summaryrefslogtreecommitdiff
path: root/security/nss/lib
diff options
context:
space:
mode:
authorjulien.pierre.boogz%sun.com <devnull@localhost>2008-02-05 05:33:37 +0000
committerjulien.pierre.boogz%sun.com <devnull@localhost>2008-02-05 05:33:37 +0000
commitf6541bf4ab6e689a13326b9565f6374b7dd0fdfb (patch)
tree8d2d0cfcf33d92a9c749659e5d116d596fce29b6 /security/nss/lib
parent45250ec7c7e5cd56d96db330a33726151aa248b6 (diff)
downloadnss-hg-f6541bf4ab6e689a13326b9565f6374b7dd0fdfb.tar.gz
Fix for bug 331096 . NSS softoken must detect forks on all unix-ish platforms. r=nelson
Diffstat (limited to 'security/nss/lib')
-rw-r--r--security/nss/lib/softoken/config.mk4
-rw-r--r--security/nss/lib/softoken/fipstokn.c149
-rw-r--r--security/nss/lib/softoken/pkcs11.c94
-rw-r--r--security/nss/lib/softoken/pkcs11c.c80
-rw-r--r--security/nss/lib/softoken/softoken.h18
5 files changed, 334 insertions, 11 deletions
diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk
index 5252fb070..13455f300 100644
--- a/security/nss/lib/softoken/config.mk
+++ b/security/nss/lib/softoken/config.mk
@@ -94,6 +94,10 @@ EXTRA_SHARED_LIBS += \
$(NULL)
endif
+ifeq ($(OS_TARGET),AIX)
+OS_LIBS += -lpthread
+endif
+
ifeq ($(OS_TARGET),SunOS)
# The -R '$ORIGIN' linker option instructs this library to search for its
# dependencies in the same directory where it resides.
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
index 3dd386b03..ca6aa34f2 100644
--- a/security/nss/lib/softoken/fipstokn.c
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -431,6 +431,9 @@ sftk_LogAuditMessage(NSSAuditSeverity severity, const char *msg)
**********************************************************************/
/* return the function list */
CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList) {
+
+ CHECK_FORK();
+
*pFunctionList = &sftk_fipsTable;
return CKR_OK;
}
@@ -443,6 +446,8 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserved) {
const char *envp;
CK_RV crv;
+ CHECK_FORK();
+
if (nsf_init) {
return CKR_CRYPTOKI_ALREADY_INITIALIZED;
}
@@ -483,6 +488,9 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserved) {
/*FC_Finalize indicates that an application is done with the PKCS #11 library.*/
CK_RV FC_Finalize (CK_VOID_PTR pReserved) {
CK_RV crv;
+
+ CHECK_FORK();
+
if (!nsf_init) {
return CKR_OK;
}
@@ -494,18 +502,24 @@ CK_RV FC_Finalize (CK_VOID_PTR pReserved) {
/* FC_GetInfo returns general information about PKCS #11. */
CK_RV FC_GetInfo(CK_INFO_PTR pInfo) {
+ CHECK_FORK();
+
return NSC_GetInfo(pInfo);
}
/* FC_GetSlotList obtains a list of slots in the system. */
CK_RV FC_GetSlotList(CK_BBOOL tokenPresent,
CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) {
+ CHECK_FORK();
+
return nsc_CommonGetSlotList(tokenPresent,pSlotList,pulCount,
NSC_FIPS_MODULE);
}
/* FC_GetSlotInfo obtains information about a particular slot in the system. */
CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
+ CHECK_FORK();
+
return NSC_GetSlotInfo(slotID,pInfo);
}
@@ -514,6 +528,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo) {
CK_RV crv;
+ CHECK_FORK();
+
crv = NSC_GetTokenInfo(slotID,pInfo);
if (crv == CKR_OK)
pInfo->flags |= CKF_LOGIN_REQUIRED;
@@ -526,6 +542,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
/*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/
CK_RV FC_GetMechanismList(CK_SLOT_ID slotID,
CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pusCount) {
+ CHECK_FORK();
+
SFTK_FIPSFATALCHECK();
if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
/* FIPS Slot supports all functions */
@@ -537,6 +555,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
* possibly supported by a token. */
CK_RV FC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
CK_MECHANISM_INFO_PTR pInfo) {
+ CHECK_FORK();
+
SFTK_FIPSFATALCHECK();
if (slotID == FIPS_SLOT_ID) slotID = NETSCAPE_SLOT_ID;
/* FIPS Slot supports all functions */
@@ -549,6 +569,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_ULONG usPinLen,CK_CHAR_PTR pLabel) {
CK_RV crv;
+ CHECK_FORK();
+
crv = NSC_InitToken(slotID,pPin,usPinLen,pLabel);
if (sftk_audit_enabled) {
char msg[128];
@@ -568,6 +590,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_InitPIN(CK_SESSION_HANDLE hSession,
CK_CHAR_PTR pPin, CK_ULONG ulPinLen) {
CK_RV rv;
+
+ CHECK_FORK();
+
if (sftk_fatalError) return CKR_DEVICE_ERROR;
if ((rv = sftk_newPinCheck(pPin,ulPinLen)) == CKR_OK) {
rv = NSC_InitPIN(hSession,pPin,ulPinLen);
@@ -590,6 +615,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen) {
CK_RV rv;
+
+ CHECK_FORK();
+
if ((rv = sftk_fipsCheck()) == CKR_OK &&
(rv = sftk_newPinCheck(pNewPin,usNewLen)) == CKR_OK) {
rv = NSC_SetPIN(hSession,pOldPin,usOldLen,pNewPin,usNewLen);
@@ -610,18 +638,26 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
CK_VOID_PTR pApplication,CK_NOTIFY Notify,CK_SESSION_HANDLE_PTR phSession) {
SFTK_FIPSFATALCHECK();
+
+ CHECK_FORK();
+
return NSC_OpenSession(slotID,flags,pApplication,Notify,phSession);
}
/* FC_CloseSession closes a session between an application and a token. */
CK_RV FC_CloseSession(CK_SESSION_HANDLE hSession) {
+ CHECK_FORK();
+
return NSC_CloseSession(hSession);
}
/* FC_CloseAllSessions closes all sessions with a token. */
CK_RV FC_CloseAllSessions (CK_SLOT_ID slotID) {
+
+ CHECK_FORK();
+
return NSC_CloseAllSessions (slotID);
}
@@ -632,6 +668,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV rv;
SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
rv = NSC_GetSessionInfo(hSession,pInfo);
if (rv == CKR_OK) {
if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) {
@@ -669,6 +707,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
/* FC_Logout logs a user out from a token. */
CK_RV FC_Logout(CK_SESSION_HANDLE hSession) {
CK_RV rv;
+
+ CHECK_FORK();
+
if ((rv = sftk_fipsCheck()) == CKR_OK) {
rv = NSC_Logout(hSession);
isLoggedIn = PR_FALSE;
@@ -691,7 +732,10 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
CK_OBJECT_HANDLE_PTR phObject) {
CK_OBJECT_CLASS * classptr;
+
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate,ulCount,CKA_CLASS);
if (classptr == NULL) return CKR_TEMPLATE_INCOMPLETE;
@@ -717,6 +761,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_OBJECT_HANDLE_PTR phNewObject) {
CK_RV rv;
CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
SFTK_FIPSFATALCHECK();
rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
if (rv == CKR_OK) {
@@ -735,6 +782,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_OBJECT_HANDLE hObject) {
CK_RV rv;
CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
SFTK_FIPSFATALCHECK();
rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
if (rv == CKR_OK) {
@@ -752,6 +802,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) {
CK_RV rv;
CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
SFTK_FIPSFATALCHECK();
rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
if (rv == CKR_OK) {
@@ -769,6 +822,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
CK_RV rv;
CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
SFTK_FIPSFATALCHECK();
rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
if (rv == CKR_OK) {
@@ -786,6 +842,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
CK_RV rv;
CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
SFTK_FIPSFATALCHECK();
rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
if (rv == CKR_OK) {
@@ -808,6 +867,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV rv;
PRBool needLogin = PR_FALSE;
+
+ CHECK_FORK();
+
SFTK_FIPSFATALCHECK();
for (i=0; i < usCount; i++) {
@@ -839,6 +901,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_FindObjects(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE_PTR phObject,CK_ULONG usMaxObjectCount,
CK_ULONG_PTR pusObjectCount) {
+ CHECK_FORK();
+
/* let publically readable object be found */
SFTK_FIPSFATALCHECK();
return NSC_FindObjects(hSession,phObject,usMaxObjectCount,
@@ -854,6 +918,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_EncryptInit(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
rv = NSC_EncryptInit(hSession,pMechanism,hKey);
if (sftk_audit_enabled) {
sftk_AuditCryptInit("Encrypt",hSession,pMechanism,hKey,rv);
@@ -866,6 +932,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
CK_ULONG_PTR pusEncryptedDataLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_Encrypt(hSession,pData,usDataLen,pEncryptedData,
pusEncryptedDataLen);
}
@@ -876,6 +944,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BYTE_PTR pPart, CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,
CK_ULONG_PTR pusEncryptedPartLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_EncryptUpdate(hSession,pPart,usPartLen,pEncryptedPart,
pusEncryptedPartLen);
}
@@ -884,8 +954,9 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
/* FC_EncryptFinal finishes a multiple-part encryption operation. */
CK_RV FC_EncryptFinal(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pusLastEncryptedPartLen) {
-
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_EncryptFinal(hSession,pLastEncryptedPart,
pusLastEncryptedPartLen);
}
@@ -899,6 +970,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_DecryptInit( CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
rv = NSC_DecryptInit(hSession,pMechanism,hKey);
if (sftk_audit_enabled) {
sftk_AuditCryptInit("Decrypt",hSession,pMechanism,hKey,rv);
@@ -911,6 +984,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BYTE_PTR pEncryptedData,CK_ULONG usEncryptedDataLen,CK_BYTE_PTR pData,
CK_ULONG_PTR pusDataLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_Decrypt(hSession,pEncryptedData,usEncryptedDataLen,pData,
pusDataLen);
}
@@ -921,6 +996,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BYTE_PTR pEncryptedPart, CK_ULONG usEncryptedPartLen,
CK_BYTE_PTR pPart, CK_ULONG_PTR pusPartLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_DecryptUpdate(hSession,pEncryptedPart,usEncryptedPartLen,
pPart,pusPartLen);
}
@@ -930,6 +1007,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_DecryptFinal(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pLastPart, CK_ULONG_PTR pusLastPartLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_DecryptFinal(hSession,pLastPart,pusLastPartLen);
}
@@ -942,6 +1021,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_DigestInit(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism) {
SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
return NSC_DigestInit(hSession, pMechanism);
}
@@ -951,6 +1032,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
CK_ULONG_PTR pusDigestLen) {
SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
return NSC_Digest(hSession,pData,usDataLen,pDigest,pusDigestLen);
}
@@ -959,6 +1042,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
CK_ULONG usPartLen) {
SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
return NSC_DigestUpdate(hSession,pPart,usPartLen);
}
@@ -967,6 +1052,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
CK_ULONG_PTR pusDigestLen) {
SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
return NSC_DigestFinal(hSession,pDigest,pusDigestLen);
}
@@ -981,6 +1068,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_SignInit(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
rv = NSC_SignInit(hSession,pMechanism,hKey);
if (sftk_audit_enabled) {
sftk_AuditCryptInit("Sign",hSession,pMechanism,hKey,rv);
@@ -996,6 +1085,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BYTE_PTR pData,CK_ULONG usDataLen,CK_BYTE_PTR pSignature,
CK_ULONG_PTR pusSignatureLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_Sign(hSession,pData,usDataLen,pSignature,pusSignatureLen);
}
@@ -1006,6 +1097,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
CK_ULONG usPartLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_SignUpdate(hSession,pPart,usPartLen);
}
@@ -1015,6 +1108,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
CK_ULONG_PTR pusSignatureLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_SignFinal(hSession,pSignature,pusSignatureLen);
}
@@ -1027,6 +1122,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_SignRecoverInit(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
rv = NSC_SignRecoverInit(hSession,pMechanism,hKey);
if (sftk_audit_enabled) {
sftk_AuditCryptInit("SignRecover",hSession,pMechanism,hKey,rv);
@@ -1041,6 +1138,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_SignRecover(hSession,pData,usDataLen,pSignature,pusSignatureLen);
}
@@ -1054,6 +1153,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_VerifyInit(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
rv = NSC_VerifyInit(hSession,pMechanism,hKey);
if (sftk_audit_enabled) {
sftk_AuditCryptInit("Verify",hSession,pMechanism,hKey,rv);
@@ -1069,6 +1170,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen) {
/* make sure we're legal */
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_Verify(hSession,pData,usDataLen,pSignature,usSignatureLen);
}
@@ -1079,6 +1182,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
CK_ULONG usPartLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_VerifyUpdate(hSession,pPart,usPartLen);
}
@@ -1088,6 +1193,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_VerifyFinal(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_VerifyFinal(hSession,pSignature,usSignatureLen);
}
@@ -1101,6 +1208,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
rv = NSC_VerifyRecoverInit(hSession,pMechanism,hKey);
if (sftk_audit_enabled) {
sftk_AuditCryptInit("VerifyRecover",hSession,pMechanism,hKey,rv);
@@ -1116,6 +1225,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BYTE_PTR pSignature,CK_ULONG usSignatureLen,
CK_BYTE_PTR pData,CK_ULONG_PTR pusDataLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_VerifyRecover(hSession,pSignature,usSignatureLen,pData,
pusDataLen);
}
@@ -1131,6 +1242,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BBOOL *boolptr;
SFTK_FIPSCHECK();
+ CHECK_FORK();
/* all secret keys must be sensitive, if the upper level code tries to say
* otherwise, reject it. */
@@ -1160,6 +1272,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV crv;
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
/* all private keys must be sensitive, if the upper level code tries to say
* otherwise, reject it. */
@@ -1192,6 +1306,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
CK_ULONG_PTR pulWrappedKeyLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
rv = NSC_WrapKey(hSession,pMechanism,hWrappingKey,hKey,pWrappedKey,
pulWrappedKeyLen);
if (sftk_audit_enabled) {
@@ -1211,6 +1327,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BBOOL *boolptr;
SFTK_FIPSCHECK();
+ CHECK_FORK();
/* all secret keys must be sensitive, if the upper level code tries to say
* otherwise, reject it. */
@@ -1239,6 +1356,7 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BBOOL *boolptr;
SFTK_FIPSCHECK();
+ CHECK_FORK();
/* all secret keys must be sensitive, if the upper level code tries to say
* otherwise, reject it. */
@@ -1269,6 +1387,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV crv;
SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
crv = NSC_SeedRandom(hSession,pSeed,usSeedLen);
if (crv != CKR_OK) {
sftk_fatalError = PR_TRUE;
@@ -1282,6 +1402,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen) {
CK_RV crv;
+ CHECK_FORK();
+
SFTK_FIPSFATALCHECK();
crv = NSC_GenerateRandom(hSession,pRandomData,ulRandomLen);
if (crv != CKR_OK) {
@@ -1305,6 +1427,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
* in parallel with an application. */
CK_RV FC_GetFunctionStatus(CK_SESSION_HANDLE hSession) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_GetFunctionStatus(hSession);
}
@@ -1312,6 +1436,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
/* FC_CancelFunction cancels a function running in parallel */
CK_RV FC_CancelFunction(CK_SESSION_HANDLE hSession) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_CancelFunction(hSession);
}
@@ -1324,6 +1450,8 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) {
CK_RV FC_GetOperationState(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen) {
SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
return NSC_GetOperationState(hSession,pOperationState,pulOperationStateLen);
}
@@ -1334,6 +1462,8 @@ CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen,
CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey) {
SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
return NSC_SetOperationState(hSession,pOperationState,ulOperationStateLen,
hEncryptionKey,hAuthenticationKey);
}
@@ -1342,6 +1472,8 @@ CK_RV FC_SetOperationState(CK_SESSION_HANDLE hSession,
CK_RV FC_FindObjectsFinal(CK_SESSION_HANDLE hSession) {
/* let publically readable object be found */
SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
return NSC_FindObjectsFinal(hSession);
}
@@ -1354,6 +1486,8 @@ CK_RV FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
CK_ULONG_PTR pulEncryptedPartLen) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_DigestEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
pulEncryptedPartLen);
}
@@ -1364,8 +1498,9 @@ CK_RV FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
CK_RV FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen) {
-
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_DecryptDigestUpdate(hSession, pEncryptedPart,ulEncryptedPartLen,
pPart,pulPartLen);
}
@@ -1375,8 +1510,9 @@ CK_RV FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
CK_RV FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
CK_ULONG_PTR pulEncryptedPartLen) {
-
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_SignEncryptUpdate(hSession,pPart,ulPartLen,pEncryptedPart,
pulEncryptedPartLen);
}
@@ -1386,8 +1522,9 @@ CK_RV FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
CK_RV FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen) {
-
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
return NSC_DecryptVerifyUpdate(hSession,pEncryptedData,ulEncryptedDataLen,
pData,pulDataLen);
}
@@ -1398,6 +1535,8 @@ CK_RV FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
*/
CK_RV FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) {
SFTK_FIPSCHECK();
+ CHECK_FORK();
+
rv = NSC_DigestKey(hSession,hKey);
if (sftk_audit_enabled) {
sftk_AuditDigestKey(hSession,hKey,rv);
@@ -1409,5 +1548,7 @@ CK_RV FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) {
CK_RV FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
CK_VOID_PTR pReserved)
{
+ CHECK_FORK();
+
return NSC_WaitForSlotEvent(flags, pSlot, pReserved);
}
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
index 3c48a4506..c8d469792 100644
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -460,6 +460,23 @@ static const struct mechanismList mechanisms[] = {
};
static const CK_ULONG mechanismCount = sizeof(mechanisms)/sizeof(mechanisms[0]);
+static PRBool nsc_init = PR_FALSE;
+
+#if defined(XP_UNIX) && !defined(NO_PTHREADS)
+
+#include <pthread.h>
+
+PRBool forked = PR_FALSE;
+
+void ForkedChild(void)
+{
+ if (nsc_init || nsf_init) {
+ forked = PR_TRUE;
+ }
+}
+
+#endif
+
static char *
sftk_setStringName(const char *inString, char *buffer, int buffer_length)
{
@@ -1821,6 +1838,8 @@ sftk_IsWeakKey(unsigned char *key,CK_KEY_TYPE key_type)
/* return the function list */
CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
{
+ CHECK_FORK();
+
*pFunctionList = (CK_FUNCTION_LIST_PTR) &sftk_funcList;
return CKR_OK;
}
@@ -1828,6 +1847,8 @@ CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
/* return the function list */
CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
{
+ CHECK_FORK();
+
return NSC_GetFunctionList(pFunctionList);
}
@@ -2333,6 +2354,10 @@ NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args)
static char *success="Success";
char **rvstr = NULL;
+#if defined(XP_UNIX) && !defined(NO_PTHREADS)
+ if (forked) return NULL;
+#endif
+
secmod = sftk_getSecmodName(parameters, &dbType, &appName,&filename, &rw);
switch (function) {
@@ -2412,7 +2437,6 @@ sftk_closePeer(PRBool isFIPS)
return;
}
-static PRBool nsc_init = PR_FALSE;
extern SECStatus secoid_Init(void);
/* NSC_Initialize initializes the Cryptoki library. */
@@ -2424,7 +2448,6 @@ CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
int i;
int moduleIndex = isFIPS? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;
-
if (isFIPS) {
loginWaitTime = PR_SecondsToInterval(1);
}
@@ -2511,12 +2534,20 @@ loser:
sftk_InitFreeLists();
}
+#if defined(XP_UNIX) && !defined(NO_PTHREADS)
+ if (CKR_OK == crv) {
+ pthread_atfork(NULL, NULL, ForkedChild);
+ }
+#endif
return crv;
}
CK_RV NSC_Initialize(CK_VOID_PTR pReserved)
{
CK_RV crv;
+
+ CHECK_FORK();
+
if (nsc_init) {
return CKR_CRYPTOKI_ALREADY_INITIALIZED;
}
@@ -2531,8 +2562,6 @@ extern SECStatus SECOID_Shutdown(void);
* Cryptoki library.*/
CK_RV nsc_CommonFinalize (CK_VOID_PTR pReserved, PRBool isFIPS)
{
-
-
nscFreeAllSlots(isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE);
/* don't muck with the globals is our peer is still initialized */
@@ -2566,6 +2595,8 @@ CK_RV NSC_Finalize (CK_VOID_PTR pReserved)
{
CK_RV crv;
+ CHECK_FORK();
+
if (!nsc_init) {
return CKR_OK;
}
@@ -2585,6 +2616,8 @@ CK_RV NSC_GetInfo(CK_INFO_PTR pInfo)
{
volatile char c; /* force a reference that won't get optimized away */
+ CHECK_FORK();
+
c = __nss_softokn_rcsid[0] + __nss_softokn_sccsid[0];
pInfo->cryptokiVersion.major = 2;
pInfo->cryptokiVersion.minor = 20;
@@ -2613,6 +2646,7 @@ CK_RV nsc_CommonGetSlotList(CK_BBOOL tokenPresent,
CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent,
CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
{
+ CHECK_FORK();
return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount,
NSC_NON_FIPS_MODULE);
}
@@ -2621,6 +2655,9 @@ CK_RV NSC_GetSlotList(CK_BBOOL tokenPresent,
CK_RV NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
{
SFTKSlot *slot = sftk_SlotFromID(slotID, PR_TRUE);
+
+ CHECK_FORK();
+
if (slot == NULL) return CKR_SLOT_ID_INVALID;
pInfo->firmwareVersion.major = 0;
@@ -2661,6 +2698,8 @@ CK_RV NSC_GetTokenInfo(CK_SLOT_ID slotID,CK_TOKEN_INFO_PTR pInfo)
SFTKSlot *slot;
SFTKDBHandle *handle;
+ CHECK_FORK();
+
if (!nsc_init && !nsf_init) return CKR_CRYPTOKI_NOT_INITIALIZED;
slot = sftk_SlotFromID(slotID, PR_FALSE);
if (slot == NULL) return CKR_SLOT_ID_INVALID;
@@ -2742,6 +2781,8 @@ CK_RV NSC_GetMechanismList(CK_SLOT_ID slotID,
{
CK_ULONG i;
+ CHECK_FORK();
+
switch (slotID) {
/* default: */
case NETSCAPE_SLOT_ID:
@@ -2776,6 +2817,8 @@ CK_RV NSC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
PRBool isPrivateKey;
CK_ULONG i;
+ CHECK_FORK();
+
switch (slotID) {
case NETSCAPE_SLOT_ID:
isPrivateKey = PR_FALSE;
@@ -2833,6 +2876,8 @@ CK_RV NSC_InitToken(CK_SLOT_ID slotID,CK_CHAR_PTR pPin,
unsigned int i;
SFTKObject *object;
+ CHECK_FORK();
+
if (slot == NULL) return CKR_SLOT_ID_INVALID;
/* don't initialize the database if we aren't talking to a token
@@ -2897,6 +2942,7 @@ CK_RV NSC_InitPIN(CK_SESSION_HANDLE hSession,
SECStatus rv;
CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+ CHECK_FORK();
sp = sftk_SessionFromHandle(hSession);
if (sp == NULL) {
@@ -2979,6 +3025,7 @@ CK_RV NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
SECStatus rv;
CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+ CHECK_FORK();
sp = sftk_SessionFromHandle(hSession);
if (sp == NULL) {
@@ -3056,6 +3103,8 @@ CK_RV NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
SFTKSession *session;
SFTKSession *sameID;
+ CHECK_FORK();
+
slot = sftk_SlotFromID(slotID, PR_FALSE);
if (slot == NULL) return CKR_SLOT_ID_INVALID;
@@ -3107,6 +3156,8 @@ CK_RV NSC_CloseSession(CK_SESSION_HANDLE hSession)
PRBool sessionFound;
PZLock *lock;
+ CHECK_FORK();
+
session = sftk_SessionFromHandle(hSession);
if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
slot = sftk_SlotFromSession(session);
@@ -3152,6 +3203,8 @@ CK_RV NSC_CloseAllSessions (CK_SLOT_ID slotID)
{
SFTKSlot *slot;
+ CHECK_FORK();
+
slot = sftk_SlotFromID(slotID, PR_FALSE);
if (slot == NULL) return CKR_SLOT_ID_INVALID;
@@ -3166,6 +3219,8 @@ CK_RV NSC_GetSessionInfo(CK_SESSION_HANDLE hSession,
{
SFTKSession *session;
+ CHECK_FORK();
+
session = sftk_SessionFromHandle(hSession);
if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
@@ -3186,6 +3241,7 @@ CK_RV NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
CK_RV crv;
char pinStr[SFTK_MAX_PIN+1];
+ CHECK_FORK();
/* get the slot */
slot = sftk_SlotFromSessionHandle(hSession);
@@ -3292,6 +3348,8 @@ CK_RV NSC_Logout(CK_SESSION_HANDLE hSession)
SFTKSession *session;
SFTKDBHandle *handle;
+ CHECK_FORK();
+
if (slot == NULL) {
return CKR_SESSION_HANDLE_INVALID;
}
@@ -3425,6 +3483,8 @@ CK_RV NSC_CreateObject(CK_SESSION_HANDLE hSession,
CK_RV crv;
int i;
+ CHECK_FORK();
+
*phObject = CK_INVALID_HANDLE;
if (slot == NULL) {
@@ -3492,6 +3552,8 @@ CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession,
SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
int i;
+ CHECK_FORK();
+
if (slot == NULL) {
return CKR_SESSION_HANDLE_INVALID;
}
@@ -3570,7 +3632,10 @@ CK_RV NSC_CopyObject(CK_SESSION_HANDLE hSession,
/* NSC_GetObjectSize gets the size of an object in bytes. */
CK_RV NSC_GetObjectSize(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) {
+ CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize)
+{
+ CHECK_FORK();
+
*pulSize = 0;
return CKR_OK;
}
@@ -3578,7 +3643,8 @@ CK_RV NSC_GetObjectSize(CK_SESSION_HANDLE hSession,
/* NSC_GetAttributeValue obtains the value of one or more object attributes. */
CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
+ CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount)
+{
SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
SFTKSession *session;
SFTKObject *object;
@@ -3587,6 +3653,8 @@ CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
CK_RV crv;
int i;
+ CHECK_FORK();
+
if (slot == NULL) {
return CKR_SESSION_HANDLE_INVALID;
}
@@ -3677,7 +3745,8 @@ CK_RV NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
/* NSC_SetAttributeValue modifies the value of one or more object attributes */
CK_RV NSC_SetAttributeValue (CK_SESSION_HANDLE hSession,
- CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount) {
+ CK_OBJECT_HANDLE hObject,CK_ATTRIBUTE_PTR pTemplate,CK_ULONG ulCount)
+{
SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
SFTKSession *session;
SFTKAttribute *attribute;
@@ -3687,6 +3756,8 @@ CK_RV NSC_SetAttributeValue (CK_SESSION_HANDLE hSession,
CK_BBOOL legal;
int i;
+ CHECK_FORK();
+
if (slot == NULL) {
return CKR_SESSION_HANDLE_INVALID;
}
@@ -3933,6 +4004,8 @@ CK_RV NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
PRBool tokenOnly = PR_FALSE;
CK_RV crv = CKR_OK;
PRBool isLoggedIn;
+
+ CHECK_FORK();
if (slot == NULL) {
return CKR_SESSION_HANDLE_INVALID;
@@ -4005,6 +4078,8 @@ CK_RV NSC_FindObjects(CK_SESSION_HANDLE hSession,
int transfer;
int left;
+ CHECK_FORK();
+
*pulObjectCount = 0;
session = sftk_SessionFromHandle(hSession);
if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
@@ -4038,6 +4113,8 @@ CK_RV NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession)
SFTKSession *session;
SFTKSearchResults *search;
+ CHECK_FORK();
+
session = sftk_SessionFromHandle(hSession);
if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
search = session->search;
@@ -4054,5 +4131,8 @@ CK_RV NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession)
CK_RV NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
CK_VOID_PTR pReserved)
{
+ CHECK_FORK();
+
return CKR_FUNCTION_NOT_SUPPORTED;
}
+
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
index 3a1fde282..18b3d92f7 100644
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -183,6 +183,8 @@ NSC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
SFTKObject *object;
SFTKFreeStatus status;
+ CHECK_FORK();
+
if (slot == NULL) {
return CKR_SESSION_HANDLE_INVALID;
}
@@ -739,6 +741,7 @@ finish_des:
CK_RV NSC_EncryptInit(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
{
+ CHECK_FORK();
return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT,
SFTK_ENCRYPT, PR_TRUE);
}
@@ -755,6 +758,8 @@ CK_RV NSC_EncryptUpdate(CK_SESSION_HANDLE hSession,
CK_RV crv;
SECStatus rv;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_TRUE,NULL);
if (crv != CKR_OK) return crv;
@@ -832,6 +837,8 @@ CK_RV NSC_EncryptFinal(CK_SESSION_HANDLE hSession,
SECStatus rv = SECSuccess;
PRBool contextFinished = PR_TRUE;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_TRUE,&session);
if (crv != CKR_OK) return crv;
@@ -886,6 +893,8 @@ CK_RV NSC_Encrypt (CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
pText.data = pData;
pText.len = ulDataLen;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_ENCRYPT,PR_FALSE,&session);
if (crv != CKR_OK) return crv;
@@ -958,6 +967,8 @@ finish:
CK_RV NSC_DecryptInit( CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
{
+ CHECK_FORK();
+
return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT,
SFTK_DECRYPT, PR_FALSE);
}
@@ -974,6 +985,8 @@ CK_RV NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
CK_RV crv;
SECStatus rv;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_TRUE,NULL);
if (crv != CKR_OK) return crv;
@@ -1042,6 +1055,8 @@ CK_RV NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
CK_RV crv;
SECStatus rv = SECSuccess;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_TRUE,&session);
if (crv != CKR_OK) return crv;
@@ -1095,6 +1110,8 @@ CK_RV NSC_Decrypt(CK_SESSION_HANDLE hSession,
CK_RV crv2;
SECStatus rv = SECSuccess;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_DECRYPT,PR_FALSE,&session);
if (crv != CKR_OK) return crv;
@@ -1155,6 +1172,8 @@ CK_RV NSC_DigestInit(CK_SESSION_HANDLE hSession,
SFTKSessionContext *context;
CK_RV crv = CKR_OK;
+ CHECK_FORK();
+
session = sftk_SessionFromHandle(hSession);
if (session == NULL)
return CKR_SESSION_HANDLE_INVALID;
@@ -1217,6 +1236,8 @@ CK_RV NSC_Digest(CK_SESSION_HANDLE hSession,
unsigned int maxout = *pulDigestLen;
CK_RV crv;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_HASH,PR_FALSE,&session);
if (crv != CKR_OK) return crv;
@@ -1247,6 +1268,8 @@ CK_RV NSC_DigestUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
SFTKSessionContext *context;
CK_RV crv;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_HASH,PR_TRUE,NULL);
if (crv != CKR_OK) return crv;
@@ -1266,6 +1289,8 @@ CK_RV NSC_DigestFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pDigest,
unsigned int digestLen;
CK_RV crv;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session);
if (crv != CKR_OK) return crv;
@@ -1814,6 +1839,8 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSession,
NSSLOWKEYPrivateKey *privKey;
SFTKHashSignInfo *info = NULL;
+ CHECK_FORK();
+
/* Block Cipher MACing Algorithms use a different Context init method..*/
crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_SIGN, SFTK_SIGN);
if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
@@ -2051,6 +2078,8 @@ sftk_MACUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
CK_RV NSC_SignUpdate(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pPart,
CK_ULONG ulPartLen)
{
+ CHECK_FORK();
+
return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_SIGN);
}
@@ -2069,6 +2098,8 @@ CK_RV NSC_SignFinal(CK_SESSION_HANDLE hSession,CK_BYTE_PTR pSignature,
CK_RV crv;
SECStatus rv = SECSuccess;
+ CHECK_FORK();
+
/* make sure we're legal */
*pulSignatureLen = 0;
crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_TRUE,&session);
@@ -2122,6 +2153,8 @@ CK_RV NSC_Sign(CK_SESSION_HANDLE hSession,
CK_RV crv,crv2;
SECStatus rv = SECSuccess;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_SIGN,PR_FALSE,&session);
if (crv != CKR_OK) return crv;
@@ -2163,6 +2196,8 @@ finish:
CK_RV NSC_SignRecoverInit(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,CK_OBJECT_HANDLE hKey)
{
+ CHECK_FORK();
+
switch (pMechanism->mechanism) {
case CKM_RSA_PKCS:
case CKM_RSA_X_509:
@@ -2180,6 +2215,8 @@ CK_RV NSC_SignRecoverInit(CK_SESSION_HANDLE hSession,
CK_RV NSC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
{
+ CHECK_FORK();
+
return NSC_Sign(hSession,pData,ulDataLen,pSignature,pulSignatureLen);
}
@@ -2262,6 +2299,8 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE hSession,
NSSLOWKEYPublicKey *pubKey;
SFTKHashVerifyInfo *info = NULL;
+ CHECK_FORK();
+
/* Block Cipher MACing Algorithms use a different Context init method..*/
crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_VERIFY, SFTK_VERIFY);
if (crv != CKR_FUNCTION_NOT_SUPPORTED) return crv;
@@ -2412,6 +2451,8 @@ CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
CK_RV crv, crv2;
SECStatus rv;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_FALSE,&session);
if (crv != CKR_OK) return crv;
@@ -2442,6 +2483,8 @@ CK_RV NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
CK_RV NSC_VerifyUpdate( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
CK_ULONG ulPartLen)
{
+ CHECK_FORK();
+
return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_VERIFY);
}
@@ -2459,6 +2502,8 @@ CK_RV NSC_VerifyFinal(CK_SESSION_HANDLE hSession,
CK_RV crv;
SECStatus rv = SECSuccess;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_VERIFY,PR_TRUE,&session);
if (crv != CKR_OK) return crv;
@@ -2507,6 +2552,8 @@ CK_RV NSC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
CK_RV crv = CKR_OK;
NSSLOWKEYPublicKey *pubKey;
+ CHECK_FORK();
+
session = sftk_SessionFromHandle(hSession);
if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
crv = sftk_InitGeneric(session,&context,SFTK_VERIFY_RECOVER,
@@ -2565,6 +2612,8 @@ CK_RV NSC_VerifyRecover(CK_SESSION_HANDLE hSession,
CK_RV crv;
SECStatus rv;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession,&context,SFTK_VERIFY_RECOVER,
PR_FALSE,&session);
@@ -2599,6 +2648,8 @@ CK_RV NSC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
{
SECStatus rv;
+ CHECK_FORK();
+
rv = RNG_RandomUpdate(pSeed, ulSeedLen);
return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
}
@@ -2609,6 +2660,8 @@ CK_RV NSC_GenerateRandom(CK_SESSION_HANDLE hSession,
{
SECStatus rv;
+ CHECK_FORK();
+
rv = RNG_GenerateGlobalRandomBytes(pRandomData, ulRandomLen);
return (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
}
@@ -2975,6 +3028,8 @@ CK_RV NSC_GenerateKey(CK_SESSION_HANDLE hSession,
*/
PRBool faultyPBE3DES = PR_FALSE;
+ CHECK_FORK();
+
if (!slot) {
return CKR_SESSION_HANDLE_INVALID;
}
@@ -3478,6 +3533,8 @@ CK_RV NSC_GenerateKeyPair (CK_SESSION_HANDLE hSession,
ECParams * ecParams;
#endif /* NSS_ENABLE_ECC */
+ CHECK_FORK();
+
if (!slot) {
return CKR_SESSION_HANDLE_INVALID;
}
@@ -4133,6 +4190,8 @@ CK_RV NSC_WrapKey(CK_SESSION_HANDLE hSession,
SFTKObject *key;
CK_RV crv;
+ CHECK_FORK();
+
session = sftk_SessionFromHandle(hSession);
if (session == NULL) {
return CKR_SESSION_HANDLE_INVALID;
@@ -4503,6 +4562,8 @@ CK_RV NSC_UnwrapKey(CK_SESSION_HANDLE hSession,
SECItem bpki;
CK_OBJECT_CLASS target_type = CKO_SECRET_KEY;
+ CHECK_FORK();
+
if (!slot) {
return CKR_SESSION_HANDLE_INVALID;
}
@@ -4827,6 +4888,7 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession,
unsigned char key_block2[MD5_LENGTH];
PRBool isFIPS;
+ CHECK_FORK();
if (!slot) {
return CKR_SESSION_HANDLE_INVALID;
@@ -5803,12 +5865,16 @@ key_and_mac_derive_fail:
* in parallel with an application. */
CK_RV NSC_GetFunctionStatus(CK_SESSION_HANDLE hSession)
{
+ CHECK_FORK();
+
return CKR_FUNCTION_NOT_PARALLEL;
}
/* NSC_CancelFunction cancels a function running in parallel */
CK_RV NSC_CancelFunction(CK_SESSION_HANDLE hSession)
{
+ CHECK_FORK();
+
return CKR_FUNCTION_NOT_PARALLEL;
}
@@ -5825,6 +5891,8 @@ CK_RV NSC_GetOperationState(CK_SESSION_HANDLE hSession,
CK_RV crv;
CK_ULONG pOSLen = *pulOperationStateLen;
+ CHECK_FORK();
+
/* make sure we're legal */
crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session);
if (crv != CKR_OK) return crv;
@@ -5867,6 +5935,8 @@ CK_RV NSC_SetOperationState(CK_SESSION_HANDLE hSession,
CK_MECHANISM mech;
CK_RV crv = CKR_OK;
+ CHECK_FORK();
+
while (ulOperationStateLen != 0) {
/* get what type of state we're dealing with... */
PORT_Memcpy(&type,pOperationState, sizeof(SFTKContextType));
@@ -5922,6 +5992,8 @@ CK_RV NSC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
{
CK_RV crv;
+ CHECK_FORK();
+
crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,
pulEncryptedPartLen);
if (crv != CKR_OK) return crv;
@@ -5939,6 +6011,8 @@ CK_RV NSC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
{
CK_RV crv;
+ CHECK_FORK();
+
crv = NSC_DecryptUpdate(hSession,pEncryptedPart, ulEncryptedPartLen,
pPart, pulPartLen);
if (crv != CKR_OK) return crv;
@@ -5956,6 +6030,8 @@ CK_RV NSC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
{
CK_RV crv;
+ CHECK_FORK();
+
crv = NSC_EncryptUpdate(hSession,pPart,ulPartLen, pEncryptedPart,
pulEncryptedPartLen);
if (crv != CKR_OK) return crv;
@@ -5973,6 +6049,8 @@ CK_RV NSC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
{
CK_RV crv;
+ CHECK_FORK();
+
crv = NSC_DecryptUpdate(hSession,pEncryptedData, ulEncryptedDataLen,
pData, pulDataLen);
if (crv != CKR_OK) return crv;
@@ -5991,6 +6069,8 @@ CK_RV NSC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
SFTKAttribute *att;
CK_RV crv;
+ CHECK_FORK();
+
session = sftk_SessionFromHandle(hSession);
if (session == NULL) return CKR_SESSION_HANDLE_INVALID;
diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h
index c96c75f2f..35dabffaa 100644
--- a/security/nss/lib/softoken/softoken.h
+++ b/security/nss/lib/softoken/softoken.h
@@ -261,6 +261,24 @@ extern void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
*/
extern PRBool sftk_fatalError;
+/*
+** macros to check for forked child after C_Initialize
+*/
+#if defined(XP_UNIX) && !defined(NO_PTHREADS)
+
+extern PRBool forked;
+
+extern void ForkedChild(void);
+
+#define CHECK_FORK() \
+ do { if (forked) return CKR_DEVICE_ERROR; } while (0)
+
+#else
+
+#define CHECK_FORK()
+
+#endif
+
SEC_END_PROTOS
#endif /* _SOFTOKEN_H_ */
View Lorry Controller Status