/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * Deal with PKCS #11 Slots. */ #include #include "seccomon.h" #include "secmod.h" #include "nssilock.h" #include "secmodi.h" #include "secmodti.h" #include "pkcs11t.h" #include "pk11func.h" #include "secitem.h" #include "secerr.h" #include "dev.h" #include "dev3hack.h" #include "pkim.h" #include "utilpars.h" #include "pkcs11uri.h" /************************************************************* * local static and global data *************************************************************/ /* * This array helps parsing between names, mechanisms, and flags. * to make the config files understand more entries, add them * to this table. */ const PK11DefaultArrayEntry PK11_DefaultArray[] = { { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS }, { "DSA", SECMOD_DSA_FLAG, CKM_DSA }, { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA }, { "EDDSA", SECMOD_ECC_FLAG, CKM_EDDSA }, { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE }, { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC }, { "RC4", SECMOD_RC4_FLAG, CKM_RC4 }, { "DES", SECMOD_DES_FLAG, CKM_DES_CBC }, { "AES", SECMOD_AES_FLAG, CKM_AES_CBC }, { "Camellia", SECMOD_CAMELLIA_FLAG, CKM_CAMELLIA_CBC }, { "SEED", SECMOD_SEED_FLAG, CKM_SEED_CBC }, { "RC5", SECMOD_RC5_FLAG, CKM_RC5_CBC }, { "SHA-1", SECMOD_SHA1_FLAG, CKM_SHA_1 }, /* { "SHA224", SECMOD_SHA256_FLAG, CKM_SHA224 }, */ { "SHA256", SECMOD_SHA256_FLAG, CKM_SHA256 }, /* { "SHA384", SECMOD_SHA512_FLAG, CKM_SHA384 }, */ { "SHA512", SECMOD_SHA512_FLAG, CKM_SHA512 }, { "MD5", SECMOD_MD5_FLAG, CKM_MD5 }, { "MD2", SECMOD_MD2_FLAG, CKM_MD2 }, { "SSL", SECMOD_SSL_FLAG, CKM_SSL3_PRE_MASTER_KEY_GEN }, { "TLS", SECMOD_TLS_FLAG, CKM_TLS_MASTER_KEY_DERIVE }, { "SKIPJACK", SECMOD_FORTEZZA_FLAG, CKM_SKIPJACK_CBC64 }, { "Publicly-readable certs", SECMOD_FRIENDLY_FLAG, CKM_INVALID_MECHANISM }, { "Random Num Generator", SECMOD_RANDOM_FLAG, CKM_FAKE_RANDOM }, }; const int num_pk11_default_mechanisms = sizeof(PK11_DefaultArray) / sizeof(PK11_DefaultArray[0]); const PK11DefaultArrayEntry * PK11_GetDefaultArray(int *size) { if (size) { *size = num_pk11_default_mechanisms; } return PK11_DefaultArray; } /* * These slotlists are lists of modules which provide default support for * a given algorithm or mechanism. */ static PK11SlotList pk11_seedSlotList, pk11_camelliaSlotList, pk11_aesSlotList, pk11_desSlotList, pk11_rc4SlotList, pk11_rc2SlotList, pk11_rc5SlotList, pk11_sha1SlotList, pk11_md5SlotList, pk11_md2SlotList, pk11_rsaSlotList, pk11_dsaSlotList, pk11_dhSlotList, pk11_ecSlotList, pk11_ideaSlotList, pk11_sslSlotList, pk11_tlsSlotList, pk11_randomSlotList, pk11_sha256SlotList, pk11_sha512SlotList; /* slots do SHA512 and SHA384 */ /************************************************************ * Generic Slot List and Slot List element manipulations ************************************************************/ /* * allocate a new list */ PK11SlotList * PK11_NewSlotList(void) { PK11SlotList *list; list = (PK11SlotList *)PORT_Alloc(sizeof(PK11SlotList)); if (list == NULL) return NULL; list->head = NULL; list->tail = NULL; list->lock = PZ_NewLock(nssILockList); if (list->lock == NULL) { PORT_Free(list); return NULL; } return list; } /* * free a list element when all the references go away. */ SECStatus PK11_FreeSlotListElement(PK11SlotList *list, PK11SlotListElement *le) { PRBool freeit = PR_FALSE; if (list == NULL || le == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; } PZ_Lock(list->lock); if (le->refCount-- == 1) { freeit = PR_TRUE; } PZ_Unlock(list->lock); if (freeit) { PK11_FreeSlot(le->slot); PORT_Free(le); } return SECSuccess; } static void pk11_FreeSlotListStatic(PK11SlotList *list) { PK11SlotListElement *le, *next; if (list == NULL) return; for (le = list->head; le; le = next) { next = le->next; PK11_FreeSlotListElement(list, le); } if (list->lock) { PZ_DestroyLock(list->lock); } list->lock = NULL; list->head = NULL; } /* * if we are freeing the list, we must be the only ones with a pointer * to the list. */ void PK11_FreeSlotList(PK11SlotList *list) { pk11_FreeSlotListStatic(list); PORT_Free(list); } /* * add a slot to a list * "slot" is the slot to be added. Ownership is not transferred. * "sorted" indicates whether or not the slot should be inserted according to * cipherOrder of the associated module. PR_FALSE indicates that the slot * should be inserted to the head of the list. */ SECStatus PK11_AddSlotToList(PK11SlotList *list, PK11SlotInfo *slot, PRBool sorted) { PK11SlotListElement *le; PK11SlotListElement *element; le = (PK11SlotListElement *)PORT_Alloc(sizeof(PK11SlotListElement)); if (le == NULL) return SECFailure; le->slot = PK11_ReferenceSlot(slot); le->prev = NULL; le->refCount = 1; PZ_Lock(list->lock); element = list->head; /* Insertion sort, with higher cipherOrders are sorted first in the list */ while (element && sorted && (element->slot->module->cipherOrder > le->slot->module->cipherOrder)) { element = element->next; } if (element) { le->prev = element->prev; element->prev = le; le->next = element; } else { le->prev = list->tail; le->next = NULL; list->tail = le; } if (le->prev) le->prev->next = le; if (list->head == element) list->head = le; PZ_Unlock(list->lock); return SECSuccess; } /* * remove a slot entry from the list */ SECStatus PK11_DeleteSlotFromList(PK11SlotList *list, PK11SlotListElement *le) { PZ_Lock(list->lock); if (le->prev) le->prev->next = le->next; else list->head = le->next; if (le->next) le->next->prev = le->prev; else list->tail = le->prev; le->next = le->prev = NULL; PZ_Unlock(list->lock); PK11_FreeSlotListElement(list, le); return SECSuccess; } /* * Move a list to the end of the target list. * NOTE: There is no locking here... This assumes BOTH lists are private copy * lists. It also does not re-sort the target list. */ SECStatus pk11_MoveListToList(PK11SlotList *target, PK11SlotList *src) { if (src->head == NULL) return SECSuccess; if (target->tail == NULL) { target->head = src->head; } else { target->tail->next = src->head; } src->head->prev = target->tail; target->tail = src->tail; src->head = src->tail = NULL; return SECSuccess; } /* * get an element from the list with a reference. You must own the list. */ PK11SlotListElement * PK11_GetFirstRef(PK11SlotList *list) { PK11SlotListElement *le; le = list->head; if (le != NULL) (le)->refCount++; return le; } /* * get the next element from the list with a reference. You must own the list. */ PK11SlotListElement * PK11_GetNextRef(PK11SlotList *list, PK11SlotListElement *le, PRBool restart) { PK11SlotListElement *new_le; new_le = le->next; if (new_le) new_le->refCount++; PK11_FreeSlotListElement(list, le); return new_le; } /* * get an element safely from the list. This just makes sure that if * this element is not deleted while we deal with it. */ PK11SlotListElement * PK11_GetFirstSafe(PK11SlotList *list) { PK11SlotListElement *le; PZ_Lock(list->lock); le = list->head; if (le != NULL) (le)->refCount++; PZ_Unlock(list->lock); return le; } /* * NOTE: if this element gets deleted, we can no longer safely traverse using * it's pointers. We can either terminate the loop, or restart from the * beginning. This is controlled by the restart option. */ PK11SlotListElement * PK11_GetNextSafe(PK11SlotList *list, PK11SlotListElement *le, PRBool restart) { PK11SlotListElement *new_le; PZ_Lock(list->lock); new_le = le->next; if (le->next == NULL) { /* if the prev and next fields are NULL then either this element * has been removed and we need to walk the list again (if restart * is true) or this was the only element on the list */ if ((le->prev == NULL) && restart && (list->head != le)) { new_le = list->head; } } if (new_le) new_le->refCount++; PZ_Unlock(list->lock); PK11_FreeSlotListElement(list, le); return new_le; } /* * Find the element that holds this slot */ PK11SlotListElement * PK11_FindSlotElement(PK11SlotList *list, PK11SlotInfo *slot) { PK11SlotListElement *le; for (le = PK11_GetFirstSafe(list); le; le = PK11_GetNextSafe(list, le, PR_TRUE)) { if (le->slot == slot) return le; } return NULL; } /************************************************************ * Generic Slot Utilities ************************************************************/ /* * Create a new slot structure */ PK11SlotInfo * PK11_NewSlotInfo(SECMODModule *mod) { PK11SlotInfo *slot; slot = (PK11SlotInfo *)PORT_Alloc(sizeof(PK11SlotInfo)); if (slot == NULL) { return slot; } slot->freeListLock = PZ_NewLock(nssILockFreelist); if (slot->freeListLock == NULL) { PORT_Free(slot); return NULL; } slot->nssTokenLock = PZ_NewLock(nssILockOther); if (slot->nssTokenLock == NULL) { PZ_DestroyLock(slot->freeListLock); PORT_Free(slot); return NULL; } slot->sessionLock = mod->isThreadSafe ? PZ_NewLock(nssILockSession) : mod->refLock; if (slot->sessionLock == NULL) { PZ_DestroyLock(slot->nssTokenLock); PZ_DestroyLock(slot->freeListLock); PORT_Free(slot); return NULL; } slot->freeSymKeysWithSessionHead = NULL; slot->freeSymKeysHead = NULL; slot->keyCount = 0; slot->maxKeyCount = 0; slot->functionList = NULL; slot->needTest = PR_TRUE; slot->isPerm = PR_FALSE; slot->isHW = PR_FALSE; slot->isInternal = PR_FALSE; slot->isThreadSafe = PR_FALSE; slot->disabled = PR_FALSE; slot->series = 1; slot->flagSeries = 0; slot->flagState = PR_FALSE; slot->wrapKey = 0; slot->wrapMechanism = CKM_INVALID_MECHANISM; slot->refKeys[0] = CK_INVALID_HANDLE; slot->reason = PK11_DIS_NONE; slot->readOnly = PR_TRUE; slot->needLogin = PR_FALSE; slot->hasRandom = PR_FALSE; slot->defRWSession = PR_FALSE; slot->protectedAuthPath = PR_FALSE; slot->flags = 0; slot->session = CK_INVALID_HANDLE; slot->slotID = 0; slot->defaultFlags = 0; slot->refCount = 1; slot->askpw = 0; slot->timeout = 0; slot->mechanismList = NULL; slot->mechanismCount = 0; slot->cert_array = NULL; slot->cert_count = 0; slot->slot_name[0] = 0; slot->token_name[0] = 0; PORT_Memset(slot->serial, ' ', sizeof(slot->serial)); PORT_Memset(&slot->tokenInfo, 0, sizeof(slot->tokenInfo)); slot->module = NULL; slot->authTransact = 0; slot->authTime = LL_ZERO; slot->minPassword = 0; slot->maxPassword = 0; slot->hasRootCerts = PR_FALSE; slot->hasRootTrust = PR_FALSE; slot->nssToken = NULL; slot->profileList = NULL; slot->profileCount = 0; return slot; } /* create a new reference to a slot so it doesn't go away */ PK11SlotInfo * PK11_ReferenceSlot(PK11SlotInfo *slot) { PR_ATOMIC_INCREMENT(&slot->refCount); return slot; } /* Destroy all info on a slot we have built up */ void PK11_DestroySlot(PK11SlotInfo *slot) { /* free up the cached keys and sessions */ PK11_CleanKeyList(slot); /* free up all the sessions on this slot */ if (slot->functionList) { PK11_GETTAB(slot) ->C_CloseAllSessions(slot->slotID); } if (slot->mechanismList) { PORT_Free(slot->mechanismList); } if (slot->profileList) { PORT_Free(slot->profileList); } if (slot->isThreadSafe && slot->sessionLock) { PZ_DestroyLock(slot->sessionLock); } slot->sessionLock = NULL; if (slot->freeListLock) { PZ_DestroyLock(slot->freeListLock); slot->freeListLock = NULL; } if (slot->nssTokenLock) { PZ_DestroyLock(slot->nssTokenLock); slot->nssTokenLock = NULL; } /* finally Tell our parent module that we've gone away so it can unload */ if (slot->module) { SECMOD_SlotDestroyModule(slot->module, PR_TRUE); } /* ok, well not quit finally... now we free the memory */ PORT_Free(slot); } /* We're all done with the slot, free it */ void PK11_FreeSlot(PK11SlotInfo *slot) { if (PR_ATOMIC_DECREMENT(&slot->refCount) == 0) { PK11_DestroySlot(slot); } } void PK11_EnterSlotMonitor(PK11SlotInfo *slot) { PZ_Lock(slot->sessionLock); } void PK11_ExitSlotMonitor(PK11SlotInfo *slot) { PZ_Unlock(slot->sessionLock); } /*********************************************************** * Functions to find specific slots. ***********************************************************/ PRBool SECMOD_HasRootCerts(void) { SECMODModuleList *mlp; SECMODModuleList *modules; SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); int i; PRBool found = PR_FALSE; if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return found; } /* work through all the slots */ SECMOD_GetReadLock(moduleLock); modules = SECMOD_GetDefaultModuleList(); for (mlp = modules; mlp != NULL; mlp = mlp->next) { for (i = 0; i < mlp->module->slotCount; i++) { PK11SlotInfo *tmpSlot = mlp->module->slots[i]; if (PK11_IsPresent(tmpSlot)) { if (tmpSlot->hasRootCerts) { found = PR_TRUE; break; } } } if (found) break; } SECMOD_ReleaseReadLock(moduleLock); return found; } /*********************************************************** * Functions to find specific slots. ***********************************************************/ PK11SlotList * PK11_FindSlotsByNames(const char *dllName, const char *slotName, const char *tokenName, PRBool presentOnly) { SECMODModuleList *mlp; SECMODModuleList *modules; SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); int i; PK11SlotList *slotList = NULL; PRUint32 slotcount = 0; SECStatus rv = SECSuccess; if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return slotList; } slotList = PK11_NewSlotList(); if (!slotList) { PORT_SetError(SEC_ERROR_NO_MEMORY); return slotList; } if (((NULL == dllName) || (0 == *dllName)) && ((NULL == slotName) || (0 == *slotName)) && ((NULL == tokenName) || (0 == *tokenName))) { /* default to softoken */ /* PK11_GetInternalKeySlot increments the refcount on the internal slot, * but so does PK11_AddSlotToList. To avoid erroneously increasing the * refcount twice, we get our own reference to the internal slot and * decrement its refcount when we're done with it. */ PK11SlotInfo *internalKeySlot = PK11_GetInternalKeySlot(); PK11_AddSlotToList(slotList, internalKeySlot, PR_TRUE); PK11_FreeSlot(internalKeySlot); return slotList; } /* work through all the slots */ SECMOD_GetReadLock(moduleLock); modules = SECMOD_GetDefaultModuleList(); for (mlp = modules; mlp != NULL; mlp = mlp->next) { PORT_Assert(mlp->module); if (!mlp->module) { rv = SECFailure; break; } if ((!dllName) || (mlp->module->dllName && (0 == PORT_Strcmp(mlp->module->dllName, dllName)))) { for (i = 0; i < mlp->module->slotCount; i++) { PK11SlotInfo *tmpSlot = (mlp->module->slots ? mlp->module->slots[i] : NULL); PORT_Assert(tmpSlot); if (!tmpSlot) { rv = SECFailure; break; } if ((PR_FALSE == presentOnly || PK11_IsPresent(tmpSlot)) && ((!tokenName) || (0 == PORT_Strcmp(tmpSlot->token_name, tokenName))) && ((!slotName) || (0 == PORT_Strcmp(tmpSlot->slot_name, slotName)))) { PK11_AddSlotToList(slotList, tmpSlot, PR_TRUE); slotcount++; } } } } SECMOD_ReleaseReadLock(moduleLock); if ((0 == slotcount) || (SECFailure == rv)) { PORT_SetError(SEC_ERROR_NO_TOKEN); PK11_FreeSlotList(slotList); slotList = NULL; } if (SECFailure == rv) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); } return slotList; } typedef PRBool (*PK11SlotMatchFunc)(PK11SlotInfo *slot, const void *arg); static PRBool pk11_MatchSlotByTokenName(PK11SlotInfo *slot, const void *arg) { return PORT_Strcmp(slot->token_name, arg) == 0; } static PRBool pk11_MatchSlotBySerial(PK11SlotInfo *slot, const void *arg) { return PORT_Memcmp(slot->serial, arg, sizeof(slot->serial)) == 0; } static PRBool pk11_MatchSlotByTokenURI(PK11SlotInfo *slot, const void *arg) { return pk11_MatchUriTokenInfo(slot, (PK11URI *)arg); } static PK11SlotInfo * pk11_FindSlot(const void *arg, PK11SlotMatchFunc func) { SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); SECMODModuleList *mlp; SECMODModuleList *modules; int i; PK11SlotInfo *slot = NULL; if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return slot; } /* work through all the slots */ SECMOD_GetReadLock(moduleLock); modules = SECMOD_GetDefaultModuleList(); for (mlp = modules; mlp != NULL; mlp = mlp->next) { for (i = 0; i < mlp->module->slotCount; i++) { PK11SlotInfo *tmpSlot = mlp->module->slots[i]; if (PK11_IsPresent(tmpSlot)) { if (func(tmpSlot, arg)) { slot = PK11_ReferenceSlot(tmpSlot); break; } } } if (slot != NULL) break; } SECMOD_ReleaseReadLock(moduleLock); if (slot == NULL) { PORT_SetError(SEC_ERROR_NO_TOKEN); } return slot; } static PK11SlotInfo * pk11_FindSlotByTokenURI(const char *uriString) { PK11SlotInfo *slot = NULL; PK11URI *uri; uri = PK11URI_ParseURI(uriString); if (!uri) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return slot; } slot = pk11_FindSlot(uri, pk11_MatchSlotByTokenURI); PK11URI_DestroyURI(uri); return slot; } PK11SlotInfo * PK11_FindSlotByName(const char *name) { if ((name == NULL) || (*name == 0)) { return PK11_GetInternalKeySlot(); } if (!PORT_Strncasecmp(name, "pkcs11:", strlen("pkcs11:"))) { return pk11_FindSlotByTokenURI(name); } return pk11_FindSlot(name, pk11_MatchSlotByTokenName); } PK11SlotInfo * PK11_FindSlotBySerial(char *serial) { return pk11_FindSlot(serial, pk11_MatchSlotBySerial); } /* * notification stub. If we ever get interested in any events that * the pkcs11 functions may pass back to use, we can catch them here... * currently pdata is a slotinfo structure. */ CK_RV pk11_notify(CK_SESSION_HANDLE session, CK_NOTIFICATION event, CK_VOID_PTR pdata) { return CKR_OK; } /* * grab a new RW session * !!! has a side effect of grabbing the Monitor if either the slot's default * session is RW or the slot is not thread safe. Monitor is release in function * below */ CK_SESSION_HANDLE PK11_GetRWSession(PK11SlotInfo *slot) { CK_SESSION_HANDLE rwsession; CK_RV crv; PRBool haveMonitor = PR_FALSE; if (!slot->isThreadSafe || slot->defRWSession) { PK11_EnterSlotMonitor(slot); haveMonitor = PR_TRUE; } if (slot->defRWSession) { PORT_Assert(slot->session != CK_INVALID_HANDLE); if (slot->session != CK_INVALID_HANDLE) return slot->session; } crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, CKF_RW_SESSION | CKF_SERIAL_SESSION, slot, pk11_notify, &rwsession); PORT_Assert(rwsession != CK_INVALID_HANDLE || crv != CKR_OK); if (crv != CKR_OK || rwsession == CK_INVALID_HANDLE) { if (crv == CKR_OK) crv = CKR_DEVICE_ERROR; if (haveMonitor) PK11_ExitSlotMonitor(slot); PORT_SetError(PK11_MapError(crv)); return CK_INVALID_HANDLE; } if (slot->defRWSession) { /* we have the monitor */ slot->session = rwsession; } return rwsession; } PRBool PK11_RWSessionHasLock(PK11SlotInfo *slot, CK_SESSION_HANDLE session_handle) { PRBool hasLock; hasLock = (PRBool)(!slot->isThreadSafe || (slot->defRWSession && slot->session != CK_INVALID_HANDLE)); return hasLock; } static PRBool pk11_RWSessionIsDefault(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession) { PRBool isDefault; isDefault = (PRBool)(slot->session == rwsession && slot->defRWSession && slot->session != CK_INVALID_HANDLE); return isDefault; } /* * close the rwsession and restore our readonly session * !!! has a side effect of releasing the Monitor if either the slot's default * session is RW or the slot is not thread safe. */ void PK11_RestoreROSession(PK11SlotInfo *slot, CK_SESSION_HANDLE rwsession) { PORT_Assert(rwsession != CK_INVALID_HANDLE); if (rwsession != CK_INVALID_HANDLE) { PRBool doExit = PK11_RWSessionHasLock(slot, rwsession); if (!pk11_RWSessionIsDefault(slot, rwsession)) PK11_GETTAB(slot) ->C_CloseSession(rwsession); if (doExit) PK11_ExitSlotMonitor(slot); } } /************************************************************ * Manage the built-In Slot Lists ************************************************************/ /* Init the static built int slot list (should actually integrate * with PK11_NewSlotList */ static void pk11_InitSlotListStatic(PK11SlotList *list) { list->lock = PZ_NewLock(nssILockList); list->head = NULL; } /* initialize the system slotlists */ SECStatus PK11_InitSlotLists(void) { pk11_InitSlotListStatic(&pk11_seedSlotList); pk11_InitSlotListStatic(&pk11_camelliaSlotList); pk11_InitSlotListStatic(&pk11_aesSlotList); pk11_InitSlotListStatic(&pk11_desSlotList); pk11_InitSlotListStatic(&pk11_rc4SlotList); pk11_InitSlotListStatic(&pk11_rc2SlotList); pk11_InitSlotListStatic(&pk11_rc5SlotList); pk11_InitSlotListStatic(&pk11_md5SlotList); pk11_InitSlotListStatic(&pk11_md2SlotList); pk11_InitSlotListStatic(&pk11_sha1SlotList); pk11_InitSlotListStatic(&pk11_rsaSlotList); pk11_InitSlotListStatic(&pk11_dsaSlotList); pk11_InitSlotListStatic(&pk11_dhSlotList); pk11_InitSlotListStatic(&pk11_ecSlotList); pk11_InitSlotListStatic(&pk11_ideaSlotList); pk11_InitSlotListStatic(&pk11_sslSlotList); pk11_InitSlotListStatic(&pk11_tlsSlotList); pk11_InitSlotListStatic(&pk11_randomSlotList); pk11_InitSlotListStatic(&pk11_sha256SlotList); pk11_InitSlotListStatic(&pk11_sha512SlotList); return SECSuccess; } void PK11_DestroySlotLists(void) { pk11_FreeSlotListStatic(&pk11_seedSlotList); pk11_FreeSlotListStatic(&pk11_camelliaSlotList); pk11_FreeSlotListStatic(&pk11_aesSlotList); pk11_FreeSlotListStatic(&pk11_desSlotList); pk11_FreeSlotListStatic(&pk11_rc4SlotList); pk11_FreeSlotListStatic(&pk11_rc2SlotList); pk11_FreeSlotListStatic(&pk11_rc5SlotList); pk11_FreeSlotListStatic(&pk11_md5SlotList); pk11_FreeSlotListStatic(&pk11_md2SlotList); pk11_FreeSlotListStatic(&pk11_sha1SlotList); pk11_FreeSlotListStatic(&pk11_rsaSlotList); pk11_FreeSlotListStatic(&pk11_dsaSlotList); pk11_FreeSlotListStatic(&pk11_dhSlotList); pk11_FreeSlotListStatic(&pk11_ecSlotList); pk11_FreeSlotListStatic(&pk11_ideaSlotList); pk11_FreeSlotListStatic(&pk11_sslSlotList); pk11_FreeSlotListStatic(&pk11_tlsSlotList); pk11_FreeSlotListStatic(&pk11_randomSlotList); pk11_FreeSlotListStatic(&pk11_sha256SlotList); pk11_FreeSlotListStatic(&pk11_sha512SlotList); return; } /* return a system slot list based on mechanism */ PK11SlotList * PK11_GetSlotList(CK_MECHANISM_TYPE type) { /* XXX a workaround for Bugzilla bug #55267 */ #if defined(HPUX) && defined(__LP64__) if (CKM_INVALID_MECHANISM == type) return NULL; #endif switch (type) { case CKM_SEED_CBC: case CKM_SEED_ECB: return &pk11_seedSlotList; case CKM_CAMELLIA_CBC: case CKM_CAMELLIA_ECB: return &pk11_camelliaSlotList; case CKM_AES_CBC: case CKM_AES_CCM: case CKM_AES_CTR: case CKM_AES_CTS: case CKM_AES_GCM: case CKM_AES_ECB: return &pk11_aesSlotList; case CKM_DES_CBC: case CKM_DES_ECB: case CKM_DES3_ECB: case CKM_DES3_CBC: return &pk11_desSlotList; case CKM_RC4: return &pk11_rc4SlotList; case CKM_RC5_CBC: return &pk11_rc5SlotList; case CKM_SHA_1: return &pk11_sha1SlotList; case CKM_SHA224: case CKM_SHA256: case CKM_SHA3_224: case CKM_SHA3_256: return &pk11_sha256SlotList; case CKM_SHA384: case CKM_SHA512: case CKM_SHA3_384: case CKM_SHA3_512: return &pk11_sha512SlotList; case CKM_MD5: return &pk11_md5SlotList; case CKM_MD2: return &pk11_md2SlotList; case CKM_RC2_ECB: case CKM_RC2_CBC: return &pk11_rc2SlotList; case CKM_RSA_PKCS: case CKM_RSA_PKCS_KEY_PAIR_GEN: case CKM_RSA_X_509: return &pk11_rsaSlotList; case CKM_DSA: return &pk11_dsaSlotList; case CKM_DH_PKCS_KEY_PAIR_GEN: case CKM_DH_PKCS_DERIVE: return &pk11_dhSlotList; case CKM_EDDSA: case CKM_EC_EDWARDS_KEY_PAIR_GEN: case CKM_ECDSA: case CKM_ECDSA_SHA1: case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */ case CKM_ECDH1_DERIVE: case CKM_NSS_KYBER_KEY_PAIR_GEN: /* Bug 1893029 */ case CKM_NSS_KYBER: return &pk11_ecSlotList; case CKM_SSL3_PRE_MASTER_KEY_GEN: case CKM_SSL3_MASTER_KEY_DERIVE: case CKM_SSL3_SHA1_MAC: case CKM_SSL3_MD5_MAC: return &pk11_sslSlotList; case CKM_TLS_MASTER_KEY_DERIVE: case CKM_TLS_KEY_AND_MAC_DERIVE: case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: return &pk11_tlsSlotList; case CKM_IDEA_CBC: case CKM_IDEA_ECB: return &pk11_ideaSlotList; case CKM_FAKE_RANDOM: return &pk11_randomSlotList; } return NULL; } /* * load the static SlotInfo structures used to select a PKCS11 slot. * preSlotInfo has a list of all the default flags for the slots on this * module. */ void PK11_LoadSlotList(PK11SlotInfo *slot, PK11PreSlotInfo *psi, int count) { int i; for (i = 0; i < count; i++) { if (psi[i].slotID == slot->slotID) break; } if (i == count) return; slot->defaultFlags = psi[i].defaultFlags; slot->askpw = psi[i].askpw; slot->timeout = psi[i].timeout; slot->hasRootCerts = psi[i].hasRootCerts; /* if the slot is already disabled, don't load them into the * default slot lists. We get here so we can save the default * list value. */ if (slot->disabled) return; /* if the user has disabled us, don't load us in */ if (slot->defaultFlags & PK11_DISABLE_FLAG) { slot->disabled = PR_TRUE; slot->reason = PK11_DIS_USER_SELECTED; /* free up sessions and things?? */ return; } for (i = 0; i < num_pk11_default_mechanisms; i++) { if (slot->defaultFlags & PK11_DefaultArray[i].flag) { CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; PK11SlotList *slotList = PK11_GetSlotList(mechanism); if (slotList) PK11_AddSlotToList(slotList, slot, PR_FALSE); } } return; } /* * update a slot to its new attribute according to the slot list * returns: SECSuccess if nothing to do or add/delete is successful */ SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot, const PK11DefaultArrayEntry *entry, PRBool add) /* add: PR_TRUE if want to turn on */ { SECStatus result = SECSuccess; PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism); if (add) { /* trying to turn on a mechanism */ /* turn on the default flag in the slot */ slot->defaultFlags |= entry->flag; /* add this slot to the list */ if (slotList != NULL) result = PK11_AddSlotToList(slotList, slot, PR_FALSE); } else { /* trying to turn off */ /* turn OFF the flag in the slot */ slot->defaultFlags &= ~entry->flag; if (slotList) { /* find the element in the list & delete it */ PK11SlotListElement *le = PK11_FindSlotElement(slotList, slot); /* remove the slot from the list */ if (le) result = PK11_DeleteSlotFromList(slotList, le); } } return result; } /* * clear a slot off of all of it's default list */ void PK11_ClearSlotList(PK11SlotInfo *slot) { int i; if (slot->disabled) return; if (slot->defaultFlags == 0) return; for (i = 0; i < num_pk11_default_mechanisms; i++) { if (slot->defaultFlags & PK11_DefaultArray[i].flag) { CK_MECHANISM_TYPE mechanism = PK11_DefaultArray[i].mechanism; PK11SlotList *slotList = PK11_GetSlotList(mechanism); PK11SlotListElement *le = NULL; if (slotList) le = PK11_FindSlotElement(slotList, slot); if (le) { PK11_DeleteSlotFromList(slotList, le); PK11_FreeSlotListElement(slotList, le); } } } } /****************************************************************** * Slot initialization ******************************************************************/ /* * turn a PKCS11 Static Label into a string */ char * PK11_MakeString(PLArenaPool *arena, char *space, char *staticString, int stringLen) { int i; char *newString; for (i = (stringLen - 1); i >= 0; i--) { if (staticString[i] != ' ') break; } /* move i to point to the last space */ i++; if (arena) { newString = (char *)PORT_ArenaAlloc(arena, i + 1 /* space for NULL */); } else if (space) { newString = space; } else { newString = (char *)PORT_Alloc(i + 1 /* space for NULL */); } if (newString == NULL) return NULL; if (i) PORT_Memcpy(newString, staticString, i); newString[i] = 0; return newString; } /* * check if a null-terminated string matches with a PKCS11 Static Label */ PRBool pk11_MatchString(const char *string, const char *staticString, size_t staticStringLen) { size_t i = staticStringLen; /* move i to point to the last space */ while (i > 0) { if (staticString[i - 1] != ' ') break; i--; } if (strlen(string) == i && memcmp(string, staticString, i) == 0) { return PR_TRUE; } return PR_FALSE; } /* * Reads in the slots mechanism list for later use */ SECStatus PK11_ReadMechanismList(PK11SlotInfo *slot) { CK_ULONG count; CK_RV crv; PRUint32 i; if (slot->mechanismList) { PORT_Free(slot->mechanismList); slot->mechanismList = NULL; } slot->mechanismCount = 0; if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, NULL, &count); if (crv != CKR_OK) { if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); PORT_SetError(PK11_MapError(crv)); return SECFailure; } slot->mechanismList = (CK_MECHANISM_TYPE *) PORT_Alloc(count * sizeof(CK_MECHANISM_TYPE)); if (slot->mechanismList == NULL) { if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); return SECFailure; } crv = PK11_GETTAB(slot)->C_GetMechanismList(slot->slotID, slot->mechanismList, &count); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { PORT_Free(slot->mechanismList); slot->mechanismList = NULL; PORT_SetError(PK11_MapError(crv)); return SECSuccess; } slot->mechanismCount = count; PORT_Memset(slot->mechanismBits, 0, sizeof(slot->mechanismBits)); for (i = 0; i < count; i++) { CK_MECHANISM_TYPE mech = slot->mechanismList[i]; if (mech < 0x7ff) { slot->mechanismBits[mech & 0xff] |= 1 << (mech >> 8); } } return SECSuccess; } static SECStatus pk11_ReadProfileList(PK11SlotInfo *slot) { CK_ATTRIBUTE findTemp[2]; CK_ATTRIBUTE *attrs; CK_BBOOL cktrue = CK_TRUE; CK_OBJECT_CLASS oclass = CKO_PROFILE; size_t tsize; int objCount; CK_OBJECT_HANDLE *handles = NULL; int i; attrs = findTemp; PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(cktrue)); attrs++; PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++; tsize = attrs - findTemp; PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); if (slot->profileList) { PORT_Free(slot->profileList); slot->profileList = NULL; } slot->profileCount = 0; objCount = 0; handles = pk11_FindObjectsByTemplate(slot, findTemp, tsize, &objCount); if (handles == NULL) { if (objCount < 0) { return SECFailure; /* error code is set */ } PORT_Assert(objCount == 0); return SECSuccess; } slot->profileList = (CK_PROFILE_ID *) PORT_Alloc(objCount * sizeof(CK_PROFILE_ID)); if (slot->profileList == NULL) { PORT_Free(handles); return SECFailure; /* error code is set */ } for (i = 0; i < objCount; i++) { CK_ULONG value; value = PK11_ReadULongAttribute(slot, handles[i], CKA_PROFILE_ID); if (value == CK_UNAVAILABLE_INFORMATION) { continue; } slot->profileList[slot->profileCount++] = value; } PORT_Free(handles); return SECSuccess; } static PRBool pk11_HasProfile(PK11SlotInfo *slot, CK_PROFILE_ID id) { int i; for (i = 0; i < slot->profileCount; i++) { if (slot->profileList[i] == id) { return PR_TRUE; } } return PR_FALSE; } /* * initialize a new token * unlike initialize slot, this can be called multiple times in the lifetime * of NSS. It reads the information associated with a card or token, * that is not going to change unless the card or token changes. */ SECStatus PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) { CK_RV crv; SECStatus rv; PRStatus status; NSSToken *nssToken; /* set the slot flags to the current token values */ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &slot->tokenInfo); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); return SECFailure; } /* set the slot flags to the current token values */ slot->series++; /* allow other objects to detect that the * slot is different */ slot->flags = slot->tokenInfo.flags; slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); slot->hasRandom = ((slot->tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); slot->protectedAuthPath = ((slot->tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? PR_TRUE : PR_FALSE); slot->lastLoginCheck = 0; slot->lastState = 0; /* on some platforms Active Card incorrectly sets the * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */ if (slot->isActiveCard) { slot->protectedAuthPath = PR_FALSE; } (void)PK11_MakeString(NULL, slot->token_name, (char *)slot->tokenInfo.label, sizeof(slot->tokenInfo.label)); slot->minPassword = slot->tokenInfo.ulMinPinLen; slot->maxPassword = slot->tokenInfo.ulMaxPinLen; PORT_Memcpy(slot->serial, slot->tokenInfo.serialNumber, sizeof(slot->serial)); nssToken = PK11Slot_GetNSSToken(slot); nssToken_UpdateName(nssToken); /* null token is OK */ (void)nssToken_Destroy(nssToken); slot->defRWSession = (PRBool)((!slot->readOnly) && (slot->tokenInfo.ulMaxSessionCount == 1)); rv = PK11_ReadMechanismList(slot); if (rv != SECSuccess) return rv; slot->hasRSAInfo = PR_FALSE; slot->RSAInfoFlags = 0; /* initialize the maxKeyCount value */ if (slot->tokenInfo.ulMaxSessionCount == 0) { slot->maxKeyCount = 800; /* should be #define or a config param */ } else if (slot->tokenInfo.ulMaxSessionCount < 20) { /* don't have enough sessions to keep that many keys around */ slot->maxKeyCount = 0; } else { slot->maxKeyCount = slot->tokenInfo.ulMaxSessionCount / 2; } /* Make sure our session handle is valid */ if (slot->session == CK_INVALID_HANDLE) { /* we know we don't have a valid session, go get one */ CK_SESSION_HANDLE session; /* session should be Readonly, serial */ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, slot, pk11_notify, &session); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); return SECFailure; } slot->session = session; } else { /* The session we have may be defunct (the token associated with it) * has been removed */ CK_SESSION_INFO sessionInfo; if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); if (crv == CKR_DEVICE_ERROR) { PK11_GETTAB(slot) ->C_CloseSession(slot->session); crv = CKR_SESSION_CLOSED; } if ((crv == CKR_SESSION_CLOSED) || (crv == CKR_SESSION_HANDLE_INVALID)) { crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, (slot->defRWSession ? CKF_RW_SESSION : 0) | CKF_SERIAL_SESSION, slot, pk11_notify, &slot->session); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); slot->session = CK_INVALID_HANDLE; if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); return SECFailure; } } if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); } nssToken = PK11Slot_GetNSSToken(slot); status = nssToken_Refresh(nssToken); /* null token is OK */ (void)nssToken_Destroy(nssToken); if (status != PR_SUCCESS) return SECFailure; /* Not all tokens have profile objects or even recognize what profile * objects are it's OK for pk11_ReadProfileList to fail */ (void)pk11_ReadProfileList(slot); if (!(slot->isInternal) && (slot->hasRandom)) { /* if this slot has a random number generater, use it to add entropy * to the internal slot. */ PK11SlotInfo *int_slot = PK11_GetInternalSlot(); if (int_slot) { unsigned char random_bytes[32]; /* if this slot can issue random numbers, get some entropy from * that random number generater and give it to our internal token. */ PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, random_bytes, sizeof(random_bytes)); PK11_ExitSlotMonitor(slot); if (crv == CKR_OK) { PK11_EnterSlotMonitor(int_slot); PK11_GETTAB(int_slot) ->C_SeedRandom(int_slot->session, random_bytes, sizeof(random_bytes)); PK11_ExitSlotMonitor(int_slot); } /* Now return the favor and send entropy to the token's random * number generater */ PK11_EnterSlotMonitor(int_slot); crv = PK11_GETTAB(int_slot)->C_GenerateRandom(int_slot->session, random_bytes, sizeof(random_bytes)); PK11_ExitSlotMonitor(int_slot); if (crv == CKR_OK) { PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, random_bytes, sizeof(random_bytes)); PK11_ExitSlotMonitor(slot); } PK11_FreeSlot(int_slot); } } /* work around a problem in softoken where it incorrectly * reports databases opened read only as read/write. */ if (slot->isInternal && !slot->readOnly) { CK_SESSION_HANDLE session = CK_INVALID_HANDLE; /* try to open a R/W session */ crv = PK11_GETTAB(slot)->C_OpenSession(slot->slotID, CKF_RW_SESSION | CKF_SERIAL_SESSION, slot, pk11_notify, &session); /* what a well behaved token should return if you open * a RW session on a read only token */ if (crv == CKR_TOKEN_WRITE_PROTECTED) { slot->readOnly = PR_TRUE; } else if (crv == CKR_OK) { CK_SESSION_INFO sessionInfo; /* Because of a second bug in softoken, which silently returns * a RO session, we need to check what type of session we got. */ crv = PK11_GETTAB(slot)->C_GetSessionInfo(session, &sessionInfo); if (crv == CKR_OK) { if ((sessionInfo.flags & CKF_RW_SESSION) == 0) { /* session was readonly, so this softoken slot must be readonly */ slot->readOnly = PR_TRUE; } } PK11_GETTAB(slot) ->C_CloseSession(session); } } return SECSuccess; } /* * initialize a new token * unlike initialize slot, this can be called multiple times in the lifetime * of NSS. It reads the information associated with a card or token, * that is not going to change unless the card or token changes. */ SECStatus PK11_TokenRefresh(PK11SlotInfo *slot) { CK_RV crv; /* set the slot flags to the current token values */ if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, &slot->tokenInfo); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); return SECFailure; } slot->flags = slot->tokenInfo.flags; slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); slot->hasRandom = ((slot->tokenInfo.flags & CKF_RNG) ? PR_TRUE : PR_FALSE); slot->protectedAuthPath = ((slot->tokenInfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? PR_TRUE : PR_FALSE); /* on some platforms Active Card incorrectly sets the * CKF_PROTECTED_AUTHENTICATION_PATH bit when it doesn't mean to. */ if (slot->isActiveCard) { slot->protectedAuthPath = PR_FALSE; } return SECSuccess; } static PRBool pk11_isRootSlot(PK11SlotInfo *slot) { CK_ATTRIBUTE findTemp[1]; CK_ATTRIBUTE *attrs; CK_OBJECT_CLASS oclass = CKO_NSS_BUILTIN_ROOT_LIST; size_t tsize; CK_OBJECT_HANDLE handle; attrs = findTemp; PK11_SETATTRS(attrs, CKA_CLASS, &oclass, sizeof(oclass)); attrs++; tsize = attrs - findTemp; PORT_Assert(tsize <= sizeof(findTemp) / sizeof(CK_ATTRIBUTE)); handle = pk11_FindObjectByTemplate(slot, findTemp, tsize); if (handle == CK_INVALID_HANDLE) { return PR_FALSE; } return PR_TRUE; } /* * Initialize the slot : * This initialization code is called on each slot a module supports when * it is loaded. It does the bringup initialization. The difference between * this and InitToken is Init slot does those one time initialization stuff, * usually associated with the reader, while InitToken may get called multiple * times as tokens are removed and re-inserted. */ void PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot) { SECStatus rv; CK_SLOT_INFO slotInfo; slot->functionList = mod->functionList; slot->isInternal = mod->internal; slot->slotID = slotID; slot->isThreadSafe = mod->isThreadSafe; slot->hasRSAInfo = PR_FALSE; slot->module = mod; /* NOTE: we don't make a reference here because * modules have references to their slots. This * works because modules keep implicit references * from their slots, and won't unload and disappear * until all their slots have been freed */ if (PK11_GetSlotInfo(slot, &slotInfo) != SECSuccess) { slot->disabled = PR_TRUE; slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; return; } /* test to make sure claimed mechanism work */ slot->needTest = mod->internal ? PR_FALSE : PR_TRUE; (void)PK11_MakeString(NULL, slot->slot_name, (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription)); slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT); #define ACTIVE_CARD "ActivCard SA" slot->isActiveCard = (PRBool)(PORT_Strncmp((char *)slotInfo.manufacturerID, ACTIVE_CARD, sizeof(ACTIVE_CARD) - 1) == 0); if ((slotInfo.flags & CKF_REMOVABLE_DEVICE) == 0) { slot->isPerm = PR_TRUE; /* permanment slots must have the token present always */ if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { slot->disabled = PR_TRUE; slot->reason = PK11_DIS_TOKEN_NOT_PRESENT; return; /* nothing else to do */ } } /* if the token is present, initialize it */ if ((slotInfo.flags & CKF_TOKEN_PRESENT) != 0) { rv = PK11_InitToken(slot, PR_TRUE); /* the only hard failures are on permanent devices, or function * verify failures... function verify failures are already handled * by tokenInit */ if ((rv != SECSuccess) && (slot->isPerm) && (!slot->disabled)) { slot->disabled = PR_TRUE; slot->reason = PK11_DIS_COULD_NOT_INIT_TOKEN; } if (rv == SECSuccess && pk11_isRootSlot(slot)) { if (!slot->hasRootCerts) { slot->module->trustOrder = 100; } slot->hasRootCerts = PR_TRUE; } } if ((slotInfo.flags & CKF_USER_PIN_INITIALIZED) != 0) { slot->flags |= CKF_USER_PIN_INITIALIZED; } } /********************************************************************* * Slot mapping utility functions. *********************************************************************/ /* * determine if the token is present. If the token is present, make sure * we have a valid session handle. Also set the value of needLogin * appropriately. */ static PRBool pk11_IsPresentCertLoad(PK11SlotInfo *slot, PRBool loadCerts) { CK_SLOT_INFO slotInfo; CK_SESSION_INFO sessionInfo; CK_RV crv; /* disabled slots are never present */ if (slot->disabled) { return PR_FALSE; } /* permanent slots are always present */ if (slot->isPerm && (slot->session != CK_INVALID_HANDLE)) { return PR_TRUE; } NSSToken *nssToken = PK11Slot_GetNSSToken(slot); if (nssToken) { PRBool present = nssToken_IsPresent(nssToken); (void)nssToken_Destroy(nssToken); return present; } /* removable slots have a flag that says they are present */ if (PK11_GetSlotInfo(slot, &slotInfo) != SECSuccess) { return PR_FALSE; } if ((slotInfo.flags & CKF_TOKEN_PRESENT) == 0) { /* if the slot is no longer present, close the session */ if (slot->session != CK_INVALID_HANDLE) { if (!slot->isThreadSafe) { PK11_EnterSlotMonitor(slot); } PK11_GETTAB(slot) ->C_CloseSession(slot->session); slot->session = CK_INVALID_HANDLE; if (!slot->isThreadSafe) { PK11_ExitSlotMonitor(slot); } } return PR_FALSE; } /* use the session Info to determine if the card has been removed and then * re-inserted */ if (slot->session != CK_INVALID_HANDLE) { if (slot->isThreadSafe) { PK11_EnterSlotMonitor(slot); } crv = PK11_GETTAB(slot)->C_GetSessionInfo(slot->session, &sessionInfo); if (crv != CKR_OK) { PK11_GETTAB(slot) ->C_CloseSession(slot->session); slot->session = CK_INVALID_HANDLE; } if (slot->isThreadSafe) { PK11_ExitSlotMonitor(slot); } } /* card has not been removed, current token info is correct */ if (slot->session != CK_INVALID_HANDLE) return PR_TRUE; /* initialize the token info state */ if (PK11_InitToken(slot, loadCerts) != SECSuccess) { return PR_FALSE; } return PR_TRUE; } /* * old version of the routine */ PRBool PK11_IsPresent(PK11SlotInfo *slot) { return pk11_IsPresentCertLoad(slot, PR_TRUE); } /* is the slot disabled? */ PRBool PK11_IsDisabled(PK11SlotInfo *slot) { return slot->disabled; } /* and why? */ PK11DisableReasons PK11_GetDisabledReason(PK11SlotInfo *slot) { return slot->reason; } /* returns PR_TRUE if successfully disable the slot */ /* returns PR_FALSE otherwise */ PRBool PK11_UserDisableSlot(PK11SlotInfo *slot) { /* Prevent users from disabling the internal module. */ if (slot->isInternal) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return PR_FALSE; } slot->defaultFlags |= PK11_DISABLE_FLAG; slot->disabled = PR_TRUE; slot->reason = PK11_DIS_USER_SELECTED; return PR_TRUE; } PRBool PK11_UserEnableSlot(PK11SlotInfo *slot) { slot->defaultFlags &= ~PK11_DISABLE_FLAG; slot->disabled = PR_FALSE; slot->reason = PK11_DIS_NONE; return PR_TRUE; } PRBool PK11_HasRootCerts(PK11SlotInfo *slot) { return slot->hasRootCerts; } /* Get the module this slot is attached to */ SECMODModule * PK11_GetModule(PK11SlotInfo *slot) { return slot->module; } /* return the default flags of a slot */ unsigned long PK11_GetDefaultFlags(PK11SlotInfo *slot) { return slot->defaultFlags; } /* * The following wrapper functions allow us to export an opaque slot * function to the rest of libsec and the world... */ PRBool PK11_IsReadOnly(PK11SlotInfo *slot) { return slot->readOnly; } PRBool PK11_IsHW(PK11SlotInfo *slot) { return slot->isHW; } PRBool PK11_IsRemovable(PK11SlotInfo *slot) { return !slot->isPerm; } PRBool PK11_IsInternal(PK11SlotInfo *slot) { return slot->isInternal; } PRBool PK11_IsInternalKeySlot(PK11SlotInfo *slot) { PK11SlotInfo *int_slot; PRBool result; if (!slot->isInternal) { return PR_FALSE; } int_slot = PK11_GetInternalKeySlot(); result = (int_slot == slot) ? PR_TRUE : PR_FALSE; PK11_FreeSlot(int_slot); return result; } PRBool PK11_NeedLogin(PK11SlotInfo *slot) { return slot->needLogin; } PRBool PK11_IsFriendly(PK11SlotInfo *slot) { /* internal slot always has public readable certs */ return (PRBool)(slot->isInternal || pk11_HasProfile(slot, CKP_PUBLIC_CERTIFICATES_TOKEN) || ((slot->defaultFlags & SECMOD_FRIENDLY_FLAG) == SECMOD_FRIENDLY_FLAG)); } char * PK11_GetTokenName(PK11SlotInfo *slot) { return slot->token_name; } char * PK11_GetTokenURI(PK11SlotInfo *slot) { PK11URI *uri; char *ret = NULL; char label[32 + 1], manufacturer[32 + 1], serial[16 + 1], model[16 + 1]; PK11URIAttribute attrs[4]; size_t nattrs = 0; PK11_MakeString(NULL, label, (char *)slot->tokenInfo.label, sizeof(slot->tokenInfo.label)); if (*label != '\0') { attrs[nattrs].name = PK11URI_PATTR_TOKEN; attrs[nattrs].value = label; nattrs++; } PK11_MakeString(NULL, manufacturer, (char *)slot->tokenInfo.manufacturerID, sizeof(slot->tokenInfo.manufacturerID)); if (*manufacturer != '\0') { attrs[nattrs].name = PK11URI_PATTR_MANUFACTURER; attrs[nattrs].value = manufacturer; nattrs++; } PK11_MakeString(NULL, serial, (char *)slot->tokenInfo.serialNumber, sizeof(slot->tokenInfo.serialNumber)); if (*serial != '\0') { attrs[nattrs].name = PK11URI_PATTR_SERIAL; attrs[nattrs].value = serial; nattrs++; } PK11_MakeString(NULL, model, (char *)slot->tokenInfo.model, sizeof(slot->tokenInfo.model)); if (*model != '\0') { attrs[nattrs].name = PK11URI_PATTR_MODEL; attrs[nattrs].value = model; nattrs++; } uri = PK11URI_CreateURI(attrs, nattrs, NULL, 0); if (uri == NULL) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return NULL; } ret = PK11URI_FormatURI(NULL, uri); PK11URI_DestroyURI(uri); if (ret == NULL) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); } return ret; } char * PK11_GetSlotName(PK11SlotInfo *slot) { return slot->slot_name; } int PK11_GetSlotSeries(PK11SlotInfo *slot) { return slot->series; } int PK11_GetCurrentWrapIndex(PK11SlotInfo *slot) { return slot->wrapKey; } CK_SLOT_ID PK11_GetSlotID(PK11SlotInfo *slot) { return slot->slotID; } SECMODModuleID PK11_GetModuleID(PK11SlotInfo *slot) { return slot->module->moduleID; } static void pk11_zeroTerminatedToBlankPadded(CK_CHAR *buffer, size_t buffer_size) { CK_CHAR *walk = buffer; CK_CHAR *end = buffer + buffer_size; /* find the NULL */ while (walk < end && *walk != '\0') { walk++; } /* clear out the buffer */ while (walk < end) { *walk++ = ' '; } } /* return the slot info structure */ SECStatus PK11_GetSlotInfo(PK11SlotInfo *slot, CK_SLOT_INFO *info) { CK_RV crv; if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); /* * some buggy drivers do not fill the buffer completely, * erase the buffer first */ PORT_Memset(info->slotDescription, ' ', sizeof(info->slotDescription)); PORT_Memset(info->manufacturerID, ' ', sizeof(info->manufacturerID)); crv = PK11_GETTAB(slot)->C_GetSlotInfo(slot->slotID, info); pk11_zeroTerminatedToBlankPadded(info->slotDescription, sizeof(info->slotDescription)); pk11_zeroTerminatedToBlankPadded(info->manufacturerID, sizeof(info->manufacturerID)); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); return SECFailure; } return SECSuccess; } /* return the token info structure */ SECStatus PK11_GetTokenInfo(PK11SlotInfo *slot, CK_TOKEN_INFO *info) { CK_RV crv; if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); /* * some buggy drivers do not fill the buffer completely, * erase the buffer first */ PORT_Memset(info->label, ' ', sizeof(info->label)); PORT_Memset(info->manufacturerID, ' ', sizeof(info->manufacturerID)); PORT_Memset(info->model, ' ', sizeof(info->model)); PORT_Memset(info->serialNumber, ' ', sizeof(info->serialNumber)); crv = PK11_GETTAB(slot)->C_GetTokenInfo(slot->slotID, info); pk11_zeroTerminatedToBlankPadded(info->label, sizeof(info->label)); pk11_zeroTerminatedToBlankPadded(info->manufacturerID, sizeof(info->manufacturerID)); pk11_zeroTerminatedToBlankPadded(info->model, sizeof(info->model)); pk11_zeroTerminatedToBlankPadded(info->serialNumber, sizeof(info->serialNumber)); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); return SECFailure; } return SECSuccess; } PRBool pk11_MatchUriTokenInfo(PK11SlotInfo *slot, PK11URI *uri) { const char *value; value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_TOKEN); if (value) { if (!pk11_MatchString(value, (char *)slot->tokenInfo.label, sizeof(slot->tokenInfo.label))) { return PR_FALSE; } } value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MANUFACTURER); if (value) { if (!pk11_MatchString(value, (char *)slot->tokenInfo.manufacturerID, sizeof(slot->tokenInfo.manufacturerID))) { return PR_FALSE; } } value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_SERIAL); if (value) { if (!pk11_MatchString(value, (char *)slot->tokenInfo.serialNumber, sizeof(slot->tokenInfo.serialNumber))) { return PR_FALSE; } } value = PK11URI_GetPathAttribute(uri, PK11URI_PATTR_MODEL); if (value) { if (!pk11_MatchString(value, (char *)slot->tokenInfo.model, sizeof(slot->tokenInfo.model))) { return PR_FALSE; } } return PR_TRUE; } /* Find out if we need to initialize the user's pin */ PRBool PK11_NeedUserInit(PK11SlotInfo *slot) { PRBool needUserInit = (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0); if (needUserInit) { CK_TOKEN_INFO info; SECStatus rv; /* see if token has been initialized off line */ rv = PK11_GetTokenInfo(slot, &info); if (rv == SECSuccess) { slot->flags = info.flags; } } return (PRBool)((slot->flags & CKF_USER_PIN_INITIALIZED) == 0); } static PK11SlotInfo *pk11InternalKeySlot = NULL; /* * Set a new default internal keyslot. If one has already been set, clear it. * Passing NULL falls back to the NSS normally selected default internal key * slot. */ void pk11_SetInternalKeySlot(PK11SlotInfo *slot) { if (pk11InternalKeySlot) { PK11_FreeSlot(pk11InternalKeySlot); } pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; } /* * Set a new default internal keyslot if the normal key slot has not already * been overridden. Subsequent calls to this function will be ignored unless * pk11_SetInternalKeySlot is used to clear the current default. */ void pk11_SetInternalKeySlotIfFirst(PK11SlotInfo *slot) { if (pk11InternalKeySlot) { return; } pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; } /* * Swap out a default internal keyslot. Caller owns the Slot Reference */ PK11SlotInfo * pk11_SwapInternalKeySlot(PK11SlotInfo *slot) { PK11SlotInfo *swap = pk11InternalKeySlot; pk11InternalKeySlot = slot ? PK11_ReferenceSlot(slot) : NULL; return swap; } /* get the internal key slot. FIPS has only one slot for both key slots and * default slots */ PK11SlotInfo * PK11_GetInternalKeySlot(void) { SECMODModule *mod; if (pk11InternalKeySlot) { return PK11_ReferenceSlot(pk11InternalKeySlot); } mod = SECMOD_GetInternalModule(); PORT_Assert(mod != NULL); if (!mod) { PORT_SetError(SEC_ERROR_NO_MODULE); return NULL; } return PK11_ReferenceSlot(mod->isFIPS ? mod->slots[0] : mod->slots[1]); } /* get the internal default slot */ PK11SlotInfo * PK11_GetInternalSlot(void) { SECMODModule *mod = SECMOD_GetInternalModule(); PORT_Assert(mod != NULL); if (!mod) { PORT_SetError(SEC_ERROR_NO_MODULE); return NULL; } if (mod->isFIPS) { return PK11_GetInternalKeySlot(); } return PK11_ReferenceSlot(mod->slots[0]); } /* * check if a given slot supports the requested mechanism */ PRBool PK11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type) { int i; /* CKM_FAKE_RANDOM is not a real PKCS mechanism. It's a marker to * tell us we're looking form someone that has implemented get * random bits */ if (type == CKM_FAKE_RANDOM) { return slot->hasRandom; } /* for most mechanism, bypass the linear lookup */ if (type < 0x7ff) { return (slot->mechanismBits[type & 0xff] & (1 << (type >> 8))) ? PR_TRUE : PR_FALSE; } for (i = 0; i < (int)slot->mechanismCount; i++) { if (slot->mechanismList[i] == type) return PR_TRUE; } return PR_FALSE; } PRBool pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, CK_FLAGS mechanismInfoFlags, unsigned int keySize); /* * Check that the given mechanism has the appropriate flags. This function * presumes that slot can already do the given mechanism. */ PRBool PK11_DoesMechanismFlag(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, CK_FLAGS flags) { return !pk11_filterSlot(slot, type, flags, 0); } /* * Return true if a token that can do the desired mechanism exists. * This allows us to have hardware tokens that can do function XYZ magically * allow SSL Ciphers to appear if they are plugged in. */ PRBool PK11_TokenExists(CK_MECHANISM_TYPE type) { SECMODModuleList *mlp; SECMODModuleList *modules; SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); PK11SlotInfo *slot; PRBool found = PR_FALSE; int i; if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return found; } /* we only need to know if there is a token that does this mechanism. * check the internal module first because it's fast, and supports * almost everything. */ slot = PK11_GetInternalSlot(); if (slot) { found = PK11_DoesMechanism(slot, type); PK11_FreeSlot(slot); } if (found) return PR_TRUE; /* bypass getting module locks */ SECMOD_GetReadLock(moduleLock); modules = SECMOD_GetDefaultModuleList(); for (mlp = modules; mlp != NULL && (!found); mlp = mlp->next) { for (i = 0; i < mlp->module->slotCount; i++) { slot = mlp->module->slots[i]; if (PK11_IsPresent(slot)) { if (PK11_DoesMechanism(slot, type)) { found = PR_TRUE; break; } } } } SECMOD_ReleaseReadLock(moduleLock); return found; } /* * get all the currently available tokens in a list. * that can perform the given mechanism. If mechanism is CKM_INVALID_MECHANISM, * get all the tokens. Make sure tokens that need authentication are put at * the end of this list. */ PK11SlotList * PK11_GetAllTokens(CK_MECHANISM_TYPE type, PRBool needRW, PRBool loadCerts, void *wincx) { PK11SlotList *list; PK11SlotList *loginList; PK11SlotList *friendlyList; SECMODModuleList *mlp; SECMODModuleList *modules; SECMODListLock *moduleLock; int i; moduleLock = SECMOD_GetDefaultModuleListLock(); if (!moduleLock) { PORT_SetError(SEC_ERROR_NOT_INITIALIZED); return NULL; } list = PK11_NewSlotList(); loginList = PK11_NewSlotList(); friendlyList = PK11_NewSlotList(); if ((list == NULL) || (loginList == NULL) || (friendlyList == NULL)) { if (list) PK11_FreeSlotList(list); if (loginList) PK11_FreeSlotList(loginList); if (friendlyList) PK11_FreeSlotList(friendlyList); return NULL; } SECMOD_GetReadLock(moduleLock); modules = SECMOD_GetDefaultModuleList(); for (mlp = modules; mlp != NULL; mlp = mlp->next) { for (i = 0; i < mlp->module->slotCount; i++) { PK11SlotInfo *slot = mlp->module->slots[i]; if (pk11_IsPresentCertLoad(slot, loadCerts)) { if (needRW && slot->readOnly) continue; if ((type == CKM_INVALID_MECHANISM) || PK11_DoesMechanism(slot, type)) { if (pk11_LoginStillRequired(slot, wincx)) { if (PK11_IsFriendly(slot)) { PK11_AddSlotToList(friendlyList, slot, PR_TRUE); } else { PK11_AddSlotToList(loginList, slot, PR_TRUE); } } else { PK11_AddSlotToList(list, slot, PR_TRUE); } } } } } SECMOD_ReleaseReadLock(moduleLock); pk11_MoveListToList(list, friendlyList); PK11_FreeSlotList(friendlyList); pk11_MoveListToList(list, loginList); PK11_FreeSlotList(loginList); return list; } /* * NOTE: This routine is working from a private List generated by * PK11_GetAllTokens. That is why it does not need to lock. */ PK11SlotList * PK11_GetPrivateKeyTokens(CK_MECHANISM_TYPE type, PRBool needRW, void *wincx) { PK11SlotList *list = PK11_GetAllTokens(type, needRW, PR_TRUE, wincx); PK11SlotListElement *le, *next; SECStatus rv; if (list == NULL) return list; for (le = list->head; le; le = next) { next = le->next; /* save the pointer here in case we have to * free the element later */ rv = PK11_Authenticate(le->slot, PR_TRUE, wincx); if (rv != SECSuccess) { PK11_DeleteSlotFromList(list, le); continue; } } return list; } /* * returns true if the slot doesn't conform to the requested attributes */ PRBool pk11_filterSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, CK_FLAGS mechanismInfoFlags, unsigned int keySize) { CK_MECHANISM_INFO mechanism_info; CK_RV crv = CKR_OK; /* handle the only case where we don't actually fetch the mechanisms * on the fly */ if ((keySize == 0) && (mechanism == CKM_RSA_PKCS) && (slot->hasRSAInfo)) { mechanism_info.flags = slot->RSAInfoFlags; } else { if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism, &mechanism_info); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); /* if we were getting the RSA flags, save them */ if ((crv == CKR_OK) && (mechanism == CKM_RSA_PKCS) && (!slot->hasRSAInfo)) { slot->RSAInfoFlags = mechanism_info.flags; slot->hasRSAInfo = PR_TRUE; } } /* couldn't get the mechanism info */ if (crv != CKR_OK) { return PR_TRUE; } if (keySize && ((mechanism_info.ulMinKeySize > keySize) || (mechanism_info.ulMaxKeySize < keySize))) { /* Token can do mechanism, but not at the key size we * want */ return PR_TRUE; } if (mechanismInfoFlags && ((mechanism_info.flags & mechanismInfoFlags) != mechanismInfoFlags)) { return PR_TRUE; } return PR_FALSE; } /* * Find the best slot which supports the given set of mechanisms and key sizes. * In normal cases this should grab the first slot on the list with no fuss. * The size array is presumed to match one for one with the mechanism type * array, which allows you to specify the required key size for each * mechanism in the list. Whether key size is in bits or bytes is mechanism * dependent. Typically asymetric keys are in bits and symetric keys are in * bytes. */ PK11SlotInfo * PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, CK_FLAGS *mechanismInfoFlags, unsigned int *keySize, unsigned int mech_count, void *wincx) { PK11SlotList *list = NULL; PK11SlotListElement *le; PK11SlotInfo *slot = NULL; PRBool freeit = PR_FALSE; PRBool listNeedLogin = PR_FALSE; unsigned int i; SECStatus rv; list = PK11_GetSlotList(type[0]); if ((list == NULL) || (list->head == NULL)) { /* We need to look up all the tokens for the mechanism */ list = PK11_GetAllTokens(type[0], PR_FALSE, PR_TRUE, wincx); freeit = PR_TRUE; } /* no one can do it! */ if (list == NULL) { PORT_SetError(SEC_ERROR_NO_TOKEN); return NULL; } PORT_SetError(0); listNeedLogin = PR_FALSE; for (i = 0; i < mech_count; i++) { if ((type[i] != CKM_FAKE_RANDOM) && (type[i] != CKM_SHA_1) && (type[i] != CKM_SHA224) && (type[i] != CKM_SHA256) && (type[i] != CKM_SHA384) && (type[i] != CKM_SHA512) && (type[i] != CKM_MD5) && (type[i] != CKM_MD2)) { listNeedLogin = PR_TRUE; break; } } for (le = PK11_GetFirstSafe(list); le; le = PK11_GetNextSafe(list, le, PR_TRUE)) { if (PK11_IsPresent(le->slot)) { PRBool doExit = PR_FALSE; for (i = 0; i < mech_count; i++) { if (!PK11_DoesMechanism(le->slot, type[i])) { doExit = PR_TRUE; break; } if ((mechanismInfoFlags && mechanismInfoFlags[i]) || (keySize && keySize[i])) { if (pk11_filterSlot(le->slot, type[i], mechanismInfoFlags ? mechanismInfoFlags[i] : 0, keySize ? keySize[i] : 0)) { doExit = PR_TRUE; break; } } } if (doExit) continue; if (listNeedLogin && le->slot->needLogin) { rv = PK11_Authenticate(le->slot, PR_TRUE, wincx); if (rv != SECSuccess) continue; } slot = le->slot; PK11_ReferenceSlot(slot); PK11_FreeSlotListElement(list, le); if (freeit) { PK11_FreeSlotList(list); } return slot; } } if (freeit) { PK11_FreeSlotList(list); } if (PORT_GetError() == 0) { PORT_SetError(SEC_ERROR_NO_TOKEN); } return NULL; } PK11SlotInfo * PK11_GetBestSlotMultiple(CK_MECHANISM_TYPE *type, unsigned int mech_count, void *wincx) { return PK11_GetBestSlotMultipleWithAttributes(type, NULL, NULL, mech_count, wincx); } /* original get best slot now calls the multiple version with only one type */ PK11SlotInfo * PK11_GetBestSlot(CK_MECHANISM_TYPE type, void *wincx) { return PK11_GetBestSlotMultipleWithAttributes(&type, NULL, NULL, 1, wincx); } PK11SlotInfo * PK11_GetBestSlotWithAttributes(CK_MECHANISM_TYPE type, CK_FLAGS mechanismFlags, unsigned int keySize, void *wincx) { return PK11_GetBestSlotMultipleWithAttributes(&type, &mechanismFlags, &keySize, 1, wincx); } int PK11_GetBestKeyLength(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism) { CK_MECHANISM_INFO mechanism_info; CK_RV crv; if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism, &mechanism_info); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) return 0; if (mechanism_info.ulMinKeySize == mechanism_info.ulMaxKeySize) return 0; return mechanism_info.ulMaxKeySize; } /* * This function uses the existing PKCS #11 module to find the * longest supported key length in the preferred token for a mechanism. * This varies from the above function in that 1) it returns the key length * even for fixed key algorithms, and 2) it looks through the tokens * generally rather than for a specific token. This is used in liu of * a PK11_GetKeyLength function in pk11mech.c since we can actually read * supported key lengths from PKCS #11. * * For symmetric key operations the length is returned in bytes. */ int PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism) { CK_MECHANISM_INFO mechanism_info; PK11SlotList *list = NULL; PK11SlotListElement *le; PRBool freeit = PR_FALSE; int keyLength = 0; list = PK11_GetSlotList(mechanism); if ((list == NULL) || (list->head == NULL)) { /* We need to look up all the tokens for the mechanism */ list = PK11_GetAllTokens(mechanism, PR_FALSE, PR_FALSE, NULL); freeit = PR_TRUE; } /* no tokens recognize this mechanism */ if (list == NULL) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return 0; } for (le = PK11_GetFirstSafe(list); le; le = PK11_GetNextSafe(list, le, PR_TRUE)) { PK11SlotInfo *slot = le->slot; CK_RV crv; if (PK11_IsPresent(slot)) { if (!slot->isThreadSafe) PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GetMechanismInfo(slot->slotID, mechanism, &mechanism_info); if (!slot->isThreadSafe) PK11_ExitSlotMonitor(slot); if ((crv == CKR_OK) && (mechanism_info.ulMaxKeySize != 0) && (mechanism_info.ulMaxKeySize != 0xffffffff)) { keyLength = mechanism_info.ulMaxKeySize; break; } } } /* fallback to pk11_GetPredefinedKeyLength for fixed key size algorithms */ if (keyLength == 0) { CK_KEY_TYPE keyType; keyType = PK11_GetKeyType(mechanism, 0); keyLength = pk11_GetPredefinedKeyLength(keyType); } if (le) PK11_FreeSlotListElement(list, le); if (freeit) PK11_FreeSlotList(list); return keyLength; } SECStatus PK11_SeedRandom(PK11SlotInfo *slot, unsigned char *data, int len) { CK_RV crv; PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_SeedRandom(slot->session, data, (CK_ULONG)len); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); return SECFailure; } return SECSuccess; } SECStatus PK11_GenerateRandomOnSlot(PK11SlotInfo *slot, unsigned char *data, int len) { CK_RV crv; if (!slot->isInternal) PK11_EnterSlotMonitor(slot); crv = PK11_GETTAB(slot)->C_GenerateRandom(slot->session, data, (CK_ULONG)len); if (!slot->isInternal) PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); return SECFailure; } return SECSuccess; } /* Attempts to update the Best Slot for "FAKE RANDOM" generation. ** If that's not the internal slot, then it also attempts to update the ** internal slot. ** The return value indicates if the INTERNAL slot was updated OK. */ SECStatus PK11_RandomUpdate(void *data, size_t bytes) { PK11SlotInfo *slot; PRBool bestIsInternal; SECStatus status; slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL); if (slot == NULL) { slot = PK11_GetInternalSlot(); if (!slot) return SECFailure; } bestIsInternal = PK11_IsInternal(slot); status = PK11_SeedRandom(slot, data, bytes); PK11_FreeSlot(slot); if (!bestIsInternal) { /* do internal slot, too. */ slot = PK11_GetInternalSlot(); PORT_Assert(slot); if (!slot) { return SECFailure; } status = PK11_SeedRandom(slot, data, bytes); PK11_FreeSlot(slot); } return status; } SECStatus PK11_GenerateRandom(unsigned char *data, int len) { PK11SlotInfo *slot; SECStatus rv; slot = PK11_GetBestSlot(CKM_FAKE_RANDOM, NULL); if (slot == NULL) return SECFailure; rv = PK11_GenerateRandomOnSlot(slot, data, len); PK11_FreeSlot(slot); return rv; } /* * Reset the token to it's initial state. For the internal module, this will * Purge your keydb, and reset your cert db certs to USER_INIT. */ SECStatus PK11_ResetToken(PK11SlotInfo *slot, char *sso_pwd) { unsigned char tokenName[32]; size_t tokenNameLen; CK_RV crv; /* reconstruct the token name */ tokenNameLen = PORT_Strlen(slot->token_name); if (tokenNameLen > sizeof(tokenName)) { tokenNameLen = sizeof(tokenName); } PORT_Memcpy(tokenName, slot->token_name, tokenNameLen); if (tokenNameLen < sizeof(tokenName)) { PORT_Memset(&tokenName[tokenNameLen], ' ', sizeof(tokenName) - tokenNameLen); } /* initialize the token */ PK11_EnterSlotMonitor(slot); /* first shutdown the token. Existing sessions will get closed here */ PK11_GETTAB(slot) ->C_CloseAllSessions(slot->slotID); slot->session = CK_INVALID_HANDLE; /* now re-init the token */ crv = PK11_GETTAB(slot)->C_InitToken(slot->slotID, (unsigned char *)sso_pwd, sso_pwd ? PORT_Strlen(sso_pwd) : 0, tokenName); /* finally bring the token back up */ PK11_InitToken(slot, PR_TRUE); PK11_ExitSlotMonitor(slot); if (crv != CKR_OK) { PORT_SetError(PK11_MapError(crv)); return SECFailure; } NSSToken *token = PK11Slot_GetNSSToken(slot); if (token) { nssTrustDomain_UpdateCachedTokenCerts(token->trustDomain, token); (void)nssToken_Destroy(token); } return SECSuccess; } void PK11Slot_SetNSSToken(PK11SlotInfo *sl, NSSToken *nsst) { NSSToken *old; if (nsst) { nsst = nssToken_AddRef(nsst); } PZ_Lock(sl->nssTokenLock); old = sl->nssToken; sl->nssToken = nsst; PZ_Unlock(sl->nssTokenLock); if (old) { (void)nssToken_Destroy(old); } } NSSToken * PK11Slot_GetNSSToken(PK11SlotInfo *sl) { NSSToken *rv = NULL; PZ_Lock(sl->nssTokenLock); if (sl->nssToken) { rv = nssToken_AddRef(sl->nssToken); } PZ_Unlock(sl->nssTokenLock); return rv; } PRBool pk11slot_GetFIPSStatus(PK11SlotInfo *slot, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, CK_ULONG operationType) { SECMODModule *mod = slot->module; CK_RV crv; CK_ULONG fipsState = CKS_NSS_FIPS_NOT_OK; /* handle the obvious conditions: * 1) the module doesn't have a fipsIndicator - fips state must be false */ if (mod->fipsIndicator == NULL) { return PR_FALSE; } /* 2) the session doesn't exist - fips state must be false */ if (session == CK_INVALID_HANDLE) { return PR_FALSE; } /* go fetch the state */ crv = mod->fipsIndicator(session, object, operationType, &fipsState); if (crv != CKR_OK) { return PR_FALSE; } return (fipsState == CKS_NSS_FIPS_OK) ? PR_TRUE : PR_FALSE; } PRBool PK11_SlotGetLastFIPSStatus(PK11SlotInfo *slot) { return pk11slot_GetFIPSStatus(slot, slot->session, CK_INVALID_HANDLE, CKT_NSS_SESSION_LAST_CHECK); } /* * wait for a token to change it's state. The application passes in the expected * new state in event. */ PK11TokenStatus PK11_WaitForTokenEvent(PK11SlotInfo *slot, PK11TokenEvent event, PRIntervalTime timeout, PRIntervalTime latency, int series) { PRIntervalTime first_time = 0; PRBool first_time_set = PR_FALSE; PRBool waitForRemoval; if (slot->isPerm) { return PK11TokenNotRemovable; } if (latency == 0) { latency = PR_SecondsToInterval(5); } waitForRemoval = (PRBool)(event == PK11TokenRemovedOrChangedEvent); if (series == 0) { series = PK11_GetSlotSeries(slot); } while (PK11_IsPresent(slot) == waitForRemoval) { PRIntervalTime interval; if (waitForRemoval && series != PK11_GetSlotSeries(slot)) { return PK11TokenChanged; } if (timeout == PR_INTERVAL_NO_WAIT) { return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; } if (timeout != PR_INTERVAL_NO_TIMEOUT) { interval = PR_IntervalNow(); if (!first_time_set) { first_time = interval; first_time_set = PR_TRUE; } if ((interval - first_time) > timeout) { return waitForRemoval ? PK11TokenPresent : PK11TokenRemoved; } } PR_Sleep(latency); } return waitForRemoval ? PK11TokenRemoved : PK11TokenPresent; }