# version of this file only under the terms of the GPL and not to +;+# allow others to use your version of this file under the MPL, +;+# indicate your decision by deleting the provisions above and +;+# replace them with the notice and other provisions required by +;+# the GPL. If you do not delete the provisions above, a recipient +;+# may use your version of this file under either the MPL or the +;+# GPL. +;+# +;+# +;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS +;+# 1. For all unix platforms, the string ";-" means "remove this line" +;+# 2. For all unix platforms, the string " DATA " will be removed from any +;+# line on which it occurs. +;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX. +;+# On AIX, lines containing ";+" will be removed. +;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed. +;+# 5. For all unix platforms, after the above processing has taken place, +;+# all characters after the first ";" on the line will be removed. +;+# And for AIX, the first ";" will also be removed. +;+# This file is passed directly to windows. Since ';' is a comment, all UNIX +;+# directives are hidden behind ";", ";+", and ";-" +;+NSS_3.2 { # NSS 3.2 release +;+ global: +LIBRARY nss3 ;- +EXPORTS ;- +ATOB_AsciiToData; +BTOA_ConvertItemToAscii; +BTOA_DataToAscii; +CERT_AsciiToName; +CERT_CertTimesValid; +CERT_CheckCertValidTimes; +CERT_CreateCertificateRequest; +CERT_ChangeCertTrust; +CERT_DecodeDERCrl; +CERT_DestroyCertificateRequest; +CERT_DestroyCertList; +CERT_DestroyName; +CERT_EnableOCSPChecking; +CERT_FormatName; +CERT_DestroyCertificate; +CERT_DupCertificate; +CERT_FreeDistNames; +CERT_FreeNicknames; +CERT_GetAVATag; +CERT_GetCertEmailAddress; +CERT_GetCertNicknames; +CERT_GetCertIssuerAndSN; +CERT_GetCertTrust; +CERT_GetCertUid; +CERT_GetCommonName; +CERT_GetCountryName; +CERT_GetDBContentVersion; +CERT_GetDefaultCertDB; +CERT_GetDomainComponentName; +CERT_GetLocalityName; +CERT_GetOrgName; +CERT_GetOrgUnitName; +CERT_GetSSLCACerts; +CERT_GetSlopTime; +CERT_GetStateName; +CERT_ImportCAChain; +CERT_NameToAscii; +CERT_RFC1485_EscapeAndQuote; +CERT_SetSlopTime; +CERT_VerifyCertName; +CERT_VerifyCertNow; +DER_UTCDayToAscii; +DER_UTCTimeToAscii; +DER_GeneralizedTimeToTime; +NSS_Init; +NSS_Initialize; +NSS_InitReadWrite; +NSS_NoDB_Init; +NSS_Shutdown; +NSS_VersionCheck; +PK11_Authenticate; +PK11_ChangePW; +PK11_CheckUserPassword; +PK11_CipherOp; +PK11_CloneContext; +PK11_ConfigurePKCS11; +PK11_CreateContextBySymKey; +PK11_CreateDigestContext; +PK11_DestroyContext; +PK11_DestroyTokenObject; +PK11_DigestBegin; +PK11_DigestOp; +PK11_DigestFinal; +PK11_DoesMechanism; +PK11_FindCertFromNickname; +PK11_FindCertFromDERCert; +PK11_FindCertByIssuerAndSN; +PK11_FindKeyByAnyCert; +PK11_FindKeyByDERCert; +PK11_FindSlotByName; +PK11_Finalize; +PK11_FortezzaHasKEA; +PK11_FreeSlot; +PK11_FreeSlotList; +PK11_FreeSymKey; +PK11_GenerateKeyPair; +PK11_GenerateRandom; +PK11_GenerateNewParam; +PK11_GetAllTokens; +PK11_GetBlockSize; +PK11_GetFirstSafe; +PK11_GetInternalKeySlot; +PK11_GetInternalSlot; +PK11_GetSlotName; +PK11_GetTokenName; +PK11_HashBuf; +PK11_IsFIPS; +PK11_IsFriendly; +PK11_IsInternal; +PK11_IsHW; +PK11_IsPresent; +PK11_IsReadOnly; +PK11_KeyGen; +PK11_ListCerts; +PK11_NeedLogin; +PK11_RandomUpdate; +PK11_SetPasswordFunc; +PK11_SetSlotPWValues; +PORT_Alloc; +PORT_Free; +PORT_GetError; +PORT_SetError; +PORT_SetUCS4_UTF8ConversionFunction; +PORT_SetUCS2_UTF8ConversionFunction; +PORT_SetUCS2_ASCIIConversionFunction; +SECITEM_CopyItem; +SECITEM_DupItem; +SECITEM_FreeItem; +SECITEM_ZfreeItem; +SECKEY_ConvertToPublicKey; +SECKEY_CopyPrivateKey; +SECKEY_CreateSubjectPublicKeyInfo; +SECKEY_DestroyPrivateKey; +SECKEY_DestroySubjectPublicKeyInfo; +SECMOD_IsModulePresent; +SECOID_FindOIDTagDescription; +SECOID_GetAlgorithmTag; +SEC_DeletePermCertificate; +SEC_DeletePermCRL; +SEC_DerSignData; +SEC_DestroyCrl; +SEC_FindCrlByDERCert; +SEC_FindCrlByName; +SEC_LookupCrls; +SEC_NewCrl; +;+# +;+# The following symbols are exported only to make libssl3.so work. +;+# These are still private!!! +;+# +__CERT_NewTempCertificate; +__PK11_CreateContextByRawKey; +__PK11_GetKeyData; +__nss_InitLock; +CERT_CertChainFromCert; +CERT_DestroyCertificateList; +CERT_DupCertList; +CERT_ExtractPublicKey; +CERT_FindCertByName; +DER_Lengths; +DSAU_DecodeDerSig; +DSAU_EncodeDerSig; +HASH_GetHashObject; +NSSRWLock_Destroy; +NSSRWLock_HaveWriteLock; +NSSRWLock_LockRead; +NSSRWLock_LockWrite; +NSSRWLock_New; +NSSRWLock_UnlockRead; +NSSRWLock_UnlockWrite; +NSS_PutEnv; +PK11_Derive; +PK11_DeriveWithFlags; +PK11_DigestKey; +PK11_FindBestKEAMatch; +PK11_FindFixedKey; +PK11_GenerateFortezzaIV; +PK11_GetBestKeyLength; +PK11_GetBestSlot; +PK11_GetBestSlotMultiple; +PK11_GetBestWrapMechanism; +PK11_GetCurrentWrapIndex; +PK11_GetMechanism; +PK11_GetModuleID; +PK11_GetPrivateModulusLen; +PK11_GetSlotFromKey; +PK11_GetSlotFromPrivateKey; +PK11_GetSlotID; +PK11_GetSlotSeries; +PK11_GetTokenInfo; +PK11_GetWindow; +PK11_GetWrapKey; +PK11_IVFromParam; +PK11_MakeKEAPubKey; +PK11_ParamFromIV; +PK11_PubDecryptRaw; +PK11_PubDerive; +PK11_PubEncryptRaw; +PK11_PubUnwrapSymKey; +PK11_PubWrapSymKey; +PK11_ReferenceSymKey; +PK11_RestoreContext; +PK11_SaveContext; +PK11_SetFortezzaHack; +PK11_SetWrapKey; +PK11_Sign; +PK11_SignatureLen; +PK11_SymKeyFromHandle; +PK11_TokenExists; +PK11_UnwrapSymKey; +PK11_UnwrapSymKeyWithFlags; +PK11_Verify; +PK11_VerifyKeyOK; +PK11_WrapSymKey; +PORT_ArenaAlloc; +PORT_ArenaZAlloc; +PORT_FreeArena; +PORT_NewArena; +PORT_Realloc; +PORT_ZAlloc; +PORT_ZFree; +RSA_FormatBlock; +SECITEM_CompareItem; +SECKEY_CreateRSAPrivateKey; +SECKEY_DestroyPublicKey; +SECKEY_PublicKeyStrength; +SECKEY_UpdateCertPQG; +SECMOD_LookupSlot; +SGN_Begin; +SGN_DestroyContext; +SGN_End; +SGN_NewContext; +SGN_Update; +VFY_Begin; +VFY_CreateContext; +VFY_DestroyContext; +VFY_End; +VFY_Update; +;+# +;+# The following symbols are exported only to make libsmime3.so work. +;+# These are still private!!! +;+# +__CERT_ClosePermCertDB; +__CERT_DecodeDERCertificate; +__CERT_TraversePermCertsForNickname; +__CERT_TraversePermCertsForSubject; +__PBE_CreateContext; +__PBE_DestroyContext; +__PBE_GenerateBits; +ATOB_ConvertAsciiToItem; +CERT_AddCertToListTail; +CERT_CertListFromCert; +CERT_DestroyCertArray; +CERT_FindCertByDERCert; +CERT_FindCertByIssuerAndSN; +CERT_FindSMimeProfile; +CERT_ImportCerts; +CERT_NewCertList; +CERT_OpenCertDBFilename; +CERT_SaveSMimeProfile; +CERT_VerifyCert; +DER_GetInteger; +DER_TimeToUTCTime; +DER_UTCTimeToTime; +PK11_AlgtagToMechanism; +PK11_BlockData; +PK11_CreatePBEAlgorithmID; +PK11_DestroyObject; +PK11_ExportEncryptedPrivateKeyInfo; +PK11_ExportPrivateKeyInfo; +PK11_FindCertAndKeyByRecipientList; +PK11_FindCertAndKeyByRecipientListNew; +PK11_FindCertInSlot; +PK11_FindPrivateKeyFromCert; +PK11_FortezzaMapSig; +PK11_GetKeyLength; +PK11_GetKeyStrength; +PK11_ImportCertForKeyToSlot; +PK11_ImportEncryptedPrivateKeyInfo; +PK11_ImportPrivateKeyInfo; +PK11_MapPBEMechanismToCryptoMechanism; +PK11_PBEKeyGen; +PK11_ParamFromAlgid; +PK11_ParamToAlgid; +PK11_TraverseCertsForNicknameInSlot; +PK11_TraverseCertsForSubjectInSlot; +PORT_ArenaGrow; +PORT_ArenaMark; +PORT_ArenaRelease; +PORT_ArenaStrdup; +PORT_ArenaUnmark; +PORT_UCS2_ASCIIConversion; +PORT_UCS2_UTF8Conversion; +SECITEM_AllocItem; +SECKEY_CopyEncryptedPrivateKeyInfo; +SECKEY_CopyPrivateKeyInfo; +SECKEY_DestroyEncryptedPrivateKeyInfo; +SECKEY_DestroyPrivateKeyInfo; +SECOID_CompareAlgorithmID; +SECOID_CopyAlgorithmID; +SECOID_DestroyAlgorithmID; +SECOID_FindOID; +SECOID_FindOIDByTag; +SECOID_FindOIDTag; +SECOID_SetAlgorithmID; +SEC_ASN1DecodeInteger; +SEC_ASN1DecodeItem; +SEC_ASN1DecoderClearFilterProc; +SEC_ASN1DecoderClearNotifyProc; +SEC_ASN1DecoderFinish; +SEC_ASN1DecoderSetFilterProc; +SEC_ASN1DecoderSetNotifyProc; +SEC_ASN1DecoderStart; +SEC_ASN1DecoderUpdate; +SEC_ASN1Encode; +SEC_ASN1EncodeInteger; +SEC_ASN1EncodeItem; +SEC_ASN1EncoderClearNotifyProc; +SEC_ASN1EncoderClearStreaming; +SEC_ASN1EncoderClearTakeFromBuf; +SEC_ASN1EncoderFinish; +SEC_ASN1EncoderSetNotifyProc; +SEC_ASN1EncoderSetStreaming; +SEC_ASN1EncoderSetTakeFromBuf; +SEC_ASN1EncoderStart; +SEC_ASN1EncoderUpdate; +SEC_ASN1LengthLength; +SEC_PKCS5GetCryptoAlgorithm; +SEC_PKCS5GetKeyLength; +SEC_PKCS5GetPBEAlgorithm; +SEC_PKCS5IsAlgorithmPBEAlg; +SEC_SignData; +SGN_CompareDigestInfo; +SGN_CopyDigestInfo; +SGN_CreateDigestInfo; +SGN_DestroyDigestInfo; +SGN_Digest; +VFY_VerifyData; +VFY_VerifyDigest; +;+# +;+# Data objects +;+# +;+# Don't export these DATA symbols on Windows because they don't work right. +;;CERT_CrlTemplate DATA ; +;;CERT_SignedDataTemplate DATA ; +;;CERT_CertificateTemplate DATA ; +;;CERT_CertificateRequestTemplate DATA ; +;;CERT_IssuerAndSNTemplate DATA ; +;;CERT_SetOfSignedCrlTemplate DATA ; +;;SECKEY_DSAPublicKeyTemplate DATA ; +;;SECKEY_EncryptedPrivateKeyInfoTemplate DATA ; +;;SECKEY_PointerToEncryptedPrivateKeyInfoTemplate DATA ; +;;SECKEY_PointerToPrivateKeyInfoTemplate DATA ; +;;SECKEY_PrivateKeyInfoTemplate DATA ; +;;SECKEY_RSAPublicKeyTemplate DATA ; +;;SECOID_AlgorithmIDTemplate DATA ; +;;SEC_AnyTemplate DATA ; +;;SEC_BMPStringTemplate DATA ; +;;SEC_BitStringTemplate DATA ; +;;SEC_GeneralizedTimeTemplate DATA ; +;;SEC_IA5StringTemplate DATA ; +;;SEC_IntegerTemplate DATA ; +;;SEC_ObjectIDTemplate DATA ; +;;SEC_OctetStringTemplate DATA ; +;;SEC_PointerToAnyTemplate DATA ; +;;SEC_PointerToOctetStringTemplate DATA ; +;;SEC_SetOfAnyTemplate DATA ; +;;SEC_UTCTimeTemplate DATA ; +;;sgn_DigestInfoTemplate DATA ; +NSS_Get_CERT_CrlTemplate; +NSS_Get_CERT_SignedDataTemplate; +NSS_Get_CERT_CertificateTemplate; +NSS_Get_CERT_CertificateRequestTemplate; +NSS_Get_CERT_IssuerAndSNTemplate; +NSS_Get_CERT_SetOfSignedCrlTemplate; +NSS_Get_SECKEY_DSAPublicKeyTemplate; +NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate; +NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate; +NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate; +NSS_Get_SECKEY_PrivateKeyInfoTemplate; +NSS_Get_SECKEY_RSAPublicKeyTemplate; +NSS_Get_SECOID_AlgorithmIDTemplate; +NSS_Get_SEC_AnyTemplate; +NSS_Get_SEC_BMPStringTemplate; +NSS_Get_SEC_BitStringTemplate; +NSS_Get_SEC_GeneralizedTimeTemplate; +NSS_Get_SEC_IA5StringTemplate; +NSS_Get_SEC_IntegerTemplate; +NSS_Get_SEC_ObjectIDTemplate; +NSS_Get_SEC_OctetStringTemplate; +NSS_Get_SEC_PointerToAnyTemplate; +NSS_Get_SEC_PointerToOctetStringTemplate; +NSS_Get_SEC_SetOfAnyTemplate; +NSS_Get_SEC_UTCTimeTemplate; +NSS_Get_sgn_DigestInfoTemplate; +;+# commands +CERT_DecodeBasicConstraintValue; +CERT_DecodeOidSequence; +CERT_DecodeUserNotice; +CERT_DecodeCertificatePoliciesExtension; +CERT_DestroyCertificatePoliciesExtension; +CERT_FindCertByNicknameOrEmailAddr; +CERT_FindCertByNickname; +CERT_GenTime2FormattedAscii; +CERT_Hexify; +CERT_CompareName; +PK11SDR_Encrypt; +PK11SDR_Decrypt; +NSSBase64Decoder_Create; +NSSBase64Decoder_Destroy; +NSSBase64Decoder_Update; +NSSBase64Encoder_Create; +NSSBase64Encoder_Destroy; +NSSBase64Encoder_Update; +;+#PK11_DoPassword; +;+#PK11_FindKeyByKeyID; +PK11_InitPin; +PK11_NeedUserInit; +;+ local: +;+ *; +;+}; +;+NSS_3.2.1 { # NSS 3.2.1 release +;+ global: +CERT_AddRDN; +CERT_CreateRDN; +CERT_CreateAVA; +CERT_CreateName; +;+ local: +;+ *; +;+}; +;+NSS_3.3 { # NSS 3.3. release +;+ global: +CERT_CheckCertUsage; +CERT_FindCertIssuer; +PK11_GetModule; +SECKEY_CreateDHPrivateKey; +SECKEY_GetPublicKeyType; +SECMOD_AddNewModule; +;+# +;+# The following symbols are exported only to make JSS work. +;+# These are still private!!! +;+# +CERT_DisableOCSPChecking; +CERT_DisableOCSPDefaultResponder; +CERT_EnableOCSPDefaultResponder; +CERT_GetCertTimes; +CERT_ImportCAChainTrusted; +CERT_ImportCRL; +CERT_IsCACert; +CERT_IsCADERCert; +CERT_SetOCSPDefaultResponder; +PBE_CreateContext; +PBE_DestroyContext; +PBE_GenerateBits; +PK11_CheckSSOPassword; +PK11_CopySymKeyForSigning; +PK11_DeleteTokenCertAndKey; +PK11_DEREncodePublicKey; +PK11_ExtractKeyValue; +PK11_FindCertsFromNickname; +PK11_FindKeyByKeyID; +PK11_GetIVLength; +PK11_GetKeyData; +PK11_GetKeyType; +PK11_GetLowLevelKeyIDForCert; +PK11_GetLowLevelKeyIDForPrivateKey; +PK11_GetSlotPWValues; +PK11_ImportCertForKey; +PK11_ImportDERCertForKey; +PK11_ImportDERPrivateKeyInfo; +PK11_ImportSymKey; +PK11_IsLoggedIn; +PK11_KeyForDERCertExists; +PK11_KeyForCertExists; +PK11_ListPrivateKeysInSlot; +PK11_ListCertsInSlot; +PK11_Logout; +PK11_NeedPWInit; +PK11_MakeIDFromPubKey; +PK11_PQG_DestroyParams; +PK11_PQG_DestroyVerify; +PK11_PQG_GetBaseFromParams; +PK11_PQG_GetCounterFromVerify; +PK11_PQG_GetHFromVerify; +PK11_PQG_GetPrimeFromParams; +PK11_PQG_GetSeedFromVerify; +PK11_PQG_GetSubPrimeFromParams; +PK11_PQG_NewParams; +PK11_PQG_NewVerify; +PK11_PQG_ParamGen; +PK11_PQG_ParamGenSeedLen; +PK11_PQG_VerifyParams; +PK11_ReferenceSlot; +PK11_SeedRandom; +PK11_UnwrapPrivKey; +PK11_VerifyRecover; +PK11_WrapPrivKey; +SEC_CertNicknameConflict; +SEC_PKCS5GetIV; +SECMOD_DeleteInternalModule; +SECMOD_DestroyModule; +SECMOD_GetDefaultModuleList; +SECMOD_GetDefaultModuleListLock; +SECMOD_GetInternalModule; +SECMOD_GetReadLock; +SECMOD_ReferenceModule; +SECMOD_ReleaseReadLock; +SECKEY_AddPrivateKeyToListTail; +SECKEY_EncodeDERSubjectPublicKeyInfo; +SECKEY_ExtractPublicKey; +SECKEY_DestroyPrivateKeyList; +SECKEY_GetPrivateKeyType; +SECKEY_HashPassword; +SECKEY_ImportDERPublicKey; +SECKEY_NewPrivateKeyList; +SECKEY_RemovePrivateKeyListNode; +VFY_EndWithSignature; +;+ local: +;+ *; +;+}; +;+NSS_3.3.1 { # NSS 3.3.1 release +;+ global: +;+# +;+# The following symbols are exported only to make libsmime3.so work. +;+# These are still private!!! +;+# +PK11_CreatePBEParams; +PK11_DestroyPBEParams; +;+ local: +;+ *; +;+}; +;+NSS_3.4 { # NSS 3.4 release +;+ global: +SECMOD_AddNewModuleEx; +SECMOD_DeleteModule; +SECMOD_FreeModuleSpecList; +SECMOD_GetModuleSpecList; +SECMOD_LoadModule; +SECMOD_LoadUserModule; +SECMOD_UnloadUserModule; +SECMOD_UpdateModule; +;+# for PKCS #12 +PK11_RawPBEKeyGen; +;+# for PSM +__CERT_AddTempCertToPerm; +CERT_AddOKDomainName; +CERT_CopyName; +CERT_CreateSubjectCertList; +CERT_DecodeAVAValue; +;+#CERT_DecodeCertFromPackage; +CERT_DecodeGeneralName; +CERT_DecodeTrustString; +CERT_DerNameToAscii; +CERT_EncodeGeneralName; +CERT_FilterCertListByCANames; +CERT_FilterCertListByUsage; +CERT_FindCertExtension; +CERT_FindKeyUsageExtension; +CERT_FindUserCertByUsage; +CERT_FindUserCertsByUsage; +CERT_GetCertChainFromCert; +CERT_GetOCSPAuthorityInfoAccessLocation; +CERT_KeyFromDERCrl; +CERT_MakeCANickname; +CERT_NicknameStringsFromCertList; +CERT_VerifySignedData; +DER_Encode; +HASH_Begin; +HASH_Create; +HASH_Destroy; +HASH_End; +HASH_ResultLen; +HASH_Update; +NSSBase64_DecodeBuffer; # from Stan +NSSBase64_EncodeItem; # from Stan +PK11_GetKeyGen; +PK11_GetMinimumPwdLength; +PK11_GetNextSafe; +PK11_GetPadMechanism; +PK11_GetSlotInfo; +PK11_HasRootCerts; +PK11_IsDisabled; +PK11_LoadPrivKey; +PK11_LogoutAll; +PK11_MechanismToAlgtag; +PK11_ResetToken; +PK11_TraverseSlotCerts; +SEC_ASN1Decode; +SECKEY_CopySubjectPublicKeyInfo; +SECMOD_CreateModule; +SECMOD_FindModule; +SECMOD_FindSlot; +SECMOD_PubCipherFlagstoInternal; +SECMOD_PubMechFlagstoInternal; +;;CERT_NameTemplate DATA ; +;;CERT_SubjectPublicKeyInfoTemplate DATA ; +;;SEC_BooleanTemplate DATA ; +;;SEC_NullTemplate DATA ; +;;SEC_SignedCertificateTemplate DATA ; +;;SEC_UTF8StringTemplate DATA ; +NSS_Get_CERT_NameTemplate; +NSS_Get_CERT_SubjectPublicKeyInfoTemplate; +NSS_Get_SEC_BooleanTemplate; +NSS_Get_SEC_NullTemplate; +NSS_Get_SEC_SignedCertificateTemplate; +NSS_Get_SEC_UTF8StringTemplate; +;+# for JSS +PK11_DeleteTokenPrivateKey; +PK11_DeleteTokenPublicKey; +PK11_DeleteTokenSymKey; +PK11_GetNextSymKey; +PK11_GetPQGParamsFromPrivateKey; +PK11_GetPrivateKeyNickname; +PK11_GetPublicKeyNickname; +PK11_GetSymKeyNickname; +PK11_ImportDERPrivateKeyInfoAndReturnKey; +PK11_ImportPrivateKeyInfoAndReturnKey; +PK11_ImportPublicKey; +PK11_ImportSymKeyWithFlags; +PK11_ListFixedKeysInSlot; +PK11_ListPrivKeysInSlot; +PK11_ListPublicKeysInSlot; +PK11_ProtectedAuthenticationPath; +PK11_SetPrivateKeyNickname; +PK11_SetPublicKeyNickname; +PK11_SetSymKeyNickname; +SECKEY_DecodeDERSubjectPublicKeyInfo; +SECKEY_DestroyPublicKeyList; +;+# for debugging +nss_DumpCertificateCacheInfo; +;+ local: +;+ *; +;+}; +;+NSS_3.5 { # cert creation APIs used by certutil +;+ global: +CERT_AddExtension; +CERT_CopyRDN; +CERT_CreateCertificate; +CERT_CreateValidity; +CERT_DestroyValidity; +CERT_EncodeAndAddBitStrExtension; +CERT_EncodeAuthKeyID; +CERT_EncodeBasicConstraintValue; +CERT_EncodeCRLDistributionPoints; +CERT_FinishExtensions; +CERT_StartCertExtensions; +DER_AsciiToTime; +PK11_ImportCert; +PORT_Strdup; +SECMOD_CanDeleteInternalModule; +;+ local: +;+ *; +;+}; +;+NSS_3.6 { # NSS 3.6 release +;+ global: +CERT_AddOCSPAcceptableResponses; +CERT_CompleteCRLDecodeEntries; +CERT_CreateOCSPCertID; +CERT_CreateOCSPRequest; +CERT_DecodeDERCrlWithFlags; +CERT_DecodeOCSPResponse; +CERT_DestroyOCSPCertID; +CERT_DestroyOCSPRequest; +CERT_EncodeOCSPRequest; +CERT_FilterCertListForUserCerts; +CERT_GetOCSPResponseStatus; +CERT_GetOCSPStatusForCertID; +CERT_IsUserCert; +CERT_RemoveCertListNode; +CERT_VerifyCACertForUsage; +CERT_VerifyCertificate; +CERT_VerifyCertificateNow; +CERT_VerifyOCSPResponseSignature; +PK11_ConvertSessionPrivKeyToTokenPrivKey; +PK11_ConvertSessionSymKeyToTokenSymKey; +PK11_GetModInfo; +PK11_GetPBEIV; +PK11_ImportCRL; +PK11_ImportDERCert; +PK11_PubUnwrapSymKeyWithFlags; +PK11_SaveContextAlloc; +PK11_TokenKeyGen; +SEC_QuickDERDecodeItem; +SECKEY_CopyPublicKey; +;+ local: +;+ *; +;+}; +;+NSS_3.7 { # NSS 3.7 release +;+ global: +CERT_CRLCacheRefreshIssuer; +CERT_EncodeAltNameExtension; +CERT_GetFirstEmailAddress; +CERT_GetNextEmailAddress; +CERT_VerifySignedDataWithPubKeyInfo; +CERT_VerifySignedDataWithPublicKey; +PK11_WaitForTokenEvent; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/pk11wrap/pk11func.h b/security/nss/lib/pk11wrap/pk11func.h new file mode 100644 index 000000000..0a450659c --- /dev/null +++ b/security/nss/lib/pk11wrap/pk11func.h @@ -0,0 +1,614 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + * + * PKCS #11 Wrapper functions which handles authenticating to the card's + * choosing the best cards, etc. + */ +#ifndef _PK11FUNC_H_ +#define _PK11FUNC_H_ +#include "plarena.h" +#include "seccomon.h" +#include "secoidt.h" +#include "secdert.h" +#include "keyt.h" +#include "certt.h" +#include "pkcs11t.h" +#include "secmodt.h" +#include "seccomon.h" +#include "pkcs7t.h" +#include "cmsreclist.h" + +SEC_BEGIN_PROTOS + +/************************************************************ + * Generic Slot Lists Management + ************************************************************/ +PK11SlotList * PK11_NewSlotList(void); +void PK11_FreeSlotList(PK11SlotList *list); +SECStatus PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot); +SECStatus PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le); +PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list); +PK11SlotListElement *PK11_GetNextSafe(PK11SlotList *list, + PK11SlotListElement *le, PRBool restart); +PK11SlotListElement *PK11_FindSlotElement(PK11SlotList *list, + PK11SlotInfo *slot); + +/************************************************************ + * Generic Slot Management + ************************************************************/ +PK11SlotInfo *PK11_ReferenceSlot(PK11SlotInfo *slot); +PK11SlotInfo *PK11_FindSlotByID(SECMODModuleID modID,CK_SLOT_ID slotID); +void PK11_FreeSlot(PK11SlotInfo *slot); +SECStatus PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object); +SECStatus PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object); +CK_OBJECT_HANDLE PK11_CopyKey(PK11SlotInfo *slot, CK_OBJECT_HANDLE srcObject); +SECStatus PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result); +CK_ULONG PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type); +PK11SlotInfo *PK11_GetInternalKeySlot(void); +PK11SlotInfo *PK11_GetInternalSlot(void); +char * PK11_MakeString(PRArenaPool *arena,char *space,char *staticSring, + int stringLen); +int PK11_MapError(CK_RV error); +CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot); +void PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession); +PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot, + CK_SESSION_HANDLE session_handle); +PK11SlotInfo *PK11_NewSlotInfo(void); +SECStatus PK11_Logout(PK11SlotInfo *slot); +void PK11_LogoutAll(void); +void PK11_EnterSlotMonitor(PK11SlotInfo *); +void PK11_ExitSlotMonitor(PK11SlotInfo *); +void PK11_CleanKeyList(PK11SlotInfo *slot); + + +/************************************************************ + * Slot Password Management + ************************************************************/ +void PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout); +void PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout); +SECStatus PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw); +SECStatus PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw); +SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx); +PRBool PK11_IsLoggedIn(PK11SlotInfo *slot, void *wincx); +SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw); +SECStatus PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *pk11_userpwd); +SECStatus PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw); +void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx); +void PK11_SetPasswordFunc(PK11PasswordFunc func); +void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func); +void PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func); +int PK11_GetMinimumPwdLength(PK11SlotInfo *slot); +SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd); + +/************************************************************ + * Manage the built-In Slot Lists + ************************************************************/ +SECStatus PK11_InitSlotLists(void); +void PK11_DestroySlotLists(void); +PK11SlotList *PK11_GetSlotList(CK_MECHANISM_TYPE type); +void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count); +void PK11_ClearSlotList(PK11SlotInfo *slot); + + +/****************************************************************** + * Slot initialization + ******************************************************************/ +PRBool PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern, + CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv); +PRBool PK11_VerifySlotMechanisms(PK11SlotInfo *slot); +SECStatus pk11_CheckVerifyTest(PK11SlotInfo *slot); +SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts); +SECStatus PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx); +void PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot); + + +/****************************************************************** + * Slot info functions + ******************************************************************/ +PK11SlotInfo *PK11_FindSlotByName(char *name); +PK11SlotInfo *PK11_FindSlotBySerial(char *serial); +PRBool PK11_IsReadOnly(PK11SlotInfo *slot); +PRBool PK11_IsInternal(PK11SlotInfo *slot); +char * PK11_GetTokenName(PK11SlotInfo *slot); +char * PK11_GetSlotName(PK11SlotInfo *slot); +PRBool PK11_NeedLogin(PK11SlotInfo *slot); +PRBool PK11_IsFriendly(PK11SlotInfo *slot); +PRBool PK11_IsHW(PK11SlotInfo *slot); +PRBool PK11_NeedUserInit(PK11SlotInfo *slot); +PRBool PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot); +int PK11_GetSlotSeries(PK11SlotInfo *slot); +int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot); +unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot); +CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot); +SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot); +SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info); +SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info); +PRBool PK11_IsDisabled(PK11SlotInfo *slot); +PRBool PK11_HasRootCerts(PK11SlotInfo *slot); +PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot); +/* Prevents the slot from being used, and set disable reason to user-disable */ +/* NOTE: Mechanisms that were ON continue to stay ON */ +/* Therefore, when the slot is enabled, it will remember */ +/* what mechanisms needs to be turned on */ +PRBool PK11_UserDisableSlot(PK11SlotInfo *slot); +/* Allow all mechanisms that are ON before UserDisableSlot() */ +/* was called to be available again */ +PRBool PK11_UserEnableSlot(PK11SlotInfo *slot); +/* + * wait for a specific slot event. + * event is a specific event to wait for. Currently only + * PK11TokenChangeOrRemovalEvent and PK11TokenPresentEvents are defined. + * timeout can be an interval time to wait, PR_INTERVAL_NO_WAIT (meaning only + * poll once), or PR_INTERVAL_NO_TIMEOUT (meaning block until a change). + * pollInterval is a suggested pulling interval value. '0' means use the + * default. Future implementations that don't poll may ignore this value. + * series is the current series for the last slot. This should be the series + * value for the slot the last time you read persistant information from the + * slot. For instance, if you publish a cert from the slot, you should obtain + * the slot series at that time. Then PK11_WaitForTokenEvent can detect a + * a change in the slot between the time you publish and the time + * PK11_WaitForTokenEvent is called, elliminating potential race conditions. + * + * The current status that is returned is: + * PK11TokenNotRemovable - always returned for any non-removable token. + * PK11TokenPresent - returned when the token is present and we are waiting + * on a PK11TokenPresentEvent. Then next event to look for is a + * PK11TokenChangeOrRemovalEvent. + * PK11TokenChanged - returned when the old token has been removed and a new + * token ad been inserted, and we are waiting for a + * PK11TokenChangeOrRemovalEvent. The next event to look for is another + * PK11TokenChangeOrRemovalEvent. + * PK11TokenRemoved - returned when the token is not present and we are + * waiting for a PK11TokenChangeOrRemovalEvent. The next event to look for + * is a PK11TokenPresentEvent. + */ +PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, + PRIntervalTime timeout, PRIntervalTime pollInterval, int series); + +PRBool PK11_NeedPWInit(void); +PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot); +PRBool PK11_TokenExists(CK_MECHANISM_TYPE); +SECStatus PK11_GetModInfo(SECMODModule *mod, CK_INFO *info); +PRBool PK11_IsFIPS(void); +SECMODModule *PK11_GetModule(PK11SlotInfo *slot); + +/********************************************************************* + * Slot mapping utility functions. + *********************************************************************/ +PRBool PK11_IsPresent(PK11SlotInfo *slot); +PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type); +PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type,PRBool needRW, + PRBool loadCerts, void *wincx); +PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type, + PRBool needRW,void *wincx); +PK11SlotInfo *PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int count, + void *wincx); +PK11SlotInfo *PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx); +CK_MECHANISM_TYPE PK11_GetBestWrapMechanism(PK11SlotInfo *slot); +int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE type); + +/********************************************************************* + * Mechanism Mapping functions + *********************************************************************/ +void PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key, + CK_MECHANISM_TYPE keygen, int ivLen, int blocksize); +CK_MECHANISM_TYPE PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len); +CK_MECHANISM_TYPE PK11_GetKeyGen(CK_MECHANISM_TYPE type); +int PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params); +int PK11_GetIVLength(CK_MECHANISM_TYPE type); +SECItem *PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv); +unsigned char *PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len); +SECItem * PK11_BlockData(SECItem *data,unsigned long size); + +/* PKCS #11 to DER mapping functions */ +SECItem *PK11_ParamFromAlgid(SECAlgorithmID *algid); +SECItem *PK11_GenerateNewParam(CK_MECHANISM_TYPE, PK11SymKey *); +CK_MECHANISM_TYPE PK11_AlgtagToMechanism(SECOidTag algTag); +SECOidTag PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type); +SECOidTag PK11_FortezzaMapSig(SECOidTag algTag); +SECStatus PK11_ParamToAlgid(SECOidTag algtag, SECItem *param, + PRArenaPool *arena, SECAlgorithmID *algid); +SECStatus PK11_SeedRandom(PK11SlotInfo *,unsigned char *data,int len); +SECStatus PK11_RandomUpdate(void *data, size_t bytes); +SECStatus PK11_GenerateRandom(unsigned char *data,int len); +CK_RV PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, + CK_MECHANISM_PTR pCryptoMechanism, + SECItem *pbe_pwd, PRBool bad3DES); +CK_MECHANISM_TYPE PK11_GetPadMechanism(CK_MECHANISM_TYPE); + +/********************************************************************** + * Symetric, Public, and Private Keys + **********************************************************************/ +PK11SymKey *PK11_CreateSymKey(PK11SlotInfo *slot, + CK_MECHANISM_TYPE type, void *wincx); +void PK11_FreeSymKey(PK11SymKey *key); +PK11SymKey *PK11_ReferenceSymKey(PK11SymKey *symKey); +PK11SymKey *PK11_ImportSymKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + PK11Origin origin, CK_ATTRIBUTE_TYPE operation, SECItem *key, void *wincx); +PK11SymKey *PK11_ImportSymKeyWithFlags(PK11SlotInfo *slot, + CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, + SECItem *key, CK_FLAGS flags, PRBool isPerm, void *wincx); +PK11SymKey *PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, + PK11Origin origin, CK_MECHANISM_TYPE type, CK_OBJECT_HANDLE keyID, + PRBool owner, void *wincx); +PK11SymKey *PK11_GetWrapKey(PK11SlotInfo *slot, int wrap, + CK_MECHANISM_TYPE type,int series, void *wincx); +void PK11_SetWrapKey(PK11SlotInfo *slot, int wrap, PK11SymKey *wrapKey); +CK_MECHANISM_TYPE PK11_GetMechanism(PK11SymKey *symKey); +CK_OBJECT_HANDLE PK11_ImportPublicKey(PK11SlotInfo *slot, + SECKEYPublicKey *pubKey, PRBool isToken); +PK11SymKey *PK11_KeyGen(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, + SECItem *param, int keySize,void *wincx); +PK11SymKey *PK11_TokenKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + SECItem *param, int keySize, SECItem *keyid, + PRBool isToken, void *wincx); +PK11SymKey * PK11_ListFixedKeysInSlot(PK11SlotInfo *slot, char *nickname, + void *wincx); +PK11SymKey *PK11_GetNextSymKey(PK11SymKey *symKey); + +/* Key Generation specialized for SDR (fixed DES3 key) */ +PK11SymKey *PK11_GenDES3TokenKey(PK11SlotInfo *slot, SECItem *keyid, void *cx); + +SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey, + PK11SymKey *symKey, SECItem *wrappedKey); +SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params, + PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey); +PK11SymKey *PK11_Derive(PK11SymKey *baseKey, CK_MECHANISM_TYPE mechanism, + SECItem *param, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize); +PK11SymKey *PK11_DeriveWithFlags( PK11SymKey *baseKey, + CK_MECHANISM_TYPE derive, SECItem *param, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags); +PK11SymKey *PK11_PubDerive( SECKEYPrivateKey *privKey, + SECKEYPublicKey *pubKey, PRBool isSender, SECItem *randomA, SECItem *randomB, + CK_MECHANISM_TYPE derive, CK_MECHANISM_TYPE target, + CK_ATTRIBUTE_TYPE operation, int keySize,void *wincx) ; +PK11SymKey *PK11_UnwrapSymKey(PK11SymKey *key, + CK_MECHANISM_TYPE wraptype, SECItem *param, SECItem *wrapppedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize); +PK11SymKey *PK11_UnwrapSymKeyWithFlags(PK11SymKey *wrappingKey, + CK_MECHANISM_TYPE wrapType, SECItem *param, SECItem *wrappedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, + CK_FLAGS flags); +PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey, + CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize); +PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, + SECItem *keyID, void *wincx); +SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey,PRBool force); +SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey); +SECStatus PK11_DeleteTokenSymKey(PK11SymKey *symKey); +SECStatus PK11_DeleteTokenCertAndKey(CERTCertificate *cert,void *wincx); +SECKEYPrivateKey * PK11_LoadPrivKey(PK11SlotInfo *slot, + SECKEYPrivateKey *privKey, SECKEYPublicKey *pubKey, + PRBool token, PRBool sensitive); +SECKEYPublicKey *PK11_ExtractPublicKey(PK11SlotInfo *slot, KeyType keyType, + CK_OBJECT_HANDLE id); +char * PK11_GetSymKeyNickname(PK11SymKey *symKey); +char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey); +char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey); +SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname); +SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, + const char *nickname); +SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, + const char *nickname); + +/* size to hold key in bytes */ +unsigned int PK11_GetKeyLength(PK11SymKey *key); +/* size of actual secret parts of key in bits */ +/* algid is because RC4 strength is determined by the effective bits as well + * as the key bits */ +unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid); +SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey); +SECItem * PK11_GetKeyData(PK11SymKey *symKey); +PK11SlotInfo * PK11_GetSlotFromKey(PK11SymKey *symKey); +void *PK11_GetWindow(PK11SymKey *symKey); +SECKEYPrivateKey *PK11_GenerateKeyPair(PK11SlotInfo *slot, + CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk, + PRBool isPerm, PRBool isSensitive, void *wincx); +SECKEYPrivateKey *PK11_MakePrivKey(PK11SlotInfo *slot, KeyType keyType, + PRBool isTemp, CK_OBJECT_HANDLE privID, void *wincx); +SECKEYPrivateKey * PK11_FindPrivateKeyFromCert(PK11SlotInfo *slot, + CERTCertificate *cert, void *wincx); +SECKEYPrivateKey * PK11_FindKeyByAnyCert(CERTCertificate *cert, void *wincx); +SECKEYPrivateKey * PK11_FindKeyByKeyID(PK11SlotInfo *slot, SECItem *keyID, + void *wincx); +CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert, + void *wincx, PK11SlotInfo **pSlot); +int PK11_GetPrivateModulusLen(SECKEYPrivateKey *key); +SECStatus PK11_PubDecryptRaw(SECKEYPrivateKey *key, unsigned char *data, + unsigned *outLen, unsigned int maxLen, unsigned char *enc, unsigned encLen); +/* The encrypt version of the above function */ +SECStatus PK11_PubEncryptRaw(SECKEYPublicKey *key, unsigned char *enc, + unsigned char *data, unsigned dataLen, void *wincx); +SECStatus PK11_ImportPrivateKeyInfo(PK11SlotInfo *slot, + SECKEYPrivateKeyInfo *pki, SECItem *nickname, + SECItem *publicValue, PRBool isPerm, PRBool isPrivate, + unsigned int usage, void *wincx); +SECStatus PK11_ImportPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, + SECKEYPrivateKeyInfo *pki, SECItem *nickname, + SECItem *publicValue, PRBool isPerm, PRBool isPrivate, + unsigned int usage, SECKEYPrivateKey** privk, void *wincx); +SECStatus PK11_ImportDERPrivateKeyInfo(PK11SlotInfo *slot, + SECItem *derPKI, SECItem *nickname, + SECItem *publicValue, PRBool isPerm, PRBool isPrivate, + unsigned int usage, void *wincx); +SECStatus PK11_ImportDERPrivateKeyInfoAndReturnKey(PK11SlotInfo *slot, + SECItem *derPKI, SECItem *nickname, + SECItem *publicValue, PRBool isPerm, PRBool isPrivate, + unsigned int usage, SECKEYPrivateKey** privk, void *wincx); +SECStatus PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, + SECKEYEncryptedPrivateKeyInfo *epki, SECItem *pwitem, + SECItem *nickname, SECItem *publicValue, PRBool isPerm, + PRBool isPrivate, KeyType type, + unsigned int usage, void *wincx); +SECKEYPrivateKeyInfo *PK11_ExportPrivateKeyInfo( + CERTCertificate *cert, void *wincx); +SECKEYEncryptedPrivateKeyInfo *PK11_ExportEncryptedPrivateKeyInfo( + PK11SlotInfo *slot, SECOidTag algTag, SECItem *pwitem, + CERTCertificate *cert, int iteration, void *wincx); +SECKEYPrivateKey *PK11_FindKeyByDERCert(PK11SlotInfo *slot, + CERTCertificate *cert, void *wincx); +SECKEYPublicKey *PK11_MakeKEAPubKey(unsigned char *data, int length); +SECStatus PK11_DigestKey(PK11Context *context, PK11SymKey *key); +PRBool PK11_VerifyKeyOK(PK11SymKey *key); +SECKEYPrivateKey *PK11_UnwrapPrivKey(PK11SlotInfo *slot, + PK11SymKey *wrappingKey, CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, SECItem *label, + SECItem *publicValue, PRBool token, PRBool sensitive, + CK_KEY_TYPE keyType, CK_ATTRIBUTE_TYPE *usage, int usageCount, + void *wincx); +SECStatus PK11_WrapPrivKey(PK11SlotInfo *slot, PK11SymKey *wrappingKey, + SECKEYPrivateKey *privKey, CK_MECHANISM_TYPE wrapType, + SECItem *param, SECItem *wrappedKey, void *wincx); +PK11SymKey * pk11_CopyToSlot(PK11SlotInfo *slot,CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey); +SECItem *PK11_GetKeyIDFromCert(CERTCertificate *cert, void *wincx); +SECItem * PK11_GetKeyIDFromPrivateKey(SECKEYPrivateKey *key, void *wincx); +SECItem* PK11_DEREncodePublicKey(SECKEYPublicKey *pubk); +PK11SymKey* PK11_CopySymKeyForSigning(PK11SymKey *originalKey, + CK_MECHANISM_TYPE mech); +SECKEYPrivateKeyList* PK11_ListPrivKeysInSlot(PK11SlotInfo *slot, + char *nickname, void *wincx); +SECKEYPublicKeyList* PK11_ListPublicKeysInSlot(PK11SlotInfo *slot, + char *nickname); +SECKEYPQGParams *PK11_GetPQGParamsFromPrivateKey(SECKEYPrivateKey *privKey); +/* depricated */ +SECKEYPrivateKeyList* PK11_ListPrivateKeysInSlot(PK11SlotInfo *slot); + +PK11SymKey *PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, + void *wincx); +SECKEYPrivateKey *PK11_ConvertSessionPrivKeyToTokenPrivKey( + SECKEYPrivateKey *privk, void* wincx); + +/********************************************************************** + * Certs + **********************************************************************/ +SECItem *PK11_MakeIDFromPubKey(SECItem *pubKeyData); +CERTCertificate *PK11_GetCertFromPrivateKey(SECKEYPrivateKey *privKey); +SECStatus PK11_TraverseSlotCerts( + SECStatus(* callback)(CERTCertificate*,SECItem *,void *), + void *arg, void *wincx); +SECStatus PK11_TraversePrivateKeysInSlot( PK11SlotInfo *slot, + SECStatus(* callback)(SECKEYPrivateKey*, void*), void *arg); +CERTCertificate * PK11_FindCertFromNickname(char *nickname, void *wincx); +CERTCertList * PK11_FindCertsFromNickname(char *nickname, void *wincx); +SECKEYPrivateKey * PK11_FindPrivateKeyFromNickname(char *nickname, void *wincx); +SECStatus PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, + CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust); +SECStatus PK11_ImportDERCert(PK11SlotInfo *slot, SECItem *derCert, + CK_OBJECT_HANDLE key, char *nickname, PRBool includeTrust); +PK11SlotInfo *PK11_ImportCertForKey(CERTCertificate *cert, char *nickname, + void *wincx); +PK11SlotInfo *PK11_ImportDERCertForKey(SECItem *derCert, char *nickname, + void *wincx); +CK_OBJECT_HANDLE * PK11_FindObjectsFromNickname(char *nickname, + PK11SlotInfo **slotptr, CK_OBJECT_CLASS objclass, int *returnCount, + void *wincx); +PK11SlotInfo *PK11_KeyForCertExists(CERTCertificate *cert, + CK_OBJECT_HANDLE *keyPtr, void *wincx); +PK11SlotInfo *PK11_KeyForDERCertExists(SECItem *derCert, + CK_OBJECT_HANDLE *keyPtr, void *wincx); +CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot,CK_OBJECT_HANDLE peer, + CK_OBJECT_CLASS o_class); +CERTCertificate * PK11_FindCertByIssuerAndSN(PK11SlotInfo **slot, + CERTIssuerAndSN *sn, void *wincx); +CERTCertificate * PK11_FindCertAndKeyByRecipientList(PK11SlotInfo **slot, + SEC_PKCS7RecipientInfo **array, SEC_PKCS7RecipientInfo **rip, + SECKEYPrivateKey**privKey, void *wincx); +int PK11_FindCertAndKeyByRecipientListNew(NSSCMSRecipient **recipientlist, + void *wincx); +CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot, + CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type ); +CK_RV PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot, + CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count); +int PK11_NumberCertsForCertSubject(CERTCertificate *cert); +SECStatus PK11_TraverseCertsForSubject(CERTCertificate *cert, + SECStatus(*callback)(CERTCertificate *, void *), void *arg); +SECStatus PK11_TraverseCertsForSubjectInSlot(CERTCertificate *cert, + PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *), + void *arg); +CERTCertificate *PK11_FindCertFromDERCert(PK11SlotInfo *slot, + CERTCertificate *cert, void *wincx); +CERTCertificate *PK11_FindCertFromDERSubjectAndNickname( + PK11SlotInfo *slot, + CERTCertificate *cert, char *nickname, + void *wincx); +SECStatus PK11_ImportCertForKeyToSlot(PK11SlotInfo *slot, CERTCertificate *cert, + char *nickname, PRBool addUsage, + void *wincx); +CERTCertificate *PK11_FindBestKEAMatch(CERTCertificate *serverCert,void *wincx); +SECStatus PK11_GetKEAMatchedCerts(PK11SlotInfo *slot1, + PK11SlotInfo *slot2, CERTCertificate **cert1, CERTCertificate **cert2); +PRBool PK11_FortezzaHasKEA(CERTCertificate *cert); +CK_OBJECT_HANDLE PK11_FindCertInSlot(PK11SlotInfo *slot, CERTCertificate *cert, + void *wincx); +SECStatus PK11_TraverseCertsForNicknameInSlot(SECItem *nickname, + PK11SlotInfo *slot, SECStatus(*callback)(CERTCertificate *, void *), + void *arg); +SECStatus PK11_TraverseCertsInSlot(PK11SlotInfo *slot, + SECStatus(* callback)(CERTCertificate*, void *), void *arg); +CERTCertList * PK11_ListCerts(PK11CertListType type, void *pwarg); +CERTCertList * PK11_ListCertsInSlot(PK11SlotInfo *slot); +SECStatus PK11_LookupCrls(CERTCrlHeadNode *nodes, int type, void *wincx); +CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url, + int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena, PRInt32 decodeOptions); +/* import options */ +#define CRL_IMPORT_DEFAULT_OPTIONS 0x00000000 +#define CRL_IMPORT_BYPASS_CHECKS 0x00000001 + +/********************************************************************** + * Sign/Verify + **********************************************************************/ +int PK11_SignatureLen(SECKEYPrivateKey *key); +PK11SlotInfo * PK11_GetSlotFromPrivateKey(SECKEYPrivateKey *key); +SECStatus PK11_Sign(SECKEYPrivateKey *key, SECItem *sig, SECItem *hash); +SECStatus PK11_VerifyRecover(SECKEYPublicKey *key, SECItem *sig, + SECItem *dsig, void * wincx); +SECStatus PK11_Verify(SECKEYPublicKey *key, SECItem *sig, + SECItem *hash, void *wincx); + + + +/********************************************************************** + * Crypto Contexts + **********************************************************************/ +void PK11_DestroyContext(PK11Context *context, PRBool freeit); +PK11Context * PK11_CreateContextByRawKey(PK11SlotInfo *slot, + CK_MECHANISM_TYPE type, PK11Origin origin, CK_ATTRIBUTE_TYPE operation, + SECItem *key, SECItem *param, void *wincx); +PK11Context *PK11_CreateContextBySymKey(CK_MECHANISM_TYPE type, + CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey, SECItem *param); +PK11Context *PK11_CreateDigestContext(SECOidTag hashAlg); +PK11Context *PK11_CloneContext(PK11Context *old); +SECStatus PK11_DigestBegin(PK11Context *cx); +SECStatus PK11_HashBuf(SECOidTag hashAlg, unsigned char *out, unsigned char *in, + int32 len); +SECStatus PK11_DigestOp(PK11Context *context, const unsigned char *in, + unsigned len); +SECStatus PK11_CipherOp(PK11Context *context, unsigned char * out, int *outlen, + int maxout, unsigned char *in, int inlen); +SECStatus PK11_Finalize(PK11Context *context); +SECStatus PK11_DigestFinal(PK11Context *context, unsigned char *data, + unsigned int *outLen, unsigned int length); +PRBool PK11_HashOK(SECOidTag hashAlg); +SECStatus PK11_SaveContext(PK11Context *cx,unsigned char *save, + int *len, int saveLength); + +/* Save the context's state, with possible allocation. + * The caller may supply an already allocated buffer in preAllocBuf, + * with length pabLen. If the buffer is large enough for the context's + * state, it will receive the state. + * If the buffer is not large enough (or NULL), then a new buffer will + * be allocated with PORT_Alloc. + * In either case, the state will be returned as a buffer, and the length + * of the state will be given in *stateLen. + */ +unsigned char * +PK11_SaveContextAlloc(PK11Context *cx, + unsigned char *preAllocBuf, unsigned int pabLen, + unsigned int *stateLen); + +SECStatus PK11_RestoreContext(PK11Context *cx,unsigned char *save,int len); +SECStatus PK11_GenerateFortezzaIV(PK11SymKey *symKey,unsigned char *iv,int len); +SECStatus PK11_ReadSlotCerts(PK11SlotInfo *slot); +void PK11_FreeSlotCerts(PK11SlotInfo *slot); +void PK11_SetFortezzaHack(PK11SymKey *symKey) ; + + +/********************************************************************** + * PBE functions + **********************************************************************/ + +/* This function creates PBE parameters from the given inputs. The result + * can be used to create a password integrity key for PKCS#12, by sending + * the return value to PK11_KeyGen along with the appropriate mechanism. + */ +SECItem * +PK11_CreatePBEParams(SECItem *salt, SECItem *pwd, unsigned int iterations); + +/* free params created above (can be called after keygen is done */ +void PK11_DestroyPBEParams(SECItem *params); + +SECAlgorithmID * +PK11_CreatePBEAlgorithmID(SECOidTag algorithm, int iteration, SECItem *salt); +PK11SymKey * +PK11_PBEKeyGen(PK11SlotInfo *slot, SECAlgorithmID *algid, SECItem *pwitem, + PRBool faulty3DES, void *wincx); +PK11SymKey * +PK11_RawPBEKeyGen(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params, + SECItem *pwitem, PRBool faulty3DES, void *wincx); +SECItem * +PK11_GetPBEIV(SECAlgorithmID *algid, SECItem *pwitem); + +/********************************************************************** + * New fucntions which are already depricated.... + **********************************************************************/ +SECItem * +PK11_GetLowLevelKeyIDForCert(PK11SlotInfo *slot, + CERTCertificate *cert, void *pwarg); +SECItem * +PK11_GetLowLevelKeyIDForPrivateKey(SECKEYPrivateKey *key); + +SECItem * +PK11_FindCrlByName(PK11SlotInfo **slot, CK_OBJECT_HANDLE *handle, + SECItem *derName, int type, char **url); + +CK_OBJECT_HANDLE +PK11_PutCrl(PK11SlotInfo *slot, SECItem *crl, + SECItem *name, char *url, int type); + +SECItem * +PK11_FindSMimeProfile(PK11SlotInfo **slotp, char *emailAddr, SECItem *derSubj, + SECItem **profileTime); +SECStatus +PK11_SaveSMimeProfile(PK11SlotInfo *slot, char *emailAddr, SECItem *derSubj, + SECItem *emailProfile, SECItem *profileTime); + +PRBool SECMOD_HasRootCerts(void); + +PRBool PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle); + +char * PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) ; +SECStatus PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + const char *nickname) ; + + +/* private */ +SECStatus pk11_TraverseAllSlots( SECStatus (*callback)(PK11SlotInfo *,void *), + void *cbArg, void *pwArg); + +SEC_END_PROTOS + +#endif diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c new file mode 100644 index 000000000..c87e9400b --- /dev/null +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -0,0 +1,4656 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * Dr Stephen Henson <stephen.henson@gemplus.com> + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + */ +/* + * Deal with PKCS #11 Slots. + */ +#include "seccomon.h" +#include "secmod.h" +#include "nssilock.h" +#include "secmodi.h" +#include "pkcs11t.h" +#include "pk11func.h" +#include "cert.h" +#include "key.h" +#include "secitem.h" +#include "secder.h" +#include "secasn1.h" +#include "secoid.h" +#include "prtime.h" +#include "prlong.h" +#include "secerr.h" +/*#include "secpkcs5.h" */ + +#include "dev.h" +#include "dev3hack.h" +#include "pki3hack.h" +#include "pkim.h" + + +/************************************************************* + * local static and global data + *************************************************************/ + +/* + * This array helps parsing between names, mechanisms, and flags. + * to make the config files understand more entries, add them + * to this table. (NOTE: we need function to export this table and it's size) + */ +PK11DefaultArrayEntry PK11_DefaultArray[] = { + { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS }, + { "DSA", SECMOD_DSA_FLAG, CKM_DSA }, + { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE }, + { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC }, + { "RC4", SECMOD_RC4_FLAG, CKM_RC4 }, + { "DES", SECMOD_DES_FLAG, CKM_DES_CBC }, + { "AES", SECMOD_AES_FLAG, CKM_AES_CBC }, + { "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC }, + { "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 }, + { "MD5", SECMOD_MD5_FLAG, CKM_MD5 }, + { "MD2", SECMOD_MD2_FLAG, CKM_MD2 }, + { "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN }, + { "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE }, + { "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 }, + { "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM }, + { "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM }, +}; +int num_pk11_default_mechanisms = sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]); + +/* + * These slotlists are lists of modules which provide default support for + * a given algorithm or mechanism. + */ +static PK11SlotList pk11_aesSlotList, + pk11_desSlotList, + pk11_rc4SlotList, + pk11_rc2SlotList, + pk11_rc5SlotList, + pk11_sha1SlotList, + pk11_md5SlotList, + pk11_md2SlotList, + pk11_rsaSlotList, + pk11_dsaSlotList, + pk11_dhSlotList, + pk11_ideaSlotList, + pk11_sslSlotList, + pk11_tlsSlotList, + pk11_randomSlotList; + +/* + * Tables used for Extended mechanism mapping (currently not used) + */ +typedef struct { + CK_MECHANISM_TYPE keyGen; + CK_KEY_TYPE keyType; + CK_MECHANISM_TYPE type; + int blockSize; + int iv; +} pk11MechanismData; + +static pk11MechanismData pk11_default = + { CKM_GENERIC_SECRET_KEY_GEN, CKK_GENERIC_SECRET, CKM_FAKE_RANDOM, 8, 8 }; +static pk11MechanismData *pk11_MechanismTable = NULL; +static int pk11_MechTableSize = 0; +static int pk11_MechEntrySize = 0; + +/* + * list of mechanisms we're willing to wrap secret keys with. + * This list is ordered by preference. + */ +CK_MECHANISM_TYPE wrapMechanismList[] = { + CKM_DES3_ECB, + CKM_CAST5_ECB, + CKM_AES_ECB, + CKM_CAST5_ECB, + CKM_DES_ECB, + CKM_KEY_WRAP_LYNKS, + CKM_IDEA_ECB, + CKM_CAST3_ECB, + CKM_CAST_ECB, + CKM_RC5_ECB, + CKM_RC2_ECB, + CKM_CDMF_ECB, + CKM_SKIPJACK_WRAP, +}; + +int wrapMechanismCount = sizeof(wrapMechanismList)/sizeof(wrapMechanismList[0]); + +/* + * This structure keeps track of status that spans all the Slots. + * NOTE: This is a global data structure. It semantics expect thread crosstalk + * be very careful when you see it used. + * It's major purpose in life is to allow the user to log in one PER + * Tranaction, even if a transaction spans threads. The problem is the user + * may have to enter a password one just to be able to look at the + * personalities/certificates (s)he can use. Then if Auth every is one, they + * may have to enter the password again to use the card. See PK11_StartTransac + * and PK11_EndTransaction. + */ +static struct PK11GlobalStruct { + int transaction; + PRBool inTransaction; + char *(PR_CALLBACK *getPass)(PK11SlotInfo *,PRBool,void *); + PRBool (PR_CALLBACK *verifyPass)(PK11SlotInfo *,void *); + PRBool (PR_CALLBACK *isLoggedIn)(PK11SlotInfo *,void *); +} PK11_Global = { 1, PR_FALSE, NULL, NULL, NULL }; + +/************************************************************ + * Generic Slot List and Slot List element manipulations + ************************************************************/ + +/* + * allocate a new list + */ +PK11SlotList * +PK11_NewSlotList(void) +{ + PK11SlotList *list; + + list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList)); + if (list == NULL) return NULL; + list->head = NULL; + list->tail = NULL; +#ifdef PKCS11_USE_THREADS + list->lock = PZ_NewLock(nssILockList); + if (list->lock == NULL) { + PORT_Free(list); + return NULL; + } +#else + list->lock = NULL; +#endif + + return list; +} + +/* + * free a list element when all the references go away. + */ +static void +pk11_FreeListElement(PK11SlotList *list, PK11SlotListElement *le) +{ + PRBool freeit = PR_FALSE; + + PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));) + if (le->refCount-- == 1) { + freeit = PR_TRUE; + } + PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));) + if (freeit) { + PK11_FreeSlot(le->slot); + PORT_Free(le); + } +} + +/* + * if we are freeing the list, we must be the only ones with a pointer + * to the list. + */ +void +PK11_FreeSlotList(PK11SlotList *list) +{ + PK11SlotListElement *le, *next ; + if (list == NULL) return; + + for (le = list->head ; le; le = next) { + next = le->next; + pk11_FreeListElement(list,le); + } + PK11_USE_THREADS(PZ_DestroyLock((PZLock *)(list->lock));) + PORT_Free(list); +} + +/* + * add a slot to a list + */ +SECStatus +PK11_AddSlotToList(PK11SlotList *list,PK11SlotInfo *slot) +{ + PK11SlotListElement *le; + + le = (PK11SlotListElement *) PORT_Alloc(sizeof(PK11SlotListElement)); + if (le == NULL) return SECFailure; + + le->slot = PK11_ReferenceSlot(slot); + le->prev = NULL; + le->refCount = 1; + PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));) + if (list->head) list->head->prev = le; else list->tail = le; + le->next = list->head; + list->head = le; + PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));) + + return SECSuccess; +} + +/* + * remove a slot entry from the list + */ +SECStatus +PK11_DeleteSlotFromList(PK11SlotList *list,PK11SlotListElement *le) +{ + PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));) + if (le->prev) le->prev->next = le->next; else list->head = le->next; + if (le->next) le->next->prev = le->prev; else list->tail = le->prev; + le->next = le->prev = NULL; + PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));) + pk11_FreeListElement(list,le); + return SECSuccess; +} + +/* + * Move a list to the end of the target list. NOTE: There is no locking + * here... This assumes BOTH lists are private copy lists. + */ +SECStatus +PK11_MoveListToList(PK11SlotList *target,PK11SlotList *src) +{ + if (src->head == NULL) return SECSuccess; + + if (target->tail == NULL) { + target->head = src->head; + } else { + target->tail->next = src->head; + } + src->head->prev = target->tail; + target->tail = src->tail; + src->head = src->tail = NULL; + return SECSuccess; +} + +/* + * get an element from the list with a reference. You must own the list. + */ +PK11SlotListElement * +PK11_GetFirstRef(PK11SlotList *list) +{ + PK11SlotListElement *le; + + le = list->head; + if (le != NULL) (le)->refCount++; + return le; +} + +/* + * get the next element from the list with a reference. You must own the list. + */ +PK11SlotListElement * +PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart) +{ + PK11SlotListElement *new_le; + new_le = le->next; + if (new_le) new_le->refCount++; + pk11_FreeListElement(list,le); + return new_le; +} + +/* + * get an element safely from the list. This just makes sure that if + * this element is not deleted while we deal with it. + */ +PK11SlotListElement * +PK11_GetFirstSafe(PK11SlotList *list) +{ + PK11SlotListElement *le; + + PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));) + le = list->head; + if (le != NULL) (le)->refCount++; + PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));) + return le; +} + +/* + * NOTE: if this element gets deleted, we can no longer safely traverse using + * it's pointers. We can either terminate the loop, or restart from the + * beginning. This is controlled by the restart option. + */ +PK11SlotListElement * +PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart) +{ + PK11SlotListElement *new_le; + PK11_USE_THREADS(PZ_Lock((PZLock *)(list->lock));) + new_le = le->next; + if (le->next == NULL) { + /* if the prev and next fields are NULL then either this element + * has been removed and we need to walk the list again (if restart + * is true) or this was the only element on the list */ + if ((le->prev == NULL) && restart && (list->head != le)) { + new_le = list->head; + } + } + if (new_le) new_le->refCount++; + PK11_USE_THREADS(PZ_Unlock((PZLock *)(list->lock));) + pk11_FreeListElement(list,le); + return new_le; +} + + +/* + * Find the element that holds this slot + */ +PK11SlotListElement * +PK11_FindSlotElement(PK11SlotList *list,PK11SlotInfo *slot) +{ + PK11SlotListElement *le; + + for (le = PK11_GetFirstSafe(list); le; + le = PK11_GetNextSafe(list,le,PR_TRUE)) { + if (le->slot == slot) return le; + } + return NULL; +} + +/************************************************************ + * Generic Slot Utilities + ************************************************************/ +/* + * Create a new slot structure + */ +PK11SlotInfo * +PK11_NewSlotInfo(void) +{ + PK11SlotInfo *slot; + + slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo)); + if (slot == NULL) return slot; + +#ifdef PKCS11_USE_THREADS + slot->refLock = PZ_NewLock(nssILockSlot); + if (slot->refLock == NULL) { + PORT_Free(slot); + return slot; + } + slot->sessionLock = PZ_NewLock(nssILockSession); + if (slot->sessionLock == NULL) { + PZ_DestroyLock(slot->refLock); + PORT_Free(slot); + return slot; + } + slot->freeListLock = PZ_NewLock(nssILockFreelist); + if (slot->freeListLock == NULL) { + PZ_DestroyLock(slot->sessionLock); + PZ_DestroyLock(slot->refLock); + PORT_Free(slot); + return slot; + } +#else + slot->sessionLock = NULL; + slot->refLock = NULL; + slot->freeListLock = NULL; +#endif + slot->freeSymKeysHead = NULL; + slot->keyCount = 0; + slot->maxKeyCount = 0; + slot->functionList = NULL; + slot->needTest = PR_TRUE; + slot->isPerm = PR_FALSE; + slot->isHW = PR_FALSE; + slot->isInternal = PR_FALSE; + slot->isThreadSafe = PR_FALSE; + slot->disabled = PR_FALSE; + slot->series = 1; + slot->wrapKey = 0; + slot->wrapMechanism = CKM_INVALID_MECHANISM; + slot->refKeys[0] = CK_INVALID_HANDLE; + slot->reason = PK11_DIS_NONE; + slot->readOnly = PR_TRUE; + slot->needLogin = PR_FALSE; + slot->hasRandom = PR_FALSE; + slot->defRWSession = PR_FALSE; + slot->protectedAuthPath = PR_FALSE; + slot->flags = 0; + slot->session = CK_INVALID_SESSION; + slot->slotID = 0; + slot->defaultFlags = 0; + slot->refCount = 1; + slot->askpw = 0; + slot->timeout = 0; + slot->mechanismList = NULL; + slot->mechanismCount = 0; + slot->cert_array = NULL; + slot->cert_count = 0; + slot->slot_name[0] = 0; + slot->token_name[0] = 0; + PORT_Memset(slot->serial,' ',sizeof(slot->serial)); + slot->module = NULL; + slot->authTransact = 0; + slot->authTime = LL_ZERO; + slot->minPassword = 0; + slot->maxPassword = 0; + slot->hasRootCerts = PR_FALSE; + slot->nssToken = NULL; + return slot; +} + +/* create a new reference to a slot so it doesn't go away */ +PK11SlotInfo * +PK11_ReferenceSlot(PK11SlotInfo *slot) +{ + PK11_USE_THREADS(PZ_Lock(slot->refLock);) + slot->refCount++; + PK11_USE_THREADS(PZ_Unlock(slot->refLock);) + return slot; +} + +/* Destroy all info on a slot we have built up */ +void +PK11_DestroySlot(PK11SlotInfo *slot) +{ + /* first free up all the sessions on this slot */ + if (slot->functionList) { + PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID); + } + + /* free up the cached keys and sessions */ + PK11_CleanKeyList(slot); + + if (slot->mechanismList) { + PORT_Free(slot->mechanismList); + } + + /* finally Tell our parent module that we've gone away so it can unload */ + if (slot->module) { + SECMOD_SlotDestroyModule(slot->module,PR_TRUE); + } +#ifdef PKCS11_USE_THREADS + if (slot->refLock) { + PZ_DestroyLock(slot->refLock); + slot->refLock = NULL; + } + if (slot->sessionLock) { + PZ_DestroyLock(slot->sessionLock); + slot->sessionLock = NULL; + } + if (slot->freeListLock) { + PZ_DestroyLock(slot->freeListLock); + slot->freeListLock = NULL; + } +#endif + + /* ok, well not quit finally... now we free the memory */ + PORT_Free(slot); +} + + +/* We're all done with the slot, free it */ +void +PK11_FreeSlot(PK11SlotInfo *slot) +{ + PRBool freeit = PR_FALSE; + + PK11_USE_THREADS(PZ_Lock(slot->refLock);) + if (slot->refCount-- == 1) freeit = PR_TRUE; + PK11_USE_THREADS(PZ_Unlock(slot->refLock);) + + if (freeit) PK11_DestroySlot(slot); +} + +void +PK11_EnterSlotMonitor(PK11SlotInfo *slot) { + PZ_Lock(slot->sessionLock); +} + +void +PK11_ExitSlotMonitor(PK11SlotInfo *slot) { + PZ_Unlock(slot->sessionLock); +} + +/*********************************************************** + * Functions to find specific slots. + ***********************************************************/ +PRBool +SECMOD_HasRootCerts(void) +{ + SECMODModuleList *mlp; + SECMODModuleList *modules = SECMOD_GetDefaultModuleList(); + SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); + int i; + PRBool found = PR_FALSE; + + /* work through all the slots */ + SECMOD_GetReadLock(moduleLock); + for(mlp = modules; mlp != NULL; mlp = mlp->next) { + for (i=0; i < mlp->module->slotCount; i++) { + PK11SlotInfo *tmpSlot = mlp->module->slots[i]; + if (PK11_IsPresent(tmpSlot)) { + if (tmpSlot->hasRootCerts) { + found = PR_TRUE; + break; + } + } + } + if (found) break; + } + SECMOD_ReleaseReadLock(moduleLock); + + return found; +} + +/*********************************************************** + * Functions to find specific slots. + ***********************************************************/ +PK11SlotInfo * +PK11_FindSlotByName(char *name) +{ + SECMODModuleList *mlp; + SECMODModuleList *modules = SECMOD_GetDefaultModuleList(); + SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); + int i; + PK11SlotInfo *slot = NULL; + + if ((name == NULL) || (*name == 0)) { + return PK11_GetInternalKeySlot(); + } + + /* work through all the slots */ + SECMOD_GetReadLock(moduleLock); + for(mlp = modules; mlp != NULL; mlp = mlp->next) { + for (i=0; i < mlp->module->slotCount; i++) { + PK11SlotInfo *tmpSlot = mlp->module->slots[i]; + if (PK11_IsPresent(tmpSlot)) { + if (PORT_Strcmp(tmpSlot->token_name,name) == 0) { + slot = PK11_ReferenceSlot(tmpSlot); + break; + } + } + } + if (slot != NULL) break; + } + SECMOD_ReleaseReadLock(moduleLock); + + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + } + + return slot; +} + + +PK11SlotInfo * +PK11_FindSlotBySerial(char *serial) +{ + SECMODModuleList *mlp; + SECMODModuleList *modules = SECMOD_GetDefaultModuleList(); + SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); + int i; + PK11SlotInfo *slot = NULL; + + /* work through all the slots */ + SECMOD_GetReadLock(moduleLock); + for(mlp = modules; mlp != NULL; mlp = mlp->next) { + for (i=0; i < mlp->module->slotCount; i++) { + PK11SlotInfo *tmpSlot = mlp->module->slots[i]; + if (PK11_IsPresent(tmpSlot)) { + if (PORT_Memcmp(tmpSlot->serial,serial, + sizeof(tmpSlot->serial)) == 0) { + slot = PK11_ReferenceSlot(tmpSlot); + break; + } + } + } + if (slot != NULL) break; + } + SECMOD_ReleaseReadLock(moduleLock); + + if (slot == NULL) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + } + + return slot; +} + + + + +/*********************************************************** + * Password Utilities + ***********************************************************/ +/* + * Check the user's password. Log into the card if it's correct. + * succeed if the user is already logged in. + */ +SECStatus +pk11_CheckPassword(PK11SlotInfo *slot,char *pw) +{ + int len = PORT_Strlen(pw); + CK_RV crv; + SECStatus rv; + int64 currtime = PR_Now(); + + if (slot->protectedAuthPath) { + len = 0; + pw = NULL; + } + + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER, + (unsigned char *)pw,len); + slot->lastLoginCheck = 0; + PK11_ExitSlotMonitor(slot); + switch (crv) { + /* if we're already logged in, we're good to go */ + case CKR_OK: + slot->authTransact = PK11_Global.transaction; + case CKR_USER_ALREADY_LOGGED_IN: + slot->authTime = currtime; + rv = SECSuccess; + break; + case CKR_PIN_INCORRECT: + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ + break; + default: + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; /* some failure we can't fix by retrying */ + } + return rv; +} + +/* + * Check the user's password. Logout before hand to make sure that + * we are really checking the password. + */ +SECStatus +PK11_CheckUserPassword(PK11SlotInfo *slot,char *pw) +{ + int len = PORT_Strlen(pw); + CK_RV crv; + SECStatus rv; + int64 currtime = PR_Now(); + + if (slot->protectedAuthPath) { + len = 0; + pw = NULL; + } + + /* force a logout */ + PK11_EnterSlotMonitor(slot); + PK11_GETTAB(slot)->C_Logout(slot->session); + + crv = PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER, + (unsigned char *)pw,len); + slot->lastLoginCheck = 0; + PK11_ExitSlotMonitor(slot); + switch (crv) { + /* if we're already logged in, we're good to go */ + case CKR_OK: + slot->authTransact = PK11_Global.transaction; + slot->authTime = currtime; + rv = SECSuccess; + break; + case CKR_PIN_INCORRECT: + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ + break; + default: + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; /* some failure we can't fix by retrying */ + } + return rv; +} + +SECStatus +PK11_Logout(PK11SlotInfo *slot) +{ + CK_RV crv; + + /* force a logout */ + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_Logout(slot->session); + slot->lastLoginCheck = 0; + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + return SECSuccess; +} + +/* + * transaction stuff is for when we test for the need to do every + * time auth to see if we already did it for this slot/transaction + */ +void PK11_StartAuthTransaction(void) +{ +PK11_Global.transaction++; +PK11_Global.inTransaction = PR_TRUE; +} + +void PK11_EndAuthTransaction(void) +{ +PK11_Global.transaction++; +PK11_Global.inTransaction = PR_FALSE; +} + +/* + * before we do a private key op, we check to see if we + * need to reauthenticate. + */ +void +PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx) +{ + int askpw = slot->askpw; + PRBool NeedAuth = PR_FALSE; + + if (!slot->needLogin) return; + + if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { + PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); + + if (def_slot) { + askpw = def_slot->askpw; + PK11_FreeSlot(def_slot); + } + } + + /* timeouts are handled by isLoggedIn */ + if (!PK11_IsLoggedIn(slot,wincx)) { + NeedAuth = PR_TRUE; + } else if (askpw == -1) { + if (!PK11_Global.inTransaction || + (PK11_Global.transaction != slot->authTransact)) { + PK11_EnterSlotMonitor(slot); + PK11_GETTAB(slot)->C_Logout(slot->session); + slot->lastLoginCheck = 0; + PK11_ExitSlotMonitor(slot); + NeedAuth = PR_TRUE; + } + } + if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx); +} + +void +PK11_SlotDBUpdate(PK11SlotInfo *slot) +{ + SECMOD_UpdateModule(slot->module); +} + +/* + * set new askpw and timeout values + */ +void +PK11_SetSlotPWValues(PK11SlotInfo *slot,int askpw, int timeout) +{ + slot->askpw = askpw; + slot->timeout = timeout; + slot->defaultFlags |= PK11_OWN_PW_DEFAULTS; + PK11_SlotDBUpdate(slot); +} + +/* + * Get the askpw and timeout values for this slot + */ +void +PK11_GetSlotPWValues(PK11SlotInfo *slot,int *askpw, int *timeout) +{ + *askpw = slot->askpw; + *timeout = slot->timeout; + + if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { + PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); + + if (def_slot) { + *askpw = def_slot->askpw; + *timeout = def_slot->timeout; + PK11_FreeSlot(def_slot); + } + } +} + +/* + * make sure a slot is authenticated... + */ +SECStatus +PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) { + if (slot->needLogin && !PK11_IsLoggedIn(slot,wincx)) { + return PK11_DoPassword(slot,loadCerts,wincx); + } + return SECSuccess; +} + +/* + * notification stub. If we ever get interested in any events that + * the pkcs11 functions may pass back to use, we can catch them here... + * currently pdata is a slotinfo structure. + */ +CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event, + CK_VOID_PTR pdata) +{ + return CKR_OK; +} + + +/* + * grab a new RW session + * !!! has a side effect of grabbing the Monitor if either the slot's default + * session is RW or the slot is not thread safe. Monitor is release in function + * below + */ +CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot) +{ + CK_SESSION_HANDLE rwsession; + CK_RV crv; + + if (!slot->isThreadSafe || slot->defRWSession) PK11_EnterSlotMonitor(slot); + if (slot->defRWSession) return slot->session; + + crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, + CKF_RW_SESSION|CKF_SERIAL_SESSION, + slot, pk11_notify,&rwsession); + if (crv == CKR_SESSION_COUNT) { + PK11_GETTAB(slot)->C_CloseSession(slot->session); + slot->session = CK_INVALID_SESSION; + crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, + CKF_RW_SESSION|CKF_SERIAL_SESSION, + slot,pk11_notify,&rwsession); + } + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + if (slot->session == CK_INVALID_SESSION) { + PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION, + slot,pk11_notify,&slot->session); + } + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + return CK_INVALID_SESSION; + } + + return rwsession; +} + +PRBool +PK11_RWSessionHasLock(PK11SlotInfo *slot,CK_SESSION_HANDLE session_handle) { + return (PRBool)(!slot->isThreadSafe || slot->defRWSession); +} + +/* + * close the rwsession and restore our readonly session + * !!! has a side effect of releasing the Monitor if either the slot's default + * session is RW or the slot is not thread safe. + */ +void +PK11_RestoreROSession(PK11SlotInfo *slot,CK_SESSION_HANDLE rwsession) +{ + if (slot->defRWSession) { + PK11_ExitSlotMonitor(slot); + return; + } + PK11_GETTAB(slot)->C_CloseSession(rwsession); + if (slot->session == CK_INVALID_SESSION) { + PK11_GETTAB(slot)->C_OpenSession(slot->slotID,CKF_SERIAL_SESSION, + slot,pk11_notify,&slot->session); + } + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); +} + +/* + * NOTE: this assumes that we are logged out of the card before hand + */ +SECStatus +PK11_CheckSSOPassword(PK11SlotInfo *slot, char *ssopw) +{ + CK_SESSION_HANDLE rwsession; + CK_RV crv; + SECStatus rv = SECFailure; + int len = PORT_Strlen(ssopw); + + /* get a rwsession */ + rwsession = PK11_GetRWSession(slot); + if (rwsession == CK_INVALID_SESSION) return rv; + + if (slot->protectedAuthPath) { + len = 0; + ssopw = NULL; + } + + /* check the password */ + crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO, + (unsigned char *)ssopw,len); + slot->lastLoginCheck = 0; + switch (crv) { + /* if we're already logged in, we're good to go */ + case CKR_OK: + rv = SECSuccess; + break; + case CKR_PIN_INCORRECT: + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + rv = SECWouldBlock; /* everything else is ok, only the pin is bad */ + break; + default: + PORT_SetError(PK11_MapError(crv)); + rv = SECFailure; /* some failure we can't fix by retrying */ + } + PK11_GETTAB(slot)->C_Logout(rwsession); + slot->lastLoginCheck = 0; + + /* release rwsession */ + PK11_RestoreROSession(slot,rwsession); + return rv; +} + +/* + * make sure the password conforms to your token's requirements. + */ +SECStatus +PK11_VerifyPW(PK11SlotInfo *slot,char *pw) +{ + int len = PORT_Strlen(pw); + + if ((slot->minPassword > len) || (slot->maxPassword < len)) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + return SECSuccess; +} + +/* + * initialize a user PIN Value + */ +SECStatus +PK11_InitPin(PK11SlotInfo *slot,char *ssopw, char *userpw) +{ + CK_SESSION_HANDLE rwsession = CK_INVALID_SESSION; + CK_RV crv; + SECStatus rv = SECFailure; + int len; + int ssolen; + + if (userpw == NULL) userpw = ""; + if (ssopw == NULL) ssopw = ""; + + len = PORT_Strlen(userpw); + ssolen = PORT_Strlen(ssopw); + + /* get a rwsession */ + rwsession = PK11_GetRWSession(slot); + if (rwsession == CK_INVALID_SESSION) goto done; + + if (slot->protectedAuthPath) { + len = 0; + ssolen = 0; + ssopw = NULL; + userpw = NULL; + } + + /* check the password */ + crv = PK11_GETTAB(slot)->C_Login(rwsession,CKU_SO, + (unsigned char *)ssopw,ssolen); + slot->lastLoginCheck = 0; + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + goto done; + } + + crv = PK11_GETTAB(slot)->C_InitPIN(rwsession,(unsigned char *)userpw,len); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + } else { + rv = SECSuccess; + } + +done: + PK11_GETTAB(slot)->C_Logout(rwsession); + slot->lastLoginCheck = 0; + PK11_RestoreROSession(slot,rwsession); + if (rv == SECSuccess) { + /* update our view of the world */ + PK11_InitToken(slot,PR_TRUE); + PK11_EnterSlotMonitor(slot); + PK11_GETTAB(slot)->C_Login(slot->session,CKU_USER, + (unsigned char *)userpw,len); + slot->lastLoginCheck = 0; + PK11_ExitSlotMonitor(slot); + } + return rv; +} + +/* + * Change an existing user password + */ +SECStatus +PK11_ChangePW(PK11SlotInfo *slot,char *oldpw, char *newpw) +{ + CK_RV crv; + SECStatus rv = SECFailure; + int newLen; + int oldLen; + CK_SESSION_HANDLE rwsession; + + if (newpw == NULL) newpw = ""; + if (oldpw == NULL) oldpw = ""; + newLen = PORT_Strlen(newpw); + oldLen = PORT_Strlen(oldpw); + + /* get a rwsession */ + rwsession = PK11_GetRWSession(slot); + + crv = PK11_GETTAB(slot)->C_SetPIN(rwsession, + (unsigned char *)oldpw,oldLen,(unsigned char *)newpw,newLen); + if (crv == CKR_OK) { + rv = SECSuccess; + } else { + PORT_SetError(PK11_MapError(crv)); + } + + PK11_RestoreROSession(slot,rwsession); + + /* update our view of the world */ + PK11_InitToken(slot,PR_TRUE); + return rv; +} + +static char * +pk11_GetPassword(PK11SlotInfo *slot, PRBool retry, void * wincx) +{ + if (PK11_Global.getPass == NULL) return NULL; + return (*PK11_Global.getPass)(slot, retry, wincx); +} + +void +PK11_SetPasswordFunc(PK11PasswordFunc func) +{ + PK11_Global.getPass = func; +} + +void +PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func) +{ + PK11_Global.verifyPass = func; +} + +void +PK11_SetIsLoggedInFunc(PK11IsLoggedInFunc func) +{ + PK11_Global.isLoggedIn = func; +} + + +/* + * authenticate to a slot. This loops until we can't recover, the user + * gives up, or we succeed. If we're already logged in and this function + * is called we will still prompt for a password, but we will probably + * succeed no matter what the password was (depending on the implementation + * of the PKCS 11 module. + */ +SECStatus +PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) +{ + SECStatus rv = SECFailure; + char * password; + PRBool attempt = PR_FALSE; + + if (PK11_NeedUserInit(slot)) { + PORT_SetError(SEC_ERROR_IO); + return SECFailure; + } + + + /* + * Central server type applications which control access to multiple + * slave applications to single crypto devices need to virtuallize the + * login state. This is done by a callback out of PK11_IsLoggedIn and + * here. If we are actually logged in, then we got here because the + * higher level code told us that the particular client application may + * still need to be logged in. If that is the case, we simply tell the + * server code that it should now verify the clients password and tell us + * the results. + */ + if (PK11_IsLoggedIn(slot,NULL) && + (PK11_Global.verifyPass != NULL)) { + if (!PK11_Global.verifyPass(slot,wincx)) { + PORT_SetError(SEC_ERROR_BAD_PASSWORD); + return SECFailure; + } + return SECSuccess; + } + + /* get the password. This can drop out of the while loop + * for the following reasons: + * (1) the user refused to enter a password. + * (return error to caller) + * (2) the token user password is disabled [usually due to + * too many failed authentication attempts]. + * (return error to caller) + * (3) the password was successful. + */ + while ((password = pk11_GetPassword(slot, attempt, wincx)) != NULL) { + attempt = PR_TRUE; + rv = pk11_CheckPassword(slot,password); + PORT_Memset(password, 0, PORT_Strlen(password)); + PORT_Free(password); + if (rv != SECWouldBlock) break; + } + if (rv == SECSuccess) { + rv = pk11_CheckVerifyTest(slot); + if (!PK11_IsFriendly(slot)) { + nssTrustDomain_UpdateCachedTokenCerts(slot->nssToken->trustDomain, + slot->nssToken); + } + } else if (!attempt) PORT_SetError(SEC_ERROR_BAD_PASSWORD); + return rv; +} + +void PK11_LogoutAll(void) +{ + SECMODListLock *lock = SECMOD_GetDefaultModuleListLock(); + SECMODModuleList *modList = SECMOD_GetDefaultModuleList(); + SECMODModuleList *mlp = NULL; + int i; + + SECMOD_GetReadLock(lock); + /* find the number of entries */ + for (mlp = modList; mlp != NULL; mlp = mlp->next) { + for (i=0; i < mlp->module->slotCount; i++) { + PK11_Logout(mlp->module->slots[i]); + } + } + + SECMOD_ReleaseReadLock(lock); +} + +int +PK11_GetMinimumPwdLength(PK11SlotInfo *slot) +{ + return ((int)slot->minPassword); +} + +/************************************************************ + * Manage the built-In Slot Lists + ************************************************************/ + +/* Init the static built int slot list (should actually integrate + * with PK11_NewSlotList */ +static void +pk11_initSlotList(PK11SlotList *list) +{ +#ifdef PKCS11_USE_THREADS + list->lock = PZ_NewLock(nssILockList); +#else + list->lock = NULL; +#endif + list->head = NULL; +} + +static void +pk11_freeSlotList(PK11SlotList *list) +{ + PK11SlotListElement *le, *next ; + if (list == NULL) return; + + for (le = list->head ; le; le = next) { + next = le->next; + pk11_FreeListElement(list,le); + } +#ifdef PK11_USE_THREADS + if (list->lock) { + PZ_DestroyLock((PZLock *)(list->lock)); + } +#endif + list->lock = NULL; + list->head = NULL; +} + +/* initialize the system slotlists */ +SECStatus +PK11_InitSlotLists(void) +{ + pk11_initSlotList(&pk11_aesSlotList); + pk11_initSlotList(&pk11_desSlotList); + pk11_initSlotList(&pk11_rc4SlotList); + pk11_initSlotList(&pk11_rc2SlotList); + pk11_initSlotList(&pk11_rc5SlotList); + pk11_initSlotList(&pk11_md5SlotList); + pk11_initSlotList(&pk11_md2SlotList); + pk11_initSlotList(&pk11_sha1SlotList); + pk11_initSlotList(&pk11_rsaSlotList); + pk11_initSlotList(&pk11_dsaSlotList); + pk11_initSlotList(&pk11_dhSlotList); + pk11_initSlotList(&pk11_ideaSlotList); + pk11_initSlotList(&pk11_sslSlotList); + pk11_initSlotList(&pk11_tlsSlotList); + pk11_initSlotList(&pk11_randomSlotList); + return SECSuccess; +} + +void +PK11_DestroySlotLists(void) +{ + pk11_freeSlotList(&pk11_aesSlotList); + pk11_freeSlotList(&pk11_desSlotList); + pk11_freeSlotList(&pk11_rc4SlotList); + pk11_freeSlotList(&pk11_rc2SlotList); + pk11_freeSlotList(&pk11_rc5SlotList); + pk11_freeSlotList(&pk11_md5SlotList); + pk11_freeSlotList(&pk11_md2SlotList); + pk11_freeSlotList(&pk11_sha1SlotList); + pk11_freeSlotList(&pk11_rsaSlotList); + pk11_freeSlotList(&pk11_dsaSlotList); + pk11_freeSlotList(&pk11_dhSlotList); + pk11_freeSlotList(&pk11_ideaSlotList); + pk11_freeSlotList(&pk11_sslSlotList); + pk11_freeSlotList(&pk11_tlsSlotList); + pk11_freeSlotList(&pk11_randomSlotList); + return; +} + +/* return a system slot list based on mechanism */ +PK11SlotList * +PK11_GetSlotList(CK_MECHANISM_TYPE type) +{ +/* XXX a workaround for Bugzilla bug #55267 */ +#if defined(HPUX) && defined(__LP64__) + if (CKM_INVALID_MECHANISM == type) + return NULL; +#endif + switch (type) { + case CKM_AES_CBC: + case CKM_AES_ECB: + return &pk11_aesSlotList; + case CKM_DES_CBC: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_DES3_CBC: + return &pk11_desSlotList; + case CKM_RC4: + return &pk11_rc4SlotList; + case CKM_RC5_CBC: + return &pk11_rc5SlotList; + case CKM_SHA_1: + return &pk11_sha1SlotList; + case CKM_MD5: + return &pk11_md5SlotList; + case CKM_MD2: + return &pk11_md2SlotList; + case CKM_RC2_ECB: + case CKM_RC2_CBC: + return &pk11_rc2SlotList; + case CKM_RSA_PKCS: + case CKM_RSA_PKCS_KEY_PAIR_GEN: + case CKM_RSA_X_509: + return &pk11_rsaSlotList; + case CKM_DSA: + return &pk11_dsaSlotList; + case CKM_DH_PKCS_KEY_PAIR_GEN: + case CKM_DH_PKCS_DERIVE: + return &pk11_dhSlotList; + case CKM_SSL3_PRE_MASTER_KEY_GEN: + case CKM_SSL3_MASTER_KEY_DERIVE: + case CKM_SSL3_SHA1_MAC: + case CKM_SSL3_MD5_MAC: + return &pk11_sslSlotList; + case CKM_TLS_MASTER_KEY_DERIVE: + case CKM_TLS_KEY_AND_MAC_DERIVE: + return &pk11_tlsSlotList; + case CKM_IDEA_CBC: + case CKM_IDEA_ECB: + return &pk11_ideaSlotList; + case CKM_FAKE_RANDOM: + return &pk11_randomSlotList; + } + return NULL; +} + +/* + * load the static SlotInfo structures used to select a PKCS11 slot. + * preSlotInfo has a list of all the default flags for the slots on this + * module. + */ +void +PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count) +{ + int i; + + for (i=0; i < count; i++) { + if (psi[i].slotID == slot->slotID) + break; + } + + if (i == count) return; + + slot->defaultFlags = psi[i].defaultFlags; + slot->askpw = psi[i].askpw; + slot->timeout = psi[i].timeout; + slot->hasRootCerts = psi[i].hasRootCerts; + + /* if the slot is already disabled, don't load them into the + * default slot lists. We get here so we can save the default + * list value. */ + if (slot->disabled) return; + + /* if the user has disabled us, don't load us in */ + if (slot->defaultFlags & PK11_DISABLE_FLAG) { + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_USER_SELECTED; + /* free up sessions and things?? */ + return; + } + + for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]); + i++) { + if (slot->defaultFlags & PK11_DefaultArray[i].flag) { + CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; + PK11SlotList *slotList = PK11_GetSlotList(mechanism); + + if (slotList) PK11_AddSlotToList(slotList,slot); + } + } + + return; +} + + +/* + * update a slot to its new attribute according to the slot list + * returns: SECSuccess if nothing to do or add/delete is successful + */ +SECStatus +PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry, + PRBool add) + /* add: PR_TRUE if want to turn on */ +{ + SECStatus result = SECSuccess; + PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism); + + if (add) { /* trying to turn on a mechanism */ + + /* turn on the default flag in the slot */ + slot->defaultFlags |= entry->flag; + + /* add this slot to the list */ + if (slotList!=NULL) + result = PK11_AddSlotToList(slotList, slot); + + } else { /* trying to turn off */ + + /* turn OFF the flag in the slot */ + slot->defaultFlags &= ~entry->flag; + + if (slotList) { + /* find the element in the list & delete it */ + PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot); + + /* remove the slot from the list */ + if (le) + result = PK11_DeleteSlotFromList(slotList, le); + } + } + return result; +} + +/* + * clear a slot off of all of it's default list + */ +void +PK11_ClearSlotList(PK11SlotInfo *slot) +{ + int i; + + if (slot->disabled) return; + if (slot->defaultFlags == 0) return; + + for (i=0; i < sizeof(PK11_DefaultArray)/sizeof(PK11_DefaultArray[0]); + i++) { + if (slot->defaultFlags & PK11_DefaultArray[i].flag) { + CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; + PK11SlotList *slotList = PK11_GetSlotList(mechanism); + PK11SlotListElement *le = NULL; + + if (slotList) le = PK11_FindSlotElement(slotList,slot); + + if (le) { + PK11_DeleteSlotFromList(slotList,le); + pk11_FreeListElement(slotList,le); + } + } + } +} + + +/****************************************************************** + * Slot initialization + ******************************************************************/ +/* + * turn a PKCS11 Static Label into a string + */ +char * +PK11_MakeString(PRArenaPool *arena,char *space, + char *staticString,int stringLen) +{ + int i; + char *newString; + for(i=(stringLen-1); i >= 0; i--) { + if (staticString[i] != ' ') break; + } + /* move i to point to the last space */ + i++; + if (arena) { + newString = (char*)PORT_ArenaAlloc(arena,i+1 /* space for NULL */); + } else if (space) { + newString = space; + } else { + newString = (char*)PORT_Alloc(i+1 /* space for NULL */); + } + if (newString == NULL) return NULL; + + if (i) PORT_Memcpy(newString,staticString, i); + newString[i] = 0; + + return newString; +} + +/* + * verify that slot implements Mechanism mech properly by checking against + * our internal implementation + */ +PRBool +PK11_VerifyMechanism(PK11SlotInfo *slot,PK11SlotInfo *intern, + CK_MECHANISM_TYPE mech, SECItem *data, SECItem *iv) +{ + PK11Context *test = NULL, *reference = NULL; + PK11SymKey *symKey = NULL, *testKey = NULL; + SECItem *param = NULL; + unsigned char encTest[8]; + unsigned char encRef[8]; + int outLenTest,outLenRef; + int key_size = 0; + PRBool verify = PR_FALSE; + SECStatus rv; + + if ((mech == CKM_RC2_CBC) || (mech == CKM_RC2_ECB) || (mech == CKM_RC4)) { + key_size = 16; + } + + /* initialize the mechanism parameter */ + param = PK11_ParamFromIV(mech,iv); + if (param == NULL) goto loser; + + /* load the keys and contexts */ + symKey = PK11_KeyGen(intern,mech,NULL, key_size, NULL); + if (symKey == NULL) goto loser; + + reference = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, symKey, param); + if (reference == NULL) goto loser; + + testKey = pk11_CopyToSlot(slot, mech, CKA_ENCRYPT, symKey); + if (testKey == NULL) goto loser; + + test = PK11_CreateContextBySymKey(mech, CKA_ENCRYPT, testKey, param); + if (test == NULL) goto loser; + SECITEM_FreeItem(param,PR_TRUE); param = NULL; + + /* encrypt the test data */ + rv = PK11_CipherOp(test,encTest,&outLenTest,sizeof(encTest), + data->data,data->len); + if (rv != SECSuccess) goto loser; + rv = PK11_CipherOp(reference,encRef,&outLenRef,sizeof(encRef), + data->data,data->len); + if (rv != SECSuccess) goto loser; + + PK11_DestroyContext(reference,PR_TRUE); reference = NULL; + PK11_DestroyContext(test,PR_TRUE); test = NULL; + + if (outLenTest != outLenRef) goto loser; + if (PORT_Memcmp(encTest, encRef, outLenTest) != 0) goto loser; + + verify = PR_TRUE; + +loser: + if (test) PK11_DestroyContext(test,PR_TRUE); + if (symKey) PK11_FreeSymKey(symKey); + if (testKey) PK11_FreeSymKey(testKey); + if (reference) PK11_DestroyContext(reference,PR_TRUE); + if (param) SECITEM_FreeItem(param,PR_TRUE); + + return verify; +} + +/* + * this code verifies that the advertised mechanisms are what they + * seem to be. + */ +#define MAX_MECH_LIST_SIZE 30 /* we only know of about 30 odd mechanisms */ +PRBool +PK11_VerifySlotMechanisms(PK11SlotInfo *slot) +{ + CK_MECHANISM_TYPE mechListArray[MAX_MECH_LIST_SIZE]; + CK_MECHANISM_TYPE *mechList = mechListArray; + static SECItem data; + static SECItem iv; + static unsigned char dataV[8]; + static unsigned char ivV[8]; + static PRBool generated = PR_FALSE; + CK_ULONG count; + int i; + CK_RV crv; + + PRBool alloced = PR_FALSE; + PK11SlotInfo *intern = PK11_GetInternalSlot(); + + /* if we couldn't initialize an internal module, + * we can't check external ones */ + if (intern == NULL) return PR_FALSE; + + /* first get the count of mechanisms */ + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count); + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PK11_FreeSlot(intern); + return PR_FALSE; + } + + + /* don't blow up just because the card supports more mechanisms than + * we know about, just alloc space for them */ + if (count > MAX_MECH_LIST_SIZE) { + mechList = (CK_MECHANISM_TYPE *) + PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE)); + alloced = PR_TRUE; + if (mechList == NULL) { + PK11_FreeSlot(intern); + return PR_FALSE; + } + } + /* get the list */ + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + crv =PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, mechList, &count); + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + if (alloced) PORT_Free(mechList); + PK11_FreeSlot(intern); + return PR_FALSE; + } + + if (!generated) { + data.data = dataV; + data.len = sizeof(dataV); + iv.data = ivV; + iv.len = sizeof(ivV); + /* ok, this is a cheat, we know our internal random number generater + * is thread safe */ + PK11_GETTAB(intern)->C_GenerateRandom(intern->session, + data.data, data.len); + PK11_GETTAB(intern)->C_GenerateRandom(intern->session, + iv.data, iv.len); + } + for (i=0; i < (int) count; i++) { + switch (mechList[i]) { + case CKM_DES_CBC: + case CKM_DES_ECB: + case CKM_RC4: + case CKM_RC2_CBC: + case CKM_RC2_ECB: + if (!PK11_VerifyMechanism(slot,intern,mechList[i],&data,&iv)){ + if (alloced) PORT_Free(mechList); + PK11_FreeSlot(intern); + return PR_FALSE; + } + } + } + if (alloced) PORT_Free(mechList); + PK11_FreeSlot(intern); + return PR_TRUE; +} + +/* + * See if we need to run the verify test, do so if necessary. If we fail, + * disable the slot. + */ +SECStatus +pk11_CheckVerifyTest(PK11SlotInfo *slot) +{ + PK11_EnterSlotMonitor(slot); + if (slot->needTest) { + slot->needTest = PR_FALSE; + PK11_ExitSlotMonitor(slot); + if (!PK11_VerifySlotMechanisms(slot)) { + (void)PK11_GETTAB(slot)->C_CloseSession(slot->session); + slot->session = CK_INVALID_SESSION; + PK11_ClearSlotList(slot); + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_TOKEN_VERIFY_FAILED; + slot->needTest = PR_TRUE; + PORT_SetError(SEC_ERROR_IO); + return SECFailure; + } + } else { + PK11_ExitSlotMonitor(slot); + } + return SECSuccess; +} + +/* + * Reads in the slots mechanism list for later use + */ +SECStatus +PK11_ReadMechanismList(PK11SlotInfo *slot) +{ + CK_ULONG count; + CK_RV crv; + + if (slot->mechanismList) { + PORT_Free(slot->mechanismList); + slot->mechanismList = NULL; + } + slot->mechanismCount = 0; + + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,NULL,&count); + if (crv != CKR_OK) { + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + + slot->mechanismList = (CK_MECHANISM_TYPE *) + PORT_Alloc(count *sizeof(CK_MECHANISM_TYPE)); + if (slot->mechanismList == NULL) { + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + return SECFailure; + } + crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, + slot->mechanismList, &count); + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_Free(slot->mechanismList); + slot->mechanismList = NULL; + PORT_SetError(PK11_MapError(crv)); + return SECSuccess; + } + slot->mechanismCount = count; + return SECSuccess; +} + +/* + * initialize a new token + * unlike initialize slot, this can be called multiple times in the lifetime + * of NSS. It reads the information associated with a card or token, + * that is not going to change unless the card or token changes. + */ +SECStatus +PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) +{ + CK_TOKEN_INFO tokenInfo; + CK_RV crv; + char *tmp; + SECStatus rv; + + /* set the slot flags to the current token values */ + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,&tokenInfo); + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + + /* set the slot flags to the current token values */ + slot->series++; /* allow other objects to detect that the + * slot is different */ + slot->flags = tokenInfo.flags; + slot->needLogin = ((tokenInfo.flags & CKF_LOGIN_REQUIRED) ? + PR_TRUE : PR_FALSE); + slot->readOnly = ((tokenInfo.flags & CKF_WRITE_PROTECTED) ? + PR_TRUE : PR_FALSE); + slot->hasRandom = ((tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); + slot->protectedAuthPath = + ((tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) + ? PR_TRUE : PR_FALSE); + slot->lastLoginCheck = 0; + slot->lastState = 0; + /* on some platforms Active Card incorrectly sets the + * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */ + if (slot->isActiveCard) { + slot->protectedAuthPath = PR_FALSE; + } + tmp = PK11_MakeString(NULL,slot->token_name, + (char *)tokenInfo.label, sizeof(tokenInfo.label)); + slot->minPassword = tokenInfo.ulMinPinLen; + slot->maxPassword = tokenInfo.ulMaxPinLen; + PORT_Memcpy(slot->serial,tokenInfo.serialNumber,sizeof(slot->serial)); + + nssToken_UpdateName(slot->nssToken); + + slot->defRWSession = (PRBool)((!slot->readOnly) && + (tokenInfo.ulMaxSessionCount == 1)); + rv = PK11_ReadMechanismList(slot); + if (rv != SECSuccess) return rv; + + slot->hasRSAInfo = PR_FALSE; + slot->RSAInfoFlags = 0; + + /* initialize the maxKeyCount value */ + if (tokenInfo.ulMaxSessionCount == 0) { + slot->maxKeyCount = 800; /* should be #define or a config param */ + } else if (tokenInfo.ulMaxSessionCount < 20) { + /* don't have enough sessions to keep that many keys around */ + slot->maxKeyCount = 0; + } else { + slot->maxKeyCount = tokenInfo.ulMaxSessionCount/2; + } + + /* Make sure our session handle is valid */ + if (slot->session == CK_INVALID_SESSION) { + /* we know we don't have a valid session, go get one */ + CK_SESSION_HANDLE session; + + /* session should be Readonly, serial */ + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, + (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, + slot,pk11_notify,&session); + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + slot->session = session; + } else { + /* The session we have may be defunct (the token associated with it) + * has been removed */ + CK_SESSION_INFO sessionInfo; + + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo); + if (crv == CKR_DEVICE_ERROR) { + PK11_GETTAB(slot)->C_CloseSession(slot->session); + crv = CKR_SESSION_CLOSED; + } + if ((crv==CKR_SESSION_CLOSED) || (crv==CKR_SESSION_HANDLE_INVALID)) { + crv =PK11_GETTAB(slot)->C_OpenSession(slot->slotID, + (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, + slot,pk11_notify,&slot->session); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + slot->session = CK_INVALID_SESSION; + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + return SECFailure; + } + } + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + } + + nssToken_Refresh(slot->nssToken); + + if (!(slot->needLogin)) { + return pk11_CheckVerifyTest(slot); + } + + + if (!(slot->isInternal) && (slot->hasRandom)) { + /* if this slot has a random number generater, use it to add entropy + * to the internal slot. */ + PK11SlotInfo *int_slot = PK11_GetInternalSlot(); + + if (int_slot) { + unsigned char random_bytes[32]; + + /* if this slot can issue random numbers, get some entropy from + * that random number generater and give it to our internal token. + */ + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GenerateRandom + (slot->session,random_bytes, sizeof(random_bytes)); + PK11_ExitSlotMonitor(slot); + if (crv == CKR_OK) { + PK11_EnterSlotMonitor(int_slot); + PK11_GETTAB(int_slot)->C_SeedRandom(int_slot->session, + random_bytes, sizeof(random_bytes)); + PK11_ExitSlotMonitor(int_slot); + } + + /* Now return the favor and send entropy to the token's random + * number generater */ + PK11_EnterSlotMonitor(int_slot); + crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session, + random_bytes, sizeof(random_bytes)); + PK11_ExitSlotMonitor(int_slot); + if (crv == CKR_OK) { + PK11_EnterSlotMonitor(slot); + PK11_GETTAB(slot)->C_SeedRandom(slot->session, + random_bytes, sizeof(random_bytes)); + PK11_ExitSlotMonitor(slot); + } + PK11_FreeSlot(int_slot); + } + } + + + return SECSuccess; +} + +static PRBool +pk11_isRootSlot(PK11SlotInfo *slot) +{ + CK_ATTRIBUTE findTemp[1]; + CK_ATTRIBUTE *attrs; + CK_OBJECT_CLASS oclass = CKO_NETSCAPE_BUILTIN_ROOT_LIST; + int tsize; + CK_OBJECT_HANDLE handle; + + attrs = findTemp; + PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++; + tsize = attrs - findTemp; + PORT_Assert(tsize <= sizeof(findTemp)/sizeof(CK_ATTRIBUTE)); + + handle = pk11_FindObjectByTemplate(slot,findTemp,tsize); + if (handle == CK_INVALID_HANDLE) { + return PR_FALSE; + } + return PR_TRUE; +} + +/* + * Initialize the slot : + * This initialization code is called on each slot a module supports when + * it is loaded. It does the bringup initialization. The difference between + * this and InitToken is Init slot does those one time initialization stuff, + * usually associated with the reader, while InitToken may get called multiple + * times as tokens are removed and re-inserted. + */ +void +PK11_InitSlot(SECMODModule *mod,CK_SLOT_ID slotID,PK11SlotInfo *slot) +{ + SECStatus rv; + char *tmp; + CK_SLOT_INFO slotInfo; + + slot->functionList = mod->functionList; + slot->isInternal = mod->internal; + slot->slotID = slotID; + slot->isThreadSafe = mod->isThreadSafe; + slot->hasRSAInfo = PR_FALSE; + + if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID,&slotInfo) != CKR_OK) { + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; + return; + } + + /* test to make sure claimed mechanism work */ + slot->needTest = mod->internal ? PR_FALSE : PR_TRUE; + slot->module = mod; /* NOTE: we don't make a reference here because + * modules have references to their slots. This + * works because modules keep implicit references + * from their slots, and won't unload and disappear + * until all their slots have been freed */ + tmp = PK11_MakeString(NULL,slot->slot_name, + (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription)); + slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT); +#define ACTIVE_CARD "ActivCard SA" + slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID, + ACTIVE_CARD, sizeof(ACTIVE_CARD)-1) == 0); + if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) { + slot->isPerm = PR_TRUE; + /* permanment slots must have the token present always */ + if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_TOKEN_NOT_PRESENT; + return; /* nothing else to do */ + } + } + /* if the token is present, initialize it */ + if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) { + rv = PK11_InitToken(slot,PR_TRUE); + /* the only hard failures are on permanent devices, or function + * verify failures... function verify failures are already handled + * by tokenInit */ + if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) { + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; + } + } + if (pk11_isRootSlot(slot)) { + if (!slot->hasRootCerts) { + slot->module->trustOrder = 100; + } + slot->hasRootCerts= PR_TRUE; + } +} + + + +/********************************************************************* + * Slot mapping utility functions. + *********************************************************************/ + +/* + * determine if the token is present. If the token is present, make sure + * we have a valid session handle. Also set the value of needLogin + * appropriately. + */ +static PRBool +pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts) +{ + CK_SLOT_INFO slotInfo; + CK_SESSION_INFO sessionInfo; + CK_RV crv; + + /* disabled slots are never present */ + if (slot->disabled) { + return PR_FALSE; + } + + /* permanent slots are always present */ + if (slot->isPerm && (slot->session != CK_INVALID_SESSION)) { + return PR_TRUE; + } + + if (slot->nssToken) { + return nssToken_IsPresent(slot->nssToken); + } + + /* removable slots have a flag that says they are present */ + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + if (PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,&slotInfo) != CKR_OK) { + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + return PR_FALSE; + } + if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { + /* if the slot is no longer present, close the session */ + if (slot->session != CK_INVALID_SESSION) { + PK11_GETTAB(slot)->C_CloseSession(slot->session); + slot->session = CK_INVALID_SESSION; + /* force certs to be freed */ + } + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + return PR_FALSE; + } + + /* use the session Info to determine if the card has been removed and then + * re-inserted */ + if (slot->session != CK_INVALID_SESSION) { + crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); + if (crv != CKR_OK) { + PK11_GETTAB(slot)->C_CloseSession(slot->session); + slot->session = CK_INVALID_SESSION; + } + } + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + + /* card has not been removed, current token info is correct */ + if (slot->session != CK_INVALID_SESSION) return PR_TRUE; + + /* initialize the token info state */ + if (PK11_InitToken(slot,loadCerts) != SECSuccess) { + return PR_FALSE; + } + + return PR_TRUE; +} + +/* + * old version of the routine + */ +PRBool +PK11_IsPresent(PK11SlotInfo *slot) { + return pk11_IsPresentCertLoad(slot,PR_TRUE); +} + +/* is the slot disabled? */ +PRBool +PK11_IsDisabled(PK11SlotInfo *slot) +{ + return slot->disabled; +} + +/* and why? */ +PK11DisableReasons +PK11_GetDisabledReason(PK11SlotInfo *slot) +{ + return slot->reason; +} + +/* returns PR_TRUE if successfully disable the slot */ +/* returns PR_FALSE otherwise */ +PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) { + + slot->defaultFlags |= PK11_DISABLE_FLAG; + slot->disabled = PR_TRUE; + slot->reason = PK11_DIS_USER_SELECTED; + + return PR_TRUE; +} + +PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) { + + slot->defaultFlags &= ~PK11_DISABLE_FLAG; + slot->disabled = PR_FALSE; + slot->reason = PK11_DIS_NONE; + return PR_TRUE; +} + +PRBool PK11_HasRootCerts(PK11SlotInfo *slot) { + return slot->hasRootCerts; +} + +/* Get the module this slot is attatched to */ +SECMODModule * +PK11_GetModule(PK11SlotInfo *slot) +{ + return slot->module; +} + +/* return the default flags of a slot */ +unsigned long +PK11_GetDefaultFlags(PK11SlotInfo *slot) +{ + return slot->defaultFlags; +} + +/* Does this slot have a protected pin path? */ +PRBool +PK11_ProtectedAuthenticationPath(PK11SlotInfo *slot) +{ + return slot->protectedAuthPath; +} + +/* + * we can initialize the password if 1) The toke is not inited + * (need login == true and see need UserInit) or 2) the token has + * a NULL password. (slot->needLogin = false & need user Init = false). + */ +PRBool PK11_NeedPWInitForSlot(PK11SlotInfo *slot) +{ + if (slot->needLogin && PK11_NeedUserInit(slot)) { + return PR_TRUE; + } + if (!slot->needLogin && !PK11_NeedUserInit(slot)) { + return PR_TRUE; + } + return PR_FALSE; +} + +PRBool PK11_NeedPWInit() +{ + PK11SlotInfo *slot = PK11_GetInternalKeySlot(); + PRBool ret = PK11_NeedPWInitForSlot(slot); + + PK11_FreeSlot(slot); + return ret; +} + +/* + * The following wrapper functions allow us to export an opaque slot + * function to the rest of libsec and the world... */ +PRBool +PK11_IsReadOnly(PK11SlotInfo *slot) +{ + return slot->readOnly; +} + +PRBool +PK11_IsHW(PK11SlotInfo *slot) +{ + return slot->isHW; +} + +PRBool +PK11_IsInternal(PK11SlotInfo *slot) +{ + return slot->isInternal; +} + +PRBool +PK11_NeedLogin(PK11SlotInfo *slot) +{ + return slot->needLogin; +} + +PRBool +PK11_IsFriendly(PK11SlotInfo *slot) +{ + /* internal slot always has public readable certs */ + return (PRBool)(slot->isInternal || + ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) == + SECMOD_FRIENDLY_FLAG)); +} + +char * +PK11_GetTokenName(PK11SlotInfo *slot) +{ + return slot->token_name; +} + +char * +PK11_GetSlotName(PK11SlotInfo *slot) +{ + return slot->slot_name; +} + +int +PK11_GetSlotSeries(PK11SlotInfo *slot) +{ + return slot->series; +} + +int +PK11_GetCurrentWrapIndex(PK11SlotInfo *slot) +{ + return slot->wrapKey; +} + +CK_SLOT_ID +PK11_GetSlotID(PK11SlotInfo *slot) +{ + return slot->slotID; +} + +SECMODModuleID +PK11_GetModuleID(PK11SlotInfo *slot) +{ + return slot->module->moduleID; +} + +static void +pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size) +{ + CK_CHAR *walk = buffer; + CK_CHAR *end = buffer + buffer_size; + + /* find the NULL */ + while (walk < end && *walk != '\0') { + walk++; + } + + /* clear out the buffer */ + while (walk < end) { + *walk++ = ' '; + } +} + +/* return the slot info structure */ +SECStatus +PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info) +{ + CK_RV crv; + + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + /* + * some buggy drivers do not fill the buffer completely, + * erase the buffer first + */ + PORT_Memset(info->slotDescription,' ',sizeof(info->slotDescription)); + PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID)); + crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID,info); + pk11_zeroTerminatedToBlankPadded(info->slotDescription, + sizeof(info->slotDescription)); + pk11_zeroTerminatedToBlankPadded(info->manufacturerID, + sizeof(info->manufacturerID)); + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + return SECSuccess; +} + +/* return the token info structure */ +SECStatus +PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info) +{ + CK_RV crv; + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + /* + * some buggy drivers do not fill the buffer completely, + * erase the buffer first + */ + PORT_Memset(info->label,' ',sizeof(info->label)); + PORT_Memset(info->manufacturerID,' ',sizeof(info->manufacturerID)); + PORT_Memset(info->model,' ',sizeof(info->model)); + PORT_Memset(info->serialNumber,' ',sizeof(info->serialNumber)); + crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID,info); + pk11_zeroTerminatedToBlankPadded(info->label,sizeof(info->label)); + pk11_zeroTerminatedToBlankPadded(info->manufacturerID, + sizeof(info->manufacturerID)); + pk11_zeroTerminatedToBlankPadded(info->model,sizeof(info->model)); + pk11_zeroTerminatedToBlankPadded(info->serialNumber, + sizeof(info->serialNumber)); + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + return SECSuccess; +} + +/* Find out if we need to initialize the user's pin */ +PRBool +PK11_NeedUserInit(PK11SlotInfo *slot) +{ + PRBool needUserInit = (PRBool) ((slot->flags & CKF_USER_PIN_INITIALIZED) + == 0); + + if (needUserInit) { + CK_TOKEN_INFO info; + SECStatus rv; + + /* see if token has been initialized off line */ + rv = PK11_GetTokenInfo(slot, &info); + if (rv == SECSuccess) { + slot->flags = info.flags; + } + } + return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0); +} + +/* get the internal key slot. FIPS has only one slot for both key slots and + * default slots */ +PK11SlotInfo * +PK11_GetInternalKeySlot(void) +{ + SECMODModule *mod = SECMOD_GetInternalModule(); + PORT_Assert(mod != NULL); + if (!mod) { + PORT_SetError( SEC_ERROR_NO_MODULE ); + return NULL; + } + return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]); +} + +/* get the internal default slot */ +PK11SlotInfo * +PK11_GetInternalSlot(void) +{ + SECMODModule * mod = SECMOD_GetInternalModule(); + PORT_Assert(mod != NULL); + if (!mod) { + PORT_SetError( SEC_ERROR_NO_MODULE ); + return NULL; + } + return PK11_ReferenceSlot(mod->slots[0]); +} + +PRBool +pk11_InDelayPeriod(PRIntervalTime lastTime, PRIntervalTime delayTime, + PRIntervalTime *retTime) +{ + PRIntervalTime time; + + *retTime = time = PR_IntervalNow(); + return (PRBool) (lastTime) && (time > lastTime) && + ((time-lastTime) < delayTime); +} + +/* + * Determine if the token is logged in. We have to actually query the token, + * because it's state can change without intervention from us. + */ +PRBool +PK11_IsLoggedIn(PK11SlotInfo *slot,void *wincx) +{ + CK_SESSION_INFO sessionInfo; + int askpw = slot->askpw; + int timeout = slot->timeout; + CK_RV crv; + PRIntervalTime curTime; + static PRIntervalTime login_delay_time = 0; + + if (login_delay_time == 0) { + login_delay_time = PR_SecondsToInterval(1); + } + + /* If we don't have our own password default values, use the system + * ones */ + if ((slot->defaultFlags & PK11_OWN_PW_DEFAULTS) == 0) { + PK11SlotInfo *def_slot = PK11_GetInternalKeySlot(); + + if (def_slot) { + askpw = def_slot->askpw; + timeout = def_slot->timeout; + PK11_FreeSlot(def_slot); + } + } + + if ((wincx != NULL) && (PK11_Global.isLoggedIn != NULL) && + (*PK11_Global.isLoggedIn)(slot, wincx) == PR_FALSE) { return PR_FALSE; } + + + /* forget the password if we've been inactive too long */ + if (askpw == 1) { + int64 currtime = PR_Now(); + int64 result; + int64 mult; + + LL_I2L(result, timeout); + LL_I2L(mult, 60*1000*1000); + LL_MUL(result,result,mult); + LL_ADD(result, result, slot->authTime); + if (LL_CMP(result, <, currtime) ) { + PK11_EnterSlotMonitor(slot); + PK11_GETTAB(slot)->C_Logout(slot->session); + slot->lastLoginCheck = 0; + PK11_ExitSlotMonitor(slot); + } else { + slot->authTime = currtime; + } + } + + PK11_EnterSlotMonitor(slot); + if (pk11_InDelayPeriod(slot->lastLoginCheck,login_delay_time, &curTime)) { + sessionInfo.state = slot->lastState; + crv = CKR_OK; + } else { + crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session,&sessionInfo); + if (crv == CKR_OK) { + slot->lastState = sessionInfo.state; + slot->lastLoginCheck = curTime; + } + } + PK11_ExitSlotMonitor(slot); + /* if we can't get session info, something is really wrong */ + if (crv != CKR_OK) { + slot->session = CK_INVALID_SESSION; + return PR_FALSE; + } + + switch (sessionInfo.state) { + case CKS_RW_PUBLIC_SESSION: + case CKS_RO_PUBLIC_SESSION: + default: + break; /* fail */ + case CKS_RW_USER_FUNCTIONS: + case CKS_RW_SO_FUNCTIONS: + case CKS_RO_USER_FUNCTIONS: + return PR_TRUE; + } + return PR_FALSE; +} + + +/* + * check if a given slot supports the requested mechanism + */ +PRBool +PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type) +{ + int i; + + /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to + * tell us we're looking form someone that has implemented get + * random bits */ + if (type == CKM_FAKE_RANDOM) { + return slot->hasRandom; + } + + for (i=0; i < (int) slot->mechanismCount; i++) { + if (slot->mechanismList[i] == type) return PR_TRUE; + } + return PR_FALSE; +} + +/* + * Return true if a token that can do the desired mechanism exists. + * This allows us to have hardware tokens that can do function XYZ magically + * allow SSL Ciphers to appear if they are plugged in. + */ +PRBool +PK11_TokenExists(CK_MECHANISM_TYPE type) +{ + SECMODModuleList *mlp; + SECMODModuleList *modules = SECMOD_GetDefaultModuleList(); + SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); + PK11SlotInfo *slot; + PRBool found = PR_FALSE; + int i; + + /* we only need to know if there is a token that does this mechanism. + * check the internal module first because it's fast, and supports + * almost everything. */ + slot = PK11_GetInternalSlot(); + if (slot) { + found = PK11_DoesMechanism(slot,type); + PK11_FreeSlot(slot); + } + if (found) return PR_TRUE; /* bypass getting module locks */ + + SECMOD_GetReadLock(moduleLock); + for(mlp = modules; mlp != NULL && (!found); mlp = mlp->next) { + for (i=0; i < mlp->module->slotCount; i++) { + slot = mlp->module->slots[i]; + if (PK11_IsPresent(slot)) { + if (PK11_DoesMechanism(slot,type)) { + found = PR_TRUE; + break; + } + } + } + } + SECMOD_ReleaseReadLock(moduleLock); + return found; +} + +/* + * get all the currently available tokens in a list. + * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM, + * get all the tokens. Make sure tokens that need authentication are put at + * the end of this list. + */ +PK11SlotList * +PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, + void *wincx) +{ + PK11SlotList * list = PK11_NewSlotList(); + PK11SlotList * loginList = PK11_NewSlotList(); + PK11SlotList * friendlyList = PK11_NewSlotList(); + SECMODModuleList * mlp; + SECMODModuleList * modules = SECMOD_GetDefaultModuleList(); + SECMODListLock * moduleLock = SECMOD_GetDefaultModuleListLock(); + int i; +#if defined( XP_WIN32 ) + int j = 0; + PRInt32 waste[16]; +#endif + + if ((list == NULL) || (loginList == NULL) || (friendlyList == NULL)) { + if (list) PK11_FreeSlotList(list); + if (loginList) PK11_FreeSlotList(loginList); + if (friendlyList) PK11_FreeSlotList(friendlyList); + return NULL; + } + + SECMOD_GetReadLock(moduleLock); + for(mlp = modules; mlp != NULL; mlp = mlp->next) { + +#if defined( XP_WIN32 ) + /* This is works around some horrible cache/page thrashing problems + ** on Win32. Without this, this loop can take up to 6 seconds at + ** 100% CPU on a Pentium-Pro 200. The thing this changes is to + ** increase the size of the stack frame and modify it. + ** Moving the loop code itself seems to have no effect. + ** Dunno why this combination makes a difference, but it does. + */ + waste[ j & 0xf] = j++; +#endif + + for (i = 0; i < mlp->module->slotCount; i++) { + PK11SlotInfo *slot = mlp->module->slots[i]; + + if (pk11_IsPresentCertLoad(slot, loadCerts)) { + if (needRW && slot->readOnly) continue; + if ((type == CKM_INVALID_MECHANISM) + || PK11_DoesMechanism(slot, type)) { + if (slot->needLogin && !PK11_IsLoggedIn(slot, wincx)) { + if (PK11_IsFriendly(slot)) { + PK11_AddSlotToList(friendlyList, slot); + } else { + PK11_AddSlotToList(loginList, slot); + } + } else { + PK11_AddSlotToList(list, slot); + } + } + } + } + } + SECMOD_ReleaseReadLock(moduleLock); + + PK11_MoveListToList(list,friendlyList); + PK11_FreeSlotList(friendlyList); + PK11_MoveListToList(list,loginList); + PK11_FreeSlotList(loginList); + + return list; +} + +/* + * NOTE: This routine is working from a private List generated by + * PK11_GetAllTokens. That is why it does not need to lock. + */ +PK11SlotList * +PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type,PRBool needRW,void *wincx) +{ + PK11SlotList *list = PK11_GetAllTokens(type,needRW,PR_TRUE,wincx); + PK11SlotListElement *le, *next ; + SECStatus rv; + + if (list == NULL) return list; + + for (le = list->head ; le; le = next) { + next = le->next; /* save the pointer here in case we have to + * free the element later */ + rv = PK11_Authenticate(le->slot,PR_TRUE,wincx); + if (rv != SECSuccess) { + PK11_DeleteSlotFromList(list,le); + continue; + } + } + return list; +} + + +/* + * find the best slot which supports the given + * Mechanism. In normal cases this should grab the first slot on the list + * with no fuss. + */ +PK11SlotInfo * +PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, int mech_count, void *wincx) +{ + PK11SlotList *list = NULL; + PK11SlotListElement *le ; + PK11SlotInfo *slot = NULL; + PRBool freeit = PR_FALSE; + PRBool listNeedLogin = PR_FALSE; + int i; + SECStatus rv; + + list = PK11_GetSlotList(type[0]); + + if ((list == NULL) || (list->head == NULL)) { + /* We need to look up all the tokens for the mechanism */ + list = PK11_GetAllTokens(type[0],PR_FALSE,PR_TRUE,wincx); + freeit = PR_TRUE; + } + + /* no one can do it! */ + if (list == NULL) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + return NULL; + } + + PORT_SetError(0); + + + listNeedLogin = PR_FALSE; + for (i=0; i < mech_count; i++) { + if ((type[i] != CKM_FAKE_RANDOM) && (type[i] != CKM_SHA_1) && + (type[i] != CKM_MD5) && (type[i] != CKM_MD2)) { + listNeedLogin = PR_TRUE; + break; + } + } + + for (le = PK11_GetFirstSafe(list); le; + le = PK11_GetNextSafe(list,le,PR_TRUE)) { + if (PK11_IsPresent(le->slot)) { + PRBool doExit = PR_FALSE; + for (i=0; i < mech_count; i++) { + if (!PK11_DoesMechanism(le->slot,type[i])) { + doExit = PR_TRUE; + break; + } + } + if (doExit) continue; + + if (listNeedLogin && le->slot->needLogin) { + rv = PK11_Authenticate(le->slot,PR_TRUE,wincx); + if (rv != SECSuccess) continue; + } + slot = le->slot; + PK11_ReferenceSlot(slot); + pk11_FreeListElement(list,le); + if (freeit) { PK11_FreeSlotList(list); } + return slot; + } + } + if (freeit) { PK11_FreeSlotList(list); } + if (PORT_GetError() == 0) { + PORT_SetError(SEC_ERROR_NO_TOKEN); + } + return NULL; +} + +/* original get best slot now calls the multiple version with only one type */ +PK11SlotInfo * +PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx) +{ + return PK11_GetBestSlotMultiple(&type, 1, wincx); +} + +/* + * find the best key wrap mechanism for this slot. + */ +CK_MECHANISM_TYPE +PK11_GetBestWrapMechanism(PK11SlotInfo *slot) +{ + int i; + for (i=0; i < wrapMechanismCount; i++) { + if (PK11_DoesMechanism(slot,wrapMechanismList[i])) { + return wrapMechanismList[i]; + } + } + return CKM_INVALID_MECHANISM; +} + +int +PK11_GetBestKeyLength(PK11SlotInfo *slot,CK_MECHANISM_TYPE mechanism) +{ + CK_MECHANISM_INFO mechanism_info; + CK_RV crv; + + if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, + mechanism,&mechanism_info); + if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) return 0; + + if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize) + return 0; + return mechanism_info.ulMaxKeySize; +} + + +/********************************************************************* + * Mechanism Mapping functions + *********************************************************************/ + +/* + * lookup an entry in the mechanism table. If none found, return the + * default structure. + */ +static pk11MechanismData * +pk11_lookup(CK_MECHANISM_TYPE type) +{ + int i; + for (i=0; i < pk11_MechEntrySize; i++) { + if (pk11_MechanismTable[i].type == type) { + return (&pk11_MechanismTable[i]); + } + } + return &pk11_default; +} + +/* + * NOTE: This is not thread safe. Called at init time, and when loading + * a new Entry. It is reasonably safe as long as it is not re-entered + * (readers will always see a consistant table) + * + * This routine is called to add entries to the mechanism table, once there, + * they can not be removed. + */ +void +PK11_AddMechanismEntry(CK_MECHANISM_TYPE type, CK_KEY_TYPE key, + CK_MECHANISM_TYPE keyGen, int ivLen, int blockSize) +{ + int tableSize = pk11_MechTableSize; + int size = pk11_MechEntrySize; + int entry = size++; + pk11MechanismData *old = pk11_MechanismTable; + pk11MechanismData *newt = pk11_MechanismTable; + + + if (size > tableSize) { + int oldTableSize = tableSize; + tableSize += 10; + newt = (pk11MechanismData *) + PORT_Alloc(tableSize*sizeof(pk11MechanismData)); + if (newt == NULL) return; + + if (old) PORT_Memcpy(newt,old,oldTableSize*sizeof(pk11MechanismData)); + } else old = NULL; + + newt[entry].type = type; + newt[entry].keyType = key; + newt[entry].keyGen = keyGen; + newt[entry].iv = ivLen; + newt[entry].blockSize = blockSize; + + pk11_MechanismTable = newt; + pk11_MechTableSize = tableSize; + pk11_MechEntrySize = size; + if (old) PORT_Free(old); +} + +/* + * Get the key type needed for the given mechanism + */ +CK_MECHANISM_TYPE +PK11_GetKeyType(CK_MECHANISM_TYPE type,unsigned long len) +{ + switch (type) { + case CKM_AES_ECB: + case CKM_AES_CBC: + case CKM_AES_MAC: + case CKM_AES_MAC_GENERAL: + case CKM_AES_CBC_PAD: + case CKM_AES_KEY_GEN: + return CKK_AES; + case CKM_DES_ECB: + case CKM_DES_CBC: + case CKM_DES_MAC: + case CKM_DES_MAC_GENERAL: + case CKM_DES_CBC_PAD: + case CKM_DES_KEY_GEN: + case CKM_KEY_WRAP_LYNKS: + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + return CKK_DES; + case CKM_DES3_ECB: + case CKM_DES3_CBC: + case CKM_DES3_MAC: + case CKM_DES3_MAC_GENERAL: + case CKM_DES3_CBC_PAD: + return (len == 128) ? CKK_DES2 : CKK_DES3; + case CKM_DES2_KEY_GEN: + case CKM_PBE_SHA1_DES2_EDE_CBC: + return CKK_DES2; + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_DES3_KEY_GEN: + return CKK_DES3; + case CKM_CDMF_ECB: + case CKM_CDMF_CBC: + case CKM_CDMF_MAC: + case CKM_CDMF_MAC_GENERAL: + case CKM_CDMF_CBC_PAD: + case CKM_CDMF_KEY_GEN: + return CKK_CDMF; + case CKM_RC2_ECB: + case CKM_RC2_CBC: + case CKM_RC2_MAC: + case CKM_RC2_MAC_GENERAL: + case CKM_RC2_CBC_PAD: + case CKM_RC2_KEY_GEN: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + return CKK_RC2; + case CKM_RC4: + case CKM_RC4_KEY_GEN: + return CKK_RC4; + case CKM_RC5_ECB: + case CKM_RC5_CBC: + case CKM_RC5_MAC: + case CKM_RC5_MAC_GENERAL: + case CKM_RC5_CBC_PAD: + case CKM_RC5_KEY_GEN: + return CKK_RC5; + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_SKIPJACK_KEY_GEN: + case CKM_SKIPJACK_WRAP: + case CKM_SKIPJACK_PRIVATE_WRAP: + return CKK_SKIPJACK; + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_BATON_WRAP: + case CKM_BATON_KEY_GEN: + return CKK_BATON; + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + case CKM_JUNIPER_WRAP: + case CKM_JUNIPER_KEY_GEN: + return CKK_JUNIPER; + case CKM_IDEA_CBC: + case CKM_IDEA_ECB: + case CKM_IDEA_MAC: + case CKM_IDEA_MAC_GENERAL: + case CKM_IDEA_CBC_PAD: + case CKM_IDEA_KEY_GEN: + return CKK_IDEA; + case CKM_CAST_ECB: + case CKM_CAST_CBC: + case CKM_CAST_MAC: + case CKM_CAST_MAC_GENERAL: + case CKM_CAST_CBC_PAD: + case CKM_CAST_KEY_GEN: + case CKM_PBE_MD5_CAST_CBC: + return CKK_CAST; + case CKM_CAST3_ECB: + case CKM_CAST3_CBC: + case CKM_CAST3_MAC: + case CKM_CAST3_MAC_GENERAL: + case CKM_CAST3_CBC_PAD: + case CKM_CAST3_KEY_GEN: + case CKM_PBE_MD5_CAST3_CBC: + return CKK_CAST3; + case CKM_CAST5_ECB: + case CKM_CAST5_CBC: + case CKM_CAST5_MAC: + case CKM_CAST5_MAC_GENERAL: + case CKM_CAST5_CBC_PAD: + case CKM_CAST5_KEY_GEN: + case CKM_PBE_MD5_CAST5_CBC: + return CKK_CAST5; + case CKM_RSA_PKCS: + case CKM_RSA_9796: + case CKM_RSA_X_509: + case CKM_MD2_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: + case CKM_KEY_WRAP_SET_OAEP: + case CKM_RSA_PKCS_KEY_PAIR_GEN: + return CKK_RSA; + case CKM_DSA: + case CKM_DSA_SHA1: + case CKM_DSA_KEY_PAIR_GEN: + return CKK_DSA; + case CKM_DH_PKCS_DERIVE: + case CKM_DH_PKCS_KEY_PAIR_GEN: + return CKK_DH; + case CKM_KEA_KEY_DERIVE: + case CKM_KEA_KEY_PAIR_GEN: + return CKK_KEA; + case CKM_ECDSA_KEY_PAIR_GEN: + case CKM_ECDSA: + case CKM_ECDSA_SHA1: + return CKK_ECDSA; + case CKM_SSL3_PRE_MASTER_KEY_GEN: + case CKM_GENERIC_SECRET_KEY_GEN: + case CKM_SSL3_MASTER_KEY_DERIVE: + case CKM_SSL3_MASTER_KEY_DERIVE_DH: + case CKM_SSL3_KEY_AND_MAC_DERIVE: + case CKM_SSL3_SHA1_MAC: + case CKM_SSL3_MD5_MAC: + case CKM_TLS_MASTER_KEY_DERIVE: + case CKM_TLS_MASTER_KEY_DERIVE_DH: + case CKM_TLS_KEY_AND_MAC_DERIVE: + case CKM_SHA_1_HMAC: + case CKM_SHA_1_HMAC_GENERAL: + case CKM_MD2_HMAC: + case CKM_MD2_HMAC_GENERAL: + case CKM_MD5_HMAC: + case CKM_MD5_HMAC_GENERAL: + case CKM_TLS_PRF_GENERAL: + return CKK_GENERIC_SECRET; + default: + return pk11_lookup(type)->keyType; + } +} + +/* + * Get the Key Gen Mechanism needed for the given + * crypto mechanism + */ +CK_MECHANISM_TYPE +PK11_GetKeyGen(CK_MECHANISM_TYPE type) +{ + switch (type) { + case CKM_AES_ECB: + case CKM_AES_CBC: + case CKM_AES_MAC: + case CKM_AES_MAC_GENERAL: + case CKM_AES_CBC_PAD: + case CKM_AES_KEY_GEN: + return CKM_AES_KEY_GEN; + case CKM_DES_ECB: + case CKM_DES_CBC: + case CKM_DES_MAC: + case CKM_DES_MAC_GENERAL: + case CKM_KEY_WRAP_LYNKS: + case CKM_DES_CBC_PAD: + case CKM_DES_KEY_GEN: + return CKM_DES_KEY_GEN; + case CKM_DES3_ECB: + case CKM_DES3_CBC: + case CKM_DES3_MAC: + case CKM_DES3_MAC_GENERAL: + case CKM_DES3_CBC_PAD: + case CKM_DES3_KEY_GEN: + return CKM_DES3_KEY_GEN; + case CKM_CDMF_ECB: + case CKM_CDMF_CBC: + case CKM_CDMF_MAC: + case CKM_CDMF_MAC_GENERAL: + case CKM_CDMF_CBC_PAD: + case CKM_CDMF_KEY_GEN: + return CKM_CDMF_KEY_GEN; + case CKM_RC2_ECB: + case CKM_RC2_CBC: + case CKM_RC2_MAC: + case CKM_RC2_MAC_GENERAL: + case CKM_RC2_CBC_PAD: + case CKM_RC2_KEY_GEN: + return CKM_RC2_KEY_GEN; + case CKM_RC4: + case CKM_RC4_KEY_GEN: + return CKM_RC4_KEY_GEN; + case CKM_RC5_ECB: + case CKM_RC5_CBC: + case CKM_RC5_MAC: + case CKM_RC5_MAC_GENERAL: + case CKM_RC5_CBC_PAD: + case CKM_RC5_KEY_GEN: + return CKM_RC5_KEY_GEN; + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_SKIPJACK_WRAP: + case CKM_SKIPJACK_KEY_GEN: + return CKM_SKIPJACK_KEY_GEN; + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_BATON_WRAP: + case CKM_BATON_KEY_GEN: + return CKM_BATON_KEY_GEN; + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + case CKM_JUNIPER_WRAP: + case CKM_JUNIPER_KEY_GEN: + return CKM_JUNIPER_KEY_GEN; + case CKM_IDEA_CBC: + case CKM_IDEA_ECB: + case CKM_IDEA_MAC: + case CKM_IDEA_MAC_GENERAL: + case CKM_IDEA_CBC_PAD: + case CKM_IDEA_KEY_GEN: + return CKM_IDEA_KEY_GEN; + case CKM_CAST_ECB: + case CKM_CAST_CBC: + case CKM_CAST_MAC: + case CKM_CAST_MAC_GENERAL: + case CKM_CAST_CBC_PAD: + case CKM_CAST_KEY_GEN: + return CKM_CAST_KEY_GEN; + case CKM_CAST3_ECB: + case CKM_CAST3_CBC: + case CKM_CAST3_MAC: + case CKM_CAST3_MAC_GENERAL: + case CKM_CAST3_CBC_PAD: + case CKM_CAST3_KEY_GEN: + return CKM_CAST3_KEY_GEN; + case CKM_CAST5_ECB: + case CKM_CAST5_CBC: + case CKM_CAST5_MAC: + case CKM_CAST5_MAC_GENERAL: + case CKM_CAST5_CBC_PAD: + case CKM_CAST5_KEY_GEN: + return CKM_CAST5_KEY_GEN; + case CKM_RSA_PKCS: + case CKM_RSA_9796: + case CKM_RSA_X_509: + case CKM_MD2_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: + case CKM_KEY_WRAP_SET_OAEP: + case CKM_RSA_PKCS_KEY_PAIR_GEN: + return CKM_RSA_PKCS_KEY_PAIR_GEN; + case CKM_DSA: + case CKM_DSA_SHA1: + case CKM_DSA_KEY_PAIR_GEN: + return CKM_DSA_KEY_PAIR_GEN; + case CKM_DH_PKCS_DERIVE: + case CKM_DH_PKCS_KEY_PAIR_GEN: + return CKM_DH_PKCS_KEY_PAIR_GEN; + case CKM_KEA_KEY_DERIVE: + case CKM_KEA_KEY_PAIR_GEN: + return CKM_KEA_KEY_PAIR_GEN; + case CKM_ECDSA: + case CKM_ECDSA_KEY_PAIR_GEN: + return CKM_ECDSA_KEY_PAIR_GEN; + case CKM_SSL3_PRE_MASTER_KEY_GEN: + case CKM_SSL3_MASTER_KEY_DERIVE: + case CKM_SSL3_KEY_AND_MAC_DERIVE: + case CKM_SSL3_SHA1_MAC: + case CKM_SSL3_MD5_MAC: + case CKM_TLS_MASTER_KEY_DERIVE: + case CKM_TLS_KEY_AND_MAC_DERIVE: + return CKM_SSL3_PRE_MASTER_KEY_GEN; + case CKM_SHA_1_HMAC: + case CKM_SHA_1_HMAC_GENERAL: + case CKM_MD2_HMAC: + case CKM_MD2_HMAC_GENERAL: + case CKM_MD5_HMAC: + case CKM_MD5_HMAC_GENERAL: + case CKM_TLS_PRF_GENERAL: + case CKM_GENERIC_SECRET_KEY_GEN: + return CKM_GENERIC_SECRET_KEY_GEN; + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_PBA_SHA1_WITH_SHA1_HMAC: + case CKM_NETSCAPE_PBE_SHA1_HMAC_KEY_GEN: + case CKM_NETSCAPE_PBE_MD5_HMAC_KEY_GEN: + case CKM_NETSCAPE_PBE_MD2_HMAC_KEY_GEN: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + return type; + default: + return pk11_lookup(type)->keyGen; + } +} + +/* + * get the mechanism block size + */ +int +PK11_GetBlockSize(CK_MECHANISM_TYPE type,SECItem *params) +{ + CK_RC5_PARAMS *rc5_params; + CK_RC5_CBC_PARAMS *rc5_cbc_params; + switch (type) { + case CKM_RC5_ECB: + if ((params) && (params->data)) { + rc5_params = (CK_RC5_PARAMS *) params->data; + return (rc5_params->ulWordsize)*2; + } + return 8; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + if ((params) && (params->data)) { + rc5_cbc_params = (CK_RC5_CBC_PARAMS *) params->data; + return (rc5_cbc_params->ulWordsize)*2; + } + return 8; + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_RC2_ECB: + case CKM_IDEA_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + case CKM_RC2_CBC: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_RC2_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + return 8; + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + return 4; + case CKM_AES_ECB: + case CKM_AES_CBC: + case CKM_AES_CBC_PAD: + case CKM_BATON_ECB128: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + return 16; + case CKM_BATON_ECB96: + return 12; + case CKM_RC4: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + return 0; + case CKM_RSA_PKCS: + case CKM_RSA_9796: + case CKM_RSA_X_509: + /*actually it's the modulus length of the key!*/ + return -1; /* failure */ + default: + return pk11_lookup(type)->blockSize; + } +} + +/* + * get the iv length + */ +int +PK11_GetIVLength(CK_MECHANISM_TYPE type) +{ + switch (type) { + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_RC2_ECB: + case CKM_IDEA_ECB: + case CKM_SKIPJACK_WRAP: + case CKM_BATON_WRAP: + case CKM_RC5_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + return 0; + case CKM_RC2_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + case CKM_RC5_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_RC2_CBC_PAD: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_RC5_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + return 8; + case CKM_AES_CBC: + case CKM_AES_CBC_PAD: + return 16; + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + return 24; + case CKM_RC4: + case CKM_RSA_PKCS: + case CKM_RSA_9796: + case CKM_RSA_X_509: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + return 0; + default: + return pk11_lookup(type)->iv; + } +} + + +/* These next two utilities are here to help facilitate future + * Dynamic Encrypt/Decrypt symetric key mechanisms, and to allow functions + * like SSL and S-MIME to automatically add them. + */ +SECItem * +PK11_ParamFromIV(CK_MECHANISM_TYPE type,SECItem *iv) +{ + CK_RC2_CBC_PARAMS *rc2_params = NULL; + CK_RC2_PARAMS *rc2_ecb_params = NULL; + CK_RC5_PARAMS *rc5_params = NULL; + CK_RC5_CBC_PARAMS *rc5_cbc_params = NULL; + SECItem *param; + + param = (SECItem *)PORT_Alloc(sizeof(SECItem)); + if (param == NULL) return NULL; + param->data = NULL; + param->len = 0; + param->type = 0; + switch (type) { + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_RSA_PKCS: + case CKM_RSA_X_509: + case CKM_RSA_9796: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + case CKM_RC4: + break; + case CKM_RC2_ECB: + rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS)); + if (rc2_ecb_params == NULL) break; + /* Maybe we should pass the key size in too to get this value? */ + *rc2_ecb_params = 128; + param->data = (unsigned char *) rc2_ecb_params; + param->len = sizeof(CK_RC2_PARAMS); + break; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS)); + if (rc2_params == NULL) break; + /* Maybe we should pass the key size in too to get this value? */ + rc2_params->ulEffectiveBits = 128; + if (iv && iv->data) + PORT_Memcpy(rc2_params->iv,iv->data,sizeof(rc2_params->iv)); + param->data = (unsigned char *) rc2_params; + param->len = sizeof(CK_RC2_CBC_PARAMS); + break; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rc5_cbc_params = (CK_RC5_CBC_PARAMS *) + PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + ((iv) ? iv->len : 0)); + if (rc5_cbc_params == NULL) break; + if (iv && iv->data) { + rc5_cbc_params->pIv = ((CK_BYTE_PTR) rc5_cbc_params) + + sizeof(CK_RC5_CBC_PARAMS); + PORT_Memcpy(rc5_cbc_params->pIv,iv->data,iv->len); + rc5_cbc_params->ulIvLen = iv->len; + rc5_cbc_params->ulWordsize = iv->len/2; + } else { + rc5_cbc_params->ulWordsize = 4; + rc5_cbc_params->pIv = NULL; + rc5_cbc_params->ulIvLen = iv->len; + } + rc5_cbc_params->ulRounds = 16; + param->data = (unsigned char *) rc5_cbc_params; + param->len = sizeof(CK_RC5_CBC_PARAMS); + break; + case CKM_RC5_ECB: + rc5_params = (CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS)); + if (rc5_params == NULL) break; + if (iv && iv->data && iv->len) { + rc5_params->ulWordsize = iv->len/2; + } else { + rc5_params->ulWordsize = 4; + } + rc5_params->ulRounds = 16; + param->data = (unsigned char *) rc5_params; + param->len = sizeof(CK_RC5_PARAMS); + break; + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_AES_CBC_PAD: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + if ((iv == NULL) || (iv->data == NULL)) break; + param->data = (unsigned char*)PORT_Alloc(iv->len); + if (param->data != NULL) { + PORT_Memcpy(param->data,iv->data,iv->len); + param->len = iv->len; + } + break; + /* unknown mechanism, pass IV in if it's there */ + default: + if (pk11_lookup(type)->iv == 0) { + break; + } + if ((iv == NULL) || (iv->data == NULL)) { + break; + } + param->data = (unsigned char*)PORT_Alloc(iv->len); + if (param->data != NULL) { + PORT_Memcpy(param->data,iv->data,iv->len); + param->len = iv->len; + } + break; + } + return param; +} + +unsigned char * +PK11_IVFromParam(CK_MECHANISM_TYPE type,SECItem *param,int *len) +{ + CK_RC2_CBC_PARAMS *rc2_params; + CK_RC5_CBC_PARAMS *rc5_cbc_params; + + *len = 0; + switch (type) { + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_RSA_PKCS: + case CKM_RSA_X_509: + case CKM_RSA_9796: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + case CKM_RC4: + return NULL; + case CKM_RC2_ECB: + return NULL; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rc2_params = (CK_RC2_CBC_PARAMS *)param->data; + *len = sizeof(rc2_params->iv); + return &rc2_params->iv[0]; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rc5_cbc_params = (CK_RC5_CBC_PARAMS *) param->data; + *len = rc5_cbc_params->ulIvLen; + return rc5_cbc_params->pIv; + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + break; + /* unknown mechanism, pass IV in if it's there */ + default: + break; + } + if (param->data) { + *len = param->len; + } + return param->data; +} + +typedef struct sec_rc5cbcParameterStr { + SECItem version; + SECItem rounds; + SECItem blockSizeInBits; + SECItem iv; +} sec_rc5cbcParameter; + +static const SEC_ASN1Template sec_rc5ecb_parameter_template[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(sec_rc5cbcParameter) }, + { SEC_ASN1_INTEGER, + offsetof(sec_rc5cbcParameter,version) }, + { SEC_ASN1_INTEGER, + offsetof(sec_rc5cbcParameter,rounds) }, + { SEC_ASN1_INTEGER, + offsetof(sec_rc5cbcParameter,blockSizeInBits) }, + { 0 } +}; + +static const SEC_ASN1Template sec_rc5cbc_parameter_template[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(sec_rc5cbcParameter) }, + { SEC_ASN1_INTEGER, + offsetof(sec_rc5cbcParameter,version) }, + { SEC_ASN1_INTEGER, + offsetof(sec_rc5cbcParameter,rounds) }, + { SEC_ASN1_INTEGER, + offsetof(sec_rc5cbcParameter,blockSizeInBits) }, + { SEC_ASN1_OCTET_STRING, + offsetof(sec_rc5cbcParameter,iv) }, + { 0 } +}; + +typedef struct sec_rc2cbcParameterStr { + SECItem rc2ParameterVersion; + SECItem iv; +} sec_rc2cbcParameter; + +static const SEC_ASN1Template sec_rc2cbc_parameter_template[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(sec_rc2cbcParameter) }, + { SEC_ASN1_INTEGER, + offsetof(sec_rc2cbcParameter,rc2ParameterVersion) }, + { SEC_ASN1_OCTET_STRING, + offsetof(sec_rc2cbcParameter,iv) }, + { 0 } +}; + +static const SEC_ASN1Template sec_rc2ecb_parameter_template[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(sec_rc2cbcParameter) }, + { SEC_ASN1_INTEGER, + offsetof(sec_rc2cbcParameter,rc2ParameterVersion) }, + { 0 } +}; + +/* S/MIME picked id values to represent differnt keysizes */ +/* I do have a formula, but it ain't pretty, and it only works because you + * can always match three points to a parabola:) */ +static unsigned char rc2_map(SECItem *version) +{ + long x; + + x = DER_GetInteger(version); + + switch (x) { + case 58: return 128; + case 120: return 64; + case 160: return 40; + } + return 128; +} + +static unsigned long rc2_unmap(unsigned long x) +{ + switch (x) { + case 128: return 58; + case 64: return 120; + case 40: return 160; + } + return 58; +} + + + +/* Generate a mechaism param from a type, and iv. */ +SECItem * +PK11_ParamFromAlgid(SECAlgorithmID *algid) +{ + CK_RC2_CBC_PARAMS *rc2_params = NULL; + CK_RC2_PARAMS *rc2_ecb_params = NULL; + CK_RC5_CBC_PARAMS *rc5_params_cbc; + CK_RC5_PARAMS *rc5_params_ecb; + SECItem iv; + sec_rc2cbcParameter rc2; + sec_rc5cbcParameter rc5; + SECItem *mech; + CK_MECHANISM_TYPE type; + SECOidTag algtag; + SECStatus rv; + + algtag = SECOID_GetAlgorithmTag(algid); + type = PK11_AlgtagToMechanism(algtag); + + mech = (SECItem *) PORT_Alloc(sizeof(SECItem)); + if (mech == NULL) return NULL; + mech->type = siBuffer; + + + /* handle the complicated cases */ + switch (type) { + case CKM_RC2_ECB: + rv = SEC_ASN1DecodeItem(NULL, &rc2 ,sec_rc2ecb_parameter_template, + &(algid->parameters)); + if (rv != SECSuccess) { + PORT_Free(mech); + return NULL; + } + rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS)); + if (rc2_ecb_params == NULL) { + PORT_Free(rc2.rc2ParameterVersion.data); + PORT_Free(mech); + return NULL; + } + *rc2_ecb_params = rc2_map(&rc2.rc2ParameterVersion); + PORT_Free(rc2.rc2ParameterVersion.data); + mech->data = (unsigned char *) rc2_ecb_params; + mech->len = sizeof(CK_RC2_PARAMS); + return mech; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rv = SEC_ASN1DecodeItem(NULL, &rc2 ,sec_rc2cbc_parameter_template, + &(algid->parameters)); + if (rv != SECSuccess) { + PORT_Free(mech); + return NULL; + } + rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS)); + if (rc2_params == NULL) { + PORT_Free(rc2.iv.data); + PORT_Free(rc2.rc2ParameterVersion.data); + PORT_Free(mech); + return NULL; + } + rc2_params->ulEffectiveBits = rc2_map(&rc2.rc2ParameterVersion); + PORT_Free(rc2.rc2ParameterVersion.data); + PORT_Memcpy(rc2_params->iv,rc2.iv.data,sizeof(rc2_params->iv)); + PORT_Free(rc2.iv.data); + mech->data = (unsigned char *) rc2_params; + mech->len = sizeof(CK_RC2_CBC_PARAMS); + return mech; + case CKM_RC5_ECB: + rv = SEC_ASN1DecodeItem(NULL, &rc5 ,sec_rc5ecb_parameter_template, + &(algid->parameters)); + if (rv != SECSuccess) { + PORT_Free(mech); + return NULL; + } + rc5_params_ecb=(CK_RC5_PARAMS *)PORT_Alloc(sizeof(CK_RC5_PARAMS)); + PORT_Free(rc5.version.data); + if (rc5_params_ecb == NULL) { + PORT_Free(rc5.rounds.data); + PORT_Free(rc5.blockSizeInBits.data); + PORT_Free(mech); + return NULL; + } + rc5_params_ecb->ulRounds = DER_GetInteger(&rc5.rounds); + rc5_params_ecb->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8; + PORT_Free(rc5.rounds.data); + PORT_Free(rc5.blockSizeInBits.data); + mech->data = (unsigned char *) rc5_params_ecb; + mech->len = sizeof(CK_RC5_PARAMS); + return mech; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rv = SEC_ASN1DecodeItem(NULL, &rc5 ,sec_rc5cbc_parameter_template, + &(algid->parameters)); + if (rv != SECSuccess) { + PORT_Free(mech); + return NULL; + } + rc5_params_cbc = (CK_RC5_CBC_PARAMS *) + PORT_Alloc(sizeof(CK_RC5_CBC_PARAMS) + rc5.iv.len); + PORT_Free(rc5.version.data); + if (rc2_params == NULL) { + PORT_Free(rc5.iv.data); + PORT_Free(rc5.rounds.data); + PORT_Free(rc5.blockSizeInBits.data); + PORT_Free(mech); + return NULL; + } + rc5_params_cbc->ulRounds = DER_GetInteger(&rc5.rounds); + rc5_params_cbc->ulWordsize = DER_GetInteger(&rc5.blockSizeInBits)/8; + PORT_Free(rc5.rounds.data); + PORT_Free(rc5.blockSizeInBits.data); + rc5_params_cbc->pIv = ((CK_BYTE_PTR)rc5_params_cbc) + + sizeof(CK_RC5_CBC_PARAMS); + PORT_Memcpy(rc5_params_cbc->pIv,rc5.iv.data,rc5.iv.len); + rc5_params_cbc->ulIvLen = rc5.iv.len; + PORT_Free(rc5.iv.data); + mech->data = (unsigned char *) rc5_params_cbc; + mech->len = sizeof(CK_RC5_CBC_PARAMS); + return mech; + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_DES2_EDE_CBC: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + rv = pbe_PK11AlgidToParam(algid,mech); + if (rv != SECSuccess) { + PORT_Free(mech); + return NULL; + } + return mech; + default: + /* must be a simple case */ + break; + } + + /* simple cases are simpley Octect encoded IV's */ + rv = SEC_ASN1DecodeItem(NULL, &iv, SEC_OctetStringTemplate, + &(algid->parameters)); + if (rv != SECSuccess) { + iv.data = NULL; + iv.len = 0; + } + + rv = SECSuccess; + switch (type) { + case CKM_RC4: + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + mech->data = NULL; + mech->len = 0; + break; + default: + if (pk11_lookup(type)->iv == 0) { + mech->data = NULL; + mech->len = 0; + break; + } + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_AES_CBC_PAD: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + if (iv.data == NULL) { + rv = SECFailure; + break; + } + mech->data = (unsigned char*)PORT_Alloc(iv.len); + if (mech->data == NULL) { + rv = SECFailure; + break; + } + PORT_Memcpy(mech->data,iv.data,iv.len); + mech->len = iv.len; + break; + } + if (iv.data) PORT_Free(iv.data); + if (rv != SECSuccess) { + SECITEM_FreeItem(mech,PR_TRUE); + return NULL; + } + return mech; +} + +SECStatus +PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) { + CK_RV crv; + + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session,data, (CK_ULONG)len); + PK11_ExitSlotMonitor(slot); + return (crv != CKR_OK) ? SECFailure : SECSuccess; +} + +/* Attempts to update the Best Slot for "FAKE RANDOM" generation. +** If that's not the internal slot, then it also attempts to update the +** internal slot. +** The return value indicates if the INTERNAL slot was updated OK. +*/ +SECStatus +PK11_RandomUpdate(void *data, size_t bytes) +{ + PK11SlotInfo *slot; + PRBool bestIsInternal; + SECStatus status; + + slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL); + if (slot == NULL) { + slot = PK11_GetInternalSlot(); + if (!slot) + return SECFailure; + } + + bestIsInternal = PK11_IsInternal(slot); + status = PK11_SeedRandom(slot, data, bytes); + PK11_FreeSlot(slot); + + if (!bestIsInternal) { + /* do internal slot, too. */ + slot = PK11_GetInternalSlot(); /* can't fail */ + status = PK11_SeedRandom(slot, data, bytes); + PK11_FreeSlot(slot); + } + return status; +} + + +SECStatus +PK11_GenerateRandom(unsigned char *data,int len) { + PK11SlotInfo *slot; + CK_RV crv; + + slot = PK11_GetBestSlot(CKM_FAKE_RANDOM,NULL); + if (slot == NULL) return SECFailure; + + if (!slot->isInternal) PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session,data, + (CK_ULONG)len); + if (!slot->isInternal) PK11_ExitSlotMonitor(slot); + PK11_FreeSlot(slot); + return (crv != CKR_OK) ? SECFailure : SECSuccess; +} + +/* + * Generate an IV for the given mechanism + */ +static SECStatus +pk11_GenIV(CK_MECHANISM_TYPE type, SECItem *iv) { + int iv_size = PK11_GetIVLength(type); + SECStatus rv; + + iv->len = iv_size; + if (iv_size == 0) { + iv->data = NULL; + return SECSuccess; + } + + iv->data = (unsigned char *) PORT_Alloc(iv_size); + if (iv->data == NULL) { + iv->len = 0; + return SECFailure; + } + + rv = PK11_GenerateRandom(iv->data,iv->len); + if (rv != SECSuccess) { + PORT_Free(iv->data); + iv->data = NULL; iv->len = 0; + return SECFailure; + } + return SECSuccess; +} + + +/* + * create a new paramter block from the passed in MECHANISM and the + * key. Use Netscape's S/MIME Rules for the New param block. + */ +SECItem * +PK11_GenerateNewParam(CK_MECHANISM_TYPE type, PK11SymKey *key) { + CK_RC2_CBC_PARAMS *rc2_params; + CK_RC2_PARAMS *rc2_ecb_params; + SECItem *mech; + SECItem iv; + SECStatus rv; + + + mech = (SECItem *) PORT_Alloc(sizeof(SECItem)); + if (mech == NULL) return NULL; + + rv = SECSuccess; + mech->type = siBuffer; + switch (type) { + case CKM_RC4: + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + mech->data = NULL; + mech->len = 0; + break; + case CKM_RC2_ECB: + rc2_ecb_params = (CK_RC2_PARAMS *)PORT_Alloc(sizeof(CK_RC2_PARAMS)); + if (rc2_ecb_params == NULL) { + rv = SECFailure; + break; + } + /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5, + * or RC4 key. Of course that wouldn't happen here doing RC2:).*/ + *rc2_ecb_params = PK11_GetKeyLength(key)*8; + mech->data = (unsigned char *) rc2_ecb_params; + mech->len = sizeof(CK_RC2_PARAMS); + break; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rv = pk11_GenIV(type,&iv); + if (rv != SECSuccess) { + break; + } + rc2_params = (CK_RC2_CBC_PARAMS *)PORT_Alloc(sizeof(CK_RC2_CBC_PARAMS)); + if (rc2_params == NULL) { + PORT_Free(iv.data); + rv = SECFailure; + break; + } + /* NOTE PK11_GetKeyLength can return -1 if the key isn't and RC2, RC5, + * or RC4 key. Of course that wouldn't happen here doing RC2:).*/ + rc2_params->ulEffectiveBits = PK11_GetKeyLength(key)*8; + if (iv.data) + PORT_Memcpy(rc2_params->iv,iv.data,sizeof(rc2_params->iv)); + mech->data = (unsigned char *) rc2_params; + mech->len = sizeof(CK_RC2_CBC_PARAMS); + PORT_Free(iv.data); + break; + case CKM_RC5_ECB: + PORT_Free(mech); + return PK11_ParamFromIV(type,NULL); + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rv = pk11_GenIV(type,&iv); + if (rv != SECSuccess) { + break; + } + PORT_Free(mech); + return PK11_ParamFromIV(type,&iv); + default: + if (pk11_lookup(type)->iv == 0) { + mech->data = NULL; + mech->len = 0; + break; + } + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + rv = pk11_GenIV(type,&iv); + if (rv != SECSuccess) { + break; + } + mech->data = (unsigned char*)PORT_Alloc(iv.len); + if (mech->data == NULL) { + PORT_Free(iv.data); + rv = SECFailure; + break; + } + PORT_Memcpy(mech->data,iv.data,iv.len); + mech->len = iv.len; + PORT_Free(iv.data); + break; + } + if (rv != SECSuccess) { + SECITEM_FreeItem(mech,PR_TRUE); + return NULL; + } + return mech; + +} + +#define RC5_V10 0x10 + +/* turn a PKCS #11 parameter into a DER Encoded Algorithm ID */ +SECStatus +PK11_ParamToAlgid(SECOidTag algTag, SECItem *param, + PRArenaPool *arena, SECAlgorithmID *algid) { + CK_RC2_CBC_PARAMS *rc2_params; + sec_rc2cbcParameter rc2; + CK_RC5_CBC_PARAMS *rc5_params; + sec_rc5cbcParameter rc5; + CK_MECHANISM_TYPE type = PK11_AlgtagToMechanism(algTag); + SECItem *newParams = NULL; + SECStatus rv = SECFailure; + unsigned long rc2version; + + rv = SECSuccess; + switch (type) { + case CKM_RC4: + case CKM_AES_ECB: + case CKM_DES_ECB: + case CKM_DES3_ECB: + case CKM_IDEA_ECB: + case CKM_CDMF_ECB: + case CKM_CAST_ECB: + case CKM_CAST3_ECB: + case CKM_CAST5_ECB: + newParams = NULL; + rv = SECSuccess; + break; + case CKM_RC2_ECB: + break; + case CKM_RC2_CBC: + case CKM_RC2_CBC_PAD: + rc2_params = (CK_RC2_CBC_PARAMS *)param->data; + rc2version = rc2_unmap(rc2_params->ulEffectiveBits); + if (SEC_ASN1EncodeUnsignedInteger (NULL, &(rc2.rc2ParameterVersion), + rc2version) == NULL) + break; + rc2.iv.data = rc2_params->iv; + rc2.iv.len = sizeof(rc2_params->iv); + newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc2, + sec_rc2cbc_parameter_template); + PORT_Free(rc2.rc2ParameterVersion.data); + if (newParams == NULL) + break; + rv = SECSuccess; + break; + + case CKM_RC5_ECB: /* well not really... */ + break; + case CKM_RC5_CBC: + case CKM_RC5_CBC_PAD: + rc5_params = (CK_RC5_CBC_PARAMS *)param->data; + if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.version, RC5_V10) == NULL) + break; + if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.blockSizeInBits, + rc5_params->ulWordsize*8) == NULL) { + PORT_Free(rc5.version.data); + break; + } + if (SEC_ASN1EncodeUnsignedInteger (NULL, &rc5.rounds, + rc5_params->ulWordsize*8) == NULL) { + PORT_Free(rc5.blockSizeInBits.data); + PORT_Free(rc5.version.data); + break; + } + rc5.iv.data = rc5_params->pIv; + rc5.iv.len = rc5_params->ulIvLen; + newParams = SEC_ASN1EncodeItem (NULL, NULL, &rc5, + sec_rc5cbc_parameter_template); + PORT_Free(rc5.version.data); + PORT_Free(rc5.blockSizeInBits.data); + PORT_Free(rc5.rounds.data); + if (newParams == NULL) + break; + rv = SECSuccess; + break; + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + case CKM_PBE_SHA1_RC2_128_CBC: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + return PBE_PK11ParamToAlgid(algTag, param, arena, algid); + default: + if (pk11_lookup(type)->iv == 0) { + rv = SECSuccess; + newParams = NULL; + break; + } + case CKM_AES_CBC: + case CKM_DES_CBC: + case CKM_DES3_CBC: + case CKM_IDEA_CBC: + case CKM_CDMF_CBC: + case CKM_CAST_CBC: + case CKM_CAST3_CBC: + case CKM_CAST5_CBC: + case CKM_DES_CBC_PAD: + case CKM_DES3_CBC_PAD: + case CKM_IDEA_CBC_PAD: + case CKM_CDMF_CBC_PAD: + case CKM_CAST_CBC_PAD: + case CKM_CAST3_CBC_PAD: + case CKM_CAST5_CBC_PAD: + case CKM_SKIPJACK_CBC64: + case CKM_SKIPJACK_ECB64: + case CKM_SKIPJACK_OFB64: + case CKM_SKIPJACK_CFB64: + case CKM_SKIPJACK_CFB32: + case CKM_SKIPJACK_CFB16: + case CKM_SKIPJACK_CFB8: + case CKM_BATON_ECB128: + case CKM_BATON_ECB96: + case CKM_BATON_CBC128: + case CKM_BATON_COUNTER: + case CKM_BATON_SHUFFLE: + case CKM_JUNIPER_ECB128: + case CKM_JUNIPER_CBC128: + case CKM_JUNIPER_COUNTER: + case CKM_JUNIPER_SHUFFLE: + newParams = SEC_ASN1EncodeItem(NULL,NULL,param, + SEC_OctetStringTemplate); + rv = SECSuccess; + break; + } + + if (rv != SECSuccess) { + if (newParams) SECITEM_FreeItem(newParams,PR_TRUE); + return rv; + } + + rv = SECOID_SetAlgorithmID(arena, algid, algTag, newParams); + SECITEM_FreeItem(newParams,PR_TRUE); + return rv; +} + +/* turn an OID algorithm tag into a PKCS #11 mechanism. This allows us to + * map OID's directly into the PKCS #11 mechanism we want to call. We find + * this mapping in our standard OID table */ +CK_MECHANISM_TYPE +PK11_AlgtagToMechanism(SECOidTag algTag) { + SECOidData *oid = SECOID_FindOIDByTag(algTag); + + if (oid) return (CK_MECHANISM_TYPE) oid->mechanism; + return CKM_INVALID_MECHANISM; +} + +/* turn a mechanism into an oid. */ +SECOidTag +PK11_MechanismToAlgtag(CK_MECHANISM_TYPE type) { + SECOidData *oid = SECOID_FindOIDByMechanism((unsigned long)type); + + if (oid) return oid->offset; + return SEC_OID_UNKNOWN; +} + +/* Determine appropriate blocking mechanism, used when wrapping private keys + * which require PKCS padding. If the mechanism does not map to a padding + * mechanism, we simply return the mechanism. + */ +CK_MECHANISM_TYPE +PK11_GetPadMechanism(CK_MECHANISM_TYPE type) { + switch(type) { + case CKM_AES_CBC: + return CKM_AES_CBC_PAD; + case CKM_DES_CBC: + return CKM_DES_CBC_PAD; + case CKM_DES3_CBC: + return CKM_DES3_CBC_PAD; + case CKM_RC2_CBC: + return CKM_RC2_CBC_PAD; + case CKM_CDMF_CBC: + return CKM_CDMF_CBC_PAD; + case CKM_CAST_CBC: + return CKM_CAST_CBC_PAD; + case CKM_CAST3_CBC: + return CKM_CAST3_CBC_PAD; + case CKM_CAST5_CBC: + return CKM_CAST5_CBC_PAD; + case CKM_RC5_CBC: + return CKM_RC5_CBC_PAD; + case CKM_IDEA_CBC: + return CKM_IDEA_CBC_PAD; + default: + break; + } + + return type; +} + +/* + * Build a block big enough to hold the data + */ +SECItem * +PK11_BlockData(SECItem *data,unsigned long size) { + SECItem *newData; + + newData = (SECItem *)PORT_Alloc(sizeof(SECItem)); + if (newData == NULL) return NULL; + + newData->len = (data->len + (size-1))/size; + newData->len *= size; + + newData->data = (unsigned char *) PORT_ZAlloc(newData->len); + if (newData->data == NULL) { + PORT_Free(newData); + return NULL; + } + PORT_Memset(newData->data,newData->len-data->len,newData->len); + PORT_Memcpy(newData->data,data->data,data->len); + return newData; +} + + +SECStatus +PK11_DestroyObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) { + CK_RV crv; + + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_DestroyObject(slot->session,object); + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + return SECFailure; + } + return SECSuccess; +} + +SECStatus +PK11_DestroyTokenObject(PK11SlotInfo *slot,CK_OBJECT_HANDLE object) { + CK_RV crv; + SECStatus rv = SECSuccess; + CK_SESSION_HANDLE rwsession; + + + rwsession = PK11_GetRWSession(slot); + + crv = PK11_GETTAB(slot)->C_DestroyObject(rwsession,object); + if (crv != CKR_OK) { + rv = SECFailure; + PORT_SetError(PK11_MapError(crv)); + } + PK11_RestoreROSession(slot,rwsession); + return rv; +} + +/* + * Read in a single attribute into a SECItem. Allocate space for it with + * PORT_Alloc unless an arena is supplied. In the latter case use the arena + * to allocate the space. + */ +SECStatus +PK11_ReadAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type, PRArenaPool *arena, SECItem *result) { + CK_ATTRIBUTE attr = { 0, NULL, 0 }; + CK_RV crv; + + attr.type = type; + + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1); + if (crv != CKR_OK) { + PK11_ExitSlotMonitor(slot); + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + if (arena) { + attr.pValue = PORT_ArenaAlloc(arena,attr.ulValueLen); + } else { + attr.pValue = PORT_Alloc(attr.ulValueLen); + } + if (attr.pValue == NULL) return SECFailure; + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1); + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + if (!arena) PORT_Free(attr.pValue); + return SECFailure; + } + + result->data = (unsigned char*)attr.pValue; + result->len = attr.ulValueLen; + + return SECSuccess; +} + +/* + * Read in a single attribute into As a Ulong. + */ +CK_ULONG +PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type) { + CK_ATTRIBUTE attr; + CK_ULONG value = CK_UNAVAILABLE_INFORMATION; + CK_RV crv; + + PK11_SETATTRS(&attr,type,&value,sizeof(value)); + + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,id,&attr,1); + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + } + return value; +} + +/* + * check to see if a bool has been set. + */ +CK_BBOOL +PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + CK_ATTRIBUTE_TYPE type ) +{ + CK_BBOOL ckvalue = CK_FALSE; + CK_ATTRIBUTE theTemplate; + CK_RV crv; + + /* Prepare to retrieve the attribute. */ + PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) ); + + /* Retrieve attribute value. */ + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id, + &theTemplate, 1 ); + PK11_ExitSlotMonitor(slot); + if( crv != CKR_OK ) { + PORT_SetError( PK11_MapError( crv ) ); + return CK_FALSE; + } + + return ckvalue; +} + +/* + * returns a full list of attributes. Allocate space for them. If an arena is + * provided, allocate space out of the arena. + */ +CK_RV +PK11_GetAttributes(PRArenaPool *arena,PK11SlotInfo *slot, + CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count) +{ + int i; + /* make pedantic happy... note that it's only used arena != NULL */ + void *mark = NULL; + CK_RV crv; + + /* + * first get all the lengths of the parameters. + */ + PK11_EnterSlotMonitor(slot); + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count); + if (crv != CKR_OK) { + PK11_ExitSlotMonitor(slot); + return crv; + } + + if (arena) { + mark = PORT_ArenaMark(arena); + if (mark == NULL) return CKR_HOST_MEMORY; + } + + /* + * now allocate space to store the results. + */ + for (i=0; i < count; i++) { + if (arena) { + attr[i].pValue = PORT_ArenaAlloc(arena,attr[i].ulValueLen); + if (attr[i].pValue == NULL) { + /* arena failures, just release the mark */ + PORT_ArenaRelease(arena,mark); + PK11_ExitSlotMonitor(slot); + return CKR_HOST_MEMORY; + } + } else { + attr[i].pValue = PORT_Alloc(attr[i].ulValueLen); + if (attr[i].pValue == NULL) { + /* Separate malloc failures, loop to release what we have + * so far */ + int j; + for (j= 0; j < i; j++) { + PORT_Free(attr[j].pValue); + /* don't give the caller pointers to freed memory */ + attr[j].pValue = NULL; + } + PK11_ExitSlotMonitor(slot); + return CKR_HOST_MEMORY; + } + } + } + + /* + * finally get the results. + */ + crv = PK11_GETTAB(slot)->C_GetAttributeValue(slot->session,obj,attr,count); + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + if (arena) { + PORT_ArenaRelease(arena,mark); + } else { + for (i= 0; i < count; i++) { + PORT_Free(attr[i].pValue); + /* don't give the caller pointers to freed memory */ + attr[i].pValue = NULL; + } + } + } else if (arena && mark) { + PORT_ArenaUnmark(arena,mark); + } + return crv; +} + +/* + * Reset the token to it's initial state. For the internal module, this will + * Purge your keydb, and reset your cert db certs to USER_INIT. + */ +SECStatus +PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd) +{ + unsigned char tokenName[32]; + int tokenNameLen; + CK_RV crv; + + /* reconstruct the token name */ + tokenNameLen = PORT_Strlen(slot->token_name); + if (tokenNameLen > sizeof(tokenName)) { + tokenNameLen = sizeof(tokenName); + } + + PORT_Memcpy(tokenName,slot->token_name,tokenNameLen); + if (tokenNameLen < sizeof(tokenName)) { + PORT_Memset(&tokenName[tokenNameLen],' ', + sizeof(tokenName)-tokenNameLen); + } + + /* initialize the token */ + PK11_EnterSlotMonitor(slot); + + /* first shutdown the token. Existing sessions will get closed here */ + PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID); + slot->session = CK_INVALID_SESSION; + + /* now re-init the token */ + crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID, + (unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd): 0, tokenName); + + /* finally bring the token back up */ + PK11_InitToken(slot,PR_TRUE); + PK11_ExitSlotMonitor(slot); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + return SECSuccess; +} + +static PRBool +pk11_isAllZero(unsigned char *data,int len) { + while (len--) { + if (*data++) { + return PR_FALSE; + } + } + return PR_TRUE; +} + +CK_RV +PK11_MapPBEMechanismToCryptoMechanism(CK_MECHANISM_PTR pPBEMechanism, + CK_MECHANISM_PTR pCryptoMechanism, + SECItem *pbe_pwd, PRBool faulty3DES) +{ + int iv_len = 0; + CK_PBE_PARAMS_PTR pPBEparams; + CK_RC2_CBC_PARAMS_PTR rc2_params; + CK_ULONG rc2_key_len; + + if((pPBEMechanism == CK_NULL_PTR) || (pCryptoMechanism == CK_NULL_PTR)) { + return CKR_HOST_MEMORY; + } + + pPBEparams = (CK_PBE_PARAMS_PTR)pPBEMechanism->pParameter; + iv_len = PK11_GetIVLength(pPBEMechanism->mechanism); + + if (iv_len) { + if (pk11_isAllZero(pPBEparams->pInitVector,iv_len)) { + SECItem param; + PK11SymKey *symKey; + PK11SlotInfo *intSlot = PK11_GetInternalSlot(); + + if (intSlot == NULL) { + return CKR_DEVICE_ERROR; + } + + param.data = pPBEMechanism->pParameter; + param.len = pPBEMechanism->ulParameterLen; + + symKey = PK11_RawPBEKeyGen(intSlot, + pPBEMechanism->mechanism, ¶m, pbe_pwd, faulty3DES, NULL); + PK11_FreeSlot(intSlot); + if (symKey== NULL) { + return CKR_DEVICE_ERROR; /* sigh */ + } + PK11_FreeSymKey(symKey); + } + } + + switch(pPBEMechanism->mechanism) { + case CKM_PBE_MD2_DES_CBC: + case CKM_PBE_MD5_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_DES_CBC: + pCryptoMechanism->mechanism = CKM_DES_CBC; + goto have_crypto_mechanism; + case CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC: + case CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC: + case CKM_PBE_SHA1_DES3_EDE_CBC: + case CKM_PBE_SHA1_DES2_EDE_CBC: + pCryptoMechanism->mechanism = CKM_DES3_CBC; +have_crypto_mechanism: + pCryptoMechanism->pParameter = PORT_Alloc(iv_len); + pCryptoMechanism->ulParameterLen = (CK_ULONG)iv_len; + if(pCryptoMechanism->pParameter == NULL) { + return CKR_HOST_MEMORY; + } + PORT_Memcpy((unsigned char *)(pCryptoMechanism->pParameter), + (unsigned char *)(pPBEparams->pInitVector), + iv_len); + break; + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC4: + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC4: + case CKM_PBE_SHA1_RC4_40: + case CKM_PBE_SHA1_RC4_128: + pCryptoMechanism->mechanism = CKM_RC4; + pCryptoMechanism->ulParameterLen = 0; + pCryptoMechanism->pParameter = CK_NULL_PTR; + break; + case CKM_NETSCAPE_PBE_SHA1_40_BIT_RC2_CBC: + case CKM_PBE_SHA1_RC2_40_CBC: + rc2_key_len = 40; + goto have_key_len; + case CKM_NETSCAPE_PBE_SHA1_128_BIT_RC2_CBC: + rc2_key_len = 128; +have_key_len: + pCryptoMechanism->mechanism = CKM_RC2_CBC; + pCryptoMechanism->ulParameterLen = (CK_ULONG) + sizeof(CK_RC2_CBC_PARAMS); + pCryptoMechanism->pParameter = (CK_RC2_CBC_PARAMS_PTR) + PORT_ZAlloc(sizeof(CK_RC2_CBC_PARAMS)); + if(pCryptoMechanism->pParameter == NULL) { + return CKR_HOST_MEMORY; + } + rc2_params = (CK_RC2_CBC_PARAMS_PTR)pCryptoMechanism->pParameter; + PORT_Memcpy((unsigned char *)rc2_params->iv, + (unsigned char *)pPBEparams->pInitVector, + iv_len); + rc2_params->ulEffectiveBits = rc2_key_len; + break; + default: + return CKR_MECHANISM_INVALID; + } + + return CKR_OK; +} + +PRBool +PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle) +{ + return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN); +} + +char * +PK11_GetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id) +{ + char *nickname = NULL; + SECItem result; + SECStatus rv; + + rv = PK11_ReadAttribute(slot,id,CKA_LABEL,NULL,&result); + if (rv != SECSuccess) { + return NULL; + } + + nickname = PORT_ZAlloc(result.len+1); + if (nickname == NULL) { + PORT_Free(result.data); + return NULL; + } + PORT_Memcpy(nickname, result.data, result.len); + PORT_Free(result.data); + return nickname; +} + +SECStatus +PK11_SetObjectNickname(PK11SlotInfo *slot, CK_OBJECT_HANDLE id, + const char *nickname) +{ + int len = PORT_Strlen(nickname); + CK_ATTRIBUTE setTemplate; + CK_RV crv; + CK_SESSION_HANDLE rwsession; + + if (len < 0) { + return SECFailure; + } + + PK11_SETATTRS(&setTemplate, CKA_LABEL, (CK_CHAR *) nickname, len); + rwsession = PK11_GetRWSession(slot); + crv = PK11_GETTAB(slot)->C_SetAttributeValue(rwsession, id, + &setTemplate, 1); + PK11_RestoreROSession(slot, rwsession); + if (crv != CKR_OK) { + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + return SECSuccess; +} + +/* + * wait for a token to change it's state. The application passes in the expected + * new state in event. + */ +PK11TokenStatus +PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, + PRIntervalTime timeout, PRIntervalTime latency, int series) +{ + PRIntervalTime first_time = 0; + PRBool first_time_set = PR_FALSE; + PRBool waitForRemoval; + + if (slot->isPerm) { + return PK11TokenNotRemovable; + } + if (latency == 0) { + latency = PR_SecondsToInterval(5); + } + waitForRemoval = (PRBool) (event == PK11TokenRemovedOrChangedEvent); + + if (series == 0) { + series = PK11_GetSlotSeries(slot); + } + while (PK11_IsPresent(slot) == waitForRemoval ) { + PRIntervalTime interval; + + if (waitForRemoval && series != PK11_GetSlotSeries(slot)) { + return PK11TokenChanged; + } + if (timeout == PR_INTERVAL_NO_WAIT) { + return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; + } + if (timeout == PR_INTERVAL_NO_TIMEOUT ) { + interval = PR_IntervalNow(); + if (!first_time_set) { + first_time = interval; + first_time_set = PR_TRUE; + } + if ((interval-first_time) > timeout) { + return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; + } + } + PR_Sleep(latency); + } + return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent; +} + diff --git a/security/nss/lib/pk11wrap/secmodt.h b/security/nss/lib/pk11wrap/secmodt.h new file mode 100644 index 000000000..919d3bca3 --- /dev/null +++ b/security/nss/lib/pk11wrap/secmodt.h @@ -0,0 +1,263 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + * + * Definition of Security Module Data Structure. There is a separate data + * structure for each loaded PKCS #11 module. + */ +#ifndef _SECMODT_H_ +#define _SECMODT_H_ 1 + +#include "secoid.h" +#include "secasn1.h" + +/* find a better home for these... */ +extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[]; +extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate; +extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[]; +extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[]; +extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate; +extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[]; +extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate; + +/* PKCS11 needs to be included */ +typedef struct SECMODModuleStr SECMODModule; +typedef struct SECMODModuleListStr SECMODModuleList; +typedef struct SECMODListLockStr SECMODListLock; /* defined in secmodi.h */ +typedef struct PK11SlotInfoStr PK11SlotInfo; /* defined in secmodti.h */ +typedef struct PK11PreSlotInfoStr PK11PreSlotInfo; /* defined in secmodti.h */ +typedef struct PK11SymKeyStr PK11SymKey; /* defined in secmodti.h */ +typedef struct PK11ContextStr PK11Context; /* defined in secmodti.h */ +typedef struct PK11SlotListStr PK11SlotList; +typedef struct PK11SlotListElementStr PK11SlotListElement; +typedef struct PK11RSAGenParamsStr PK11RSAGenParams; +typedef unsigned long SECMODModuleID; +typedef struct PK11DefaultArrayEntryStr PK11DefaultArrayEntry; + +struct SECMODModuleStr { + PRArenaPool *arena; + PRBool internal; /* true of internally linked modules, false + * for the loaded modules */ + PRBool loaded; /* Set to true if module has been loaded */ + PRBool isFIPS; /* Set to true if module is finst internal */ + char *dllName; /* name of the shared library which implements + * this module */ + char *commonName; /* name of the module to display to the user */ + void *library; /* pointer to the library. opaque. used only by + * pk11load.c */ + void *functionList; /* The PKCS #11 function table */ + void *refLock; /* only used pk11db.c */ + int refCount; /* Module reference count */ + PK11SlotInfo **slots; /* array of slot points attatched to this mod*/ + int slotCount; /* count of slot in above array */ + PK11PreSlotInfo *slotInfo; /* special info about slots default settings */ + int slotInfoCount; /* count */ + SECMODModuleID moduleID; /* ID so we can find this module again */ + PRBool isThreadSafe; + unsigned long ssl[2]; /* SSL cipher enable flags */ + char *libraryParams; /* Module specific parameters */ + void *moduleDBFunc; /* function to return module configuration data*/ + SECMODModule *parent; /* module that loaded us */ + PRBool isCritical; /* This module must load successfully */ + PRBool isModuleDB; /* this module has lists of PKCS #11 modules */ + PRBool moduleDBOnly; /* this module only has lists of PKCS #11 modules */ + int trustOrder; /* order for this module's certificate trust rollup */ + int cipherOrder; /* order for cipher operations */ +}; + +struct SECMODModuleListStr { + SECMODModuleList *next; + SECMODModule *module; +}; + +struct PK11SlotListStr { + PK11SlotListElement *head; + PK11SlotListElement *tail; + void *lock; +}; + +struct PK11SlotListElementStr { + PK11SlotListElement *next; + PK11SlotListElement *prev; + PK11SlotInfo *slot; + int refCount; +}; + +struct PK11RSAGenParamsStr { + int keySizeInBits; + unsigned long pe; +}; + +typedef enum { + PK11CertListUnique = 0, + PK11CertListUser = 1, + PK11CertListRootUnique = 2, + PK11CertListCA = 3 +} PK11CertListType; + +/* + * Entry into the Array which lists all the legal bits for the default flags + * in the slot, their definition, and the PKCS #11 mechanism the represent + * Always Statically allocated. + */ +struct PK11DefaultArrayEntryStr { + char *name; + unsigned long flag; + unsigned long mechanism; /* this is a long so we don't include the + * whole pkcs 11 world to use this header */ +}; + + +#define SECMOD_RSA_FLAG 0x00000001L +#define SECMOD_DSA_FLAG 0x00000002L +#define SECMOD_RC2_FLAG 0x00000004L +#define SECMOD_RC4_FLAG 0x00000008L +#define SECMOD_DES_FLAG 0x00000010L +#define SECMOD_DH_FLAG 0x00000020L +#define SECMOD_FORTEZZA_FLAG 0x00000040L +#define SECMOD_RC5_FLAG 0x00000080L +#define SECMOD_SHA1_FLAG 0x00000100L +#define SECMOD_MD5_FLAG 0x00000200L +#define SECMOD_MD2_FLAG 0x00000400L +#define SECMOD_SSL_FLAG 0x00000800L +#define SECMOD_TLS_FLAG 0x00001000L +#define SECMOD_AES_FLAG 0x00002000L +/* reserved bit for future, do not use */ +#define SECMOD_RESERVED_FLAG 0X08000000L +#define SECMOD_FRIENDLY_FLAG 0x10000000L +#define SECMOD_RANDOM_FLAG 0x80000000L + +/* need to make SECMOD and PK11 prefixes consistant. */ +#define PK11_OWN_PW_DEFAULTS 0x20000000L +#define PK11_DISABLE_FLAG 0x40000000L + +/* FAKE PKCS #11 defines */ +#define CKM_FAKE_RANDOM 0x80000efeL +#define CKM_INVALID_MECHANISM 0xffffffffL +#define CKA_DIGEST 0x81000000L + +/* Cryptographic module types */ +#define SECMOD_EXTERNAL 0 /* external module */ +#define SECMOD_INTERNAL 1 /* internal default module */ +#define SECMOD_FIPS 2 /* internal fips module */ + +/* default module configuration strings */ +#define SECMOD_SLOT_FLAGS "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES]" + +#define SECMOD_MAKE_NSS_FLAGS(fips,slot) \ +"Flags=internal,critical"fips" slotparams=("#slot"={"SECMOD_SLOT_FLAGS"})" + +#define SECMOD_INT_NAME "NSS Internal PKCS #11 Module" +#define SECMOD_INT_FLAGS SECMOD_MAKE_NSS_FLAGS("",1) +#define SECMOD_FIPS_NAME "NSS Internal FIPS PKCS #11 Module" +#define SECMOD_FIPS_FLAGS SECMOD_MAKE_NSS_FLAGS(",fips",3) + + +/* + * What is the origin of a given Key. Normally this doesn't matter, but + * the fortezza code needs to know if it needs to invoke the SSL3 fortezza + * hack. + */ +typedef enum { + PK11_OriginNULL = 0, /* There is not key, it's a null SymKey */ + PK11_OriginDerive = 1, /* Key was derived from some other key */ + PK11_OriginGenerated = 2, /* Key was generated (also PBE keys) */ + PK11_OriginFortezzaHack = 3,/* Key was marked for fortezza hack */ + PK11_OriginUnwrap = 4 /* Key was unwrapped or decrypted */ +} PK11Origin; + +/* PKCS #11 disable reasons */ +typedef enum { + PK11_DIS_NONE = 0, + PK11_DIS_USER_SELECTED = 1, + PK11_DIS_COULD_NOT_INIT_TOKEN = 2, + PK11_DIS_TOKEN_VERIFY_FAILED = 3, + PK11_DIS_TOKEN_NOT_PRESENT = 4 +} PK11DisableReasons; + +/* function pointer type for password callback function. + * This type is passed in to PK11_SetPasswordFunc() + */ +typedef char *(PR_CALLBACK *PK11PasswordFunc)(PK11SlotInfo *slot, PRBool retry, void *arg); +typedef PRBool (PR_CALLBACK *PK11VerifyPasswordFunc)(PK11SlotInfo *slot, void *arg); +typedef PRBool (PR_CALLBACK *PK11IsLoggedInFunc)(PK11SlotInfo *slot, void *arg); + +/* + * PKCS #11 key structures + */ + +/* +** Attributes +*/ +struct SECKEYAttributeStr { + SECItem attrType; + SECItem **attrValue; +}; +typedef struct SECKEYAttributeStr SECKEYAttribute; + +/* +** A PKCS#8 private key info object +*/ +struct SECKEYPrivateKeyInfoStr { + PLArenaPool *arena; + SECItem version; + SECAlgorithmID algorithm; + SECItem privateKey; + SECKEYAttribute **attributes; +}; +typedef struct SECKEYPrivateKeyInfoStr SECKEYPrivateKeyInfo; + +/* +** A PKCS#8 private key info object +*/ +struct SECKEYEncryptedPrivateKeyInfoStr { + PLArenaPool *arena; + SECAlgorithmID algorithm; + SECItem encryptedData; +}; +typedef struct SECKEYEncryptedPrivateKeyInfoStr SECKEYEncryptedPrivateKeyInfo; + +/* + * token removal detection + */ +typedef enum { + PK11TokenNotRemovable = 0, + PK11TokenPresent = 1, + PK11TokenChanged = 2, + PK11TokenRemoved = 3 +} PK11TokenStatus; + +typedef enum { + PK11TokenRemovedOrChangedEvent = 0, + PK11TokenPresentEvent = 1 +} PK11TokenEvent; + +#endif /*_SECMODT_H_ */ |