File: | s/lib/pk11wrap/pk11slot.c |
Warning: | line 1430, column 17 Value stored to 'crv' is never read |
1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
4 | /* |
5 | * Deal with PKCS #11 Slots. |
6 | */ |
7 | |
8 | #include <stddef.h> |
9 | |
10 | #include "seccomon.h" |
11 | #include "secmod.h" |
12 | #include "nssilock.h" |
13 | #include "secmodi.h" |
14 | #include "secmodti.h" |
15 | #include "pkcs11t.h" |
16 | #include "pk11func.h" |
17 | #include "secitem.h" |
18 | #include "secerr.h" |
19 | |
20 | #include "dev.h" |
21 | #include "dev3hack.h" |
22 | #include "pkim.h" |
23 | #include "utilpars.h" |
24 | #include "pkcs11uri.h" |
25 | |
26 | /************************************************************* |
27 | * local static and global data |
28 | *************************************************************/ |
29 | |
30 | /* |
31 | * This array helps parsing between names, mechanisms, and flags. |
32 | * to make the config files understand more entries, add them |
33 | * to this table. |
34 | */ |
/*
 * Name <-> SECMOD flag <-> representative mechanism table.
 *
 * Each row is { display name, SECMOD_*_FLAG bit, CKM_* mechanism }.
 * Entry order is part of the data: callers receive the array itself through
 * PK11_GetDefaultArray() and may index it.
 *
 * NOTE(review): several rows name legacy algorithms (RC2, RC4, DES, MD2,
 * MD5, SKIPJACK). Per the comment on this table it only helps parsing of
 * names, mechanisms and flags; nothing in this listing shows it being used
 * as an algorithm allow-list - confirm before relying on it as policy.
 */
const PK11DefaultArrayEntry PK11_DefaultArray[] = {
    /* public-key algorithms */
    { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
    { "DSA", SECMOD_DSA_FLAG, CKM_DSA },
    { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA },
    { "EDDSA", SECMOD_ECC_FLAG, CKM_EDDSA }, /* shares the ECC flag bit */
    { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },

    /* symmetric ciphers */
    { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
    { "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
    { "DES", SECMOD_DES_FLAG, CKM_DES_CBC },
    { "AES", SECMOD_AES_FLAG, CKM_AES_CBC },
    { "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC },
    { "SEED", SECMOD_SEED_FLAG, CKM_SEED_CBC },
    { "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC },

    /* digests; the SHA224 and SHA384 rows are disabled and kept for reference */
    { "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 },
    /* { "SHA224", SECMOD_SHA256_FLAG, CKM_SHA224 }, */
    { "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 },
    /* { "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */
    { "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 },
    { "MD5", SECMOD_MD5_FLAG, CKM_MD5 },
    { "MD2", SECMOD_MD2_FLAG, CKM_MD2 },

    /* protocol key derivation and miscellaneous capabilities */
    { "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN },
    { "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE },
    { "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 },
    { "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM },
    { "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM },
};

/* Number of rows in PK11_DefaultArray, derived from the array itself. */
const int num_pk11_default_mechanisms =
    sizeof PK11_DefaultArray / sizeof PK11_DefaultArray[0];
63 | |
/*
 * Return the built-in name/flag/mechanism table.
 *
 * size: optional out-parameter; when non-NULL it receives the number of
 *       entries (num_pk11_default_mechanisms).
 *
 * Returns PK11_DefaultArray itself, not a copy.
 */
const PK11DefaultArrayEntry *
PK11_GetDefaultArray(int *size)
{
    if (size != NULL) {
        *size = num_pk11_default_mechanisms;
    }

    return PK11_DefaultArray;
}
72 | |
73 | /* |
74 | * These slotlists are lists of modules which provide default support for |
75 | * a given algorithm or mechanism. |
76 | */ |
/*
 * One file-scope list per algorithm family. As objects with static storage
 * duration they start out zeroed; PK11_InitSlotLists() gives each one its
 * lock and PK11_DestroySlotLists() tears them down again.
 */
static PK11SlotList pk11_seedSlotList;
static PK11SlotList pk11_camelliaSlotList;
static PK11SlotList pk11_aesSlotList;
static PK11SlotList pk11_desSlotList;
static PK11SlotList pk11_rc4SlotList;
static PK11SlotList pk11_rc2SlotList;
static PK11SlotList pk11_rc5SlotList;
static PK11SlotList pk11_sha1SlotList;
static PK11SlotList pk11_md5SlotList;
static PK11SlotList pk11_md2SlotList;
static PK11SlotList pk11_rsaSlotList;
static PK11SlotList pk11_dsaSlotList;
static PK11SlotList pk11_dhSlotList;
static PK11SlotList pk11_ecSlotList;
static PK11SlotList pk11_ideaSlotList;
static PK11SlotList pk11_sslSlotList;
static PK11SlotList pk11_tlsSlotList;
static PK11SlotList pk11_randomSlotList;
static PK11SlotList pk11_sha256SlotList;
static PK11SlotList pk11_sha512SlotList; /* slots do SHA512 and SHA384 */
98 | |
99 | /************************************************************ |
100 | * Generic Slot List and Slot List element manipulations |
101 | ************************************************************/ |
102 | |
103 | /* |
104 | * allocate a new list |
105 | */ |
/*
 * Allocate an empty slot list together with the lock that guards it.
 *
 * Returns the new list, or NULL when either the list or its lock cannot be
 * allocated. Release the result with PK11_FreeSlotList().
 */
PK11SlotList *
PK11_NewSlotList(void)
{
    PK11SlotList *newList = (PK11SlotList *)PORT_Alloc(sizeof(*newList));

    if (!newList) {
        return NULL;
    }

    newList->head = NULL;
    newList->tail = NULL;
    newList->lock = PZ_NewLock(nssILockList);
    if (!newList->lock) {
        /* A list without a lock is unusable; hand back nothing. */
        PORT_Free(newList);
        newList = NULL;
    }

    return newList;
}
124 | |
125 | /* |
126 | * free a list element when all the references go away. |
127 | */ |
/*
 * Drop one reference on a list element.
 *
 * The count is decremented under list->lock. When the reference being
 * dropped was the last one, the element's slot reference is released and the
 * element itself is freed, both after the lock has been given up.
 *
 * Returns SECFailure with SEC_ERROR_INVALID_ARGS when either argument is
 * NULL, SECSuccess otherwise.
 */
SECStatus
PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le)
{
    PRBool wasLastRef;

    if (!list || !le) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    PZ_Lock(list->lock);
    wasLastRef = (le->refCount-- == 1) ? PR_TRUE : PR_FALSE;
    PZ_Unlock(list->lock);

    if (!wasLastRef) {
        return SECSuccess;
    }

    PK11_FreeSlot(le->slot);
    PORT_Free(le);
    return SECSuccess;
}
149 | |
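/*
 * Tear down a list whose PK11SlotList storage is not heap-owned (the
 * file-scope lists, or the body of a heap list about to be freed).
 *
 * Drops the list's reference on every element, destroys the lock and resets
 * the list fields. A NULL list is ignored.
 *
 * tail is cleared together with head: PK11_AddSlotToList() links a new
 * element behind list->tail when the list is empty, so a tail left pointing
 * at an element released here would be written through if the list were
 * initialised and used again.
 */
static void
pk11_FreeSlotListStatic(PK11SlotList *list)
{
    PK11SlotListElement *le, *next;

    if (list == NULL)
        return;

    for (le = list->head; le; le = next) {
        /* read the link first: the element may be freed by the call below */
        next = le->next;
        PK11_FreeSlotListElement(list, le);
    }
    if (list->lock) {
        PZ_DestroyLock(list->lock);
    }
    list->lock = NULL;
    list->head = NULL;
    list->tail = NULL;
}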
167 | |
168 | /* |
169 | * if we are freeing the list, we must be the only ones with a pointer |
170 | * to the list. |
171 | */ |
/*
 * Release a list obtained from PK11_NewSlotList(): first its elements and
 * lock, then the list structure itself. The caller must hold the only
 * remaining pointer to the list.
 */
void
PK11_FreeSlotList(PK11SlotList *list)
{
    /* elements + lock */
    pk11_FreeSlotListStatic(list);

    /* the container */
    PORT_Free(list);
}
178 | |
179 | /* |
180 | * add a slot to a list |
181 | * "slot" is the slot to be added. Ownership is not transferred. |
182 | * "sorted" indicates whether or not the slot should be inserted according to |
183 | * cipherOrder of the associated module. PR_FALSE indicates that the slot |
184 | * should be inserted to the head of the list. |
185 | */ |
/*
 * Insert a slot into a list.
 *
 * list:   destination list; its lock is held while the links are updated.
 * slot:   slot to add. The new element takes its own reference through
 *         PK11_ReferenceSlot(); the caller keeps the one it already has.
 * sorted: when true the element is placed in front of the first entry whose
 *         module cipherOrder is not greater than the new slot's, keeping
 *         higher cipherOrder values nearer the head. When false the element
 *         goes to the head.
 *
 * Returns SECFailure if the element cannot be allocated, else SECSuccess.
 * Neither list nor slot is checked for NULL here.
 */
SECStatus
PK11_AddSlotToList(PK11SlotList *list, PK11SlotInfo *slot, PRBool sorted)
{
    PK11SlotListElement *successor;
    PK11SlotListElement *entry =
        (PK11SlotListElement *)PORT_Alloc(sizeof(PK11SlotListElement));

    if (!entry) {
        return SECFailure;
    }

    entry->slot = PK11_ReferenceSlot(slot);
    entry->prev = NULL;
    entry->refCount = 1;

    PZ_Lock(list->lock);

    /* Locate the element the new entry has to precede (NULL means append). */
    for (successor = list->head; successor != NULL; successor = successor->next) {
        if (!sorted ||
            successor->slot->module->cipherOrder <= entry->slot->module->cipherOrder) {
            break;
        }
    }

    if (successor != NULL) {
        entry->prev = successor->prev;
        entry->next = successor;
        successor->prev = entry;
    } else {
        entry->prev = list->tail;
        entry->next = NULL;
        list->tail = entry;
    }

    if (entry->prev != NULL) {
        entry->prev->next = entry;
    }
    /* True both for "insert before the old head" and for an empty list. */
    if (list->head == successor) {
        list->head = entry;
    }

    PZ_Unlock(list->lock);

    return SECSuccess;
}
222 | |
223 | /* |
224 | * remove a slot entry from the list |
225 | */ |
/*
 * Unlink an element from a list and drop the list's reference on it.
 *
 * The element's own prev/next are cleared so that a traversal still holding
 * it can detect the removal (see PK11_GetNextSafe()). Always returns
 * SECSuccess.
 *
 * NOTE(review): nothing here checks that "le" is currently linked into
 * "list". Passing an element that was already unlinked (prev and next both
 * NULL) would reset head and tail to NULL - callers must not delete the same
 * element twice.
 */
SECStatus
PK11_DeleteSlotFromList(PK11SlotList *list, PK11SlotListElement *le)
{
    PK11SlotListElement *before;
    PK11SlotListElement *after;

    PZ_Lock(list->lock);
    before = le->prev;
    after = le->next;

    if (before != NULL) {
        before->next = after;
    } else {
        list->head = after;
    }

    if (after != NULL) {
        after->prev = before;
    } else {
        list->tail = before;
    }

    le->prev = NULL;
    le->next = NULL;
    PZ_Unlock(list->lock);

    PK11_FreeSlotListElement(list, le);
    return SECSuccess;
}
243 | |
244 | /* |
245 | * Move a list to the end of the target list. |
246 | * NOTE: There is no locking here... This assumes BOTH lists are private copy |
247 | * lists. It also does not re-sort the target list. |
248 | */ |
/*
 * Append every element of "src" to the end of "target" and leave "src"
 * empty. Reference counts are untouched; the elements simply change lists.
 *
 * No lock is taken on either list, so both must be private to the caller,
 * and the target is not re-sorted. Always returns SECSuccess.
 */
SECStatus
pk11_MoveListToList(PK11SlotList *target, PK11SlotList *src)
{
    PK11SlotListElement *first = src->head;

    if (first != NULL) {
        if (target->tail != NULL) {
            target->tail->next = first;
        } else {
            target->head = first;
        }
        first->prev = target->tail;
        target->tail = src->tail;

        src->head = NULL;
        src->tail = NULL;
    }

    return SECSuccess;
}
265 | |
266 | /* |
267 | * get an element from the list with a reference. You must own the list. |
268 | */ |
/*
 * Return the head element with one extra reference, or NULL for an empty
 * list. The list lock is not taken, so the caller must own the list. The
 * reference is given back by PK11_GetNextRef() or PK11_FreeSlotListElement().
 */
PK11SlotListElement *
PK11_GetFirstRef(PK11SlotList *list)
{
    PK11SlotListElement *first = list->head;

    if (first) {
        first->refCount++;
    }
    return first;
}
279 | |
280 | /* |
281 | * get the next element from the list with a reference. You must own the list. |
282 | */ |
/*
 * Step to the element after "le": reference the successor (if any), then
 * release the caller's reference on "le". Returns the successor or NULL at
 * the end of the list.
 *
 * The successor is read without taking the list lock, so the caller must own
 * the list. "restart" is accepted but not used by this variant.
 */
PK11SlotListElement *
PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
{
    PK11SlotListElement *successor = le->next;

    (void)restart;

    if (successor != NULL) {
        successor->refCount++;
    }
    PK11_FreeSlotListElement(list, le);
    return successor;
}
293 | |
294 | /* |
295 | * get an element safely from the list. This just makes sure that |
296 | * this element is not deleted while we deal with it. |
297 | */ |
/*
 * Locked counterpart of PK11_GetFirstRef(): read the head and take a
 * reference on it while holding list->lock. Returns NULL for an empty list.
 */
PK11SlotListElement *
PK11_GetFirstSafe(PK11SlotList *list)
{
    PK11SlotListElement *first;

    PZ_Lock(list->lock);
    first = list->head;
    if (first) {
        first->refCount++;
    }
    PZ_Unlock(list->lock);

    return first;
}
310 | |
311 | /* |
312 | * NOTE: if this element gets deleted, we can no longer safely traverse using |
313 | * its pointers. We can either terminate the loop, or restart from the |
314 | * beginning. This is controlled by the restart option. |
315 | */ |
/*
 * Locked iteration step: reference the successor of "le" under list->lock,
 * then release the caller's reference on "le".
 *
 * An element with neither prev nor next that is not the list head has been
 * unlinked while the caller held it. In that case the walk restarts from the
 * current head when "restart" is true and ends (NULL) when it is false.
 *
 * Returns the next element with a reference held, or NULL.
 */
PK11SlotListElement *
PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart)
{
    PK11SlotListElement *successor;

    PZ_Lock(list->lock);
    successor = le->next;
    if (successor == NULL && le->prev == NULL && restart && list->head != le) {
        /* "le" was removed from the list: begin again at the head */
        successor = list->head;
    }
    if (successor != NULL) {
        successor->refCount++;
    }
    PZ_Unlock(list->lock);

    PK11_FreeSlotListElement(list, le);
    return successor;
}
336 | |
337 | /* |
338 | * Find the element that holds this slot |
339 | */ |
/*
 * Find the list element that wraps "slot" (compared by pointer).
 *
 * Returns NULL when no element matches. A match is returned with the
 * reference taken during the walk still held, so the caller has to release
 * it with PK11_FreeSlotListElement() (or hand it to PK11_DeleteSlotFromList());
 * otherwise the element and its slot reference are never freed.
 */
PK11SlotListElement *
PK11_FindSlotElement(PK11SlotList *list, PK11SlotInfo *slot)
{
    PK11SlotListElement *cursor = PK11_GetFirstSafe(list);

    while (cursor != NULL && cursor->slot != slot) {
        cursor = PK11_GetNextSafe(list, cursor, PR_TRUE);
    }
    return cursor;
}
352 | |
353 | /************************************************************ |
354 | * Generic Slot Utilities |
355 | ************************************************************/ |
356 | /* |
357 | * Create a new slot structure |
358 | */ |
/*
 * Allocate a PK11SlotInfo and put every field into its initial state.
 *
 * mod: module the slot will belong to. It is dereferenced without a NULL
 *      check. Only its isThreadSafe flag and refLock are read here;
 *      slot->module itself is left NULL.
 *
 * Locks: freeListLock and nssTokenLock are always created. sessionLock is a
 * new lock when the module is thread safe, otherwise the slot borrows
 * mod->refLock.
 *
 * Returns the slot with refCount 1, or NULL if the allocation or any lock
 * creation fails (locks created so far are destroyed first).
 */
PK11SlotInfo *
PK11_NewSlotInfo(SECMODModule *mod)
{
    PK11SlotInfo *slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo));

    if (slot == NULL) {
        return NULL;
    }

    /* --- locks; each failure unwinds what was created before it --- */
    slot->freeListLock = PZ_NewLock(nssILockFreelist);
    if (slot->freeListLock == NULL) {
        goto fail_alloc;
    }
    slot->nssTokenLock = PZ_NewLock(nssILockOther);
    if (slot->nssTokenLock == NULL) {
        goto fail_free_list_lock;
    }
    if (mod->isThreadSafe) {
        slot->sessionLock = PZ_NewLock(nssILockSession);
    } else {
        slot->sessionLock = mod->refLock;
    }
    if (slot->sessionLock == NULL) {
        goto fail_token_lock;
    }

    /* --- cached symmetric keys --- */
    slot->freeSymKeysWithSessionHead = NULL;
    slot->freeSymKeysHead = NULL;
    slot->keyCount = 0;
    slot->maxKeyCount = 0;

    /* --- module binding and identity --- */
    slot->functionList = NULL;
    slot->module = NULL;
    slot->slotID = 0;
    slot->slot_name[0] = 0;
    slot->token_name[0] = 0;
    PORT_Memset(slot->serial, ' ', sizeof(slot->serial));
    PORT_Memset(&slot->tokenInfo, 0, sizeof(slot->tokenInfo));
    slot->nssToken = NULL;

    /* --- state flags --- */
    slot->needTest = PR_TRUE;
    slot->isPerm = PR_FALSE;
    slot->isHW = PR_FALSE;
    slot->isInternal = PR_FALSE;
    slot->isThreadSafe = PR_FALSE;
    slot->disabled = PR_FALSE;
    slot->reason = PK11_DIS_NONE;
    slot->readOnly = PR_TRUE;
    slot->needLogin = PR_FALSE;
    slot->hasRandom = PR_FALSE;
    slot->defRWSession = PR_FALSE;
    slot->protectedAuthPath = PR_FALSE;
    slot->hasRootCerts = PR_FALSE;
    slot->hasRootTrust = PR_FALSE;
    slot->flags = 0;
    slot->defaultFlags = 0;
    slot->series = 1;
    slot->flagSeries = 0;
    slot->flagState = PR_FALSE;

    /* --- sessions, wrapping keys, reference count --- */
    slot->session = CK_INVALID_HANDLE;
    slot->wrapKey = 0;
    slot->wrapMechanism = CKM_INVALID_MECHANISM;
    slot->refKeys[0] = CK_INVALID_HANDLE;
    slot->refCount = 1;

    /* --- authentication bookkeeping --- */
    slot->askpw = 0;
    slot->timeout = 0;
    slot->authTransact = 0;
    slot->authTime = LL_ZERO;
    slot->minPassword = 0;
    slot->maxPassword = 0;

    /* --- cached mechanism, certificate and profile data --- */
    slot->mechanismList = NULL;
    slot->mechanismCount = 0;
    slot->cert_array = NULL;
    slot->cert_count = 0;
    slot->profileList = NULL;
    slot->profileCount = 0;

    return slot;

fail_token_lock:
    PZ_DestroyLock(slot->nssTokenLock);
fail_free_list_lock:
    PZ_DestroyLock(slot->freeListLock);
fail_alloc:
    PORT_Free(slot);
    return NULL;
}
436 | |
437 | /* create a new reference to a slot so it doesn't go away */ |
/*
 * Take an additional reference on a slot (atomic increment of refCount) and
 * return the same pointer. Pair every call with PK11_FreeSlot(). The slot
 * pointer is not checked for NULL.
 */
PK11SlotInfo *
PK11_ReferenceSlot(PK11SlotInfo *slot)
{
    (void)PR_ATOMIC_INCREMENT(&slot->refCount);

    return slot;
}
444 | |
445 | /* Destroy all info on a slot we have built up */ |
/*
 * Release everything a slot owns and free the slot itself. Reached from
 * PK11_FreeSlot() once the reference count drops to zero.
 *
 * Order: cached keys, the module's sessions on this slot, cached lists, the
 * locks, the parent-module notification, and finally the slot memory.
 */
void
PK11_DestroySlot(PK11SlotInfo *slot)
{
    /* free up the cached keys and sessions */
    PK11_CleanKeyList(slot);

    /* close every session the module still has open on this slot */
    if (slot->functionList != NULL) {
        PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
    }

    if (slot->mechanismList != NULL) {
        PORT_Free(slot->mechanismList);
    }
    if (slot->profileList != NULL) {
        PORT_Free(slot->profileList);
    }

    /*
     * sessionLock is destroyed only when the slot is marked thread safe;
     * presumably because it is otherwise the module's refLock borrowed in
     * PK11_NewSlotInfo() - confirm. The pointer is cleared in both cases.
     */
    if (slot->isThreadSafe && slot->sessionLock != NULL) {
        PZ_DestroyLock(slot->sessionLock);
    }
    slot->sessionLock = NULL;

    if (slot->freeListLock != NULL) {
        PZ_DestroyLock(slot->freeListLock);
        slot->freeListLock = NULL;
    }
    if (slot->nssTokenLock != NULL) {
        PZ_DestroyLock(slot->nssTokenLock);
        slot->nssTokenLock = NULL;
    }

    /* tell the parent module that this slot is gone so it can unload */
    if (slot->module != NULL) {
        SECMOD_SlotDestroyModule(slot->module, PR_TRUE);
    }

    /* last step: the slot's own memory */
    PORT_Free(slot);
}
485 | |
486 | /* We're all done with the slot, free it */ |
/*
 * Give up one reference on a slot. The atomic decrement that reaches zero
 * destroys the slot; the pointer must not be used after this call.
 */
void
PK11_FreeSlot(PK11SlotInfo *slot)
{
    if (PR_ATOMIC_DECREMENT(&slot->refCount) != 0) {
        return; /* other references remain */
    }

    PK11_DestroySlot(slot);
}
494 | |
/*
 * Acquire the slot's sessionLock. Must be balanced by
 * PK11_ExitSlotMonitor() on the same slot.
 */
void
PK11_EnterSlotMonitor(PK11SlotInfo *slot)
{
    PZ_Lock(slot->sessionLock);
}
500 | |
/*
 * Release the slot's sessionLock taken by PK11_EnterSlotMonitor().
 */
void
PK11_ExitSlotMonitor(PK11SlotInfo *slot)
{
    PZ_Unlock(slot->sessionLock);
}
506 | |
507 | /*********************************************************** |
508 | * Functions to find specific slots. |
509 | ***********************************************************/ |
/*
 * Report whether any present slot of any module on the default module list
 * has its hasRootCerts flag set.
 *
 * Returns PR_FALSE with SEC_ERROR_NOT_INITIALIZED when the module list lock
 * does not exist. The scan runs under the module list read lock.
 *
 * NOTE(review): unlike PK11_FindSlotsByNames(), this walk dereferences
 * mlp->module and module->slots[i] without NULL checks.
 */
PRBool
SECMOD_HasRootCerts(void)
{
    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
    SECMODModuleList *mlp;
    PRBool found = PR_FALSE;
    int i;

    if (moduleLock == NULL) {
        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
        return found;
    }

    SECMOD_GetReadLock(moduleLock);
    for (mlp = SECMOD_GetDefaultModuleList(); !found && mlp != NULL; mlp = mlp->next) {
        for (i = 0; !found && i < mlp->module->slotCount; i++) {
            PK11SlotInfo *candidate = mlp->module->slots[i];

            if (PK11_IsPresent(candidate) && candidate->hasRootCerts) {
                found = PR_TRUE;
            }
        }
    }
    SECMOD_ReleaseReadLock(moduleLock);

    return found;
}
544 | |
545 | /*********************************************************** |
546 | * Functions to find specific slots. |
547 | ***********************************************************/ |
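/*
 * Build a list of slots selected by module library name, slot name and
 * token name.
 *
 * dllName, slotName, tokenName:
 *     each filter is optional. A NULL filter matches everything. When all
 *     three are NULL or empty the result holds just the internal key slot.
 *     Names are compared with an exact, case-sensitive string comparison.
 * presentOnly:
 *     when true, only slots for which PK11_IsPresent() succeeds are added.
 *
 * Returns a new list owned by the caller (release with PK11_FreeSlotList()),
 * or NULL with the error code set:
 *     SEC_ERROR_NOT_INITIALIZED  no default module list lock
 *     SEC_ERROR_NO_MEMORY        the list or an element could not be allocated
 *     SEC_ERROR_NO_TOKEN         nothing matched / no internal key slot
 *     SEC_ERROR_LIBRARY_FAILURE  a module entry or slot pointer was NULL
 *
 * A slot is only counted as found when it was actually added to the list, so
 * a non-NULL result is never empty.
 */
PK11SlotList *
PK11_FindSlotsByNames(const char *dllName, const char *slotName,
                      const char *tokenName, PRBool presentOnly)
{
    SECMODModuleList *mlp;
    SECMODModuleList *modules;
    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
    int i;
    PK11SlotList *slotList = NULL;
    PRUint32 slotcount = 0;
    SECStatus rv = SECSuccess;

    if (!moduleLock) {
        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
        return slotList;
    }

    slotList = PK11_NewSlotList();
    if (!slotList) {
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return slotList;
    }

    if (((NULL == dllName) || (0 == *dllName)) &&
        ((NULL == slotName) || (0 == *slotName)) &&
        ((NULL == tokenName) || (0 == *tokenName))) {
        /* default to softoken */
        /* PK11_GetInternalKeySlot increments the refcount on the internal slot,
         * but so does PK11_AddSlotToList. To avoid erroneously increasing the
         * refcount twice, we get our own reference to the internal slot and
         * decrement its refcount when we're done with it. */
        PK11SlotInfo *internalKeySlot = PK11_GetInternalKeySlot();

        /* PK11_AddSlotToList and PK11_FreeSlot both dereference the slot, so
         * a missing internal slot has to be handled before either is called.
         * NOTE(review): assumes PK11_GetInternalKeySlot can return NULL -
         * confirm against its definition. */
        if (!internalKeySlot) {
            PK11_FreeSlotList(slotList);
            PORT_SetError(SEC_ERROR_NO_TOKEN);
            return NULL;
        }
        rv = PK11_AddSlotToList(slotList, internalKeySlot, PR_TRUE);
        PK11_FreeSlot(internalKeySlot);
        if (rv != SECSuccess) {
            /* the only failure PK11_AddSlotToList reports is allocation */
            PK11_FreeSlotList(slotList);
            PORT_SetError(SEC_ERROR_NO_MEMORY);
            return NULL;
        }
        return slotList;
    }

    /* work through all the slots */
    SECMOD_GetReadLock(moduleLock);
    modules = SECMOD_GetDefaultModuleList();
    for (mlp = modules; mlp != NULL; mlp = mlp->next) {
        PORT_Assert(mlp->module);
        if (!mlp->module) {
            rv = SECFailure;
            break;
        }
        if ((!dllName) || (mlp->module->dllName &&
                           (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) {
            for (i = 0; i < mlp->module->slotCount; i++) {
                PK11SlotInfo *tmpSlot = (mlp->module->slots ? mlp->module->slots[i] : NULL);
                PORT_Assert(tmpSlot);
                if (!tmpSlot) {
                    rv = SECFailure;
                    break;
                }
                if ((PR_FALSE == presentOnly || PK11_IsPresent(tmpSlot)) &&
                    ((!tokenName) ||
                     (0 == PORT_Strcmp(tmpSlot->token_name, tokenName))) &&
                    ((!slotName) ||
                     (0 == PORT_Strcmp(tmpSlot->slot_name, slotName)))) {
                    /* count the slot only if it really made it into the list */
                    if (PK11_AddSlotToList(slotList, tmpSlot, PR_TRUE) == SECSuccess) {
                        slotcount++;
                    }
                }
            }
            if (SECFailure == rv) {
                /* inconsistent module: the result is discarded anyway, so
                 * stop instead of scanning the remaining modules */
                break;
            }
        }
    }
    SECMOD_ReleaseReadLock(moduleLock);

    if ((0 == slotcount) || (SECFailure == rv)) {
        PK11_FreeSlotList(slotList);
        slotList = NULL;
        /* a structural failure takes precedence over "nothing matched" */
        PORT_SetError((SECFailure == rv) ? SEC_ERROR_LIBRARY_FAILURE
                                         : SEC_ERROR_NO_TOKEN);
    }

    return slotList;
}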
628 | |
/*
 * Predicate used by pk11_FindSlot(): returns true when "slot" matches the
 * caller-supplied criterion "arg". What "arg" points to is defined by each
 * matcher.
 */
typedef PRBool (*PK11SlotMatchFunc)(PK11SlotInfo *slot, const void *arg);
630 | |
/*
 * PK11SlotMatchFunc: "arg" is a NUL-terminated token name. Matches when it
 * equals slot->token_name exactly (case-sensitive).
 */
static PRBool
pk11_MatchSlotByTokenName(PK11SlotInfo *slot, const void *arg)
{
    const char *wanted = arg;

    return (PRBool)(PORT_Strcmp(slot->token_name, wanted) == 0);
}
636 | |
/*
 * PK11SlotMatchFunc: "arg" is a serial number compared byte-for-byte against
 * slot->serial.
 *
 * The comparison always covers sizeof(slot->serial) bytes and does not stop
 * at a NUL, so "arg" must point to at least that many readable bytes. A
 * shorter buffer is read past its end.
 */
static PRBool
pk11_MatchSlotBySerial(PK11SlotInfo *slot, const void *arg)
{
    const size_t serialLen = sizeof(slot->serial);

    return (PRBool)(PORT_Memcmp(slot->serial, arg, serialLen) == 0);
}
642 | |
/*
 * PK11SlotMatchFunc: "arg" is a parsed PK11URI. The decision is delegated to
 * pk11_MatchUriTokenInfo(); the const qualifier is dropped only to satisfy
 * that call.
 */
static PRBool
pk11_MatchSlotByTokenURI(PK11SlotInfo *slot, const void *arg)
{
    PK11URI *uri = (PK11URI *)arg;

    return pk11_MatchUriTokenInfo(slot, uri);
}
648 | |
/*
 * Return the first present slot on the default module list accepted by
 * "func".
 *
 * arg:  opaque criterion passed through to the matcher.
 * func: predicate called for every present slot, under the module list read
 *       lock.
 *
 * The result carries a new reference the caller releases with
 * PK11_FreeSlot(). NULL is returned with SEC_ERROR_NOT_INITIALIZED when the
 * module list lock does not exist, or SEC_ERROR_NO_TOKEN when nothing
 * matched.
 *
 * NOTE(review): unlike PK11_FindSlotsByNames(), this walk dereferences
 * mlp->module and module->slots[i] without NULL checks.
 */
static PK11SlotInfo *
pk11_FindSlot(const void *arg, PK11SlotMatchFunc func)
{
    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
    SECMODModuleList *mlp;
    PK11SlotInfo *match = NULL;
    int i;

    if (moduleLock == NULL) {
        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
        return match;
    }

    SECMOD_GetReadLock(moduleLock);
    for (mlp = SECMOD_GetDefaultModuleList(); match == NULL && mlp != NULL; mlp = mlp->next) {
        for (i = 0; match == NULL && i < mlp->module->slotCount; i++) {
            PK11SlotInfo *candidate = mlp->module->slots[i];

            if (PK11_IsPresent(candidate) && func(candidate, arg)) {
                /* take the reference while the list is still read-locked */
                match = PK11_ReferenceSlot(candidate);
            }
        }
    }
    SECMOD_ReleaseReadLock(moduleLock);

    if (match == NULL) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
    }
    return match;
}
686 | |
/*
 * Look a slot up by a PKCS #11 URI string.
 *
 * The string is parsed with PK11URI_ParseURI(); a string that does not parse
 * yields NULL with SEC_ERROR_INVALID_ARGS. Otherwise the result is whatever
 * pk11_FindSlot() returns for the token-URI matcher. The parsed URI is
 * destroyed before returning.
 */
static PK11SlotInfo *
pk11_FindSlotByTokenURI(const char *uriString)
{
    PK11SlotInfo *found;
    PK11URI *parsed = PK11URI_ParseURI(uriString);

    if (parsed == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return NULL;
    }

    found = pk11_FindSlot(parsed, pk11_MatchSlotByTokenURI);
    PK11URI_DestroyURI(parsed);

    return found;
}
703 | |
/*
 * Resolve a slot from a caller-supplied name.
 *
 *   NULL or ""           -> the internal key slot
 *   begins with "pkcs11:" (compared case-insensitively)
 *                        -> treated as a PKCS #11 URI
 *   anything else        -> exact match against the token name of a
 *                           present slot
 *
 * Returns a referenced slot or NULL; the error code is set by the helper
 * that performed the lookup.
 */
PK11SlotInfo *
PK11_FindSlotByName(const char *name)
{
    static const char uriScheme[] = "pkcs11:";

    if (name == NULL || name[0] == '\0') {
        return PK11_GetInternalKeySlot();
    }

    if (PORT_Strncasecmp(name, uriScheme, sizeof(uriScheme) - 1) == 0) {
        return pk11_FindSlotByTokenURI(name);
    }

    return pk11_FindSlot(name, pk11_MatchSlotByTokenName);
}
717 | |
/*
 * Find a present slot by token serial number.
 *
 * serial: compared with memcmp over sizeof(slot->serial) bytes, not as a C
 *         string. The caller must supply a buffer at least that long; a
 *         shorter NUL-terminated string is read past its end.
 *
 * Returns a referenced slot, or NULL with the error set by pk11_FindSlot().
 */
PK11SlotInfo *
PK11_FindSlotBySerial(char *serial)
{
    const void *criterion = serial;

    return pk11_FindSlot(criterion, pk11_MatchSlotBySerial);
}
723 | |
724 | /* |
725 | * notification stub. If we ever get interested in any events that |
726 | * the pkcs11 functions may pass back to use, we can catch them here... |
727 | * currently pdata is a slotinfo structure. |
728 | */ |
/*
 * Notification callback handed to C_OpenSession(). It ignores all of its
 * arguments and always reports CKR_OK.
 */
CK_RV
pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
            CK_VOID_PTR pdata)
{
    (void)session;
    (void)event;
    (void)pdata;

    return CKR_OK;
}
735 | |
736 | /* |
737 | * grab a new RW session |
738 | * !!! has a side effect of grabbing the Monitor if either the slot's default |
739 | * session is RW or the slot is not thread safe. The Monitor is released by |
740 | * PK11_RestoreROSession below. |
741 | */ |
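/*
 * Obtain a read/write session on a slot.
 *
 * Side effect: when the slot is not thread safe, or its default session is
 * read/write, the slot monitor is entered and is STILL HELD when a valid
 * handle is returned. Every successful call must therefore be paired with
 * PK11_RestoreROSession(), which releases it.
 *
 * Returns the slot's default session when that is already read/write,
 * otherwise a session newly opened through the module's C_OpenSession.
 * On failure returns CK_INVALID_HANDLE with the mapped PKCS #11 error set
 * and the monitor released.
 */
CK_SESSION_HANDLE
PK11_GetRWSession(PK11SlotInfo *slot)
{
    /*
     * The handle is filled in by the PKCS #11 module. Starting from
     * CK_INVALID_HANDLE keeps the assertion and the check below from reading
     * an indeterminate value when the module returns without storing a
     * handle, and makes such a module fail the CK_INVALID_HANDLE test instead
     * of handing a garbage session to the caller.
     */
    CK_SESSION_HANDLE rwsession = CK_INVALID_HANDLE;
    CK_RV crv;
    PRBool haveMonitor = PR_FALSE;

    if (!slot->isThreadSafe || slot->defRWSession) {
        PK11_EnterSlotMonitor(slot);
        haveMonitor = PR_TRUE;
    }
    if (slot->defRWSession) {
        PORT_Assert(slot->session != CK_INVALID_HANDLE);
        /* returns with the monitor held, see the header comment */
        if (slot->session != CK_INVALID_HANDLE)
            return slot->session;
    }

    crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
                                           CKF_RW_SESSION | CKF_SERIAL_SESSION,
                                           slot, pk11_notify, &rwsession);
    PORT_Assert(rwsession != CK_INVALID_HANDLE || crv != CKR_OK);
    if (crv != CKR_OK || rwsession == CK_INVALID_HANDLE) {
        /* "success" without a usable handle is reported as a device error */
        if (crv == CKR_OK)
            crv = CKR_DEVICE_ERROR;
        if (haveMonitor)
            PK11_ExitSlotMonitor(slot);
        PORT_SetError(PK11_MapError(crv));
        return CK_INVALID_HANDLE;
    }
    if (slot->defRWSession) { /* we have the monitor */
        slot->session = rwsession;
    }
    return rwsession;
}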
776 | |
/*
 * Tell whether the holder of a read/write session also holds the slot
 * monitor: true when the slot is not thread safe, or when the slot's default
 * session is read/write and valid.
 *
 * session_handle is not consulted; the answer depends on slot state only.
 */
PRBool
PK11_RWSessionHasLock(PK11SlotInfo *slot, CK_SESSION_HANDLE session_handle)
{
    (void)session_handle;

    if (!slot->isThreadSafe) {
        return (PRBool)1;
    }
    return (PRBool)(slot->defRWSession && slot->session != CK_INVALID_HANDLE);
}
785 | |
/*
 * True when "rwsession" is the slot's own default session, i.e. the slot's
 * default session is read/write, valid, and has this handle. Such a session
 * must stay open when the caller is done with it.
 */
static PRBool
pk11_RWSessionIsDefault(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession)
{
    if (slot->session != rwsession) {
        return (PRBool)0;
    }
    return (PRBool)(slot->defRWSession && slot->session != CK_INVALID_HANDLE);
}
795 | |
796 | /* |
797 | * close the rwsession and restore our readonly session |
798 | * !!! has a side effect of releasing the Monitor if either the slot's default |
799 | * session is RW or the slot is not thread safe. |
800 | */ |
/*
 * Counterpart of PK11_GetRWSession(): close the read/write session unless it
 * is the slot's default session, then leave the slot monitor if
 * PK11_RWSessionHasLock() says it is held.
 *
 * Whether the monitor is held is sampled before the session is closed.
 * Calling this with CK_INVALID_HANDLE asserts in debug builds and does
 * nothing otherwise.
 */
void
PK11_RestoreROSession(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession)
{
    PRBool holdsMonitor;

    PORT_Assert(rwsession != CK_INVALID_HANDLE);
    if (rwsession == CK_INVALID_HANDLE) {
        return;
    }

    holdsMonitor = PK11_RWSessionHasLock(slot, rwsession);
    if (!pk11_RWSessionIsDefault(slot, rwsession)) {
        PK11_GETTAB(slot)->C_CloseSession(rwsession);
    }
    if (holdsMonitor) {
        PK11_ExitSlotMonitor(slot);
    }
}
814 | |
815 | /************************************************************ |
816 | * Manage the built-In Slot Lists |
817 | ************************************************************/ |
818 | |
819 | /* Init the static built-in slot list (should actually integrate |
820 | * with PK11_NewSlotList) */ |
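/*
 * Prepare one of the file-scope slot lists for use: create its lock and mark
 * it empty.
 *
 * tail is reset along with head. pk11_FreeSlotListStatic() as written clears
 * only head and lock, so after a destroy/init cycle tail could still hold
 * the address of an element released earlier, and PK11_AddSlotToList() links
 * through list->tail when the list is empty.
 *
 * The lock may be NULL afterwards if PZ_NewLock() failed; this function has
 * no way to report that, so callers that care must inspect list->lock.
 */
static void
pk11_InitSlotListStatic(PK11SlotList *list)
{
    list->lock = PZ_NewLock(nssILockList);
    list->head = NULL;
    list->tail = NULL;
}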
827 | |
828 | /* initialize the system slotlists */ |
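/*
 * Initialise every built-in per-algorithm slot list.
 *
 * Returns SECSuccess when all lists received a lock. If any lock could not
 * be created, all lists are torn down again and SECFailure is returned with
 * SEC_ERROR_NO_MEMORY, rather than reporting success and leaving a list
 * whose NULL lock would be passed to PZ_Lock() on first use.
 */
SECStatus
PK11_InitSlotLists(void)
{
    PK11SlotList *const lists[] = {
        &pk11_seedSlotList,
        &pk11_camelliaSlotList,
        &pk11_aesSlotList,
        &pk11_desSlotList,
        &pk11_rc4SlotList,
        &pk11_rc2SlotList,
        &pk11_rc5SlotList,
        &pk11_md5SlotList,
        &pk11_md2SlotList,
        &pk11_sha1SlotList,
        &pk11_rsaSlotList,
        &pk11_dsaSlotList,
        &pk11_dhSlotList,
        &pk11_ecSlotList,
        &pk11_ideaSlotList,
        &pk11_sslSlotList,
        &pk11_tlsSlotList,
        &pk11_randomSlotList,
        &pk11_sha256SlotList,
        &pk11_sha512SlotList,
    };
    const size_t count = sizeof(lists) / sizeof(lists[0]);
    PRBool allLocked = PR_TRUE;
    size_t i;

    /* Initialise every list first so that the teardown below never walks a
     * list whose head has not been reset. */
    for (i = 0; i < count; i++) {
        pk11_InitSlotListStatic(lists[i]);
        if (lists[i]->lock == NULL) {
            allLocked = PR_FALSE;
        }
    }
    if (allLocked) {
        return SECSuccess;
    }

    /* pk11_FreeSlotListStatic tolerates a NULL lock and an empty list. */
    for (i = 0; i < count; i++) {
        pk11_FreeSlotListStatic(lists[i]);
    }
    PORT_SetError(SEC_ERROR_NO_MEMORY);
    return SECFailure;
}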
854 | |
/*
 * Tear down every built-in per-algorithm slot list, in the same order in
 * which PK11_InitSlotLists() sets them up.
 */
void
PK11_DestroySlotLists(void)
{
    PK11SlotList *const lists[] = {
        &pk11_seedSlotList,
        &pk11_camelliaSlotList,
        &pk11_aesSlotList,
        &pk11_desSlotList,
        &pk11_rc4SlotList,
        &pk11_rc2SlotList,
        &pk11_rc5SlotList,
        &pk11_md5SlotList,
        &pk11_md2SlotList,
        &pk11_sha1SlotList,
        &pk11_rsaSlotList,
        &pk11_dsaSlotList,
        &pk11_dhSlotList,
        &pk11_ecSlotList,
        &pk11_ideaSlotList,
        &pk11_sslSlotList,
        &pk11_tlsSlotList,
        &pk11_randomSlotList,
        &pk11_sha256SlotList,
        &pk11_sha512SlotList,
    };
    size_t i;

    for (i = 0; i < sizeof(lists) / sizeof(lists[0]); i++) {
        pk11_FreeSlotListStatic(lists[i]);
    }
}
880 | |
/*
 * Map a mechanism type to the static default slot list kept for its
 * algorithm family.
 *
 * Returns a pointer to one of the file-level lists, or NULL when the
 * mechanism is not one of the cases below. Callers must handle NULL.
 */
PK11SlotList *
PK11_GetSlotList(CK_MECHANISM_TYPE type)
{
    PK11SlotList *list = NULL;

/* XXX a workaround for Bugzilla bug #55267 */
#if defined(HPUX) && defined(__LP64__)
    if (type == CKM_INVALID_MECHANISM) {
        return NULL;
    }
#endif
    switch (type) {
        case CKM_SEED_CBC:
        case CKM_SEED_ECB:
            list = &pk11_seedSlotList;
            break;
        case CKM_CAMELLIA_CBC:
        case CKM_CAMELLIA_ECB:
            list = &pk11_camelliaSlotList;
            break;
        case CKM_AES_CBC:
        case CKM_AES_CCM:
        case CKM_AES_CTR:
        case CKM_AES_CTS:
        case CKM_AES_GCM:
        case CKM_AES_ECB:
            list = &pk11_aesSlotList;
            break;
        case CKM_DES_CBC:
        case CKM_DES_ECB:
        case CKM_DES3_ECB:
        case CKM_DES3_CBC:
            list = &pk11_desSlotList;
            break;
        case CKM_RC4:
            list = &pk11_rc4SlotList;
            break;
        case CKM_RC5_CBC:
            list = &pk11_rc5SlotList;
            break;
        case CKM_SHA_1:
            list = &pk11_sha1SlotList;
            break;
        /* SHA-224/256 and SHA3-224/256 share one list */
        case CKM_SHA224:
        case CKM_SHA256:
        case CKM_SHA3_224:
        case CKM_SHA3_256:
            list = &pk11_sha256SlotList;
            break;
        /* SHA-384/512 and SHA3-384/512 share one list */
        case CKM_SHA384:
        case CKM_SHA512:
        case CKM_SHA3_384:
        case CKM_SHA3_512:
            list = &pk11_sha512SlotList;
            break;
        case CKM_MD5:
            list = &pk11_md5SlotList;
            break;
        case CKM_MD2:
            list = &pk11_md2SlotList;
            break;
        case CKM_RC2_ECB:
        case CKM_RC2_CBC:
            list = &pk11_rc2SlotList;
            break;
        case CKM_RSA_PKCS:
        case CKM_RSA_PKCS_KEY_PAIR_GEN:
        case CKM_RSA_X_509:
            list = &pk11_rsaSlotList;
            break;
        case CKM_DSA:
            list = &pk11_dsaSlotList;
            break;
        case CKM_DH_PKCS_KEY_PAIR_GEN:
        case CKM_DH_PKCS_DERIVE:
            list = &pk11_dhSlotList;
            break;
        /* EdDSA, ECDSA/ECDH and the Kyber mechanisms all use the EC list */
        case CKM_EDDSA:
        case CKM_EC_EDWARDS_KEY_PAIR_GEN:
        case CKM_ECDSA:
        case CKM_ECDSA_SHA1:
        case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
        case CKM_ECDH1_DERIVE:
        case CKM_NSS_KYBER_KEY_PAIR_GEN: /* Bug 1893029 */
        case CKM_NSS_KYBER:
            list = &pk11_ecSlotList;
            break;
        case CKM_SSL3_PRE_MASTER_KEY_GEN:
        case CKM_SSL3_MASTER_KEY_DERIVE:
        case CKM_SSL3_SHA1_MAC:
        case CKM_SSL3_MD5_MAC:
            list = &pk11_sslSlotList;
            break;
        case CKM_TLS_MASTER_KEY_DERIVE:
        case CKM_TLS_KEY_AND_MAC_DERIVE:
        case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256:
            list = &pk11_tlsSlotList;
            break;
        case CKM_IDEA_CBC:
        case CKM_IDEA_ECB:
            list = &pk11_ideaSlotList;
            break;
        case CKM_FAKE_RANDOM:
            list = &pk11_randomSlotList;
            break;
        default:
            break;
    }
    return list;
}
967 | |
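/*
 * Load the static SlotInfo settings used to select a PKCS #11 slot.
 *
 * psi is the module's list of per-slot defaults (count entries). The entry
 * whose slotID matches slot->slotID supplies defaultFlags, askpw, timeout
 * and hasRootCerts. Unless the slot is (or becomes) disabled, the slot is
 * then added to the default list of every mechanism whose flag is set.
 * Nothing is changed when no entry matches.
 */
void
PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count)
{
    int i;

    for (i = 0; i < count; i++) {
        if (psi[i].slotID == slot->slotID) {
            break;
        }
    }

    /* No entry for this slot. Using ">=" rather than "==" also covers a
     * negative count, which would otherwise fall through and read psi[0]. */
    if (i >= count) {
        return;
    }

    slot->defaultFlags = psi[i].defaultFlags;
    slot->askpw = psi[i].askpw;
    slot->timeout = psi[i].timeout;
    slot->hasRootCerts = psi[i].hasRootCerts;

    /* if the slot is already disabled, don't load them into the
     * default slot lists. We get here so we can save the default
     * list value. */
    if (slot->disabled) {
        return;
    }

    /* if the user has disabled us, don't load us in */
    if (slot->defaultFlags & PK11_DISABLE_FLAG) {
        slot->disabled = PR_TRUE;
        slot->reason = PK11_DIS_USER_SELECTED;
        /* free up sessions and things?? */
        return;
    }

    for (i = 0; i < num_pk11_default_mechanisms; i++) {
        if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
            CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
            PK11SlotList *slotList = PK11_GetSlotList(mechanism);

            /* mechanisms without a default list are skipped */
            if (slotList) {
                PK11_AddSlotToList(slotList, slot, PR_FALSE);
            }
        }
    }
}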
1017 | |
/*
 * Turn one default-mechanism flag on or off for a slot and keep the
 * matching default slot list in step.
 *
 * add: PR_TRUE to set entry->flag and add the slot to the list,
 *      PR_FALSE to clear the flag and remove the slot from the list.
 * Returns SECSuccess when there is nothing to do (no list for the
 * mechanism, or the slot is not on it); otherwise the result of the
 * add/delete call.
 *
 * NOTE(review): PK11_ClearSlotList in this file follows
 * PK11_DeleteSlotFromList with PK11_FreeSlotListElement for the element
 * returned by PK11_FindSlotElement; the removal path here does not.
 * Confirm whether an element reference is leaked on this path.
 */
SECStatus
PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
                         const PK11DefaultArrayEntry *entry,
                         PRBool add)
{
    PK11SlotList *mechList = PK11_GetSlotList(entry->mechanism);
    PK11SlotListElement *found;

    if (add) {
        /* turning the mechanism on: set the flag, then list the slot */
        slot->defaultFlags |= entry->flag;
        if (mechList == NULL) {
            return SECSuccess;
        }
        return PK11_AddSlotToList(mechList, slot, PR_FALSE);
    }

    /* turning the mechanism off: clear the flag, then unlist the slot */
    slot->defaultFlags &= ~entry->flag;
    if (mechList == NULL) {
        return SECSuccess;
    }
    found = PK11_FindSlotElement(mechList, slot);
    if (found == NULL) {
        return SECSuccess;
    }
    return PK11_DeleteSlotFromList(mechList, found);
}
1056 | |
/*
 * Remove a slot from every default list it was placed on.
 *
 * Does nothing for a disabled slot or one with no default flags. For each
 * PK11_DefaultArray entry whose flag is set on the slot, the slot's
 * element is looked up in that mechanism's list, deleted from the list
 * and then released with PK11_FreeSlotListElement.
 */
void
PK11_ClearSlotList(PK11SlotInfo *slot)
{
    int idx;

    if (slot->disabled || slot->defaultFlags == 0) {
        return;
    }

    for (idx = 0; idx < num_pk11_default_mechanisms; idx++) {
        const PK11DefaultArrayEntry *entry = &PK11_DefaultArray[idx];
        PK11SlotList *mechList;
        PK11SlotListElement *found;

        if ((slot->defaultFlags & entry->flag) == 0) {
            continue;
        }
        mechList = PK11_GetSlotList(entry->mechanism);
        if (mechList == NULL) {
            continue;
        }
        found = PK11_FindSlotElement(mechList, slot);
        if (found == NULL) {
            continue;
        }
        PK11_DeleteSlotFromList(mechList, found);
        PK11_FreeSlotListElement(mechList, found);
    }
}
1086 | |
1087 | /****************************************************************** |
1088 | * Slot initialization |
1089 | ******************************************************************/ |
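/*
 * Turn a PKCS #11 static label (fixed length, blank padded, not
 * NUL-terminated) into a NUL-terminated C string with the trailing
 * blanks removed.
 *
 * arena:        if non-NULL, the result is allocated from this arena.
 * space:        used when arena is NULL; a caller-supplied buffer. Its size
 *               is not known here, so it must hold at least stringLen + 1
 *               bytes.
 * staticString: the label bytes; typically data reported by the token.
 * stringLen:    number of bytes in staticString.
 *
 * With both arena and space NULL the result comes from PORT_Alloc.
 * Returns the string, or NULL if allocation failed.
 */
char *
PK11_MakeString(PLArenaPool *arena, char *space,
                char *staticString, int stringLen)
{
    int len;
    char *newString;

    /* len becomes the number of bytes to keep (one past the last
     * non-blank). A negative stringLen is treated as empty; previously it
     * left a negative index and the terminator was written before the
     * start of the buffer. */
    len = (stringLen > 0) ? stringLen : 0;
    while (len > 0 && staticString[len - 1] == ' ') {
        len--;
    }

    if (arena) {
        newString = (char *)PORT_ArenaAlloc(arena, len + 1 /* space for NULL */);
    } else if (space) {
        newString = space;
    } else {
        newString = (char *)PORT_Alloc(len + 1 /* space for NULL */);
    }
    if (newString == NULL) {
        return NULL;
    }

    if (len) {
        PORT_Memcpy(newString, staticString, len);
    }
    newString[len] = 0;

    return newString;
}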
1121 | |
/*
 * Compare a NUL-terminated string with a PKCS #11 static label.
 *
 * Trailing blanks of staticString (staticStringLen bytes, not
 * NUL-terminated) are ignored. Returns PR_TRUE only when string has
 * exactly the trimmed length and the same bytes.
 */
PRBool
pk11_MatchString(const char *string,
                 const char *staticString, size_t staticStringLen)
{
    size_t trimmedLen;

    /* step back over the blank padding */
    for (trimmedLen = staticStringLen; trimmedLen > 0; trimmedLen--) {
        if (staticString[trimmedLen - 1] != ' ') {
            break;
        }
    }

    /* length is checked first so memcmp never reads past string's NUL */
    if (strlen(string) != trimmedLen) {
        return PR_FALSE;
    }
    return (memcmp(string, staticString, trimmedLen) == 0) ? PR_TRUE : PR_FALSE;
}
1144 | |
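/*
 * Read the slot's mechanism list from the module and cache it in
 * slot->mechanismList / slot->mechanismCount, rebuilding
 * slot->mechanismBits for the mechanisms below 0x7ff.
 *
 * The list is fetched with two C_GetMechanismList calls: the first asks
 * for the count, the second fills a buffer of that size. Both counts are
 * supplied by the module, so they are checked before being used to size
 * or walk the buffer.
 *
 * Returns SECFailure if the count query or the allocation fails.
 * NOTE(review): a failure of the second C_GetMechanismList call sets the
 * error code and clears the list but returns SECSuccess; kept as is since
 * callers may depend on it - confirm whether that is intended.
 */
SECStatus
PK11_ReadMechanismList(PK11SlotInfo *slot)
{
    CK_ULONG count = 0;
    CK_ULONG allocated;
    CK_RV crv;
    CK_ULONG i;

    if (slot->mechanismList) {
        PORT_Free(slot->mechanismList);
        slot->mechanismList = NULL;
    }
    slot->mechanismCount = 0;

    if (!slot->isThreadSafe)
        PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, NULL, &count);
    if (crv != CKR_OK) {
        if (!slot->isThreadSafe)
            PK11_ExitSlotMonitor(slot);
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }

    /* Reject a module-reported count whose byte size would wrap around
     * and produce an undersized buffer. */
    if (count > ((size_t)-1) / sizeof(CK_MECHANISM_TYPE)) {
        if (!slot->isThreadSafe)
            PK11_ExitSlotMonitor(slot);
        PORT_SetError(SEC_ERROR_NO_MEMORY);
        return SECFailure;
    }

    allocated = count;
    slot->mechanismList = (CK_MECHANISM_TYPE *)
        PORT_Alloc(count * sizeof(CK_MECHANISM_TYPE));
    if (slot->mechanismList == NULL) {
        if (!slot->isThreadSafe)
            PK11_ExitSlotMonitor(slot);
        return SECFailure;
    }
    crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID,
                                                slot->mechanismList, &count);
    if (!slot->isThreadSafe)
        PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_Free(slot->mechanismList);
        slot->mechanismList = NULL;
        PORT_SetError(PK11_MapError(crv));
        return SECSuccess;
    }

    /* The second call rewrites count. Never walk more entries than were
     * allocated, even if the module reports a larger number. */
    if (count > allocated) {
        count = allocated;
    }
    slot->mechanismCount = count;
    PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits));

    for (i = 0; i < count; i++) {
        CK_MECHANISM_TYPE mech = slot->mechanismList[i];
        if (mech < 0x7ff) {
            /* entry chosen by the low byte, bit chosen by mech >> 8 */
            slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8);
        }
    }
    return SECSuccess;
}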
1199 | |
/*
 * Cache the PKCS #11 profile IDs advertised by the token.
 *
 * Searches the slot for token objects of class CKO_PROFILE and stores the
 * CKA_PROFILE_ID of each one in slot->profileList, counting them in
 * slot->profileCount. Objects whose ID reads back as
 * CK_UNAVAILABLE_INFORMATION are skipped. Any previous list is freed first.
 *
 * Returns SECSuccess when the list was built or no profile objects exist,
 * SECFailure when the search or the allocation failed.
 */
static SECStatus
pk11_ReadProfileList(PK11SlotInfo *slot)
{
    CK_BBOOL cktrue = CK_TRUE;
    CK_OBJECT_CLASS oclass = CKO_PROFILE;
    CK_ATTRIBUTE findTemp[2];
    CK_ATTRIBUTE *attrs = findTemp;
    CK_OBJECT_HANDLE *handles;
    size_t tsize;
    int objCount = 0;
    int idx;

    /* search template: token objects of class CKO_PROFILE */
    PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue));
    attrs++;
    PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass));
    attrs++;
    tsize = attrs - findTemp;
    PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));

    /* drop whatever was cached before */
    if (slot->profileList) {
        PORT_Free(slot->profileList);
        slot->profileList = NULL;
    }
    slot->profileCount = 0;

    handles = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount);
    if (handles == NULL) {
        if (objCount < 0) {
            return SECFailure; /* error code is set */
        }
        PORT_Assert(objCount == 0);
        return SECSuccess;
    }

    /* sized for every handle; profileCount may end up smaller */
    slot->profileList = (CK_PROFILE_ID *)
        PORT_Alloc(objCount * sizeof(CK_PROFILE_ID));
    if (slot->profileList == NULL) {
        PORT_Free(handles);
        return SECFailure; /* error code is set */
    }

    for (idx = 0; idx < objCount; idx++) {
        CK_ULONG id = PK11_ReadULongAttribute(slot, handles[idx], CKA_PROFILE_ID);

        if (id != CK_UNAVAILABLE_INFORMATION) {
            slot->profileList[slot->profileCount++] = id;
        }
    }

    PORT_Free(handles);
    return SECSuccess;
}
1256 | |
/*
 * Report whether profile `id` is among the first slot->profileCount
 * entries of slot->profileList.
 */
static PRBool
pk11_HasProfile(PK11SlotInfo *slot, CK_PROFILE_ID id)
{
    int idx = 0;

    while (idx < slot->profileCount) {
        if (slot->profileList[idx] == id) {
            return PR_TRUE;
        }
        idx++;
    }
    return PR_FALSE;
}
1269 | |
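/*
 * Initialize a new token.
 *
 * Unlike slot initialization, this can be called multiple times in the
 * lifetime of NSS. It reads the information associated with a card or
 * token that is not going to change unless the card or token changes:
 * token info and flags, label, PIN length limits, serial number, the
 * mechanism list and the profile list. It also makes sure the slot has a
 * usable session, exchanges entropy with the internal slot when the token
 * has an RNG, and re-checks the read-only state of internal slots.
 *
 * slot:      the slot whose token is being (re)read.
 * loadCerts: not referenced in this function body.
 *
 * Returns SECFailure when C_GetTokenInfo, PK11_ReadMechanismList, opening
 * a session or nssToken_Refresh fails; SECSuccess otherwise. Failures of
 * the profile read and of the entropy exchange are ignored.
 */
SECStatus
PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
{
    CK_RV crv;
    SECStatus rv;
    PRStatus status;
    NSSToken *nssToken;

    /* set the slot flags to the current token values */
    if (!slot->isThreadSafe)
        PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &slot->tokenInfo);
    if (!slot->isThreadSafe)
        PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }

    /* set the slot flags to the current token values */
    slot->series++; /* allow other objects to detect that the
                     * slot is different */
    slot->flags = slot->tokenInfo.flags;
    slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE);
    slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE);

    slot->hasRandom = ((slot->tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE);
    slot->protectedAuthPath =
        ((slot->tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
             ? PR_TRUE
             : PR_FALSE);
    slot->lastLoginCheck = 0;
    slot->lastState = 0;
    /* on some platforms Active Card incorrectly sets the
     * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
    if (slot->isActiveCard) {
        slot->protectedAuthPath = PR_FALSE;
    }
    /* The label is token-supplied data; PK11_MakeString writes up to
     * sizeof(label) + 1 bytes into slot->token_name. */
    (void)PK11_MakeString(NULL, slot->token_name,
                          (char *)slot->tokenInfo.label, sizeof(slot->tokenInfo.label));
    slot->minPassword = slot->tokenInfo.ulMinPinLen;
    slot->maxPassword = slot->tokenInfo.ulMaxPinLen;
    PORT_Memcpy(slot->serial, slot->tokenInfo.serialNumber, sizeof(slot->serial));

    nssToken = PK11Slot_GetNSSToken(slot);
    nssToken_UpdateName(nssToken); /* null token is OK */
    (void)nssToken_Destroy(nssToken);

    /* a writable token that allows a single session gets it opened R/W */
    slot->defRWSession = (PRBool)((!slot->readOnly) &&
                                  (slot->tokenInfo.ulMaxSessionCount == 1));
    rv = PK11_ReadMechanismList(slot);
    if (rv != SECSuccess)
        return rv;

    slot->hasRSAInfo = PR_FALSE;
    slot->RSAInfoFlags = 0;

    /* initialize the maxKeyCount value */
    if (slot->tokenInfo.ulMaxSessionCount == 0) {
        slot->maxKeyCount = 800; /* should be #define or a config param */
    } else if (slot->tokenInfo.ulMaxSessionCount < 20) {
        /* don't have enough sessions to keep that many keys around */
        slot->maxKeyCount = 0;
    } else {
        slot->maxKeyCount = slot->tokenInfo.ulMaxSessionCount / 2;
    }

    /* Make sure our session handle is valid */
    if (slot->session == CK_INVALID_HANDLE) {
        /* we know we don't have a valid session, go get one */
        CK_SESSION_HANDLE session;

        /* session should be Readonly, serial */
        if (!slot->isThreadSafe)
            PK11_EnterSlotMonitor(slot);
        crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
                                               (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
                                               slot, pk11_notify, &session);
        if (!slot->isThreadSafe)
            PK11_ExitSlotMonitor(slot);
        if (crv != CKR_OK) {
            PORT_SetError(PK11_MapError(crv));
            return SECFailure;
        }
        slot->session = session;
    } else {
        /* The session we have may be defunct (the token associated with it)
         * has been removed */
        CK_SESSION_INFO sessionInfo;

        if (!slot->isThreadSafe)
            PK11_EnterSlotMonitor(slot);
        crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo);
        if (crv == CKR_DEVICE_ERROR) {
            /* treat a device error like a closed session and reopen below */
            PK11_GETTAB(slot)
                ->C_CloseSession(slot->session);
            crv = CKR_SESSION_CLOSED;
        }
        if ((crv == CKR_SESSION_CLOSED) || (crv == CKR_SESSION_HANDLE_INVALID)) {
            crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
                                                   (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION,
                                                   slot, pk11_notify, &slot->session);
            if (crv != CKR_OK) {
                PORT_SetError(PK11_MapError(crv));
                slot->session = CK_INVALID_HANDLE;
                if (!slot->isThreadSafe)
                    PK11_ExitSlotMonitor(slot);
                return SECFailure;
            }
        }
        if (!slot->isThreadSafe)
            PK11_ExitSlotMonitor(slot);
    }

    nssToken = PK11Slot_GetNSSToken(slot);
    status = nssToken_Refresh(nssToken); /* null token is OK */
    (void)nssToken_Destroy(nssToken);
    if (status != PR_SUCCESS)
        return SECFailure;

    /* Not all tokens have profile objects or even recognize what profile
     * objects are; it's OK for pk11_ReadProfileList to fail */
    (void)pk11_ReadProfileList(slot);

    if (!(slot->isInternal) && (slot->hasRandom)) {
        /* if this slot has a random number generator, use it to add entropy
         * to the internal slot. */
        PK11SlotInfo *int_slot = PK11_GetInternalSlot();

        if (int_slot) {
            /* NOTE(review): this buffer carries seed material for both
             * generators and is left on the stack afterwards; consider
             * clearing it with a zeroization routine the compiler cannot
             * elide. */
            unsigned char random_bytes[32];

            /* if this slot can issue random numbers, get some entropy from
             * that random number generator and give it to our internal token.
             */
            PK11_EnterSlotMonitor(slot);
            crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, random_bytes, sizeof(random_bytes));
            PK11_ExitSlotMonitor(slot);
            if (crv == CKR_OK) {
                PK11_EnterSlotMonitor(int_slot);
                PK11_GETTAB(int_slot)
                    ->C_SeedRandom(int_slot->session,
                                   random_bytes, sizeof(random_bytes));
                PK11_ExitSlotMonitor(int_slot);
            }

            /* Now return the favor and send entropy to the token's random
             * number generator */
            PK11_EnterSlotMonitor(int_slot);
            crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session,
                                                          random_bytes, sizeof(random_bytes));
            PK11_ExitSlotMonitor(int_slot);
            if (crv == CKR_OK) {
                PK11_EnterSlotMonitor(slot);
                /* Seeding the token is best effort. The result was stored
                 * in crv and never read (dead store); it is now discarded
                 * explicitly. */
                (void)PK11_GETTAB(slot)->C_SeedRandom(slot->session,
                                                      random_bytes, sizeof(random_bytes));
                PK11_ExitSlotMonitor(slot);
            }
            PK11_FreeSlot(int_slot);
        }
    }
    /* work around a problem in softoken where it incorrectly
     * reports databases opened read only as read/write. */
    if (slot->isInternal && !slot->readOnly) {
        CK_SESSION_HANDLE session = CK_INVALID_HANDLE;

        /* try to open a R/W session */
        crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID,
                                               CKF_RW_SESSION | CKF_SERIAL_SESSION, slot, pk11_notify, &session);
        /* what a well behaved token should return if you open
         * a RW session on a read only token */
        if (crv == CKR_TOKEN_WRITE_PROTECTED) {
            slot->readOnly = PR_TRUE;
        } else if (crv == CKR_OK) {
            CK_SESSION_INFO sessionInfo;

            /* Because of a second bug in softoken, which silently returns
             * a RO session, we need to check what type of session we got. */
            crv = PK11_GETTAB(slot)->C_GetSessionInfo(session, &sessionInfo);
            if (crv == CKR_OK) {
                if ((sessionInfo.flags & CKF_RW_SESSION) == 0) {
                    /* session was readonly, so this softoken slot must be readonly */
                    slot->readOnly = PR_TRUE;
                }
            }
            PK11_GETTAB(slot)
                ->C_CloseSession(session);
        }
    }

    return SECSuccess;
}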
1468 | |
/*
 * Re-read the token info for a slot and refresh the flags derived from it.
 *
 * Calls C_GetTokenInfo into slot->tokenInfo and recomputes slot->flags,
 * needLogin, readOnly, hasRandom and protectedAuthPath. Nothing else on
 * the slot is touched here.
 *
 * Returns SECFailure (error code set from the CK_RV) if C_GetTokenInfo
 * fails, SECSuccess otherwise.
 */
SECStatus
PK11_TokenRefresh(PK11SlotInfo *slot)
{
    CK_RV crv;
    CK_FLAGS tokenFlags;

    if (!slot->isThreadSafe)
        PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &slot->tokenInfo);
    if (!slot->isThreadSafe)
        PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }

    /* mirror the token-reported flags onto the slot */
    tokenFlags = slot->tokenInfo.flags;
    slot->flags = tokenFlags;
    slot->needLogin = (tokenFlags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE;
    slot->readOnly = (tokenFlags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE;
    slot->hasRandom = (tokenFlags & CKF_RNG) ? PR_TRUE : PR_FALSE;

    if (slot->isActiveCard) {
        /* on some platforms Active Card incorrectly sets the
         * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
        slot->protectedAuthPath = PR_FALSE;
    } else {
        slot->protectedAuthPath =
            (tokenFlags & CKF_PROTECTED_AUTHENTICATION_PATH) ? PR_TRUE : PR_FALSE;
    }
    return SECSuccess;
}
1506 | |
/*
 * Report whether the slot exposes an object of class
 * CKO_NSS_BUILTIN_ROOT_LIST.
 *
 * The answer rests only on what the module returns for the template
 * search: PR_TRUE when a handle is found, PR_FALSE otherwise.
 */
static PRBool
pk11_isRootSlot(PK11SlotInfo *slot)
{
    CK_OBJECT_CLASS oclass = CKO_NSS_BUILTIN_ROOT_LIST;
    CK_ATTRIBUTE findTemp[1];
    CK_ATTRIBUTE *attrs = findTemp;
    size_t tsize;

    /* one-attribute template: match on the object class alone */
    PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass));
    attrs++;
    tsize = attrs - findTemp;
    PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE));

    return (pk11_FindObjectByTemplate(slot, findTemp, tsize) != CK_INVALID_HANDLE)
               ? PR_TRUE
               : PR_FALSE;
}
1528 | |
/*
 * Initialize the slot.
 *
 * Called on each slot a module supports when the module is loaded. This
 * does the one-time bring-up usually associated with the reader, while
 * PK11_InitToken may be called many times as tokens are removed and
 * re-inserted.
 *
 * The slot copies its function list, internal/thread-safe settings and
 * module pointer from mod, then reads the slot info. A slot is marked
 * disabled when the slot info cannot be read, when a non-removable slot
 * has no token present, or when token initialization fails on a
 * non-removable slot. Slots of non-internal modules get needTest set.
 * When the token initializes and pk11_isRootSlot() reports a root list,
 * hasRootCerts is set and, if it was not set before, the module's
 * trustOrder becomes 100.
 */
void
PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
{
    CK_SLOT_INFO slotInfo;
    PRBool tokenPresent;

    slot->functionList = mod->functionList;
    slot->isInternal = mod->internal;
    slot->slotID = slotID;
    slot->isThreadSafe = mod->isThreadSafe;
    slot->hasRSAInfo = PR_FALSE;
    /* NOTE: we don't make a reference here because modules have references
     * to their slots. This works because modules keep implicit references
     * from their slots, and won't unload and disappear until all their
     * slots have been freed */
    slot->module = mod;

    if (PK11_GetSlotInfo(slot, &slotInfo) != SECSuccess) {
        slot->disabled = PR_TRUE;
        slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
        return;
    }
    tokenPresent = ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) ? PR_TRUE : PR_FALSE;

    /* test to make sure claimed mechanism work */
    slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
    /* slotDescription is module-supplied, blank padded data */
    (void)PK11_MakeString(NULL, slot->slot_name,
                          (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
    slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
#define ACTIVE_CARD "ActivCard SA"
    /* prefix match against the module-reported manufacturer ID */
    slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID,
                                               ACTIVE_CARD, sizeof(ACTIVE_CARD) - 1) == 0);

    if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) {
        slot->isPerm = PR_TRUE;
        /* permanent slots must have the token present always */
        if (!tokenPresent) {
            slot->disabled = PR_TRUE;
            slot->reason = PK11_DIS_TOKEN_NOT_PRESENT;
            return; /* nothing else to do */
        }
    }

    /* if the token is present, initialize it */
    if (tokenPresent) {
        SECStatus rv = PK11_InitToken(slot, PR_TRUE);

        if (rv != SECSuccess) {
            /* the only hard failures are on permanent devices, or function
             * verify failures... function verify failures are already
             * handled by tokenInit */
            if (slot->isPerm && !slot->disabled) {
                slot->disabled = PR_TRUE;
                slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
            }
        } else if (pk11_isRootSlot(slot)) {
            if (!slot->hasRootCerts) {
                slot->module->trustOrder = 100;
            }
            slot->hasRootCerts = PR_TRUE;
        }
    }

    if ((slotInfo.flags & CKF_USER_PIN_INITIALIZED) != 0) {
        slot->flags |= CKF_USER_PIN_INITIALIZED;
    }
}
1598 | |
1599 | /********************************************************************* |
1600 | * Slot mapping utility functions. |
1601 | *********************************************************************/ |
1602 | |
/*
 * Determine whether the token is present. If it is, make sure the slot
 * has a valid session handle, re-initializing the token state (and with
 * it needLogin) when the old session is gone.
 *
 * Order of checks: a disabled slot is never present; a permanent slot
 * with a session is always present; if the slot has an NSSToken, its
 * nssToken_IsPresent() answer is returned; otherwise the slot info flag
 * CKF_TOKEN_PRESENT and the state of slot->session decide.
 *
 * loadCerts is passed through to PK11_InitToken.
 *
 * NOTE(review): the session re-check near the end takes the slot monitor
 * when slot->isThreadSafe is set, the opposite of the
 * `!slot->isThreadSafe` guard used for the close-session path earlier in
 * this function. Confirm which condition is intended.
 */
static PRBool
pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts)
{
    CK_SLOT_INFO slotInfo;
    CK_SESSION_INFO sessionInfo;
    NSSToken *nssToken;

    /* disabled slots are never present */
    if (slot->disabled) {
        return PR_FALSE;
    }

    /* permanent slots are always present */
    if (slot->isPerm && (slot->session != CK_INVALID_HANDLE)) {
        return PR_TRUE;
    }

    nssToken = PK11Slot_GetNSSToken(slot);
    if (nssToken != NULL) {
        PRBool present = nssToken_IsPresent(nssToken);

        (void)nssToken_Destroy(nssToken);
        return present;
    }

    /* removable slots have a flag that says they are present */
    if (PK11_GetSlotInfo(slot, &slotInfo) != SECSuccess) {
        return PR_FALSE;
    }

    if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) {
        /* if the slot is no longer present, close the session */
        if (slot->session != CK_INVALID_HANDLE) {
            if (!slot->isThreadSafe) {
                PK11_EnterSlotMonitor(slot);
            }
            PK11_GETTAB(slot)
                ->C_CloseSession(slot->session);
            slot->session = CK_INVALID_HANDLE;
            if (!slot->isThreadSafe) {
                PK11_ExitSlotMonitor(slot);
            }
        }
        return PR_FALSE;
    }

    /* use the session Info to determine if the card has been removed and then
     * re-inserted */
    if (slot->session != CK_INVALID_HANDLE) {
        if (slot->isThreadSafe) {
            PK11_EnterSlotMonitor(slot);
        }
        if (PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo) != CKR_OK) {
            PK11_GETTAB(slot)
                ->C_CloseSession(slot->session);
            slot->session = CK_INVALID_HANDLE;
        }
        if (slot->isThreadSafe) {
            PK11_ExitSlotMonitor(slot);
        }
    }

    /* card has not been removed, current token info is correct */
    if (slot->session != CK_INVALID_HANDLE) {
        return PR_TRUE;
    }

    /* initialize the token info state */
    return (PK11_InitToken(slot, loadCerts) == SECSuccess) ? PR_TRUE : PR_FALSE;
}
1681 | |
/*
 * Old version of the presence check: same as pk11_IsPresentCertLoad()
 * with loadCerts fixed to PR_TRUE.
 */
PRBool
PK11_IsPresent(PK11SlotInfo *slot)
{
    const PRBool loadCerts = PR_TRUE;

    return pk11_IsPresentCertLoad(slot, loadCerts);
}
1690 | |
/* Return the slot's disabled flag. */
PRBool
PK11_IsDisabled(PK11SlotInfo *slot)
{
    const PRBool isDisabled = slot->disabled;

    return isDisabled;
}
1697 | |
/* Return the reason code recorded on the slot for its disabled state. */
PK11DisableReasons
PK11_GetDisabledReason(PK11SlotInfo *slot)
{
    const PK11DisableReasons why = slot->reason;

    return why;
}
1704 | |
/*
 * Disable a slot at the user's request.
 *
 * Sets PK11_DISABLE_FLAG in defaultFlags, marks the slot disabled and
 * records PK11_DIS_USER_SELECTED as the reason.
 * Returns PR_TRUE on success. An internal slot is refused: the error is
 * set to SEC_ERROR_INVALID_ARGS and PR_FALSE is returned.
 */
PRBool
PK11_UserDisableSlot(PK11SlotInfo *slot)
{
    /* Prevent users from disabling the internal module. */
    if (slot->isInternal) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return PR_FALSE;
    }

    slot->reason = PK11_DIS_USER_SELECTED;
    slot->disabled = PR_TRUE;
    slot->defaultFlags |= PK11_DISABLE_FLAG;

    return PR_TRUE;
}
1723 | |
/*
 * Undo PK11_UserDisableSlot(): clear the disable flag, the disabled
 * state and the recorded reason. Always returns PR_TRUE; unlike the
 * disable path there is no check on the kind of slot.
 */
PRBool
PK11_UserEnableSlot(PK11SlotInfo *slot)
{
    slot->reason = PK11_DIS_NONE;
    slot->disabled = PR_FALSE;
    slot->defaultFlags &= ~PK11_DISABLE_FLAG;

    return PR_TRUE;
}
1733 | |
/* Return the slot's cached hasRootCerts flag. */
PRBool
PK11_HasRootCerts(PK11SlotInfo *slot)
{
    PRBool hasRoots = slot->hasRootCerts;

    return hasRoots;
}
1739 | |
/*
 * Return the module this slot is attached to. The pointer is handed
 * back as stored; this function takes no additional reference on it.
 */
SECMODModule *
PK11_GetModule(PK11SlotInfo *slot)
{
    SECMODModule *owner = slot->module;

    return owner;
}
1746 | |
/* Return the slot's default-flags word (includes PK11_DISABLE_FLAG). */
unsigned long
PK11_GetDefaultFlags(PK11SlotInfo *slot)
{
    unsigned long flags = slot->defaultFlags;

    return flags;
}
1753 | |
/*
 * The following wrapper functions allow us to export an opaque slot
 * function to the rest of libsec and the world...
 */

/* Return the slot's readOnly flag. */
PRBool
PK11_IsReadOnly(PK11SlotInfo *slot)
{
    PRBool readOnly = slot->readOnly;

    return readOnly;
}
1762 | |
/* Return the slot's isHW flag. */
PRBool
PK11_IsHW(PK11SlotInfo *slot)
{
    PRBool isHardware = slot->isHW;

    return isHardware;
}
1768 | |
/* A slot counts as removable exactly when it is not marked permanent. */
PRBool
PK11_IsRemovable(PK11SlotInfo *slot)
{
    if (slot->isPerm) {
        return PR_FALSE;
    }
    return PR_TRUE;
}
1774 | |
/* Return the slot's isInternal flag. */
PRBool
PK11_IsInternal(PK11SlotInfo *slot)
{
    PRBool internal = slot->isInternal;

    return internal;
}
1780 | |
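/*
 * Report whether slot is the current internal key slot.
 *
 * A slot that is not internal is rejected without a lookup. Otherwise
 * the slot is compared by pointer with the one returned by
 * PK11_GetInternalKeySlot(); the reference obtained for the comparison
 * is released before returning.
 */
PRBool
PK11_IsInternalKeySlot(PK11SlotInfo *slot)
{
    PK11SlotInfo *int_slot;
    PRBool result;

    if (!slot->isInternal) {
        return PR_FALSE;
    }

    int_slot = PK11_GetInternalKeySlot();
    if (int_slot == NULL) {
        /* PK11_GetInternalKeySlot() returns NULL when there is no
         * internal module. Nothing can match then, and there is no
         * reference to release; other callers in this file likewise
         * check for NULL before calling PK11_FreeSlot(). */
        return PR_FALSE;
    }

    result = (int_slot == slot) ? PR_TRUE : PR_FALSE;
    PK11_FreeSlot(int_slot);
    return result;
}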
1796 | |
/*
 * Return the slot's cached needLogin flag. This is the stored value
 * only; no call is made to the token here.
 */
PRBool
PK11_NeedLogin(PK11SlotInfo *slot)
{
    PRBool loginRequired = slot->needLogin;

    return loginRequired;
}
1802 | |
/*
 * Decide whether a slot is "friendly". Used by PK11_GetAllTokens() to
 * order slots that still require a login.
 *
 * True when any of these holds, checked in this order:
 *   - the slot is internal (internal slot always has public readable
 *     certs);
 *   - the token advertises the CKP_PUBLIC_CERTIFICATES_TOKEN profile;
 *   - SECMOD_FRIENDLY_FLAG is set in the slot's default flags.
 */
PRBool
PK11_IsFriendly(PK11SlotInfo *slot)
{
    if (slot->isInternal) {
        return PR_TRUE;
    }
    if (pk11_HasProfile(slot, CKP_PUBLIC_CERTIFICATES_TOKEN)) {
        return PR_TRUE;
    }
    return (PRBool)((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) ==
                    SECMOD_FRIENDLY_FLAG);
}
1812 | |
/*
 * Return the slot's token name. The pointer refers to storage inside
 * the slot structure itself, so the caller must not free it.
 */
char *
PK11_GetTokenName(PK11SlotInfo *slot)
{
    char *name = slot->token_name;

    return name;
}
1818 | |
/*
 * Build a PKCS #11 URI string identifying the token in this slot.
 *
 * The path attributes "token", "manufacturer", "serial" and "model"
 * are taken from the cached token info; an attribute whose value
 * converts to an empty string is left out.
 *
 * Returns the formatted URI, or NULL with SEC_ERROR_LIBRARY_FAILURE
 * set when the URI cannot be created or formatted.
 * NOTE(review): the string comes from PK11URI_FormatURI(NULL, ...);
 * presumably the caller owns it and releases it with PORT_Free() -
 * confirm against pkcs11uri.h.
 */
char *
PK11_GetTokenURI(PK11SlotInfo *slot)
{
    /* each buffer holds the fixed-width token field plus one extra byte */
    char label[32 + 1];
    char manufacturer[32 + 1];
    char serial[16 + 1];
    char model[16 + 1];
    PK11URIAttribute attrs[4]; /* at most one entry per field above */
    PK11URIAttribute *attr;
    size_t nattrs = 0;
    PK11URI *uri;
    char *formatted;

    PK11_MakeString(NULL, label, (char *)slot->tokenInfo.label,
                    sizeof(slot->tokenInfo.label));
    if (label[0] != '\0') {
        attr = &attrs[nattrs++];
        attr->name = PK11URI_PATTR_TOKEN;
        attr->value = label;
    }

    PK11_MakeString(NULL, manufacturer,
                    (char *)slot->tokenInfo.manufacturerID,
                    sizeof(slot->tokenInfo.manufacturerID));
    if (manufacturer[0] != '\0') {
        attr = &attrs[nattrs++];
        attr->name = PK11URI_PATTR_MANUFACTURER;
        attr->value = manufacturer;
    }

    PK11_MakeString(NULL, serial, (char *)slot->tokenInfo.serialNumber,
                    sizeof(slot->tokenInfo.serialNumber));
    if (serial[0] != '\0') {
        attr = &attrs[nattrs++];
        attr->name = PK11URI_PATTR_SERIAL;
        attr->value = serial;
    }

    PK11_MakeString(NULL, model, (char *)slot->tokenInfo.model,
                    sizeof(slot->tokenInfo.model));
    if (model[0] != '\0') {
        attr = &attrs[nattrs++];
        attr->name = PK11URI_PATTR_MODEL;
        attr->value = model;
    }

    uri = PK11URI_CreateURI(attrs, nattrs, NULL, 0);
    if (uri == NULL) {
        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
        return NULL;
    }

    formatted = PK11URI_FormatURI(NULL, uri);
    PK11URI_DestroyURI(uri);
    if (formatted == NULL) {
        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
    }

    return formatted;
}
1875 | |
/*
 * Return the slot's name. The pointer refers to storage inside the
 * slot structure itself, so the caller must not free it.
 */
char *
PK11_GetSlotName(PK11SlotInfo *slot)
{
    char *name = slot->slot_name;

    return name;
}
1881 | |
/* Return the slot's 'series' field. */
int
PK11_GetSlotSeries(PK11SlotInfo *slot)
{
    int series = slot->series;

    return series;
}
1887 | |
/* Return the slot's 'wrapKey' field, the current wrap index. */
int
PK11_GetCurrentWrapIndex(PK11SlotInfo *slot)
{
    int wrapIndex = slot->wrapKey;

    return wrapIndex;
}
1893 | |
/* Return the PKCS #11 slot ID this slot uses when calling its module. */
CK_SLOT_ID
PK11_GetSlotID(PK11SlotInfo *slot)
{
    CK_SLOT_ID id = slot->slotID;

    return id;
}
1899 | |
/*
 * Return the ID of the module that owns this slot. slot->module is
 * dereferenced without a NULL check.
 */
SECMODModuleID
PK11_GetModuleID(PK11SlotInfo *slot)
{
    SECMODModule *owner = slot->module;

    return owner->moduleID;
}
1905 | |
/*
 * Convert a buffer that may hold a NUL-terminated string into a
 * blank-padded one: the first NUL byte and everything after it, up to
 * buffer_size, is overwritten with spaces. A buffer with no NUL byte
 * is left unchanged. Nothing outside [buffer, buffer + buffer_size)
 * is read or written.
 */
static void
pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size)
{
    size_t pos = 0;

    /* skip the part in front of the terminator, if there is one */
    while (pos < buffer_size && buffer[pos] != '\0') {
        pos++;
    }

    /* blank out the terminator and whatever follows it */
    for (; pos < buffer_size; pos++) {
        buffer[pos] = ' ';
    }
}
1922 | |
/*
 * Fetch the CK_SLOT_INFO for a slot straight from its module.
 *
 * The module's output is not trusted to be well formed: both text
 * fields are filled with blanks before the call, because some buggy
 * drivers do not fill the buffer completely, and are normalised again
 * afterwards so that a NUL-terminated answer becomes blank padded.
 * The normalisation runs whether or not the call succeeded.
 *
 * The slot monitor is held around the call when the slot is not
 * marked thread safe.
 *
 * Returns SECSuccess, or SECFailure with the mapped PKCS #11 error set.
 */
SECStatus
PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info)
{
    CK_RV crv;

    if (!slot->isThreadSafe) {
        PK11_EnterSlotMonitor(slot);
    }

    PORT_Memset(info->slotDescription, ' ', sizeof(info->slotDescription));
    PORT_Memset(info->manufacturerID, ' ', sizeof(info->manufacturerID));

    crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID, info);

    pk11_zeroTerminatedToBlankPadded(info->slotDescription,
                                     sizeof(info->slotDescription));
    pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
                                     sizeof(info->manufacturerID));

    if (!slot->isThreadSafe) {
        PK11_ExitSlotMonitor(slot);
    }

    if (crv == CKR_OK) {
        return SECSuccess;
    }
    PORT_SetError(PK11_MapError(crv));
    return SECFailure;
}
1950 | |
/*
 * Fetch the CK_TOKEN_INFO for the token in a slot straight from its
 * module.
 *
 * As in PK11_GetSlotInfo(), the four text fields (label,
 * manufacturerID, model, serialNumber) are blank filled before the
 * call, because some buggy drivers do not fill the buffer completely,
 * and converted from NUL-terminated to blank-padded form afterwards,
 * whether or not the call succeeded.
 *
 * The slot monitor is held around the call when the slot is not
 * marked thread safe.
 *
 * Returns SECSuccess, or SECFailure with the mapped PKCS #11 error set.
 */
SECStatus
PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info)
{
    CK_RV crv;

    if (!slot->isThreadSafe) {
        PK11_EnterSlotMonitor(slot);
    }

    PORT_Memset(info->label, ' ', sizeof(info->label));
    PORT_Memset(info->manufacturerID, ' ', sizeof(info->manufacturerID));
    PORT_Memset(info->model, ' ', sizeof(info->model));
    PORT_Memset(info->serialNumber, ' ', sizeof(info->serialNumber));

    crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, info);

    pk11_zeroTerminatedToBlankPadded(info->label, sizeof(info->label));
    pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
                                     sizeof(info->manufacturerID));
    pk11_zeroTerminatedToBlankPadded(info->model, sizeof(info->model));
    pk11_zeroTerminatedToBlankPadded(info->serialNumber,
                                     sizeof(info->serialNumber));

    if (!slot->isThreadSafe) {
        PK11_ExitSlotMonitor(slot);
    }

    if (crv == CKR_OK) {
        return SECSuccess;
    }
    PORT_SetError(PK11_MapError(crv));
    return SECFailure;
}
1981 | |
/*
 * Check the slot's cached token info against the path attributes of a
 * PKCS #11 URI.
 *
 * The "token", "manufacturer", "serial" and "model" attributes are
 * each compared with the matching token-info field, bounded by that
 * field's size. An attribute the URI does not carry places no
 * constraint, so a URI with none of the four matches every token.
 *
 * Returns PR_TRUE when every attribute present matches, else PR_FALSE.
 */
PRBool
pk11_MatchUriTokenInfo(PK11SlotInfo *slot, PK11URI *uri)
{
    const char *wanted;

    wanted = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_TOKEN);
    if (wanted &&
        !pk11_MatchString(wanted, (char *)slot->tokenInfo.label,
                          sizeof(slot->tokenInfo.label))) {
        return PR_FALSE;
    }

    wanted = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MANUFACTURER);
    if (wanted &&
        !pk11_MatchString(wanted, (char *)slot->tokenInfo.manufacturerID,
                          sizeof(slot->tokenInfo.manufacturerID))) {
        return PR_FALSE;
    }

    wanted = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_SERIAL);
    if (wanted &&
        !pk11_MatchString(wanted, (char *)slot->tokenInfo.serialNumber,
                          sizeof(slot->tokenInfo.serialNumber))) {
        return PR_FALSE;
    }

    wanted = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MODEL);
    if (wanted &&
        !pk11_MatchString(wanted, (char *)slot->tokenInfo.model,
                          sizeof(slot->tokenInfo.model))) {
        return PR_FALSE;
    }

    return PR_TRUE;
}
2021 | |
/*
 * Find out if we need to initialize the user's pin.
 *
 * When the cached flags already show CKF_USER_PIN_INITIALIZED the
 * answer is PR_FALSE with no call to the token. Otherwise the token
 * info is re-read, in case the token has been initialized off line,
 * and on success the cached flags are replaced before the bit is
 * tested again. If the re-read fails the stale cached flags decide.
 */
PRBool
PK11_NeedUserInit(PK11SlotInfo *slot)
{
    CK_TOKEN_INFO info;

    if ((slot->flags & CKF_USER_PIN_INITIALIZED) != 0) {
        return PR_FALSE;
    }

    /* see if token has been initialized off line */
    if (PK11_GetTokenInfo(slot, &info) == SECSuccess) {
        slot->flags = info.flags;
    }

    return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0);
}
2040 | |
/*
 * Override for the internal key slot; NULL means "no override".
 * The functions below that read or write it take no lock around it.
 */
static PK11SlotInfo *pk11InternalKeySlot = NULL;
2042 | |
/*
 * Set a new default internal keyslot. If one has already been set, its
 * reference is released first. Passing NULL falls back to the NSS
 * normally selected default internal key slot. A non-NULL slot is
 * stored with a new reference of its own.
 */
void
pk11_SetInternalKeySlot(PK11SlotInfo *slot)
{
    PK11SlotInfo *replacement = NULL;

    if (pk11InternalKeySlot != NULL) {
        PK11_FreeSlot(pk11InternalKeySlot);
    }
    if (slot != NULL) {
        replacement = PK11_ReferenceSlot(slot);
    }
    pk11InternalKeySlot = replacement;
}
2056 | |
/*
 * Set a new default internal keyslot if the normal key slot has not
 * already been overridden. Subsequent calls to this function will be
 * ignored unless pk11_SetInternalKeySlot is used to clear the current
 * default. A non-NULL slot is stored with a new reference of its own.
 */
void
pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot)
{
    if (pk11InternalKeySlot == NULL) {
        pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL;
    }
}
2070 | |
/*
 * Swap out the default internal keyslot: install slot (with a new
 * reference, or NULL) and return the previous override. The previous
 * override's reference is not released here; the caller owns it and
 * must free it. The return value is NULL when no override was set.
 */
PK11SlotInfo *
pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
{
    PK11SlotInfo *previous = pk11InternalKeySlot;
    PK11SlotInfo *replacement = NULL;

    if (slot != NULL) {
        replacement = PK11_ReferenceSlot(slot);
    }
    pk11InternalKeySlot = replacement;

    return previous;
}
2082 | |
/*
 * Get the internal key slot. FIPS has only one slot for both key slots
 * and default slots.
 *
 * An override installed through pk11_SetInternalKeySlot() and friends
 * wins. Otherwise the internal module supplies slots[0] in FIPS mode
 * and slots[1] in non-FIPS mode.
 *
 * Returns a new reference the caller must release with PK11_FreeSlot(),
 * or NULL with SEC_ERROR_NO_MODULE set when there is no internal module.
 * NOTE(review): slots[1] is indexed without looking at the module's
 * slotCount; presumably the non-FIPS internal module always has at
 * least two slots - confirm.
 */
PK11SlotInfo *
PK11_GetInternalKeySlot(void)
{
    SECMODModule *mod;
    PK11SlotInfo *chosen;

    if (pk11InternalKeySlot) {
        return PK11_ReferenceSlot(pk11InternalKeySlot);
    }

    mod = SECMOD_GetInternalModule();
    PORT_Assert(mod != NULL);
    if (!mod) {
        PORT_SetError(SEC_ERROR_NO_MODULE);
        return NULL;
    }

    if (mod->isFIPS) {
        chosen = mod->slots[0];
    } else {
        chosen = mod->slots[1];
    }
    return PK11_ReferenceSlot(chosen);
}
2102 | |
/*
 * Get the internal default slot.
 *
 * In FIPS mode this is the same slot PK11_GetInternalKeySlot() hands
 * out; otherwise it is slots[0] of the internal module.
 *
 * Returns a new reference the caller must release with PK11_FreeSlot(),
 * or NULL with SEC_ERROR_NO_MODULE set when there is no internal module.
 */
PK11SlotInfo *
PK11_GetInternalSlot(void)
{
    SECMODModule *mod = SECMOD_GetInternalModule();

    PORT_Assert(mod != NULL);
    if (!mod) {
        PORT_SetError(SEC_ERROR_NO_MODULE);
        return NULL;
    }

    return mod->isFIPS ? PK11_GetInternalKeySlot()
                       : PK11_ReferenceSlot(mod->slots[0]);
}
2118 | |
/*
 * Check if a given slot supports the requested mechanism.
 *
 * Three lookups, in this order:
 *   - CKM_FAKE_RANDOM is answered from slot->hasRandom;
 *   - a type below 0x7ff is answered from the mechanismBits table: the
 *     low byte of the type picks the entry and (type >> 8) picks the
 *     bit inside it, so the index stays below 256 and the shift
 *     below 8;
 *   - anything else is searched for linearly in mechanismList.
 *
 * Only the slot's cached data is read; no call is made to the token.
 */
PRBool
PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
{
    int idx;

    /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
     * tell us we're looking for someone that has implemented get
     * random bits */
    if (type == CKM_FAKE_RANDOM) {
        return slot->hasRandom;
    }

    /* for most mechanisms, bypass the linear lookup */
    if (type < 0x7ff) {
        if (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) {
            return PR_TRUE;
        }
        return PR_FALSE;
    }

    for (idx = 0; idx < (int)slot->mechanismCount; idx++) {
        if (slot->mechanismList[idx] == type) {
            return PR_TRUE;
        }
    }
    return PR_FALSE;
}
2145 | |
/* forward declaration; the definition follows later in this file */
PRBool pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism,
                       CK_FLAGS mechanismInfoFlags, unsigned int keySize);

/*
 * Check that the given mechanism has the appropriate flags. This
 * function presumes that slot can already do the given mechanism.
 *
 * pk11_filterSlot() answers "does not conform", so its result is
 * inverted here. No key size constraint is applied (keySize 0). If the
 * mechanism info cannot be fetched the answer is PR_FALSE.
 */
PRBool
PK11_DoesMechanismFlag(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
                       CK_FLAGS flags)
{
    const PRBool rejected = pk11_filterSlot(slot, type, flags, 0);

    return !rejected;
}
2158 | |
/*
 * Return true if a token that can do the desired mechanism exists.
 * This allows us to have hardware tokens that can do function XYZ
 * magically allow SSL Ciphers to appear if they are plugged in.
 *
 * The internal slot is asked first, without the module list lock,
 * because it is fast and supports almost everything. Only when it
 * cannot do the mechanism is the default module list walked, under the
 * read lock, looking for a present slot that can.
 *
 * Returns PR_FALSE with SEC_ERROR_NOT_INITIALIZED set when the module
 * list lock does not exist.
 */
PRBool
PK11_TokenExists(CK_MECHANISM_TYPE type)
{
    SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
    SECMODModuleList *entry;
    PK11SlotInfo *slot;
    PRBool found = PR_FALSE;
    int idx;

    if (!moduleLock) {
        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
        return found;
    }

    slot = PK11_GetInternalSlot();
    if (slot) {
        found = PK11_DoesMechanism(slot, type);
        PK11_FreeSlot(slot);
    }
    if (found) {
        return PR_TRUE; /* bypass getting module locks */
    }

    SECMOD_GetReadLock(moduleLock);
    for (entry = SECMOD_GetDefaultModuleList(); entry != NULL && !found;
         entry = entry->next) {
        for (idx = 0; idx < entry->module->slotCount; idx++) {
            slot = entry->module->slots[idx];
            if (PK11_IsPresent(slot) && PK11_DoesMechanism(slot, type)) {
                found = PR_TRUE;
                break;
            }
        }
    }
    SECMOD_ReleaseReadLock(moduleLock);

    return found;
}
2205 | |
/*
 * Get all the currently available tokens that can perform the given
 * mechanism in a list. If the mechanism is CKM_INVALID_MECHANISM, get
 * all the tokens.
 *
 * Ordering of the result: slots that need no further login come first,
 * then "friendly" slots that still require a login, and last the
 * remaining slots that still require a login.
 *
 * needRW    - skip read-only slots
 * loadCerts - passed on to pk11_IsPresentCertLoad()
 * wincx     - passed on to pk11_LoginStillRequired()
 *
 * Returns a new list the caller must free with PK11_FreeSlotList().
 * Returns NULL when the module list lock does not exist
 * (SEC_ERROR_NOT_INITIALIZED is set) or when one of the working lists
 * cannot be allocated.
 */
PK11SlotList *
PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts,
                  void *wincx)
{
    PK11SlotList *list;
    PK11SlotList *loginList;
    PK11SlotList *friendlyList;
    SECMODModuleList *entry;
    SECMODListLock *moduleLock;
    int idx;

    moduleLock = SECMOD_GetDefaultModuleListLock();
    if (!moduleLock) {
        PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
        return NULL;
    }

    list = PK11_NewSlotList();
    loginList = PK11_NewSlotList();
    friendlyList = PK11_NewSlotList();
    if (list == NULL || loginList == NULL || friendlyList == NULL) {
        /* release whichever of the three were allocated */
        if (list) {
            PK11_FreeSlotList(list);
        }
        if (loginList) {
            PK11_FreeSlotList(loginList);
        }
        if (friendlyList) {
            PK11_FreeSlotList(friendlyList);
        }
        return NULL;
    }

    SECMOD_GetReadLock(moduleLock);

    for (entry = SECMOD_GetDefaultModuleList(); entry != NULL;
         entry = entry->next) {
        for (idx = 0; idx < entry->module->slotCount; idx++) {
            PK11SlotInfo *slot = entry->module->slots[idx];
            PK11SlotList *target;

            if (!pk11_IsPresentCertLoad(slot, loadCerts)) {
                continue;
            }
            if (needRW && slot->readOnly) {
                continue;
            }
            if ((type != CKM_INVALID_MECHANISM) &&
                !PK11_DoesMechanism(slot, type)) {
                continue;
            }

            /* pick the bucket that decides the slot's final position */
            if (!pk11_LoginStillRequired(slot, wincx)) {
                target = list;
            } else if (PK11_IsFriendly(slot)) {
                target = friendlyList;
            } else {
                target = loginList;
            }
            PK11_AddSlotToList(target, slot, PR_TRUE);
        }
    }
    SECMOD_ReleaseReadLock(moduleLock);

    /* append friendly slots, then the ones that need a real login */
    pk11_MoveListToList(list, friendlyList);
    PK11_FreeSlotList(friendlyList);
    pk11_MoveListToList(list, loginList);
    PK11_FreeSlotList(loginList);

    return list;
}
2276 | |
/*
 * Return the tokens that can do the mechanism and that the caller has
 * successfully authenticated to.
 *
 * Every slot from PK11_GetAllTokens() is passed to PK11_Authenticate();
 * a slot for which that fails is dropped from the list. The result may
 * therefore be an empty list. NULL is returned only when
 * PK11_GetAllTokens() returned NULL.
 *
 * NOTE: This routine is working from a private List generated by
 * PK11_GetAllTokens. That is why it does not need to lock.
 */
PK11SlotList *
PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type, PRBool needRW, void *wincx)
{
    PK11SlotList *list = PK11_GetAllTokens(type, needRW, PR_TRUE, wincx);
    PK11SlotListElement *cur;
    PK11SlotListElement *following;

    if (list == NULL) {
        return list;
    }

    cur = list->head;
    while (cur) {
        /* read the link first: cur may be deleted from the list below */
        following = cur->next;
        if (PK11_Authenticate(cur->slot, PR_TRUE, wincx) != SECSuccess) {
            PK11_DeleteSlotFromList(list, cur);
        }
        cur = following;
    }
    return list;
}
2302 | |
/*
 * Returns true if the slot doesn't conform to the requested attributes,
 * i.e. PR_TRUE means "filter this slot out".
 *
 * The mechanism info is fetched from the token on every call, with one
 * exception: a CKM_RSA_PKCS query with keySize 0 is answered from the
 * flags cached in the slot once they have been fetched. A successful
 * CKM_RSA_PKCS fetch fills that cache.
 *
 * The slot is rejected when
 *   - the mechanism info cannot be fetched;
 *   - keySize is non-zero and lies outside the token's
 *     [ulMinKeySize, ulMaxKeySize] range;
 *   - mechanismInfoFlags is non-zero and the token lacks any of the
 *     requested flag bits.
 */
PRBool
pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism,
                CK_FLAGS mechanismInfoFlags, unsigned int keySize)
{
    CK_MECHANISM_INFO mechanism_info;
    CK_RV crv;

    /* handle the only case where we don't actually fetch the mechanisms
     * on the fly. Only .flags is filled in here; the key size fields
     * stay unset, which is safe because keySize is 0 on this path and
     * the range test below is then skipped. */
    if ((keySize == 0) && (mechanism == CKM_RSA_PKCS) && (slot->hasRSAInfo)) {
        mechanism_info.flags = slot->RSAInfoFlags;
    } else {
        if (!slot->isThreadSafe) {
            PK11_EnterSlotMonitor(slot);
        }
        crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism,
                                                    &mechanism_info);
        if (!slot->isThreadSafe) {
            PK11_ExitSlotMonitor(slot);
        }

        /* couldn't get the mechanism info */
        if (crv != CKR_OK) {
            return PR_TRUE;
        }

        /* if we were getting the RSA flags, save them */
        if ((mechanism == CKM_RSA_PKCS) && (!slot->hasRSAInfo)) {
            slot->RSAInfoFlags = mechanism_info.flags;
            slot->hasRSAInfo = PR_TRUE;
        }
    }

    if (keySize != 0) {
        if ((mechanism_info.ulMinKeySize > keySize) ||
            (mechanism_info.ulMaxKeySize < keySize)) {
            /* Token can do mechanism, but not at the key size we
             * want */
            return PR_TRUE;
        }
    }

    if (mechanismInfoFlags != 0) {
        if ((mechanism_info.flags & mechanismInfoFlags) != mechanismInfoFlags) {
            return PR_TRUE;
        }
    }

    return PR_FALSE;
}
2345 | |
/*
 * Find the best slot which supports the given set of mechanisms and key
 * sizes. In normal cases this should grab the first slot on the list
 * with no fuss. The size array is presumed to match one for one with
 * the mechanism type array, which allows you to specify the required
 * key size for each mechanism in the list. Whether key size is in bits
 * or bytes is mechanism dependent. Typically asymmetric keys are in
 * bits and symmetric keys are in bytes.
 *
 * type               - mech_count mechanisms that must all be supported
 * mechanismInfoFlags - optional (may be NULL) required flags per entry
 * keySize            - optional (may be NULL) required size per entry
 * wincx              - passed on to PK11_Authenticate()
 *
 * Candidates come from the slot list of type[0], or from
 * PK11_GetAllTokens() when that list is missing or empty. A candidate
 * is skipped when it is not present, lacks one of the mechanisms, or
 * fails the flag or key size filter. Unless every requested mechanism
 * is CKM_FAKE_RANDOM or one of the digests listed below, a candidate
 * that needs a login must also authenticate successfully.
 *
 * Returns a new reference the caller must release with PK11_FreeSlot(),
 * or NULL. On NULL, SEC_ERROR_NO_TOKEN is set unless an error was
 * already recorded during the search.
 * NOTE(review): type[0] is read unconditionally, so this assumes
 * mech_count >= 1 - confirm with callers.
 */
PK11SlotInfo *
PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type,
                                       CK_FLAGS *mechanismInfoFlags,
                                       unsigned int *keySize,
                                       unsigned int mech_count, void *wincx)
{
    PK11SlotList *list;
    PK11SlotListElement *le;
    PK11SlotInfo *slot;
    PRBool freeit = PR_FALSE; /* PR_TRUE when 'list' is ours to free */
    PRBool listNeedLogin = PR_FALSE;
    unsigned int i;

    list = PK11_GetSlotList(type[0]);
    if ((list == NULL) || (list->head == NULL)) {
        /* We need to look up all the tokens for the mechanism */
        list = PK11_GetAllTokens(type[0], PR_FALSE, PR_TRUE, wincx);
        freeit = PR_TRUE;
    }

    /* no one can do it! */
    if (list == NULL) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
        return NULL;
    }

    /* start clean so an error recorded during the search survives */
    PORT_SetError(0);

    /* these mechanisms never require a login by themselves; any other
     * mechanism in the request does */
    for (i = 0; i < mech_count && !listNeedLogin; i++) {
        switch (type[i]) {
            case CKM_FAKE_RANDOM:
            case CKM_SHA_1:
            case CKM_SHA224:
            case CKM_SHA256:
            case CKM_SHA384:
            case CKM_SHA512:
            case CKM_MD5:
            case CKM_MD2:
                break;
            default:
                listNeedLogin = PR_TRUE;
                break;
        }
    }

    for (le = PK11_GetFirstSafe(list); le;
         le = PK11_GetNextSafe(list, le, PR_TRUE)) {
        PRBool unsuitable = PR_FALSE;

        if (!PK11_IsPresent(le->slot)) {
            continue;
        }

        for (i = 0; i < mech_count; i++) {
            CK_FLAGS wantFlags = mechanismInfoFlags ? mechanismInfoFlags[i] : 0;
            unsigned int wantSize = keySize ? keySize[i] : 0;

            if (!PK11_DoesMechanism(le->slot, type[i])) {
                unsuitable = PR_TRUE;
                break;
            }
            /* the token is only queried when there is a constraint */
            if ((wantFlags || wantSize) &&
                pk11_filterSlot(le->slot, type[i], wantFlags, wantSize)) {
                unsuitable = PR_TRUE;
                break;
            }
        }
        if (unsuitable) {
            continue;
        }

        if (listNeedLogin && le->slot->needLogin) {
            if (PK11_Authenticate(le->slot, PR_TRUE, wincx) != SECSuccess) {
                continue;
            }
        }

        /* take our own reference before letting go of the element */
        slot = le->slot;
        PK11_ReferenceSlot(slot);
        PK11_FreeSlotListElement(list, le);
        if (freeit) {
            PK11_FreeSlotList(list);
        }
        return slot;
    }

    if (freeit) {
        PK11_FreeSlotList(list);
    }
    if (PORT_GetError() == 0) {
        PORT_SetError(SEC_ERROR_NO_TOKEN);
    }
    return NULL;
}
2444 | |
/*
 * Best slot for a set of mechanisms, with no flag or key size
 * constraints. See PK11_GetBestSlotMultipleWithAttributes().
 */
PK11SlotInfo *
PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type,
                         unsigned int mech_count, void *wincx)
{
    CK_FLAGS *noFlags = NULL;
    unsigned int *noSizes = NULL;

    return PK11_GetBestSlotMultipleWithAttributes(type, noFlags, noSizes,
                                                  mech_count, wincx);
}
2452 | |
/*
 * Best slot for a single mechanism, with no flag or key size
 * constraints. The original get-best-slot entry point; it now calls
 * the multiple version with only one type.
 */
PK11SlotInfo *
PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx)
{
    const unsigned int oneMechanism = 1;

    return PK11_GetBestSlotMultipleWithAttributes(&type, NULL, NULL,
                                                  oneMechanism, wincx);
}
2459 | |
/*
 * Best slot for a single mechanism that must also carry the given
 * mechanism flags and accept the given key size. A zero value for
 * either constraint means "no constraint" in the multiple version.
 */
PK11SlotInfo *
PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type, CK_FLAGS mechanismFlags,
                               unsigned int keySize, void *wincx)
{
    const unsigned int oneMechanism = 1;

    return PK11_GetBestSlotMultipleWithAttributes(&type, &mechanismFlags,
                                                  &keySize, oneMechanism,
                                                  wincx);
}
2467 | |
/*
 * Return the largest key size the token reports for a mechanism.
 *
 * Returns 0 when the mechanism info cannot be fetched and also when
 * the token reports equal minimum and maximum sizes (a fixed key
 * size), so 0 does not by itself mean failure.
 * NOTE(review): ulMaxKeySize is token supplied and is narrowed to int
 * on return; callers should treat the value as untrusted.
 */
int
PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism)
{
    CK_MECHANISM_INFO mechanism_info;
    CK_RV crv;

    if (!slot->isThreadSafe) {
        PK11_EnterSlotMonitor(slot);
    }
    crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism,
                                                &mechanism_info);
    if (!slot->isThreadSafe) {
        PK11_ExitSlotMonitor(slot);
    }

    if ((crv != CKR_OK) ||
        (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize)) {
        return 0;
    }
    return mechanism_info.ulMaxKeySize;
}
2487 | |
/*
 * This function uses the existing PKCS #11 module to find the
 * longest supported key length in the preferred token for a mechanism.
 * This varies from PK11_GetBestKeyLength() in that 1) it returns the
 * key length even for fixed key algorithms, and 2) it looks through the
 * tokens generally rather than for a specific token. This is used in
 * lieu of a PK11_GetKeyLength function in pk11mech.c since we can
 * actually read supported key lengths from PKCS #11.
 *
 * For symmetric key operations the length is returned in bytes.
 *
 * The first present token that reports a maximum other than 0 and
 * 0xffffffff decides the answer. When no token does, the predefined
 * length for the mechanism's key type is used instead.
 *
 * Returns 0 with SEC_ERROR_INVALID_ALGORITHM set when no candidate
 * list can be obtained.
 */
int
PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism)
{
    CK_MECHANISM_INFO mechanism_info;
    PK11SlotList *list;
    PK11SlotListElement *le;
    PRBool freeit = PR_FALSE; /* PR_TRUE when 'list' is ours to free */
    int keyLength = 0;

    list = PK11_GetSlotList(mechanism);
    if ((list == NULL) || (list->head == NULL)) {
        /* We need to look up all the tokens for the mechanism */
        list = PK11_GetAllTokens(mechanism, PR_FALSE, PR_FALSE, NULL);
        freeit = PR_TRUE;
    }

    /* no tokens recognize this mechanism */
    if (list == NULL) {
        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
        return 0;
    }

    for (le = PK11_GetFirstSafe(list); le;
         le = PK11_GetNextSafe(list, le, PR_TRUE)) {
        PK11SlotInfo *slot = le->slot;
        CK_RV crv;

        if (!PK11_IsPresent(slot)) {
            continue;
        }

        if (!slot->isThreadSafe) {
            PK11_EnterSlotMonitor(slot);
        }
        crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism,
                                                    &mechanism_info);
        if (!slot->isThreadSafe) {
            PK11_ExitSlotMonitor(slot);
        }

        if ((crv == CKR_OK) && (mechanism_info.ulMaxKeySize != 0) &&
            (mechanism_info.ulMaxKeySize != 0xffffffff)) {
            keyLength = mechanism_info.ulMaxKeySize;
            break;
        }
    }

    /* fallback to pk11_GetPredefinedKeyLength for fixed key size algorithms */
    if (keyLength == 0) {
        CK_KEY_TYPE keyType = PK11_GetKeyType(mechanism, 0);

        keyLength = pk11_GetPredefinedKeyLength(keyType);
    }

    /* le is still set only when the loop was left through 'break' */
    if (le) {
        PK11_FreeSlotListElement(list, le);
    }
    if (freeit) {
        PK11_FreeSlotList(list);
    }
    return keyLength;
}
2553 | |
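/*
 * Mix caller supplied seed material into the slot's random number
 * generator through C_SeedRandom on the slot's session.
 *
 * data - seed bytes
 * len  - number of bytes at data; must not be negative
 *
 * The slot monitor is taken unconditionally around the call.
 *
 * Returns SECSuccess, or SECFailure with an error set:
 * SEC_ERROR_INVALID_ARGS for a negative len, otherwise the mapped
 * PKCS #11 error.
 */
SECStatus
PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len)
{
    CK_RV crv;

    /* len is converted to the unsigned CK_ULONG below; a negative value
     * would become a huge length and make the module read far past the
     * end of data */
    if (len < 0) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    PK11_EnterSlotMonitor(slot);
    crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, data, (CK_ULONG)len);
    PK11_ExitSlotMonitor(slot);
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }
    return SECSuccess;
}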
2568 | |
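/*
 * Fill a buffer with random bytes produced by a specific slot through
 * C_GenerateRandom on the slot's session.
 *
 * data - output buffer, at least len bytes long
 * len  - number of bytes to generate; must not be negative
 *
 * The slot monitor is taken around the call for every slot except an
 * internal one.
 *
 * Returns SECSuccess, or SECFailure with an error set:
 * SEC_ERROR_INVALID_ARGS for a negative len, otherwise the mapped
 * PKCS #11 error. On failure the contents of data must not be used as
 * random material.
 */
SECStatus
PK11_GenerateRandomOnSlot(PK11SlotInfo *slot, unsigned char *data, int len)
{
    CK_RV crv;

    /* len is converted to the unsigned CK_ULONG below; a negative value
     * would become a huge length and make the module write far past the
     * end of data */
    if (len < 0) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    if (!slot->isInternal) {
        PK11_EnterSlotMonitor(slot);
    }
    crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, data,
                                              (CK_ULONG)len);
    if (!slot->isInternal) {
        PK11_ExitSlotMonitor(slot);
    }
    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }
    return SECSuccess;
}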
2586 | |
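/*
 * Attempts to update the Best Slot for "FAKE RANDOM" generation.
 * If that's not the internal slot, then it also attempts to update the
 * internal slot.
 *
 * data  - seed bytes
 * bytes - number of bytes at data; must fit in the int length that
 *         PK11_SeedRandom() takes
 *
 * The return value indicates if the INTERNAL slot was updated OK; the
 * result of seeding a non-internal best slot is overwritten by the
 * result for the internal slot. SECFailure is also returned, with
 * SEC_ERROR_INVALID_ARGS set, when bytes is too large, and when no
 * slot can be obtained.
 */
SECStatus
PK11_RandomUpdate(void *data, size_t bytes)
{
    PK11SlotInfo *slot;
    PRBool bestIsInternal;
    SECStatus status;

    /* refuse a length that the conversion to int would truncate or turn
     * negative, instead of seeding with the wrong amount of data */
    if (bytes > (size_t)PR_INT32_MAX) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL);
    if (slot == NULL) {
        slot = PK11_GetInternalSlot();
        if (!slot) {
            return SECFailure;
        }
    }

    bestIsInternal = PK11_IsInternal(slot);
    status = PK11_SeedRandom(slot, data, (int)bytes);
    PK11_FreeSlot(slot);

    if (!bestIsInternal) {
        /* do internal slot, too. */
        slot = PK11_GetInternalSlot();
        PORT_Assert(slot);
        if (!slot) {
            return SECFailure;
        }
        status = PK11_SeedRandom(slot, data, (int)bytes);
        PK11_FreeSlot(slot);
    }
    return status;
}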
2622 | |
/*
 * Fill a buffer with len random bytes from the best slot that offers
 * random number generation (selected with CKM_FAKE_RANDOM).
 *
 * Returns SECFailure when no such slot is found, otherwise whatever
 * PK11_GenerateRandomOnSlot() returns. Callers must check the result:
 * on failure data does not hold usable random material.
 */
SECStatus
PK11_GenerateRandom(unsigned char *data, int len)
{
    SECStatus status;
    PK11SlotInfo *rngSlot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL);

    if (rngSlot == NULL) {
        return SECFailure;
    }

    status = PK11_GenerateRandomOnSlot(rngSlot, data, len);
    PK11_FreeSlot(rngSlot);
    return status;
}
2637 | |
/*
 * Reset the token to its initial state. For the internal module, this
 * will purge your keydb, and reset your cert db certs to USER_INIT.
 *
 * This is destructive: all sessions on the slot are closed and the
 * token is re-initialized with C_InitToken under its current name.
 *
 * sso_pwd - security officer password handed to C_InitToken; may be
 *           NULL, in which case a length of 0 is passed
 *
 * Returns SECSuccess, or SECFailure with the mapped PKCS #11 error set
 * when C_InitToken fails. The results of C_CloseAllSessions and of the
 * PK11_InitToken() call that brings the token back up are not checked,
 * and PK11_InitToken() runs even when C_InitToken failed.
 */
SECStatus
PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd)
{
    unsigned char tokenName[32];
    size_t tokenNameLen;
    CK_ULONG pinLen;
    CK_RV crv;
    NSSToken *token;

    /* reconstruct the token name: blank padded to 32 bytes, truncated
     * if longer, with no NUL terminator */
    tokenNameLen = PORT_Strlen(slot->token_name);
    if (tokenNameLen > sizeof(tokenName)) {
        tokenNameLen = sizeof(tokenName);
    }
    PORT_Memset(tokenName, ' ', sizeof(tokenName));
    PORT_Memcpy(tokenName, slot->token_name, tokenNameLen);

    pinLen = sso_pwd ? PORT_Strlen(sso_pwd) : 0;

    /* initialize the token */
    PK11_EnterSlotMonitor(slot);

    /* first shutdown the token. Existing sessions will get closed here */
    PK11_GETTAB(slot)->C_CloseAllSessions(slot->slotID);
    slot->session = CK_INVALID_HANDLE;

    /* now re-init the token */
    crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID,
                                         (unsigned char *)sso_pwd, pinLen,
                                         tokenName);

    /* finally bring the token back up */
    PK11_InitToken(slot, PR_TRUE);
    PK11_ExitSlotMonitor(slot);

    if (crv != CKR_OK) {
        PORT_SetError(PK11_MapError(crv));
        return SECFailure;
    }

    /* refresh the certificates cached for this token */
    token = PK11Slot_GetNSSToken(slot);
    if (token) {
        nssTrustDomain_UpdateCachedTokenCerts(token->trustDomain, token);
        (void)nssToken_Destroy(token);
    }
    return SECSuccess;
}
2687 | |
/*
 * Install `nsst` (which may be NULL) as the slot's NSSToken.
 *
 * A reference is taken on the new token before the lock is acquired, the
 * pointer swap happens under sl->nssTokenLock, and the previously installed
 * token is destroyed only after the lock has been released.
 */
void
PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst)
{
    NSSToken *incoming = nsst ? nssToken_AddRef(nsst) : nsst;
    NSSToken *previous;

    PZ_Lock(sl->nssTokenLock);
    previous = sl->nssToken;
    sl->nssToken = incoming;
    PZ_Unlock(sl->nssTokenLock);

    /* Drop the slot's reference to the token it held before the swap. */
    if (previous != NULL) {
        (void)nssToken_Destroy(previous);
    }
}
2705 | |
/*
 * Return a new reference to the slot's NSSToken, or NULL when none is set.
 *
 * The reference is taken while sl->nssTokenLock is held. This file's callers
 * release a non-NULL result with nssToken_Destroy.
 */
NSSToken *
PK11Slot_GetNSSToken(PK11SlotInfo *sl)
{
    NSSToken *held;

    PZ_Lock(sl->nssTokenLock);
    held = sl->nssToken ? nssToken_AddRef(sl->nssToken) : NULL;
    PZ_Unlock(sl->nssTokenLock);

    return held;
}
2719 | |
/*
 * Ask the module's FIPS indicator whether the given operation was performed
 * in an approved state.
 *
 * The answer fails closed: PR_TRUE is returned only when the indicator call
 * succeeds and reports CKS_NSS_FIPS_OK. A module without an indicator, an
 * invalid session, or an indicator error all yield PR_FALSE.
 */
PRBool
pk11slot_GetFIPSStatus(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
                       CK_OBJECT_HANDLE object, CK_ULONG operationType)
{
    SECMODModule *module = slot->module;
    /* Start from "not OK" so the default is the non-approved answer. */
    CK_ULONG indicatorState = CKS_NSS_FIPS_NOT_OK;
    CK_RV rv;

    /* No indicator on the module, or no session to query: not FIPS. */
    if (module->fipsIndicator == NULL || session == CK_INVALID_HANDLE) {
        return PR_FALSE;
    }

    /* Fetch the state from the module. */
    rv = module->fipsIndicator(session, object, operationType,
                               &indicatorState);
    if (rv != CKR_OK) {
        return PR_FALSE;
    }

    if (indicatorState == CKS_NSS_FIPS_OK) {
        return PR_TRUE;
    }
    return PR_FALSE;
}
2745 | |
/*
 * Report the FIPS status of the last check on the slot's own session.
 *
 * Queries with CKT_NSS_SESSION_LAST_CHECK and no object handle. The result
 * is PR_FALSE whenever pk11slot_GetFIPSStatus cannot confirm an OK state.
 */
PRBool
PK11_SlotGetLastFIPSStatus(PK11SlotInfo *slot)
{
    CK_SESSION_HANDLE slotSession = slot->session;

    return pk11slot_GetFIPSStatus(slot, slotSession, CK_INVALID_HANDLE,
                                  CKT_NSS_SESSION_LAST_CHECK);
}
2752 | |
/*
 * Wait for a token to change its state. The application passes in the
 * expected new state in event.
 *
 * slot     the slot to watch; a permanent slot returns PK11TokenNotRemovable
 *          immediately.
 * event    PK11TokenRemovedOrChangedEvent waits for removal or a series
 *          change; any other value waits for the token to become present.
 * timeout  PR_INTERVAL_NO_WAIT checks once without sleeping,
 *          PR_INTERVAL_NO_TIMEOUT polls until the state changes, anything
 *          else bounds the wait, measured from the first poll.
 * latency  sleep between polls; 0 selects five seconds.
 * series   slot series to compare against; 0 selects the current series.
 *
 * Returns PK11TokenChanged when waiting for removal and the series differs,
 * the unchanged state (PK11TokenPresent or PK11TokenRemoved) when the wait
 * gives up, and the awaited state otherwise. The calling thread blocks in
 * PR_Sleep between polls.
 */
PK11TokenStatus
PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
                       PRIntervalTime timeout, PRIntervalTime latency, int series)
{
    PRIntervalTime startTime = 0;
    PRBool haveStartTime = PR_FALSE;
    PRBool waitForRemoval;
    PK11TokenStatus unchangedStatus;
    PK11TokenStatus reachedStatus;

    if (slot->isPerm) {
        return PK11TokenNotRemovable;
    }
    if (latency == 0) {
        latency = PR_SecondsToInterval(5);
    }

    waitForRemoval = (PRBool)(event == PK11TokenRemovedOrChangedEvent);
    /* Status for "gave up, nothing changed" and for "event observed". */
    unchangedStatus = waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
    reachedStatus = waitForRemoval ? PK11TokenRemoved : PK11TokenPresent;

    if (series == 0) {
        series = PK11_GetSlotSeries(slot);
    }

    /* Poll for as long as the presence state is still the old one. */
    while (PK11_IsPresent(slot) == waitForRemoval) {
        /* Still present, but a different series means the token was swapped. */
        if (waitForRemoval && series != PK11_GetSlotSeries(slot)) {
            return PK11TokenChanged;
        }
        if (timeout == PR_INTERVAL_NO_WAIT) {
            return unchangedStatus;
        }
        if (timeout != PR_INTERVAL_NO_TIMEOUT) {
            PRIntervalTime now = PR_IntervalNow();

            /* The timeout clock starts at the first poll that gets here. */
            if (!haveStartTime) {
                startTime = now;
                haveStartTime = PR_TRUE;
            }
            if ((now - startTime) > timeout) {
                return unchangedStatus;
            }
        }
        PR_Sleep(latency);
    }
    return reachedStatus;
}