pk11slot.c

Bug Summary

File:	s/lib/pk11wrap/pk11slot.c
Warning:	line 1430, column 17 Value stored to 'crv' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name pk11slot.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -analyzer-config-compatibility-mode=true -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/var/lib/jenkins/workspace/nss-scan-build/nss/lib/pk11wrap -ffunction-sections -fdata-sections -fcoverage-compilation-dir=/var/lib/jenkins/workspace/nss-scan-build/nss/lib/pk11wrap -resource-dir /usr/lib/llvm-18/lib/clang/18 -D HAVE_STRERROR -D LINUX -D linux -D XP_UNIX -D XP_UNIX -D SHLIB_SUFFIX="so" -D SHLIB_PREFIX="lib" -D NSS_SHLIB_VERSION="3" -D SOFTOKEN_SHLIB_VERSION="3" -D DEBUG -U NDEBUG -D _DEFAULT_SOURCE -D _BSD_SOURCE -D _POSIX_SOURCE -D SDB_MEASURE_USE_TEMP_DIR -D _REENTRANT -D DEBUG -U NDEBUG -D _DEFAULT_SOURCE -D _BSD_SOURCE -D _POSIX_SOURCE -D SDB_MEASURE_USE_TEMP_DIR -D _REENTRANT -D NSS_DISABLE_SSE3 -D NSS_NO_INIT_SUPPORT -D USE_UTIL_DIRECTLY -D NO_NSPR_10_SUPPORT -D SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I ../../../dist/Linux4.19_x86_64_gcc_glibc_PTH_64_DBG.OBJ/include -I ../../../dist/public/nss -I ../../../dist/private/nss -internal-isystem /usr/lib/llvm-18/lib/clang/18/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -std=c99 -ferror-limit 19 -fgnuc-version=4.2.1 -analyzer-output=html -analyzer-config stable-report-filename=true -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2024-05-18-082241-28900-1 -x c pk11slot.c

1	/* This Source Code Form is subject to the terms of the Mozilla Public
2	* License, v. 2.0. If a copy of the MPL was not distributed with this
3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4	/*
5	* Deal with PKCS #11 Slots.
6	*/
7
8	#include <stddef.h>
9
10	#include "seccomon.h"
11	#include "secmod.h"
12	#include "nssilock.h"
13	#include "secmodi.h"
14	#include "secmodti.h"
15	#include "pkcs11t.h"
16	#include "pk11func.h"
17	#include "secitem.h"
18	#include "secerr.h"
19
20	#include "dev.h"
21	#include "dev3hack.h"
22	#include "pkim.h"
23	#include "utilpars.h"
24	#include "pkcs11uri.h"
25
26	/*************************************************************
27	* local static and global data
28	*************************************************************/
29
30	/*
31	* This array helps parsing between names, mechanisms, and flags.
32	* to make the config files understand more entries, add them
33	* to this table.
34	*/
35	const PK11DefaultArrayEntry PK11_DefaultArray[] = {
36	{ "RSA", SECMOD_RSA_FLAG0x00000001L, CKM_RSA_PKCS0x00000001UL },
37	{ "DSA", SECMOD_DSA_FLAG0x00000002L, CKM_DSA0x00000011UL },
38	{ "ECC", SECMOD_ECC_FLAG0x00040000L, CKM_ECDSA0x00001041UL },
39	{ "EDDSA", SECMOD_ECC_FLAG0x00040000L, CKM_EDDSA0x00001057UL },
40	{ "DH", SECMOD_DH_FLAG0x00000020L, CKM_DH_PKCS_DERIVE0x00000021UL },
41	{ "RC2", SECMOD_RC2_FLAG0x00000004L, CKM_RC2_CBC0x00000102UL },
42	{ "RC4", SECMOD_RC4_FLAG0x00000008L, CKM_RC40x00000111UL },
43	{ "DES", SECMOD_DES_FLAG0x00000010L, CKM_DES_CBC0x00000122UL },
44	{ "AES", SECMOD_AES_FLAG0x00002000L, CKM_AES_CBC0x00001082UL },
45	{ "Camellia", SECMOD_CAMELLIA_FLAG0x00010000L, CKM_CAMELLIA_CBC0x00000552UL },
46	{ "SEED", SECMOD_SEED_FLAG0x00020000L, CKM_SEED_CBC0x00000652UL },
47	{ "RC5", SECMOD_RC5_FLAG0x00000080L, CKM_RC5_CBC0x00000332UL },
48	{ "SHA-1", SECMOD_SHA1_FLAG0x00000100L, CKM_SHA_10x00000220UL },
49	/* { "SHA224", SECMOD_SHA256_FLAG, CKM_SHA224 }, */
50	{ "SHA256", SECMOD_SHA256_FLAG0x00004000L, CKM_SHA2560x00000250UL },
51	/* { "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */
52	{ "SHA512", SECMOD_SHA512_FLAG0x00008000L, CKM_SHA5120x00000270UL },
53	{ "MD5", SECMOD_MD5_FLAG0x00000200L, CKM_MD50x00000210UL },
54	{ "MD2", SECMOD_MD2_FLAG0x00000400L, CKM_MD20x00000200UL },
55	{ "SSL", SECMOD_SSL_FLAG0x00000800L, CKM_SSL3_PRE_MASTER_KEY_GEN0x00000370UL },
56	{ "TLS", SECMOD_TLS_FLAG0x00001000L, CKM_TLS_MASTER_KEY_DERIVE0x00000375UL },
57	{ "SKIPJACK", SECMOD_FORTEZZA_FLAG0x00000040L, CKM_SKIPJACK_CBC640x00001002UL },
58	{ "Publicly-readable certs", SECMOD_FRIENDLY_FLAG0x10000000L, CKM_INVALID_MECHANISM0xffffffffUL },
59	{ "Random Num Generator", SECMOD_RANDOM_FLAG0x80000000L, CKM_FAKE_RANDOM0x80000efeUL },
60	};
61	const int num_pk11_default_mechanisms =
62	sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]);
63
64	const PK11DefaultArrayEntry *
65	PK11_GetDefaultArray(int *size)
66	{
67	if (size) {
68	*size = num_pk11_default_mechanisms;
69	}
70	return PK11_DefaultArray;
71	}
72
73	/*
74	* These slotlists are lists of modules which provide default support for
75	* a given algorithm or mechanism.
76	*/
77	static PK11SlotList
78	pk11_seedSlotList,
79	pk11_camelliaSlotList,
80	pk11_aesSlotList,
81	pk11_desSlotList,
82	pk11_rc4SlotList,
83	pk11_rc2SlotList,
84	pk11_rc5SlotList,
85	pk11_sha1SlotList,
86	pk11_md5SlotList,
87	pk11_md2SlotList,
88	pk11_rsaSlotList,
89	pk11_dsaSlotList,
90	pk11_dhSlotList,
91	pk11_ecSlotList,
92	pk11_ideaSlotList,
93	pk11_sslSlotList,
94	pk11_tlsSlotList,
95	pk11_randomSlotList,
96	pk11_sha256SlotList,
97	pk11_sha512SlotList; /* slots do SHA512 and SHA384 */
98
99	/************************************************************
100	* Generic Slot List and Slot List element manipulations
101	************************************************************/
102
103	/*
104	* allocate a new list
105	*/
106	PK11SlotList *
107	PK11_NewSlotList(void)
108	{
109	PK11SlotList *list;
110
111	list = (PK11SlotList *)PORT_AllocPORT_Alloc_Util(sizeof(PK11SlotList));
112	if (list == NULL((void*)0))
113	return NULL((void*)0);
114	list->head = NULL((void*)0);
115	list->tail = NULL((void*)0);
116	list->lock = PZ_NewLock(nssILockList)PR_NewLock();
117	if (list->lock == NULL((void*)0)) {
118	PORT_FreePORT_Free_Util(list);
119	return NULL((void*)0);
120	}
121
122	return list;
123	}
124
125	/*
126	* free a list element when all the references go away.
127	*/
128	SECStatus
129	PK11_FreeSlotListElement(PK11SlotList list, PK11SlotListElement le)
130	{
131	PRBool freeit = PR_FALSE0;
132
133	if (list == NULL((void)0) \|\| le == NULL((void)0)) {
134	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS);
135	return SECFailure;
136	}
137
138	PZ_Lock(list->lock)PR_Lock((list->lock));
139	if (le->refCount-- == 1) {
140	freeit = PR_TRUE1;
141	}
142	PZ_Unlock(list->lock)PR_Unlock((list->lock));
143	if (freeit) {
144	PK11_FreeSlot(le->slot);
145	PORT_FreePORT_Free_Util(le);
146	}
147	return SECSuccess;
148	}
149
150	static void
151	pk11_FreeSlotListStatic(PK11SlotList *list)
152	{
153	PK11SlotListElement le, next;
154	if (list == NULL((void*)0))
155	return;
156
157	for (le = list->head; le; le = next) {
158	next = le->next;
159	PK11_FreeSlotListElement(list, le);
160	}
161	if (list->lock) {
162	PZ_DestroyLock(list->lock)PR_DestroyLock((list->lock));
163	}
164	list->lock = NULL((void*)0);
165	list->head = NULL((void*)0);
166	}
167
168	/*
169	* if we are freeing the list, we must be the only ones with a pointer
170	* to the list.
171	*/
172	void
173	PK11_FreeSlotList(PK11SlotList *list)
174	{
175	pk11_FreeSlotListStatic(list);
176	PORT_FreePORT_Free_Util(list);
177	}
178
179	/*
180	* add a slot to a list
181	* "slot" is the slot to be added. Ownership is not transferred.
182	* "sorted" indicates whether or not the slot should be inserted according to
183	* cipherOrder of the associated module. PR_FALSE indicates that the slot
184	* should be inserted to the head of the list.
185	*/
186	SECStatus
187	PK11_AddSlotToList(PK11SlotList list, PK11SlotInfo slot, PRBool sorted)
188	{
189	PK11SlotListElement *le;
190	PK11SlotListElement *element;
191
192	le = (PK11SlotListElement *)PORT_AllocPORT_Alloc_Util(sizeof(PK11SlotListElement));
193	if (le == NULL((void*)0))
194	return SECFailure;
195
196	le->slot = PK11_ReferenceSlot(slot);
197	le->prev = NULL((void*)0);
198	le->refCount = 1;
199	PZ_Lock(list->lock)PR_Lock((list->lock));
200	element = list->head;
201	/* Insertion sort, with higher cipherOrders are sorted first in the list */
202	while (element && sorted && (element->slot->module->cipherOrder > le->slot->module->cipherOrder)) {
203	element = element->next;
204	}
205	if (element) {
206	le->prev = element->prev;
207	element->prev = le;
208	le->next = element;
209	} else {
210	le->prev = list->tail;
211	le->next = NULL((void*)0);
212	list->tail = le;
213	}
214	if (le->prev)
215	le->prev->next = le;
216	if (list->head == element)
217	list->head = le;
218	PZ_Unlock(list->lock)PR_Unlock((list->lock));
219
220	return SECSuccess;
221	}
222
223	/*
224	* remove a slot entry from the list
225	*/
226	SECStatus
227	PK11_DeleteSlotFromList(PK11SlotList list, PK11SlotListElement le)
228	{
229	PZ_Lock(list->lock)PR_Lock((list->lock));
230	if (le->prev)
231	le->prev->next = le->next;
232	else
233	list->head = le->next;
234	if (le->next)
235	le->next->prev = le->prev;
236	else
237	list->tail = le->prev;
238	le->next = le->prev = NULL((void*)0);
239	PZ_Unlock(list->lock)PR_Unlock((list->lock));
240	PK11_FreeSlotListElement(list, le);
241	return SECSuccess;
242	}
243
244	/*
245	* Move a list to the end of the target list.
246	* NOTE: There is no locking here... This assumes BOTH lists are private copy
247	* lists. It also does not re-sort the target list.
248	*/
249	SECStatus
250	pk11_MoveListToList(PK11SlotList target, PK11SlotList src)
251	{
252	if (src->head == NULL((void*)0))
253	return SECSuccess;
254
255	if (target->tail == NULL((void*)0)) {
256	target->head = src->head;
257	} else {
258	target->tail->next = src->head;
259	}
260	src->head->prev = target->tail;
261	target->tail = src->tail;
262	src->head = src->tail = NULL((void*)0);
263	return SECSuccess;
264	}
265
266	/*
267	* get an element from the list with a reference. You must own the list.
268	*/
269	PK11SlotListElement *
270	PK11_GetFirstRef(PK11SlotList *list)
271	{
272	PK11SlotListElement *le;
273
274	le = list->head;
275	if (le != NULL((void*)0))
276	(le)->refCount++;
277	return le;
278	}
279
280	/*
281	* get the next element from the list with a reference. You must own the list.
282	*/
283	PK11SlotListElement *
284	PK11_GetNextRef(PK11SlotList list, PK11SlotListElement le, PRBool restart)
285	{
286	PK11SlotListElement *new_le;
287	new_le = le->next;
288	if (new_le)
289	new_le->refCount++;
290	PK11_FreeSlotListElement(list, le);
291	return new_le;
292	}
293
294	/*
295	* get an element safely from the list. This just makes sure that if
296	* this element is not deleted while we deal with it.
297	*/
298	PK11SlotListElement *
299	PK11_GetFirstSafe(PK11SlotList *list)
300	{
301	PK11SlotListElement *le;
302
303	PZ_Lock(list->lock)PR_Lock((list->lock));
304	le = list->head;
305	if (le != NULL((void*)0))
306	(le)->refCount++;
307	PZ_Unlock(list->lock)PR_Unlock((list->lock));
308	return le;
309	}
310
311	/*
312	* NOTE: if this element gets deleted, we can no longer safely traverse using
313	* it's pointers. We can either terminate the loop, or restart from the
314	* beginning. This is controlled by the restart option.
315	*/
316	PK11SlotListElement *
317	PK11_GetNextSafe(PK11SlotList list, PK11SlotListElement le, PRBool restart)
318	{
319	PK11SlotListElement *new_le;
320	PZ_Lock(list->lock)PR_Lock((list->lock));
321	new_le = le->next;
322	if (le->next == NULL((void*)0)) {
323	/* if the prev and next fields are NULL then either this element
324	* has been removed and we need to walk the list again (if restart
325	* is true) or this was the only element on the list */
326	if ((le->prev == NULL((void*)0)) && restart && (list->head != le)) {
327	new_le = list->head;
328	}
329	}
330	if (new_le)
331	new_le->refCount++;
332	PZ_Unlock(list->lock)PR_Unlock((list->lock));
333	PK11_FreeSlotListElement(list, le);
334	return new_le;
335	}
336
337	/*
338	* Find the element that holds this slot
339	*/
340	PK11SlotListElement *
341	PK11_FindSlotElement(PK11SlotList list, PK11SlotInfo slot)
342	{
343	PK11SlotListElement *le;
344
345	for (le = PK11_GetFirstSafe(list); le;
346	le = PK11_GetNextSafe(list, le, PR_TRUE1)) {
347	if (le->slot == slot)
348	return le;
349	}
350	return NULL((void*)0);
351	}
352
353	/************************************************************
354	* Generic Slot Utilities
355	************************************************************/
356	/*
357	* Create a new slot structure
358	*/
359	PK11SlotInfo *
360	PK11_NewSlotInfo(SECMODModule *mod)
361	{
362	PK11SlotInfo *slot;
363
364	slot = (PK11SlotInfo *)PORT_AllocPORT_Alloc_Util(sizeof(PK11SlotInfo));
365	if (slot == NULL((void*)0)) {
366	return slot;
367	}
368	slot->freeListLock = PZ_NewLock(nssILockFreelist)PR_NewLock();
369	if (slot->freeListLock == NULL((void*)0)) {
370	PORT_FreePORT_Free_Util(slot);
371	return NULL((void*)0);
372	}
373	slot->nssTokenLock = PZ_NewLock(nssILockOther)PR_NewLock();
374	if (slot->nssTokenLock == NULL((void*)0)) {
375	PZ_DestroyLock(slot->freeListLock)PR_DestroyLock((slot->freeListLock));
376	PORT_FreePORT_Free_Util(slot);
377	return NULL((void*)0);
378	}
379	slot->sessionLock = mod->isThreadSafe ? PZ_NewLock(nssILockSession)PR_NewLock() : mod->refLock;
380	if (slot->sessionLock == NULL((void*)0)) {
381	PZ_DestroyLock(slot->nssTokenLock)PR_DestroyLock((slot->nssTokenLock));
382	PZ_DestroyLock(slot->freeListLock)PR_DestroyLock((slot->freeListLock));
383	PORT_FreePORT_Free_Util(slot);
384	return NULL((void*)0);
385	}
386	slot->freeSymKeysWithSessionHead = NULL((void*)0);
387	slot->freeSymKeysHead = NULL((void*)0);
388	slot->keyCount = 0;
389	slot->maxKeyCount = 0;
390	slot->functionList = NULL((void*)0);
391	slot->needTest = PR_TRUE1;
392	slot->isPerm = PR_FALSE0;
393	slot->isHW = PR_FALSE0;
394	slot->isInternal = PR_FALSE0;
395	slot->isThreadSafe = PR_FALSE0;
396	slot->disabled = PR_FALSE0;
397	slot->series = 1;
398	slot->flagSeries = 0;
399	slot->flagState = PR_FALSE0;
400	slot->wrapKey = 0;
401	slot->wrapMechanism = CKM_INVALID_MECHANISM0xffffffffUL;
402	slot->refKeys[0] = CK_INVALID_HANDLE0;
403	slot->reason = PK11_DIS_NONE;
404	slot->readOnly = PR_TRUE1;
405	slot->needLogin = PR_FALSE0;
406	slot->hasRandom = PR_FALSE0;
407	slot->defRWSession = PR_FALSE0;
408	slot->protectedAuthPath = PR_FALSE0;
409	slot->flags = 0;
410	slot->session = CK_INVALID_HANDLE0;
411	slot->slotID = 0;
412	slot->defaultFlags = 0;
413	slot->refCount = 1;
414	slot->askpw = 0;
415	slot->timeout = 0;
416	slot->mechanismList = NULL((void*)0);
417	slot->mechanismCount = 0;
418	slot->cert_array = NULL((void*)0);
419	slot->cert_count = 0;
420	slot->slot_name[0] = 0;
421	slot->token_name[0] = 0;
422	PORT_Memsetmemset(slot->serial, ' ', sizeof(slot->serial));
423	PORT_Memsetmemset(&slot->tokenInfo, 0, sizeof(slot->tokenInfo));
424	slot->module = NULL((void*)0);
425	slot->authTransact = 0;
426	slot->authTime = LL_ZERO0L;
427	slot->minPassword = 0;
428	slot->maxPassword = 0;
429	slot->hasRootCerts = PR_FALSE0;
430	slot->hasRootTrust = PR_FALSE0;
431	slot->nssToken = NULL((void*)0);
432	slot->profileList = NULL((void*)0);
433	slot->profileCount = 0;
434	return slot;
435	}
436
437	/* create a new reference to a slot so it doesn't go away */
438	PK11SlotInfo *
439	PK11_ReferenceSlot(PK11SlotInfo *slot)
440	{
441	PR_ATOMIC_INCREMENT(&slot->refCount)__sync_add_and_fetch(&slot->refCount, 1);
442	return slot;
443	}
444
445	/* Destroy all info on a slot we have built up */
446	void
447	PK11_DestroySlot(PK11SlotInfo *slot)
448	{
449	/* free up the cached keys and sessions */
450	PK11_CleanKeyList(slot);
451
452	/* free up all the sessions on this slot */
453	if (slot->functionList) {
454	PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))
455	->C_CloseAllSessions(slot->slotID);
456	}
457
458	if (slot->mechanismList) {
459	PORT_FreePORT_Free_Util(slot->mechanismList);
460	}
461	if (slot->profileList) {
462	PORT_FreePORT_Free_Util(slot->profileList);
463	}
464	if (slot->isThreadSafe && slot->sessionLock) {
465	PZ_DestroyLock(slot->sessionLock)PR_DestroyLock((slot->sessionLock));
466	}
467	slot->sessionLock = NULL((void*)0);
468	if (slot->freeListLock) {
469	PZ_DestroyLock(slot->freeListLock)PR_DestroyLock((slot->freeListLock));
470	slot->freeListLock = NULL((void*)0);
471	}
472	if (slot->nssTokenLock) {
473	PZ_DestroyLock(slot->nssTokenLock)PR_DestroyLock((slot->nssTokenLock));
474	slot->nssTokenLock = NULL((void*)0);
475	}
476
477	/* finally Tell our parent module that we've gone away so it can unload */
478	if (slot->module) {
479	SECMOD_SlotDestroyModule(slot->module, PR_TRUE1);
480	}
481
482	/* ok, well not quit finally... now we free the memory */
483	PORT_FreePORT_Free_Util(slot);
484	}
485
486	/* We're all done with the slot, free it */
487	void
488	PK11_FreeSlot(PK11SlotInfo *slot)
489	{
490	if (PR_ATOMIC_DECREMENT(&slot->refCount)__sync_sub_and_fetch(&slot->refCount, 1) == 0) {
491	PK11_DestroySlot(slot);
492	}
493	}
494
495	void
496	PK11_EnterSlotMonitor(PK11SlotInfo *slot)
497	{
498	PZ_Lock(slot->sessionLock)PR_Lock((slot->sessionLock));
499	}
500
501	void
502	PK11_ExitSlotMonitor(PK11SlotInfo *slot)
503	{
504	PZ_Unlock(slot->sessionLock)PR_Unlock((slot->sessionLock));
505	}
506
507	/***********************************************************
508	* Functions to find specific slots.
509	***********************************************************/
510	PRBool
511	SECMOD_HasRootCerts(void)
512	{
513	SECMODModuleList *mlp;
514	SECMODModuleList *modules;
515	SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
516	int i;
517	PRBool found = PR_FALSE0;
518
519	if (!moduleLock) {
520	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NOT_INITIALIZED);
521	return found;
522	}
523
524	/* work through all the slots */
525	SECMOD_GetReadLock(moduleLock);
526	modules = SECMOD_GetDefaultModuleList();
527	for (mlp = modules; mlp != NULL((void*)0); mlp = mlp->next) {
528	for (i = 0; i < mlp->module->slotCount; i++) {
529	PK11SlotInfo *tmpSlot = mlp->module->slots[i];
530	if (PK11_IsPresent(tmpSlot)) {
531	if (tmpSlot->hasRootCerts) {
532	found = PR_TRUE1;
533	break;
534	}
535	}
536	}
537	if (found)
538	break;
539	}
540	SECMOD_ReleaseReadLock(moduleLock);
541
542	return found;
543	}
544
545	/***********************************************************
546	* Functions to find specific slots.
547	***********************************************************/
548	PK11SlotList *
549	PK11_FindSlotsByNames(const char dllName, const char slotName,
550	const char *tokenName, PRBool presentOnly)
551	{
552	SECMODModuleList *mlp;
553	SECMODModuleList *modules;
554	SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
555	int i;
556	PK11SlotList slotList = NULL((void)0);
557	PRUint32 slotcount = 0;
558	SECStatus rv = SECSuccess;
559
560	if (!moduleLock) {
561	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NOT_INITIALIZED);
562	return slotList;
563	}
564
565	slotList = PK11_NewSlotList();
566	if (!slotList) {
567	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_MEMORY);
568	return slotList;
569	}
570
571	if (((NULL((void)0) == dllName) \|\| (0 == dllName)) &&
572	((NULL((void)0) == slotName) \|\| (0 == slotName)) &&
573	((NULL((void)0) == tokenName) \|\| (0 == tokenName))) {
574	/* default to softoken */
575	/* PK11_GetInternalKeySlot increments the refcount on the internal slot,
576	* but so does PK11_AddSlotToList. To avoid erroneously increasing the
577	* refcount twice, we get our own reference to the internal slot and
578	* decrement its refcount when we're done with it. */
579	PK11SlotInfo *internalKeySlot = PK11_GetInternalKeySlot();
580	PK11_AddSlotToList(slotList, internalKeySlot, PR_TRUE1);
581	PK11_FreeSlot(internalKeySlot);
582	return slotList;
583	}
584
585	/* work through all the slots */
586	SECMOD_GetReadLock(moduleLock);
587	modules = SECMOD_GetDefaultModuleList();
588	for (mlp = modules; mlp != NULL((void*)0); mlp = mlp->next) {
589	PORT_Assert(mlp->module)((mlp->module)?((void)0):PR_Assert("mlp->module","pk11slot.c" ,589));
590	if (!mlp->module) {
591	rv = SECFailure;
592	break;
593	}
594	if ((!dllName) \|\| (mlp->module->dllName &&
595	(0 == PORT_Strcmpstrcmp(mlp->module->dllName, dllName)))) {
596	for (i = 0; i < mlp->module->slotCount; i++) {
597	PK11SlotInfo tmpSlot = (mlp->module->slots ? mlp->module->slots[i] : NULL((void)0));
598	PORT_Assert(tmpSlot)((tmpSlot)?((void)0):PR_Assert("tmpSlot","pk11slot.c",598));
599	if (!tmpSlot) {
600	rv = SECFailure;
601	break;
602	}
603	if ((PR_FALSE0 == presentOnly \|\| PK11_IsPresent(tmpSlot)) &&
604	((!tokenName) \|\|
605	(0 == PORT_Strcmpstrcmp(tmpSlot->token_name, tokenName))) &&
606	((!slotName) \|\|
607	(0 == PORT_Strcmpstrcmp(tmpSlot->slot_name, slotName)))) {
608	PK11_AddSlotToList(slotList, tmpSlot, PR_TRUE1);
609	slotcount++;
610	}
611	}
612	}
613	}
614	SECMOD_ReleaseReadLock(moduleLock);
615
616	if ((0 == slotcount) \|\| (SECFailure == rv)) {
617	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_TOKEN);
618	PK11_FreeSlotList(slotList);
619	slotList = NULL((void*)0);
620	}
621
622	if (SECFailure == rv) {
623	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE);
624	}
625
626	return slotList;
627	}
628
629	typedef PRBool (PK11SlotMatchFunc)(PK11SlotInfo slot, const void *arg);
630
631	static PRBool
632	pk11_MatchSlotByTokenName(PK11SlotInfo slot, const void arg)
633	{
634	return PORT_Strcmpstrcmp(slot->token_name, arg) == 0;
635	}
636
637	static PRBool
638	pk11_MatchSlotBySerial(PK11SlotInfo slot, const void arg)
639	{
640	return PORT_Memcmpmemcmp(slot->serial, arg, sizeof(slot->serial)) == 0;
641	}
642
643	static PRBool
644	pk11_MatchSlotByTokenURI(PK11SlotInfo slot, const void arg)
645	{
646	return pk11_MatchUriTokenInfo(slot, (PK11URI *)arg);
647	}
648
649	static PK11SlotInfo *
650	pk11_FindSlot(const void *arg, PK11SlotMatchFunc func)
651	{
652	SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
653	SECMODModuleList *mlp;
654	SECMODModuleList *modules;
655	int i;
656	PK11SlotInfo slot = NULL((void)0);
657
658	if (!moduleLock) {
659	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NOT_INITIALIZED);
660	return slot;
661	}
662	/* work through all the slots */
663	SECMOD_GetReadLock(moduleLock);
664	modules = SECMOD_GetDefaultModuleList();
665	for (mlp = modules; mlp != NULL((void*)0); mlp = mlp->next) {
666	for (i = 0; i < mlp->module->slotCount; i++) {
667	PK11SlotInfo *tmpSlot = mlp->module->slots[i];
668	if (PK11_IsPresent(tmpSlot)) {
669	if (func(tmpSlot, arg)) {
670	slot = PK11_ReferenceSlot(tmpSlot);
671	break;
672	}
673	}
674	}
675	if (slot != NULL((void*)0))
676	break;
677	}
678	SECMOD_ReleaseReadLock(moduleLock);
679
680	if (slot == NULL((void*)0)) {
681	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_TOKEN);
682	}
683
684	return slot;
685	}
686
687	static PK11SlotInfo *
688	pk11_FindSlotByTokenURI(const char *uriString)
689	{
690	PK11SlotInfo slot = NULL((void)0);
691	PK11URI *uri;
692
693	uri = PK11URI_ParseURI(uriString);
694	if (!uri) {
695	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS);
696	return slot;
697	}
698
699	slot = pk11_FindSlot(uri, pk11_MatchSlotByTokenURI);
700	PK11URI_DestroyURI(uri);
701	return slot;
702	}
703
704	PK11SlotInfo *
705	PK11_FindSlotByName(const char *name)
706	{
707	if ((name == NULL((void)0)) \|\| (name == 0)) {
708	return PK11_GetInternalKeySlot();
709	}
710
711	if (!PORT_StrncasecmpPL_strncasecmp(name, "pkcs11:", strlen("pkcs11:"))) {
712	return pk11_FindSlotByTokenURI(name);
713	}
714
715	return pk11_FindSlot(name, pk11_MatchSlotByTokenName);
716	}
717
718	PK11SlotInfo *
719	PK11_FindSlotBySerial(char *serial)
720	{
721	return pk11_FindSlot(serial, pk11_MatchSlotBySerial);
722	}
723
724	/*
725	* notification stub. If we ever get interested in any events that
726	* the pkcs11 functions may pass back to use, we can catch them here...
727	* currently pdata is a slotinfo structure.
728	*/
729	CK_RV
730	pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event,
731	CK_VOID_PTR pdata)
732	{
733	return CKR_OK0x00000000UL;
734	}
735
736	/*
737	* grab a new RW session
738	* !!! has a side effect of grabbing the Monitor if either the slot's default
739	* session is RW or the slot is not thread safe. Monitor is release in function
740	* below
741	*/
742	CK_SESSION_HANDLE
743	PK11_GetRWSession(PK11SlotInfo *slot)
744	{
745	CK_SESSION_HANDLE rwsession;
746	CK_RV crv;
747	PRBool haveMonitor = PR_FALSE0;
748
749	if (!slot->isThreadSafe \|\| slot->defRWSession) {
750	PK11_EnterSlotMonitor(slot);
751	haveMonitor = PR_TRUE1;
752	}
753	if (slot->defRWSession) {
754	PORT_Assert(slot->session != CK_INVALID_HANDLE)((slot->session != 0)?((void)0):PR_Assert("slot->session != CK_INVALID_HANDLE" ,"pk11slot.c",754));
755	if (slot->session != CK_INVALID_HANDLE0)
756	return slot->session;
757	}
758
759	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_OpenSession(slot->slotID,
760	CKF_RW_SESSION0x00000002UL \| CKF_SERIAL_SESSION0x00000004UL,
761	slot, pk11_notify, &rwsession);
762	PORT_Assert(rwsession != CK_INVALID_HANDLE \|\| crv != CKR_OK)((rwsession != 0 \|\| crv != 0x00000000UL)?((void)0):PR_Assert( "rwsession != CK_INVALID_HANDLE \|\| crv != CKR_OK","pk11slot.c" ,762));
763	if (crv != CKR_OK0x00000000UL \|\| rwsession == CK_INVALID_HANDLE0) {
764	if (crv == CKR_OK0x00000000UL)
765	crv = CKR_DEVICE_ERROR0x00000030UL;
766	if (haveMonitor)
767	PK11_ExitSlotMonitor(slot);
768	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
769	return CK_INVALID_HANDLE0;
770	}
771	if (slot->defRWSession) { /* we have the monitor */
772	slot->session = rwsession;
773	}
774	return rwsession;
775	}
776
777	PRBool
778	PK11_RWSessionHasLock(PK11SlotInfo *slot, CK_SESSION_HANDLE session_handle)
779	{
780	PRBool hasLock;
781	hasLock = (PRBool)(!slot->isThreadSafe \|\|
782	(slot->defRWSession && slot->session != CK_INVALID_HANDLE0));
783	return hasLock;
784	}
785
786	static PRBool
787	pk11_RWSessionIsDefault(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession)
788	{
789	PRBool isDefault;
790	isDefault = (PRBool)(slot->session == rwsession &&
791	slot->defRWSession &&
792	slot->session != CK_INVALID_HANDLE0);
793	return isDefault;
794	}
795
796	/*
797	* close the rwsession and restore our readonly session
798	* !!! has a side effect of releasing the Monitor if either the slot's default
799	* session is RW or the slot is not thread safe.
800	*/
801	void
802	PK11_RestoreROSession(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession)
803	{
804	PORT_Assert(rwsession != CK_INVALID_HANDLE)((rwsession != 0)?((void)0):PR_Assert("rwsession != CK_INVALID_HANDLE" ,"pk11slot.c",804));
805	if (rwsession != CK_INVALID_HANDLE0) {
806	PRBool doExit = PK11_RWSessionHasLock(slot, rwsession);
807	if (!pk11_RWSessionIsDefault(slot, rwsession))
808	PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))
809	->C_CloseSession(rwsession);
810	if (doExit)
811	PK11_ExitSlotMonitor(slot);
812	}
813	}
814
815	/************************************************************
816	* Manage the built-In Slot Lists
817	************************************************************/
818
819	/* Init the static built int slot list (should actually integrate
820	* with PK11_NewSlotList */
821	static void
822	pk11_InitSlotListStatic(PK11SlotList *list)
823	{
824	list->lock = PZ_NewLock(nssILockList)PR_NewLock();
825	list->head = NULL((void*)0);
826	}
827
828	/* initialize the system slotlists */
829	SECStatus
830	PK11_InitSlotLists(void)
831	{
832	pk11_InitSlotListStatic(&pk11_seedSlotList);
833	pk11_InitSlotListStatic(&pk11_camelliaSlotList);
834	pk11_InitSlotListStatic(&pk11_aesSlotList);
835	pk11_InitSlotListStatic(&pk11_desSlotList);
836	pk11_InitSlotListStatic(&pk11_rc4SlotList);
837	pk11_InitSlotListStatic(&pk11_rc2SlotList);
838	pk11_InitSlotListStatic(&pk11_rc5SlotList);
839	pk11_InitSlotListStatic(&pk11_md5SlotList);
840	pk11_InitSlotListStatic(&pk11_md2SlotList);
841	pk11_InitSlotListStatic(&pk11_sha1SlotList);
842	pk11_InitSlotListStatic(&pk11_rsaSlotList);
843	pk11_InitSlotListStatic(&pk11_dsaSlotList);
844	pk11_InitSlotListStatic(&pk11_dhSlotList);
845	pk11_InitSlotListStatic(&pk11_ecSlotList);
846	pk11_InitSlotListStatic(&pk11_ideaSlotList);
847	pk11_InitSlotListStatic(&pk11_sslSlotList);
848	pk11_InitSlotListStatic(&pk11_tlsSlotList);
849	pk11_InitSlotListStatic(&pk11_randomSlotList);
850	pk11_InitSlotListStatic(&pk11_sha256SlotList);
851	pk11_InitSlotListStatic(&pk11_sha512SlotList);
852	return SECSuccess;
853	}
854
855	void
856	PK11_DestroySlotLists(void)
857	{
858	pk11_FreeSlotListStatic(&pk11_seedSlotList);
859	pk11_FreeSlotListStatic(&pk11_camelliaSlotList);
860	pk11_FreeSlotListStatic(&pk11_aesSlotList);
861	pk11_FreeSlotListStatic(&pk11_desSlotList);
862	pk11_FreeSlotListStatic(&pk11_rc4SlotList);
863	pk11_FreeSlotListStatic(&pk11_rc2SlotList);
864	pk11_FreeSlotListStatic(&pk11_rc5SlotList);
865	pk11_FreeSlotListStatic(&pk11_md5SlotList);
866	pk11_FreeSlotListStatic(&pk11_md2SlotList);
867	pk11_FreeSlotListStatic(&pk11_sha1SlotList);
868	pk11_FreeSlotListStatic(&pk11_rsaSlotList);
869	pk11_FreeSlotListStatic(&pk11_dsaSlotList);
870	pk11_FreeSlotListStatic(&pk11_dhSlotList);
871	pk11_FreeSlotListStatic(&pk11_ecSlotList);
872	pk11_FreeSlotListStatic(&pk11_ideaSlotList);
873	pk11_FreeSlotListStatic(&pk11_sslSlotList);
874	pk11_FreeSlotListStatic(&pk11_tlsSlotList);
875	pk11_FreeSlotListStatic(&pk11_randomSlotList);
876	pk11_FreeSlotListStatic(&pk11_sha256SlotList);
877	pk11_FreeSlotListStatic(&pk11_sha512SlotList);
878	return;
879	}
880
881	/* return a system slot list based on mechanism */
882	PK11SlotList *
883	PK11_GetSlotList(CK_MECHANISM_TYPE type)
884	{
885	/* XXX a workaround for Bugzilla bug #55267 */
886	#if defined(HPUX) && defined(__LP64__1)
887	if (CKM_INVALID_MECHANISM0xffffffffUL == type)
888	return NULL((void*)0);
889	#endif
890	switch (type) {
891	case CKM_SEED_CBC0x00000652UL:
892	case CKM_SEED_ECB0x00000651UL:
893	return &pk11_seedSlotList;
894	case CKM_CAMELLIA_CBC0x00000552UL:
895	case CKM_CAMELLIA_ECB0x00000551UL:
896	return &pk11_camelliaSlotList;
897	case CKM_AES_CBC0x00001082UL:
898	case CKM_AES_CCM0x00001088UL:
899	case CKM_AES_CTR0x00001086UL:
900	case CKM_AES_CTS0x00001089UL:
901	case CKM_AES_GCM0x00001087UL:
902	case CKM_AES_ECB0x00001081UL:
903	return &pk11_aesSlotList;
904	case CKM_DES_CBC0x00000122UL:
905	case CKM_DES_ECB0x00000121UL:
906	case CKM_DES3_ECB0x00000132UL:
907	case CKM_DES3_CBC0x00000133UL:
908	return &pk11_desSlotList;
909	case CKM_RC40x00000111UL:
910	return &pk11_rc4SlotList;
911	case CKM_RC5_CBC0x00000332UL:
912	return &pk11_rc5SlotList;
913	case CKM_SHA_10x00000220UL:
914	return &pk11_sha1SlotList;
915	case CKM_SHA2240x00000255UL:
916	case CKM_SHA2560x00000250UL:
917	case CKM_SHA3_2240x000002B5UL:
918	case CKM_SHA3_2560x000002B0UL:
919	return &pk11_sha256SlotList;
920	case CKM_SHA3840x00000260UL:
921	case CKM_SHA5120x00000270UL:
922	case CKM_SHA3_3840x000002C0UL:
923	case CKM_SHA3_5120x000002D0UL:
924	return &pk11_sha512SlotList;
925	case CKM_MD50x00000210UL:
926	return &pk11_md5SlotList;
927	case CKM_MD20x00000200UL:
928	return &pk11_md2SlotList;
929	case CKM_RC2_ECB0x00000101UL:
930	case CKM_RC2_CBC0x00000102UL:
931	return &pk11_rc2SlotList;
932	case CKM_RSA_PKCS0x00000001UL:
933	case CKM_RSA_PKCS_KEY_PAIR_GEN0x00000000UL:
934	case CKM_RSA_X_5090x00000003UL:
935	return &pk11_rsaSlotList;
936	case CKM_DSA0x00000011UL:
937	return &pk11_dsaSlotList;
938	case CKM_DH_PKCS_KEY_PAIR_GEN0x00000020UL:
939	case CKM_DH_PKCS_DERIVE0x00000021UL:
940	return &pk11_dhSlotList;
941	case CKM_EDDSA0x00001057UL:
942	case CKM_EC_EDWARDS_KEY_PAIR_GEN0x00001055UL:
943	case CKM_ECDSA0x00001041UL:
944	case CKM_ECDSA_SHA10x00001042UL:
945	case CKM_EC_KEY_PAIR_GEN0x00001040UL: /* aka CKM_ECDSA_KEY_PAIR_GEN */
946	case CKM_ECDH1_DERIVE0x00001050UL:
947	case CKM_NSS_KYBER_KEY_PAIR_GEN((0x80000000UL \| 0x4E534350) + 45): /* Bug 1893029 */
948	case CKM_NSS_KYBER((0x80000000UL \| 0x4E534350) + 46):
949	return &pk11_ecSlotList;
950	case CKM_SSL3_PRE_MASTER_KEY_GEN0x00000370UL:
951	case CKM_SSL3_MASTER_KEY_DERIVE0x00000371UL:
952	case CKM_SSL3_SHA1_MAC0x00000381UL:
953	case CKM_SSL3_MD5_MAC0x00000380UL:
954	return &pk11_sslSlotList;
955	case CKM_TLS_MASTER_KEY_DERIVE0x00000375UL:
956	case CKM_TLS_KEY_AND_MAC_DERIVE0x00000376UL:
957	case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256((0x80000000UL \| 0x4E534350) + 23):
958	return &pk11_tlsSlotList;
959	case CKM_IDEA_CBC0x00000342UL:
960	case CKM_IDEA_ECB0x00000341UL:
961	return &pk11_ideaSlotList;
962	case CKM_FAKE_RANDOM0x80000efeUL:
963	return &pk11_randomSlotList;
964	}
965	return NULL((void*)0);
966	}
967
968	/*
969	* load the static SlotInfo structures used to select a PKCS11 slot.
970	* preSlotInfo has a list of all the default flags for the slots on this
971	* module.
972	*/
973	void
974	PK11_LoadSlotList(PK11SlotInfo slot, PK11PreSlotInfo psi, int count)
975	{
976	int i;
977
978	for (i = 0; i < count; i++) {
979	if (psi[i].slotID == slot->slotID)
980	break;
981	}
982
983	if (i == count)
984	return;
985
986	slot->defaultFlags = psi[i].defaultFlags;
987	slot->askpw = psi[i].askpw;
988	slot->timeout = psi[i].timeout;
989	slot->hasRootCerts = psi[i].hasRootCerts;
990
991	/* if the slot is already disabled, don't load them into the
992	* default slot lists. We get here so we can save the default
993	* list value. */
994	if (slot->disabled)
995	return;
996
997	/* if the user has disabled us, don't load us in */
998	if (slot->defaultFlags & PK11_DISABLE_FLAG0x40000000L) {
999	slot->disabled = PR_TRUE1;
1000	slot->reason = PK11_DIS_USER_SELECTED;
1001	/* free up sessions and things?? */
1002	return;
1003	}
1004
1005	for (i = 0; i < num_pk11_default_mechanisms; i++) {
1006	if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
1007	CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
1008	PK11SlotList *slotList = PK11_GetSlotList(mechanism);
1009
1010	if (slotList)
1011	PK11_AddSlotToList(slotList, slot, PR_FALSE0);
1012	}
1013	}
1014
1015	return;
1016	}
1017
1018	/*
1019	* update a slot to its new attribute according to the slot list
1020	* returns: SECSuccess if nothing to do or add/delete is successful
1021	*/
1022	SECStatus
1023	PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
1024	const PK11DefaultArrayEntry *entry,
1025	PRBool add)
1026	/* add: PR_TRUE if want to turn on */
1027	{
1028	SECStatus result = SECSuccess;
1029	PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism);
1030
1031	if (add) { /* trying to turn on a mechanism */
1032
1033	/* turn on the default flag in the slot */
1034	slot->defaultFlags \|= entry->flag;
1035
1036	/* add this slot to the list */
1037	if (slotList != NULL((void*)0))
1038	result = PK11_AddSlotToList(slotList, slot, PR_FALSE0);
1039
1040	} else { /* trying to turn off */
1041
1042	/* turn OFF the flag in the slot */
1043	slot->defaultFlags &= ~entry->flag;
1044
1045	if (slotList) {
1046	/* find the element in the list & delete it */
1047	PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot);
1048
1049	/* remove the slot from the list */
1050	if (le)
1051	result = PK11_DeleteSlotFromList(slotList, le);
1052	}
1053	}
1054	return result;
1055	}
1056
1057	/*
1058	* clear a slot off of all of it's default list
1059	*/
1060	void
1061	PK11_ClearSlotList(PK11SlotInfo *slot)
1062	{
1063	int i;
1064
1065	if (slot->disabled)
1066	return;
1067	if (slot->defaultFlags == 0)
1068	return;
1069
1070	for (i = 0; i < num_pk11_default_mechanisms; i++) {
1071	if (slot->defaultFlags & PK11_DefaultArray[i].flag) {
1072	CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism;
1073	PK11SlotList *slotList = PK11_GetSlotList(mechanism);
1074	PK11SlotListElement le = NULL((void)0);
1075
1076	if (slotList)
1077	le = PK11_FindSlotElement(slotList, slot);
1078
1079	if (le) {
1080	PK11_DeleteSlotFromList(slotList, le);
1081	PK11_FreeSlotListElement(slotList, le);
1082	}
1083	}
1084	}
1085	}
1086
1087	/******************************************************************
1088	* Slot initialization
1089	******************************************************************/
1090	/*
1091	* turn a PKCS11 Static Label into a string
1092	*/
1093	char *
1094	PK11_MakeString(PLArenaPool arena, char space,
1095	char *staticString, int stringLen)
1096	{
1097	int i;
1098	char *newString;
1099	for (i = (stringLen - 1); i >= 0; i--) {
1100	if (staticString[i] != ' ')
1101	break;
1102	}
1103	/* move i to point to the last space */
1104	i++;
1105	if (arena) {
1106	newString = (char )PORT_ArenaAllocPORT_ArenaAlloc_Util(arena, i + 1 / space for NULL */);
1107	} else if (space) {
1108	newString = space;
1109	} else {
1110	newString = (char )PORT_AllocPORT_Alloc_Util(i + 1 / space for NULL */);
1111	}
1112	if (newString == NULL((void*)0))
1113	return NULL((void*)0);
1114
1115	if (i)
1116	PORT_Memcpymemcpy(newString, staticString, i);
1117	newString[i] = 0;
1118
1119	return newString;
1120	}
1121
1122	/*
1123	* check if a null-terminated string matches with a PKCS11 Static Label
1124	*/
1125	PRBool
1126	pk11_MatchString(const char *string,
1127	const char *staticString, size_t staticStringLen)
1128	{
1129	size_t i = staticStringLen;
1130
1131	/* move i to point to the last space */
1132	while (i > 0) {
1133	if (staticString[i - 1] != ' ')
1134	break;
1135	i--;
1136	}
1137
1138	if (strlen(string) == i && memcmp(string, staticString, i) == 0) {
1139	return PR_TRUE1;
1140	}
1141
1142	return PR_FALSE0;
1143	}
1144
1145	/*
1146	* Reads in the slots mechanism list for later use
1147	*/
1148	SECStatus
1149	PK11_ReadMechanismList(PK11SlotInfo *slot)
1150	{
1151	CK_ULONG count;
1152	CK_RV crv;
1153	PRUint32 i;
1154
1155	if (slot->mechanismList) {
1156	PORT_FreePORT_Free_Util(slot->mechanismList);
1157	slot->mechanismList = NULL((void*)0);
1158	}
1159	slot->mechanismCount = 0;
1160
1161	if (!slot->isThreadSafe)
1162	PK11_EnterSlotMonitor(slot);
1163	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetMechanismList(slot->slotID, NULL((void*)0), &count);
1164	if (crv != CKR_OK0x00000000UL) {
1165	if (!slot->isThreadSafe)
1166	PK11_ExitSlotMonitor(slot);
1167	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
1168	return SECFailure;
1169	}
1170
1171	slot->mechanismList = (CK_MECHANISM_TYPE *)
1172	PORT_AllocPORT_Alloc_Util(count * sizeof(CK_MECHANISM_TYPE));
1173	if (slot->mechanismList == NULL((void*)0)) {
1174	if (!slot->isThreadSafe)
1175	PK11_ExitSlotMonitor(slot);
1176	return SECFailure;
1177	}
1178	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetMechanismList(slot->slotID,
1179	slot->mechanismList, &count);
1180	if (!slot->isThreadSafe)
1181	PK11_ExitSlotMonitor(slot);
1182	if (crv != CKR_OK0x00000000UL) {
1183	PORT_FreePORT_Free_Util(slot->mechanismList);
1184	slot->mechanismList = NULL((void*)0);
1185	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
1186	return SECSuccess;
1187	}
1188	slot->mechanismCount = count;
1189	PORT_Memsetmemset(slot->mechanismBits, 0, sizeof(slot->mechanismBits));
1190
1191	for (i = 0; i < count; i++) {
1192	CK_MECHANISM_TYPE mech = slot->mechanismList[i];
1193	if (mech < 0x7ff) {
1194	slot->mechanismBits[mech & 0xff] \|= 1 << (mech >> 8);
1195	}
1196	}
1197	return SECSuccess;
1198	}
1199
1200	static SECStatus
1201	pk11_ReadProfileList(PK11SlotInfo *slot)
1202	{
1203	CK_ATTRIBUTE findTemp[2];
1204	CK_ATTRIBUTE *attrs;
1205	CK_BBOOL cktrue = CK_TRUE1;
1206	CK_OBJECT_CLASS oclass = CKO_PROFILE0x00000009UL;
1207	size_t tsize;
1208	int objCount;
1209	CK_OBJECT_HANDLE handles = NULL((void)0);
1210	int i;
1211
1212	attrs = findTemp;
1213	PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue))(attrs)->type = (0x00000001UL); (attrs)->pValue = (& cktrue); (attrs)->ulValueLen = (sizeof(cktrue));;
1214	attrs++;
1215	PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass))(attrs)->type = (0x00000000UL); (attrs)->pValue = (& oclass); (attrs)->ulValueLen = (sizeof(oclass));;
1216	attrs++;
1217	tsize = attrs - findTemp;
1218	PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE))((tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE))?((void )0):PR_Assert("tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)" ,"pk11slot.c",1218));
1219
1220	if (slot->profileList) {
1221	PORT_FreePORT_Free_Util(slot->profileList);
1222	slot->profileList = NULL((void*)0);
1223	}
1224	slot->profileCount = 0;
1225
1226	objCount = 0;
1227	handles = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount);
1228	if (handles == NULL((void*)0)) {
1229	if (objCount < 0) {
1230	return SECFailure; /* error code is set */
1231	}
1232	PORT_Assert(objCount == 0)((objCount == 0)?((void)0):PR_Assert("objCount == 0","pk11slot.c" ,1232));
1233	return SECSuccess;
1234	}
1235
1236	slot->profileList = (CK_PROFILE_ID *)
1237	PORT_AllocPORT_Alloc_Util(objCount * sizeof(CK_PROFILE_ID));
1238	if (slot->profileList == NULL((void*)0)) {
1239	PORT_FreePORT_Free_Util(handles);
1240	return SECFailure; /* error code is set */
1241	}
1242
1243	for (i = 0; i < objCount; i++) {
1244	CK_ULONG value;
1245
1246	value = PK11_ReadULongAttribute(slot, handles[i], CKA_PROFILE_ID0x00000601UL);
1247	if (value == CK_UNAVAILABLE_INFORMATION(~0UL)) {
1248	continue;
1249	}
1250	slot->profileList[slot->profileCount++] = value;
1251	}
1252
1253	PORT_FreePORT_Free_Util(handles);
1254	return SECSuccess;
1255	}
1256
1257	static PRBool
1258	pk11_HasProfile(PK11SlotInfo *slot, CK_PROFILE_ID id)
1259	{
1260	int i;
1261
1262	for (i = 0; i < slot->profileCount; i++) {
1263	if (slot->profileList[i] == id) {
1264	return PR_TRUE1;
1265	}
1266	}
1267	return PR_FALSE0;
1268	}
1269
1270	/*
1271	* initialize a new token
1272	* unlike initialize slot, this can be called multiple times in the lifetime
1273	* of NSS. It reads the information associated with a card or token,
1274	* that is not going to change unless the card or token changes.
1275	*/
1276	SECStatus
1277	PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
1278	{
1279	CK_RV crv;
1280	SECStatus rv;
1281	PRStatus status;
1282	NSSToken *nssToken;
1283
1284	/* set the slot flags to the current token values */
1285	if (!slot->isThreadSafe)
1286	PK11_EnterSlotMonitor(slot);
1287	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetTokenInfo(slot->slotID, &slot->tokenInfo);
1288	if (!slot->isThreadSafe)
1289	PK11_ExitSlotMonitor(slot);
1290	if (crv != CKR_OK0x00000000UL) {
1291	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
1292	return SECFailure;
1293	}
1294
1295	/* set the slot flags to the current token values */
1296	slot->series++; /* allow other objects to detect that the
1297	* slot is different */
1298	slot->flags = slot->tokenInfo.flags;
1299	slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED0x00000004UL) ? PR_TRUE1 : PR_FALSE0);
1300	slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED0x00000002UL) ? PR_TRUE1 : PR_FALSE0);
1301
1302	slot->hasRandom = ((slot->tokenInfo.flags & CKF_RNG0x00000001UL) ? PR_TRUE1 : PR_FALSE0);
1303	slot->protectedAuthPath =
1304	((slot->tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH0x00000100UL)
1305	? PR_TRUE1
1306	: PR_FALSE0);
1307	slot->lastLoginCheck = 0;
1308	slot->lastState = 0;
1309	/* on some platforms Active Card incorrectly sets the
1310	* CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
1311	if (slot->isActiveCard) {
1312	slot->protectedAuthPath = PR_FALSE0;
1313	}
1314	(void)PK11_MakeString(NULL((void*)0), slot->token_name,
1315	(char *)slot->tokenInfo.label, sizeof(slot->tokenInfo.label));
1316	slot->minPassword = slot->tokenInfo.ulMinPinLen;
1317	slot->maxPassword = slot->tokenInfo.ulMaxPinLen;
1318	PORT_Memcpymemcpy(slot->serial, slot->tokenInfo.serialNumber, sizeof(slot->serial));
1319
1320	nssToken = PK11Slot_GetNSSToken(slot);
1321	nssToken_UpdateName(nssToken); /* null token is OK */
1322	(void)nssToken_Destroy(nssToken);
1323
1324	slot->defRWSession = (PRBool)((!slot->readOnly) &&
1325	(slot->tokenInfo.ulMaxSessionCount == 1));
1326	rv = PK11_ReadMechanismList(slot);
1327	if (rv != SECSuccess)
1328	return rv;
1329
1330	slot->hasRSAInfo = PR_FALSE0;
1331	slot->RSAInfoFlags = 0;
1332
1333	/* initialize the maxKeyCount value */
1334	if (slot->tokenInfo.ulMaxSessionCount == 0) {
1335	slot->maxKeyCount = 800; /* should be #define or a config param */
1336	} else if (slot->tokenInfo.ulMaxSessionCount < 20) {
1337	/* don't have enough sessions to keep that many keys around */
1338	slot->maxKeyCount = 0;
1339	} else {
1340	slot->maxKeyCount = slot->tokenInfo.ulMaxSessionCount / 2;
1341	}
1342
1343	/* Make sure our session handle is valid */
1344	if (slot->session == CK_INVALID_HANDLE0) {
1345	/* we know we don't have a valid session, go get one */
1346	CK_SESSION_HANDLE session;
1347
1348	/* session should be Readonly, serial */
1349	if (!slot->isThreadSafe)
1350	PK11_EnterSlotMonitor(slot);
1351	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_OpenSession(slot->slotID,
1352	(slot->defRWSession ? CKF_RW_SESSION0x00000002UL : 0) \| CKF_SERIAL_SESSION0x00000004UL,
1353	slot, pk11_notify, &session);
1354	if (!slot->isThreadSafe)
1355	PK11_ExitSlotMonitor(slot);
1356	if (crv != CKR_OK0x00000000UL) {
1357	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
1358	return SECFailure;
1359	}
1360	slot->session = session;
1361	} else {
1362	/* The session we have may be defunct (the token associated with it)
1363	* has been removed */
1364	CK_SESSION_INFO sessionInfo;
1365
1366	if (!slot->isThreadSafe)
1367	PK11_EnterSlotMonitor(slot);
1368	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetSessionInfo(slot->session, &sessionInfo);
1369	if (crv == CKR_DEVICE_ERROR0x00000030UL) {
1370	PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))
1371	->C_CloseSession(slot->session);
1372	crv = CKR_SESSION_CLOSED0x000000B0UL;
1373	}
1374	if ((crv == CKR_SESSION_CLOSED0x000000B0UL) \|\| (crv == CKR_SESSION_HANDLE_INVALID0x000000B3UL)) {
1375	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_OpenSession(slot->slotID,
1376	(slot->defRWSession ? CKF_RW_SESSION0x00000002UL : 0) \| CKF_SERIAL_SESSION0x00000004UL,
1377	slot, pk11_notify, &slot->session);
1378	if (crv != CKR_OK0x00000000UL) {
1379	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
1380	slot->session = CK_INVALID_HANDLE0;
1381	if (!slot->isThreadSafe)
1382	PK11_ExitSlotMonitor(slot);
1383	return SECFailure;
1384	}
1385	}
1386	if (!slot->isThreadSafe)
1387	PK11_ExitSlotMonitor(slot);
1388	}
1389
1390	nssToken = PK11Slot_GetNSSToken(slot);
1391	status = nssToken_Refresh(nssToken); /* null token is OK */
1392	(void)nssToken_Destroy(nssToken);
1393	if (status != PR_SUCCESS)
1394	return SECFailure;
1395
1396	/* Not all tokens have profile objects or even recognize what profile
1397	* objects are it's OK for pk11_ReadProfileList to fail */
1398	(void)pk11_ReadProfileList(slot);
1399
1400	if (!(slot->isInternal) && (slot->hasRandom)) {
1401	/* if this slot has a random number generater, use it to add entropy
1402	* to the internal slot. */
1403	PK11SlotInfo *int_slot = PK11_GetInternalSlot();
1404
1405	if (int_slot) {
1406	unsigned char random_bytes[32];
1407
1408	/* if this slot can issue random numbers, get some entropy from
1409	* that random number generater and give it to our internal token.
1410	*/
1411	PK11_EnterSlotMonitor(slot);
1412	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GenerateRandom(slot->session, random_bytes, sizeof(random_bytes));
1413	PK11_ExitSlotMonitor(slot);
1414	if (crv == CKR_OK0x00000000UL) {
1415	PK11_EnterSlotMonitor(int_slot);
1416	PK11_GETTAB(int_slot)((CK_FUNCTION_LIST_3_0_PTR)((int_slot)->functionList))
1417	->C_SeedRandom(int_slot->session,
1418	random_bytes, sizeof(random_bytes));
1419	PK11_ExitSlotMonitor(int_slot);
1420	}
1421
1422	/* Now return the favor and send entropy to the token's random
1423	* number generater */
1424	PK11_EnterSlotMonitor(int_slot);
1425	crv = PK11_GETTAB(int_slot)((CK_FUNCTION_LIST_3_0_PTR)((int_slot)->functionList))->C_GenerateRandom(int_slot->session,
1426	random_bytes, sizeof(random_bytes));
1427	PK11_ExitSlotMonitor(int_slot);
1428	if (crv == CKR_OK0x00000000UL) {
1429	PK11_EnterSlotMonitor(slot);
1430	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_SeedRandom(slot->session,
	Value stored to 'crv' is never read
1431	random_bytes, sizeof(random_bytes));
1432	PK11_ExitSlotMonitor(slot);
1433	}
1434	PK11_FreeSlot(int_slot);
1435	}
1436	}
1437	/* work around a problem in softoken where it incorrectly
1438	* reports databases opened read only as read/write. */
1439	if (slot->isInternal && !slot->readOnly) {
1440	CK_SESSION_HANDLE session = CK_INVALID_HANDLE0;
1441
1442	/* try to open a R/W session */
1443	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_OpenSession(slot->slotID,
1444	CKF_RW_SESSION0x00000002UL \| CKF_SERIAL_SESSION0x00000004UL, slot, pk11_notify, &session);
1445	/* what a well behaved token should return if you open
1446	* a RW session on a read only token */
1447	if (crv == CKR_TOKEN_WRITE_PROTECTED0x000000E2UL) {
1448	slot->readOnly = PR_TRUE1;
1449	} else if (crv == CKR_OK0x00000000UL) {
1450	CK_SESSION_INFO sessionInfo;
1451
1452	/* Because of a second bug in softoken, which silently returns
1453	* a RO session, we need to check what type of session we got. */
1454	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetSessionInfo(session, &sessionInfo);
1455	if (crv == CKR_OK0x00000000UL) {
1456	if ((sessionInfo.flags & CKF_RW_SESSION0x00000002UL) == 0) {
1457	/* session was readonly, so this softoken slot must be readonly */
1458	slot->readOnly = PR_TRUE1;
1459	}
1460	}
1461	PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))
1462	->C_CloseSession(session);
1463	}
1464	}
1465
1466	return SECSuccess;
1467	}
1468
1469	/*
1470	* initialize a new token
1471	* unlike initialize slot, this can be called multiple times in the lifetime
1472	* of NSS. It reads the information associated with a card or token,
1473	* that is not going to change unless the card or token changes.
1474	*/
1475	SECStatus
1476	PK11_TokenRefresh(PK11SlotInfo *slot)
1477	{
1478	CK_RV crv;
1479
1480	/* set the slot flags to the current token values */
1481	if (!slot->isThreadSafe)
1482	PK11_EnterSlotMonitor(slot);
1483	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetTokenInfo(slot->slotID, &slot->tokenInfo);
1484	if (!slot->isThreadSafe)
1485	PK11_ExitSlotMonitor(slot);
1486	if (crv != CKR_OK0x00000000UL) {
1487	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
1488	return SECFailure;
1489	}
1490
1491	slot->flags = slot->tokenInfo.flags;
1492	slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED0x00000004UL) ? PR_TRUE1 : PR_FALSE0);
1493	slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED0x00000002UL) ? PR_TRUE1 : PR_FALSE0);
1494	slot->hasRandom = ((slot->tokenInfo.flags & CKF_RNG0x00000001UL) ? PR_TRUE1 : PR_FALSE0);
1495	slot->protectedAuthPath =
1496	((slot->tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH0x00000100UL)
1497	? PR_TRUE1
1498	: PR_FALSE0);
1499	/* on some platforms Active Card incorrectly sets the
1500	* CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */
1501	if (slot->isActiveCard) {
1502	slot->protectedAuthPath = PR_FALSE0;
1503	}
1504	return SECSuccess;
1505	}
1506
1507	static PRBool
1508	pk11_isRootSlot(PK11SlotInfo *slot)
1509	{
1510	CK_ATTRIBUTE findTemp[1];
1511	CK_ATTRIBUTE *attrs;
1512	CK_OBJECT_CLASS oclass = CKO_NSS_BUILTIN_ROOT_LIST((0x80000000UL \| 0x4E534350) + 4);
1513	size_t tsize;
1514	CK_OBJECT_HANDLE handle;
1515
1516	attrs = findTemp;
1517	PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass))(attrs)->type = (0x00000000UL); (attrs)->pValue = (& oclass); (attrs)->ulValueLen = (sizeof(oclass));;
1518	attrs++;
1519	tsize = attrs - findTemp;
1520	PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE))((tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE))?((void )0):PR_Assert("tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)" ,"pk11slot.c",1520));
1521
1522	handle = pk11_FindObjectByTemplate(slot, findTemp, tsize);
1523	if (handle == CK_INVALID_HANDLE0) {
1524	return PR_FALSE0;
1525	}
1526	return PR_TRUE1;
1527	}
1528
1529	/*
1530	* Initialize the slot :
1531	* This initialization code is called on each slot a module supports when
1532	* it is loaded. It does the bringup initialization. The difference between
1533	* this and InitToken is Init slot does those one time initialization stuff,
1534	* usually associated with the reader, while InitToken may get called multiple
1535	* times as tokens are removed and re-inserted.
1536	*/
1537	void
1538	PK11_InitSlot(SECMODModule mod, CK_SLOT_ID slotID, PK11SlotInfo slot)
1539	{
1540	SECStatus rv;
1541	CK_SLOT_INFO slotInfo;
1542
1543	slot->functionList = mod->functionList;
1544	slot->isInternal = mod->internal;
1545	slot->slotID = slotID;
1546	slot->isThreadSafe = mod->isThreadSafe;
1547	slot->hasRSAInfo = PR_FALSE0;
1548	slot->module = mod; /* NOTE: we don't make a reference here because
1549	* modules have references to their slots. This
1550	* works because modules keep implicit references
1551	* from their slots, and won't unload and disappear
1552	* until all their slots have been freed */
1553
1554	if (PK11_GetSlotInfo(slot, &slotInfo) != SECSuccess) {
1555	slot->disabled = PR_TRUE1;
1556	slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
1557	return;
1558	}
1559
1560	/* test to make sure claimed mechanism work */
1561	slot->needTest = mod->internal ? PR_FALSE0 : PR_TRUE1;
1562	(void)PK11_MakeString(NULL((void*)0), slot->slot_name,
1563	(char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
1564	slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT0x00000004UL) == CKF_HW_SLOT0x00000004UL);
1565	#define ACTIVE_CARD"ActivCard SA" "ActivCard SA"
1566	slot->isActiveCard = (PRBool)(PORT_Strncmpstrncmp((char *)slotInfo.manufacturerID,
1567	ACTIVE_CARD"ActivCard SA", sizeof(ACTIVE_CARD"ActivCard SA") - 1) == 0);
1568	if ((slotInfo.flags & CKF_REMOVABLE_DEVICE0x00000002UL) == 0) {
1569	slot->isPerm = PR_TRUE1;
1570	/* permanment slots must have the token present always */
1571	if ((slotInfo.flags & CKF_TOKEN_PRESENT0x00000001UL) == 0) {
1572	slot->disabled = PR_TRUE1;
1573	slot->reason = PK11_DIS_TOKEN_NOT_PRESENT;
1574	return; /* nothing else to do */
1575	}
1576	}
1577	/* if the token is present, initialize it */
1578	if ((slotInfo.flags & CKF_TOKEN_PRESENT0x00000001UL) != 0) {
1579	rv = PK11_InitToken(slot, PR_TRUE1);
1580	/* the only hard failures are on permanent devices, or function
1581	* verify failures... function verify failures are already handled
1582	* by tokenInit */
1583	if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) {
1584	slot->disabled = PR_TRUE1;
1585	slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN;
1586	}
1587	if (rv == SECSuccess && pk11_isRootSlot(slot)) {
1588	if (!slot->hasRootCerts) {
1589	slot->module->trustOrder = 100;
1590	}
1591	slot->hasRootCerts = PR_TRUE1;
1592	}
1593	}
1594	if ((slotInfo.flags & CKF_USER_PIN_INITIALIZED0x00000008UL) != 0) {
1595	slot->flags \|= CKF_USER_PIN_INITIALIZED0x00000008UL;
1596	}
1597	}
1598
1599	/*********************************************************************
1600	* Slot mapping utility functions.
1601	*********************************************************************/
1602
1603	/*
1604	* determine if the token is present. If the token is present, make sure
1605	* we have a valid session handle. Also set the value of needLogin
1606	* appropriately.
1607	*/
1608	static PRBool
1609	pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts)
1610	{
1611	CK_SLOT_INFO slotInfo;
1612	CK_SESSION_INFO sessionInfo;
1613	CK_RV crv;
1614
1615	/* disabled slots are never present */
1616	if (slot->disabled) {
1617	return PR_FALSE0;
1618	}
1619
1620	/* permanent slots are always present */
1621	if (slot->isPerm && (slot->session != CK_INVALID_HANDLE0)) {
1622	return PR_TRUE1;
1623	}
1624
1625	NSSToken *nssToken = PK11Slot_GetNSSToken(slot);
1626	if (nssToken) {
1627	PRBool present = nssToken_IsPresent(nssToken);
1628	(void)nssToken_Destroy(nssToken);
1629	return present;
1630	}
1631
1632	/* removable slots have a flag that says they are present */
1633	if (PK11_GetSlotInfo(slot, &slotInfo) != SECSuccess) {
1634	return PR_FALSE0;
1635	}
1636
1637	if ((slotInfo.flags & CKF_TOKEN_PRESENT0x00000001UL) == 0) {
1638	/* if the slot is no longer present, close the session */
1639	if (slot->session != CK_INVALID_HANDLE0) {
1640	if (!slot->isThreadSafe) {
1641	PK11_EnterSlotMonitor(slot);
1642	}
1643	PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))
1644	->C_CloseSession(slot->session);
1645	slot->session = CK_INVALID_HANDLE0;
1646	if (!slot->isThreadSafe) {
1647	PK11_ExitSlotMonitor(slot);
1648	}
1649	}
1650	return PR_FALSE0;
1651	}
1652
1653	/* use the session Info to determine if the card has been removed and then
1654	* re-inserted */
1655	if (slot->session != CK_INVALID_HANDLE0) {
1656	if (slot->isThreadSafe) {
1657	PK11_EnterSlotMonitor(slot);
1658	}
1659	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetSessionInfo(slot->session, &sessionInfo);
1660	if (crv != CKR_OK0x00000000UL) {
1661	PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))
1662	->C_CloseSession(slot->session);
1663	slot->session = CK_INVALID_HANDLE0;
1664	}
1665	if (slot->isThreadSafe) {
1666	PK11_ExitSlotMonitor(slot);
1667	}
1668	}
1669
1670	/* card has not been removed, current token info is correct */
1671	if (slot->session != CK_INVALID_HANDLE0)
1672	return PR_TRUE1;
1673
1674	/* initialize the token info state */
1675	if (PK11_InitToken(slot, loadCerts) != SECSuccess) {
1676	return PR_FALSE0;
1677	}
1678
1679	return PR_TRUE1;
1680	}
1681
1682	/*
1683	* old version of the routine
1684	*/
1685	PRBool
1686	PK11_IsPresent(PK11SlotInfo *slot)
1687	{
1688	return pk11_IsPresentCertLoad(slot, PR_TRUE1);
1689	}
1690
1691	/* is the slot disabled? */
1692	PRBool
1693	PK11_IsDisabled(PK11SlotInfo *slot)
1694	{
1695	return slot->disabled;
1696	}
1697
1698	/* and why? */
1699	PK11DisableReasons
1700	PK11_GetDisabledReason(PK11SlotInfo *slot)
1701	{
1702	return slot->reason;
1703	}
1704
1705	/* returns PR_TRUE if successfully disable the slot */
1706	/* returns PR_FALSE otherwise */
1707	PRBool
1708	PK11_UserDisableSlot(PK11SlotInfo *slot)
1709	{
1710
1711	/* Prevent users from disabling the internal module. */
1712	if (slot->isInternal) {
1713	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ARGS);
1714	return PR_FALSE0;
1715	}
1716
1717	slot->defaultFlags \|= PK11_DISABLE_FLAG0x40000000L;
1718	slot->disabled = PR_TRUE1;
1719	slot->reason = PK11_DIS_USER_SELECTED;
1720
1721	return PR_TRUE1;
1722	}
1723
1724	PRBool
1725	PK11_UserEnableSlot(PK11SlotInfo *slot)
1726	{
1727
1728	slot->defaultFlags &= ~PK11_DISABLE_FLAG0x40000000L;
1729	slot->disabled = PR_FALSE0;
1730	slot->reason = PK11_DIS_NONE;
1731	return PR_TRUE1;
1732	}
1733
1734	PRBool
1735	PK11_HasRootCerts(PK11SlotInfo *slot)
1736	{
1737	return slot->hasRootCerts;
1738	}
1739
1740	/* Get the module this slot is attached to */
1741	SECMODModule *
1742	PK11_GetModule(PK11SlotInfo *slot)
1743	{
1744	return slot->module;
1745	}
1746
1747	/* return the default flags of a slot */
1748	unsigned long
1749	PK11_GetDefaultFlags(PK11SlotInfo *slot)
1750	{
1751	return slot->defaultFlags;
1752	}
1753
1754	/*
1755	* The following wrapper functions allow us to export an opaque slot
1756	* function to the rest of libsec and the world... */
1757	PRBool
1758	PK11_IsReadOnly(PK11SlotInfo *slot)
1759	{
1760	return slot->readOnly;
1761	}
1762
1763	PRBool
1764	PK11_IsHW(PK11SlotInfo *slot)
1765	{
1766	return slot->isHW;
1767	}
1768
1769	PRBool
1770	PK11_IsRemovable(PK11SlotInfo *slot)
1771	{
1772	return !slot->isPerm;
1773	}
1774
1775	PRBool
1776	PK11_IsInternal(PK11SlotInfo *slot)
1777	{
1778	return slot->isInternal;
1779	}
1780
1781	PRBool
1782	PK11_IsInternalKeySlot(PK11SlotInfo *slot)
1783	{
1784	PK11SlotInfo *int_slot;
1785	PRBool result;
1786
1787	if (!slot->isInternal) {
1788	return PR_FALSE0;
1789	}
1790
1791	int_slot = PK11_GetInternalKeySlot();
1792	result = (int_slot == slot) ? PR_TRUE1 : PR_FALSE0;
1793	PK11_FreeSlot(int_slot);
1794	return result;
1795	}
1796
1797	PRBool
1798	PK11_NeedLogin(PK11SlotInfo *slot)
1799	{
1800	return slot->needLogin;
1801	}
1802
1803	PRBool
1804	PK11_IsFriendly(PK11SlotInfo *slot)
1805	{
1806	/* internal slot always has public readable certs */
1807	return (PRBool)(slot->isInternal \|\|
1808	pk11_HasProfile(slot, CKP_PUBLIC_CERTIFICATES_TOKEN0x00000004UL) \|\|
1809	((slot->defaultFlags & SECMOD_FRIENDLY_FLAG0x10000000L) ==
1810	SECMOD_FRIENDLY_FLAG0x10000000L));
1811	}
1812
1813	char *
1814	PK11_GetTokenName(PK11SlotInfo *slot)
1815	{
1816	return slot->token_name;
1817	}
1818
1819	char *
1820	PK11_GetTokenURI(PK11SlotInfo *slot)
1821	{
1822	PK11URI *uri;
1823	char ret = NULL((void)0);
1824	char label[32 + 1], manufacturer[32 + 1], serial[16 + 1], model[16 + 1];
1825	PK11URIAttribute attrs[4];
1826	size_t nattrs = 0;
1827
1828	PK11_MakeString(NULL((void)0), label, (char )slot->tokenInfo.label,
1829	sizeof(slot->tokenInfo.label));
1830	if (*label != '\0') {
1831	attrs[nattrs].name = PK11URI_PATTR_TOKEN"token";
1832	attrs[nattrs].value = label;
1833	nattrs++;
1834	}
1835
1836	PK11_MakeString(NULL((void)0), manufacturer, (char )slot->tokenInfo.manufacturerID,
1837	sizeof(slot->tokenInfo.manufacturerID));
1838	if (*manufacturer != '\0') {
1839	attrs[nattrs].name = PK11URI_PATTR_MANUFACTURER"manufacturer";
1840	attrs[nattrs].value = manufacturer;
1841	nattrs++;
1842	}
1843
1844	PK11_MakeString(NULL((void)0), serial, (char )slot->tokenInfo.serialNumber,
1845	sizeof(slot->tokenInfo.serialNumber));
1846	if (*serial != '\0') {
1847	attrs[nattrs].name = PK11URI_PATTR_SERIAL"serial";
1848	attrs[nattrs].value = serial;
1849	nattrs++;
1850	}
1851
1852	PK11_MakeString(NULL((void)0), model, (char )slot->tokenInfo.model,
1853	sizeof(slot->tokenInfo.model));
1854	if (*model != '\0') {
1855	attrs[nattrs].name = PK11URI_PATTR_MODEL"model";
1856	attrs[nattrs].value = model;
1857	nattrs++;
1858	}
1859
1860	uri = PK11URI_CreateURI(attrs, nattrs, NULL((void*)0), 0);
1861	if (uri == NULL((void*)0)) {
1862	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE);
1863	return NULL((void*)0);
1864	}
1865
1866	ret = PK11URI_FormatURI(NULL((void*)0), uri);
1867	PK11URI_DestroyURI(uri);
1868
1869	if (ret == NULL((void*)0)) {
1870	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_LIBRARY_FAILURE);
1871	}
1872
1873	return ret;
1874	}
1875
1876	char *
1877	PK11_GetSlotName(PK11SlotInfo *slot)
1878	{
1879	return slot->slot_name;
1880	}
1881
1882	int
1883	PK11_GetSlotSeries(PK11SlotInfo *slot)
1884	{
1885	return slot->series;
1886	}
1887
1888	int
1889	PK11_GetCurrentWrapIndex(PK11SlotInfo *slot)
1890	{
1891	return slot->wrapKey;
1892	}
1893
1894	CK_SLOT_ID
1895	PK11_GetSlotID(PK11SlotInfo *slot)
1896	{
1897	return slot->slotID;
1898	}
1899
1900	SECMODModuleID
1901	PK11_GetModuleID(PK11SlotInfo *slot)
1902	{
1903	return slot->module->moduleID;
1904	}
1905
1906	static void
1907	pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size)
1908	{
1909	CK_CHAR *walk = buffer;
1910	CK_CHAR *end = buffer + buffer_size;
1911
1912	/* find the NULL */
1913	while (walk < end && *walk != '\0') {
1914	walk++;
1915	}
1916
1917	/* clear out the buffer */
1918	while (walk < end) {
1919	*walk++ = ' ';
1920	}
1921	}
1922
1923	/* return the slot info structure */
1924	SECStatus
1925	PK11_GetSlotInfo(PK11SlotInfo slot, CK_SLOT_INFO info)
1926	{
1927	CK_RV crv;
1928
1929	if (!slot->isThreadSafe)
1930	PK11_EnterSlotMonitor(slot);
1931	/*
1932	* some buggy drivers do not fill the buffer completely,
1933	* erase the buffer first
1934	*/
1935	PORT_Memsetmemset(info->slotDescription, ' ', sizeof(info->slotDescription));
1936	PORT_Memsetmemset(info->manufacturerID, ' ', sizeof(info->manufacturerID));
1937	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetSlotInfo(slot->slotID, info);
1938	pk11_zeroTerminatedToBlankPadded(info->slotDescription,
1939	sizeof(info->slotDescription));
1940	pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
1941	sizeof(info->manufacturerID));
1942	if (!slot->isThreadSafe)
1943	PK11_ExitSlotMonitor(slot);
1944	if (crv != CKR_OK0x00000000UL) {
1945	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
1946	return SECFailure;
1947	}
1948	return SECSuccess;
1949	}
1950
1951	/* return the token info structure */
1952	SECStatus
1953	PK11_GetTokenInfo(PK11SlotInfo slot, CK_TOKEN_INFO info)
1954	{
1955	CK_RV crv;
1956	if (!slot->isThreadSafe)
1957	PK11_EnterSlotMonitor(slot);
1958	/*
1959	* some buggy drivers do not fill the buffer completely,
1960	* erase the buffer first
1961	*/
1962	PORT_Memsetmemset(info->label, ' ', sizeof(info->label));
1963	PORT_Memsetmemset(info->manufacturerID, ' ', sizeof(info->manufacturerID));
1964	PORT_Memsetmemset(info->model, ' ', sizeof(info->model));
1965	PORT_Memsetmemset(info->serialNumber, ' ', sizeof(info->serialNumber));
1966	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetTokenInfo(slot->slotID, info);
1967	pk11_zeroTerminatedToBlankPadded(info->label, sizeof(info->label));
1968	pk11_zeroTerminatedToBlankPadded(info->manufacturerID,
1969	sizeof(info->manufacturerID));
1970	pk11_zeroTerminatedToBlankPadded(info->model, sizeof(info->model));
1971	pk11_zeroTerminatedToBlankPadded(info->serialNumber,
1972	sizeof(info->serialNumber));
1973	if (!slot->isThreadSafe)
1974	PK11_ExitSlotMonitor(slot);
1975	if (crv != CKR_OK0x00000000UL) {
1976	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
1977	return SECFailure;
1978	}
1979	return SECSuccess;
1980	}
1981
1982	PRBool
1983	pk11_MatchUriTokenInfo(PK11SlotInfo slot, PK11URI uri)
1984	{
1985	const char *value;
1986
1987	value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_TOKEN"token");
1988	if (value) {
1989	if (!pk11_MatchString(value, (char *)slot->tokenInfo.label,
1990	sizeof(slot->tokenInfo.label))) {
1991	return PR_FALSE0;
1992	}
1993	}
1994
1995	value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MANUFACTURER"manufacturer");
1996	if (value) {
1997	if (!pk11_MatchString(value, (char *)slot->tokenInfo.manufacturerID,
1998	sizeof(slot->tokenInfo.manufacturerID))) {
1999	return PR_FALSE0;
2000	}
2001	}
2002
2003	value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_SERIAL"serial");
2004	if (value) {
2005	if (!pk11_MatchString(value, (char *)slot->tokenInfo.serialNumber,
2006	sizeof(slot->tokenInfo.serialNumber))) {
2007	return PR_FALSE0;
2008	}
2009	}
2010
2011	value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MODEL"model");
2012	if (value) {
2013	if (!pk11_MatchString(value, (char *)slot->tokenInfo.model,
2014	sizeof(slot->tokenInfo.model))) {
2015	return PR_FALSE0;
2016	}
2017	}
2018
2019	return PR_TRUE1;
2020	}
2021
2022	/* Find out if we need to initialize the user's pin */
2023	PRBool
2024	PK11_NeedUserInit(PK11SlotInfo *slot)
2025	{
2026	PRBool needUserInit = (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED0x00000008UL) == 0);
2027
2028	if (needUserInit) {
2029	CK_TOKEN_INFO info;
2030	SECStatus rv;
2031
2032	/* see if token has been initialized off line */
2033	rv = PK11_GetTokenInfo(slot, &info);
2034	if (rv == SECSuccess) {
2035	slot->flags = info.flags;
2036	}
2037	}
2038	return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED0x00000008UL) == 0);
2039	}
2040
2041	static PK11SlotInfo pk11InternalKeySlot = NULL((void)0);
2042
2043	/*
2044	* Set a new default internal keyslot. If one has already been set, clear it.
2045	* Passing NULL falls back to the NSS normally selected default internal key
2046	* slot.
2047	*/
2048	void
2049	pk11_SetInternalKeySlot(PK11SlotInfo *slot)
2050	{
2051	if (pk11InternalKeySlot) {
2052	PK11_FreeSlot(pk11InternalKeySlot);
2053	}
2054	pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL((void*)0);
2055	}
2056
2057	/*
2058	* Set a new default internal keyslot if the normal key slot has not already
2059	* been overridden. Subsequent calls to this function will be ignored unless
2060	* pk11_SetInternalKeySlot is used to clear the current default.
2061	*/
2062	void
2063	pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot)
2064	{
2065	if (pk11InternalKeySlot) {
2066	return;
2067	}
2068	pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL((void*)0);
2069	}
2070
2071	/*
2072	* Swap out a default internal keyslot. Caller owns the Slot Reference
2073	*/
2074	PK11SlotInfo *
2075	pk11_SwapInternalKeySlot(PK11SlotInfo *slot)
2076	{
2077	PK11SlotInfo *swap = pk11InternalKeySlot;
2078
2079	pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL((void*)0);
2080	return swap;
2081	}
2082
2083	/* get the internal key slot. FIPS has only one slot for both key slots and
2084	* default slots */
2085	PK11SlotInfo *
2086	PK11_GetInternalKeySlot(void)
2087	{
2088	SECMODModule *mod;
2089
2090	if (pk11InternalKeySlot) {
2091	return PK11_ReferenceSlot(pk11InternalKeySlot);
2092	}
2093
2094	mod = SECMOD_GetInternalModule();
2095	PORT_Assert(mod != NULL)((mod != ((void*)0))?((void)0):PR_Assert("mod != NULL","pk11slot.c" ,2095));
2096	if (!mod) {
2097	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_MODULE);
2098	return NULL((void*)0);
2099	}
2100	return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]);
2101	}
2102
2103	/* get the internal default slot */
2104	PK11SlotInfo *
2105	PK11_GetInternalSlot(void)
2106	{
2107	SECMODModule *mod = SECMOD_GetInternalModule();
2108	PORT_Assert(mod != NULL)((mod != ((void*)0))?((void)0):PR_Assert("mod != NULL","pk11slot.c" ,2108));
2109	if (!mod) {
2110	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_MODULE);
2111	return NULL((void*)0);
2112	}
2113	if (mod->isFIPS) {
2114	return PK11_GetInternalKeySlot();
2115	}
2116	return PK11_ReferenceSlot(mod->slots[0]);
2117	}
2118
2119	/*
2120	* check if a given slot supports the requested mechanism
2121	*/
2122	PRBool
2123	PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type)
2124	{
2125	int i;
2126
2127	/* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to
2128	* tell us we're looking form someone that has implemented get
2129	* random bits */
2130	if (type == CKM_FAKE_RANDOM0x80000efeUL) {
2131	return slot->hasRandom;
2132	}
2133
2134	/* for most mechanism, bypass the linear lookup */
2135	if (type < 0x7ff) {
2136	return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? PR_TRUE1 : PR_FALSE0;
2137	}
2138
2139	for (i = 0; i < (int)slot->mechanismCount; i++) {
2140	if (slot->mechanismList[i] == type)
2141	return PR_TRUE1;
2142	}
2143	return PR_FALSE0;
2144	}
2145
2146	PRBool pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism,
2147	CK_FLAGS mechanismInfoFlags, unsigned int keySize);
2148	/*
2149	* Check that the given mechanism has the appropriate flags. This function
2150	* presumes that slot can already do the given mechanism.
2151	*/
2152	PRBool
2153	PK11_DoesMechanismFlag(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
2154	CK_FLAGS flags)
2155	{
2156	return !pk11_filterSlot(slot, type, flags, 0);
2157	}
2158
2159	/*
2160	* Return true if a token that can do the desired mechanism exists.
2161	* This allows us to have hardware tokens that can do function XYZ magically
2162	* allow SSL Ciphers to appear if they are plugged in.
2163	*/
2164	PRBool
2165	PK11_TokenExists(CK_MECHANISM_TYPE type)
2166	{
2167	SECMODModuleList *mlp;
2168	SECMODModuleList *modules;
2169	SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock();
2170	PK11SlotInfo *slot;
2171	PRBool found = PR_FALSE0;
2172	int i;
2173
2174	if (!moduleLock) {
2175	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NOT_INITIALIZED);
2176	return found;
2177	}
2178	/* we only need to know if there is a token that does this mechanism.
2179	* check the internal module first because it's fast, and supports
2180	* almost everything. */
2181	slot = PK11_GetInternalSlot();
2182	if (slot) {
2183	found = PK11_DoesMechanism(slot, type);
2184	PK11_FreeSlot(slot);
2185	}
2186	if (found)
2187	return PR_TRUE1; /* bypass getting module locks */
2188
2189	SECMOD_GetReadLock(moduleLock);
2190	modules = SECMOD_GetDefaultModuleList();
2191	for (mlp = modules; mlp != NULL((void*)0) && (!found); mlp = mlp->next) {
2192	for (i = 0; i < mlp->module->slotCount; i++) {
2193	slot = mlp->module->slots[i];
2194	if (PK11_IsPresent(slot)) {
2195	if (PK11_DoesMechanism(slot, type)) {
2196	found = PR_TRUE1;
2197	break;
2198	}
2199	}
2200	}
2201	}
2202	SECMOD_ReleaseReadLock(moduleLock);
2203	return found;
2204	}
2205
2206	/*
2207	* get all the currently available tokens in a list.
2208	* that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM,
2209	* get all the tokens. Make sure tokens that need authentication are put at
2210	* the end of this list.
2211	*/
2212	PK11SlotList *
2213	PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts,
2214	void *wincx)
2215	{
2216	PK11SlotList *list;
2217	PK11SlotList *loginList;
2218	PK11SlotList *friendlyList;
2219	SECMODModuleList *mlp;
2220	SECMODModuleList *modules;
2221	SECMODListLock *moduleLock;
2222	int i;
2223
2224	moduleLock = SECMOD_GetDefaultModuleListLock();
2225	if (!moduleLock) {
2226	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NOT_INITIALIZED);
2227	return NULL((void*)0);
2228	}
2229
2230	list = PK11_NewSlotList();
2231	loginList = PK11_NewSlotList();
2232	friendlyList = PK11_NewSlotList();
2233	if ((list == NULL((void)0)) \|\| (loginList == NULL((void)0)) \|\| (friendlyList == NULL((void*)0))) {
2234	if (list)
2235	PK11_FreeSlotList(list);
2236	if (loginList)
2237	PK11_FreeSlotList(loginList);
2238	if (friendlyList)
2239	PK11_FreeSlotList(friendlyList);
2240	return NULL((void*)0);
2241	}
2242
2243	SECMOD_GetReadLock(moduleLock);
2244
2245	modules = SECMOD_GetDefaultModuleList();
2246	for (mlp = modules; mlp != NULL((void*)0); mlp = mlp->next) {
2247	for (i = 0; i < mlp->module->slotCount; i++) {
2248	PK11SlotInfo *slot = mlp->module->slots[i];
2249
2250	if (pk11_IsPresentCertLoad(slot, loadCerts)) {
2251	if (needRW && slot->readOnly)
2252	continue;
2253	if ((type == CKM_INVALID_MECHANISM0xffffffffUL) \|\| PK11_DoesMechanism(slot, type)) {
2254	if (pk11_LoginStillRequired(slot, wincx)) {
2255	if (PK11_IsFriendly(slot)) {
2256	PK11_AddSlotToList(friendlyList, slot, PR_TRUE1);
2257	} else {
2258	PK11_AddSlotToList(loginList, slot, PR_TRUE1);
2259	}
2260	} else {
2261	PK11_AddSlotToList(list, slot, PR_TRUE1);
2262	}
2263	}
2264	}
2265	}
2266	}
2267	SECMOD_ReleaseReadLock(moduleLock);
2268
2269	pk11_MoveListToList(list, friendlyList);
2270	PK11_FreeSlotList(friendlyList);
2271	pk11_MoveListToList(list, loginList);
2272	PK11_FreeSlotList(loginList);
2273
2274	return list;
2275	}
2276
2277	/*
2278	* NOTE: This routine is working from a private List generated by
2279	* PK11_GetAllTokens. That is why it does not need to lock.
2280	*/
2281	PK11SlotList *
2282	PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type, PRBool needRW, void *wincx)
2283	{
2284	PK11SlotList *list = PK11_GetAllTokens(type, needRW, PR_TRUE1, wincx);
2285	PK11SlotListElement le, next;
2286	SECStatus rv;
2287
2288	if (list == NULL((void*)0))
2289	return list;
2290
2291	for (le = list->head; le; le = next) {
2292	next = le->next; /* save the pointer here in case we have to
2293	* free the element later */
2294	rv = PK11_Authenticate(le->slot, PR_TRUE1, wincx);
2295	if (rv != SECSuccess) {
2296	PK11_DeleteSlotFromList(list, le);
2297	continue;
2298	}
2299	}
2300	return list;
2301	}
2302
2303	/*
2304	* returns true if the slot doesn't conform to the requested attributes
2305	*/
2306	PRBool
2307	pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism,
2308	CK_FLAGS mechanismInfoFlags, unsigned int keySize)
2309	{
2310	CK_MECHANISM_INFO mechanism_info;
2311	CK_RV crv = CKR_OK0x00000000UL;
2312
2313	/* handle the only case where we don't actually fetch the mechanisms
2314	* on the fly */
2315	if ((keySize == 0) && (mechanism == CKM_RSA_PKCS0x00000001UL) && (slot->hasRSAInfo)) {
2316	mechanism_info.flags = slot->RSAInfoFlags;
2317	} else {
2318	if (!slot->isThreadSafe)
2319	PK11_EnterSlotMonitor(slot);
2320	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetMechanismInfo(slot->slotID, mechanism,
2321	&mechanism_info);
2322	if (!slot->isThreadSafe)
2323	PK11_ExitSlotMonitor(slot);
2324	/* if we were getting the RSA flags, save them */
2325	if ((crv == CKR_OK0x00000000UL) && (mechanism == CKM_RSA_PKCS0x00000001UL) && (!slot->hasRSAInfo)) {
2326	slot->RSAInfoFlags = mechanism_info.flags;
2327	slot->hasRSAInfo = PR_TRUE1;
2328	}
2329	}
2330	/* couldn't get the mechanism info */
2331	if (crv != CKR_OK0x00000000UL) {
2332	return PR_TRUE1;
2333	}
2334	if (keySize && ((mechanism_info.ulMinKeySize > keySize) \|\| (mechanism_info.ulMaxKeySize < keySize))) {
2335	/* Token can do mechanism, but not at the key size we
2336	* want */
2337	return PR_TRUE1;
2338	}
2339	if (mechanismInfoFlags && ((mechanism_info.flags & mechanismInfoFlags) !=
2340	mechanismInfoFlags)) {
2341	return PR_TRUE1;
2342	}
2343	return PR_FALSE0;
2344	}
2345
2346	/*
2347	* Find the best slot which supports the given set of mechanisms and key sizes.
2348	* In normal cases this should grab the first slot on the list with no fuss.
2349	* The size array is presumed to match one for one with the mechanism type
2350	* array, which allows you to specify the required key size for each
2351	* mechanism in the list. Whether key size is in bits or bytes is mechanism
2352	* dependent. Typically asymetric keys are in bits and symetric keys are in
2353	* bytes.
2354	*/
2355	PK11SlotInfo *
2356	PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type,
2357	CK_FLAGS mechanismInfoFlags, unsigned int keySize,
2358	unsigned int mech_count, void *wincx)
2359	{
2360	PK11SlotList list = NULL((void)0);
2361	PK11SlotListElement *le;
2362	PK11SlotInfo slot = NULL((void)0);
2363	PRBool freeit = PR_FALSE0;
2364	PRBool listNeedLogin = PR_FALSE0;
2365	unsigned int i;
2366	SECStatus rv;
2367
2368	list = PK11_GetSlotList(type[0]);
2369
2370	if ((list == NULL((void)0)) \|\| (list->head == NULL((void)0))) {
2371	/* We need to look up all the tokens for the mechanism */
2372	list = PK11_GetAllTokens(type[0], PR_FALSE0, PR_TRUE1, wincx);
2373	freeit = PR_TRUE1;
2374	}
2375
2376	/* no one can do it! */
2377	if (list == NULL((void*)0)) {
2378	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_TOKEN);
2379	return NULL((void*)0);
2380	}
2381
2382	PORT_SetErrorPORT_SetError_Util(0);
2383
2384	listNeedLogin = PR_FALSE0;
2385	for (i = 0; i < mech_count; i++) {
2386	if ((type[i] != CKM_FAKE_RANDOM0x80000efeUL) &&
2387	(type[i] != CKM_SHA_10x00000220UL) &&
2388	(type[i] != CKM_SHA2240x00000255UL) &&
2389	(type[i] != CKM_SHA2560x00000250UL) &&
2390	(type[i] != CKM_SHA3840x00000260UL) &&
2391	(type[i] != CKM_SHA5120x00000270UL) &&
2392	(type[i] != CKM_MD50x00000210UL) &&
2393	(type[i] != CKM_MD20x00000200UL)) {
2394	listNeedLogin = PR_TRUE1;
2395	break;
2396	}
2397	}
2398
2399	for (le = PK11_GetFirstSafe(list); le;
2400	le = PK11_GetNextSafe(list, le, PR_TRUE1)) {
2401	if (PK11_IsPresent(le->slot)) {
2402	PRBool doExit = PR_FALSE0;
2403	for (i = 0; i < mech_count; i++) {
2404	if (!PK11_DoesMechanism(le->slot, type[i])) {
2405	doExit = PR_TRUE1;
2406	break;
2407	}
2408	if ((mechanismInfoFlags && mechanismInfoFlags[i]) \|\|
2409	(keySize && keySize[i])) {
2410	if (pk11_filterSlot(le->slot, type[i],
2411	mechanismInfoFlags ? mechanismInfoFlags[i] : 0,
2412	keySize ? keySize[i] : 0)) {
2413	doExit = PR_TRUE1;
2414	break;
2415	}
2416	}
2417	}
2418
2419	if (doExit)
2420	continue;
2421
2422	if (listNeedLogin && le->slot->needLogin) {
2423	rv = PK11_Authenticate(le->slot, PR_TRUE1, wincx);
2424	if (rv != SECSuccess)
2425	continue;
2426	}
2427	slot = le->slot;
2428	PK11_ReferenceSlot(slot);
2429	PK11_FreeSlotListElement(list, le);
2430	if (freeit) {
2431	PK11_FreeSlotList(list);
2432	}
2433	return slot;
2434	}
2435	}
2436	if (freeit) {
2437	PK11_FreeSlotList(list);
2438	}
2439	if (PORT_GetErrorPORT_GetError_Util() == 0) {
2440	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_NO_TOKEN);
2441	}
2442	return NULL((void*)0);
2443	}
2444
2445	PK11SlotInfo *
2446	PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type,
2447	unsigned int mech_count, void *wincx)
2448	{
2449	return PK11_GetBestSlotMultipleWithAttributes(type, NULL((void)0), NULL((void)0),
2450	mech_count, wincx);
2451	}
2452
2453	/* original get best slot now calls the multiple version with only one type */
2454	PK11SlotInfo *
2455	PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx)
2456	{
2457	return PK11_GetBestSlotMultipleWithAttributes(&type, NULL((void)0), NULL((void)0), 1, wincx);
2458	}
2459
2460	PK11SlotInfo *
2461	PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type, CK_FLAGS mechanismFlags,
2462	unsigned int keySize, void *wincx)
2463	{
2464	return PK11_GetBestSlotMultipleWithAttributes(&type, &mechanismFlags,
2465	&keySize, 1, wincx);
2466	}
2467
2468	int
2469	PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism)
2470	{
2471	CK_MECHANISM_INFO mechanism_info;
2472	CK_RV crv;
2473
2474	if (!slot->isThreadSafe)
2475	PK11_EnterSlotMonitor(slot);
2476	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetMechanismInfo(slot->slotID,
2477	mechanism, &mechanism_info);
2478	if (!slot->isThreadSafe)
2479	PK11_ExitSlotMonitor(slot);
2480	if (crv != CKR_OK0x00000000UL)
2481	return 0;
2482
2483	if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize)
2484	return 0;
2485	return mechanism_info.ulMaxKeySize;
2486	}
2487
2488	/*
2489	* This function uses the existing PKCS #11 module to find the
2490	* longest supported key length in the preferred token for a mechanism.
2491	* This varies from the above function in that 1) it returns the key length
2492	* even for fixed key algorithms, and 2) it looks through the tokens
2493	* generally rather than for a specific token. This is used in liu of
2494	* a PK11_GetKeyLength function in pk11mech.c since we can actually read
2495	* supported key lengths from PKCS #11.
2496	*
2497	* For symmetric key operations the length is returned in bytes.
2498	*/
2499	int
2500	PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism)
2501	{
2502	CK_MECHANISM_INFO mechanism_info;
2503	PK11SlotList list = NULL((void)0);
2504	PK11SlotListElement *le;
2505	PRBool freeit = PR_FALSE0;
2506	int keyLength = 0;
2507
2508	list = PK11_GetSlotList(mechanism);
2509
2510	if ((list == NULL((void)0)) \|\| (list->head == NULL((void)0))) {
2511	/* We need to look up all the tokens for the mechanism */
2512	list = PK11_GetAllTokens(mechanism, PR_FALSE0, PR_FALSE0, NULL((void*)0));
2513	freeit = PR_TRUE1;
2514	}
2515
2516	/* no tokens recognize this mechanism */
2517	if (list == NULL((void*)0)) {
2518	PORT_SetErrorPORT_SetError_Util(SEC_ERROR_INVALID_ALGORITHM);
2519	return 0;
2520	}
2521
2522	for (le = PK11_GetFirstSafe(list); le;
2523	le = PK11_GetNextSafe(list, le, PR_TRUE1)) {
2524	PK11SlotInfo *slot = le->slot;
2525	CK_RV crv;
2526	if (PK11_IsPresent(slot)) {
2527	if (!slot->isThreadSafe)
2528	PK11_EnterSlotMonitor(slot);
2529	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GetMechanismInfo(slot->slotID,
2530	mechanism, &mechanism_info);
2531	if (!slot->isThreadSafe)
2532	PK11_ExitSlotMonitor(slot);
2533	if ((crv == CKR_OK0x00000000UL) && (mechanism_info.ulMaxKeySize != 0) && (mechanism_info.ulMaxKeySize != 0xffffffff)) {
2534	keyLength = mechanism_info.ulMaxKeySize;
2535	break;
2536	}
2537	}
2538	}
2539
2540	/* fallback to pk11_GetPredefinedKeyLength for fixed key size algorithms */
2541	if (keyLength == 0) {
2542	CK_KEY_TYPE keyType;
2543	keyType = PK11_GetKeyType(mechanism, 0);
2544	keyLength = pk11_GetPredefinedKeyLength(keyType);
2545	}
2546
2547	if (le)
2548	PK11_FreeSlotListElement(list, le);
2549	if (freeit)
2550	PK11_FreeSlotList(list);
2551	return keyLength;
2552	}
2553
2554	SECStatus
2555	PK11_SeedRandom(PK11SlotInfo slot, unsigned char data, int len)
2556	{
2557	CK_RV crv;
2558
2559	PK11_EnterSlotMonitor(slot);
2560	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_SeedRandom(slot->session, data, (CK_ULONG)len);
2561	PK11_ExitSlotMonitor(slot);
2562	if (crv != CKR_OK0x00000000UL) {
2563	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
2564	return SECFailure;
2565	}
2566	return SECSuccess;
2567	}
2568
2569	SECStatus
2570	PK11_GenerateRandomOnSlot(PK11SlotInfo slot, unsigned char data, int len)
2571	{
2572	CK_RV crv;
2573
2574	if (!slot->isInternal)
2575	PK11_EnterSlotMonitor(slot);
2576	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_GenerateRandom(slot->session, data,
2577	(CK_ULONG)len);
2578	if (!slot->isInternal)
2579	PK11_ExitSlotMonitor(slot);
2580	if (crv != CKR_OK0x00000000UL) {
2581	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
2582	return SECFailure;
2583	}
2584	return SECSuccess;
2585	}
2586
2587	/* Attempts to update the Best Slot for "FAKE RANDOM" generation.
2588	** If that's not the internal slot, then it also attempts to update the
2589	** internal slot.
2590	** The return value indicates if the INTERNAL slot was updated OK.
2591	*/
2592	SECStatus
2593	PK11_RandomUpdate(void *data, size_t bytes)
2594	{
2595	PK11SlotInfo *slot;
2596	PRBool bestIsInternal;
2597	SECStatus status;
2598
2599	slot = PK11_GetBestSlot(CKM_FAKE_RANDOM0x80000efeUL, NULL((void*)0));
2600	if (slot == NULL((void*)0)) {
2601	slot = PK11_GetInternalSlot();
2602	if (!slot)
2603	return SECFailure;
2604	}
2605
2606	bestIsInternal = PK11_IsInternal(slot);
2607	status = PK11_SeedRandom(slot, data, bytes);
2608	PK11_FreeSlot(slot);
2609
2610	if (!bestIsInternal) {
2611	/* do internal slot, too. */
2612	slot = PK11_GetInternalSlot();
2613	PORT_Assert(slot)((slot)?((void)0):PR_Assert("slot","pk11slot.c",2613));
2614	if (!slot) {
2615	return SECFailure;
2616	}
2617	status = PK11_SeedRandom(slot, data, bytes);
2618	PK11_FreeSlot(slot);
2619	}
2620	return status;
2621	}
2622
2623	SECStatus
2624	PK11_GenerateRandom(unsigned char *data, int len)
2625	{
2626	PK11SlotInfo *slot;
2627	SECStatus rv;
2628
2629	slot = PK11_GetBestSlot(CKM_FAKE_RANDOM0x80000efeUL, NULL((void*)0));
2630	if (slot == NULL((void*)0))
2631	return SECFailure;
2632
2633	rv = PK11_GenerateRandomOnSlot(slot, data, len);
2634	PK11_FreeSlot(slot);
2635	return rv;
2636	}
2637
2638	/*
2639	* Reset the token to it's initial state. For the internal module, this will
2640	* Purge your keydb, and reset your cert db certs to USER_INIT.
2641	*/
2642	SECStatus
2643	PK11_ResetToken(PK11SlotInfo slot, char sso_pwd)
2644	{
2645	unsigned char tokenName[32];
2646	size_t tokenNameLen;
2647	CK_RV crv;
2648
2649	/* reconstruct the token name */
2650	tokenNameLen = PORT_Strlen(slot->token_name)strlen(slot->token_name);
2651	if (tokenNameLen > sizeof(tokenName)) {
2652	tokenNameLen = sizeof(tokenName);
2653	}
2654
2655	PORT_Memcpymemcpy(tokenName, slot->token_name, tokenNameLen);
2656	if (tokenNameLen < sizeof(tokenName)) {
2657	PORT_Memsetmemset(&tokenName[tokenNameLen], ' ',
2658	sizeof(tokenName) - tokenNameLen);
2659	}
2660
2661	/* initialize the token */
2662	PK11_EnterSlotMonitor(slot);
2663
2664	/* first shutdown the token. Existing sessions will get closed here */
2665	PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))
2666	->C_CloseAllSessions(slot->slotID);
2667	slot->session = CK_INVALID_HANDLE0;
2668
2669	/* now re-init the token */
2670	crv = PK11_GETTAB(slot)((CK_FUNCTION_LIST_3_0_PTR)((slot)->functionList))->C_InitToken(slot->slotID,
2671	(unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd)strlen(sso_pwd) : 0, tokenName);
2672
2673	/* finally bring the token back up */
2674	PK11_InitToken(slot, PR_TRUE1);
2675	PK11_ExitSlotMonitor(slot);
2676	if (crv != CKR_OK0x00000000UL) {
2677	PORT_SetErrorPORT_SetError_Util(PK11_MapError(crv));
2678	return SECFailure;
2679	}
2680	NSSToken *token = PK11Slot_GetNSSToken(slot);
2681	if (token) {
2682	nssTrustDomain_UpdateCachedTokenCerts(token->trustDomain, token);
2683	(void)nssToken_Destroy(token);
2684	}
2685	return SECSuccess;
2686	}
2687
2688	void
2689	PK11Slot_SetNSSToken(PK11SlotInfo sl, NSSToken nsst)
2690	{
2691	NSSToken *old;
2692	if (nsst) {
2693	nsst = nssToken_AddRef(nsst);
2694	}
2695
2696	PZ_Lock(sl->nssTokenLock)PR_Lock((sl->nssTokenLock));
2697	old = sl->nssToken;
2698	sl->nssToken = nsst;
2699	PZ_Unlock(sl->nssTokenLock)PR_Unlock((sl->nssTokenLock));
2700
2701	if (old) {
2702	(void)nssToken_Destroy(old);
2703	}
2704	}
2705
2706	NSSToken *
2707	PK11Slot_GetNSSToken(PK11SlotInfo *sl)
2708	{
2709	NSSToken rv = NULL((void)0);
2710
2711	PZ_Lock(sl->nssTokenLock)PR_Lock((sl->nssTokenLock));
2712	if (sl->nssToken) {
2713	rv = nssToken_AddRef(sl->nssToken);
2714	}
2715	PZ_Unlock(sl->nssTokenLock)PR_Unlock((sl->nssTokenLock));
2716
2717	return rv;
2718	}
2719
2720	PRBool
2721	pk11slot_GetFIPSStatus(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
2722	CK_OBJECT_HANDLE object, CK_ULONG operationType)
2723	{
2724	SECMODModule *mod = slot->module;
2725	CK_RV crv;
2726	CK_ULONG fipsState = CKS_NSS_FIPS_NOT_OK0UL;
2727
2728	/* handle the obvious conditions:
2729	* 1) the module doesn't have a fipsIndicator - fips state must be false */
2730	if (mod->fipsIndicator == NULL((void*)0)) {
2731	return PR_FALSE0;
2732	}
2733	/* 2) the session doesn't exist - fips state must be false */
2734	if (session == CK_INVALID_HANDLE0) {
2735	return PR_FALSE0;
2736	}
2737
2738	/* go fetch the state */
2739	crv = mod->fipsIndicator(session, object, operationType, &fipsState);
2740	if (crv != CKR_OK0x00000000UL) {
2741	return PR_FALSE0;
2742	}
2743	return (fipsState == CKS_NSS_FIPS_OK1UL) ? PR_TRUE1 : PR_FALSE0;
2744	}
2745
2746	PRBool
2747	PK11_SlotGetLastFIPSStatus(PK11SlotInfo *slot)
2748	{
2749	return pk11slot_GetFIPSStatus(slot, slot->session, CK_INVALID_HANDLE0,
2750	CKT_NSS_SESSION_LAST_CHECK4UL);
2751	}
2752
2753	/*
2754	* wait for a token to change it's state. The application passes in the expected
2755	* new state in event.
2756	*/
2757	PK11TokenStatus
2758	PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event,
2759	PRIntervalTime timeout, PRIntervalTime latency, int series)
2760	{
2761	PRIntervalTime first_time = 0;
2762	PRBool first_time_set = PR_FALSE0;
2763	PRBool waitForRemoval;
2764
2765	if (slot->isPerm) {
2766	return PK11TokenNotRemovable;
2767	}
2768	if (latency == 0) {
2769	latency = PR_SecondsToInterval(5);
2770	}
2771	waitForRemoval = (PRBool)(event == PK11TokenRemovedOrChangedEvent);
2772
2773	if (series == 0) {
2774	series = PK11_GetSlotSeries(slot);
2775	}
2776	while (PK11_IsPresent(slot) == waitForRemoval) {
2777	PRIntervalTime interval;
2778
2779	if (waitForRemoval && series != PK11_GetSlotSeries(slot)) {
2780	return PK11TokenChanged;
2781	}
2782	if (timeout == PR_INTERVAL_NO_WAIT0UL) {
2783	return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
2784	}
2785	if (timeout != PR_INTERVAL_NO_TIMEOUT0xffffffffUL) {
2786	interval = PR_IntervalNow();
2787	if (!first_time_set) {
2788	first_time = interval;
2789	first_time_set = PR_TRUE1;
2790	}
2791	if ((interval - first_time) > timeout) {
2792	return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved;
2793	}
2794	}
2795	PR_Sleep(latency);
2796	}
2797	return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent;
2798	}