Diffstat (limited to '')
-rw-r--r--security/nss/lib/softoken/Makefile76
-rw-r--r--security/nss/lib/softoken/config.mk65
-rw-r--r--security/nss/lib/softoken/exports.gyp44
-rw-r--r--security/nss/lib/softoken/fips_algorithms.h182
-rw-r--r--security/nss/lib/softoken/fipsaudt.c321
-rw-r--r--security/nss/lib/softoken/fipstest.c797
-rw-r--r--security/nss/lib/softoken/fipstokn.c2080
-rw-r--r--security/nss/lib/softoken/jpakesftk.c359
-rw-r--r--security/nss/lib/softoken/kbkdf.c1520
-rw-r--r--security/nss/lib/softoken/legacydb/Makefile60
-rw-r--r--security/nss/lib/softoken/legacydb/cdbhdl.h51
-rw-r--r--security/nss/lib/softoken/legacydb/config.mk50
-rw-r--r--security/nss/lib/softoken/legacydb/dbmshim.c539
-rw-r--r--security/nss/lib/softoken/legacydb/keydb.c2274
-rw-r--r--security/nss/lib/softoken/legacydb/keydbi.h52
-rw-r--r--security/nss/lib/softoken/legacydb/legacydb.gyp66
-rw-r--r--security/nss/lib/softoken/legacydb/lgattr.c1782
-rw-r--r--security/nss/lib/softoken/legacydb/lgcreate.c1020
-rw-r--r--security/nss/lib/softoken/legacydb/lgdb.h177
-rw-r--r--security/nss/lib/softoken/legacydb/lgdestroy.c110
-rw-r--r--security/nss/lib/softoken/legacydb/lgfind.c912
-rw-r--r--security/nss/lib/softoken/legacydb/lgfips.c120
-rw-r--r--security/nss/lib/softoken/legacydb/lginit.c661
-rw-r--r--security/nss/lib/softoken/legacydb/lgutil.c399
-rw-r--r--security/nss/lib/softoken/legacydb/lowcert.c854
-rw-r--r--security/nss/lib/softoken/legacydb/lowkey.c388
-rw-r--r--security/nss/lib/softoken/legacydb/lowkeyi.h148
-rw-r--r--security/nss/lib/softoken/legacydb/lowkeyti.h130
-rw-r--r--security/nss/lib/softoken/legacydb/manifest.mn32
-rw-r--r--security/nss/lib/softoken/legacydb/nssdbm.def31
-rw-r--r--security/nss/lib/softoken/legacydb/nssdbm.rc68
-rw-r--r--security/nss/lib/softoken/legacydb/pcert.h228
-rw-r--r--security/nss/lib/softoken/legacydb/pcertdb.c5350
-rw-r--r--security/nss/lib/softoken/legacydb/pcertt.h418
-rw-r--r--security/nss/lib/softoken/legacydb/pk11db.c731
-rw-r--r--security/nss/lib/softoken/lgglue.c422
-rw-r--r--security/nss/lib/softoken/lgglue.h59
-rw-r--r--security/nss/lib/softoken/lowkey.c544
-rw-r--r--security/nss/lib/softoken/lowkeyi.h70
-rw-r--r--security/nss/lib/softoken/lowkeyti.h100
-rw-r--r--security/nss/lib/softoken/lowpbe.c1820
-rw-r--r--security/nss/lib/softoken/lowpbe.h112
-rw-r--r--security/nss/lib/softoken/manifest.mn70
-rw-r--r--security/nss/lib/softoken/padbuf.c49
-rw-r--r--security/nss/lib/softoken/pkcs11.c5416
-rw-r--r--security/nss/lib/softoken/pkcs11c.c8965
-rw-r--r--security/nss/lib/softoken/pkcs11i.h977
-rw-r--r--security/nss/lib/softoken/pkcs11ni.h20
-rw-r--r--security/nss/lib/softoken/pkcs11u.c2563
-rw-r--r--security/nss/lib/softoken/sdb.c2469
-rw-r--r--security/nss/lib/softoken/sdb.h101
-rw-r--r--security/nss/lib/softoken/sftkdb.c3047
-rw-r--r--security/nss/lib/softoken/sftkdb.h75
-rw-r--r--security/nss/lib/softoken/sftkdbt.h12
-rw-r--r--security/nss/lib/softoken/sftkdbti.h82
-rw-r--r--security/nss/lib/softoken/sftkdhverify.c6845
-rw-r--r--security/nss/lib/softoken/sftkhmac.c477
-rw-r--r--security/nss/lib/softoken/sftkike.c1419
-rw-r--r--security/nss/lib/softoken/sftkmessage.c377
-rw-r--r--security/nss/lib/softoken/sftkpars.c268
-rw-r--r--security/nss/lib/softoken/sftkpwd.c1485
-rw-r--r--security/nss/lib/softoken/softkver.c18
-rw-r--r--security/nss/lib/softoken/softkver.h27
-rw-r--r--security/nss/lib/softoken/softoken.gyp111
-rw-r--r--security/nss/lib/softoken/softoken.h280
-rw-r--r--security/nss/lib/softoken/softokn.def39
-rw-r--r--security/nss/lib/softoken/softokn.rc68
-rw-r--r--security/nss/lib/softoken/softoknt.h46
-rw-r--r--security/nss/lib/softoken/tlsprf.c198
69 files changed, 60726 insertions, 0 deletions
diff --git a/security/nss/lib/softoken/Makefile b/security/nss/lib/softoken/Makefile
new file mode 100644
index 0000000000..68ad05753e
--- /dev/null
+++ b/security/nss/lib/softoken/Makefile
@@ -0,0 +1,76 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+ifdef NSS_NO_INIT_SUPPORT
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif
+ifeq ($(OS_TARGET),Linux)
+ifeq ($(CPU_ARCH),ppc)
+ifdef USE_64
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif # USE_64
+endif # ppc
+endif # Linux
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+ifdef NSS_DISABLE_DBM
+DIRS=
+endif
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+
+# indicates dependency on freebl static lib
+$(SHARED_LIBRARY): $(CRYPTOLIB)
+
+# On AIX 4.3, IBM xlC_r compiler (version 3.6.6) cannot compile
+# pkcs11c.c in 64-bit mode for unknown reasons. A workaround is
+# to compile it with optimizations turned on. (Bugzilla bug #63815)
+ifeq ($(OS_TARGET)$(OS_RELEASE),AIX4.3)
+ifeq ($(USE_64),1)
+ifndef BUILD_OPT
+$(OBJDIR)/pkcs11.o: pkcs11.c | $$(@D)/d
+ $(CC) -o $@ -c -O2 $(CFLAGS) $<
+
+$(OBJDIR)/pkcs11c.o: pkcs11c.c | $$(@D)/d
+ $(CC) -o $@ -c -O2 $(CFLAGS) $<
+endif
+endif
+endif
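Review bot: The Linux/ppc `ifdef USE_64` block under `ifeq ($(OS_TARGET),Linux)` sets `NSS_NO_INIT_SUPPORT` with no comment saying why, while the AIX workaround further down cites its bug number. This is not a cosmetic omission: fipstest.c in the same commit keys the constructor-attribute entry point for the FIPS power-up self tests on `!defined(NSS_NO_INIT_SUPPORT)`, so this block changes how those tests are triggered on that platform. I would put `# ppc64 Linux: no load-time init support; see <reason or bug reference>` above the `ifdef USE_64`, with the placeholder replaced by the actual justification.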
diff --git a/security/nss/lib/softoken/config.mk b/security/nss/lib/softoken/config.mk
new file mode 100644
index 0000000000..339f804938
--- /dev/null
+++ b/security/nss/lib/softoken/config.mk
@@ -0,0 +1,65 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+
+EXTRA_LIBS += \
+ $(CRYPTOLIB) \
+ $(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+ -L$(SQLITE_LIB_DIR) \
+ -l$(SQLITE_LIB_NAME) \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+else # ! NS_USE_GCC
+
+EXTRA_SHARED_LIBS += \
+ $(SQLITE_LIB_DIR)/$(SQLITE_LIB_NAME).lib \
+ $(NSSUTIL_LIB_DIR)/nssutil3.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+ $(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+ -L$(SQLITE_LIB_DIR) \
+ -l$(SQLITE_LIB_NAME) \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+endif
+
+ifeq ($(OS_TARGET),AIX)
+OS_LIBS += -lpthread
+endif
+
+ifdef NSS_ENABLE_FIPS_INDICATORS
+DEFINES += -DNSS_ENABLE_FIPS_INDICATORS
+endif
+
+ifdef NSS_FIPS_MODULE_ID
+DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"
+endif
+
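Review bot: `DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"` splices a build-environment value straight into a C string literal, so a value containing a double quote, a backslash or whitespace yields a broken or unintended define rather than a clear error at this point. Since the value presumably ends up as a vendor-visible module identifier, a comment stating the accepted character set, or a guard such as `ifneq (1,$(words $(NSS_FIPS_MODULE_ID)))` followed by `$(error NSS_FIPS_MODULE_ID must not contain whitespace)`, would make the constraint explicit. The rest of this file uses `$(...)` for variable references; `${...}` here is valid make but inconsistent.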
diff --git a/security/nss/lib/softoken/exports.gyp b/security/nss/lib/softoken/exports.gyp
new file mode 100644
index 0000000000..82b9817e6e
--- /dev/null
+++ b/security/nss/lib/softoken/exports.gyp
@@ -0,0 +1,44 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'lib_softoken_exports',
+ 'type': 'none',
+ 'copies': [
+ {
+ 'files': [
+ 'lowkeyi.h',
+ 'lowkeyti.h'
+ ],
+ 'destination': '<(nss_public_dist_dir)/<(module)'
+ },
+ {
+ 'files': [
+ 'pkcs11ni.h',
+ 'sdb.h',
+ 'sftkdbt.h',
+ 'softkver.h',
+ 'softoken.h',
+ 'softoknt.h'
+ ],
+ 'destination': '<(nss_private_dist_dir)/<(module)',
+ 'conditions': [
+ [ 'disable_dbm==0', {
+ 'files': [
+ 'lgglue.h',
+ ]
+ }]
+ ]
+ }
+ ]
+ }
+ ],
+ 'variables': {
+ 'module': 'nss'
+ }
+}
diff --git a/security/nss/lib/softoken/fips_algorithms.h b/security/nss/lib/softoken/fips_algorithms.h
new file mode 100644
index 0000000000..5ead006d57
--- /dev/null
+++ b/security/nss/lib/softoken/fips_algorithms.h
@@ -0,0 +1,182 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Vendors should replace this header file with the file containing those
+ * algorithms which have NIST algorithm Certificates.
+ */
+
+/* handle special cases. Classes require existing code to already be
+ * in place for that class */
+typedef enum {
+ SFTKFIPSNone = 0,
+ SFTKFIPSDH, /* allow only specific primes */
+ SFTKFIPSECC, /* not just keys but specific curves */
+ SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
+ SFTKFIPSRSAPSS
+} SFTKFIPSSpecialClass;
+
+typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList;
+struct SFTKFIPSAlgorithmListStr {
+ CK_MECHANISM_TYPE type;
+ CK_MECHANISM_INFO info;
+ CK_ULONG step;
+ SFTKFIPSSpecialClass special;
+};
+
+SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
+/* A sample set of algorithms to allow basic testing in our continous
+ * testing infrastructure. The vendor version should replace this with
+ * a version that matches their algorithm testing and security policy */
+/* NOTE, This looks a lot like the PKCS #11 mechanism list in pkcs11.c, it
+ * differs in the following ways:
+ * 1) the addition of step and class elements to help restrict
+ * the supported key sizes and types.
+ * 2) The mechanism flags are restricted to only those that map to
+ * fips approved operations.
+ * 3) All key sizes are in bits, independent of mechanism.
+ * 4) You can add more then one entry for the same mechanism to handle
+ * multiple descrete keys where the MIN/MAX/STEP semantics doesn't apply
+ * or where different operations have different key requirements.
+ * This table does not encode all the modules legal FIPS semantics, only
+ * those semantics that might possibly change due to algorithms dropping
+ * of the security policy late in the process. */
+/* handy common flag types */
+#define CKF_KPG CKF_GENERATE_KEY_PAIR
+#define CKF_GEN CKF_GENERATE
+#define CKF_SGN (CKF_SIGN | CKF_VERIFY)
+#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
+#define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
+#define CKF_KEA CKF_DERIVE
+#define CKF_KDF CKF_DERIVE
+#define CKF_HSH CKF_DIGEST
+#define CK_MAX 0xffffffffUL
+/* mechanisms using the same key types share the same key type
+ * limits */
+#define RSA_FB_KEY 2048, 4096 /* min, max */
+#define RSA_FB_STEP 1
+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
+#define RSA_LEGACY_FB_STEP 256
+#define DSA_FB_KEY 2048, 4096 /* min, max */
+#define DSA_FB_STEP 1024
+#define DH_FB_KEY 2048, 4096 /* min, max */
+#define DH_FB_STEP 1024
+#define EC_FB_KEY 256, 521 /* min, max */
+#define EC_FB_STEP 1 /* key limits handled by special operation */
+#define AES_FB_KEY 128, 256
+#define AES_FB_STEP 64
+ { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ /* -------------- RSA Multipart Signing Operations -------------------- */
+ { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ /* ------------------------- DSA Operations --------------------------- */
+ { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_PARAMETER_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+ /* -------------------- Diffie Hellman Operations --------------------- */
+ /* no diffie hellman yet */
+ { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH },
+ { CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH },
+ /* -------------------- Elliptic Curve Operations --------------------- */
+ { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ { CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+ /* ------------------------- RC2 Operations --------------------------- */
+ /* ------------------------- AES Operations --------------------------- */
+ { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_MAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_MAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },
+ { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+ { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone },
+ /* ------------------------- Hashing Operations ----------------------- */
+ { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA256_HMAC, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA256_HMAC_GENERAL, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA384_HMAC, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA384_HMAC_GENERAL, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+ { CKM_SHA512_HMAC, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA512_HMAC_GENERAL, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ /* --------------------- Secret Key Operations ------------------------ */
+ { CKM_GENERIC_SECRET_KEY_GEN, { 8, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ /* ---------------------- SSL/TLS operations ------------------------- */
+ { CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SHA384_KEY_DERIVATION, { 192, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_TLS_MAC, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ /* sigh, is this algorithm really tested. ssl doesn't seem to have a
+ * way of turning the extension off */
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },
+
+ /* ------------------------- HKDF Operations -------------------------- */
+ { CKM_HKDF_DERIVE, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_HKDF_DATA, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
+ /* ------------------ NIST 800-108 Key Derivations ------------------- */
+ { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ /* --------------------IPSEC ----------------------- */
+ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+ /* ------------------ PBE Key Derivations ------------------- */
+ { CKM_PKCS5_PBKD2, { 1, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 512, 512, CKF_GEN }, 1, SFTKFIPSNone }
+};
+const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
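Review bot: The legacy-size verify entries for `CKM_SHA224_RSA_PKCS` through `CKM_SHA512_RSA_PKCS` (the four lines beginning `{ CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }`) carry the `SFTKFIPSRSAPSS` special class, whereas the full-size entries for the same PKCS #1 v1.5 mechanisms just above use `SFTKFIPSNone`; if that class drives PSS-specific parameter checks in the consumer, applying it to non-PSS mechanisms looks like a copy-paste slip and should be changed to `SFTKFIPSNone` or documented as intentional. Two comments are stale or mistyped: `/* no diffie hellman yet */` sits directly above two DH entries and should be dropped, and `continous`, `descrete`, `more then` should read `continuous`, `discrete`, `more than`. Also worth a header comment: `sftk_fips_mechs[]` and `SFTK_NUMBER_FIPS_ALGORITHMS` are non-static definitions in a header with no include guard, so the file must be included by exactly one translation unit, and vendors replacing it per the top comment need to preserve that property, e.g. `/* Included by exactly one .c file: defines, not declares, the table. */`.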
diff --git a/security/nss/lib/softoken/fipsaudt.c b/security/nss/lib/softoken/fipsaudt.c
new file mode 100644
index 0000000000..e0fd641eb8
--- /dev/null
+++ b/security/nss/lib/softoken/fipsaudt.c
@@ -0,0 +1,321 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * This file implements audit logging required by FIPS 140-2 Security
+ * Level 2.
+ */
+
+#include "prprf.h"
+#include "softoken.h"
+
+/*
+ * Print the value of the returned object handle in the output buffer
+ * on a successful return of the PKCS #11 function. If the PKCS #11
+ * function failed or the pointer to object handle is NULL (which is
+ * the case for C_DeriveKey with CKM_TLS_KEY_AND_MAC_DERIVE), an empty
+ * string is stored in the output buffer.
+ *
+ * out: the output buffer
+ * outlen: the length of the output buffer
+ * argName: the name of the "pointer to object handle" argument
+ * phObject: the pointer to object handle
+ * rv: the return value of the PKCS #11 function
+ */
+static void
+sftk_PrintReturnedObjectHandle(char *out, PRUint32 outlen,
+ const char *argName, CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
+{
+ if ((rv == CKR_OK) && phObject) {
+ PR_snprintf(out, outlen,
+ " *%s=0x%08lX", argName, (PRUint32)*phObject);
+ } else {
+ PORT_Assert(outlen != 0);
+ out[0] = '\0';
+ }
+}
+
+/*
+ * MECHANISM_BUFSIZE needs to be large enough for sftk_PrintMechanism,
+ * which uses <= 49 bytes.
+ */
+#define MECHANISM_BUFSIZE 64
+
+static void
+sftk_PrintMechanism(char *out, PRUint32 outlen,
+ CK_MECHANISM_PTR pMechanism)
+{
+ if (pMechanism) {
+ /*
+ * If we change the format string, we need to make sure
+ * MECHANISM_BUFSIZE is still large enough. We allow
+ * 20 bytes for %p on a 64-bit platform.
+ */
+ PR_snprintf(out, outlen, "%p {mechanism=0x%08lX, ...}",
+ pMechanism, (PRUint32)pMechanism->mechanism);
+ } else {
+ PR_snprintf(out, outlen, "%p", pMechanism);
+ }
+}
+
+void
+sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phObject, CK_RV rv)
+{
+ char msg[256];
+ char shObject[32];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ sftk_PrintReturnedObjectHandle(shObject, sizeof shObject,
+ "phObject", phObject, rv);
+ PR_snprintf(msg, sizeof msg,
+ "C_CreateObject(hSession=0x%08lX, pTemplate=%p, ulCount=%lu, "
+ "phObject=%p)=0x%08lX%s",
+ (PRUint32)hSession, pTemplate, (PRUint32)ulCount,
+ phObject, (PRUint32)rv, shObject);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_LOAD_KEY, msg);
+}
+
+void
+sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv)
+{
+ char msg[256];
+ char shNewObject[32];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ sftk_PrintReturnedObjectHandle(shNewObject, sizeof shNewObject,
+ "phNewObject", phNewObject, rv);
+ PR_snprintf(msg, sizeof msg,
+ "C_CopyObject(hSession=0x%08lX, hObject=0x%08lX, "
+ "pTemplate=%p, ulCount=%lu, phNewObject=%p)=0x%08lX%s",
+ (PRUint32)hSession, (PRUint32)hObject,
+ pTemplate, (PRUint32)ulCount, phNewObject, (PRUint32)rv, shNewObject);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_COPY_KEY, msg);
+}
+
+/* WARNING: hObject has been destroyed and can only be printed. */
+void
+sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_RV rv)
+{
+ char msg[256];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ PR_snprintf(msg, sizeof msg,
+ "C_DestroyObject(hSession=0x%08lX, hObject=0x%08lX)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)hObject, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_DESTROY_KEY, msg);
+}
+
+void
+sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize, CK_RV rv)
+{
+ char msg[256];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ PR_snprintf(msg, sizeof msg,
+ "C_GetObjectSize(hSession=0x%08lX, hObject=0x%08lX, "
+ "pulSize=%p)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)hObject,
+ pulSize, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_ACCESS_KEY, msg);
+}
+
+void
+sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_RV rv)
+{
+ char msg[256];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ PR_snprintf(msg, sizeof msg,
+ "C_GetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
+ "pTemplate=%p, ulCount=%lu)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)hObject,
+ pTemplate, (PRUint32)ulCount, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_ACCESS_KEY, msg);
+}
+
+void
+sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_RV rv)
+{
+ char msg[256];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ PR_snprintf(msg, sizeof msg,
+ "C_SetAttributeValue(hSession=0x%08lX, hObject=0x%08lX, "
+ "pTemplate=%p, ulCount=%lu)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)hObject,
+ pTemplate, (PRUint32)ulCount, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_CHANGE_KEY, msg);
+}
+
+void
+sftk_AuditCryptInit(const char *opName, CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey, CK_RV rv)
+{
+ char msg[256];
+ char mech[MECHANISM_BUFSIZE];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+ PR_snprintf(msg, sizeof msg,
+ "C_%sInit(hSession=0x%08lX, pMechanism=%s, "
+ "hKey=0x%08lX)=0x%08lX",
+ opName, (PRUint32)hSession, mech,
+ (PRUint32)hKey, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_CRYPT, msg);
+}
+
+void
+sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
+{
+ char msg[256];
+ char mech[MECHANISM_BUFSIZE];
+ char shKey[32];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+ sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+ PR_snprintf(msg, sizeof msg,
+ "C_GenerateKey(hSession=0x%08lX, pMechanism=%s, "
+ "pTemplate=%p, ulCount=%lu, phKey=%p)=0x%08lX%s",
+ (PRUint32)hSession, mech,
+ pTemplate, (PRUint32)ulCount, phKey, (PRUint32)rv, shKey);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_GENERATE_KEY, msg);
+}
+
+void
+sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
+ CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv)
+{
+ char msg[512];
+ char mech[MECHANISM_BUFSIZE];
+ char shPublicKey[32];
+ char shPrivateKey[32];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+ sftk_PrintReturnedObjectHandle(shPublicKey, sizeof shPublicKey,
+ "phPublicKey", phPublicKey, rv);
+ sftk_PrintReturnedObjectHandle(shPrivateKey, sizeof shPrivateKey,
+ "phPrivateKey", phPrivateKey, rv);
+ PR_snprintf(msg, sizeof msg,
+ "C_GenerateKeyPair(hSession=0x%08lX, pMechanism=%s, "
+ "pPublicKeyTemplate=%p, ulPublicKeyAttributeCount=%lu, "
+ "pPrivateKeyTemplate=%p, ulPrivateKeyAttributeCount=%lu, "
+ "phPublicKey=%p, phPrivateKey=%p)=0x%08lX%s%s",
+ (PRUint32)hSession, mech,
+ pPublicKeyTemplate, (PRUint32)ulPublicKeyAttributeCount,
+ pPrivateKeyTemplate, (PRUint32)ulPrivateKeyAttributeCount,
+ phPublicKey, phPrivateKey, (PRUint32)rv, shPublicKey, shPrivateKey);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_GENERATE_KEY, msg);
+}
+
+void
+sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+ CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+ CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv)
+{
+ char msg[256];
+ char mech[MECHANISM_BUFSIZE];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+ PR_snprintf(msg, sizeof msg,
+ "C_WrapKey(hSession=0x%08lX, pMechanism=%s, hWrappingKey=0x%08lX, "
+ "hKey=0x%08lX, pWrappedKey=%p, pulWrappedKeyLen=%p)=0x%08lX",
+ (PRUint32)hSession, mech, (PRUint32)hWrappingKey,
+ (PRUint32)hKey, pWrappedKey, pulWrappedKeyLen, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_WRAP_KEY, msg);
+}
+
+void
+sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+ CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
+{
+ char msg[256];
+ char mech[MECHANISM_BUFSIZE];
+ char shKey[32];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+ sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+ PR_snprintf(msg, sizeof msg,
+ "C_UnwrapKey(hSession=0x%08lX, pMechanism=%s, "
+ "hUnwrappingKey=0x%08lX, pWrappedKey=%p, ulWrappedKeyLen=%lu, "
+ "pTemplate=%p, ulAttributeCount=%lu, phKey=%p)=0x%08lX%s",
+ (PRUint32)hSession, mech,
+ (PRUint32)hUnwrappingKey, pWrappedKey, (PRUint32)ulWrappedKeyLen,
+ pTemplate, (PRUint32)ulAttributeCount, phKey, (PRUint32)rv, shKey);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_UNWRAP_KEY, msg);
+}
+
+void
+sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv)
+{
+ char msg[512];
+ char mech[MECHANISM_BUFSIZE];
+ char shKey[32];
+ char sTlsKeys[128];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ sftk_PrintMechanism(mech, sizeof mech, pMechanism);
+ sftk_PrintReturnedObjectHandle(shKey, sizeof shKey, "phKey", phKey, rv);
+ if ((rv == CKR_OK) &&
+ (pMechanism->mechanism == CKM_TLS_KEY_AND_MAC_DERIVE)) {
+ CK_SSL3_KEY_MAT_PARAMS *param =
+ (CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter;
+ CK_SSL3_KEY_MAT_OUT *keymat = param->pReturnedKeyMaterial;
+ PR_snprintf(sTlsKeys, sizeof sTlsKeys,
+ " hClientMacSecret=0x%08lX hServerMacSecret=0x%08lX"
+ " hClientKey=0x%08lX hServerKey=0x%08lX",
+ (PRUint32)keymat->hClientMacSecret,
+ (PRUint32)keymat->hServerMacSecret,
+ (PRUint32)keymat->hClientKey,
+ (PRUint32)keymat->hServerKey);
+ } else {
+ sTlsKeys[0] = '\0';
+ }
+ PR_snprintf(msg, sizeof msg,
+ "C_DeriveKey(hSession=0x%08lX, pMechanism=%s, "
+ "hBaseKey=0x%08lX, pTemplate=%p, ulAttributeCount=%lu, "
+ "phKey=%p)=0x%08lX%s%s",
+ (PRUint32)hSession, mech,
+ (PRUint32)hBaseKey, pTemplate, (PRUint32)ulAttributeCount,
+ phKey, (PRUint32)rv, shKey, sTlsKeys);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_DERIVE_KEY, msg);
+}
+
+void
+sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hKey, CK_RV rv)
+{
+ char msg[256];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+
+ PR_snprintf(msg, sizeof msg,
+ "C_DigestKey(hSession=0x%08lX, hKey=0x%08lX)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)hKey, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_DIGEST_KEY, msg);
+}
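Review bot: Throughout this file the `l`-qualified conversions (`%08lX`, `%lu`) are paired with `(PRUint32)` casts, starting with `(PRUint32)hSession` in the first `PR_snprintf` call of `sftk_AuditCreateObject`; if PR_snprintf fetches an `l` conversion as `long`, as the C library's counterpart does, the argument width does not match on LP64 targets, and the cast additionally truncates `CK_SESSION_HANDLE`/`CK_OBJECT_HANDLE` values that are `CK_ULONG` there, so an audit record may not uniquely identify the handle it reports. The consistent fix is to cast to `(unsigned long)` instead, or to drop the `l` qualifier if narrowing to 32-bit handles is an intended property of this token. Separately, the `CKM_TLS_KEY_AND_MAC_DERIVE` branch in `sftk_AuditDeriveKey` dereferences `pMechanism->pParameter` and `param->pReturnedKeyMaterial` with no NULL check; that is only safe because `rv == CKR_OK` implies the derive already validated them, which deserves a comment such as `/* rv == CKR_OK: the derive already validated pParameter and pReturnedKeyMaterial */`.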
diff --git a/security/nss/lib/softoken/fipstest.c b/security/nss/lib/softoken/fipstest.c
new file mode 100644
index 0000000000..6010a50d6c
--- /dev/null
+++ b/security/nss/lib/softoken/fipstest.c
@@ -0,0 +1,797 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSS_FIPS_DISABLED
+#include "seccomon.h"
+#include "blapi.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "secoid.h"
+#include "secerr.h"
+#include "pkcs11i.h"
+#include "lowpbe.h"
+
+/*
+ * different platforms have different ways of calling and initial entry point
+ * when the dll/.so is loaded. Most platforms support either a posix pragma
+ * or the GCC attribute. Some platforms suppor a pre-defined name, and some
+ * platforms have a link line way of invoking this function.
+ */
+
+/* The pragma */
+#if defined(USE_INIT_PRAGMA)
+#pragma init(sftk_startup_tests)
+#endif
+
+/* GCC Attribute */
+#if defined(__GNUC__) && !defined(NSS_NO_INIT_SUPPORT)
+#define INIT_FUNCTION __attribute__((constructor))
+#else
+#define INIT_FUNCTION
+#endif
+
+static void INIT_FUNCTION sftk_startup_tests(void);
+
+/* Windows pre-defined entry */
+#if defined(XP_WIN) && !defined(NSS_NO_INIT_SUPPORT)
+#include <windows.h>
+
+BOOL WINAPI
+DllMain(
+ HINSTANCE hinstDLL, // handle to DLL module
+ DWORD fdwReason, // reason for calling function
+ LPVOID lpReserved) // reserved
+{
+ // Perform actions based on the reason for calling.
+ switch (fdwReason) {
+ case DLL_PROCESS_ATTACH:
+ // Initialize once for each new process.
+ // Return FALSE to fail DLL load.
+ sftk_startup_tests();
+ break;
+
+ case DLL_THREAD_ATTACH:
+ // Do thread-specific initialization.
+ break;
+
+ case DLL_THREAD_DETACH:
+ // Do thread-specific cleanup.
+ break;
+
+ case DLL_PROCESS_DETACH:
+ // Perform any necessary cleanup.
+ break;
+ }
+ return TRUE; // Successful DLL_PROCESS_ATTACH.
+}
+#endif
+
+/* FIPS preprocessor directives for RSA. */
+#define FIPS_RSA_TYPE siBuffer
+#define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3 /* 24-bits */
+#define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */
+#define FIPS_RSA_MESSAGE_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_COEFFICIENT_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_PRIME0_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_PRIME1_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_EXPONENT0_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_EXPONENT1_LENGTH 128 /* 1024-bits */
+#define FIPS_RSA_PRIVATE_EXPONENT_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_ENCRYPT_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_DECRYPT_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_SIGNATURE_LENGTH 256 /* 2048-bits */
+#define FIPS_RSA_MODULUS_LENGTH 256 /* 2048-bits */
+
+/*
+* Test the softoken RSA_HashSign and RSH_HashCheckSign.
+*/
+static SECStatus
+sftk_fips_RSA_PowerUpSigSelfTest(HASH_HashType shaAlg,
+ NSSLOWKEYPublicKey *rsa_public_key,
+ NSSLOWKEYPrivateKey *rsa_private_key,
+ const unsigned char *rsa_known_msg,
+ const unsigned int rsa_kmsg_length,
+ const unsigned char *rsa_known_signature)
+{
+ SECOidTag shaOid; /* SHA OID */
+ unsigned char sha[HASH_LENGTH_MAX]; /* SHA digest */
+ unsigned int shaLength = 0; /* length of SHA */
+ unsigned int rsa_bytes_signed;
+ unsigned char rsa_computed_signature[FIPS_RSA_SIGNATURE_LENGTH];
+ SECStatus rv;
+
+ if (shaAlg == HASH_AlgSHA1) {
+ if (SHA1_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
+ goto loser;
+ }
+ shaLength = SHA1_LENGTH;
+ shaOid = SEC_OID_SHA1;
+ } else if (shaAlg == HASH_AlgSHA256) {
+ if (SHA256_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
+ goto loser;
+ }
+ shaLength = SHA256_LENGTH;
+ shaOid = SEC_OID_SHA256;
+ } else if (shaAlg == HASH_AlgSHA384) {
+ if (SHA384_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
+ goto loser;
+ }
+ shaLength = SHA384_LENGTH;
+ shaOid = SEC_OID_SHA384;
+ } else if (shaAlg == HASH_AlgSHA512) {
+ if (SHA512_HashBuf(sha, rsa_known_msg, rsa_kmsg_length) != SECSuccess) {
+ goto loser;
+ }
+ shaLength = SHA512_LENGTH;
+ shaOid = SEC_OID_SHA512;
+ } else {
+ goto loser;
+ }
+
+ /*************************************************/
+ /* RSA Single-Round Known Answer Signature Test. */
+ /*************************************************/
+
+ /* Perform RSA signature with the RSA private key. */
+ rv = RSA_HashSign(shaOid,
+ rsa_private_key,
+ rsa_computed_signature,
+ &rsa_bytes_signed,
+ FIPS_RSA_SIGNATURE_LENGTH,
+ sha,
+ shaLength);
+
+ if ((rv != SECSuccess) ||
+ (rsa_bytes_signed != FIPS_RSA_SIGNATURE_LENGTH) ||
+ (PORT_Memcmp(rsa_computed_signature, rsa_known_signature,
+ FIPS_RSA_SIGNATURE_LENGTH) != 0)) {
+ goto loser;
+ }
+
+ /****************************************************/
+ /* RSA Single-Round Known Answer Verification Test. */
+ /****************************************************/
+
+ /* Perform RSA verification with the RSA public key. */
+ rv = RSA_HashCheckSign(shaOid,
+ rsa_public_key,
+ rsa_computed_signature,
+ rsa_bytes_signed,
+ sha,
+ shaLength);
+
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ return (SECSuccess);
+
+loser:
+
+ return (SECFailure);
+}
+
+static SECStatus
+sftk_fips_RSA_PowerUpSelfTest(void)
+{
+ /* RSA Known Modulus used in both Public/Private Key Values (2048-bits). */
+ static const PRUint8 rsa_modulus[FIPS_RSA_MODULUS_LENGTH] = {
+ 0xb8, 0x15, 0x00, 0x33, 0xda, 0x0c, 0x9d, 0xa5,
+ 0x14, 0x8c, 0xde, 0x1f, 0x23, 0x07, 0x54, 0xe2,
+ 0xc6, 0xb9, 0x51, 0x04, 0xc9, 0x65, 0x24, 0x6e,
+ 0x0a, 0x46, 0x34, 0x5c, 0x37, 0x86, 0x6b, 0x88,
+ 0x24, 0x27, 0xac, 0xa5, 0x02, 0x79, 0xfb, 0xed,
+ 0x75, 0xc5, 0x3f, 0x6e, 0xdf, 0x05, 0x5f, 0x0f,
+ 0x20, 0x70, 0xa0, 0x5b, 0x85, 0xdb, 0xac, 0xb9,
+ 0x5f, 0x02, 0xc2, 0x64, 0x1e, 0x84, 0x5b, 0x3e,
+ 0xad, 0xbf, 0xf6, 0x2e, 0x51, 0xd6, 0xad, 0xf7,
+ 0xa7, 0x86, 0x75, 0x86, 0xec, 0xa7, 0xe1, 0xf7,
+ 0x08, 0xbf, 0xdc, 0x56, 0xb1, 0x3b, 0xca, 0xd8,
+ 0xfc, 0x51, 0xdf, 0x9a, 0x2a, 0x37, 0x06, 0xf2,
+ 0xd1, 0x6b, 0x9a, 0x5e, 0x2a, 0xe5, 0x20, 0x57,
+ 0x35, 0x9f, 0x1f, 0x98, 0xcf, 0x40, 0xc7, 0xd6,
+ 0x98, 0xdb, 0xde, 0xf5, 0x64, 0x53, 0xf7, 0x9d,
+ 0x45, 0xf3, 0xd6, 0x78, 0xb9, 0xe3, 0xa3, 0x20,
+ 0xcd, 0x79, 0x43, 0x35, 0xef, 0xd7, 0xfb, 0xb9,
+ 0x80, 0x88, 0x27, 0x2f, 0x63, 0xa8, 0x67, 0x3d,
+ 0x4a, 0xfa, 0x06, 0xc6, 0xd2, 0x86, 0x0b, 0xa7,
+ 0x28, 0xfd, 0xe0, 0x1e, 0x93, 0x4b, 0x17, 0x2e,
+ 0xb0, 0x11, 0x6f, 0xc6, 0x2b, 0x98, 0x0f, 0x15,
+ 0xe3, 0x87, 0x16, 0x7a, 0x7c, 0x67, 0x3e, 0x12,
+ 0x2b, 0xf8, 0xbe, 0x48, 0xc1, 0x97, 0x47, 0xf4,
+ 0x1f, 0x81, 0x80, 0x12, 0x28, 0xe4, 0x7b, 0x1e,
+ 0xb7, 0x00, 0xa4, 0xde, 0xaa, 0xfb, 0x0f, 0x77,
+ 0x84, 0xa3, 0xd6, 0xb2, 0x03, 0x48, 0xdd, 0x53,
+ 0x8b, 0x46, 0x41, 0x28, 0x52, 0xc4, 0x53, 0xf0,
+ 0x1c, 0x95, 0xd9, 0x36, 0xe0, 0x0f, 0x26, 0x46,
+ 0x9c, 0x61, 0x0e, 0x80, 0xca, 0x86, 0xaf, 0x39,
+ 0x95, 0xe5, 0x60, 0x43, 0x61, 0x3e, 0x2b, 0xb4,
+ 0xe8, 0xbd, 0x8d, 0x77, 0x62, 0xf5, 0x32, 0x43,
+ 0x2f, 0x4b, 0x65, 0x82, 0x14, 0xdd, 0x29, 0x5b
+ };
+
+ /* RSA Known Public Key Values (24-bits). */
+ static const PRUint8 rsa_public_exponent[FIPS_RSA_PUBLIC_EXPONENT_LENGTH] = { 0x01, 0x00, 0x01 };
+ /* RSA Known Private Key Values (version is 8-bits), */
+ /* (private exponent is 2048-bits), */
+ /* (private prime0 is 1024-bits), */
+ /* (private prime1 is 1024-bits), */
+ /* (private prime exponent0 is 1024-bits), */
+ /* (private prime exponent1 is 1024-bits), */
+ /* and (private coefficient is 1024-bits). */
+ static const PRUint8 rsa_version[] = { 0x00 };
+
+ static const PRUint8 rsa_private_exponent[FIPS_RSA_PRIVATE_EXPONENT_LENGTH] = {
+ 0x29, 0x08, 0x05, 0x53, 0x89, 0x76, 0xe6, 0x6c,
+ 0xb5, 0x77, 0xf0, 0xca, 0xdf, 0xf3, 0xf2, 0x67,
+ 0xda, 0x03, 0xd4, 0x9b, 0x4c, 0x88, 0xce, 0xe5,
+ 0xf8, 0x44, 0x4d, 0xc7, 0x80, 0x58, 0xe5, 0xff,
+ 0x22, 0x8f, 0xf5, 0x5b, 0x92, 0x81, 0xbe, 0x35,
+ 0xdf, 0xda, 0x67, 0x99, 0x3e, 0xfc, 0xe3, 0x83,
+ 0x6b, 0xa7, 0xaf, 0x16, 0xb7, 0x6f, 0x8f, 0xc0,
+ 0x81, 0xfd, 0x0b, 0x77, 0x65, 0x95, 0xfb, 0x00,
+ 0xad, 0x99, 0xec, 0x35, 0xc6, 0xe8, 0x23, 0x3e,
+ 0xe0, 0x88, 0x88, 0x09, 0xdb, 0x16, 0x50, 0xb7,
+ 0xcf, 0xab, 0x74, 0x61, 0x9e, 0x7f, 0xc5, 0x67,
+ 0x38, 0x56, 0xc7, 0x90, 0x85, 0x78, 0x5e, 0x84,
+ 0x21, 0x49, 0xea, 0xce, 0xb2, 0xa0, 0xff, 0xe4,
+ 0x70, 0x7f, 0x57, 0x7b, 0xa8, 0x36, 0xb8, 0x54,
+ 0x8d, 0x1d, 0xf5, 0x44, 0x9d, 0x68, 0x59, 0xf9,
+ 0x24, 0x6e, 0x85, 0x8f, 0xc3, 0x5f, 0x8a, 0x2c,
+ 0x94, 0xb7, 0xbc, 0x0e, 0xa5, 0xef, 0x93, 0x06,
+ 0x38, 0xcd, 0x07, 0x0c, 0xae, 0xb8, 0x44, 0x1a,
+ 0xd8, 0xe7, 0xf5, 0x9a, 0x1e, 0x9c, 0x18, 0xc7,
+ 0x6a, 0xc2, 0x7f, 0x28, 0x01, 0x4f, 0xb4, 0xb8,
+ 0x90, 0x97, 0x5a, 0x43, 0x38, 0xad, 0xe8, 0x95,
+ 0x68, 0x83, 0x1a, 0x1b, 0x10, 0x07, 0xe6, 0x02,
+ 0x52, 0x1f, 0xbf, 0x76, 0x6b, 0x46, 0xd6, 0xfb,
+ 0xc3, 0xbe, 0xb5, 0xac, 0x52, 0x53, 0x01, 0x1c,
+ 0xf3, 0xc5, 0xeb, 0x64, 0xf2, 0x1e, 0xc4, 0x38,
+ 0xe9, 0xaa, 0xd9, 0xc3, 0x72, 0x51, 0xa5, 0x44,
+ 0x58, 0x69, 0x0b, 0x1b, 0x98, 0x7f, 0xf2, 0x23,
+ 0xff, 0xeb, 0xf0, 0x75, 0x24, 0xcf, 0xc5, 0x1e,
+ 0xb8, 0x6a, 0xc5, 0x2f, 0x4f, 0x23, 0x50, 0x7d,
+ 0x15, 0x9d, 0x19, 0x7a, 0x0b, 0x82, 0xe0, 0x21,
+ 0x5b, 0x5f, 0x9d, 0x50, 0x2b, 0x83, 0xe4, 0x48,
+ 0xcc, 0x39, 0xe5, 0xfb, 0x13, 0x7b, 0x6f, 0x81
+ };
+
+ static const PRUint8 rsa_prime0[FIPS_RSA_PRIME0_LENGTH] = {
+ 0xe4, 0xbf, 0x21, 0x62, 0x9b, 0xa9, 0x77, 0x40,
+ 0x8d, 0x2a, 0xce, 0xa1, 0x67, 0x5a, 0x4c, 0x96,
+ 0x45, 0x98, 0x67, 0xbd, 0x75, 0x22, 0x33, 0x6f,
+ 0xe6, 0xcb, 0x77, 0xde, 0x9e, 0x97, 0x7d, 0x96,
+ 0x8c, 0x5e, 0x5d, 0x34, 0xfb, 0x27, 0xfc, 0x6d,
+ 0x74, 0xdb, 0x9d, 0x2e, 0x6d, 0xf6, 0xea, 0xfc,
+ 0xce, 0x9e, 0xda, 0xa7, 0x25, 0xa2, 0xf4, 0x58,
+ 0x6d, 0x0a, 0x3f, 0x01, 0xc2, 0xb4, 0xab, 0x38,
+ 0xc1, 0x14, 0x85, 0xb6, 0xfa, 0x94, 0xc3, 0x85,
+ 0xf9, 0x3c, 0x2e, 0x96, 0x56, 0x01, 0xe7, 0xd6,
+ 0x14, 0x71, 0x4f, 0xfb, 0x4c, 0x85, 0x52, 0xc4,
+ 0x61, 0x1e, 0xa5, 0x1e, 0x96, 0x13, 0x0d, 0x8f,
+ 0x66, 0xae, 0xa0, 0xcd, 0x7d, 0x25, 0x66, 0x19,
+ 0x15, 0xc2, 0xcf, 0xc3, 0x12, 0x3c, 0xe8, 0xa4,
+ 0x52, 0x4c, 0xcb, 0x28, 0x3c, 0xc4, 0xbf, 0x95,
+ 0x33, 0xe3, 0x81, 0xea, 0x0c, 0x6c, 0xa2, 0x05
+ };
+ static const PRUint8 rsa_prime1[FIPS_RSA_PRIME1_LENGTH] = {
+ 0xce, 0x03, 0x94, 0xf4, 0xa9, 0x2c, 0x1e, 0x06,
+ 0xe7, 0x40, 0x30, 0x01, 0xf7, 0xbb, 0x68, 0x8c,
+ 0x27, 0xd2, 0x15, 0xe3, 0x28, 0x49, 0x5b, 0xa8,
+ 0xc1, 0x9a, 0x42, 0x7e, 0x31, 0xf9, 0x08, 0x34,
+ 0x81, 0xa2, 0x0f, 0x04, 0x61, 0x34, 0xe3, 0x36,
+ 0x92, 0xb1, 0x09, 0x2b, 0xe9, 0xef, 0x84, 0x88,
+ 0xbe, 0x9c, 0x98, 0x60, 0xa6, 0x60, 0x84, 0xe9,
+ 0x75, 0x6f, 0xcc, 0x81, 0xd1, 0x96, 0xef, 0xdd,
+ 0x2e, 0xca, 0xc4, 0xf5, 0x42, 0xfb, 0x13, 0x2b,
+ 0x57, 0xbf, 0x14, 0x5e, 0xc2, 0x7f, 0x77, 0x35,
+ 0x29, 0xc4, 0xe5, 0xe0, 0xf9, 0x6d, 0x15, 0x4a,
+ 0x42, 0x56, 0x1c, 0x3e, 0x0c, 0xc5, 0xce, 0x70,
+ 0x08, 0x63, 0x1e, 0x73, 0xdb, 0x7e, 0x74, 0x05,
+ 0x32, 0x01, 0xc6, 0x36, 0x32, 0x75, 0x6b, 0xed,
+ 0x9d, 0xfe, 0x7c, 0x7e, 0xa9, 0x57, 0xb4, 0xe9,
+ 0x22, 0xe4, 0xe7, 0xfe, 0x36, 0x07, 0x9b, 0xdf
+ };
+ static const PRUint8 rsa_exponent0[FIPS_RSA_EXPONENT0_LENGTH] = {
+ 0x04, 0x5a, 0x3a, 0xa9, 0x64, 0xaa, 0xd9, 0xd1,
+ 0x09, 0x9e, 0x99, 0xe5, 0xea, 0x50, 0x86, 0x8a,
+ 0x89, 0x72, 0x77, 0xee, 0xdb, 0xee, 0xb5, 0xa9,
+ 0xd8, 0x6b, 0x60, 0xb1, 0x84, 0xb4, 0xff, 0x37,
+ 0xc1, 0x1d, 0xfe, 0x8a, 0x06, 0x89, 0x61, 0x3d,
+ 0x37, 0xef, 0x01, 0xd3, 0xa3, 0x56, 0x02, 0x6c,
+ 0xa3, 0x05, 0xd4, 0xc5, 0x3f, 0x6b, 0x15, 0x59,
+ 0x25, 0x61, 0xff, 0x86, 0xea, 0x0c, 0x84, 0x01,
+ 0x85, 0x72, 0xfd, 0x84, 0x58, 0xca, 0x41, 0xda,
+ 0x27, 0xbe, 0xe4, 0x68, 0x09, 0xe4, 0xe9, 0x63,
+ 0x62, 0x6a, 0x31, 0x8a, 0x67, 0x8f, 0x55, 0xde,
+ 0xd4, 0xb6, 0x3f, 0x90, 0x10, 0x6c, 0xf6, 0x62,
+ 0x17, 0x23, 0x15, 0x7e, 0x33, 0x76, 0x65, 0xb5,
+ 0xee, 0x7b, 0x11, 0x76, 0xf5, 0xbe, 0xe0, 0xf2,
+ 0x57, 0x7a, 0x8c, 0x97, 0x0c, 0x68, 0xf5, 0xf8,
+ 0x41, 0xcf, 0x7f, 0x66, 0x53, 0xac, 0x31, 0x7d
+ };
+ static const PRUint8 rsa_exponent1[FIPS_RSA_EXPONENT1_LENGTH] = {
+ 0x93, 0x54, 0x14, 0x6e, 0x73, 0x9d, 0x4d, 0x4b,
+ 0xfa, 0x8c, 0xf8, 0xc8, 0x2f, 0x76, 0x22, 0xea,
+ 0x38, 0x80, 0x11, 0x8f, 0x05, 0xfc, 0x90, 0x44,
+ 0x3b, 0x50, 0x2a, 0x45, 0x3d, 0x4f, 0xaf, 0x02,
+ 0x7d, 0xc2, 0x7b, 0xa2, 0xd2, 0x31, 0x94, 0x5c,
+ 0x2e, 0xc3, 0xd4, 0x9f, 0x47, 0x09, 0x37, 0x6a,
+ 0xe3, 0x85, 0xf1, 0xa3, 0x0c, 0xd8, 0xf1, 0xb4,
+ 0x53, 0x7b, 0xc4, 0x71, 0x02, 0x86, 0x42, 0xbb,
+ 0x96, 0xff, 0x03, 0xa3, 0xb2, 0x67, 0x03, 0xea,
+ 0x77, 0x31, 0xfb, 0x4b, 0x59, 0x24, 0xf7, 0x07,
+ 0x59, 0xfb, 0xa9, 0xba, 0x1e, 0x26, 0x58, 0x97,
+ 0x66, 0xa1, 0x56, 0x49, 0x39, 0xb1, 0x2c, 0x55,
+ 0x0a, 0x6a, 0x78, 0x18, 0xba, 0xdb, 0xcf, 0xf4,
+ 0xf7, 0x32, 0x35, 0xa2, 0x04, 0xab, 0xdc, 0xa7,
+ 0x6d, 0xd9, 0xd5, 0x06, 0x6f, 0xec, 0x7d, 0x40,
+ 0x4c, 0xe8, 0x0e, 0xd0, 0xc9, 0xaa, 0xdf, 0x59
+ };
+ static const PRUint8 rsa_coefficient[FIPS_RSA_COEFFICIENT_LENGTH] = {
+ 0x17, 0xd7, 0xf5, 0x0a, 0xf0, 0x68, 0x97, 0x96,
+ 0xc4, 0x29, 0x18, 0x77, 0x9a, 0x1f, 0xe3, 0xf3,
+ 0x12, 0x13, 0x0f, 0x7e, 0x7b, 0xb9, 0xc1, 0x91,
+ 0xf9, 0xc7, 0x08, 0x56, 0x5c, 0xa4, 0xbc, 0x83,
+ 0x71, 0xf9, 0x78, 0xd9, 0x2b, 0xec, 0xfe, 0x6b,
+ 0xdc, 0x2f, 0x63, 0xc9, 0xcd, 0x50, 0x14, 0x5b,
+ 0xd3, 0x6e, 0x85, 0x4d, 0x0c, 0xa2, 0x0b, 0xa0,
+ 0x09, 0xb6, 0xca, 0x34, 0x9c, 0xc2, 0xc1, 0x4a,
+ 0xb0, 0xbc, 0x45, 0x93, 0xa5, 0x7e, 0x99, 0xb5,
+ 0xbd, 0xe4, 0x69, 0x29, 0x08, 0x28, 0xd2, 0xcd,
+ 0xab, 0x24, 0x78, 0x48, 0x41, 0x26, 0x0b, 0x37,
+ 0xa3, 0x43, 0xd1, 0x95, 0x1a, 0xd6, 0xee, 0x22,
+ 0x1c, 0x00, 0x0b, 0xc2, 0xb7, 0xa4, 0xa3, 0x21,
+ 0xa9, 0xcd, 0xe4, 0x69, 0xd3, 0x45, 0x02, 0xb1,
+ 0xb7, 0x3a, 0xbf, 0x51, 0x35, 0x1b, 0x78, 0xc2,
+ 0xcf, 0x0c, 0x0d, 0x60, 0x09, 0xa9, 0x44, 0x02
+ };
+
+ /* RSA Known Plaintext Message (1024-bits). */
+ static const PRUint8 rsa_known_plaintext_msg[FIPS_RSA_MESSAGE_LENGTH] = {
+ "Known plaintext message utilized"
+ "for RSA Encryption & Decryption"
+ "blocks SHA256, SHA384 and "
+ "SHA512 RSA Signature KAT tests. "
+ "Known plaintext message utilized"
+ "for RSA Encryption & Decryption"
+ "blocks SHA256, SHA384 and "
+ "SHA512 RSA Signature KAT tests."
+ };
+
+ /* RSA Known Signed Hash (2048-bits). */
+ static const PRUint8 rsa_known_sha256_signature[] = {
+ 0x8c, 0x2d, 0x2e, 0xfb, 0x37, 0xb5, 0x6f, 0x38,
+ 0x9f, 0x06, 0x5a, 0xf3, 0x8c, 0xa0, 0xd0, 0x7a,
+ 0xde, 0xcf, 0xf9, 0x14, 0x95, 0x59, 0xd3, 0x5f,
+ 0x51, 0x5d, 0x5d, 0xad, 0xd8, 0x71, 0x33, 0x50,
+ 0x1d, 0x03, 0x3b, 0x3a, 0x32, 0x00, 0xb4, 0xde,
+ 0x7f, 0xe4, 0xb1, 0xe5, 0x6b, 0x83, 0xf4, 0x80,
+ 0x10, 0x3b, 0xb8, 0x8a, 0xdb, 0xe8, 0x0a, 0x42,
+ 0x9e, 0x8d, 0xd7, 0xbe, 0xed, 0xde, 0x5a, 0x3d,
+ 0xc6, 0xdb, 0xfe, 0x49, 0x6a, 0xe9, 0x1e, 0x75,
+ 0x66, 0xf1, 0x3f, 0x9e, 0x3f, 0xff, 0x05, 0x65,
+ 0xde, 0xca, 0x62, 0x62, 0xf3, 0xec, 0x53, 0x09,
+ 0xa0, 0x37, 0xd5, 0x66, 0x62, 0x72, 0x14, 0xb6,
+ 0x51, 0x32, 0x67, 0x50, 0xc1, 0xe1, 0x2f, 0x9e,
+ 0x98, 0x4e, 0x53, 0x96, 0x55, 0x4b, 0xc4, 0x92,
+ 0xc3, 0xb4, 0x80, 0xf0, 0x35, 0xc9, 0x00, 0x4b,
+ 0x5c, 0x85, 0x92, 0xb1, 0xe8, 0x6e, 0xa5, 0x51,
+ 0x38, 0x9f, 0xc9, 0x11, 0xb6, 0x14, 0xdf, 0x34,
+ 0x64, 0x40, 0x82, 0x82, 0xde, 0x16, 0x69, 0x93,
+ 0x89, 0x4e, 0x5c, 0x32, 0xf2, 0x0a, 0x4e, 0x9e,
+ 0xbd, 0x63, 0x99, 0x4f, 0xf3, 0x15, 0x90, 0xc2,
+ 0xfe, 0x6f, 0xb7, 0xf4, 0xad, 0xd4, 0x8e, 0x0b,
+ 0xd2, 0xf5, 0x22, 0xd2, 0x71, 0x65, 0x13, 0xf7,
+ 0x82, 0x7b, 0x75, 0xb6, 0xc1, 0xb4, 0x45, 0xbd,
+ 0x8f, 0x95, 0xcf, 0x5b, 0x95, 0x32, 0xef, 0x18,
+ 0x5f, 0xd3, 0xdf, 0x7e, 0x22, 0xdd, 0x25, 0xeb,
+ 0xe1, 0xbf, 0x3b, 0x9a, 0x55, 0x75, 0x4f, 0x3c,
+ 0x38, 0x67, 0x57, 0x04, 0x04, 0x57, 0x27, 0xf6,
+ 0x34, 0x0e, 0x57, 0x8a, 0x7c, 0xff, 0x7d, 0xca,
+ 0x8c, 0x06, 0xf8, 0x9d, 0xdb, 0xe4, 0xd8, 0x19,
+ 0xdd, 0x4d, 0xfd, 0x8f, 0xa0, 0x06, 0x53, 0xe8,
+ 0x33, 0x00, 0x70, 0x3f, 0x6b, 0xc3, 0xbd, 0x9a,
+ 0x78, 0xb5, 0xa9, 0xef, 0x6d, 0xda, 0x67, 0x92
+ };
+
+ /* RSA Known Signed Hash (2048-bits). */
+ static const PRUint8 rsa_known_sha384_signature[] = {
+ 0x20, 0x2d, 0x21, 0x3a, 0xaa, 0x1e, 0x05, 0x15,
+ 0x5c, 0xca, 0x84, 0x86, 0xc0, 0x15, 0x81, 0xdf,
+ 0xd4, 0x06, 0x9f, 0xe0, 0xc1, 0xed, 0xef, 0x0f,
+ 0xfe, 0xb3, 0xc3, 0xbb, 0x28, 0xa5, 0x56, 0xbf,
+ 0xe3, 0x11, 0x5c, 0xc2, 0xc0, 0x0b, 0xfa, 0xfa,
+ 0x3d, 0xd3, 0x06, 0x20, 0xe2, 0xc9, 0xe4, 0x66,
+ 0x28, 0xb7, 0xc0, 0x3b, 0x3c, 0x96, 0xc6, 0x49,
+ 0x3b, 0xcf, 0x86, 0x49, 0x31, 0xaf, 0x5b, 0xa3,
+ 0xec, 0x63, 0x10, 0xdf, 0xda, 0x2f, 0x68, 0xac,
+ 0x7b, 0x3a, 0x49, 0xfa, 0xe6, 0x0d, 0xfe, 0x37,
+ 0x17, 0x56, 0x8e, 0x5c, 0x48, 0x97, 0x43, 0xf7,
+ 0xa0, 0xbc, 0xe3, 0x4b, 0x42, 0xde, 0x58, 0x1d,
+ 0xd9, 0x5d, 0xb3, 0x08, 0x35, 0xbd, 0xa4, 0xe1,
+ 0x80, 0xc3, 0x64, 0xab, 0x21, 0x97, 0xad, 0xfb,
+ 0x71, 0xee, 0xa3, 0x3d, 0x9c, 0xaa, 0xfa, 0x16,
+ 0x60, 0x46, 0x32, 0xda, 0x44, 0x2e, 0x10, 0x92,
+ 0x20, 0xd8, 0x98, 0x80, 0x84, 0x75, 0x5b, 0x70,
+ 0x91, 0x00, 0x33, 0x19, 0x69, 0xc9, 0x2a, 0xec,
+ 0x3d, 0xe5, 0x5f, 0x0f, 0x9a, 0xa7, 0x97, 0x1f,
+ 0x79, 0xc3, 0x1d, 0x65, 0x74, 0x62, 0xc5, 0xa1,
+ 0x23, 0x65, 0x4b, 0x84, 0xa1, 0x03, 0x98, 0xf3,
+ 0xf1, 0x02, 0x24, 0xca, 0xe5, 0xd4, 0xc8, 0xa2,
+ 0x30, 0xad, 0x72, 0x7d, 0x29, 0x60, 0x1a, 0x8e,
+ 0x6f, 0x23, 0xa4, 0xda, 0x68, 0xa4, 0x45, 0x9c,
+ 0x39, 0x70, 0x44, 0x18, 0x4b, 0x73, 0xfe, 0xf8,
+ 0x33, 0x53, 0x1d, 0x7e, 0x93, 0x93, 0xac, 0xc7,
+ 0x1e, 0x6e, 0x6b, 0xfd, 0x9e, 0xba, 0xa6, 0x71,
+ 0x70, 0x47, 0x6a, 0xd6, 0x82, 0x32, 0xa2, 0x6e,
+ 0x20, 0x72, 0xb0, 0xba, 0xec, 0x91, 0xbb, 0x6b,
+ 0xcc, 0x84, 0x0a, 0x33, 0x2b, 0x8a, 0x8d, 0xeb,
+ 0x71, 0xcd, 0xca, 0x67, 0x1b, 0xad, 0x10, 0xd4,
+ 0xce, 0x4f, 0xc0, 0x29, 0xec, 0xfa, 0xed, 0xfa
+ };
+
+ /* RSA Known Signed Hash (2048-bits). */
+ static const PRUint8 rsa_known_sha512_signature[] = {
+ 0x35, 0x0e, 0x74, 0x9d, 0xeb, 0xc7, 0x67, 0x31,
+ 0x9f, 0xff, 0x0b, 0xbb, 0x5e, 0x66, 0xb4, 0x2f,
+ 0xbf, 0x72, 0x60, 0x4f, 0xe9, 0xbd, 0xec, 0xc8,
+ 0x17, 0x79, 0x5f, 0x39, 0x83, 0xb4, 0x54, 0x2e,
+ 0x01, 0xb9, 0xd3, 0x20, 0x47, 0xcb, 0xd4, 0x42,
+ 0xf2, 0x6e, 0x36, 0xc1, 0x97, 0xad, 0xef, 0x8e,
+ 0xe6, 0x51, 0xee, 0x5e, 0x9e, 0x88, 0xb4, 0x9d,
+ 0xda, 0x3e, 0x77, 0x4b, 0xe8, 0xae, 0x48, 0x53,
+ 0x2c, 0xc4, 0xd3, 0x25, 0x6b, 0x23, 0xb7, 0x54,
+ 0x3c, 0x95, 0x8f, 0xfb, 0x6f, 0x6d, 0xc5, 0x56,
+ 0x39, 0x69, 0x28, 0x0e, 0x74, 0x9b, 0x31, 0xe8,
+ 0x76, 0x77, 0x2b, 0xc1, 0x44, 0x89, 0x81, 0x93,
+ 0xfc, 0xf6, 0xec, 0x5f, 0x8f, 0x89, 0xfc, 0x1d,
+ 0xa4, 0x53, 0x58, 0x8c, 0xe9, 0xc0, 0xc0, 0x26,
+ 0xe6, 0xdf, 0x6d, 0x27, 0xb1, 0x8e, 0x3e, 0xb6,
+ 0x47, 0xe1, 0x02, 0x96, 0xc2, 0x5f, 0x7f, 0x3d,
+ 0xc5, 0x6c, 0x2f, 0xea, 0xaa, 0x5e, 0x39, 0xfc,
+ 0x77, 0xca, 0x00, 0x02, 0x5c, 0x64, 0x7c, 0xce,
+ 0x7d, 0x63, 0x82, 0x05, 0xed, 0xf7, 0x5b, 0x55,
+ 0x58, 0xc0, 0xeb, 0x76, 0xd7, 0x95, 0x55, 0x37,
+ 0x85, 0x7d, 0x17, 0xad, 0xd2, 0x11, 0xfd, 0x97,
+ 0x48, 0xb5, 0xc2, 0x5e, 0xc7, 0x62, 0xc0, 0xe0,
+ 0x68, 0xa8, 0x61, 0x14, 0x41, 0xca, 0x25, 0x3a,
+ 0xec, 0x48, 0x54, 0x22, 0x83, 0x2b, 0x69, 0x54,
+ 0xfd, 0xc8, 0x99, 0x9a, 0xee, 0x37, 0x03, 0xa3,
+ 0x8f, 0x0f, 0x32, 0xb0, 0xaa, 0x74, 0x39, 0x04,
+ 0x7c, 0xd9, 0xc2, 0x8f, 0xbe, 0xf2, 0xc4, 0xbe,
+ 0xdd, 0x7a, 0x7a, 0x7f, 0x72, 0xd3, 0x80, 0x59,
+ 0x18, 0xa0, 0xa1, 0x2d, 0x6f, 0xa3, 0xa9, 0x48,
+ 0xed, 0x20, 0xa6, 0xea, 0xaa, 0x10, 0x83, 0x98,
+ 0x0c, 0x13, 0x69, 0x6e, 0xcd, 0x31, 0x6b, 0xd0,
+ 0x66, 0xa6, 0x5e, 0x30, 0x0c, 0x82, 0xd5, 0x81
+ };
+
+ static const RSAPublicKey bl_public_key = {
+ NULL,
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,
+ FIPS_RSA_MODULUS_LENGTH },
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent,
+ FIPS_RSA_PUBLIC_EXPONENT_LENGTH }
+ };
+ static const RSAPrivateKey bl_private_key = {
+ NULL,
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_version,
+ FIPS_RSA_PRIVATE_VERSION_LENGTH },
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_modulus,
+ FIPS_RSA_MODULUS_LENGTH },
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_public_exponent,
+ FIPS_RSA_PUBLIC_EXPONENT_LENGTH },
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_private_exponent,
+ FIPS_RSA_PRIVATE_EXPONENT_LENGTH },
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_prime0,
+ FIPS_RSA_PRIME0_LENGTH },
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_prime1,
+ FIPS_RSA_PRIME1_LENGTH },
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent0,
+ FIPS_RSA_EXPONENT0_LENGTH },
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_exponent1,
+ FIPS_RSA_EXPONENT1_LENGTH },
+ { FIPS_RSA_TYPE, (unsigned char *)rsa_coefficient,
+ FIPS_RSA_COEFFICIENT_LENGTH }
+ };
+
+/* RSA variables. */
+#ifdef CREATE_TEMP_ARENAS
+ PLArenaPool *rsa_public_arena;
+ PLArenaPool *rsa_private_arena;
+#endif
+ NSSLOWKEYPublicKey *rsa_public_key;
+ NSSLOWKEYPrivateKey *rsa_private_key;
+ SECStatus rsa_status;
+
+ NSSLOWKEYPublicKey low_public_key = { NULL, NSSLOWKEYRSAKey };
+ NSSLOWKEYPrivateKey low_private_key = { NULL, NSSLOWKEYRSAKey };
+
+ /****************************************/
+ /* Compose RSA Public/Private Key Pair. */
+ /****************************************/
+
+ low_public_key.u.rsa = bl_public_key;
+ low_private_key.u.rsa = bl_private_key;
+
+ rsa_public_key = &low_public_key;
+ rsa_private_key = &low_private_key;
+
+#ifdef CREATE_TEMP_ARENAS
+ /* Create some space for the RSA public key. */
+ rsa_public_arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+
+ if (rsa_public_arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (SECFailure);
+ }
+
+ /* Create some space for the RSA private key. */
+ rsa_private_arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+
+ if (rsa_private_arena == NULL) {
+ PORT_FreeArena(rsa_public_arena, PR_TRUE);
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (SECFailure);
+ }
+
+ rsa_public_key->arena = rsa_public_arena;
+ rsa_private_key->arena = rsa_private_arena;
+#endif
+
+ /**************************************************/
+ /* RSA Hash tests */
+ /**************************************************/
+
+ rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA256,
+ rsa_public_key, rsa_private_key,
+ rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
+ rsa_known_sha256_signature);
+ if (rsa_status != SECSuccess)
+ goto rsa_loser;
+
+ rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA384,
+ rsa_public_key, rsa_private_key,
+ rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
+ rsa_known_sha384_signature);
+ if (rsa_status != SECSuccess)
+ goto rsa_loser;
+
+ rsa_status = sftk_fips_RSA_PowerUpSigSelfTest(HASH_AlgSHA512,
+ rsa_public_key, rsa_private_key,
+ rsa_known_plaintext_msg, FIPS_RSA_MESSAGE_LENGTH,
+ rsa_known_sha512_signature);
+ if (rsa_status != SECSuccess)
+ goto rsa_loser;
+
+ /* Dispose of all RSA key material. */
+ nsslowkey_DestroyPublicKey(rsa_public_key);
+ nsslowkey_DestroyPrivateKey(rsa_private_key);
+
+ return (SECSuccess);
+
+rsa_loser:
+
+ nsslowkey_DestroyPublicKey(rsa_public_key);
+ nsslowkey_DestroyPrivateKey(rsa_private_key);
+
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return (SECFailure);
+}
+
+static SECStatus
+sftk_fips_HKDF_PowerUpSelfTest(void)
+{
+ SECStatus status;
+ static const unsigned char base_key[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+ 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f
+ };
+ static const unsigned char known_hkdf_sha256_key[] = {
+ 0xdd, 0xdb, 0xeb, 0xe5, 0x6d, 0xd2, 0x96, 0xa4,
+ 0x07, 0xc5, 0x7d, 0xda, 0x31, 0x56, 0x8d, 0xa5,
+ 0x41, 0x3e, 0x90, 0xd4, 0xe6, 0x98, 0xeb, 0xf8,
+ 0x5a, 0x49, 0x7f, 0x38, 0xef, 0x01, 0x8a, 0xe5,
+ 0xda, 0x36, 0xe5, 0xcf, 0x21, 0xe3, 0x9f, 0xc3,
+ 0x32, 0xb3, 0x1e, 0xf6, 0xc5, 0x10, 0x4c, 0x86,
+ 0x53, 0x5e, 0x6f, 0xe0, 0x63, 0x6e, 0x43, 0x33,
+ 0x61, 0x35, 0xf4, 0x17, 0x10, 0x77, 0x75, 0x2a
+ };
+/* current NIST IG's say we only need to test one instance
+ * of kdfs, keep these others around in case the guidance
+ * changes */
+#ifdef NSS_FULL_POST
+ static const unsigned char known_hkdf_sha384_key[] = {
+ 0x35, 0x64, 0xc4, 0xa1, 0xcc, 0xc1, 0xdc, 0xe4,
+ 0xe2, 0xca, 0x51, 0xae, 0xe8, 0x92, 0x88, 0x30,
+ 0x8b, 0xb0, 0x2b, 0xac, 0x00, 0x15, 0xac, 0x15,
+ 0x97, 0xc9, 0xf4, 0x6b, 0xf6, 0x3f, 0x97, 0xea,
+ 0x48, 0x55, 0x38, 0x25, 0x06, 0x5d, 0x91, 0x64,
+ 0xbd, 0x09, 0xf3, 0x44, 0xbc, 0x82, 0xbe, 0xdb,
+ 0x5c, 0xd7, 0xf2, 0x24, 0xa5, 0x55, 0x8d, 0xa9,
+ 0xa8, 0x85, 0xde, 0x8c, 0x33, 0xe0, 0x4d, 0xc3
+ };
+ static const unsigned char known_hkdf_sha512_key[] = {
+ 0x63, 0x4e, 0xbc, 0x42, 0xb3, 0x56, 0x74, 0x7d,
+ 0x1b, 0x55, 0xf0, 0x34, 0x54, 0xcb, 0x6d, 0x58,
+ 0x39, 0x96, 0x10, 0xda, 0x03, 0x20, 0x8f, 0x77,
+ 0x0d, 0xb4, 0xf7, 0xf6, 0x67, 0x0d, 0x5b, 0x6b,
+ 0xd0, 0x30, 0xc4, 0xdd, 0x67, 0x61, 0x5d, 0x9a,
+ 0xf5, 0x18, 0x6e, 0x1b, 0x60, 0x97, 0xc2, 0x4d,
+ 0x23, 0x43, 0x69, 0xe6, 0x3b, 0xa5, 0xdf, 0xe9,
+ 0x7c, 0xf1, 0x87, 0x48, 0x6f, 0xb9, 0xd3, 0x02
+ };
+#endif
+ unsigned char outBytes[64] = { 0 };
+
+ CK_HKDF_PARAMS hkdf_params;
+
+ hkdf_params.bExpand = CK_TRUE;
+ hkdf_params.bExtract = CK_TRUE;
+ hkdf_params.ulSaltType = CKF_HKDF_SALT_DATA;
+ hkdf_params.pSalt = (CK_BYTE_PTR)base_key;
+ hkdf_params.ulSaltLen = sizeof(base_key);
+ hkdf_params.pInfo = (CK_BYTE_PTR)base_key;
+ hkdf_params.ulInfoLen = sizeof(base_key);
+
+ /**************************************************/
+ /* HKDF tests */
+ /**************************************************/
+
+ hkdf_params.prfHashMechanism = CKM_SHA256_HMAC;
+ status = sftk_HKDF(&hkdf_params, CK_INVALID_HANDLE, NULL,
+ base_key, 32, NULL, outBytes, sizeof(outBytes),
+ PR_TRUE, PR_TRUE);
+ if ((status != SECSuccess) ||
+ PORT_Memcmp(outBytes, known_hkdf_sha256_key, sizeof(outBytes)) != 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return (SECFailure);
+ }
+
+#ifdef NSS_FULL_POST
+ hkdf_params.prfHashMechanism = CKM_SHA384_HMAC;
+ status = sftk_HKDF(&hkdf_params, CK_INVALID_HANDLE, NULL,
+ base_key, 48, NULL, outBytes, sizeof(outBytes),
+ PR_TRUE, PR_TRUE);
+ if ((status != SECSuccess) ||
+ PORT_Memcmp(outBytes, known_hkdf_sha384_key, sizeof(outBytes)) != 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return (SECFailure);
+ }
+
+ hkdf_params.prfHashMechanism = CKM_SHA512_HMAC;
+ status = sftk_HKDF(&hkdf_params, CK_INVALID_HANDLE, NULL,
+ base_key, 64, NULL, outBytes, sizeof(outBytes),
+ PR_TRUE, PR_TRUE);
+ if ((status != SECSuccess) ||
+ PORT_Memcmp(outBytes, known_hkdf_sha512_key, sizeof(outBytes)) != 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return (SECFailure);
+ }
+#endif
+
+ return (SECSuccess);
+}
+
+static PRBool sftk_self_tests_ran = PR_FALSE;
+static PRBool sftk_self_tests_success = PR_FALSE;
+
+/*
+ * This function is called at dll load time, the code tha makes this
+ * happen is platform specific on defined above.
+ */
+void
+sftk_startup_tests_with_rerun(PRBool rerun)
+{
+ SECStatus rv;
+ const char *libraryName = rerun ? BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME : SOFTOKEN_LIB_NAME;
+
+ PORT_Assert(!sftk_self_tests_ran);
+ PORT_Assert(!sftk_self_tests_success);
+ sftk_self_tests_ran = PR_TRUE;
+ sftk_self_tests_success = PR_FALSE; /* just in case */
+
+ /* need to initiallize the oid library before the RSA tests */
+ rv = SECOID_Init();
+ if (rv != SECSuccess) {
+ return;
+ }
+ /* make sure freebl is initialized, or our RSA check
+ * may fail. This is normally done at freebl load time, but it's
+ * possible we may have shut freebl down without unloading it. */
+ rv = BL_Init();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ rv = RNG_RNGInit();
+ if (rv != SECSuccess) {
+ return;
+ }
+ /* check the RSA combined functions in softoken */
+ rv = sftk_fips_RSA_PowerUpSelfTest();
+ if (rv != SECSuccess) {
+ return;
+ }
+ if (!BLAPI_SHVerify(libraryName,
+ (PRFuncPtr)&sftk_fips_RSA_PowerUpSelfTest)) {
+ /* something is wrong with the library, fail without enabling
+ * the token */
+ return;
+ }
+ rv = sftk_fips_IKE_PowerUpSelfTests();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ rv = sftk_fips_SP800_108_PowerUpSelfTests();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ rv = sftk_fips_HKDF_PowerUpSelfTest();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ rv = sftk_fips_pbkdf_PowerUpSelfTests();
+ if (rv != SECSuccess) {
+ return;
+ }
+
+ sftk_self_tests_success = PR_TRUE;
+}
+
+static void
+sftk_startup_tests(void)
+{
+ sftk_startup_tests_with_rerun(PR_FALSE);
+}
+
+/*
+ * this is called from nsc_Common_Initizialize entry points that gates access
+ * to * all other pkcs11 functions. This prevents softoken operation if our
+ * power on selftest failed.
+ */
+CK_RV
+sftk_FIPSEntryOK(PRBool rerun)
+{
+#ifdef NSS_NO_INIT_SUPPORT
+ /* this should only be set on platforms that can't handle one of the INIT
+ * schemes. This code allows those platforms to continue to function,
+ * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
+ * is not set, and init support has not been properly enabled, softken
+ * will always fail because of the test below
+ */
+ if (!sftk_self_tests_ran) {
+ sftk_startup_tests();
+ }
+#endif
+ if (rerun) {
+ sftk_self_tests_ran = PR_FALSE;
+ sftk_self_tests_success = PR_FALSE;
+ sftk_startup_tests_with_rerun(PR_TRUE);
+ }
+ if (!sftk_self_tests_success) {
+ return CKR_DEVICE_ERROR;
+ }
+ return CKR_OK;
+}
+#else
+#include "pkcs11t.h"
+CK_RV
+sftk_FIPSEntryOK()
+{
+ return CKR_DEVICE_ERROR;
+}
+#endif /* NSS_FIPS_DISABLED */
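Review bot: The fallback definition of `sftk_FIPSEntryOK` in the `#else` branch at the end of the hunk is written with empty parentheses, `sftk_FIPSEntryOK()`, while the FIPS build defines it as `sftk_FIPSEntryOK(PRBool rerun)`; an old-style definition without a prototype does not type-check the argument callers pass, and under C23 `()` means `(void)`, which conflicts with any header prototype of the real signature. Give both definitions the same signature, `sftk_FIPSEntryOK(PRBool rerun)` with `(void)rerun;` as the first statement of the disabled-build body, so the two builds compile against one declaration. Separately, the comment above `rsa_known_plaintext_msg` says "(1024-bits)" but the array is `FIPS_RSA_MESSAGE_LENGTH` = 256 bytes, i.e. 2048 bits; change it to `/* RSA Known Plaintext Message (2048-bits). */`. The rerun path in `sftk_FIPSEntryOK` also clears `sftk_self_tests_ran` and `sftk_self_tests_success` before re-running the tests without any synchronisation, which is only safe if the `nsc_Common_Initialize` callers mentioned in the comment are serialised; that assumption is worth recording in a comment on the two flags.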
diff --git a/security/nss/lib/softoken/fipstokn.c b/security/nss/lib/softoken/fipstokn.c
new file mode 100644
index 0000000000..cf5d73ce74
--- /dev/null
+++ b/security/nss/lib/softoken/fipstokn.c
@@ -0,0 +1,2080 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login
+ * (unless you've enabled FIPS). It supports Public Key ops, and all they
+ * bulk ciphers and hashes. It can also support Private Key ops for imported
+ * Private keys. It does not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+#include "seccomon.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "prenv.h"
+#include "prprf.h"
+
+#include <ctype.h>
+
+#ifdef XP_UNIX
+#define NSS_AUDIT_WITH_SYSLOG 1
+#include <syslog.h>
+#include <unistd.h>
+#endif
+
+#ifdef LINUX
+#include <pthread.h>
+#include <dlfcn.h>
+#define LIBAUDIT_NAME "libaudit.so.1"
+#ifndef AUDIT_CRYPTO_TEST_USER
+#define AUDIT_CRYPTO_TEST_USER 2400 /* Crypto test results */
+#define AUDIT_CRYPTO_PARAM_CHANGE_USER 2401 /* Crypto attribute change */
+#define AUDIT_CRYPTO_LOGIN 2402 /* Logged in as crypto officer */
+#define AUDIT_CRYPTO_LOGOUT 2403 /* Logged out from crypto */
+#define AUDIT_CRYPTO_KEY_USER 2404 /* Create,delete,negotiate */
+#define AUDIT_CRYPTO_FAILURE_USER 2405 /* Fail decrypt,encrypt,randomize */
+#endif
+static void *libaudit_handle;
+static int (*audit_open_func)(void);
+static void (*audit_close_func)(int fd);
+static int (*audit_log_user_message_func)(int audit_fd, int type,
+ const char *message, const char *hostname, const char *addr,
+ const char *tty, int result);
+static int (*audit_send_user_message_func)(int fd, int type,
+ const char *message);
+
+static pthread_once_t libaudit_once_control = PTHREAD_ONCE_INIT;
+
+static void
+libaudit_init(void)
+{
+ libaudit_handle = dlopen(LIBAUDIT_NAME, RTLD_LAZY);
+ if (!libaudit_handle) {
+ return;
+ }
+ audit_open_func = dlsym(libaudit_handle, "audit_open");
+ audit_close_func = dlsym(libaudit_handle, "audit_close");
+ /*
+ * audit_send_user_message is the older function.
+ * audit_log_user_message, if available, is preferred.
+ */
+ audit_log_user_message_func = dlsym(libaudit_handle,
+ "audit_log_user_message");
+ if (!audit_log_user_message_func) {
+ audit_send_user_message_func = dlsym(libaudit_handle,
+ "audit_send_user_message");
+ }
+ if (!audit_open_func || !audit_close_func ||
+ (!audit_log_user_message_func && !audit_send_user_message_func)) {
+ dlclose(libaudit_handle);
+ libaudit_handle = NULL;
+ audit_open_func = NULL;
+ audit_close_func = NULL;
+ audit_log_user_message_func = NULL;
+ audit_send_user_message_func = NULL;
+ }
+}
+#endif /* LINUX */
+
+/*
+ * ******************** Password Utilities *******************************
+ */
+static PRBool isLoggedIn = PR_FALSE;
+static PRBool isLevel2 = PR_TRUE;
+PRBool sftk_fatalError = PR_FALSE;
+
+/*
+ * This function returns
+ * - CKR_PIN_INVALID if the password/PIN is not a legal UTF8 string
+ * - CKR_PIN_LEN_RANGE if the password/PIN is too short or does not
+ * consist of characters from three or more character classes.
+ * - CKR_OK otherwise
+ *
+ * The minimum password/PIN length is FIPS_MIN_PIN Unicode characters.
+ * We define five character classes: digits (0-9), ASCII lowercase letters,
+ * ASCII uppercase letters, ASCII non-alphanumeric characters (such as
+ * space and punctuation marks), and non-ASCII characters. If an ASCII
+ * uppercase letter is the first character of the password/PIN, the
+ * uppercase letter is not counted toward its character class. Similarly,
+ * if a digit is the last character of the password/PIN, the digit is not
+ * counted toward its character class.
+ *
+ * Although NSC_SetPIN and NSC_InitPIN already do the maximum and minimum
+ * password/PIN length checks, they check the length in bytes as opposed
+ * to characters. To meet the minimum password/PIN guessing probability
+ * requirements in FIPS 140-2, we need to check the length in characters.
+ */
+static CK_RV
+sftk_newPinCheck(CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+ unsigned int i;
+ int nchar = 0; /* number of characters */
+ int ntrail = 0; /* number of trailing bytes to follow */
+ int ndigit = 0; /* number of decimal digits */
+ int nlower = 0; /* number of ASCII lowercase letters */
+ int nupper = 0; /* number of ASCII uppercase letters */
+ int nnonalnum = 0; /* number of ASCII non-alphanumeric characters */
+ int nnonascii = 0; /* number of non-ASCII characters */
+ int nclass; /* number of character classes */
+
+ for (i = 0; i < ulPinLen; i++) {
+ unsigned int byte = pPin[i];
+
+ if (ntrail) {
+ if ((byte & 0xc0) != 0x80) {
+ /* illegal */
+ nchar = -1;
+ break;
+ }
+ if (--ntrail == 0) {
+ nchar++;
+ nnonascii++;
+ }
+ continue;
+ }
+ if ((byte & 0x80) == 0x00) {
+ /* single-byte (ASCII) character */
+ nchar++;
+ if (isdigit(byte)) {
+ if (i < ulPinLen - 1) {
+ ndigit++;
+ }
+ } else if (islower(byte)) {
+ nlower++;
+ } else if (isupper(byte)) {
+ if (i > 0) {
+ nupper++;
+ }
+ } else {
+ nnonalnum++;
+ }
+ } else if ((byte & 0xe0) == 0xc0) {
+ /* leading byte of two-byte character */
+ ntrail = 1;
+ } else if ((byte & 0xf0) == 0xe0) {
+ /* leading byte of three-byte character */
+ ntrail = 2;
+ } else if ((byte & 0xf8) == 0xf0) {
+ /* leading byte of four-byte character */
+ ntrail = 3;
+ } else {
+ /* illegal */
+ nchar = -1;
+ break;
+ }
+ }
+ if (nchar == -1) {
+ /* illegal UTF8 string */
+ return CKR_PIN_INVALID;
+ }
+ if (nchar < FIPS_MIN_PIN) {
+ return CKR_PIN_LEN_RANGE;
+ }
+ nclass = (ndigit != 0) + (nlower != 0) + (nupper != 0) +
+ (nnonalnum != 0) + (nnonascii != 0);
+ if (nclass < 3) {
+ return CKR_PIN_LEN_RANGE;
+ }
+ return CKR_OK;
+}
+
+/* FIPS required checks before any useful cryptographic services */
+static CK_RV
+sftk_fipsCheck(void)
+{
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ if (isLevel2 && !isLoggedIn)
+ return CKR_USER_NOT_LOGGED_IN;
+ return CKR_OK;
+}
+
+#define SFTK_FIPSCHECK() \
+ CK_RV rv; \
+ if ((rv = sftk_fipsCheck()) != CKR_OK) \
+ return rv;
+
+#define SFTK_FIPSFATALCHECK() \
+ if (sftk_fatalError) \
+ return CKR_DEVICE_ERROR;
+
+/* grab an attribute out of a raw template */
+void *
+fc_getAttribute(CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_ATTRIBUTE_TYPE type)
+{
+ int i;
+
+ for (i = 0; i < (int)ulCount; i++) {
+ if (pTemplate[i].type == type) {
+ return pTemplate[i].pValue;
+ }
+ }
+ return NULL;
+}
+
+#define __PASTE(x, y) x##y
+
+/* ------------- forward declare all the NSC_ functions ------------- */
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_3_0 1
+
+#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(NS, name)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* ------------- forward declare all the FIPS functions ------------- */
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F, name)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* ------------- build the CK_CRYPTO_TABLE ------------------------- */
+static CK_FUNCTION_LIST_3_0 sftk_fipsTable = {
+ { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR },
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ __PASTE(F, name) \
+ ,
+
+#include "pkcs11f.h"
+
+};
+
+/* forward declaration of special GetInfo functions */
+CK_RV FC_GetInfoV2(CK_INFO_PTR pInfo);
+CK_RV NSC_GetInfoV2(CK_INFO_PTR pInfo);
+CK_RV FC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo);
+CK_RV NSC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo);
+
+static CK_FUNCTION_LIST sftk_fipsTable_v2 = {
+ { 2, 40 },
+
+#undef CK_PKCS11_3_0
+#define CK_PKCS11_2_0_ONLY 1
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+#define C_GetInfo C_GetInfoV2
+#define C_GetMechanismInfo C_GetMechanismInfoV2
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ __PASTE(F, name) \
+ ,
+
+#include "pkcs11f.h"
+
+};
+
+#undef C_GetInfo
+#undef C_GetMechanismInfo
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_PKCS11_2_0_ONLY
+
+#undef __PASTE
+
+/*
+ * Array is orderd by default first
+ */
+static CK_INTERFACE fips_interfaces[] = {
+ { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_fipsTable, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_fipsTable_v2, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "Vendor NSS Module Interface", &sftk_module_funcList, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "Vendor NSS FIPS Interface", &sftk_fips_funcList, NSS_INTERFACE_FLAGS }
+};
+/* must match the count of interfaces in fips_interfaces above*/
+#define FIPS_INTERFACE_COUNT 4
+
+/* CKO_NOT_A_KEY can be any object class that's not a key object. */
+#define CKO_NOT_A_KEY CKO_DATA
+
+#define SFTK_IS_KEY_OBJECT(objClass) \
+ (((objClass) == CKO_PUBLIC_KEY) || \
+ ((objClass) == CKO_PRIVATE_KEY) || \
+ ((objClass) == CKO_SECRET_KEY))
+
+#define SFTK_IS_NONPUBLIC_KEY_OBJECT(objClass) \
+ (((objClass) == CKO_PRIVATE_KEY) || ((objClass) == CKO_SECRET_KEY))
+
+static CK_RV
+sftk_get_object_class_and_fipsCheck(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_OBJECT_CLASS *pObjClass)
+{
+ CK_RV rv;
+ CK_ATTRIBUTE class;
+ class.type = CKA_CLASS;
+ class.pValue = pObjClass;
+ class.ulValueLen = sizeof(*pObjClass);
+ rv = NSC_GetAttributeValue(hSession, hObject, &class, 1);
+ if ((rv == CKR_OK) && SFTK_IS_NONPUBLIC_KEY_OBJECT(*pObjClass)) {
+ rv = sftk_fipsCheck();
+ }
+ return rv;
+}
+
+#ifdef LINUX
+
+int
+sftk_mapLinuxAuditType(NSSAuditSeverity severity, NSSAuditType auditType)
+{
+ switch (auditType) {
+ case NSS_AUDIT_ACCESS_KEY:
+ case NSS_AUDIT_CHANGE_KEY:
+ case NSS_AUDIT_COPY_KEY:
+ case NSS_AUDIT_DERIVE_KEY:
+ case NSS_AUDIT_DESTROY_KEY:
+ case NSS_AUDIT_DIGEST_KEY:
+ case NSS_AUDIT_GENERATE_KEY:
+ case NSS_AUDIT_LOAD_KEY:
+ case NSS_AUDIT_UNWRAP_KEY:
+ case NSS_AUDIT_WRAP_KEY:
+ return AUDIT_CRYPTO_KEY_USER;
+ case NSS_AUDIT_CRYPT:
+ return (severity == NSS_AUDIT_ERROR) ? AUDIT_CRYPTO_FAILURE_USER : AUDIT_CRYPTO_KEY_USER;
+ case NSS_AUDIT_FIPS_STATE:
+ case NSS_AUDIT_INIT_PIN:
+ case NSS_AUDIT_INIT_TOKEN:
+ case NSS_AUDIT_SET_PIN:
+ return AUDIT_CRYPTO_PARAM_CHANGE_USER;
+ case NSS_AUDIT_SELF_TEST:
+ return AUDIT_CRYPTO_TEST_USER;
+ case NSS_AUDIT_LOGIN:
+ return AUDIT_CRYPTO_LOGIN;
+ case NSS_AUDIT_LOGOUT:
+ return AUDIT_CRYPTO_LOGOUT;
+ /* we skip the fault case here so we can get compiler
+ * warnings if new 'NSSAuditType's are added without
+ * added them to this list, defaults fall through */
+ }
+ /* default */
+ return AUDIT_CRYPTO_PARAM_CHANGE_USER;
+}
+#endif
+
+/**********************************************************************
+ *
+ * FIPS 140 auditable event logging
+ *
+ **********************************************************************/
+
+PRBool sftk_audit_enabled = PR_FALSE;
+
+/*
+ * Each audit record must have the following information:
+ * - Date and time of the event
+ * - Type of event
+ * - user (subject) identity
+ * - outcome (success or failure) of the event
+ * - process ID
+ * - name (ID) of the object
+ * - for changes to data (except for authentication data and CSPs), the new
+ * and old values of the data
+ * - for authentication attempts, the origin of the attempt (e.g., terminal
+ * identifier)
+ * - for assuming a role, the type of role, and the location of the request
+ */
+void
+sftk_LogAuditMessage(NSSAuditSeverity severity, NSSAuditType auditType,
+ const char *msg)
+{
+#ifdef NSS_AUDIT_WITH_SYSLOG
+ int level;
+
+ switch (severity) {
+ case NSS_AUDIT_ERROR:
+ level = LOG_ERR;
+ break;
+ case NSS_AUDIT_WARNING:
+ level = LOG_WARNING;
+ break;
+ default:
+ level = LOG_INFO;
+ break;
+ }
+ /* timestamp is provided by syslog in the message header */
+ syslog(level | LOG_USER /* facility */,
+ "NSS " SOFTOKEN_LIB_NAME "[pid=%d uid=%d]: %s",
+ (int)getpid(), (int)getuid(), msg);
+#ifdef LINUX
+ if (pthread_once(&libaudit_once_control, libaudit_init) != 0) {
+ return;
+ }
+ if (libaudit_handle) {
+ int audit_fd;
+ int linuxAuditType;
+ int result = (severity != NSS_AUDIT_ERROR); /* 1=success; 0=failed */
+ char *message = PR_smprintf("NSS " SOFTOKEN_LIB_NAME ": %s", msg);
+ if (!message) {
+ return;
+ }
+ audit_fd = audit_open_func();
+ if (audit_fd < 0) {
+ PR_smprintf_free(message);
+ return;
+ }
+ linuxAuditType = sftk_mapLinuxAuditType(severity, auditType);
+ if (audit_log_user_message_func) {
+ audit_log_user_message_func(audit_fd, linuxAuditType, message,
+ NULL, NULL, NULL, result);
+ } else {
+ audit_send_user_message_func(audit_fd, linuxAuditType, message);
+ }
+ audit_close_func(audit_fd);
+ PR_smprintf_free(message);
+ }
+#endif /* LINUX */
+#else
+/* do nothing */
+#endif
+}
+
+/**********************************************************************
+ *
+ * Start of PKCS 11 functions
+ *
+ **********************************************************************/
+/* return the function list */
+CK_RV
+FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+
+ CHECK_FORK();
+
+ *pFunctionList = &sftk_fipsTable_v2;
+ return CKR_OK;
+}
+
+CK_RV
+FC_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
+{
+ CK_ULONG count = *pulCount;
+ *pulCount = FIPS_INTERFACE_COUNT;
+ if (interfaces == NULL) {
+ return CKR_OK;
+ }
+ if (count < FIPS_INTERFACE_COUNT) {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ PORT_Memcpy(interfaces, fips_interfaces, sizeof(fips_interfaces));
+ return CKR_OK;
+}
+
+/*
+ * Get the requested interface, use the fips_interfaces array so we can
+ * easily add new interfaces as they occur.
+ */
+CK_RV
+FC_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion,
+ CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags)
+{
+ int i;
+ for (i = 0; i < FIPS_INTERFACE_COUNT; i++) {
+ CK_INTERFACE_PTR interface = &fips_interfaces[i];
+ if (pInterfaceName && PORT_Strcmp((char *)pInterfaceName, (char *)interface->pInterfaceName) != 0) {
+ continue;
+ }
+ if (pVersion && PORT_Memcmp(pVersion, (CK_VERSION *)interface->pFunctionList, sizeof(CK_VERSION)) != 0) {
+ continue;
+ }
+ if (flags & ((interface->flags & flags) != flags)) {
+ continue;
+ }
+ *ppInterface = interface;
+ return CKR_OK;
+ }
+ return CKR_ARGUMENTS_BAD;
+}
+
+/* sigh global so pkcs11 can read it */
+PRBool nsf_init = PR_FALSE;
+
+void
+fc_log_init_error(CK_RV crv)
+{
+ if (sftk_audit_enabled) {
+ char msg[128];
+ PR_snprintf(msg, sizeof msg,
+ "C_Initialize()=0x%08lX "
+ "power-up self-tests failed",
+ (PRUint32)crv);
+ sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
+ }
+}
+
+/* FC_Initialize initializes the PKCS #11 library. */
+CK_RV
+FC_Initialize(CK_VOID_PTR pReserved)
+{
+ const char *envp;
+ CK_RV crv;
+ PRBool rerun;
+
+ if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
+ sftk_audit_enabled = (atoi(envp) == 1);
+ }
+
+ /* if we have the forcePOST flag on, rerun the integrity checks */
+ /* we need to know this before we fully parse the arguments in
+ * nsc_CommonInitialize, so read it now */
+ rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved);
+
+ /* At this point we should have already done post and integrity checks.
+ * if we haven't, it probably means the FIPS product has not been installed
+ * or the tests failed. Don't let an application try to enter FIPS mode. This
+ * also forces the tests to be rerun if forcePOST is set. */
+ crv = sftk_FIPSEntryOK(rerun);
+ if (crv != CKR_OK) {
+ sftk_fatalError = PR_TRUE;
+ fc_log_init_error(crv);
+ return crv;
+ }
+
+ sftk_ForkReset(pReserved, &crv);
+
+ if (nsf_init) {
+ return CKR_CRYPTOKI_ALREADY_INITIALIZED;
+ }
+
+ crv = nsc_CommonInitialize(pReserved, PR_TRUE);
+
+ /* not an 'else' rv can be set by either SFTK_LowInit or SFTK_SlotInit*/
+ if (crv != CKR_OK) {
+ sftk_fatalError = PR_TRUE;
+ return crv;
+ }
+
+ sftk_fatalError = PR_FALSE; /* any error has been reset */
+ nsf_init = PR_TRUE;
+ isLevel2 = PR_TRUE; /* assume level 2 unless we learn otherwise */
+
+ return CKR_OK;
+}
+
+/*FC_Finalize indicates that an application is done with the PKCS #11 library.*/
+CK_RV
+FC_Finalize(CK_VOID_PTR pReserved)
+{
+ CK_RV crv;
+
+ if (sftk_ForkReset(pReserved, &crv)) {
+ return crv;
+ }
+
+ if (!nsf_init) {
+ return CKR_OK;
+ }
+
+ crv = nsc_CommonFinalize(pReserved, PR_TRUE);
+
+ nsf_init = (PRBool) !(crv == CKR_OK);
+ return crv;
+}
+
+/* FC_GetInfo returns general information about PKCS #11. */
+CK_RV
+FC_GetInfo(CK_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ return NSC_GetInfo(pInfo);
+}
+
+/* FC_GetInfo returns general information about PKCS #11. */
+CK_RV
+FC_GetInfoV2(CK_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ return NSC_GetInfoV2(pInfo);
+}
+
+/* FC_GetSlotList obtains a list of slots in the system. */
+CK_RV
+FC_GetSlotList(CK_BBOOL tokenPresent,
+ CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
+{
+ CHECK_FORK();
+
+ return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount,
+ NSC_FIPS_MODULE);
+}
+
+/* FC_GetSlotInfo obtains information about a particular slot in the system. */
+CK_RV
+FC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ return NSC_GetSlotInfo(slotID, pInfo);
+}
+
+/*FC_GetTokenInfo obtains information about a particular token in the system.*/
+CK_RV
+FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_GetTokenInfo(slotID, pInfo);
+ if (crv == CKR_OK) {
+ /* use the global database to figure out if we are running in
+ * FIPS 140 Level 1 or Level 2 */
+ if (slotID == FIPS_SLOT_ID &&
+ (pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
+ isLevel2 = PR_FALSE;
+ }
+ }
+ return crv;
+}
+
+/*FC_GetMechanismList obtains a list of mechanism types supported by a token.*/
+CK_RV
+FC_GetMechanismList(CK_SLOT_ID slotID,
+ CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pusCount)
+{
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ if (sftk_isFIPS(slotID)) {
+ slotID = NETSCAPE_SLOT_ID;
+ }
+ /* FIPS Slots support all functions */
+ return NSC_GetMechanismList(slotID, pMechanismList, pusCount);
+}
+
+/* FC_GetMechanismInfo obtains information about a particular mechanism
+ * possibly supported by a token. */
+CK_RV
+FC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ if (sftk_isFIPS(slotID)) {
+ slotID = NETSCAPE_SLOT_ID;
+ }
+ /* FIPS Slots support all functions */
+ return NSC_GetMechanismInfo(slotID, type, pInfo);
+}
+
+/* FC_GetMechanismInfoV2 same as FC_GetMechanismInfo except the Message
+ * flags have been stripped out */
+CK_RV
+FC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ if (sftk_isFIPS(slotID)) {
+ slotID = NETSCAPE_SLOT_ID;
+ }
+ /* FIPS Slots support all functions */
+ return NSC_GetMechanismInfoV2(slotID, type, pInfo);
+}
+
+/* FC_InitToken initializes a token. */
+CK_RV
+FC_InitToken(CK_SLOT_ID slotID, CK_CHAR_PTR pPin,
+ CK_ULONG usPinLen, CK_CHAR_PTR pLabel)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_InitToken(slotID, pPin, usPinLen, pLabel);
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity = (crv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ /* pLabel points to a 32-byte label, which is not null-terminated */
+ PR_snprintf(msg, sizeof msg,
+ "C_InitToken(slotID=%lu, pLabel=\"%.32s\")=0x%08lX",
+ (PRUint32)slotID, pLabel, (PRUint32)crv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_INIT_TOKEN, msg);
+ }
+ return crv;
+}
+
+/* FC_InitPIN initializes the normal user's PIN. */
+CK_RV
+FC_InitPIN(CK_SESSION_HANDLE hSession,
+ CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+ CK_RV rv;
+
+ CHECK_FORK();
+
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ /* NSC_InitPIN will only work once per database. We can either initialize
+ * it to level1 (pin len == 0) or level2. If we initialize to level 2, then
+ * we need to make sure the pin meets FIPS requirements */
+ if ((ulPinLen == 0) || ((rv = sftk_newPinCheck(pPin, ulPinLen)) == CKR_OK)) {
+ rv = NSC_InitPIN(hSession, pPin, ulPinLen);
+ if ((rv == CKR_OK) &&
+ (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) {
+ isLevel2 = (ulPinLen > 0) ? PR_TRUE : PR_FALSE;
+ }
+ }
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_InitPIN(hSession=0x%08lX)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_INIT_PIN, msg);
+ }
+ return rv;
+}
+
+/* FC_SetPIN modifies the PIN of user that is currently logged in. */
+/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
+CK_RV
+FC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
+ CK_ULONG usOldLen, CK_CHAR_PTR pNewPin, CK_ULONG usNewLen)
+{
+ CK_RV rv;
+
+ CHECK_FORK();
+
+ rv = sftk_fipsCheck();
+ if (rv != CKR_OK) {
+ goto loser;
+ }
+
+ if (isLevel2 || usNewLen > 0) {
+ rv = sftk_newPinCheck(pNewPin, usNewLen);
+ if (rv != CKR_OK) {
+ goto loser;
+ }
+ rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
+ if (rv != CKR_OK) {
+ goto loser;
+ }
+ if (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID) {
+ /* if we set the password in level1 we now go
+ * to level2. NOTE: we don't allow the user to
+ * go from level2 to level1 */
+ isLevel2 = PR_TRUE;
+ }
+ } else {
+ /* here both old and new passwords are empty, but we need to
+ * call NSC_SetPIN to force rekey the database entries */
+ PORT_Assert(usNewLen == 0);
+ rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen);
+ if (rv != CKR_OK) {
+ goto loser;
+ }
+ }
+
+loser:
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_SetPIN(hSession=0x%08lX)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_SET_PIN, msg);
+ }
+ return rv;
+}
+
+/* FC_OpenSession opens a session between an application and a token. */
+CK_RV
+FC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+ CK_VOID_PTR pApplication, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession)
+{
+ SFTK_FIPSFATALCHECK();
+
+ CHECK_FORK();
+
+ return NSC_OpenSession(slotID, flags, pApplication, Notify, phSession);
+}
+
+/* FC_CloseSession closes a session between an application and a token. */
+CK_RV
+FC_CloseSession(CK_SESSION_HANDLE hSession)
+{
+ CHECK_FORK();
+
+ return NSC_CloseSession(hSession);
+}
+
+/* FC_CloseAllSessions closes all sessions with a token. */
+CK_RV
+FC_CloseAllSessions(CK_SLOT_ID slotID)
+{
+
+ CHECK_FORK();
+
+ return NSC_CloseAllSessions(slotID);
+}
+
+CK_RV
+FC_SessionCancel(CK_SESSION_HANDLE hSession, CK_FLAGS flags)
+{
+ SFTK_FIPSFATALCHECK();
+
+ CHECK_FORK();
+
+ return NSC_SessionCancel(hSession, flags);
+}
+
+/* FC_GetSessionInfo obtains information about the session. */
+CK_RV
+FC_GetSessionInfo(CK_SESSION_HANDLE hSession,
+ CK_SESSION_INFO_PTR pInfo)
+{
+ CK_RV rv;
+ SFTK_FIPSFATALCHECK();
+
+ CHECK_FORK();
+
+ rv = NSC_GetSessionInfo(hSession, pInfo);
+ if (rv == CKR_OK) {
+ /* handle the case where the auxilary slot doesn't require login.
+ * piggy back on the main token's login state */
+ if (isLoggedIn &&
+ ((pInfo->state == CKS_RO_PUBLIC_SESSION) ||
+ (pInfo->state == CKS_RW_PUBLIC_SESSION))) {
+ CK_RV crv;
+ CK_TOKEN_INFO tInfo;
+ crv = NSC_GetTokenInfo(sftk_SlotIDFromSessionHandle(hSession),
+ &tInfo);
+ /* if the token doesn't login, use our global login state */
+ if ((crv == CKR_OK) && ((tInfo.flags & CKF_LOGIN_REQUIRED) == 0)) {
+ if (pInfo->state == CKS_RO_PUBLIC_SESSION) {
+ pInfo->state = CKS_RO_USER_FUNCTIONS;
+ } else {
+ pInfo->state = CKS_RW_USER_FUNCTIONS;
+ }
+ }
+ }
+ }
+ return rv;
+}
+
+/* FC_Login logs a user into a token. */
+CK_RV
+FC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin, CK_ULONG usPinLen)
+{
+ CK_RV rv;
+ PRBool successful;
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ rv = NSC_Login(hSession, userType, pPin, usPinLen);
+ successful = (rv == CKR_OK) || (rv == CKR_USER_ALREADY_LOGGED_IN);
+ if (successful)
+ isLoggedIn = PR_TRUE;
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity;
+ severity = successful ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_Login(hSession=0x%08lX, userType=%lu)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)userType, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_LOGIN, msg);
+ }
+ return rv;
+}
+
+CK_RV
+FC_LoginUser(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pUsername,
+ CK_ULONG ulUsernameLen)
+{
+ CK_RV rv;
+ PRBool successful;
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ rv = NSC_LoginUser(hSession, userType, pPin, ulPinLen,
+ pUsername, ulUsernameLen);
+ successful = (rv == CKR_OK) || (rv == CKR_USER_ALREADY_LOGGED_IN);
+ if (successful)
+ isLoggedIn = PR_TRUE;
+ if (sftk_audit_enabled) {
+ char msg[128];
+ char user[61];
+ int len = PR_MIN(ulUsernameLen, sizeof(user) - 1);
+ PORT_Memcpy(user, pUsername, len);
+ user[len] = 0;
+ NSSAuditSeverity severity;
+ severity = successful ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_LoginUser(hSession=0x%08lX, userType=%lu username=%s)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)userType, user, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_LOGIN, msg);
+ }
+ return rv;
+}
+
+/* FC_Logout logs a user out from a token. */
+CK_RV
+FC_Logout(CK_SESSION_HANDLE hSession)
+{
+ CK_RV rv;
+
+ CHECK_FORK();
+
+ if ((rv = sftk_fipsCheck()) == CKR_OK) {
+ rv = NSC_Logout(hSession);
+ isLoggedIn = PR_FALSE;
+ }
+ if (sftk_audit_enabled) {
+ char msg[128];
+ NSSAuditSeverity severity = (rv == CKR_OK) ? NSS_AUDIT_INFO : NSS_AUDIT_ERROR;
+ PR_snprintf(msg, sizeof msg,
+ "C_Logout(hSession=0x%08lX)=0x%08lX",
+ (PRUint32)hSession, (PRUint32)rv);
+ sftk_LogAuditMessage(severity, NSS_AUDIT_LOGOUT, msg);
+ }
+ return rv;
+}
+
+/* FC_CreateObject creates a new object. */
+CK_RV
+FC_CreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phObject)
+{
+ CK_OBJECT_CLASS *classptr;
+ CK_RV rv = CKR_OK;
+
+ CHECK_FORK();
+
+ classptr = (CK_OBJECT_CLASS *)fc_getAttribute(pTemplate, ulCount, CKA_CLASS);
+ if (classptr == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+
+ if (*classptr == CKO_NSS_NEWSLOT || *classptr == CKO_NSS_DELSLOT) {
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+ } else {
+ rv = sftk_fipsCheck();
+ if (rv != CKR_OK)
+ return rv;
+ }
+
+ /* FIPS can't create keys from raw key material */
+ if (SFTK_IS_NONPUBLIC_KEY_OBJECT(*classptr)) {
+ rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ } else {
+ rv = NSC_CreateObject(hSession, pTemplate, ulCount, phObject);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(*classptr)) {
+ sftk_AuditCreateObject(hSession, pTemplate, ulCount, phObject, rv);
+ }
+ return rv;
+}
+
+/* FC_CopyObject copies an object, creating a new object for the copy. */
+CK_RV
+FC_CopyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phNewObject)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_CopyObject(hSession, hObject, pTemplate, ulCount, phNewObject);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditCopyObject(hSession,
+ hObject, pTemplate, ulCount, phNewObject, rv);
+ }
+ return rv;
+}
+
+/* FC_DestroyObject destroys an object. */
+CK_RV
+FC_DestroyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_DestroyObject(hSession, hObject);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditDestroyObject(hSession, hObject, rv);
+ }
+ return rv;
+}
+
+/* FC_GetObjectSize gets the size of an object in bytes. */
+CK_RV
+FC_GetObjectSize(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_GetObjectSize(hSession, hObject, pulSize);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditGetObjectSize(hSession, hObject, pulSize, rv);
+ }
+ return rv;
+}
+
+/* FC_GetAttributeValue obtains the value of one or more object attributes. */
+CK_RV
+FC_GetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_GetAttributeValue(hSession, hObject, pTemplate, ulCount);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditGetAttributeValue(hSession, hObject, pTemplate, ulCount, rv);
+ }
+ return rv;
+}
+
+/* FC_SetAttributeValue modifies the value of one or more object attributes */
+CK_RV
+FC_SetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+ CK_RV rv;
+ CK_OBJECT_CLASS objClass = CKO_NOT_A_KEY;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ rv = sftk_get_object_class_and_fipsCheck(hSession, hObject, &objClass);
+ if (rv == CKR_OK) {
+ rv = NSC_SetAttributeValue(hSession, hObject, pTemplate, ulCount);
+ }
+ if (sftk_audit_enabled && SFTK_IS_KEY_OBJECT(objClass)) {
+ sftk_AuditSetAttributeValue(hSession, hObject, pTemplate, ulCount, rv);
+ }
+ return rv;
+}
+
+/* FC_FindObjectsInit initializes a search for token and session objects
+ * that match a template. */
+CK_RV
+FC_FindObjectsInit(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG usCount)
+{
+ /* let publically readable object be found */
+ unsigned int i;
+ CK_RV rv;
+ PRBool needLogin = PR_FALSE;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+
+ for (i = 0; i < usCount; i++) {
+ CK_OBJECT_CLASS class;
+ if (pTemplate[i].type != CKA_CLASS) {
+ continue;
+ }
+ if (pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS)) {
+ continue;
+ }
+ if (pTemplate[i].pValue == NULL) {
+ continue;
+ }
+ class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+ if ((class == CKO_PRIVATE_KEY) || (class == CKO_SECRET_KEY)) {
+ needLogin = PR_TRUE;
+ break;
+ }
+ }
+ if (needLogin) {
+ if ((rv = sftk_fipsCheck()) != CKR_OK)
+ return rv;
+ }
+ return NSC_FindObjectsInit(hSession, pTemplate, usCount);
+}
+
+/* FC_FindObjects continues a search for token and session objects
+ * that match a template, obtaining additional object handles. */
+CK_RV
+FC_FindObjects(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE_PTR phObject, CK_ULONG usMaxObjectCount,
+ CK_ULONG_PTR pusObjectCount)
+{
+ CHECK_FORK();
+
+ /* let publically readable object be found */
+ SFTK_FIPSFATALCHECK();
+ return NSC_FindObjects(hSession, phObject, usMaxObjectCount,
+ pusObjectCount);
+}
+
+/*
+ ************** Crypto Functions: Encrypt ************************
+ */
+
+/* FC_EncryptInit initializes an encryption operation. */
+CK_RV
+FC_EncryptInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_EncryptInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("Encrypt", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+/* FC_Encrypt encrypts single-part data. */
+CK_RV
+FC_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG usDataLen, CK_BYTE_PTR pEncryptedData,
+ CK_ULONG_PTR pusEncryptedDataLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_Encrypt(hSession, pData, usDataLen, pEncryptedData,
+ pusEncryptedDataLen);
+}
+
+/* FC_EncryptUpdate continues a multiple-part encryption operation. */
+CK_RV
+FC_EncryptUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pPart, CK_ULONG usPartLen, CK_BYTE_PTR pEncryptedPart,
+ CK_ULONG_PTR pusEncryptedPartLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_EncryptUpdate(hSession, pPart, usPartLen, pEncryptedPart,
+ pusEncryptedPartLen);
+}
+
+/* FC_EncryptFinal finishes a multiple-part encryption operation. */
+CK_RV
+FC_EncryptFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pusLastEncryptedPartLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_EncryptFinal(hSession, pLastEncryptedPart,
+ pusLastEncryptedPartLen);
+}
+
+/*
+ ************** Crypto Functions: Decrypt ************************
+ */
+
+/* FC_DecryptInit initializes a decryption operation. */
+CK_RV
+FC_DecryptInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_DecryptInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("Decrypt", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+/* FC_Decrypt decrypts encrypted data in a single part. */
+CK_RV
+FC_Decrypt(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedData, CK_ULONG usEncryptedDataLen, CK_BYTE_PTR pData,
+ CK_ULONG_PTR pusDataLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_Decrypt(hSession, pEncryptedData, usEncryptedDataLen, pData,
+ pusDataLen);
+}
+
+/* FC_DecryptUpdate continues a multiple-part decryption operation. */
+CK_RV
+FC_DecryptUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedPart, CK_ULONG usEncryptedPartLen,
+ CK_BYTE_PTR pPart, CK_ULONG_PTR pusPartLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_DecryptUpdate(hSession, pEncryptedPart, usEncryptedPartLen,
+ pPart, pusPartLen);
+}
+
+/* FC_DecryptFinal finishes a multiple-part decryption operation. */
+CK_RV
+FC_DecryptFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pLastPart, CK_ULONG_PTR pusLastPartLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_DecryptFinal(hSession, pLastPart, pusLastPartLen);
+}
+
+/*
+ ************** Crypto Functions: Digest (HASH) ************************
+ */
+
+/* FC_DigestInit initializes a message-digesting operation. */
+CK_RV
+FC_DigestInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism)
+{
+ SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
+ return NSC_DigestInit(hSession, pMechanism);
+}
+
+/* FC_Digest digests data in a single part. */
+CK_RV
+FC_Digest(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pDigest,
+ CK_ULONG_PTR pusDigestLen)
+{
+ SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
+ return NSC_Digest(hSession, pData, usDataLen, pDigest, pusDigestLen);
+}
+
+/* FC_DigestUpdate continues a multiple-part message-digesting operation. */
+CK_RV
+FC_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG usPartLen)
+{
+ SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
+ return NSC_DigestUpdate(hSession, pPart, usPartLen);
+}
+
+/* FC_DigestFinal finishes a multiple-part message-digesting operation. */
+CK_RV
+FC_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+ CK_ULONG_PTR pusDigestLen)
+{
+ SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
+ return NSC_DigestFinal(hSession, pDigest, pusDigestLen);
+}
+
+/*
+ ************** Crypto Functions: Sign ************************
+ */
+
+/* FC_SignInit initializes a signature (private key encryption) operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature */
+CK_RV
+FC_SignInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_SignInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("Sign", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+/* FC_Sign signs (encrypts with private key) data in a single part,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature */
+CK_RV
+FC_Sign(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pData, CK_ULONG usDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pusSignatureLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_Sign(hSession, pData, usDataLen, pSignature, pusSignatureLen);
+}
+
+/* FC_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature */
+CK_RV
+FC_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG usPartLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_SignUpdate(hSession, pPart, usPartLen);
+}
+
+/* FC_SignFinal finishes a multiple-part signature operation,
+ * returning the signature. */
+CK_RV
+FC_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pusSignatureLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_SignFinal(hSession, pSignature, pusSignatureLen);
+}
+
+/*
+ ************** Crypto Functions: Sign Recover ************************
+ */
+/* FC_SignRecoverInit initializes a signature operation,
+ * where the (digest) data can be recovered from the signature.
+ * E.g. encryption with the user's private key */
+CK_RV
+FC_SignRecoverInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_SignRecoverInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("SignRecover", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+/* FC_SignRecover signs data in a single operation
+ * where the (digest) data can be recovered from the signature.
+ * E.g. encryption with the user's private key */
+CK_RV
+FC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pusSignatureLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_SignRecover(hSession, pData, usDataLen, pSignature, pusSignatureLen);
+}
+
+/*
+ ************** Crypto Functions: verify ************************
+ */
+
+/* FC_VerifyInit initializes a verification operation,
+ * where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature (e.g. DSA) */
+CK_RV
+FC_VerifyInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_VerifyInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("Verify", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+/* FC_Verify verifies a signature in a single-part operation,
+ * where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature */
+CK_RV
+FC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG usDataLen, CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen)
+{
+ /* make sure we're legal */
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_Verify(hSession, pData, usDataLen, pSignature, usSignatureLen);
+}
+
+/* FC_VerifyUpdate continues a multiple-part verification operation,
+ * where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature */
+CK_RV
+FC_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG usPartLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_VerifyUpdate(hSession, pPart, usPartLen);
+}
+
+/* FC_VerifyFinal finishes a multiple-part verification operation,
+ * checking the signature. */
+CK_RV
+FC_VerifyFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_VerifyFinal(hSession, pSignature, usSignatureLen);
+}
+
+/*
+ ************** Crypto Functions: Verify Recover ************************
+ */
+
+/* FC_VerifyRecoverInit initializes a signature verification operation,
+ * where the data is recovered from the signature.
+ * E.g. Decryption with the user's public key */
+CK_RV
+FC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_VerifyRecoverInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("VerifyRecover", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+/* FC_VerifyRecover verifies a signature in a single-part operation,
+ * where the data is recovered from the signature.
+ * E.g. Decryption with the user's public key */
+CK_RV
+FC_VerifyRecover(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pSignature, CK_ULONG usSignatureLen,
+ CK_BYTE_PTR pData, CK_ULONG_PTR pusDataLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_VerifyRecover(hSession, pSignature, usSignatureLen, pData,
+ pusDataLen);
+}
+
+/*
+ **************************** Key Functions: ************************
+ */
+
+/* FC_GenerateKey generates a secret key, creating a new key object. */
+CK_RV
+FC_GenerateKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ CK_BBOOL *boolptr;
+
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ /* all secret keys must be sensitive, if the upper level code tries to say
+ * otherwise, reject it. */
+ boolptr = (CK_BBOOL *)fc_getAttribute(pTemplate, ulCount, CKA_SENSITIVE);
+ if (boolptr != NULL) {
+ if (!(*boolptr)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ }
+
+ rv = NSC_GenerateKey(hSession, pMechanism, pTemplate, ulCount, phKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditGenerateKey(hSession, pMechanism, pTemplate, ulCount, phKey, rv);
+ }
+ return rv;
+}
+
+/* FC_GenerateKeyPair generates a public-key/private-key pair,
+ * creating new key objects. */
+CK_RV
+FC_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG usPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG usPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
+ CK_OBJECT_HANDLE_PTR phPrivateKey)
+{
+ CK_BBOOL *boolptr;
+ CK_RV crv;
+
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ /* all private keys must be sensitive, if the upper level code tries to say
+ * otherwise, reject it. */
+ boolptr = (CK_BBOOL *)fc_getAttribute(pPrivateKeyTemplate,
+ usPrivateKeyAttributeCount, CKA_SENSITIVE);
+ if (boolptr != NULL) {
+ if (!(*boolptr)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ }
+ crv = NSC_GenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate,
+ usPublicKeyAttributeCount, pPrivateKeyTemplate,
+ usPrivateKeyAttributeCount, phPublicKey, phPrivateKey);
+ if (crv == CKR_GENERAL_ERROR) {
+ /* pairwise consistency check failed. */
+ sftk_fatalError = PR_TRUE;
+ }
+ if (sftk_audit_enabled) {
+ sftk_AuditGenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate,
+ usPublicKeyAttributeCount, pPrivateKeyTemplate,
+ usPrivateKeyAttributeCount, phPublicKey, phPrivateKey, crv);
+ }
+ return crv;
+}
+
+/* FC_WrapKey wraps (i.e., encrypts) a key. */
+CK_RV
+FC_WrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+ CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+ CK_ULONG_PTR pulWrappedKeyLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_WrapKey(hSession, pMechanism, hWrappingKey, hKey, pWrappedKey,
+ pulWrappedKeyLen);
+ if (sftk_audit_enabled) {
+ sftk_AuditWrapKey(hSession, pMechanism, hWrappingKey, hKey, pWrappedKey,
+ pulWrappedKeyLen, rv);
+ }
+ return rv;
+}
+
+/* FC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
+CK_RV
+FC_UnwrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+ CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ CK_BBOOL *boolptr;
+
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ /* all secret keys must be sensitive, if the upper level code tries to say
+ * otherwise, reject it. */
+ boolptr = (CK_BBOOL *)fc_getAttribute(pTemplate,
+ ulAttributeCount, CKA_SENSITIVE);
+ if (boolptr != NULL) {
+ if (!(*boolptr)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ }
+ rv = NSC_UnwrapKey(hSession, pMechanism, hUnwrappingKey, pWrappedKey,
+ ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditUnwrapKey(hSession, pMechanism, hUnwrappingKey, pWrappedKey,
+ ulWrappedKeyLen, pTemplate, ulAttributeCount, phKey, rv);
+ }
+ return rv;
+}
+
+/* FC_DeriveKey derives a key from a base key, creating a new key object. */
+CK_RV
+FC_DeriveKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ CK_BBOOL *boolptr;
+
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ /* all secret keys must be sensitive, if the upper level code tries to say
+ * otherwise, reject it. */
+ boolptr = (CK_BBOOL *)fc_getAttribute(pTemplate,
+ ulAttributeCount, CKA_SENSITIVE);
+ if (boolptr != NULL) {
+ if (!(*boolptr)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ }
+ rv = NSC_DeriveKey(hSession, pMechanism, hBaseKey, pTemplate,
+ ulAttributeCount, phKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditDeriveKey(hSession, pMechanism, hBaseKey, pTemplate,
+ ulAttributeCount, phKey, rv);
+ }
+ return rv;
+}
+
+/*
+ **************************** Radom Functions: ************************
+ */
+
+/* FC_SeedRandom mixes additional seed material into the token's random number
+ * generator. */
+CK_RV
+FC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+ CK_ULONG usSeedLen)
+{
+ CK_RV crv;
+
+ SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
+ crv = NSC_SeedRandom(hSession, pSeed, usSeedLen);
+ if (crv != CKR_OK) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return crv;
+}
+
+/* FC_GenerateRandom generates random data. */
+CK_RV
+FC_GenerateRandom(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ SFTK_FIPSFATALCHECK();
+ crv = NSC_GenerateRandom(hSession, pRandomData, ulRandomLen);
+ if (crv != CKR_OK) {
+ sftk_fatalError = PR_TRUE;
+ if (sftk_audit_enabled) {
+ char msg[128];
+ PR_snprintf(msg, sizeof msg,
+ "C_GenerateRandom(hSession=0x%08lX, pRandomData=%p, "
+ "ulRandomLen=%lu)=0x%08lX "
+ "self-test: continuous RNG test failed",
+ (PRUint32)hSession, pRandomData,
+ (PRUint32)ulRandomLen, (PRUint32)crv);
+ sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
+ }
+ }
+ return crv;
+}
+
+/* FC_GetFunctionStatus obtains an updated status of a function running
+ * in parallel with an application. */
+CK_RV
+FC_GetFunctionStatus(CK_SESSION_HANDLE hSession)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_GetFunctionStatus(hSession);
+}
+
+/* FC_CancelFunction cancels a function running in parallel */
+CK_RV
+FC_CancelFunction(CK_SESSION_HANDLE hSession)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_CancelFunction(hSession);
+}
+
+/*
+ **************************** Version 1.1 Functions: ************************
+ */
+
+/* FC_GetOperationState saves the state of the cryptographic
+ *operation in a session. */
+CK_RV
+FC_GetOperationState(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen)
+{
+ SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
+ return NSC_GetOperationState(hSession, pOperationState, pulOperationStateLen);
+}
+
+/* FC_SetOperationState restores the state of the cryptographic operation
+ * in a session. */
+CK_RV
+FC_SetOperationState(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen,
+ CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey)
+{
+ SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
+ return NSC_SetOperationState(hSession, pOperationState, ulOperationStateLen,
+ hEncryptionKey, hAuthenticationKey);
+}
+
+/* FC_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV
+FC_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+ /* let publically readable object be found */
+ SFTK_FIPSFATALCHECK();
+ CHECK_FORK();
+
+ return NSC_FindObjectsFinal(hSession);
+}
+
+/* Dual-function cryptographic operations */
+
+/* FC_DigestEncryptUpdate continues a multiple-part digesting and encryption
+ * operation. */
+CK_RV
+FC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
+ CK_ULONG_PTR pulEncryptedPartLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_DigestEncryptUpdate(hSession, pPart, ulPartLen, pEncryptedPart,
+ pulEncryptedPartLen);
+}
+
+/* FC_DecryptDigestUpdate continues a multiple-part decryption and digesting
+ * operation. */
+CK_RV
+FC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
+ CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_DecryptDigestUpdate(hSession, pEncryptedPart, ulEncryptedPartLen,
+ pPart, pulPartLen);
+}
+
+/* FC_SignEncryptUpdate continues a multiple-part signing and encryption
+ * operation. */
+CK_RV
+FC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
+ CK_ULONG_PTR pulEncryptedPartLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_SignEncryptUpdate(hSession, pPart, ulPartLen, pEncryptedPart,
+ pulEncryptedPartLen);
+}
+
+/* FC_DecryptVerifyUpdate continues a multiple-part decryption and verify
+ * operation. */
+CK_RV
+FC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
+ CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ return NSC_DecryptVerifyUpdate(hSession, pEncryptedData, ulEncryptedDataLen,
+ pData, pulDataLen);
+}
+
+/* FC_DigestKey continues a multi-part message-digesting operation,
+ * by digesting the value of a secret key as part of the data already digested.
+ */
+CK_RV
+FC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_DigestKey(hSession, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditDigestKey(hSession, hKey, rv);
+ }
+ return rv;
+}
+
+CK_RV
+FC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
+ CK_VOID_PTR pReserved)
+{
+ CHECK_FORK();
+
+ return NSC_WaitForSlotEvent(flags, pSlot, pReserved);
+}
+
+CK_RV
+FC_MessageEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_MessageEncryptInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("MessageEncrypt", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+CK_RV
+FC_EncryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData,
+ CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pPlaintext,
+ CK_ULONG ulPlaintextLen, CK_BYTE_PTR pCiphertext,
+ CK_ULONG_PTR pulCiphertextLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_EncryptMessage(hSession, pParameter, ulParameterLen,
+ pAssociatedData, ulAssociatedDataLen,
+ pPlaintext, ulPlaintextLen, pCiphertext,
+ pulCiphertextLen);
+}
+
+CK_RV
+FC_EncryptMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData,
+ CK_ULONG ulAssociatedDataLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_EncryptMessageBegin(hSession, pParameter, ulParameterLen,
+ pAssociatedData, ulAssociatedDataLen);
+}
+
+CK_RV
+FC_EncryptMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pPlaintextPart,
+ CK_ULONG ulPlaintextPartLen, CK_BYTE_PTR pCiphertextPart,
+ CK_ULONG_PTR pulCiphertextPartLen, CK_FLAGS flags)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_EncryptMessageNext(hSession, pParameter, ulParameterLen,
+ pPlaintextPart, ulPlaintextPartLen,
+ pCiphertextPart, pulCiphertextPartLen, flags);
+}
+
+CK_RV
+FC_MessageEncryptFinal(CK_SESSION_HANDLE hSession)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_MessageEncryptFinal(hSession);
+}
+
+CK_RV
+FC_MessageDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_MessageDecryptInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("MessageDecrypt", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+CK_RV
+FC_DecryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData,
+ CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pCiphertext,
+ CK_ULONG ulCiphertextLen, CK_BYTE_PTR pPlaintext,
+ CK_ULONG_PTR pulPlaintextLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_DecryptMessage(hSession, pParameter, ulParameterLen,
+ pAssociatedData, ulAssociatedDataLen,
+ pCiphertext, ulCiphertextLen, pPlaintext,
+ pulPlaintextLen);
+}
+
+CK_RV
+FC_DecryptMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData,
+ CK_ULONG ulAssociatedDataLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_DecryptMessageBegin(hSession, pParameter, ulParameterLen,
+ pAssociatedData, ulAssociatedDataLen);
+}
+
+CK_RV
+FC_DecryptMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pCiphertextPart,
+ CK_ULONG ulCiphertextPartLen, CK_BYTE_PTR pPlaintextPart,
+ CK_ULONG_PTR pulPlaintextPartLen, CK_FLAGS flags)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_DecryptMessageNext(hSession, pParameter, ulParameterLen,
+ pCiphertextPart, ulCiphertextPartLen,
+ pPlaintextPart, pulPlaintextPartLen, flags);
+}
+
+CK_RV
+FC_MessageDecryptFinal(CK_SESSION_HANDLE hSession)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_MessageDecryptFinal(hSession);
+}
+
+CK_RV
+FC_MessageSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_MessageSignInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("MessageSign", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+CK_RV
+FC_SignMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
+ CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_SignMessage(hSession, pParameter, ulParameterLen, pData,
+ ulDataLen, pSignature, pulSignatureLen);
+}
+
+CK_RV
+FC_SignMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_SignMessageBegin(hSession, pParameter, ulParameterLen);
+}
+
+CK_RV
+FC_SignMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_SignMessageNext(hSession, pParameter, ulParameterLen, pData,
+ ulDataLen, pSignature, pulSignatureLen);
+}
+
+CK_RV
+FC_MessageSignFinal(CK_SESSION_HANDLE hSession)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_MessageSignFinal(hSession);
+}
+
+CK_RV
+FC_MessageVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+
+ rv = NSC_MessageVerifyInit(hSession, pMechanism, hKey);
+ if (sftk_audit_enabled) {
+ sftk_AuditCryptInit("MessageVerify", hSession, pMechanism, hKey, rv);
+ }
+ return rv;
+}
+
+CK_RV
+FC_VerifyMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_VerifyMessage(hSession, pParameter, ulParameterLen, pData,
+ ulDataLen, pSignature, ulSignatureLen);
+}
+
+CK_RV
+FC_VerifyMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_VerifyMessageBegin(hSession, pParameter, ulParameterLen);
+}
+
+CK_RV
+FC_VerifyMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_VerifyMessageNext(hSession, pParameter, ulParameterLen,
+ pData, ulDataLen, pSignature, ulSignatureLen);
+}
+
+CK_RV
+FC_MessageVerifyFinal(CK_SESSION_HANDLE hSession)
+{
+ SFTK_FIPSCHECK();
+ CHECK_FORK();
+ return NSC_MessageVerifyFinal(hSession);
+}
diff --git a/security/nss/lib/softoken/jpakesftk.c b/security/nss/lib/softoken/jpakesftk.c
new file mode 100644
index 0000000000..7ed1e3495c
--- /dev/null
+++ b/security/nss/lib/softoken/jpakesftk.c
@@ -0,0 +1,359 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "seccomon.h"
+#include "secerr.h"
+#include "blapi.h"
+#include "pkcs11i.h"
+#include "softoken.h"
+
+static CK_RV
+jpake_mapStatus(SECStatus rv, CK_RV invalidArgsMapping)
+{
+ int err;
+ if (rv == SECSuccess)
+ return CKR_OK;
+ err = PORT_GetError();
+ switch (err) {
+ /* XXX: SEC_ERROR_INVALID_ARGS might be caused by invalid template
+ parameters. */
+ case SEC_ERROR_INVALID_ARGS:
+ return invalidArgsMapping;
+ case SEC_ERROR_BAD_SIGNATURE:
+ return CKR_SIGNATURE_INVALID;
+ case SEC_ERROR_NO_MEMORY:
+ return CKR_HOST_MEMORY;
+ }
+ return CKR_FUNCTION_FAILED;
+}
+
+/* If key is not NULL then the gx value will be stored as an attribute with
+ the type given by the gxAttrType parameter. */
+static CK_RV
+jpake_Sign(PLArenaPool *arena, const PQGParams *pqg, HASH_HashType hashType,
+ const SECItem *signerID, const SECItem *x,
+ CK_NSS_JPAKEPublicValue *out)
+{
+ SECItem gx, gv, r;
+ CK_RV crv;
+
+ PORT_Assert(arena != NULL);
+
+ gx.data = NULL;
+ gv.data = NULL;
+ r.data = NULL;
+ crv = jpake_mapStatus(JPAKE_Sign(arena, pqg, hashType, signerID, x, NULL,
+ NULL, &gx, &gv, &r),
+ CKR_MECHANISM_PARAM_INVALID);
+ if (crv == CKR_OK) {
+ if ((out->pGX != NULL && out->ulGXLen >= gx.len) ||
+ (out->pGV != NULL && out->ulGVLen >= gv.len) ||
+ (out->pR != NULL && out->ulRLen >= r.len)) {
+ PORT_Memcpy(out->pGX, gx.data, gx.len);
+ PORT_Memcpy(out->pGV, gv.data, gv.len);
+ PORT_Memcpy(out->pR, r.data, r.len);
+ out->ulGXLen = gx.len;
+ out->ulGVLen = gv.len;
+ out->ulRLen = r.len;
+ } else {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ }
+ }
+ return crv;
+}
+
+static CK_RV
+jpake_Verify(PLArenaPool *arena, const PQGParams *pqg,
+ HASH_HashType hashType, const SECItem *signerID,
+ const CK_BYTE *peerIDData, CK_ULONG peerIDLen,
+ const CK_NSS_JPAKEPublicValue *publicValueIn)
+{
+ SECItem peerID, gx, gv, r;
+ peerID.data = (unsigned char *)peerIDData;
+ peerID.len = peerIDLen;
+ gx.data = publicValueIn->pGX;
+ gx.len = publicValueIn->ulGXLen;
+ gv.data = publicValueIn->pGV;
+ gv.len = publicValueIn->ulGVLen;
+ r.data = publicValueIn->pR;
+ r.len = publicValueIn->ulRLen;
+ return jpake_mapStatus(JPAKE_Verify(arena, pqg, hashType, signerID, &peerID,
+ &gx, &gv, &r),
+ CKR_MECHANISM_PARAM_INVALID);
+}
+
+#define NUM_ELEM(x) (sizeof(x) / sizeof(x)[0])
+
+/* If the template has the key type set, ensure that it was set to the correct
+ * value. If the template did not have the key type set, set it to the
+ * correct value.
+ */
+static CK_RV
+jpake_enforceKeyType(SFTKObject *key, CK_KEY_TYPE keyType)
+{
+ CK_RV crv;
+ SFTKAttribute *keyTypeAttr = sftk_FindAttribute(key, CKA_KEY_TYPE);
+ if (keyTypeAttr != NULL) {
+ crv = *(CK_KEY_TYPE *)keyTypeAttr->attrib.pValue == keyType
+ ? CKR_OK
+ : CKR_TEMPLATE_INCONSISTENT;
+ sftk_FreeAttribute(keyTypeAttr);
+ } else {
+ crv = sftk_forceAttribute(key, CKA_KEY_TYPE, &keyType, sizeof keyType);
+ }
+ return crv;
+}
+
+static CK_RV
+jpake_MultipleSecItem2Attribute(SFTKObject *key, const SFTKItemTemplate *attrs,
+ size_t attrsCount)
+{
+ size_t i;
+
+ for (i = 0; i < attrsCount; ++i) {
+ CK_RV crv = sftk_forceAttribute(key, attrs[i].type, attrs[i].item->data,
+ attrs[i].item->len);
+ if (crv != CKR_OK)
+ return crv;
+ }
+ return CKR_OK;
+}
+
+CK_RV
+jpake_Round1(HASH_HashType hashType, CK_NSS_JPAKERound1Params *params,
+ SFTKObject *key)
+{
+ CK_RV crv;
+ PQGParams pqg;
+ PLArenaPool *arena;
+ SECItem signerID;
+ SFTKItemTemplate templateAttrs[] = {
+ { CKA_PRIME, &pqg.prime },
+ { CKA_SUBPRIME, &pqg.subPrime },
+ { CKA_BASE, &pqg.base },
+ { CKA_NSS_JPAKE_SIGNERID, &signerID }
+ };
+ SECItem x2, gx1, gx2;
+ const SFTKItemTemplate generatedAttrs[] = {
+ { CKA_NSS_JPAKE_X2, &x2 },
+ { CKA_NSS_JPAKE_GX1, &gx1 },
+ { CKA_NSS_JPAKE_GX2, &gx2 },
+ };
+ SECItem x1;
+
+ PORT_Assert(params != NULL);
+ PORT_Assert(key != NULL);
+
+ arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ crv = CKR_HOST_MEMORY;
+
+ crv = sftk_MultipleAttribute2SecItem(arena, key, templateAttrs,
+ NUM_ELEM(templateAttrs));
+
+ if (crv == CKR_OK && (signerID.data == NULL || signerID.len == 0))
+ crv = CKR_TEMPLATE_INCOMPLETE;
+
+ /* generate x1, g^x1 and the proof of knowledge of x1 */
+ if (crv == CKR_OK) {
+ x1.data = NULL;
+ crv = jpake_mapStatus(DSA_NewRandom(arena, &pqg.subPrime, &x1),
+ CKR_TEMPLATE_INCONSISTENT);
+ }
+ if (crv == CKR_OK)
+ crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x1, &params->gx1);
+
+ /* generate x2, g^x2 and the proof of knowledge of x2 */
+ if (crv == CKR_OK) {
+ x2.data = NULL;
+ crv = jpake_mapStatus(DSA_NewRandom(arena, &pqg.subPrime, &x2),
+ CKR_TEMPLATE_INCONSISTENT);
+ }
+ if (crv == CKR_OK)
+ crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x2, &params->gx2);
+
+ /* Save the values needed for round 2 into CKA_VALUE */
+ if (crv == CKR_OK) {
+ gx1.data = params->gx1.pGX;
+ gx1.len = params->gx1.ulGXLen;
+ gx2.data = params->gx2.pGX;
+ gx2.len = params->gx2.ulGXLen;
+ crv = jpake_MultipleSecItem2Attribute(key, generatedAttrs,
+ NUM_ELEM(generatedAttrs));
+ }
+
+ PORT_FreeArena(arena, PR_TRUE);
+ return crv;
+}
+
+CK_RV
+jpake_Round2(HASH_HashType hashType, CK_NSS_JPAKERound2Params *params,
+ SFTKObject *sourceKey, SFTKObject *key)
+{
+ CK_RV crv;
+ PLArenaPool *arena;
+ PQGParams pqg;
+ SECItem signerID, x2, gx1, gx2;
+ SFTKItemTemplate sourceAttrs[] = {
+ { CKA_PRIME, &pqg.prime },
+ { CKA_SUBPRIME, &pqg.subPrime },
+ { CKA_BASE, &pqg.base },
+ { CKA_NSS_JPAKE_SIGNERID, &signerID },
+ { CKA_NSS_JPAKE_X2, &x2 },
+ { CKA_NSS_JPAKE_GX1, &gx1 },
+ { CKA_NSS_JPAKE_GX2, &gx2 },
+ };
+ SECItem x2s, gx3, gx4;
+ const SFTKItemTemplate copiedAndGeneratedAttrs[] = {
+ { CKA_NSS_JPAKE_SIGNERID, &signerID },
+ { CKA_PRIME, &pqg.prime },
+ { CKA_SUBPRIME, &pqg.subPrime },
+ { CKA_NSS_JPAKE_X2, &x2 },
+ { CKA_NSS_JPAKE_X2S, &x2s },
+ { CKA_NSS_JPAKE_GX1, &gx1 },
+ { CKA_NSS_JPAKE_GX2, &gx2 },
+ { CKA_NSS_JPAKE_GX3, &gx3 },
+ { CKA_NSS_JPAKE_GX4, &gx4 }
+ };
+ SECItem peerID;
+
+ PORT_Assert(params != NULL);
+ PORT_Assert(sourceKey != NULL);
+ PORT_Assert(key != NULL);
+
+ arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ crv = CKR_HOST_MEMORY;
+
+ /* TODO: check CKK_NSS_JPAKE_ROUND1 */
+
+ crv = sftk_MultipleAttribute2SecItem(arena, sourceKey, sourceAttrs,
+ NUM_ELEM(sourceAttrs));
+
+ /* Get the peer's ID out of the template and sanity-check it. */
+ if (crv == CKR_OK)
+ crv = sftk_Attribute2SecItem(arena, &peerID, key,
+ CKA_NSS_JPAKE_PEERID);
+ if (crv == CKR_OK && (peerID.data == NULL || peerID.len == 0))
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ if (crv == CKR_OK && SECITEM_CompareItem(&signerID, &peerID) == SECEqual)
+ crv = CKR_TEMPLATE_INCONSISTENT;
+
+ /* Verify zero-knowledge proofs for g^x3 and g^x4 */
+ if (crv == CKR_OK)
+ crv = jpake_Verify(arena, &pqg, hashType, &signerID,
+ peerID.data, peerID.len, &params->gx3);
+ if (crv == CKR_OK)
+ crv = jpake_Verify(arena, &pqg, hashType, &signerID,
+ peerID.data, peerID.len, &params->gx4);
+
+ /* Calculate the base and x2s for A=base^x2s */
+ if (crv == CKR_OK) {
+ SECItem s;
+ s.data = params->pSharedKey;
+ s.len = params->ulSharedKeyLen;
+ gx3.data = params->gx3.pGX;
+ gx3.len = params->gx3.ulGXLen;
+ gx4.data = params->gx4.pGX;
+ gx4.len = params->gx4.ulGXLen;
+ pqg.base.data = NULL;
+ x2s.data = NULL;
+ crv = jpake_mapStatus(JPAKE_Round2(arena, &pqg.prime, &pqg.subPrime,
+ &gx1, &gx3, &gx4, &pqg.base,
+ &x2, &s, &x2s),
+ CKR_MECHANISM_PARAM_INVALID);
+ }
+
+ /* Generate A=base^x2s and its zero-knowledge proof. */
+ if (crv == CKR_OK)
+ crv = jpake_Sign(arena, &pqg, hashType, &signerID, &x2s, &params->A);
+
+ /* Copy P and Q from the ROUND1 key to the ROUND2 key and save the values
+ needed for the final key material derivation into CKA_VALUE. */
+ if (crv == CKR_OK)
+ crv = sftk_forceAttribute(key, CKA_PRIME, pqg.prime.data,
+ pqg.prime.len);
+ if (crv == CKR_OK)
+ crv = sftk_forceAttribute(key, CKA_SUBPRIME, pqg.subPrime.data,
+ pqg.subPrime.len);
+ if (crv == CKR_OK) {
+ crv = jpake_MultipleSecItem2Attribute(key, copiedAndGeneratedAttrs,
+ NUM_ELEM(copiedAndGeneratedAttrs));
+ }
+
+ if (crv == CKR_OK)
+ crv = jpake_enforceKeyType(key, CKK_NSS_JPAKE_ROUND2);
+
+ PORT_FreeArena(arena, PR_TRUE);
+ return crv;
+}
+
+CK_RV
+jpake_Final(HASH_HashType hashType, const CK_NSS_JPAKEFinalParams *param,
+ SFTKObject *sourceKey, SFTKObject *key)
+{
+ PLArenaPool *arena;
+ SECItem K;
+ PQGParams pqg;
+ CK_RV crv;
+ SECItem peerID, signerID, x2s, x2, gx1, gx2, gx3, gx4;
+ SFTKItemTemplate sourceAttrs[] = {
+ { CKA_NSS_JPAKE_PEERID, &peerID },
+ { CKA_NSS_JPAKE_SIGNERID, &signerID },
+ { CKA_PRIME, &pqg.prime },
+ { CKA_SUBPRIME, &pqg.subPrime },
+ { CKA_NSS_JPAKE_X2, &x2 },
+ { CKA_NSS_JPAKE_X2S, &x2s },
+ { CKA_NSS_JPAKE_GX1, &gx1 },
+ { CKA_NSS_JPAKE_GX2, &gx2 },
+ { CKA_NSS_JPAKE_GX3, &gx3 },
+ { CKA_NSS_JPAKE_GX4, &gx4 }
+ };
+
+ PORT_Assert(param != NULL);
+ PORT_Assert(sourceKey != NULL);
+ PORT_Assert(key != NULL);
+
+ arena = PORT_NewArena(NSS_SOFTOKEN_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ crv = CKR_HOST_MEMORY;
+
+ /* TODO: verify key type CKK_NSS_JPAKE_ROUND2 */
+
+ crv = sftk_MultipleAttribute2SecItem(arena, sourceKey, sourceAttrs,
+ NUM_ELEM(sourceAttrs));
+
+ /* Calculate base for B=base^x4s */
+ if (crv == CKR_OK) {
+ pqg.base.data = NULL;
+ crv = jpake_mapStatus(JPAKE_Round2(arena, &pqg.prime, &pqg.subPrime,
+ &gx1, &gx2, &gx3, &pqg.base,
+ NULL, NULL, NULL),
+ CKR_MECHANISM_PARAM_INVALID);
+ }
+
+ /* Verify zero-knowledge proof for B */
+ if (crv == CKR_OK)
+ crv = jpake_Verify(arena, &pqg, hashType, &signerID,
+ peerID.data, peerID.len, &param->B);
+ if (crv == CKR_OK) {
+ SECItem B;
+ B.data = param->B.pGX;
+ B.len = param->B.ulGXLen;
+ K.data = NULL;
+ crv = jpake_mapStatus(JPAKE_Final(arena, &pqg.prime, &pqg.subPrime,
+ &x2, &gx4, &x2s, &B, &K),
+ CKR_MECHANISM_PARAM_INVALID);
+ }
+
+ /* Save key material into CKA_VALUE. */
+ if (crv == CKR_OK)
+ crv = sftk_forceAttribute(key, CKA_VALUE, K.data, K.len);
+
+ if (crv == CKR_OK)
+ crv = jpake_enforceKeyType(key, CKK_GENERIC_SECRET);
+
+ PORT_FreeArena(arena, PR_TRUE);
+ return crv;
+}
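Review bot: The output-buffer check in jpake_Sign (the `if` following the JPAKE_Sign call) joins the three size tests with `||`, so a caller that supplies an adequate pGX but a NULL or too-short pGV or pR still reaches all three PORT_Memcpy calls and writes past the short buffer; both joins should be `&&` so the copies run only when every output buffer is present and large enough. The hunk also handles arena allocation failure inconsistently: jpake_Round1, jpake_Round2 and jpake_Final set `crv = CKR_HOST_MEMORY` when PORT_NewArena returns NULL but fall through, so the following sftk_MultipleAttribute2SecItem call overwrites crv and runs with a NULL arena (and PORT_FreeArena is later called on it); each of those branches should read `if (arena == NULL) return CKR_HOST_MEMORY;`. The two `TODO` comments in jpake_Round2 and jpake_Final record that the source key's CKA_KEY_TYPE is never compared against CKK_NSS_JPAKE_ROUND1 / CKK_NSS_JPAKE_ROUND2; a read of that attribute on sourceKey returning CKR_KEY_TYPE_INCONSISTENT on mismatch would close them, though presumably a wrong-type key already fails on the missing JPAKE attributes.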
diff --git a/security/nss/lib/softoken/kbkdf.c b/security/nss/lib/softoken/kbkdf.c
new file mode 100644
index 0000000000..c6021ef5e5
--- /dev/null
+++ b/security/nss/lib/softoken/kbkdf.c
@@ -0,0 +1,1520 @@
+#include "pkcs11i.h"
+#include "blapi.h"
+#include "secerr.h"
+#include "softoken.h"
+
+/* Overview:
+ *
+ * This file contains implementations of the three KDFs from NIST SP800-108
+ * "Recommendation for Key Derivation Using Pseudorandom Functions":
+ *
+ * 1. KDF in Counter Mode (section 5.1)
+ * 2. KDF in Feedback Mode (section 5.2)
+ * 3. KDF in Double-Pipeline Iteration Mode (section 5.3)
+ *
+ * These KDFs are a form of negotiable building blocks for KDFs: protocol
+ * designers can choose various fields, their endianness, and the underlying
+ * PRF. These constructs are generic enough to handle creation of arbitrary,
+ * (but known ahead of time) length outputs.
+ *
+ * The families of PRFs described here are used, among other places, in
+ * Kerberos and GlobalPlatform's Secure Channel Protocol 03. The PKCS#11 v3.0
+ * design for this KDF facilitates a wide range of uses.
+ *
+ * Implementation Details:
+ *
+ * We reuse the new sftk_MACCtx for handling the underlying MACing; with a few
+ * safe restrictions, we can reuse whatever it gives us to use as a PRF.
+ *
+ * We implement the core of the KDF in the *Raw(...) version of the function
+ * call. The PKCS#11 key handling happens in the non-Raw version. This means
+ * we need a single large allocation upfront (large enough to store the entire
+ * key stream), but means we can share key parsing logic and enable the
+ * creation of data objects.
+ */
+
+/* [ section: #define's ] */
+
+#define VALID_CK_BOOL(x) ((x) == CK_TRUE || (x) == CK_FALSE)
+#define IS_COUNTER(_mech) ((_mech) == CKM_SP800_108_COUNTER_KDF || (_mech) == CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA)
+#define DOES_DERIVE_DATA(_mech) ((_mech) == CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA || (_mech) == CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA || (_mech) == CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA)
+
+/* [ section: parameter validation ] */
+
+static CK_RV
+kbkdf_LoadParameters(CK_MECHANISM_TYPE mech, CK_MECHANISM_PTR pMechanism, CK_SP800_108_KDF_PARAMS_PTR kdf_params, CK_BYTE_PTR *initial_value, CK_ULONG_PTR initial_value_length)
+{
+ /* This function loads the parameters for the given mechanism into the
+ * specified kdf_params, splitting off the IV if present. In PKCS#11 v3.0,
+ * CK_SP800_108_FEEDBACK_KDF_PARAMS and CK_SP800_108_KDF_PARAMS have
+ * different ordering of internal parameters, which means that it isn't
+ * easy to reuse feedback parameters in the same functions as non-feedback
+ * parameters. Rather than duplicating the logic, split out the only
+ * Feedback-specific data (the IV) into a separate argument and repack it
+ * into the passed kdf_params struct instead. */
+ PR_ASSERT(pMechanism != NULL && kdf_params != NULL && initial_value != NULL && initial_value_length != NULL);
+
+ CK_SP800_108_KDF_PARAMS_PTR in_params;
+ CK_SP800_108_FEEDBACK_KDF_PARAMS_PTR feedback_params;
+
+ if (mech == CKM_SP800_108_FEEDBACK_KDF || mech == CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA) {
+ if (pMechanism->ulParameterLen != sizeof(CK_SP800_108_FEEDBACK_KDF_PARAMS)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ feedback_params = (CK_SP800_108_FEEDBACK_KDF_PARAMS *)pMechanism->pParameter;
+
+ if (feedback_params->pIV == NULL && feedback_params->ulIVLen > 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ kdf_params->prfType = feedback_params->prfType;
+ kdf_params->ulNumberOfDataParams = feedback_params->ulNumberOfDataParams;
+ kdf_params->pDataParams = feedback_params->pDataParams;
+ kdf_params->ulAdditionalDerivedKeys = feedback_params->ulAdditionalDerivedKeys;
+ kdf_params->pAdditionalDerivedKeys = feedback_params->pAdditionalDerivedKeys;
+
+ *initial_value = feedback_params->pIV;
+ *initial_value_length = feedback_params->ulIVLen;
+ } else {
+ if (pMechanism->ulParameterLen != sizeof(CK_SP800_108_KDF_PARAMS)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ in_params = (CK_SP800_108_KDF_PARAMS *)pMechanism->pParameter;
+
+ (*kdf_params) = *in_params;
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_ValidateParameter(CK_MECHANISM_TYPE mech, const CK_PRF_DATA_PARAM *data)
+{
+ /* This function validates that the passed data parameter (data) conforms
+ * to PKCS#11 v3.0's expectations for KDF parameters. This depends both on
+ * the type of this parameter (data->type) and on the KDF mechanism (mech)
+ * as certain parameters are context dependent (like Iteration Variable).
+ */
+
+ /* If the parameter is missing a value when one is expected, then this
+ * parameter is invalid. */
+ if ((data->pValue == NULL) != (data->ulValueLen == 0)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ switch (data->type) {
+ case CK_SP800_108_ITERATION_VARIABLE:
+ case CK_SP800_108_OPTIONAL_COUNTER: {
+ if (data->type == CK_SP800_108_ITERATION_VARIABLE && !IS_COUNTER(mech)) {
+ /* In Feedback and Double Pipeline KDFs, PKCS#11 v3.0 connotes the
+ * iteration variable as the chaining value from the previous PRF
+ * invocation. In contrast, counter mode treats this variable as a
+ * COUNTER_FORMAT descriptor. Thus we can skip validation of
+ * iteration variable parameters outside of counter mode. However,
+ * PKCS#11 v3.0 technically mandates that pValue is NULL, so we
+ * still have to validate that. */
+
+ if (data->pValue != NULL) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ return CKR_OK;
+ }
+
+ /* In counter mode, data->pValue should be a pointer to an instance of
+ * CK_SP800_108_COUNTER_FORMAT; validate its length. */
+ if (data->ulValueLen != sizeof(CK_SP800_108_COUNTER_FORMAT)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ CK_SP800_108_COUNTER_FORMAT_PTR param = (CK_SP800_108_COUNTER_FORMAT_PTR)data->pValue;
+
+ /* Validate the endian parameter. */
+ if (!VALID_CK_BOOL(param->bLittleEndian)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Due to restrictions by our underlying hashes, we restrict bit
+ * widths to actually be byte widths by ensuring they're a multiple
+ * of eight. */
+ if ((param->ulWidthInBits % 8) != 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Note that section 5.1 denotes the maximum length of the counter
+ * to be 32. */
+ if (param->ulWidthInBits > 32) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ break;
+ }
+ case CK_SP800_108_DKM_LENGTH: {
+ /* data->pValue should be a pointer to an instance of
+ * CK_SP800_108_DKM_LENGTH_FORMAT; validate its length. */
+ if (data->ulValueLen != sizeof(CK_SP800_108_DKM_LENGTH_FORMAT)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ CK_SP800_108_DKM_LENGTH_FORMAT_PTR param = (CK_SP800_108_DKM_LENGTH_FORMAT_PTR)data->pValue;
+
+ /* Validate the method parameter. */
+ if (param->dkmLengthMethod != CK_SP800_108_DKM_LENGTH_SUM_OF_KEYS &&
+ param->dkmLengthMethod != CK_SP800_108_DKM_LENGTH_SUM_OF_SEGMENTS) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Validate the endian parameter. */
+ if (!VALID_CK_BOOL(param->bLittleEndian)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Validate the maximum width: we restrict it to being a byte width
+ * instead of a bit width due to restrictions by the underlying
+ * PRFs. */
+ if ((param->ulWidthInBits % 8) != 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Ensure that the width doesn't overflow a 64-bit int. This
+ * restriction is arbitrary but since the counters can't exceed
+ * 32-bits (and most PRFs output at most 1024 bits), you're unlikely
+ * to need all 64-bits of length indicator. */
+ if (param->ulWidthInBits > 64) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ break;
+ }
+ case CK_SP800_108_BYTE_ARRAY:
+ /* There is no additional data to validate for byte arrays; we can
+ * only assume the byte array is of the specified size. */
+ break;
+ default:
+ /* Unexpected parameter type. */
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_ValidateDerived(CK_DERIVED_KEY_PTR key)
+{
+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+ PRUint64 keySize = 0;
+
+ /* The pointer to the key handle shouldn't be NULL. If it is, we can't
+ * do anything else, so exit early. Every other failure case sets the
+ * key->phKey = CK_INVALID_HANDLE, so we can't use `goto failure` here. */
+ if (key->phKey == NULL) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Validate that we have no attributes if and only if pTemplate is NULL.
+ * Otherwise, there's an inconsistency somewhere. */
+ if ((key->ulAttributeCount == 0) != (key->pTemplate == NULL)) {
+ goto failure;
+ }
+
+ for (size_t offset = 0; offset < key->ulAttributeCount; offset++) {
+ CK_ATTRIBUTE_PTR template = key->pTemplate + offset;
+
+ /* We only look for the CKA_VALUE_LEN and CKA_KEY_TYPE attributes.
+ * Everything else we assume we can set on the key if it is passed
+ * here. However, if we can't inquire as to a length (and barring
+ * that, if we have a key type without a standard length), we're
+ * definitely stuck. This mirrors the logic at the top of
+ * NSC_DeriveKey(...). */
+ if (template->type == CKA_KEY_TYPE) {
+ if (template->ulValueLen != sizeof(CK_KEY_TYPE)) {
+ goto failure;
+ }
+
+ keyType = *(CK_KEY_TYPE *)template->pValue;
+ } else if (template->type == CKA_VALUE_LEN) {
+ if (template->ulValueLen != sizeof(CK_ULONG)) {
+ goto failure;
+ }
+
+ keySize = *(CK_ULONG *)template->pValue;
+ }
+ }
+
+ if (keySize == 0) {
+ /* When we lack a keySize, see if we can infer it from the type of the
+ * passed key. */
+ keySize = sftk_MapKeySize(keyType);
+ }
+
+ /* The main piece of information we validate is that we have a length for
+ * this key. */
+ if (keySize == 0 || keySize >= (1ull << 32ull)) {
+ goto failure;
+ }
+
+ return CKR_OK;
+
+failure:
+ /* PKCS#11 v3.0: If the failure was caused by the content of a specific
+ * key's template (ie the template defined by the content of pTemplate),
+ * the corresponding phKey value will be set to CK_INVALID_HANDLE to
+ * identify the offending template. */
+ *(key->phKey) = CK_INVALID_HANDLE;
+ return CKR_MECHANISM_PARAM_INVALID;
+}
+
+static CK_RV
+kbkdf_ValidateParameters(CK_MECHANISM_TYPE mech, const CK_SP800_108_KDF_PARAMS *params, CK_ULONG keySize)
+{
+ CK_RV ret = CKR_MECHANISM_PARAM_INVALID;
+ int param_type_count[5] = { 0, 0, 0, 0, 0 };
+ size_t offset = 0;
+
+ /* Start with checking the prfType as a mechanism against a list of
+ * PRFs allowed by PKCS#11 v3.0. */
+ if (!(/* The following types aren't defined in NSS yet. */
+ /* params->prfType != CKM_3DES_CMAC && */
+ params->prfType == CKM_AES_CMAC || /* allow */
+ /* We allow any HMAC except MD2 and MD5. */
+ params->prfType != CKM_MD2_HMAC || /* disallow */
+ params->prfType != CKM_MD5_HMAC || /* disallow */
+ sftk_HMACMechanismToHash(params->prfType) != HASH_AlgNULL /* Valid HMAC <-> HASH isn't NULL */
+ )) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* We can't have a null pDataParams pointer: we always need at least one
+ * parameter to succeed. */
+ if (params->pDataParams == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Validate each KDF parameter. */
+ for (offset = 0; offset < params->ulNumberOfDataParams; offset++) {
+ /* Validate this parameter has acceptable values. */
+ ret = kbkdf_ValidateParameter(mech, params->pDataParams + offset);
+ if (ret != CKR_OK) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Count that we have a parameter of this type. The above logic
+ * in ValidateParameter MUST validate that type is within the
+ * appropriate range. */
+ PR_ASSERT(params->pDataParams[offset].type < sizeof(param_type_count) / sizeof(param_type_count[0]));
+ param_type_count[params->pDataParams[offset].type] += 1;
+ }
+
+ if (IS_COUNTER(mech)) {
+ /* We have to have at least one iteration variable parameter. */
+ if (param_type_count[CK_SP800_108_ITERATION_VARIABLE] == 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* We can't have any optional counters parameters -- these belong in
+ * iteration variable parameters instead. */
+ if (param_type_count[CK_SP800_108_OPTIONAL_COUNTER] != 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ }
+
+ /* Validate basic assumptions about derived keys:
+ * NULL <-> ulAdditionalDerivedKeys > 0
+ */
+ if ((params->ulAdditionalDerivedKeys == 0) != (params->pAdditionalDerivedKeys == NULL)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Validate each derived key. */
+ for (offset = 0; offset < params->ulAdditionalDerivedKeys; offset++) {
+ ret = kbkdf_ValidateDerived(params->pAdditionalDerivedKeys + offset);
+ if (ret != CKR_OK) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ }
+
+ /* Validate the length of our primary key. */
+ if (keySize == 0 || ((PRUint64)keySize) >= (1ull << 32ull)) {
+ return CKR_KEY_SIZE_RANGE;
+ }
+
+ return CKR_OK;
+}
+
+/* [ section: parameter helpers ] */
+
+static CK_VOID_PTR
+kbkdf_FindParameter(const CK_SP800_108_KDF_PARAMS *params, CK_PRF_DATA_TYPE type)
+{
+ for (size_t offset = 0; offset < params->ulNumberOfDataParams; offset++) {
+ if (params->pDataParams[offset].type == type) {
+ return params->pDataParams[offset].pValue;
+ }
+ }
+
+ return NULL;
+}
+
+size_t
+kbkdf_IncrementBuffer(size_t cur_offset, size_t consumed, size_t prf_length)
+{
+ return cur_offset + PR_ROUNDUP(consumed, prf_length);
+}
+
+CK_ULONG
+kbkdf_GetDerivedKeySize(CK_DERIVED_KEY_PTR derived_key)
+{
+ /* Precondition: kbkdf_ValidateDerived(...) returns CKR_OK for this key,
+ * which implies that keySize is defined. */
+
+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+ CK_ULONG keySize = 0;
+
+ for (size_t offset = 0; offset < derived_key->ulAttributeCount; offset++) {
+ CK_ATTRIBUTE_PTR template = derived_key->pTemplate + offset;
+
+ /* Find the two attributes we care about. */
+ if (template->type == CKA_KEY_TYPE) {
+ keyType = *(CK_KEY_TYPE *)template->pValue;
+ } else if (template->type == CKA_VALUE_LEN) {
+ keySize = *(CK_ULONG *)template->pValue;
+ }
+ }
+
+ /* Prefer keySize, if we have it. */
+ if (keySize > 0) {
+ return keySize;
+ }
+
+ /* Else, fall back to this mapping. We know kbkdf_ValidateDerived(...)
+ * passed, so this should return non-zero. */
+ return sftk_MapKeySize(keyType);
+}
+
+static CK_RV
+kbkdf_CalculateLength(const CK_SP800_108_KDF_PARAMS *params, sftk_MACCtx *ctx, CK_ULONG ret_key_size, PRUint64 *output_bitlen, size_t *buffer_length)
+{
+ /* Two cases: either we have additional derived keys or we don't. In the
+ * case that we don't, the length of the derivation is the size of the
+ * single derived key, and that is the length of the PRF buffer. Otherwise,
+ * we need to use the proper CK_SP800_108_DKM_LENGTH_METHOD to calculate
+ * the length of the output (in bits), with a separate value for the size
+ * of the PRF data buffer. This means that, under PKCS#11 with additional
+ * derived keys, we lie to the KDF about the _actual_ length of the PRF
+ * output.
+ *
+ * Note that *output_bitlen is the L parameter in NIST SP800-108 and is in
+ * bits. However, *buffer_length is in bytes.
+ */
+
+ if (params->ulAdditionalDerivedKeys == 0) {
+ /* When we have no additional derived keys, we get the keySize from
+ * the value passed to one of our KBKDF_* methods. */
+ *output_bitlen = ret_key_size;
+ *buffer_length = ret_key_size;
+ } else {
+ /* Offset in the additional derived keys array. */
+ size_t offset = 0;
+
+ /* Size of the derived key. */
+ CK_ULONG derived_size = 0;
+
+ /* In the below, we place the sum of the keys into *output_bitlen
+ * and the size of the buffer (with padding mandated by PKCS#11 v3.0)
+ * into *buffer_length. If the method is the segment sum, then we
+ * replace *output_bitlen with *buffer_length at the end. This ensures
+ * we always get a output buffer large enough to handle all derived
+ * keys, and *output_bitlen reflects the correct L value. */
+
+ /* Count the initial derived key. */
+ *output_bitlen = ret_key_size;
+ *buffer_length = kbkdf_IncrementBuffer(0, ret_key_size, ctx->mac_size);
+
+ /* Handle n - 1 keys. The last key is special. */
+ for (; offset < params->ulAdditionalDerivedKeys - 1; offset++) {
+ derived_size = kbkdf_GetDerivedKeySize(params->pAdditionalDerivedKeys + offset);
+
+ *output_bitlen += derived_size;
+ *buffer_length = kbkdf_IncrementBuffer(*buffer_length, derived_size, ctx->mac_size);
+ }
+
+ /* Handle the last key. */
+ derived_size = kbkdf_GetDerivedKeySize(params->pAdditionalDerivedKeys + offset);
+
+ *output_bitlen += derived_size;
+ *buffer_length = kbkdf_IncrementBuffer(*buffer_length, derived_size, ctx->mac_size);
+
+ /* Pointer to the DKM method parameter. Note that this implicit cast
+ * is safe since we've assumed we've been validated by
+ * kbkdf_ValidateParameters(...). When kdm_param is NULL, we don't
+ * use the output_bitlen parameter. */
+ CK_SP800_108_DKM_LENGTH_FORMAT_PTR dkm_param = kbkdf_FindParameter(params, CK_SP800_108_DKM_LENGTH);
+ if (dkm_param != NULL) {
+ if (dkm_param->dkmLengthMethod == CK_SP800_108_DKM_LENGTH_SUM_OF_SEGMENTS) {
+ *output_bitlen = *buffer_length;
+ }
+ }
+ }
+
+ /* Note that keySize is the size in bytes and ctx->mac_size is also
+ * the size in bytes. However, output_bitlen needs to be in bits, so
+ * multiply by 8 here. */
+ *output_bitlen *= 8;
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_CalculateIterations(CK_MECHANISM_TYPE mech, const CK_SP800_108_KDF_PARAMS *params, sftk_MACCtx *ctx, size_t buffer_length, PRUint32 *num_iterations)
+{
+ CK_SP800_108_COUNTER_FORMAT_PTR param_ptr = NULL;
+ PRUint64 iteration_count;
+ PRUint64 r = 32;
+
+ /* We need to know how many full iterations are required. This is done
+ * by rounding up the division of the PRF length into buffer_length.
+ * However, we're not guaranteed that the last output is a full PRF
+ * invocation, so handle that here. */
+ iteration_count = buffer_length + (ctx->mac_size - 1);
+ iteration_count = iteration_count / ctx->mac_size;
+
+ /* NIST SP800-108, section 5.1, process step #2:
+ *
+ * if n > 2^r - 1, then indicate an error and stop.
+ *
+ * In non-counter mode KDFs, r is set at 32, leaving behavior
+ * under-defined when the optional counter is included but fewer than
+ * 32 bits. This implementation assumes r is 32, but if the counter
+ * parameter is included, validates it against that. In counter-mode
+ * KDFs, this is in the ITERATION_VARIABLE parameter; in feedback- or
+ * pipeline-mode KDFs, this is in the COUNTER parameter.
+ *
+ * This is consistent with the supplied sample CAVP tests; none reuses the
+ * same counter value. In some configurations, this could result in
+ * duplicated KDF output. We seek to avoid that from happening.
+ */
+ if (IS_COUNTER(mech)) {
+ param_ptr = kbkdf_FindParameter(params, CK_SP800_108_ITERATION_VARIABLE);
+
+ /* Validated by kbkdf_ValidateParameters(...) above. */
+ PR_ASSERT(param_ptr != NULL);
+
+ r = ((CK_SP800_108_COUNTER_FORMAT_PTR)param_ptr)->ulWidthInBits;
+ } else {
+ param_ptr = kbkdf_FindParameter(params, CK_SP800_108_COUNTER);
+
+ /* Not guaranteed to exist, hence the default value of r=32. */
+ if (param_ptr != NULL) {
+ r = ((CK_SP800_108_COUNTER_FORMAT_PTR)param_ptr)->ulWidthInBits;
+ }
+ }
+
+ if (iteration_count >= (1ull << r) || r > 32) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ *num_iterations = (PRUint32)iteration_count;
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_AddParameters(CK_MECHANISM_TYPE mech, sftk_MACCtx *ctx, const CK_SP800_108_KDF_PARAMS *params, PRUint32 counter, PRUint64 length, const unsigned char *chaining_prf, size_t chaining_prf_len, CK_PRF_DATA_TYPE exclude)
+{
+ size_t offset = 0;
+ CK_RV ret = CKR_OK;
+
+ for (offset = 0; offset < params->ulNumberOfDataParams; offset++) {
+ CK_PRF_DATA_PARAM_PTR param = params->pDataParams + offset;
+
+ if (param->type == exclude) {
+ /* Necessary for Double Pipeline mode: when constructing the IV,
+ * we skip the optional counter. */
+ continue;
+ }
+
+ switch (param->type) {
+ case CK_SP800_108_ITERATION_VARIABLE: {
+ /* When present in COUNTER mode, this signifies adding the counter
+ * variable to the PRF. Otherwise, it signifies the chaining
+ * value for other KDF modes. */
+ if (IS_COUNTER(mech)) {
+ CK_SP800_108_COUNTER_FORMAT_PTR counter_format = (CK_SP800_108_COUNTER_FORMAT_PTR)param->pValue;
+ CK_BYTE buffer[sizeof(PRUint64)];
+ CK_ULONG num_bytes;
+ sftk_EncodeInteger(counter, counter_format->ulWidthInBits, counter_format->bLittleEndian, buffer, &num_bytes);
+ ret = sftk_MAC_Update(ctx, buffer, num_bytes);
+ } else {
+ ret = sftk_MAC_Update(ctx, chaining_prf, chaining_prf_len);
+ }
+ break;
+ }
+ case CK_SP800_108_COUNTER: {
+ /* Only present in the case when not using COUNTER mode. */
+ PR_ASSERT(!IS_COUNTER(mech));
+
+ /* We should've already validated that this parameter is of
+ * type COUNTER_FORMAT. */
+ CK_SP800_108_COUNTER_FORMAT_PTR counter_format = (CK_SP800_108_COUNTER_FORMAT_PTR)param->pValue;
+ CK_BYTE buffer[sizeof(PRUint64)];
+ CK_ULONG num_bytes;
+ sftk_EncodeInteger(counter, counter_format->ulWidthInBits, counter_format->bLittleEndian, buffer, &num_bytes);
+ ret = sftk_MAC_Update(ctx, buffer, num_bytes);
+ break;
+ }
+ case CK_SP800_108_BYTE_ARRAY:
+ ret = sftk_MAC_Update(ctx, (CK_BYTE_PTR)param->pValue, param->ulValueLen);
+ break;
+ case CK_SP800_108_DKM_LENGTH: {
+ /* We've already done the hard work of calculating the length in
+ * the kbkdf_CalculateIterations function; we merely need to add
+ * the length to the desired point in the input stream. */
+ CK_SP800_108_DKM_LENGTH_FORMAT_PTR length_format = (CK_SP800_108_DKM_LENGTH_FORMAT_PTR)param->pValue;
+ CK_BYTE buffer[sizeof(PRUint64)];
+ CK_ULONG num_bytes;
+ sftk_EncodeInteger(length, length_format->ulWidthInBits, length_format->bLittleEndian, buffer, &num_bytes);
+ ret = sftk_MAC_Update(ctx, buffer, num_bytes);
+ break;
+ }
+ default:
+ /* This should've been caught by kbkdf_ValidateParameters(...). */
+ PR_ASSERT(PR_FALSE);
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ if (ret != CKR_OK) {
+ return ret;
+ }
+ }
+
+ return CKR_OK;
+}
+
+CK_RV
+kbkdf_SaveKey(SFTKObject *key, unsigned char *key_buffer, unsigned int key_len)
+{
+ return sftk_forceAttribute(key, CKA_VALUE, key_buffer, key_len);
+}
+
+CK_RV
+kbkdf_CreateKey(CK_MECHANISM_TYPE kdf_mech, CK_SESSION_HANDLE hSession, CK_DERIVED_KEY_PTR derived_key, SFTKObject **ret_key)
+{
+ /* Largely duplicated from NSC_DeriveKey(...) */
+ CK_RV ret = CKR_HOST_MEMORY;
+ SFTKObject *key = NULL;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ size_t offset = 0;
+
+ /* Slot should be non-NULL because NSC_DeriveKey(...) has already
+ * performed a sftk_SlotFromSessionHandle(...) call on this session
+ * handle. However, Coverity incorrectly flagged this (see 1607955). */
+ PR_ASSERT(slot != NULL);
+ PR_ASSERT(ret_key != NULL);
+ PR_ASSERT(derived_key != NULL);
+ PR_ASSERT(derived_key->phKey != NULL);
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ /* Create the new key object for this additional derived key. */
+ key = sftk_NewObject(slot);
+ if (key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Setup the key from the provided template. */
+ for (offset = 0; offset < derived_key->ulAttributeCount; offset++) {
+ ret = sftk_AddAttributeType(key, sftk_attr_expand(derived_key->pTemplate + offset));
+ if (ret != CKR_OK) {
+ sftk_FreeObject(key);
+ return ret;
+ }
+ }
+
+ /* When using the CKM_SP800_* series of mechanisms, the result must be a
+ * secret key, so its contents can be adequately protected in FIPS mode.
+ * However, when using the special CKM_NSS_SP800_*_DERIVE_DATA series, the
+ * contents need not be protected, so we set CKO_DATA on these "keys". */
+ CK_OBJECT_CLASS classType = CKO_SECRET_KEY;
+ if (DOES_DERIVE_DATA(kdf_mech)) {
+ classType = CKO_DATA;
+ }
+
+ ret = sftk_forceAttribute(key, CKA_CLASS, &classType, sizeof(classType));
+ if (ret != CKR_OK) {
+ sftk_FreeObject(key);
+ return ret;
+ }
+
+ *ret_key = key;
+ return CKR_OK;
+}
+
+CK_RV
+kbkdf_FinalizeKey(CK_SESSION_HANDLE hSession, CK_DERIVED_KEY_PTR derived_key, SFTKObject *key)
+{
+ /* Largely duplicated from NSC_DeriveKey(...) */
+ CK_RV ret = CKR_HOST_MEMORY;
+ SFTKSession *session = NULL;
+
+ PR_ASSERT(derived_key != NULL && key != NULL);
+
+ SFTKSessionObject *sessionForKey = sftk_narrowToSessionObject(key);
+ PR_ASSERT(sessionForKey != NULL);
+ sessionForKey->wasDerived = PR_TRUE;
+
+ session = sftk_SessionFromHandle(hSession);
+
+ /* Session should be non-NULL because NSC_DeriveKey(...) has already
+ * performed a sftk_SessionFromHandle(...) call on this session handle. */
+ PR_ASSERT(session != NULL);
+
+ ret = sftk_handleObject(key, session);
+ if (ret != CKR_OK) {
+ goto done;
+ }
+
+ *(derived_key->phKey) = key->handle;
+
+done:
+ /* Guaranteed that key != NULL */
+ sftk_FreeObject(key);
+
+ /* Doesn't do anything. */
+ if (session) {
+ sftk_FreeSession(session);
+ }
+
+ return ret;
+}
+
+CK_RV
+kbkdf_SaveKeys(CK_MECHANISM_TYPE mech, CK_SESSION_HANDLE hSession, CK_SP800_108_KDF_PARAMS_PTR params, unsigned char *output_buffer, size_t buffer_len, size_t prf_length, SFTKObject *ret_key, CK_ULONG ret_key_size)
+{
+ CK_RV ret;
+ size_t key_offset = 0;
+ size_t buffer_offset = 0;
+
+ PR_ASSERT(output_buffer != NULL && buffer_len > 0 && ret_key != NULL);
+
+ /* First place key material into the main key. */
+ ret = kbkdf_SaveKey(ret_key, output_buffer + buffer_offset, ret_key_size);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+
+ /* Then increment the offset based on PKCS#11 additional key guidelines:
+ * no two keys may share the key stream from the same PRF invocation. */
+ buffer_offset = kbkdf_IncrementBuffer(buffer_offset, ret_key_size, prf_length);
+
+ if (params->ulAdditionalDerivedKeys > 0) {
+ /* Note that the following code is technically incorrect: PKCS#11 v3.0
+ * says that _no_ key should be set in the event of failure to derive
+ * _any_ key. */
+ for (key_offset = 0; key_offset < params->ulAdditionalDerivedKeys; key_offset++) {
+ CK_DERIVED_KEY_PTR derived_key = params->pAdditionalDerivedKeys + key_offset;
+ SFTKObject *key_obj = NULL;
+ size_t key_size = kbkdf_GetDerivedKeySize(derived_key);
+
+ /* Create a new internal key object for this derived key. */
+ ret = kbkdf_CreateKey(mech, hSession, derived_key, &key_obj);
+ if (ret != CKR_OK) {
+ *(derived_key->phKey) = CK_INVALID_HANDLE;
+ return ret;
+ }
+
+ /* Save the underlying key bytes to the key object. */
+ ret = kbkdf_SaveKey(key_obj, output_buffer + buffer_offset, key_size);
+ if (ret != CKR_OK) {
+ /* When kbkdf_CreateKey(...) exits with an error, it will free
+ * the constructed key object. kbkdf_FinalizeKey(...) also
+ * always frees the key object. In the unlikely event that
+ * kbkdf_SaveKey(...) _does_ fail, we thus need to free it
+ * manually. */
+ sftk_FreeObject(key_obj);
+ *(derived_key->phKey) = CK_INVALID_HANDLE;
+ return ret;
+ }
+
+ /* Handle the increment. */
+ buffer_offset = kbkdf_IncrementBuffer(buffer_offset, key_size, prf_length);
+
+ /* Finalize this key. */
+ ret = kbkdf_FinalizeKey(hSession, derived_key, key_obj);
+ if (ret != CKR_OK) {
+ *(derived_key->phKey) = CK_INVALID_HANDLE;
+ return ret;
+ }
+ }
+ }
+
+ return CKR_OK;
+}
+
+/* [ section: KDFs ] */
+
+static CK_RV
+kbkdf_CounterRaw(const CK_SP800_108_KDF_PARAMS *params, sftk_MACCtx *ctx, unsigned char *ret_buffer, size_t buffer_length, PRUint64 output_bitlen)
+{
+ CK_RV ret = CKR_OK;
+
+ /* Counter variable for this KDF instance. */
+ PRUint32 counter;
+
+ /* Number of iterations required of this PRF necessary to reach the
+ * desired output length. */
+ PRUint32 num_iterations;
+
+ /* Offset in ret_buffer that we're at. */
+ size_t buffer_offset = 0;
+
+ /* Size of this block, in bytes. Defaults to ctx->mac_size except on
+ * the last iteration where it could be a partial block. */
+ size_t block_size = ctx->mac_size;
+
+ /* Calculate the number of iterations required based on the size of the
+ * output buffer. */
+ ret = kbkdf_CalculateIterations(CKM_SP800_108_COUNTER_KDF, params, ctx, buffer_length, &num_iterations);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+
+ /*
+ * 5.1 - [ KDF in Counter Mode ]
+ *
+ * Fixed values:
+ * 1. h - the length of the PRF in bits (ctx->mac_size)
+ * 2. r - the length of the binary representation of the counter i
+ * (params[k: params[k].type == CK_SP800_108_ITERATION_VARIABLE:].data->ulWidthInBits)
+ * Input:
+ * 1. K_I - the key for the PRF (base_key)
+ * 2. label - a binary data field, usually before the separator. Optional.
+ * 3. context - a binary data field, usually after the separator. Optional.
+ * 4. L - length of the output in bits (output_bitlen)
+ *
+ * Process:
+ * 1. n := ceil(L / h) (num_iterations)
+ * 2. if n > 2^r - 1, then indicate an error and stop
+ * 3. result(0) = NULL
+ * 4. for i = 1 to n, do
+ * a. K(i) = PRF(K_I, [i]_2 || Label || 0x00 || Context || [L]_2)
+ * b. result(i) := result(i - 1) || K(i).
+ * 5. return K_O := the leftmost L bits of result(n).
+ */
+ for (counter = 1; counter <= num_iterations; counter++) {
+ if (counter == num_iterations) {
+ block_size = buffer_length - buffer_offset;
+
+ /* Assumption: if we've validated our arguments correctly, this
+ * should always be true. */
+ PR_ASSERT(block_size <= ctx->mac_size);
+ }
+
+ /* Add all parameters required by this instance of the KDF to the
+ * input stream of the underlying PRF. */
+ ret = kbkdf_AddParameters(CKM_SP800_108_COUNTER_KDF, ctx, params, counter, output_bitlen, NULL, 0 /* chaining_prf output */, 0 /* exclude */);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+
+ /* Finalize this iteration of the PRF. */
+ ret = sftk_MAC_Finish(ctx, ret_buffer + buffer_offset, NULL, block_size);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+
+ /* Increment our position in the key material. */
+ buffer_offset += block_size;
+
+ if (counter < num_iterations) {
+ /* Reset the underlying PRF for the next iteration. Only do this
+ * when we have a next iteration since it isn't necessary to do
+ * either before the first iteration (MAC is already initialized)
+ * or after the last iteration (we won't be called again). */
+ ret = sftk_MAC_Reset(ctx);
+ if (ret != CKR_OK) {
+ return ret;
+ }
+ }
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+kbkdf_FeedbackRaw(const CK_SP800_108_KDF_PARAMS *params, const unsigned char *initial_value, CK_ULONG initial_value_length, sftk_MACCtx *ctx, unsigned char *ret_buffer, size_t buffer_length, PRUint64 output_bitlen)
+{
+ CK_RV ret = CKR_OK;
+
+ /* Counter variable for this KDF instance. */
+ PRUint32 counter;
+
+ /* Number of iterations required of this PRF necessary to reach the
+ * desired output length. */
+ PRUint32 num_iterations;
+
+ /* Offset in ret_buffer that we're at. */
+ size_t buffer_offset = 0;
+
+ /* Size of this block, in bytes. Defaults to ctx->mac_size except on
+ * the last iteration where it could be a partial block. */
+ size_t block_size = ctx->mac_size;
+
+ /* The last PRF invocation and/or the initial value; used for feedback
+ * chaining in this KDF. Note that we have to make it large enough to
+ * fit the output of the PRF, but we can delay its actual creation until
+ * the first PRF invocation. Until then, point to the IV value. */
+ unsigned char *chaining_value = (unsigned char *)initial_value;
+
+ /* Size of the chaining value discussed above. Defaults to the size of
+ * the IV value. */
+ size_t chaining_length = initial_value_length;
+
+ /* Calculate the number of iterations required based on the size of the
+ * output buffer. */
+ ret = kbkdf_CalculateIterations(CKM_SP800_108_FEEDBACK_KDF, params, ctx, buffer_length, &num_iterations);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /*
+ * 5.2 - [ KDF in Feedback Mode ]
+ *
+ * Fixed values:
+ * 1. h - the length of the PRF in bits (ctx->mac_size)
+ * 2. r - the length of the binary representation of the counter i
+ * (params[k: params[k].type == CK_SP800_108_OPTIONAL_COUNTER:].data->ulWidthInBits)
+ * Note that it is only specified when the optional counter is requested.
+ * Input:
+ * 1. K_I - the key for the PRF (base_key)
+ * 2. label - a binary data field, usually before the separator. Optional.
+ * 3. context - a binary data field, usually after the separator. Optional.
+ * 4. IV - a binary data field, initial PRF value. (params->pIV)
+ * 5. L - length of the output in bits (output_bitlen)
+ *
+ * Process:
+ * 1. n := ceil(L / h) (num_iterations)
+ * 2. if n > 2^32 - 1, then indicate an error and stop
+ * 3. result(0) = NULL, K(0) := IV (chaining_value)
+ * 4. for i = 1 to n, do
+ * a. K(i) = PRF(K_I, K(i-1) {|| [i]_2} || Label || 0x00 || Context || [L]_2)
+ * b. result(i) := result(i - 1) || K(i).
+ * 5. return K_O := the leftmost L bits of result(n).
+ */
+ for (counter = 1; counter <= num_iterations; counter++) {
+ if (counter == num_iterations) {
+ block_size = buffer_length - buffer_offset;
+
+ /* Assumption: if we've validated our arguments correctly, this
+ * should always be true. */
+ PR_ASSERT(block_size <= ctx->mac_size);
+ }
+
+ /* Add all parameters required by this instance of the KDF to the
+ * input stream of the underlying PRF. */
+ ret = kbkdf_AddParameters(CKM_SP800_108_FEEDBACK_KDF, ctx, params, counter, output_bitlen, chaining_value, chaining_length, 0 /* exclude */);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ if (counter == 1) {
+ /* On the first iteration, chaining_value points to the IV from
+ * the caller and chaining_length is the length of that IV. We
+ * now need to allocate a buffer of suitable length to store the
+ * MAC output. */
+ chaining_value = PORT_ZNewArray(unsigned char, ctx->mac_size);
+ chaining_length = ctx->mac_size;
+
+ if (chaining_value == NULL) {
+ ret = CKR_HOST_MEMORY;
+ goto finish;
+ }
+ }
+
+ /* Finalize this iteration of the PRF. Unlike other KDF forms, we
+ * first save this to the chaining value so that we can reuse it
+ * in the next iteration before copying the necessary length to
+ * the output buffer. */
+ ret = sftk_MAC_Finish(ctx, chaining_value, NULL, chaining_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Save as much of the chaining value as we need for output. */
+ PORT_Memcpy(ret_buffer + buffer_offset, chaining_value, block_size);
+
+ /* Increment our position in the key material. */
+ buffer_offset += block_size;
+
+ if (counter < num_iterations) {
+ /* Reset the underlying PRF for the next iteration. Only do this
+ * when we have a next iteration since it isn't necessary to do
+ * either before the first iteration (MAC is already initialized)
+ * or after the last iteration (we won't be called again). */
+ ret = sftk_MAC_Reset(ctx);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+ }
+ }
+
+finish:
+ if (chaining_value != initial_value && chaining_value != NULL) {
+ PORT_ZFree(chaining_value, chaining_length);
+ }
+
+ return ret;
+}
+
+static CK_RV
+kbkdf_PipelineRaw(const CK_SP800_108_KDF_PARAMS *params, sftk_MACCtx *ctx, unsigned char *ret_buffer, size_t buffer_length, PRUint64 output_bitlen)
+{
+ CK_RV ret = CKR_OK;
+
+ /* Counter variable for this KDF instance. */
+ PRUint32 counter;
+
+ /* Number of iterations required of this PRF necessary to reach the
+ * desired output length. */
+ PRUint32 num_iterations;
+
+ /* Offset in ret_buffer that we're at. */
+ size_t buffer_offset = 0;
+
+ /* Size of this block, in bytes. Defaults to ctx->mac_size except on
+ * the last iteration where it could be a partial block. */
+ size_t block_size = ctx->mac_size;
+
+ /* The last PRF invocation. This is used for the first of the double
+ * PRF invocations this KDF is named after. This defaults to NULL,
+ * signifying that we have to calculate the initial value from params;
+ * when non-NULL, we directly add only this value to the PRF. */
+ unsigned char *chaining_value = NULL;
+
+ /* Size of the chaining value discussed above. Defaults to 0. */
+ size_t chaining_length = 0;
+
+ /* Calculate the number of iterations required based on the size of the
+ * output buffer. */
+ ret = kbkdf_CalculateIterations(CKM_SP800_108_DOUBLE_PIPELINE_KDF, params, ctx, buffer_length, &num_iterations);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /*
+ * 5.3 - [ KDF in Double-Pipeline Iteration Mode ]
+ *
+ * Fixed values:
+ * 1. h - the length of the PRF in bits (ctx->mac_size)
+ * 2. r - the length of the binary representation of the counter i
+ * (params[k: params[k].type == CK_SP800_108_OPTIONAL_COUNTER:].data->ulWidthInBits)
+ * Note that it is only specified when the optional counter is requested.
+ * Input:
+ * 1. K_I - the key for the PRF (base_key)
+ * 2. label - a binary data field, usually before the separator. Optional.
+ * 3. context - a binary data field, usually after the separator. Optional.
+ * 4. L - length of the output in bits (output_bitlen)
+ *
+ * Process:
+ * 1. n := ceil(L / h) (num_iterations)
+ * 2. if n > 2^32 - 1, then indicate an error and stop
+ * 3. result(0) = NULL
+ * 4. A(0) := IV := Label || 0x00 || Context || [L]_2
+ * 5. for i = 1 to n, do
+ * a. A(i) := PRF(K_I, A(i-1))
+ * b. K(i) := PRF(K_I, A(i) {|| [i]_2} || Label || 0x00 || Context || [L]_2
+ * c. result(i) := result(i-1) || K(i)
+ * 6. return K_O := the leftmost L bits of result(n).
+ */
+ for (counter = 1; counter <= num_iterations; counter++) {
+ if (counter == num_iterations) {
+ block_size = buffer_length - buffer_offset;
+
+ /* Assumption: if we've validated our arguments correctly, this
+ * should always be true. */
+ PR_ASSERT(block_size <= ctx->mac_size);
+ }
+
+ /* ===== First pipeline: construct A(i) ===== */
+ if (counter == 1) {
+ /* On the first iteration, we have no chaining value so specify
+ * NULL for the pointer and 0 for the length, and exclude the
+ * optional counter if it exists. This is what NIST specifies as
+ * the IV for the KDF. */
+ ret = kbkdf_AddParameters(CKM_SP800_108_DOUBLE_PIPELINE_KDF, ctx, params, counter, output_bitlen, NULL, 0, CK_SP800_108_OPTIONAL_COUNTER);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Allocate the chaining value so we can save the PRF output. */
+ chaining_value = PORT_ZNewArray(unsigned char, ctx->mac_size);
+ chaining_length = ctx->mac_size;
+ if (chaining_value == NULL) {
+ ret = CKR_HOST_MEMORY;
+ goto finish;
+ }
+ } else {
+ /* On all other iterations, the next stage of the first pipeline
+ * comes directly from this stage. */
+ ret = sftk_MAC_Update(ctx, chaining_value, chaining_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+ }
+
+ /* Save the PRF output to chaining_value for use in the second
+ * pipeline. */
+ ret = sftk_MAC_Finish(ctx, chaining_value, NULL, chaining_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Reset the PRF so we can reuse it for the second pipeline. */
+ ret = sftk_MAC_Reset(ctx);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* ===== Second pipeline: construct K(i) ===== */
+
+ /* Add all parameters required by this instance of the KDF to the
+ * input stream of the underlying PRF. Note that this includes the
+ * chaining value we calculated from the previous pipeline stage. */
+ ret = kbkdf_AddParameters(CKM_SP800_108_FEEDBACK_KDF, ctx, params, counter, output_bitlen, chaining_value, chaining_length, 0 /* exclude */);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Finalize this iteration of the PRF directly to the output buffer.
+ * Unlike Feedback mode, this pipeline doesn't influence the previous
+ * stage. */
+ ret = sftk_MAC_Finish(ctx, ret_buffer + buffer_offset, NULL, block_size);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Increment our position in the key material. */
+ buffer_offset += block_size;
+
+ if (counter < num_iterations) {
+ /* Reset the underlying PRF for the next iteration. Only do this
+ * when we have a next iteration since it isn't necessary to do
+ * either before the first iteration (MAC is already initialized)
+ * or after the last iteration (we won't be called again). */
+ ret = sftk_MAC_Reset(ctx);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+ }
+ }
+
+finish:
+ PORT_ZFree(chaining_value, chaining_length);
+
+ return ret;
+}
+
+static CK_RV
+kbkdf_RawDispatch(CK_MECHANISM_TYPE mech,
+ const CK_SP800_108_KDF_PARAMS *kdf_params,
+ const CK_BYTE *initial_value,
+ CK_ULONG initial_value_length,
+ SFTKObject *prf_key, const unsigned char *prf_key_bytes,
+ unsigned int prf_key_length, unsigned char **out_key_bytes,
+ size_t *out_key_length, unsigned int *mac_size,
+ CK_ULONG ret_key_size)
+{
+ CK_RV ret;
+ /* Context for our underlying PRF function.
+ *
+ * Zeroing context required unconditional call of sftk_MAC_Destroy.
+ */
+ sftk_MACCtx ctx = { 0 };
+
+ /* We need one buffers large enough to fit the entire KDF key stream for
+ * all iterations of the PRF. This needs only include to the end of the
+ * last key, so it isn't an even multiple of the PRF output size. */
+ unsigned char *output_buffer = NULL;
+
+ /* Size of the above buffer, in bytes. Note that this is technically
+ * separate from the below output_bitlen variable due to the presence
+ * of additional derived keys. See commentary in kbkdf_CalculateLength.
+ */
+ size_t buffer_length = 0;
+
+ /* While NIST specifies a maximum length (in bits) for the counter, they
+ * don't for the maximum length. It is unlikely, but theoretically
+ * possible for output of the PRF to exceed 32 bits while keeping the
+ * counter under 2^32. Thus, use a 64-bit variable for the maximum
+ * output length.
+ *
+ * It is unlikely any caller will request this much data in practice.
+ * 2^32 invocations of the PRF (for a 512-bit PRF) would be 256GB of
+ * data in the KDF key stream alone. The bigger limit is the number of
+ * and size of keys (again, 2^32); this could easily exceed 256GB when
+ * counting the backing softoken key, the key data, template data, and
+ * the input parameters to this KDF.
+ *
+ * This is the L parameter in NIST SP800-108.
+ */
+ PRUint64 output_bitlen = 0;
+
+ /* First validate our passed input parameters against PKCS#11 v3.0
+ * and NIST SP800-108 requirements. */
+ ret = kbkdf_ValidateParameters(mech, kdf_params, ret_key_size);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Initialize the underlying PRF state. */
+ if (prf_key) {
+ ret = sftk_MAC_Init(&ctx, kdf_params->prfType, prf_key);
+ } else {
+ ret = sftk_MAC_InitRaw(&ctx, kdf_params->prfType, prf_key_bytes,
+ prf_key_length, PR_TRUE);
+ }
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Compute the size of our output buffer based on passed parameters and
+ * the output size of the underlying PRF. */
+ ret = kbkdf_CalculateLength(kdf_params, &ctx, ret_key_size, &output_bitlen, &buffer_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Allocate memory for the PRF output */
+ output_buffer = PORT_ZNewArray(unsigned char, buffer_length);
+ if (output_buffer == NULL) {
+ ret = CKR_HOST_MEMORY;
+ goto finish;
+ }
+
+ /* Call into the underlying KDF */
+ switch (mech) {
+ case CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA: /* fall through */
+ case CKM_SP800_108_COUNTER_KDF:
+ ret = kbkdf_CounterRaw(kdf_params, &ctx, output_buffer, buffer_length, output_bitlen);
+ break;
+ case CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA: /* fall through */
+ case CKM_SP800_108_FEEDBACK_KDF:
+ ret = kbkdf_FeedbackRaw(kdf_params, initial_value, initial_value_length, &ctx, output_buffer, buffer_length, output_bitlen);
+ break;
+ case CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA: /* fall through */
+ case CKM_SP800_108_DOUBLE_PIPELINE_KDF:
+ ret = kbkdf_PipelineRaw(kdf_params, &ctx, output_buffer, buffer_length, output_bitlen);
+ break;
+ default:
+ /* Shouldn't happen unless NIST introduces a new KBKDF type. */
+ PR_ASSERT(PR_FALSE);
+ ret = CKR_FUNCTION_FAILED;
+ }
+
+ /* Validate the above KDF succeeded. */
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ *out_key_bytes = output_buffer;
+ *out_key_length = buffer_length;
+ *mac_size = ctx.mac_size;
+
+ output_buffer = NULL; /* returning the buffer, don't zero and free it */
+
+finish:
+ PORT_ZFree(output_buffer, buffer_length);
+
+ /* Free the PRF. This should handle clearing all sensitive information. */
+ sftk_MAC_Destroy(&ctx, PR_FALSE);
+ return ret;
+}
+
+/* [ section: PKCS#11 entry ] */
+
+CK_RV
+kbkdf_Dispatch(CK_MECHANISM_TYPE mech, CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, SFTKObject *prf_key, SFTKObject *ret_key, CK_ULONG ret_key_size)
+{
+ /* This handles boilerplate common to all KBKDF types. Instead of placing
+ * this in pkcs11c.c, place it here to reduce clutter. */
+
+ CK_RV ret;
+
+ /* Assumptions about our calling environment. */
+ PR_ASSERT(pMechanism != NULL && prf_key != NULL && ret_key != NULL);
+
+ /* Validate that the caller passed parameters. */
+ if (pMechanism->pParameter == NULL) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ /* Create a common set of parameters to use for all KDF types. This
+ * separates out the KDF parameters from the Feedback-specific IV,
+ * allowing us to use a common type for all calls. */
+ CK_SP800_108_KDF_PARAMS kdf_params = { 0 };
+ CK_BYTE_PTR initial_value = NULL;
+ CK_ULONG initial_value_length = 0;
+ unsigned char *output_buffer = NULL;
+ size_t buffer_length = 0;
+ unsigned int mac_size = 0;
+
+ /* Split Feedback-specific IV from remaining KDF parameters. */
+ ret = kbkdf_LoadParameters(mech, pMechanism, &kdf_params, &initial_value, &initial_value_length);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+ /* let rawDispatch handle the rest. We split this out so we could
+ * handle the POST test without accessing pkcs #11 objects. */
+ ret = kbkdf_RawDispatch(mech, &kdf_params, initial_value,
+ initial_value_length, prf_key, NULL, 0,
+ &output_buffer, &buffer_length, &mac_size,
+ ret_key_size);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+ /* Write the output of the PRF into the appropriate keys. */
+ ret = kbkdf_SaveKeys(mech, hSession, &kdf_params, output_buffer, buffer_length, mac_size, ret_key, ret_key_size);
+ if (ret != CKR_OK) {
+ goto finish;
+ }
+
+finish:
+ PORT_ZFree(output_buffer, buffer_length);
+
+ return ret;
+}
+
+struct sftk_SP800_Test_struct {
+ CK_MECHANISM_TYPE mech;
+ CK_SP800_108_KDF_PARAMS kdf_params;
+ unsigned int expected_mac_size;
+ unsigned int ret_key_length;
+ const unsigned char expected_key_bytes[64];
+};
+
+static const CK_SP800_108_COUNTER_FORMAT counter_32 = { 0, 32 };
+static const CK_PRF_DATA_PARAM counter_32_data = { CK_SP800_108_ITERATION_VARIABLE, (CK_VOID_PTR)&counter_32, sizeof(counter_32) };
+
+#ifdef NSS_FULL_POST
+static const CK_SP800_108_COUNTER_FORMAT counter_16 = { 0, 16 };
+static const CK_PRF_DATA_PARAM counter_16_data = { CK_SP800_108_ITERATION_VARIABLE, (CK_VOID_PTR)&counter_16, sizeof(counter_16) };
+static const CK_PRF_DATA_PARAM counter_null_data = { CK_SP800_108_ITERATION_VARIABLE, NULL, 0 };
+#endif
+
+static const struct sftk_SP800_Test_struct sftk_SP800_Tests[] = {
+#ifdef NSS_FULL_POST
+ {
+ CKM_SP800_108_COUNTER_KDF,
+ { CKM_AES_CMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_16_data, 0, NULL },
+ 16,
+ 64,
+ { 0x7b, 0x1c, 0xe7, 0xf3, 0x14, 0x67, 0x15, 0xdd,
+ 0xde, 0x0c, 0x09, 0x46, 0x3f, 0x47, 0x7b, 0xa6,
+ 0xb8, 0xba, 0x40, 0x07, 0x7c, 0xe3, 0x19, 0x53,
+ 0x26, 0xac, 0x4c, 0x2e, 0x2b, 0x37, 0x41, 0xe4,
+ 0x1b, 0x01, 0x3f, 0x2f, 0x2d, 0x16, 0x95, 0xee,
+ 0xeb, 0x7e, 0x72, 0x7d, 0xa4, 0xab, 0x2e, 0x67,
+ 0x1d, 0xef, 0x6f, 0xa2, 0xc6, 0xee, 0x3c, 0xcf,
+ 0xef, 0x88, 0xfd, 0x5c, 0x1d, 0x7b, 0xa0, 0x5a },
+ },
+ {
+ CKM_SP800_108_COUNTER_KDF,
+ { CKM_SHA384_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_32_data, 0, NULL },
+ 48,
+ 64,
+ { 0xe6, 0x62, 0xa4, 0x32, 0x5c, 0xe4, 0xc2, 0x28,
+ 0x73, 0x8a, 0x5d, 0x94, 0xe7, 0x05, 0xe0, 0x5a,
+ 0x71, 0x61, 0xb2, 0x3c, 0x51, 0x28, 0x03, 0x1d,
+ 0xa7, 0xf5, 0x10, 0x83, 0x34, 0xdb, 0x11, 0x73,
+ 0x92, 0xa6, 0x79, 0x74, 0x81, 0x5d, 0x22, 0x7e,
+ 0x8d, 0xf2, 0x59, 0x14, 0x56, 0x60, 0xcf, 0xb2,
+ 0xb3, 0xfd, 0x46, 0xfd, 0x9b, 0x74, 0xfe, 0x4a,
+ 0x09, 0x30, 0x4a, 0xdf, 0x07, 0x43, 0xfe, 0x85 },
+ },
+ {
+ CKM_SP800_108_COUNTER_KDF,
+ { CKM_SHA512_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_32_data, 0, NULL },
+ 64,
+ 64,
+ { 0xb0, 0x78, 0x36, 0xe1, 0x15, 0xd6, 0xf0, 0xac,
+ 0x68, 0x7b, 0x42, 0xd3, 0xb6, 0x82, 0x51, 0xad,
+ 0x95, 0x0a, 0x69, 0x88, 0x84, 0xc2, 0x2e, 0x07,
+ 0x34, 0x62, 0x8d, 0x42, 0x72, 0x0f, 0x22, 0xe6,
+ 0xd5, 0x7f, 0x80, 0x15, 0xe6, 0x84, 0x00, 0x65,
+ 0xef, 0x64, 0x77, 0x29, 0xd6, 0x3b, 0xc7, 0x9a,
+ 0x15, 0x6d, 0x36, 0xf3, 0x96, 0xc9, 0x14, 0x3f,
+ 0x2d, 0x4a, 0x7c, 0xdb, 0xc3, 0x6c, 0x3d, 0x6a },
+ },
+ {
+ CKM_SP800_108_FEEDBACK_KDF,
+ { CKM_AES_CMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 16,
+ 64,
+ { 0xc0, 0xa0, 0x23, 0x96, 0x16, 0x4d, 0xd6, 0xbd,
+ 0x2a, 0x75, 0x8e, 0x72, 0xf5, 0xc3, 0xa0, 0xb8,
+ 0x78, 0x83, 0x15, 0x21, 0x34, 0xd3, 0xd8, 0x71,
+ 0xc9, 0xe7, 0x4b, 0x20, 0xb7, 0x65, 0x5b, 0x13,
+ 0xbc, 0x85, 0x54, 0xe3, 0xb6, 0xee, 0x73, 0xd5,
+ 0xf2, 0xa0, 0x94, 0x1a, 0x79, 0x66, 0x3b, 0x1e,
+ 0x67, 0x3e, 0x69, 0xa4, 0x12, 0x40, 0xa9, 0xda,
+ 0x8d, 0x14, 0xb1, 0xce, 0xf1, 0x4b, 0x79, 0x4e },
+ },
+ {
+ CKM_SP800_108_FEEDBACK_KDF,
+ { CKM_SHA256_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 32,
+ 64,
+ { 0x99, 0x9b, 0x08, 0x79, 0x14, 0x2e, 0x58, 0x34,
+ 0xd7, 0x92, 0xa7, 0x7e, 0x7f, 0xc2, 0xf0, 0x34,
+ 0xa3, 0x4e, 0x33, 0xf0, 0x63, 0x95, 0x2d, 0xad,
+ 0xbf, 0x3b, 0xcb, 0x6d, 0x4e, 0x07, 0xd9, 0xe9,
+ 0xbd, 0xbd, 0x77, 0x54, 0xe1, 0xa3, 0x36, 0x26,
+ 0xcd, 0xb1, 0xf9, 0x2d, 0x80, 0x68, 0xa2, 0x01,
+ 0x4e, 0xbf, 0x35, 0xec, 0x65, 0xae, 0xfd, 0x71,
+ 0xa6, 0xd7, 0x62, 0x26, 0x2c, 0x3f, 0x73, 0x63 },
+ },
+ {
+ CKM_SP800_108_FEEDBACK_KDF,
+ { CKM_SHA384_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 48,
+ 64,
+ { 0xc8, 0x7a, 0xf8, 0xd9, 0x6b, 0x90, 0x82, 0x35,
+ 0xea, 0xf5, 0x2c, 0x8f, 0xce, 0xaa, 0x3b, 0xa5,
+ 0x68, 0xd3, 0x7f, 0xae, 0x31, 0x93, 0xe6, 0x69,
+ 0x0c, 0xd1, 0x74, 0x7f, 0x8f, 0xc2, 0xe2, 0x33,
+ 0x93, 0x45, 0x23, 0xba, 0xb3, 0x73, 0xc9, 0x2c,
+ 0xd6, 0xd2, 0x10, 0x16, 0xe9, 0x9f, 0x9e, 0xe8,
+ 0xc1, 0x0e, 0x29, 0x95, 0x3d, 0x16, 0x68, 0x24,
+ 0x40, 0x4d, 0x40, 0x21, 0x41, 0xa6, 0xc8, 0xdb },
+ },
+ {
+ CKM_SP800_108_FEEDBACK_KDF,
+ { CKM_SHA512_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 64,
+ 64,
+ { 0x81, 0x39, 0x12, 0xc2, 0xf9, 0x31, 0x24, 0x7c,
+ 0x71, 0x12, 0x97, 0x08, 0x82, 0x76, 0x83, 0x55,
+ 0x8c, 0x82, 0xf3, 0x09, 0xd6, 0x1b, 0x7a, 0xa2,
+ 0x6e, 0x71, 0x6b, 0xad, 0x46, 0x57, 0x60, 0x89,
+ 0x38, 0xcf, 0x63, 0xfa, 0xf4, 0x38, 0x27, 0xef,
+ 0xf0, 0xaf, 0x75, 0x4e, 0xc2, 0xe0, 0x31, 0xdb,
+ 0x59, 0x7d, 0x19, 0xc9, 0x6d, 0xbb, 0xed, 0x95,
+ 0xaf, 0x3e, 0xd8, 0x33, 0x76, 0xab, 0xec, 0xfa },
+ },
+ {
+ CKM_SP800_108_DOUBLE_PIPELINE_KDF,
+ { CKM_AES_CMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 16,
+ 64,
+ { 0x3e, 0xa8, 0xbf, 0x77, 0x84, 0x90, 0xb0, 0x3a,
+ 0x89, 0x16, 0x32, 0x01, 0x92, 0xd3, 0x1f, 0x1b,
+ 0xc1, 0x06, 0xc5, 0x32, 0x62, 0x03, 0x50, 0x16,
+ 0x3b, 0xb9, 0xa7, 0xdc, 0xb5, 0x68, 0x6a, 0xbb,
+ 0xbb, 0x7d, 0x63, 0x69, 0x24, 0x6e, 0x09, 0xd6,
+ 0x6f, 0x80, 0x57, 0x65, 0xc5, 0x62, 0x33, 0x96,
+ 0x69, 0xe6, 0xab, 0x65, 0x36, 0xd0, 0xe2, 0x5c,
+ 0xd7, 0xbd, 0xe4, 0x68, 0x13, 0xd6, 0xb1, 0x46 },
+ },
+ {
+ CKM_SP800_108_DOUBLE_PIPELINE_KDF,
+ { CKM_SHA256_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 32,
+ 64,
+ { 0xeb, 0x28, 0xd9, 0x2c, 0x19, 0x33, 0xb9, 0x2a,
+ 0xf9, 0xac, 0x85, 0xbd, 0xf4, 0xdb, 0xfa, 0x88,
+ 0x73, 0xf4, 0x36, 0x08, 0xdb, 0xfe, 0x13, 0xd1,
+ 0x5a, 0xec, 0x7b, 0x68, 0x13, 0x53, 0xb3, 0xd1,
+ 0x31, 0xf2, 0x83, 0xae, 0x9f, 0x75, 0x47, 0xb6,
+ 0x6d, 0x3c, 0x20, 0x16, 0x47, 0x9c, 0x27, 0x66,
+ 0xec, 0xa9, 0xdf, 0x0c, 0xda, 0x2a, 0xf9, 0xf4,
+ 0x55, 0x74, 0xde, 0x9d, 0x3f, 0xe3, 0x5e, 0x14 },
+ },
+ {
+ CKM_SP800_108_DOUBLE_PIPELINE_KDF,
+ { CKM_SHA384_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 48,
+ 64,
+ { 0xa5, 0xca, 0x32, 0x40, 0x00, 0x93, 0xb2, 0xcc,
+ 0x78, 0x3c, 0xa6, 0xc4, 0xaf, 0xa8, 0xb3, 0xd0,
+ 0xa4, 0x6b, 0xb5, 0x31, 0x35, 0x87, 0x33, 0xa2,
+ 0x6a, 0x6b, 0xe1, 0xff, 0xea, 0x1d, 0x6e, 0x9e,
+ 0x0b, 0xde, 0x8b, 0x92, 0x15, 0xd6, 0x56, 0x2f,
+ 0xb6, 0x1a, 0xd7, 0xd2, 0x01, 0x3e, 0x28, 0x2e,
+ 0xfa, 0x84, 0x3c, 0xc0, 0xe8, 0xbe, 0x94, 0xc0,
+ 0x06, 0xbd, 0xbf, 0x87, 0x1f, 0xb8, 0x64, 0xc2 },
+ },
+ {
+ CKM_SP800_108_DOUBLE_PIPELINE_KDF,
+ { CKM_SHA512_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_null_data, 0, NULL },
+ 64,
+ 64,
+ { 0x3f, 0xd9, 0x4e, 0x80, 0x58, 0x21, 0xc8, 0xea,
+ 0x22, 0x17, 0xcf, 0x7d, 0xce, 0xfd, 0xec, 0x03,
+ 0xb9, 0xe4, 0xa2, 0xf7, 0xc0, 0xf1, 0x68, 0x81,
+ 0x53, 0x71, 0xb7, 0x42, 0x14, 0x4e, 0x5b, 0x09,
+ 0x05, 0x31, 0xb9, 0x27, 0x18, 0x2d, 0x23, 0xf8,
+ 0x9c, 0x3d, 0x4e, 0xd0, 0xdd, 0xf3, 0x1e, 0x4b,
+ 0xf2, 0xf9, 0x1a, 0x5d, 0x00, 0x66, 0x22, 0x83,
+ 0xae, 0x3c, 0x53, 0xd2, 0x54, 0x4b, 0x06, 0x4c },
+ },
+#endif
+ {
+ CKM_SP800_108_COUNTER_KDF,
+ { CKM_SHA256_HMAC, 1, (CK_PRF_DATA_PARAM_PTR)&counter_32_data, 0, NULL },
+ 32,
+ 64,
+ { 0xfb, 0x2b, 0xb5, 0xde, 0xce, 0x5a, 0x2b, 0xdc,
+ 0x25, 0x8f, 0x54, 0x17, 0x4b, 0x5a, 0xa7, 0x90,
+ 0x64, 0x36, 0xeb, 0x43, 0x1f, 0x1d, 0xf9, 0x23,
+ 0xb2, 0x22, 0x29, 0xa0, 0xfa, 0x2e, 0x21, 0xb6,
+ 0xb7, 0xfb, 0x27, 0x0a, 0x1c, 0xa6, 0x58, 0x43,
+ 0xa1, 0x16, 0x44, 0x29, 0x4b, 0x1c, 0xb3, 0x72,
+ 0xd5, 0x98, 0x9d, 0x27, 0xd5, 0x75, 0x25, 0xbf,
+ 0x23, 0x61, 0x40, 0x48, 0xbb, 0x0b, 0x49, 0x8e },
+ }
+};
+
+SECStatus
+sftk_fips_SP800_108_PowerUpSelfTests(void)
+{
+ int i;
+ CK_RV crv;
+
+ const unsigned char prf_key[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
+ 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
+ 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
+ 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78
+ };
+ for (i = 0; i < PR_ARRAY_SIZE(sftk_SP800_Tests); i++) {
+ const struct sftk_SP800_Test_struct *test = &sftk_SP800_Tests[i];
+ unsigned char *output_buffer;
+ size_t buffer_length;
+ unsigned int mac_size;
+
+ crv = kbkdf_RawDispatch(test->mech, &test->kdf_params,
+ prf_key, test->expected_mac_size,
+ NULL, prf_key, test->expected_mac_size,
+ &output_buffer, &buffer_length, &mac_size,
+ test->ret_key_length);
+ if (crv != CKR_OK) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ if ((mac_size != test->expected_mac_size) ||
+ (buffer_length != test->ret_key_length) ||
+ (output_buffer == NULL) ||
+ (PORT_Memcmp(output_buffer, test->expected_key_bytes, buffer_length) != 0)) {
+ PORT_ZFree(output_buffer, buffer_length);
+ return SECFailure;
+ }
+ PORT_ZFree(output_buffer, buffer_length);
+ }
+ return SECSuccess;
+}
diff --git a/security/nss/lib/softoken/legacydb/Makefile b/security/nss/lib/softoken/legacydb/Makefile
new file mode 100644
index 0000000000..1b860a3358
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/Makefile
@@ -0,0 +1,60 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+ifdef NSS_NO_INIT_SUPPORT
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif
+ifeq ($(OS_TARGET),Linux)
+ifeq ($(CPU_ARCH),ppc)
+ifdef USE_64
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif # USE_64
+endif # ppc
+else # !Linux
+ # turn off no init support everywhere for now
+ DEFINES += -DNSS_NO_INIT_SUPPORT
+endif # Linux
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include config.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+# indicates dependency on freebl static lib
+$(SHARED_LIBRARY): $(CRYPTOLIB)
diff --git a/security/nss/lib/softoken/legacydb/cdbhdl.h b/security/nss/lib/softoken/legacydb/cdbhdl.h
new file mode 100644
index 0000000000..e7243db775
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/cdbhdl.h
@@ -0,0 +1,51 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * cdbhdl.h - certificate database handle
+ * private to the certdb module
+ */
+#ifndef _CDBHDL_H_
+#define _CDBHDL_H_
+
+#include "nspr.h"
+#include "mcom_db.h"
+#include "pcertt.h"
+#include "prtypes.h"
+
+/*
+ * Handle structure for open certificate databases
+ */
+struct NSSLOWCERTCertDBHandleStr {
+ DB *permCertDB;
+ PZMonitor *dbMon;
+ PRBool dbVerify;
+ PRInt32 ref; /* reference count */
+};
+
+#ifdef DBM_USING_NSPR
+#define NO_RDONLY PR_RDONLY
+#define NO_RDWR PR_RDWR
+#define NO_CREATE (PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE)
+#else
+#define NO_RDONLY O_RDONLY
+#define NO_RDWR O_RDWR
+#define NO_CREATE (O_RDWR | O_CREAT | O_TRUNC)
+#endif
+
+typedef DB *(*rdbfunc)(const char *appName, const char *prefix,
+ const char *type, int flags);
+typedef int (*rdbstatusfunc)(void);
+
+#define RDB_FAIL 1
+#define RDB_RETRY 2
+
+DB *rdbopen(const char *appName, const char *prefix,
+ const char *type, int flags, int *status);
+
+DB *dbsopen(const char *dbname, int flags, int mode, DBTYPE type,
+ const void *appData);
+SECStatus db_Copy(DB *dest, DB *src);
+int db_InitComplete(DB *db);
+
+#endif
diff --git a/security/nss/lib/softoken/legacydb/config.mk b/security/nss/lib/softoken/legacydb/config.mk
new file mode 100644
index 0000000000..54a23c3b0d
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/config.mk
@@ -0,0 +1,50 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+CRYPTOLIB=$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+
+EXTRA_LIBS += \
+ $(CRYPTOLIB) \
+ $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \
+ $(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+ifdef NS_USE_GCC
+EXTRA_SHARED_LIBS += \
+ -L$(DIST)/lib \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+else # ! NS_USE_GCC
+
+EXTRA_SHARED_LIBS += \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+ $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+ $(DIST)/lib/nssutil3.lib \
+ $(NULL)
+endif # NS_USE_GCC
+
+else
+
+# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
+EXTRA_SHARED_LIBS += \
+ -L$(DIST)/lib \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -L$(NSPR_LIB_DIR) \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
+ $(NULL)
+endif
diff --git a/security/nss/lib/softoken/legacydb/dbmshim.c b/security/nss/lib/softoken/legacydb/dbmshim.c
new file mode 100644
index 0000000000..cca24bc6be
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/dbmshim.c
@@ -0,0 +1,539 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Berkeley DB 1.85 Shim code to handle blobs.
+ */
+#include "mcom_db.h"
+#include "secitem.h"
+#include "nssb64.h"
+#include "blapi.h"
+#include "secerr.h"
+
+#include "lgdb.h"
+
+/*
+ * Blob block:
+ * Byte 0 CERTDB Version -+ -+
+ * Byte 1 certDBEntryTypeBlob | BLOB_HEAD_LEN |
+ * Byte 2 flags (always '0'); | |
+ * Byte 3 reserved (always '0'); -+ |
+ * Byte 4 LSB length | <--BLOB_LENGTH_START | BLOB_BUF_LEN
+ * Byte 5 . | |
+ * Byte 6 . | BLOB_LENGTH_LEN |
+ * Byte 7 MSB length | |
+ * Byte 8 blob_filename -+ -+ <-- BLOB_NAME_START |
+ * Byte 9 . | BLOB_NAME_LEN |
+ * . . | |
+ * Byte 37 . -+ -+
+ */
+#define DBS_BLOCK_SIZE (16 * 1024) /* 16 k */
+#define DBS_MAX_ENTRY_SIZE (DBS_BLOCK_SIZE - (2048)) /* 14 k */
+#define DBS_CACHE_SIZE DBS_BLOCK_SIZE * 8
+#define ROUNDDIV(x, y) (x + (y - 1)) / y
+#define BLOB_HEAD_LEN 4
+#define BLOB_LENGTH_START BLOB_HEAD_LEN
+#define BLOB_LENGTH_LEN 4
+#define BLOB_NAME_START BLOB_LENGTH_START + BLOB_LENGTH_LEN
+#define BLOB_NAME_LEN 1 + ROUNDDIV(SHA1_LENGTH, 3) * 4 + 1
+#define BLOB_BUF_LEN BLOB_HEAD_LEN + BLOB_LENGTH_LEN + BLOB_NAME_LEN
+
+/* a Shim data structure. This data structure has a db built into it. */
+typedef struct DBSStr DBS;
+
+struct DBSStr {
+ DB db;
+ char *blobdir;
+ int mode;
+ PRBool readOnly;
+ char staticBlobArea[BLOB_BUF_LEN];
+};
+
+/*
+ * return true if the Datablock contains a blobtype
+ */
+static PRBool
+dbs_IsBlob(DBT *blobData)
+{
+ unsigned char *addr = (unsigned char *)blobData->data;
+ if (blobData->size < BLOB_BUF_LEN) {
+ return PR_FALSE;
+ }
+ return addr && ((certDBEntryType)addr[1] == certDBEntryTypeBlob);
+}
+
+/*
+ * extract the filename in the blob of the real data set.
+ * This value is not malloced (does not need to be freed by the caller.
+ */
+static const char *
+dbs_getBlobFileName(DBT *blobData)
+{
+ char *addr = (char *)blobData->data;
+
+ return &addr[BLOB_NAME_START];
+}
+
+/*
+ * extract the size of the actual blob from the blob record
+ */
+static PRUint32
+dbs_getBlobSize(DBT *blobData)
+{
+ unsigned char *addr = (unsigned char *)blobData->data;
+
+ return (PRUint32)(addr[BLOB_LENGTH_START + 3] << 24) |
+ (addr[BLOB_LENGTH_START + 2] << 16) |
+ (addr[BLOB_LENGTH_START + 1] << 8) |
+ addr[BLOB_LENGTH_START];
+}
+
+/* We are using base64 data for the filename, but base64 data can include a
+ * '/' which is interpreted as a path separator on many platforms. Replace it
+ * with an inocuous '-'. We don't need to convert back because we never actual
+ * decode the filename.
+ */
+
+static void
+dbs_replaceSlash(char *cp, int len)
+{
+ while (len--) {
+ if (*cp == '/')
+ *cp = '-';
+ cp++;
+ }
+}
+
+/*
+ * create a blob record from a key, data and return it in blobData.
+ * NOTE: The data element is static data (keeping with the dbm model).
+ */
+static void
+dbs_mkBlob(DBS *dbsp, const DBT *key, const DBT *data, DBT *blobData)
+{
+ unsigned char sha1_data[SHA1_LENGTH];
+ char *b = dbsp->staticBlobArea;
+ PRUint32 length = data->size;
+ SECItem sha1Item;
+
+ b[0] = CERT_DB_FILE_VERSION; /* certdb version number */
+ b[1] = (char)certDBEntryTypeBlob; /* type */
+ b[2] = 0; /* flags */
+ b[3] = 0; /* reserved */
+ b[BLOB_LENGTH_START] = length & 0xff;
+ b[BLOB_LENGTH_START + 1] = (length >> 8) & 0xff;
+ b[BLOB_LENGTH_START + 2] = (length >> 16) & 0xff;
+ b[BLOB_LENGTH_START + 3] = (length >> 24) & 0xff;
+ sha1Item.data = sha1_data;
+ sha1Item.len = SHA1_LENGTH;
+ SHA1_HashBuf(sha1_data, key->data, key->size);
+ b[BLOB_NAME_START] = 'b'; /* Make sure we start with a alpha */
+ NSSBase64_EncodeItem(NULL, &b[BLOB_NAME_START + 1], BLOB_NAME_LEN - 1, &sha1Item);
+ b[BLOB_BUF_LEN - 1] = 0;
+ dbs_replaceSlash(&b[BLOB_NAME_START + 1], BLOB_NAME_LEN - 1);
+ blobData->data = b;
+ blobData->size = BLOB_BUF_LEN;
+ return;
+}
+
+/*
+ * construct a path to the actual blob. The string returned must be
+ * freed by the caller with PR_smprintf_free.
+ *
+ * Note: this file does lots of consistancy checks on the DBT. The
+ * routines that call this depend on these checks, so they don't worry
+ * about them (success of this routine implies a good blobdata record).
+ */
+static char *
+dbs_getBlobFilePath(char *blobdir, DBT *blobData)
+{
+ const char *name;
+
+ if (blobdir == NULL) {
+ PR_SetError(SEC_ERROR_BAD_DATABASE, 0);
+ return NULL;
+ }
+ if (!dbs_IsBlob(blobData)) {
+ PR_SetError(SEC_ERROR_BAD_DATABASE, 0);
+ return NULL;
+ }
+ name = dbs_getBlobFileName(blobData);
+ if (!name || *name == 0) {
+ PR_SetError(SEC_ERROR_BAD_DATABASE, 0);
+ return NULL;
+ }
+ return PR_smprintf("%s" PATH_SEPARATOR "%s", blobdir, name);
+}
+
+/*
+ * Delete a blob file pointed to by the blob record.
+ */
+static void
+dbs_removeBlob(DBS *dbsp, DBT *blobData)
+{
+ char *file;
+
+ file = dbs_getBlobFilePath(dbsp->blobdir, blobData);
+ if (!file) {
+ return;
+ }
+ PR_Delete(file);
+ PR_smprintf_free(file);
+}
+
+/*
+ * Directory modes are slightly different, the 'x' bit needs to be on to
+ * access them. Copy all the read bits to 'x' bits
+ */
+static int
+dbs_DirMode(int mode)
+{
+ int x_bits = (mode >> 2) & 0111;
+ return mode | x_bits;
+}
+
+/*
+ * write a data blob to it's file. blobdData is the blob record that will be
+ * stored in the database. data is the actual data to go out on disk.
+ */
+static int
+dbs_writeBlob(DBS *dbsp, int mode, DBT *blobData, const DBT *data)
+{
+ char *file = NULL;
+ PRFileDesc *filed;
+ PRStatus status;
+ int len;
+ int error = 0;
+
+ file = dbs_getBlobFilePath(dbsp->blobdir, blobData);
+ if (!file) {
+ goto loser;
+ }
+ if (PR_Access(dbsp->blobdir, PR_ACCESS_EXISTS) != PR_SUCCESS) {
+ status = PR_MkDir(dbsp->blobdir, dbs_DirMode(mode));
+ if (status != PR_SUCCESS) {
+ goto loser;
+ }
+ }
+ filed = PR_OpenFile(file, PR_CREATE_FILE | PR_TRUNCATE | PR_WRONLY, mode);
+ if (filed == NULL) {
+ error = PR_GetError();
+ goto loser;
+ }
+ len = PR_Write(filed, data->data, data->size);
+ error = PR_GetError();
+ PR_Close(filed);
+ if (len < (int)data->size) {
+ goto loser;
+ }
+ PR_smprintf_free(file);
+ return 0;
+
+loser:
+ if (file) {
+ PR_Delete(file);
+ PR_smprintf_free(file);
+ }
+ /* don't let close or delete reset the error */
+ PR_SetError(error, 0);
+ return -1;
+}
+
+/*
+ * platforms that cannot map the file need to read it into a temp buffer.
+ */
+static unsigned char *
+dbs_EmulateMap(PRFileDesc *filed, int len)
+{
+ unsigned char *addr;
+ PRInt32 dataRead;
+
+ addr = PORT_Alloc(len);
+ if (addr == NULL) {
+ return NULL;
+ }
+
+ dataRead = PR_Read(filed, addr, len);
+ if (dataRead != len) {
+ PORT_Free(addr);
+ if (dataRead > 0) {
+ /* PR_Read didn't set an error, we need to */
+ PR_SetError(SEC_ERROR_BAD_DATABASE, 0);
+ }
+ return NULL;
+ }
+
+ return addr;
+}
+
+/*
+ * pull a database record off the disk
+ * data points to the blob record on input and the real record (if we could
+ * read it) on output. if there is an error data is not modified.
+ */
+static int
+dbs_readBlob(DBS *dbsp, DBT *data)
+{
+ char *file = NULL;
+ PRFileDesc *filed = NULL;
+ unsigned char *addr = NULL;
+ int error;
+ int len = -1;
+
+ file = dbs_getBlobFilePath(dbsp->blobdir, data);
+ if (!file) {
+ goto loser;
+ }
+ filed = PR_OpenFile(file, PR_RDONLY, 0);
+ PR_smprintf_free(file);
+ file = NULL;
+ if (filed == NULL) {
+ goto loser;
+ }
+
+ len = dbs_getBlobSize(data);
+ /* Bug 1323150
+ * PR_MemMap fails on Windows for larger certificates.
+ * https://msdn.microsoft.com/en-us/library/windows/desktop/aa366761(v=vs.85).aspx
+ * Let's always use the emulated map, i.e. read the file.
+ */
+ addr = dbs_EmulateMap(filed, len);
+ if (addr == NULL) {
+ goto loser;
+ }
+ PR_Close(filed);
+
+ data->data = addr;
+ data->size = len;
+ return 0;
+
+loser:
+ /* preserve the error code */
+ error = PR_GetError();
+ if (filed) {
+ PR_Close(filed);
+ }
+ PR_SetError(error, 0);
+ return -1;
+}
+
+/*
+ * actual DBM shims
+ */
+static int
+dbs_get(const DB *dbs, const DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+ DBS *dbsp = (DBS *)dbs;
+ DB *db = (DB *)dbs->internal;
+
+ ret = (*db->get)(db, key, data, flags);
+ if ((ret == 0) && dbs_IsBlob(data)) {
+ ret = dbs_readBlob(dbsp, data);
+ }
+
+ return (ret);
+}
+
+static int
+dbs_put(const DB *dbs, DBT *key, const DBT *data, unsigned int flags)
+{
+ DBT blob;
+ int ret = 0;
+ DBS *dbsp = (DBS *)dbs;
+ DB *db = (DB *)dbs->internal;
+
+ /* If the db is readonly, just pass the data down to rdb and let it fail */
+ if (!dbsp->readOnly) {
+ DBT oldData;
+ int ret1;
+
+ /* make sure the current record is deleted if it's a blob */
+ ret1 = (*db->get)(db, key, &oldData, 0);
+ if ((ret1 == 0) && flags == R_NOOVERWRITE) {
+ /* let DBM return the error to maintain consistancy */
+ return (*db->put)(db, key, data, flags);
+ }
+ if ((ret1 == 0) && dbs_IsBlob(&oldData)) {
+ dbs_removeBlob(dbsp, &oldData);
+ }
+
+ if (data->size > DBS_MAX_ENTRY_SIZE) {
+ dbs_mkBlob(dbsp, key, data, &blob);
+ ret = dbs_writeBlob(dbsp, dbsp->mode, &blob, data);
+ data = &blob;
+ }
+ }
+
+ if (ret == 0) {
+ ret = (*db->put)(db, key, data, flags);
+ }
+ return (ret);
+}
+
+static int
+dbs_sync(const DB *dbs, unsigned int flags)
+{
+ DB *db = (DB *)dbs->internal;
+ return (*db->sync)(db, flags);
+}
+
+static int
+dbs_del(const DB *dbs, const DBT *key, unsigned int flags)
+{
+ int ret;
+ DBS *dbsp = (DBS *)dbs;
+ DB *db = (DB *)dbs->internal;
+
+ if (!dbsp->readOnly) {
+ DBT oldData;
+ ret = (*db->get)(db, key, &oldData, 0);
+ if ((ret == 0) && dbs_IsBlob(&oldData)) {
+ dbs_removeBlob(dbsp, &oldData);
+ }
+ }
+
+ return (*db->del)(db, key, flags);
+}
+
+static int
+dbs_seq(const DB *dbs, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+ DBS *dbsp = (DBS *)dbs;
+ DB *db = (DB *)dbs->internal;
+
+ ret = (*db->seq)(db, key, data, flags);
+ if ((ret == 0) && dbs_IsBlob(data)) {
+ /* don't return a blob read as an error so traversals keep going */
+ (void)dbs_readBlob(dbsp, data);
+ }
+
+ return (ret);
+}
+
+static int
+dbs_close(DB *dbs)
+{
+ DBS *dbsp = (DBS *)dbs;
+ DB *db = (DB *)dbs->internal;
+ int ret;
+
+ ret = (*db->close)(db);
+ PORT_Free(dbsp->blobdir);
+ PORT_Free(dbsp);
+ return ret;
+}
+
+static int
+dbs_fd(const DB *dbs)
+{
+ DB *db = (DB *)dbs->internal;
+
+ return (*db->fd)(db);
+}
+
+/*
+ * the naming convention we use is
+ * change the .xxx into .dir. (for nss it's always .db);
+ * if no .extension exists or is equal to .dir, add a .dir
+ * the returned data must be freed.
+ */
+#define DIRSUFFIX ".dir"
+static char *
+dbs_mkBlobDirName(const char *dbname)
+{
+ int dbname_len = PORT_Strlen(dbname);
+ int dbname_end = dbname_len;
+ const char *cp;
+ char *blobDir = NULL;
+
+ /* scan back from the end looking for either a directory separator, a '.',
+ * or the end of the string. NOTE: Windows should check for both separators
+ * here. For now this is safe because we know NSS always uses a '.'
+ */
+ for (cp = &dbname[dbname_len];
+ (cp > dbname) && (*cp != '.') && (*cp != *PATH_SEPARATOR);
+ cp--)
+ /* Empty */;
+ if (*cp == '.') {
+ dbname_end = cp - dbname;
+ if (PORT_Strcmp(cp, DIRSUFFIX) == 0) {
+ dbname_end = dbname_len;
+ }
+ }
+ blobDir = PORT_ZAlloc(dbname_end + sizeof(DIRSUFFIX));
+ if (blobDir == NULL) {
+ return NULL;
+ }
+ PORT_Memcpy(blobDir, dbname, dbname_end);
+ PORT_Memcpy(&blobDir[dbname_end], DIRSUFFIX, sizeof(DIRSUFFIX));
+ return blobDir;
+}
+
+#define DBM_DEFAULT 0
+static const HASHINFO dbs_hashInfo = {
+ DBS_BLOCK_SIZE, /* bucket size, must be greater than = to
+ * or maximum entry size (+ header)
+ * we allow before blobing */
+ DBM_DEFAULT, /* Fill Factor */
+ DBM_DEFAULT, /* number of elements */
+ DBS_CACHE_SIZE, /* cache size */
+ DBM_DEFAULT, /* hash function */
+ DBM_DEFAULT, /* byte order */
+};
+
+/*
+ * the open function. NOTE: this is the only exposed function in this file.
+ * everything else is called through the function table pointer.
+ */
+DB *
+dbsopen(const char *dbname, int flags, int mode, DBTYPE type,
+ const void *userData)
+{
+ DB *db = NULL, *dbs = NULL;
+ DBS *dbsp = NULL;
+
+ /* NOTE: we are overriding userData with dbs_hashInfo. since all known
+ * callers pass 0, this is ok, otherwise we should merge the two */
+
+ dbsp = (DBS *)PORT_ZAlloc(sizeof(DBS));
+ if (!dbsp) {
+ return NULL;
+ }
+ dbs = &dbsp->db;
+
+ dbsp->blobdir = dbs_mkBlobDirName(dbname);
+ if (dbsp->blobdir == NULL) {
+ goto loser;
+ }
+ dbsp->mode = mode;
+ dbsp->readOnly = (PRBool)(flags == NO_RDONLY);
+
+ /* the real dbm call */
+ db = dbopen(dbname, flags, mode, type, &dbs_hashInfo);
+ if (db == NULL) {
+ goto loser;
+ }
+ dbs->internal = (void *)db;
+ dbs->type = type;
+ dbs->close = dbs_close;
+ dbs->get = dbs_get;
+ dbs->del = dbs_del;
+ dbs->put = dbs_put;
+ dbs->seq = dbs_seq;
+ dbs->sync = dbs_sync;
+ dbs->fd = dbs_fd;
+
+ return dbs;
+loser:
+ if (db) {
+ (*db->close)(db);
+ }
+ if (dbsp->blobdir) {
+ PORT_Free(dbsp->blobdir);
+ }
+ PORT_Free(dbsp);
+ return NULL;
+}
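Review bot: dbs_getBlobSize left-shifts a promoted `int`: `addr[BLOB_LENGTH_START + 3] << 24` is undefined behavior whenever that byte is 0x80 or above, and the `(PRUint32)` cast is applied to the result of the shift, not before it, so it does not help; widen each byte first, e.g. `((PRUint32)addr[BLOB_LENGTH_START + 3] << 24) | ((PRUint32)addr[BLOB_LENGTH_START + 2] << 16) | ((PRUint32)addr[BLOB_LENGTH_START + 1] << 8) | (PRUint32)addr[BLOB_LENGTH_START]`. That value is then narrowed into `int len` in dbs_readBlob and handed to `PORT_Alloc(len)` in dbs_EmulateMap without any bound, so a corrupted or truncated record with a large length field drives a large allocation before the short read is noticed; checking `len` against the opened file's size (PR_GetOpenFileInfo on `filed`) before allocating would reject such records with SEC_ERROR_BAD_DATABASE up front. Separately, dbs_EmulateMap's `if (dataRead > 0)` leaves no error set when PR_Read returns 0 on an empty blob file, which is the same "PR_Read didn't set an error" case the comment describes; `if (dataRead >= 0)` matches that intent.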
diff --git a/security/nss/lib/softoken/legacydb/keydb.c b/security/nss/lib/softoken/legacydb/keydb.c
new file mode 100644
index 0000000000..22ab1cc0ef
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/keydb.c
@@ -0,0 +1,2274 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "lowkeyi.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "secoid.h"
+#include "blapi.h"
+#include "secitem.h"
+#include "pcert.h"
+#include "mcom_db.h"
+#include "secerr.h"
+
+#include "keydbi.h"
+#include "lgdb.h"
+
+/*
+ * Record keys for keydb
+ */
+#define SALT_STRING "global-salt"
+#define VERSION_STRING "Version"
+#define KEYDB_PW_CHECK_STRING "password-check"
+#define KEYDB_PW_CHECK_LEN 14
+#define KEYDB_FAKE_PW_CHECK_STRING "fake-password-check"
+#define KEYDB_FAKE_PW_CHECK_LEN 19
+
+/* Size of the global salt for key database */
+#define SALT_LENGTH 16
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYEncryptedPrivateKeyInfo) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYEncryptedPrivateKeyInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSLOWKEYEncryptedPrivateKeyInfo, encryptedData) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PointerToEncryptedPrivateKeyInfoTemplate[] = {
+ { SEC_ASN1_POINTER, 0, nsslowkey_EncryptedPrivateKeyInfoTemplate }
+};
+
+/* ====== Default key databse encryption algorithm ====== */
+static void
+sec_destroy_dbkey(NSSLOWKEYDBKey *dbkey)
+{
+ if (dbkey && dbkey->arena) {
+ PORT_FreeArena(dbkey->arena, PR_FALSE);
+ }
+}
+
+static void
+free_dbt(DBT *dbt)
+{
+ if (dbt) {
+ PORT_Free(dbt->data);
+ PORT_Free(dbt);
+ }
+
+ return;
+}
+
+static int keydb_Get(NSSLOWKEYDBHandle *db, DBT *key, DBT *data,
+ unsigned int flags);
+static int keydb_Put(NSSLOWKEYDBHandle *db, DBT *key, DBT *data,
+ unsigned int flags);
+static int keydb_Sync(NSSLOWKEYDBHandle *db, unsigned int flags);
+static int keydb_Del(NSSLOWKEYDBHandle *db, DBT *key, unsigned int flags);
+static int keydb_Seq(NSSLOWKEYDBHandle *db, DBT *key, DBT *data,
+ unsigned int flags);
+static void keydb_Close(NSSLOWKEYDBHandle *db);
+
+/*
+ * format of key database entries for version 3 of database:
+ * byte offset field
+ * ----------- -----
+ * 0 version
+ * 1 salt-len
+ * 2 nn-len
+ * 3.. salt-data
+ * ... nickname
+ * ... encrypted-key-data
+ */
+static DBT *
+encode_dbkey(NSSLOWKEYDBKey *dbkey, unsigned char version)
+{
+ DBT *bufitem = NULL;
+ unsigned char *buf;
+ int nnlen;
+ char *nn;
+
+ bufitem = (DBT *)PORT_ZAlloc(sizeof(DBT));
+ if (bufitem == NULL) {
+ goto loser;
+ }
+
+ if (dbkey->nickname) {
+ nn = dbkey->nickname;
+ nnlen = PORT_Strlen(nn) + 1;
+ } else {
+ nn = "";
+ nnlen = 1;
+ }
+
+ /* compute the length of the record */
+ /* 1 + 1 + 1 == version number header + salt length + nn len */
+ bufitem->size = dbkey->salt.len + nnlen + dbkey->derPK.len + 1 + 1 + 1;
+
+ bufitem->data = (void *)PORT_ZAlloc(bufitem->size);
+ if (bufitem->data == NULL) {
+ goto loser;
+ }
+
+ buf = (unsigned char *)bufitem->data;
+
+ /* set version number */
+ buf[0] = version;
+
+ /* set length of salt */
+ PORT_Assert(dbkey->salt.len < 256);
+ buf[1] = dbkey->salt.len;
+
+ /* set length of nickname */
+ PORT_Assert(nnlen < 256);
+ buf[2] = nnlen;
+
+ /* copy salt */
+ if (dbkey->salt.len > 0) {
+ PORT_Memcpy(&buf[3], dbkey->salt.data, dbkey->salt.len);
+ }
+
+ /* copy nickname */
+ PORT_Memcpy(&buf[3 + dbkey->salt.len], nn, nnlen);
+
+ /* copy encrypted key */
+ PORT_Memcpy(&buf[3 + dbkey->salt.len + nnlen], dbkey->derPK.data,
+ dbkey->derPK.len);
+
+ return (bufitem);
+
+loser:
+ if (bufitem) {
+ free_dbt(bufitem);
+ }
+
+ return (NULL);
+}
+
+static NSSLOWKEYDBKey *
+decode_dbkey(DBT *bufitem, int expectedVersion)
+{
+ NSSLOWKEYDBKey *dbkey;
+ PLArenaPool *arena = NULL;
+ unsigned char *buf;
+ int version;
+ int keyoff;
+ int nnlen;
+ int saltoff;
+
+ buf = (unsigned char *)bufitem->data;
+
+ version = buf[0];
+
+ if (version != expectedVersion) {
+ goto loser;
+ }
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey));
+ if (dbkey == NULL) {
+ goto loser;
+ }
+
+ dbkey->arena = arena;
+ dbkey->salt.data = NULL;
+ dbkey->derPK.data = NULL;
+
+ dbkey->salt.len = buf[1];
+ dbkey->salt.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->salt.len);
+ if (dbkey->salt.data == NULL) {
+ goto loser;
+ }
+
+ saltoff = 2;
+ keyoff = 2 + dbkey->salt.len;
+
+ if (expectedVersion >= 3) {
+ nnlen = buf[2];
+ if (nnlen) {
+ dbkey->nickname = (char *)PORT_ArenaZAlloc(arena, nnlen + 1);
+ if (dbkey->nickname) {
+ PORT_Memcpy(dbkey->nickname, &buf[keyoff + 1], nnlen);
+ }
+ }
+ keyoff += (nnlen + 1);
+ saltoff = 3;
+ }
+
+ PORT_Memcpy(dbkey->salt.data, &buf[saltoff], dbkey->salt.len);
+
+ dbkey->derPK.len = bufitem->size - keyoff;
+ dbkey->derPK.data = (unsigned char *)PORT_ArenaZAlloc(arena, dbkey->derPK.len);
+ if (dbkey->derPK.data == NULL) {
+ goto loser;
+ }
+
+ PORT_Memcpy(dbkey->derPK.data, &buf[keyoff], dbkey->derPK.len);
+
+ return (dbkey);
+
+loser:
+
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+static NSSLOWKEYDBKey *
+get_dbkey(NSSLOWKEYDBHandle *handle, DBT *index)
+{
+ NSSLOWKEYDBKey *dbkey;
+ DBT entry;
+ int ret;
+
+ /* get it from the database */
+ ret = keydb_Get(handle, index, &entry, 0);
+ if (ret) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return NULL;
+ }
+
+ /* set up dbkey struct */
+
+ dbkey = decode_dbkey(&entry, handle->version);
+
+ return (dbkey);
+}
+
+static SECStatus
+put_dbkey(NSSLOWKEYDBHandle *handle, DBT *index, NSSLOWKEYDBKey *dbkey, PRBool update)
+{
+ DBT *keydata = NULL;
+ int status;
+
+ keydata = encode_dbkey(dbkey, handle->version);
+ if (keydata == NULL) {
+ goto loser;
+ }
+
+ /* put it in the database */
+ if (update) {
+ status = keydb_Put(handle, index, keydata, 0);
+ } else {
+ status = keydb_Put(handle, index, keydata, R_NOOVERWRITE);
+ }
+
+ if (status) {
+ goto loser;
+ }
+
+ /* sync the database */
+ status = keydb_Sync(handle, 0);
+ if (status) {
+ goto loser;
+ }
+
+ free_dbt(keydata);
+ return (SECSuccess);
+
+loser:
+ if (keydata) {
+ free_dbt(keydata);
+ }
+
+ return (SECFailure);
+}
+
+SECStatus
+nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle,
+ SECStatus (*keyfunc)(DBT *k, DBT *d, void *pdata),
+ void *udata)
+{
+ DBT data;
+ DBT key;
+ SECStatus status;
+ int ret;
+
+ if (handle == NULL) {
+ return (SECFailure);
+ }
+
+ ret = keydb_Seq(handle, &key, &data, R_FIRST);
+ if (ret) {
+ return (SECFailure);
+ }
+
+ do {
+ /* skip version record */
+ if (data.size > 1) {
+ if (key.size == (sizeof(SALT_STRING) - 1)) {
+ if (PORT_Memcmp(key.data, SALT_STRING, key.size) == 0) {
+ continue;
+ }
+ }
+
+ /* skip password check */
+ if (key.size == KEYDB_PW_CHECK_LEN) {
+ if (PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING,
+ KEYDB_PW_CHECK_LEN) == 0) {
+ continue;
+ }
+ }
+
+ status = (*keyfunc)(&key, &data, udata);
+ if (status != SECSuccess) {
+ return (status);
+ }
+ }
+ } while (keydb_Seq(handle, &key, &data, R_NEXT) == 0);
+
+ return (SECSuccess);
+}
+
+#ifdef notdef
+typedef struct keyNode {
+ struct keyNode *next;
+ DBT key;
+} keyNode;
+
+typedef struct {
+ PLArenaPool *arena;
+ keyNode *head;
+} keyList;
+
+static SECStatus
+sec_add_key_to_list(DBT *key, DBT *data, void *arg)
+{
+ keyList *keylist;
+ keyNode *node;
+ void *keydata;
+
+ keylist = (keyList *)arg;
+
+ /* allocate the node struct */
+ node = (keyNode *)PORT_ArenaZAlloc(keylist->arena, sizeof(keyNode));
+ if (node == NULL) {
+ return (SECFailure);
+ }
+
+ /* allocate room for key data */
+ keydata = PORT_ArenaZAlloc(keylist->arena, key->size);
+ if (keydata == NULL) {
+ return (SECFailure);
+ }
+
+ /* link node into list */
+ node->next = keylist->head;
+ keylist->head = node;
+
+ /* copy key into node */
+ PORT_Memcpy(keydata, key->data, key->size);
+ node->key.size = key->size;
+ node->key.data = keydata;
+
+ return (SECSuccess);
+}
+#endif
+
+static SECItem *
+decodeKeyDBGlobalSalt(DBT *saltData)
+{
+ SECItem *saltitem;
+
+ saltitem = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+ if (saltitem == NULL) {
+ return (NULL);
+ }
+
+ saltitem->data = (unsigned char *)PORT_ZAlloc(saltData->size);
+ if (saltitem->data == NULL) {
+ PORT_Free(saltitem);
+ return (NULL);
+ }
+
+ saltitem->len = saltData->size;
+ PORT_Memcpy(saltitem->data, saltData->data, saltitem->len);
+
+ return (saltitem);
+}
+
+static SECItem *
+GetKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle)
+{
+ DBT saltKey;
+ DBT saltData;
+ int ret;
+
+ saltKey.data = SALT_STRING;
+ saltKey.size = sizeof(SALT_STRING) - 1;
+
+ ret = keydb_Get(handle, &saltKey, &saltData, 0);
+ if (ret) {
+ return (NULL);
+ }
+
+ return (decodeKeyDBGlobalSalt(&saltData));
+}
+
+static SECStatus
+StoreKeyDBGlobalSalt(NSSLOWKEYDBHandle *handle, SECItem *salt)
+{
+ DBT saltKey;
+ DBT saltData;
+ int status;
+
+ saltKey.data = SALT_STRING;
+ saltKey.size = sizeof(SALT_STRING) - 1;
+
+ saltData.data = (void *)salt->data;
+ saltData.size = salt->len;
+
+ /* put global salt into the database now */
+ status = keydb_Put(handle, &saltKey, &saltData, 0);
+ if (status) {
+ return (SECFailure);
+ }
+
+ return (SECSuccess);
+}
+
+static SECStatus
+makeGlobalVersion(NSSLOWKEYDBHandle *handle)
+{
+ unsigned char version;
+ DBT versionData;
+ DBT versionKey;
+ int status;
+
+ version = NSSLOWKEY_DB_FILE_VERSION;
+ versionData.data = &version;
+ versionData.size = 1;
+ versionKey.data = VERSION_STRING;
+ versionKey.size = sizeof(VERSION_STRING) - 1;
+
+ /* put version string into the database now */
+ status = keydb_Put(handle, &versionKey, &versionData, 0);
+ if (status) {
+ return (SECFailure);
+ }
+ handle->version = version;
+
+ return (SECSuccess);
+}
+
+static SECStatus
+makeGlobalSalt(NSSLOWKEYDBHandle *handle)
+{
+ DBT saltKey;
+ DBT saltData;
+ unsigned char saltbuf[16];
+ int status;
+
+ saltKey.data = SALT_STRING;
+ saltKey.size = sizeof(SALT_STRING) - 1;
+
+ saltData.data = (void *)saltbuf;
+ saltData.size = sizeof(saltbuf);
+ RNG_GenerateGlobalRandomBytes(saltbuf, sizeof(saltbuf));
+
+ /* put global salt into the database now */
+ status = keydb_Put(handle, &saltKey, &saltData, 0);
+ if (status) {
+ return (SECFailure);
+ }
+
+ return (SECSuccess);
+}
+
+static SECStatus
+encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
+ SECItem *encCheck);
+
+static unsigned char
+nsslowkey_version(NSSLOWKEYDBHandle *handle)
+{
+ DBT versionKey;
+ DBT versionData;
+ int ret;
+ versionKey.data = VERSION_STRING;
+ versionKey.size = sizeof(VERSION_STRING) - 1;
+
+ if (handle->db == NULL) {
+ return 255;
+ }
+
+ /* lookup version string in database */
+ ret = keydb_Get(handle, &versionKey, &versionData, 0);
+
+ /* error accessing the database */
+ if (ret < 0) {
+ return 255;
+ }
+
+ if (ret >= 1) {
+ return 0;
+ }
+ return *((unsigned char *)versionData.data);
+}
+
+static PRBool
+seckey_HasAServerKey(NSSLOWKEYDBHandle *handle)
+{
+ DBT key;
+ DBT data;
+ int ret;
+ PRBool found = PR_FALSE;
+
+ ret = keydb_Seq(handle, &key, &data, R_FIRST);
+ if (ret) {
+ return PR_FALSE;
+ }
+
+ do {
+ /* skip version record */
+ if (data.size > 1) {
+ /* skip salt */
+ if (key.size == (sizeof(SALT_STRING) - 1)) {
+ if (PORT_Memcmp(key.data, SALT_STRING, key.size) == 0) {
+ continue;
+ }
+ }
+ /* skip pw check entry */
+ if (key.size == KEYDB_PW_CHECK_LEN) {
+ if (PORT_Memcmp(key.data, KEYDB_PW_CHECK_STRING,
+ KEYDB_PW_CHECK_LEN) == 0) {
+ continue;
+ }
+ }
+
+ /* keys stored by nickname will have 0 as the last byte of the
+ * db key. Other keys must be stored by modulus. We will not
+ * update those because they are left over from a keygen that
+ * never resulted in a cert.
+ */
+ if (((unsigned char *)key.data)[key.size - 1] != 0) {
+ continue;
+ }
+
+ if (PORT_Strcmp(key.data, "Server-Key") == 0) {
+ found = PR_TRUE;
+ break;
+ }
+ }
+ } while (keydb_Seq(handle, &key, &data, R_NEXT) == 0);
+
+ return found;
+}
+
+/* forward declare local create function */
+static NSSLOWKEYDBHandle *nsslowkey_NewHandle(DB *dbHandle);
+
+/*
+ * currently updates key database from v2 to v3
+ */
+static SECStatus
+nsslowkey_UpdateKeyDBPass1(NSSLOWKEYDBHandle *handle)
+{
+ SECStatus rv;
+ DBT checkKey;
+ DBT checkData;
+ DBT saltKey;
+ DBT saltData;
+ DBT key;
+ DBT data;
+ unsigned char version;
+ NSSLOWKEYDBKey *dbkey = NULL;
+ NSSLOWKEYDBHandle *update = NULL;
+ SECItem *oldSalt = NULL;
+ int ret;
+ SECItem checkitem;
+
+ if (handle->updatedb == NULL) {
+ return SECSuccess;
+ }
+
+ /* create a full DB Handle for our update so we
+ * can use the correct locks for the db primatives */
+ update = nsslowkey_NewHandle(handle->updatedb);
+ if (update == NULL) {
+ return SECSuccess;
+ }
+
+ /* update has now inherited the database handle */
+ handle->updatedb = NULL;
+
+ /*
+ * check the version record
+ */
+ version = nsslowkey_version(update);
+ if (version != 2) {
+ goto done;
+ }
+
+ saltKey.data = SALT_STRING;
+ saltKey.size = sizeof(SALT_STRING) - 1;
+
+ ret = keydb_Get(update, &saltKey, &saltData, 0);
+ if (ret) {
+ /* no salt in old db, so it is corrupted */
+ goto done;
+ }
+
+ oldSalt = decodeKeyDBGlobalSalt(&saltData);
+ if (oldSalt == NULL) {
+ /* bad salt in old db, so it is corrupted */
+ goto done;
+ }
+
+ /*
+ * look for a pw check entry
+ */
+ checkKey.data = KEYDB_PW_CHECK_STRING;
+ checkKey.size = KEYDB_PW_CHECK_LEN;
+
+ ret = keydb_Get(update, &checkKey, &checkData, 0);
+ if (ret) {
+ /*
+ * if we have a key, but no KEYDB_PW_CHECK_STRING, then this must
+ * be an old server database, and it does have a password associated
+ * with it. Put a fake entry in so we can identify this db when we do
+ * get the password for it.
+ */
+ if (seckey_HasAServerKey(update)) {
+ DBT fcheckKey;
+ DBT fcheckData;
+
+ /*
+ * include a fake string
+ */
+ fcheckKey.data = KEYDB_FAKE_PW_CHECK_STRING;
+ fcheckKey.size = KEYDB_FAKE_PW_CHECK_LEN;
+ fcheckData.data = "1";
+ fcheckData.size = 1;
+ /* put global salt into the new database now */
+ ret = keydb_Put(handle, &saltKey, &saltData, 0);
+ if (ret) {
+ goto done;
+ }
+ ret = keydb_Put(handle, &fcheckKey, &fcheckData, 0);
+ if (ret) {
+ goto done;
+ }
+ } else {
+ goto done;
+ }
+ } else {
+ /* put global salt into the new database now */
+ ret = keydb_Put(handle, &saltKey, &saltData, 0);
+ if (ret) {
+ goto done;
+ }
+
+ dbkey = decode_dbkey(&checkData, 2);
+ if (dbkey == NULL) {
+ goto done;
+ }
+ checkitem = dbkey->derPK;
+ dbkey->derPK.data = NULL;
+
+ /* format the new pw check entry */
+ rv = encodePWCheckEntry(NULL, &dbkey->derPK, SEC_OID_RC4, &checkitem);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ rv = put_dbkey(handle, &checkKey, dbkey, PR_TRUE);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ /* free the dbkey */
+ sec_destroy_dbkey(dbkey);
+ dbkey = NULL;
+ }
+
+ /* now traverse the database */
+ ret = keydb_Seq(update, &key, &data, R_FIRST);
+ if (ret) {
+ goto done;
+ }
+
+ do {
+ /* skip version record */
+ if (data.size > 1) {
+ /* skip salt */
+ if (key.size == (sizeof(SALT_STRING) - 1)) {
+ if (PORT_Memcmp(key.data, SALT_STRING, key.size) == 0) {
+ continue;
+ }
+ }
+ /* skip pw check entry */
+ if (key.size == checkKey.size) {
+ if (PORT_Memcmp(key.data, checkKey.data, key.size) == 0) {
+ continue;
+ }
+ }
+
+ /* keys stored by nickname will have 0 as the last byte of the
+ * db key. Other keys must be stored by modulus. We will not
+ * update those because they are left over from a keygen that
+ * never resulted in a cert.
+ */
+ if (((unsigned char *)key.data)[key.size - 1] != 0) {
+ continue;
+ }
+
+ dbkey = decode_dbkey(&data, 2);
+ if (dbkey == NULL) {
+ continue;
+ }
+
+ /* This puts the key into the new database with the same
+ * index (nickname) that it had before. The second pass
+ * of the update will have the password. It will decrypt
+ * and re-encrypt the entries using a new algorithm.
+ */
+ dbkey->nickname = (char *)key.data;
+ rv = put_dbkey(handle, &key, dbkey, PR_FALSE);
+ dbkey->nickname = NULL;
+
+ sec_destroy_dbkey(dbkey);
+ }
+ } while (keydb_Seq(update, &key, &data, R_NEXT) == 0);
+
+ dbkey = NULL;
+
+done:
+ /* sync the database */
+ ret = keydb_Sync(handle, 0);
+
+ nsslowkey_CloseKeyDB(update);
+
+ if (oldSalt) {
+ SECITEM_FreeItem(oldSalt, PR_TRUE);
+ }
+
+ if (dbkey) {
+ sec_destroy_dbkey(dbkey);
+ }
+
+ return (SECSuccess);
+}
+
+static SECStatus
+openNewDB(const char *appName, const char *prefix, const char *dbname,
+ NSSLOWKEYDBHandle *handle, NSSLOWKEYDBNameFunc namecb, void *cbarg)
+{
+ SECStatus rv = SECFailure;
+ int status = RDB_FAIL;
+ char *updname = NULL;
+ DB *updatedb = NULL;
+ PRBool updated = PR_FALSE;
+ int ret;
+
+ if (appName) {
+ handle->db = rdbopen(appName, prefix, "key", NO_CREATE, &status);
+ } else {
+ handle->db = dbopen(dbname, NO_CREATE, 0600, DB_HASH, 0);
+ }
+ /* if create fails then we lose */
+ if (handle->db == NULL) {
+ return (status == RDB_RETRY) ? SECWouldBlock : SECFailure;
+ }
+
+ /* force a transactional read, which will verify that one and only one
+ * process attempts the update. */
+ if (nsslowkey_version(handle) == NSSLOWKEY_DB_FILE_VERSION) {
+ /* someone else has already updated the database for us */
+ db_InitComplete(handle->db);
+ return SECSuccess;
+ }
+
+ /*
+ * if we are creating a multiaccess database, see if there is a
+ * local database we can update from.
+ */
+ if (appName) {
+ NSSLOWKEYDBHandle *updateHandle;
+ updatedb = dbopen(dbname, NO_RDONLY, 0600, DB_HASH, 0);
+ if (!updatedb) {
+ goto noupdate;
+ }
+
+ /* nsslowkey_version needs a full handle because it calls
+ * the kdb_Get() function, which needs to lock.
+ */
+ updateHandle = nsslowkey_NewHandle(updatedb);
+ if (!updateHandle) {
+ updatedb->close(updatedb);
+ goto noupdate;
+ }
+
+ handle->version = nsslowkey_version(updateHandle);
+ if (handle->version != NSSLOWKEY_DB_FILE_VERSION) {
+ nsslowkey_CloseKeyDB(updateHandle);
+ goto noupdate;
+ }
+
+ /* copy the new DB from the old one */
+ db_Copy(handle->db, updatedb);
+ nsslowkey_CloseKeyDB(updateHandle);
+ db_InitComplete(handle->db);
+ return SECSuccess;
+ }
+noupdate:
+
+ /* update the version number */
+ rv = makeGlobalVersion(handle);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /*
+ * try to update from v2 db
+ */
+ updname = (*namecb)(cbarg, 2);
+ if (updname != NULL) {
+ handle->updatedb = dbopen(updname, NO_RDONLY, 0600, DB_HASH, 0);
+ PORT_Free(updname);
+
+ if (handle->updatedb) {
+ /*
+ * Try to update the db using a null password. If the db
+ * doesn't have a password, then this will work. If it does
+ * have a password, then this will fail and we will do the
+ * update later
+ */
+ rv = nsslowkey_UpdateKeyDBPass1(handle);
+ if (rv == SECSuccess) {
+ updated = PR_TRUE;
+ }
+ }
+ }
+
+ /* we are using the old salt if we updated from an old db */
+ if (!updated) {
+ rv = makeGlobalSalt(handle);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ /* sync the database */
+ ret = keydb_Sync(handle, 0);
+ if (ret) {
+ rv = SECFailure;
+ goto loser;
+ }
+ rv = SECSuccess;
+
+loser:
+ db_InitComplete(handle->db);
+ return rv;
+}
+
+static DB *
+openOldDB(const char *appName, const char *prefix, const char *dbname,
+ PRBool openflags)
+{
+ DB *db = NULL;
+
+ if (appName) {
+ db = rdbopen(appName, prefix, "key", openflags, NULL);
+ } else {
+ db = dbopen(dbname, openflags, 0600, DB_HASH, 0);
+ }
+
+ return db;
+}
+
+/* check for correct version number */
+static PRBool
+verifyVersion(NSSLOWKEYDBHandle *handle)
+{
+ int version = nsslowkey_version(handle);
+
+ handle->version = version;
+ if (version != NSSLOWKEY_DB_FILE_VERSION) {
+ if (handle->db) {
+ keydb_Close(handle);
+ handle->db = NULL;
+ }
+ }
+ return handle->db != NULL;
+}
+
+static NSSLOWKEYDBHandle *
+nsslowkey_NewHandle(DB *dbHandle)
+{
+ NSSLOWKEYDBHandle *handle;
+ handle = (NSSLOWKEYDBHandle *)PORT_ZAlloc(sizeof(NSSLOWKEYDBHandle));
+ if (handle == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return NULL;
+ }
+
+ handle->appname = NULL;
+ handle->dbname = NULL;
+ handle->global_salt = NULL;
+ handle->updatedb = NULL;
+ handle->db = dbHandle;
+ handle->ref = 1;
+ handle->lock = PZ_NewLock(nssILockKeyDB);
+
+ return handle;
+}
+
+NSSLOWKEYDBHandle *
+nsslowkey_OpenKeyDB(PRBool readOnly, const char *appName, const char *prefix,
+ NSSLOWKEYDBNameFunc namecb, void *cbarg)
+{
+ NSSLOWKEYDBHandle *handle = NULL;
+ SECStatus rv;
+ int openflags;
+ char *dbname = NULL;
+
+ handle = nsslowkey_NewHandle(NULL);
+
+ openflags = readOnly ? NO_RDONLY : NO_RDWR;
+
+ dbname = (*namecb)(cbarg, NSSLOWKEY_DB_FILE_VERSION);
+ if (dbname == NULL) {
+ goto loser;
+ }
+ handle->appname = appName ? PORT_Strdup(appName) : NULL;
+ handle->dbname = (appName == NULL) ? PORT_Strdup(dbname) : (prefix ? PORT_Strdup(prefix) : NULL);
+ handle->readOnly = readOnly;
+
+ handle->db = openOldDB(appName, prefix, dbname, openflags);
+ if (handle->db) {
+ verifyVersion(handle);
+ if (handle->version == 255) {
+ goto loser;
+ }
+ }
+
+ /* if first open fails, try to create a new DB */
+ if (handle->db == NULL) {
+ if (readOnly) {
+ goto loser;
+ }
+
+ rv = openNewDB(appName, prefix, dbname, handle, namecb, cbarg);
+ /* two processes started to initialize the database at the same time.
+ * The multiprocess code blocked the second one, then had it retry to
+ * see if it can just open the database normally */
+ if (rv == SECWouldBlock) {
+ handle->db = openOldDB(appName, prefix, dbname, openflags);
+ verifyVersion(handle);
+ if (handle->db == NULL) {
+ goto loser;
+ }
+ } else if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ handle->global_salt = GetKeyDBGlobalSalt(handle);
+ if (dbname)
+ PORT_Free(dbname);
+ return handle;
+
+loser:
+
+ if (dbname)
+ PORT_Free(dbname);
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ nsslowkey_CloseKeyDB(handle);
+ return NULL;
+}
+
+/*
+ * Close the database
+ */
+void
+nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle)
+{
+ if (handle != NULL) {
+ if (handle->db != NULL) {
+ keydb_Close(handle);
+ }
+ if (handle->updatedb) {
+ handle->updatedb->close(handle->updatedb);
+ }
+ if (handle->dbname)
+ PORT_Free(handle->dbname);
+ if (handle->appname)
+ PORT_Free(handle->appname);
+ if (handle->global_salt) {
+ SECITEM_FreeItem(handle->global_salt, PR_TRUE);
+ }
+ if (handle->lock != NULL) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(handle->lock));
+ }
+
+ PORT_Free(handle);
+ }
+}
+
+/* Get the key database version */
+int
+nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle)
+{
+ PORT_Assert(handle != NULL);
+
+ return handle->version;
+}
+
+/*
+ * Delete a private key that was stored in the database
+ */
+SECStatus
+nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle, const SECItem *pubkey)
+{
+ DBT namekey;
+ int ret;
+
+ if (handle == NULL) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (SECFailure);
+ }
+
+ /* set up db key and data */
+ namekey.data = pubkey->data;
+ namekey.size = pubkey->len;
+
+ /* delete it from the database */
+ ret = keydb_Del(handle, &namekey, 0);
+ if (ret) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (SECFailure);
+ }
+
+ /* sync the database */
+ ret = keydb_Sync(handle, 0);
+ if (ret) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (SECFailure);
+ }
+
+ return (SECSuccess);
+}
+
+/*
+ * Store a key in the database, indexed by its public key modulus.(value!)
+ */
+SECStatus
+nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle,
+ NSSLOWKEYPrivateKey *privkey,
+ SECItem *pubKeyData,
+ char *nickname,
+ SDB *sdb)
+{
+ return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData,
+ nickname, sdb, PR_FALSE);
+}
+
+SECStatus
+nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle,
+ NSSLOWKEYPrivateKey *privkey,
+ SECItem *pubKeyData,
+ char *nickname,
+ SDB *sdb)
+{
+ return nsslowkey_StoreKeyByPublicKeyAlg(handle, privkey, pubKeyData,
+ nickname, sdb, PR_TRUE);
+}
+
+/* see if the symetric CKA_ID already Exists.
+ */
+PRBool
+nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id)
+{
+ DBT namekey;
+ DBT dummy;
+ int status;
+
+ namekey.data = (char *)id->data;
+ namekey.size = id->len;
+ status = keydb_Get(handle, &namekey, &dummy, 0);
+ if (status) {
+ return PR_FALSE;
+ }
+
+ return PR_TRUE;
+}
+
+/* see if the public key for this cert is in the database filed
+ * by modulus
+ */
+PRBool
+nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle, NSSLOWCERTCertificate *cert)
+{
+ NSSLOWKEYPublicKey *pubkey = NULL;
+ DBT namekey;
+ DBT dummy;
+ int status;
+
+ /* get cert's public key */
+ pubkey = nsslowcert_ExtractPublicKey(cert);
+ if (pubkey == NULL) {
+ return PR_FALSE;
+ }
+
+ /* TNH - make key from NSSLOWKEYPublicKey */
+ switch (pubkey->keyType) {
+ case NSSLOWKEYRSAKey:
+ namekey.data = pubkey->u.rsa.modulus.data;
+ namekey.size = pubkey->u.rsa.modulus.len;
+ break;
+ case NSSLOWKEYDSAKey:
+ namekey.data = pubkey->u.dsa.publicValue.data;
+ namekey.size = pubkey->u.dsa.publicValue.len;
+ break;
+ case NSSLOWKEYDHKey:
+ namekey.data = pubkey->u.dh.publicValue.data;
+ namekey.size = pubkey->u.dh.publicValue.len;
+ break;
+ case NSSLOWKEYECKey:
+ namekey.data = pubkey->u.ec.publicValue.data;
+ namekey.size = pubkey->u.ec.publicValue.len;
+ break;
+ default:
+ /* XXX We don't do Fortezza or DH yet. */
+ return PR_FALSE;
+ }
+
+ if (handle->version != 3) {
+ unsigned char buf[SHA1_LENGTH];
+ SHA1_HashBuf(buf, namekey.data, namekey.size);
+ /* NOTE: don't use pubkey after this! it's now thrashed */
+ PORT_Memcpy(namekey.data, buf, sizeof(buf));
+ namekey.size = sizeof(buf);
+ }
+
+ status = keydb_Get(handle, &namekey, &dummy, 0);
+ /* some databases have the key stored as a signed value */
+ if (status) {
+ unsigned char *buf = (unsigned char *)PORT_Alloc(namekey.size + 1);
+ if (buf) {
+ PORT_Memcpy(&buf[1], namekey.data, namekey.size);
+ buf[0] = 0;
+ namekey.data = buf;
+ namekey.size++;
+ status = keydb_Get(handle, &namekey, &dummy, 0);
+ PORT_Free(buf);
+ }
+ }
+ lg_nsslowkey_DestroyPublicKey(pubkey);
+ if (status) {
+ return PR_FALSE;
+ }
+
+ return PR_TRUE;
+}
+
+typedef struct NSSLowPasswordDataParamStr {
+ SECItem salt;
+ SECItem iter;
+} NSSLowPasswordDataParam;
+
+static const SEC_ASN1Template NSSLOWPasswordParamTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLowPasswordDataParam) },
+ { SEC_ASN1_OCTET_STRING, offsetof(NSSLowPasswordDataParam, salt) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLowPasswordDataParam, iter) },
+ { 0 }
+};
+struct LGEncryptedDataInfoStr {
+ SECAlgorithmID algorithm;
+ SECItem encryptedData;
+};
+typedef struct LGEncryptedDataInfoStr LGEncryptedDataInfo;
+
+const SEC_ASN1Template lg_EncryptedDataInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(LGEncryptedDataInfo) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(LGEncryptedDataInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(LGEncryptedDataInfo, encryptedData) },
+ { 0 }
+};
+
+static SECItem *
+nsslowkey_EncodePW(SECOidTag alg, const SECItem *salt, SECItem *data)
+{
+ NSSLowPasswordDataParam param;
+ LGEncryptedDataInfo edi;
+ PLArenaPool *arena;
+ unsigned char one = 1;
+ SECItem *epw = NULL;
+ SECItem *encParam;
+ int iterLen = 0;
+ int saltLen;
+ SECStatus rv;
+
+ param.salt = *salt;
+ param.iter.type = siBuffer; /* encode as signed integer */
+ param.iter.data = &one;
+ param.iter.len = 1;
+ edi.encryptedData = *data;
+
+ iterLen = salt->len > 1 ? salt->data[salt->len - 1] : 2;
+ saltLen = (salt->len - iterLen) - 1;
+ /* if the resulting saltLen is a sha hash length, then assume that
+ * the iteration count is tacked on the end of the buffer */
+ if ((saltLen == SHA1_LENGTH) || (saltLen == SHA256_LENGTH) || (saltLen == SHA384_LENGTH) || (saltLen == SHA224_LENGTH) ||
+ (saltLen == SHA512_LENGTH)) {
+ param.iter.data = &salt->data[saltLen];
+ param.iter.len = iterLen;
+ param.salt.len = saltLen;
+ }
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ return NULL;
+ }
+
+ encParam = SEC_ASN1EncodeItem(arena, NULL, &param,
+ NSSLOWPasswordParamTemplate);
+ if (encParam == NULL) {
+ goto loser;
+ }
+ rv = SECOID_SetAlgorithmID(arena, &edi.algorithm, alg, encParam);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ epw = SEC_ASN1EncodeItem(NULL, NULL, &edi, lg_EncryptedDataInfoTemplate);
+
+loser:
+ PORT_FreeArena(arena, PR_FALSE);
+ return epw;
+}
+
+static SECItem *
+nsslowkey_DecodePW(const SECItem *derData, SECOidTag *alg, SECItem *salt)
+{
+ NSSLowPasswordDataParam param;
+ LGEncryptedDataInfo edi;
+ PLArenaPool *arena;
+ SECItem *pwe = NULL;
+ SECStatus rv;
+
+ salt->data = NULL;
+ param.iter.type = siBuffer; /* decode as signed integer */
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ return NULL;
+ }
+
+ rv = SEC_QuickDERDecodeItem(arena, &edi, lg_EncryptedDataInfoTemplate,
+ derData);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ *alg = SECOID_GetAlgorithmTag(&edi.algorithm);
+ rv = SEC_QuickDERDecodeItem(arena, &param, NSSLOWPasswordParamTemplate,
+ &edi.algorithm.parameters);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ /* if the iteration count isn't one, tack it at the end of the salt */
+ if (!((param.iter.len == 1) && (param.iter.data[0] == 1))) {
+ int total_len = param.salt.len + param.iter.len + 1;
+ salt->data = PORT_Alloc(total_len);
+ if (salt->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(salt->data, param.salt.data, param.salt.len);
+ PORT_Memcpy(&salt->data[param.salt.len], param.iter.data,
+ param.iter.len);
+ salt->data[total_len - 1] = param.iter.len;
+ salt->len = total_len;
+ } else {
+ rv = SECITEM_CopyItem(NULL, salt, &param.salt);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+ pwe = SECITEM_DupItem(&edi.encryptedData);
+
+loser:
+ if (!pwe && salt->data) {
+ PORT_Free(salt->data);
+ salt->data = NULL;
+ }
+ PORT_FreeArena(arena, PR_FALSE);
+ return pwe;
+}
+
+/*
+ * check to see if the user has a password
+ */
+static SECStatus
+nsslowkey_GetPWCheckEntry(NSSLOWKEYDBHandle *handle, NSSLOWKEYPasswordEntry *entry)
+{
+ DBT checkkey; /*, checkdata; */
+ NSSLOWKEYDBKey *dbkey = NULL;
+ SECItem *global_salt = NULL;
+ SECItem *item = NULL;
+ SECItem entryData, oid;
+ SECItem none = { siBuffer, NULL, 0 };
+ SECStatus rv = SECFailure;
+ SECOidTag algorithm;
+
+ if (handle == NULL) {
+ /* PORT_SetError */
+ return (SECFailure);
+ }
+
+ global_salt = GetKeyDBGlobalSalt(handle);
+ if (!global_salt) {
+ global_salt = &none;
+ }
+ if (global_salt->len > sizeof(entry->data)) {
+ /* PORT_SetError */
+ goto loser;
+ }
+
+ PORT_Memcpy(entry->data, global_salt->data, global_salt->len);
+ entry->salt.data = entry->data;
+ entry->salt.len = global_salt->len;
+ entry->value.data = &entry->data[entry->salt.len];
+
+ checkkey.data = KEYDB_PW_CHECK_STRING;
+ checkkey.size = KEYDB_PW_CHECK_LEN;
+ dbkey = get_dbkey(handle, &checkkey);
+ if (dbkey == NULL) {
+ /* handle 'FAKE' check here */
+ goto loser;
+ }
+
+ oid.len = dbkey->derPK.data[0];
+ oid.data = &dbkey->derPK.data[1];
+
+ if (dbkey->derPK.len < (KEYDB_PW_CHECK_LEN + 1 + oid.len)) {
+ goto loser;
+ }
+ algorithm = SECOID_FindOIDTag(&oid);
+ entryData.type = siBuffer;
+ entryData.len = dbkey->derPK.len - (oid.len + 1);
+ entryData.data = &dbkey->derPK.data[oid.len + 1];
+
+ item = nsslowkey_EncodePW(algorithm, &dbkey->salt, &entryData);
+ if (!item || (item->len + entry->salt.len) > sizeof(entry->data)) {
+ goto loser;
+ }
+ PORT_Memcpy(entry->value.data, item->data, item->len);
+ entry->value.len = item->len;
+ rv = SECSuccess;
+
+loser:
+ if (item) {
+ SECITEM_FreeItem(item, PR_TRUE);
+ }
+ if (dbkey) {
+ sec_destroy_dbkey(dbkey);
+ }
+ if (global_salt != &none) {
+ SECITEM_FreeItem(global_salt, PR_TRUE);
+ }
+ return rv;
+}
+
+/*
+ * check to see if the user has a password
+ */
+static SECStatus
+nsslowkey_PutPWCheckEntry(NSSLOWKEYDBHandle *handle, NSSLOWKEYPasswordEntry *entry)
+{
+ DBT checkkey;
+ NSSLOWKEYDBKey *dbkey = NULL;
+ SECItem *item = NULL;
+ SECItem salt;
+ SECOidTag algid = SEC_OID_UNKNOWN;
+ SECStatus rv = SECFailure;
+ PLArenaPool *arena;
+ int ret;
+
+ if (handle == NULL) {
+ /* PORT_SetError */
+ return (SECFailure);
+ }
+
+ checkkey.data = KEYDB_PW_CHECK_STRING;
+ checkkey.size = KEYDB_PW_CHECK_LEN;
+
+ salt.data = NULL;
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ return SECFailure;
+ }
+
+ item = nsslowkey_DecodePW(&entry->value, &algid, &salt);
+ if (item == NULL) {
+ goto loser;
+ }
+
+ dbkey = PORT_ArenaZNew(arena, NSSLOWKEYDBKey);
+ if (dbkey == NULL) {
+ goto loser;
+ }
+
+ dbkey->arena = arena;
+
+ rv = SECITEM_CopyItem(arena, &dbkey->salt, &salt);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = encodePWCheckEntry(arena, &dbkey->derPK, algid, item);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = put_dbkey(handle, &checkkey, dbkey, PR_TRUE);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ if (handle->global_salt) {
+ SECITEM_FreeItem(handle->global_salt, PR_TRUE);
+ handle->global_salt = NULL;
+ }
+ rv = StoreKeyDBGlobalSalt(handle, &entry->salt);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ ret = keydb_Sync(handle, 0);
+ if (ret) {
+ rv = SECFailure;
+ goto loser;
+ }
+ handle->global_salt = GetKeyDBGlobalSalt(handle);
+
+loser:
+ if (item) {
+ SECITEM_FreeItem(item, PR_TRUE);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+ if (salt.data) {
+ PORT_Free(salt.data);
+ }
+ return rv;
+}
+
+#ifdef EC_DEBUG
+#define SEC_PRINT(str1, str2, num, sitem) \
+ printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
+ str1, str2, num, sitem->len); \
+ for (i = 0; i < sitem->len; i++) { \
+ printf("%02x:", sitem->data[i]); \
+ } \
+ printf("\n")
+#else
+#define SEC_PRINT(a, b, c, d)
+#endif /* EC_DEBUG */
+
+SECStatus
+seckey_encrypt_private_key(PLArenaPool *permarena, NSSLOWKEYPrivateKey *pk,
+ SDB *sdbpw, SECItem *result)
+{
+ NSSLOWKEYPrivateKeyInfo *pki = NULL;
+ SECStatus rv = SECFailure;
+ PLArenaPool *temparena = NULL;
+ SECItem *der_item = NULL;
+ SECItem *cipherText = NULL;
+ SECItem *dummy = NULL;
+#ifdef EC_DEBUG
+ SECItem *fordebug = NULL;
+#endif
+ int savelen;
+
+ temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ if (temparena == NULL)
+ goto loser;
+
+ /* allocate structures */
+ pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena,
+ sizeof(NSSLOWKEYPrivateKeyInfo));
+ der_item = (SECItem *)PORT_ArenaZAlloc(temparena, sizeof(SECItem));
+ if ((pki == NULL) || (der_item == NULL))
+ goto loser;
+
+ /* setup private key info */
+ dummy = SEC_ASN1EncodeInteger(temparena, &(pki->version),
+ NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
+ if (dummy == NULL)
+ goto loser;
+
+ /* Encode the key, and set the algorithm (with params) */
+ switch (pk->keyType) {
+ case NSSLOWKEYRSAKey:
+ lg_prepare_low_rsa_priv_key_for_asn1(pk);
+ dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
+ lg_nsslowkey_RSAPrivateKeyTemplate);
+ if (dummy == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
+ SEC_OID_PKCS1_RSA_ENCRYPTION, 0);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ break;
+ case NSSLOWKEYDSAKey:
+ lg_prepare_low_dsa_priv_key_for_asn1(pk);
+ dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
+ lg_nsslowkey_DSAPrivateKeyTemplate);
+ if (dummy == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
+ dummy = SEC_ASN1EncodeItem(temparena, NULL, &pk->u.dsa.params,
+ lg_nsslowkey_PQGParamsTemplate);
+ if (dummy == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
+ SEC_OID_ANSIX9_DSA_SIGNATURE, dummy);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ break;
+ case NSSLOWKEYDHKey:
+ lg_prepare_low_dh_priv_key_for_asn1(pk);
+ dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
+ lg_nsslowkey_DHPrivateKeyTemplate);
+ if (dummy == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
+ SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+ break;
+ case NSSLOWKEYECKey:
+ lg_prepare_low_ec_priv_key_for_asn1(pk);
+ /* Public value is encoded as a bit string so adjust length
+ * to be in bits before ASN encoding and readjust
+ * immediately after.
+ *
+ * Since the SECG specification recommends not including the
+ * parameters as part of ECPrivateKey, we zero out the curveOID
+ * length before encoding and restore it later.
+ */
+ pk->u.ec.publicValue.len <<= 3;
+ savelen = pk->u.ec.ecParams.curveOID.len;
+ pk->u.ec.ecParams.curveOID.len = 0;
+ dummy = SEC_ASN1EncodeItem(temparena, &(pki->privateKey), pk,
+ lg_nsslowkey_ECPrivateKeyTemplate);
+ pk->u.ec.ecParams.curveOID.len = savelen;
+ pk->u.ec.publicValue.len >>= 3;
+
+ if (dummy == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ dummy = &pk->u.ec.ecParams.DEREncoding;
+
+ /* At this point dummy should contain the encoded params */
+ rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
+ SEC_OID_ANSIX962_EC_PUBLIC_KEY, dummy);
+
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+#ifdef EC_DEBUG
+ fordebug = &(pki->privateKey);
+ SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey",
+ pk->keyType, fordebug);
+#endif
+
+ break;
+ default:
+ /* We don't support DH or Fortezza private keys yet */
+ PORT_Assert(PR_FALSE);
+ break;
+ }
+
+ /* setup encrypted private key info */
+ dummy = SEC_ASN1EncodeItem(temparena, der_item, pki,
+ lg_nsslowkey_PrivateKeyInfoTemplate);
+
+ SEC_PRINT("seckey_encrypt_private_key()", "PrivateKeyInfo",
+ pk->keyType, der_item);
+
+ if (dummy == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ rv = lg_util_encrypt(temparena, sdbpw, dummy, &cipherText);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = SECITEM_CopyItem(permarena, result, cipherText);
+
+loser:
+
+ if (temparena != NULL)
+ PORT_FreeArena(temparena, PR_TRUE);
+
+ return rv;
+}
+
+static SECStatus
+seckey_put_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, SDB *sdbpw,
+ NSSLOWKEYPrivateKey *pk, char *nickname, PRBool update)
+{
+ NSSLOWKEYDBKey *dbkey = NULL;
+ PLArenaPool *arena = NULL;
+ SECStatus rv = SECFailure;
+
+ if ((keydb == NULL) || (index == NULL) || (sdbpw == NULL) ||
+ (pk == NULL))
+ return SECFailure;
+
+ arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ if (arena == NULL)
+ return SECFailure;
+
+ dbkey = (NSSLOWKEYDBKey *)PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYDBKey));
+ if (dbkey == NULL)
+ goto loser;
+ dbkey->arena = arena;
+ dbkey->nickname = nickname;
+
+ rv = seckey_encrypt_private_key(arena, pk, sdbpw, &dbkey->derPK);
+ if (rv != SECSuccess)
+ goto loser;
+
+ rv = put_dbkey(keydb, index, dbkey, update);
+
+/* let success fall through */
+loser:
+ if (arena != NULL)
+ PORT_FreeArena(arena, PR_TRUE);
+
+ return rv;
+}
+
+/*
+ * Store a key in the database, indexed by its public key modulus.
+ * Note that the nickname is optional. It was only used by keyutil.
+ */
+SECStatus
+nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle,
+ NSSLOWKEYPrivateKey *privkey,
+ SECItem *pubKeyData,
+ char *nickname,
+ SDB *sdbpw,
+ PRBool update)
+{
+ DBT namekey;
+ SECStatus rv;
+
+ if (handle == NULL) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (SECFailure);
+ }
+
+ /* set up db key and data */
+ namekey.data = pubKeyData->data;
+ namekey.size = pubKeyData->len;
+
+ /* encrypt the private key */
+ rv = seckey_put_private_key(handle, &namekey, sdbpw, privkey, nickname,
+ update);
+
+ return (rv);
+}
+
+static NSSLOWKEYPrivateKey *
+seckey_decrypt_private_key(SECItem *epki,
+ SDB *sdbpw)
+{
+ NSSLOWKEYPrivateKey *pk = NULL;
+ NSSLOWKEYPrivateKeyInfo *pki = NULL;
+ SECStatus rv = SECFailure;
+ PLArenaPool *temparena = NULL, *permarena = NULL;
+ SECItem *dest = NULL;
+#ifdef EC_DEBUG
+ SECItem *fordebug = NULL;
+#endif
+
+ if ((epki == NULL) || (sdbpw == NULL))
+ goto loser;
+
+ temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ if ((temparena == NULL) || (permarena == NULL))
+ goto loser;
+
+ /* allocate temporary items */
+ pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena,
+ sizeof(NSSLOWKEYPrivateKeyInfo));
+
+ /* allocate permanent arena items */
+ pk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(permarena,
+ sizeof(NSSLOWKEYPrivateKey));
+
+ if ((pk == NULL) || (pki == NULL))
+ goto loser;
+
+ pk->arena = permarena;
+
+ rv = lg_util_decrypt(sdbpw, epki, &dest);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ if (dest != NULL) {
+ SECItem newPrivateKey;
+ SECItem newAlgParms;
+
+ SEC_PRINT("seckey_decrypt_private_key()", "PrivateKeyInfo", -1,
+ dest);
+
+ rv = SEC_QuickDERDecodeItem(temparena, pki,
+ lg_nsslowkey_PrivateKeyInfoTemplate, dest);
+ if (rv == SECSuccess) {
+ switch (SECOID_GetAlgorithmTag(&pki->algorithm)) {
+ case SEC_OID_X500_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_RSA_ENCRYPTION:
+ pk->keyType = NSSLOWKEYRSAKey;
+ lg_prepare_low_rsa_priv_key_for_asn1(pk);
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+ &pki->privateKey))
+ break;
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
+ lg_nsslowkey_RSAPrivateKeyTemplate,
+ &newPrivateKey);
+ if (rv == SECSuccess) {
+ break;
+ }
+ /* Try decoding with the alternative template, but only allow
+ * a zero-length modulus for a secret key object.
+ * See bug 715073.
+ */
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
+ lg_nsslowkey_RSAPrivateKeyTemplate2,
+ &newPrivateKey);
+ /* A publicExponent of 0 is the defining property of a secret
+ * key disguised as an RSA key. When decoding with the
+ * alternative template, only accept a secret key with an
+ * improperly encoded modulus and a publicExponent of 0.
+ */
+ if (rv == SECSuccess) {
+ if (pk->u.rsa.modulus.len == 2 &&
+ pk->u.rsa.modulus.data[0] == SEC_ASN1_INTEGER &&
+ pk->u.rsa.modulus.data[1] == 0 &&
+ pk->u.rsa.publicExponent.len == 1 &&
+ pk->u.rsa.publicExponent.data[0] == 0) {
+ /* Fix the zero-length integer by setting it to 0. */
+ pk->u.rsa.modulus.data = pk->u.rsa.publicExponent.data;
+ pk->u.rsa.modulus.len = pk->u.rsa.publicExponent.len;
+ } else {
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ rv = SECFailure;
+ }
+ }
+ break;
+ case SEC_OID_ANSIX9_DSA_SIGNATURE:
+ pk->keyType = NSSLOWKEYDSAKey;
+ lg_prepare_low_dsa_priv_key_for_asn1(pk);
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+ &pki->privateKey))
+ break;
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
+ lg_nsslowkey_DSAPrivateKeyTemplate,
+ &newPrivateKey);
+ if (rv != SECSuccess)
+ goto loser;
+ lg_prepare_low_pqg_params_for_asn1(&pk->u.dsa.params);
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newAlgParms,
+ &pki->algorithm.parameters))
+ break;
+ rv = SEC_QuickDERDecodeItem(permarena, &pk->u.dsa.params,
+ lg_nsslowkey_PQGParamsTemplate,
+ &newAlgParms);
+ break;
+ case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+ pk->keyType = NSSLOWKEYDHKey;
+ lg_prepare_low_dh_priv_key_for_asn1(pk);
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+ &pki->privateKey))
+ break;
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
+ lg_nsslowkey_DHPrivateKeyTemplate,
+ &newPrivateKey);
+ break;
+ case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+ pk->keyType = NSSLOWKEYECKey;
+ lg_prepare_low_ec_priv_key_for_asn1(pk);
+
+#ifdef EC_DEBUG
+ fordebug = &pki->privateKey;
+ SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey",
+ pk->keyType, fordebug);
+#endif
+ if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
+ &pki->privateKey))
+ break;
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
+ lg_nsslowkey_ECPrivateKeyTemplate,
+ &newPrivateKey);
+ if (rv != SECSuccess)
+ goto loser;
+
+ lg_prepare_low_ecparams_for_asn1(&pk->u.ec.ecParams);
+
+ rv = SECITEM_CopyItem(permarena,
+ &pk->u.ec.ecParams.DEREncoding,
+ &pki->algorithm.parameters);
+
+ if (rv != SECSuccess)
+ goto loser;
+
+ /* Fill out the rest of EC params */
+ rv = LGEC_FillParams(permarena, &pk->u.ec.ecParams.DEREncoding,
+ &pk->u.ec.ecParams);
+
+ if (rv != SECSuccess)
+ goto loser;
+
+ if (pk->u.ec.publicValue.len != 0) {
+ pk->u.ec.publicValue.len >>= 3;
+ }
+
+ break;
+ default:
+ rv = SECFailure;
+ break;
+ }
+ } else if (PORT_GetError() == SEC_ERROR_BAD_DER) {
+ PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+ goto loser;
+ }
+ }
+
+/* let success fall through */
+loser:
+ if (temparena != NULL)
+ PORT_FreeArena(temparena, PR_TRUE);
+ if (dest != NULL)
+ SECITEM_ZfreeItem(dest, PR_TRUE);
+
+ if (rv != SECSuccess) {
+ if (permarena != NULL)
+ PORT_FreeArena(permarena, PR_TRUE);
+ pk = NULL;
+ }
+
+ return pk;
+}
+
+static NSSLOWKEYPrivateKey *
+seckey_decode_encrypted_private_key(NSSLOWKEYDBKey *dbkey, SDB *sdbpw)
+{
+ if ((dbkey == NULL) || (sdbpw == NULL)) {
+ return NULL;
+ }
+
+ return seckey_decrypt_private_key(&(dbkey->derPK), sdbpw);
+}
+
+static NSSLOWKEYPrivateKey *
+seckey_get_private_key(NSSLOWKEYDBHandle *keydb, DBT *index, char **nickname,
+ SDB *sdbpw)
+{
+ NSSLOWKEYDBKey *dbkey = NULL;
+ NSSLOWKEYPrivateKey *pk = NULL;
+
+ if ((keydb == NULL) || (index == NULL) || (sdbpw == NULL)) {
+ return NULL;
+ }
+
+ dbkey = get_dbkey(keydb, index);
+ if (dbkey == NULL) {
+ goto loser;
+ }
+
+ if (nickname) {
+ if (dbkey->nickname && (dbkey->nickname[0] != 0)) {
+ *nickname = PORT_Strdup(dbkey->nickname);
+ } else {
+ *nickname = NULL;
+ }
+ }
+
+ pk = seckey_decode_encrypted_private_key(dbkey, sdbpw);
+
+/* let success fall through */
+loser:
+
+ if (dbkey != NULL) {
+ sec_destroy_dbkey(dbkey);
+ }
+
+ return pk;
+}
+
+/*
+ * Find a key in the database, indexed by its public key modulus
+ * This is used to find keys that have been stored before their
+ * certificate arrives. Once the certificate arrives the key
+ * is looked up by the public modulus in the certificate, and the
+ * re-stored by its nickname.
+ */
+NSSLOWKEYPrivateKey *
+nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus,
+ SDB *sdbpw)
+{
+ DBT namekey;
+ NSSLOWKEYPrivateKey *pk = NULL;
+
+ if (handle == NULL) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return NULL;
+ }
+
+ /* set up db key */
+ namekey.data = modulus->data;
+ namekey.size = modulus->len;
+
+ pk = seckey_get_private_key(handle, &namekey, NULL, sdbpw);
+
+ /* no need to free dbkey, since its on the stack, and the data it
+ * points to is owned by the database
+ */
+ return (pk);
+}
+
+char *
+nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
+ SECItem *modulus, SDB *sdbpw)
+{
+ DBT namekey;
+ NSSLOWKEYPrivateKey *pk = NULL;
+ char *nickname = NULL;
+
+ if (handle == NULL) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return NULL;
+ }
+
+ /* set up db key */
+ namekey.data = modulus->data;
+ namekey.size = modulus->len;
+
+ pk = seckey_get_private_key(handle, &namekey, &nickname, sdbpw);
+ if (pk) {
+ lg_nsslowkey_DestroyPrivateKey(pk);
+ }
+
+ /* no need to free dbkey, since its on the stack, and the data it
+ * points to is owned by the database
+ */
+ return (nickname);
+}
+/* ===== ENCODING ROUTINES ===== */
+
+static SECStatus
+encodePWCheckEntry(PLArenaPool *arena, SECItem *entry, SECOidTag alg,
+ SECItem *encCheck)
+{
+ SECOidData *oidData;
+
+ oidData = SECOID_FindOIDByTag(alg);
+ if (oidData == NULL) {
+ return SECFailure;
+ }
+
+ entry->len = 1 + oidData->oid.len + encCheck->len;
+ if (arena) {
+ entry->data = (unsigned char *)PORT_ArenaAlloc(arena, entry->len);
+ } else {
+ entry->data = (unsigned char *)PORT_Alloc(entry->len);
+ }
+
+ if (entry->data == NULL) {
+ return SECFailure;
+ }
+
+ /* first length of oid */
+ entry->data[0] = (unsigned char)oidData->oid.len;
+ /* next oid itself */
+ PORT_Memcpy(&entry->data[1], oidData->oid.data, oidData->oid.len);
+ /* finally the encrypted check string */
+ PORT_Memcpy(&entry->data[1 + oidData->oid.len], encCheck->data,
+ encCheck->len);
+
+ return SECSuccess;
+}
+
+#define MAX_DB_SIZE 0xffff
+/*
+ * Clear out all the keys in the existing database
+ */
+static SECStatus
+nsslowkey_ResetKeyDB(NSSLOWKEYDBHandle *handle)
+{
+ SECStatus rv;
+ int errors = 0;
+
+ if (handle->db == NULL) {
+ return (SECSuccess);
+ }
+
+ if (handle->readOnly) {
+ /* set an error code */
+ return SECFailure;
+ }
+
+ if (handle->appname == NULL && handle->dbname == NULL) {
+ return SECFailure;
+ }
+
+ keydb_Close(handle);
+ if (handle->appname) {
+ handle->db =
+ rdbopen(handle->appname, handle->dbname, "key", NO_CREATE, NULL);
+ } else {
+ handle->db = dbopen(handle->dbname, NO_CREATE, 0600, DB_HASH, 0);
+ }
+ if (handle->db == NULL) {
+ /* set an error code */
+ return SECFailure;
+ }
+
+ rv = makeGlobalVersion(handle);
+ if (rv != SECSuccess) {
+ errors++;
+ goto done;
+ }
+
+ if (handle->global_salt) {
+ rv = StoreKeyDBGlobalSalt(handle, handle->global_salt);
+ } else {
+ rv = makeGlobalSalt(handle);
+ if (rv == SECSuccess) {
+ handle->global_salt = GetKeyDBGlobalSalt(handle);
+ }
+ }
+ if (rv != SECSuccess) {
+ errors++;
+ }
+
+done:
+ /* sync the database */
+ (void)keydb_Sync(handle, 0);
+ db_InitComplete(handle->db);
+
+ return (errors == 0 ? SECSuccess : SECFailure);
+}
+
+static int
+keydb_Get(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->get)(db, key, data, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static int
+keydb_Put(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret = 0;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->put)(db, key, data, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static int
+keydb_Sync(NSSLOWKEYDBHandle *kdb, unsigned int flags)
+{
+ int ret;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->sync)(db, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static int
+keydb_Del(NSSLOWKEYDBHandle *kdb, DBT *key, unsigned int flags)
+{
+ int ret;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->del)(db, key, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static int
+keydb_Seq(NSSLOWKEYDBHandle *kdb, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ PZ_Lock(kdbLock);
+
+ ret = (*db->seq)(db, key, data, flags);
+
+ (void)PZ_Unlock(kdbLock);
+
+ return (ret);
+}
+
+static void
+keydb_Close(NSSLOWKEYDBHandle *kdb)
+{
+ PRLock *kdbLock = kdb->lock;
+ DB *db = kdb->db;
+
+ PORT_Assert(kdbLock != NULL);
+ SKIP_AFTER_FORK(PZ_Lock(kdbLock));
+
+ (*db->close)(db);
+
+ SKIP_AFTER_FORK(PZ_Unlock(kdbLock));
+
+ return;
+}
+
+/*
+ * SDB Entry Points for the Key DB
+ */
+
+CK_RV
+lg_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2)
+{
+ NSSLOWKEYDBHandle *keydb;
+ NSSLOWKEYPasswordEntry entry;
+ SECStatus rv;
+
+ keydb = lg_getKeyDB(sdb);
+ if (keydb == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ if (PORT_Strcmp(id, "password") != 0) {
+ /* shouldn't happen */
+ return CKR_GENERAL_ERROR; /* no extra data stored */
+ }
+ rv = nsslowkey_GetPWCheckEntry(keydb, &entry);
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ item1->len = entry.salt.len;
+ PORT_Memcpy(item1->data, entry.salt.data, item1->len);
+ item2->len = entry.value.len;
+ PORT_Memcpy(item2->data, entry.value.data, item2->len);
+ return CKR_OK;
+}
+
+CK_RV
+lg_PutMetaData(SDB *sdb, const char *id,
+ const SECItem *item1, const SECItem *item2)
+{
+ NSSLOWKEYDBHandle *keydb;
+ NSSLOWKEYPasswordEntry entry;
+ SECStatus rv;
+
+ keydb = lg_getKeyDB(sdb);
+ if (keydb == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ if (PORT_Strcmp(id, "password") != 0) {
+ /* shouldn't happen */
+ return CKR_GENERAL_ERROR; /* no extra data stored */
+ }
+ entry.salt = *item1;
+ entry.value = *item2;
+ rv = nsslowkey_PutPWCheckEntry(keydb, &entry);
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ return CKR_OK;
+}
+
+CK_RV
+lg_DestroyMetaData(SDB *db, const char *id)
+{
+ return CKR_GENERAL_ERROR; /* no extra data stored */
+}
+
+CK_RV
+lg_Reset(SDB *sdb)
+{
+ NSSLOWKEYDBHandle *keydb;
+ SECStatus rv;
+
+ keydb = lg_getKeyDB(sdb);
+ if (keydb == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ rv = nsslowkey_ResetKeyDB(keydb);
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/legacydb/keydbi.h b/security/nss/lib/softoken/legacydb/keydbi.h
new file mode 100644
index 0000000000..783c98ecc3
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/keydbi.h
@@ -0,0 +1,52 @@
+/*
+ * private.h - Private data structures for the software token library
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _KEYDBI_H_
+#define _KEYDBI_H_
+
+#include "nspr.h"
+#include "seccomon.h"
+#include "mcom_db.h"
+
+/*
+ * Handle structure for open key databases
+ */
+struct NSSLOWKEYDBHandleStr {
+ DB *db;
+ DB *updatedb; /* used when updating an old version */
+ SECItem *global_salt; /* password hashing salt for this db */
+ int version; /* version of the database */
+ char *appname; /* multiaccess app name */
+ char *dbname; /* name of the openned DB */
+ PRBool readOnly; /* is the DB read only */
+ PRLock *lock;
+ PRInt32 ref; /* reference count */
+};
+
+/*
+** Typedef for callback for traversing key database.
+** "key" is the key used to index the data in the database (nickname)
+** "data" is the key data
+** "pdata" is the user's data
+*/
+typedef SECStatus (*NSSLOWKEYTraverseKeysFunc)(DBT *key, DBT *data, void *pdata);
+
+SEC_BEGIN_PROTOS
+
+/*
+** Traverse the entire key database, and pass the nicknames and keys to a
+** user supplied function.
+** "f" is the user function to call for each key
+** "udata" is the user's data, which is passed through to "f"
+*/
+extern SECStatus nsslowkey_TraverseKeys(NSSLOWKEYDBHandle *handle,
+ NSSLOWKEYTraverseKeysFunc f,
+ void *udata);
+
+SEC_END_PROTOS
+
+#endif /* _KEYDBI_H_ */
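Review bot: The file header comment at the top of the hunk names the file `private.h`, but the file being added is keydbi.h; `* keydbi.h - Private data structures for the legacy key database` would describe it. The include guard `_KEYDBI_H_` starts with an underscore followed by an uppercase letter, a name reserved for the implementation in C, so `KEYDBI_H` would be the safer spelling. The prototype of nsslowkey_TraverseKeys uses `NSSLOWKEYDBHandle`, whose typedef is not supplied by nspr.h, seccomon.h or mcom_db.h, so the header appears to depend on its includer having pulled in the defining header first (presumably lowkeyti.h); including it here would make keydbi.h self-contained. The field comment on `dbname` also misspells "opened" (`char *dbname; /* name of the opened DB */`).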
diff --git a/security/nss/lib/softoken/legacydb/legacydb.gyp b/security/nss/lib/softoken/legacydb/legacydb.gyp
new file mode 100644
index 0000000000..34c0235bdd
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/legacydb.gyp
@@ -0,0 +1,66 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'nssdbm',
+ 'type': 'static_library',
+ 'sources': [
+ 'dbmshim.c',
+ 'keydb.c',
+ 'lgattr.c',
+ 'lgcreate.c',
+ 'lgdestroy.c',
+ 'lgfind.c',
+ 'lgfips.c',
+ 'lginit.c',
+ 'lgutil.c',
+ 'lowcert.c',
+ 'lowkey.c',
+ 'pcertdb.c',
+ 'pk11db.c'
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:dbm_exports',
+ '<(DEPTH)/exports.gyp:nss_exports',
+ '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
+ '<(DEPTH)/lib/dbm/src/src.gyp:dbm'
+ ]
+ },
+ {
+ 'target_name': 'nssdbm3',
+ 'type': 'shared_library',
+ 'dependencies': [
+ 'nssdbm'
+ ],
+ 'conditions': [
+ [ 'moz_fold_libs==0', {
+ 'dependencies': [
+ '<(DEPTH)/lib/util/util.gyp:nssutil3',
+ ],
+ }, {
+ 'libraries': [
+ '<(moz_folded_library_name)',
+ ],
+ }],
+ ],
+ 'variables': {
+ 'mapfile': 'nssdbm.def'
+ }
+ }
+ ],
+ 'target_defaults': {
+ 'defines': [
+ 'SHLIB_SUFFIX=\"<(dll_suffix)\"',
+ 'SHLIB_PREFIX=\"<(dll_prefix)\"',
+ 'LG_LIB_NAME=\"<(dll_prefix)nssdbm3.<(dll_suffix)\"'
+ ]
+ },
+ 'variables': {
+ 'module': 'nss'
+ }
+}
diff --git a/security/nss/lib/softoken/legacydb/lgattr.c b/security/nss/lib/softoken/legacydb/lgattr.c
new file mode 100644
index 0000000000..cbc708a3fa
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgattr.c
@@ -0,0 +1,1782 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "lgdb.h"
+
+#include "pcertt.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "blapi.h"
+#include "secerr.h"
+#include "secasn1.h"
+
+/*
+ * Cache the object we are working on during Set's and Get's
+ */
+typedef struct LGObjectCacheStr {
+ CK_OBJECT_CLASS objclass;
+ CK_OBJECT_HANDLE handle;
+ SDB *sdb;
+ void *objectInfo;
+ LGFreeFunc infoFree;
+ SECItem dbKey;
+} LGObjectCache;
+
+static const CK_OBJECT_HANDLE lg_classArray[] = {
+ 0, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY,
+ CKO_NSS_TRUST, CKO_NSS_CRL, CKO_NSS_SMIME,
+ CKO_CERTIFICATE
+};
+
+#define handleToClass(handle) \
+ lg_classArray[((handle & LG_TOKEN_TYPE_MASK)) >> LG_TOKEN_TYPE_SHIFT]
+
+static void lg_DestroyObjectCache(LGObjectCache *obj);
+
+static LGObjectCache *
+lg_NewObjectCache(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE handle)
+{
+ LGObjectCache *obj = NULL;
+ SECStatus rv;
+
+ obj = PORT_New(LGObjectCache);
+ if (obj == NULL) {
+ return NULL;
+ }
+
+ obj->objclass = handleToClass(handle);
+ obj->handle = handle;
+ obj->sdb = sdb;
+ obj->objectInfo = NULL;
+ obj->infoFree = NULL;
+ obj->dbKey.data = NULL;
+ obj->dbKey.len = 0;
+ lg_DBLock(sdb);
+ if (dbKey == NULL) {
+ dbKey = lg_lookupTokenKeyByHandle(sdb, handle);
+ }
+ if (dbKey == NULL) {
+ lg_DBUnlock(sdb);
+ goto loser;
+ }
+ rv = SECITEM_CopyItem(NULL, &obj->dbKey, dbKey);
+ lg_DBUnlock(sdb);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ return obj;
+loser:
+ (void)lg_DestroyObjectCache(obj);
+ return NULL;
+}
+
+/*
+ * free all the data associated with an object. Object reference count must
+ * be 'zero'.
+ */
+static void
+lg_DestroyObjectCache(LGObjectCache *obj)
+{
+ if (obj->dbKey.data) {
+ PORT_Free(obj->dbKey.data);
+ obj->dbKey.data = NULL;
+ }
+ if (obj->objectInfo) {
+ (*obj->infoFree)(obj->objectInfo);
+ obj->objectInfo = NULL;
+ obj->infoFree = NULL;
+ }
+ PORT_Free(obj);
+}
+/*
+ * ******************** Attribute Utilities *******************************
+ */
+
+static CK_RV
+lg_ULongAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE type, CK_ULONG value)
+{
+ unsigned char *data;
+ int i;
+
+ if (attr->pValue == NULL) {
+ attr->ulValueLen = 4;
+ return CKR_OK;
+ }
+ if (attr->ulValueLen < 4) {
+ attr->ulValueLen = (CK_ULONG)-1;
+ return CKR_BUFFER_TOO_SMALL;
+ }
+
+ data = (unsigned char *)attr->pValue;
+ for (i = 0; i < 4; i++) {
+ data[i] = (value >> ((3 - i) * 8)) & 0xff;
+ }
+ attr->ulValueLen = 4;
+ return CKR_OK;
+}
+
+static CK_RV
+lg_CopyAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE_TYPE type,
+ CK_VOID_PTR value, CK_ULONG len)
+{
+
+ if (attr->pValue == NULL) {
+ attr->ulValueLen = len;
+ return CKR_OK;
+ }
+ if (attr->ulValueLen < len) {
+ attr->ulValueLen = (CK_ULONG)-1;
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ if (len > 0 && value != NULL) {
+ PORT_Memcpy(attr->pValue, value, len);
+ }
+ attr->ulValueLen = len;
+ return CKR_OK;
+}
+
+static CK_RV
+lg_CopyAttributeSigned(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type,
+ void *value, CK_ULONG len)
+{
+ unsigned char *dval = (unsigned char *)value;
+ if (*dval == 0) {
+ dval++;
+ len--;
+ }
+ return lg_CopyAttribute(attribute, type, dval, len);
+}
+
+static CK_RV
+lg_CopyPrivAttribute(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type,
+ void *value, CK_ULONG len, SDB *sdbpw)
+{
+ SECItem plainText, *cipherText = NULL;
+ CK_RV crv = CKR_USER_NOT_LOGGED_IN;
+ SECStatus rv;
+
+ plainText.data = value;
+ plainText.len = len;
+ rv = lg_util_encrypt(NULL, sdbpw, &plainText, &cipherText);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ crv = lg_CopyAttribute(attribute, type, cipherText->data, cipherText->len);
+loser:
+ if (cipherText) {
+ SECITEM_FreeItem(cipherText, PR_TRUE);
+ }
+ return crv;
+}
+
+static CK_RV
+lg_CopyPrivAttrSigned(CK_ATTRIBUTE *attribute, CK_ATTRIBUTE_TYPE type,
+ void *value, CK_ULONG len, SDB *sdbpw)
+{
+ unsigned char *dval = (unsigned char *)value;
+
+ if (*dval == 0) {
+ dval++;
+ len--;
+ }
+ return lg_CopyPrivAttribute(attribute, type, dval, len, sdbpw);
+}
+
+static CK_RV
+lg_invalidAttribute(CK_ATTRIBUTE *attr)
+{
+ attr->ulValueLen = (CK_ULONG)-1;
+ return CKR_ATTRIBUTE_TYPE_INVALID;
+}
+
+#define LG_DEF_ATTRIBUTE(value, len) \
+ { \
+ 0, value, len \
+ }
+
+#define LG_CLONE_ATTR(attribute, type, staticAttr) \
+ lg_CopyAttribute(attribute, type, staticAttr.pValue, staticAttr.ulValueLen)
+
+CK_BBOOL lg_staticTrueValue = CK_TRUE;
+CK_BBOOL lg_staticFalseValue = CK_FALSE;
+static const CK_ATTRIBUTE lg_StaticTrueAttr =
+ LG_DEF_ATTRIBUTE(&lg_staticTrueValue, sizeof(lg_staticTrueValue));
+static const CK_ATTRIBUTE lg_StaticFalseAttr =
+ LG_DEF_ATTRIBUTE(&lg_staticFalseValue, sizeof(lg_staticFalseValue));
+static const CK_ATTRIBUTE lg_StaticNullAttr = LG_DEF_ATTRIBUTE(NULL, 0);
+char lg_StaticOneValue = 1;
+
+/*
+ * helper functions which get the database and call the underlying
+ * low level database function.
+ */
+static char *
+lg_FindKeyNicknameByPublicKey(SDB *sdb, SECItem *dbKey)
+{
+ NSSLOWKEYDBHandle *keyHandle;
+ char *label;
+
+ keyHandle = lg_getKeyDB(sdb);
+ if (!keyHandle) {
+ return NULL;
+ }
+
+ label = nsslowkey_FindKeyNicknameByPublicKey(keyHandle, dbKey,
+ sdb);
+ return label;
+}
+
+NSSLOWKEYPrivateKey *
+lg_FindKeyByPublicKey(SDB *sdb, SECItem *dbKey)
+{
+ NSSLOWKEYPrivateKey *privKey;
+ NSSLOWKEYDBHandle *keyHandle;
+
+ keyHandle = lg_getKeyDB(sdb);
+ if (keyHandle == NULL) {
+ return NULL;
+ }
+ privKey = nsslowkey_FindKeyByPublicKey(keyHandle, dbKey, sdb);
+ if (privKey == NULL) {
+ return NULL;
+ }
+ return privKey;
+}
+
+static certDBEntrySMime *
+lg_getSMime(LGObjectCache *obj)
+{
+ certDBEntrySMime *entry;
+ NSSLOWCERTCertDBHandle *certHandle;
+
+ if (obj->objclass != CKO_NSS_SMIME) {
+ return NULL;
+ }
+ if (obj->objectInfo) {
+ return (certDBEntrySMime *)obj->objectInfo;
+ }
+
+ certHandle = lg_getCertDB(obj->sdb);
+ if (!certHandle) {
+ return NULL;
+ }
+ entry = nsslowcert_ReadDBSMimeEntry(certHandle, (char *)obj->dbKey.data);
+ obj->objectInfo = (void *)entry;
+ obj->infoFree = (LGFreeFunc)nsslowcert_DestroyDBEntry;
+ return entry;
+}
+
+static certDBEntryRevocation *
+lg_getCrl(LGObjectCache *obj)
+{
+ certDBEntryRevocation *crl;
+ PRBool isKrl;
+ NSSLOWCERTCertDBHandle *certHandle;
+
+ if (obj->objclass != CKO_NSS_CRL) {
+ return NULL;
+ }
+ if (obj->objectInfo) {
+ return (certDBEntryRevocation *)obj->objectInfo;
+ }
+
+ isKrl = (PRBool)(obj->handle == LG_TOKEN_KRL_HANDLE);
+ certHandle = lg_getCertDB(obj->sdb);
+ if (!certHandle) {
+ return NULL;
+ }
+
+ crl = nsslowcert_FindCrlByKey(certHandle, &obj->dbKey, isKrl);
+ obj->objectInfo = (void *)crl;
+ obj->infoFree = (LGFreeFunc)nsslowcert_DestroyDBEntry;
+ return crl;
+}
+
+static NSSLOWCERTCertificate *
+lg_getCert(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle)
+{
+ NSSLOWCERTCertificate *cert;
+ CK_OBJECT_CLASS objClass = obj->objclass;
+
+ if ((objClass != CKO_CERTIFICATE) && (objClass != CKO_NSS_TRUST)) {
+ return NULL;
+ }
+ if (objClass == CKO_CERTIFICATE && obj->objectInfo) {
+ return (NSSLOWCERTCertificate *)obj->objectInfo;
+ }
+ cert = nsslowcert_FindCertByKey(certHandle, &obj->dbKey);
+ if (objClass == CKO_CERTIFICATE) {
+ obj->objectInfo = (void *)cert;
+ obj->infoFree = (LGFreeFunc)nsslowcert_DestroyCertificate;
+ }
+ return cert;
+}
+
+static NSSLOWCERTTrust *
+lg_getTrust(LGObjectCache *obj, NSSLOWCERTCertDBHandle *certHandle)
+{
+ NSSLOWCERTTrust *trust;
+
+ if (obj->objclass != CKO_NSS_TRUST) {
+ return NULL;
+ }
+ if (obj->objectInfo) {
+ return (NSSLOWCERTTrust *)obj->objectInfo;
+ }
+ trust = nsslowcert_FindTrustByKey(certHandle, &obj->dbKey);
+ obj->objectInfo = (void *)trust;
+ obj->infoFree = (LGFreeFunc)nsslowcert_DestroyTrust;
+ return trust;
+}
+
+static NSSLOWKEYPublicKey *
+lg_GetPublicKey(LGObjectCache *obj)
+{
+ NSSLOWKEYPublicKey *pubKey;
+ NSSLOWKEYPrivateKey *privKey;
+
+ if (obj->objclass != CKO_PUBLIC_KEY) {
+ return NULL;
+ }
+ if (obj->objectInfo) {
+ return (NSSLOWKEYPublicKey *)obj->objectInfo;
+ }
+ privKey = lg_FindKeyByPublicKey(obj->sdb, &obj->dbKey);
+ if (privKey == NULL) {
+ return NULL;
+ }
+ pubKey = lg_nsslowkey_ConvertToPublicKey(privKey);
+ lg_nsslowkey_DestroyPrivateKey(privKey);
+ obj->objectInfo = (void *)pubKey;
+ obj->infoFree = (LGFreeFunc)lg_nsslowkey_DestroyPublicKey;
+ return pubKey;
+}
+
+/*
+ * we need two versions of lg_GetPrivateKey. One version that takes the
+ * DB handle so we can pass the handle we have already acquired in,
+ * rather than going through the 'getKeyDB' code again,
+ * which may fail the second time and another which just aquires
+ * the key handle from the sdb (where we don't already have a key handle.
+ * This version does the former.
+ */
+static NSSLOWKEYPrivateKey *
+lg_GetPrivateKeyWithDB(LGObjectCache *obj, NSSLOWKEYDBHandle *keyHandle)
+{
+ NSSLOWKEYPrivateKey *privKey;
+
+ if ((obj->objclass != CKO_PRIVATE_KEY) &&
+ (obj->objclass != CKO_SECRET_KEY)) {
+ return NULL;
+ }
+ if (obj->objectInfo) {
+ return (NSSLOWKEYPrivateKey *)obj->objectInfo;
+ }
+ privKey = nsslowkey_FindKeyByPublicKey(keyHandle, &obj->dbKey, obj->sdb);
+ if (privKey == NULL) {
+ return NULL;
+ }
+ obj->objectInfo = (void *)privKey;
+ obj->infoFree = (LGFreeFunc)lg_nsslowkey_DestroyPrivateKey;
+ return privKey;
+}
+
+/* this version does the latter */
+static NSSLOWKEYPrivateKey *
+lg_GetPrivateKey(LGObjectCache *obj)
+{
+ NSSLOWKEYDBHandle *keyHandle;
+ NSSLOWKEYPrivateKey *privKey;
+
+ keyHandle = lg_getKeyDB(obj->sdb);
+ if (!keyHandle) {
+ return NULL;
+ }
+ privKey = lg_GetPrivateKeyWithDB(obj, keyHandle);
+ return privKey;
+}
+
+/* lg_GetPubItem returns data associated with the public key.
+ * one only needs to free the public key. This comment is here
+ * because this sematic would be non-obvious otherwise. All callers
+ * should include this comment.
+ */
+static SECItem *
+lg_GetPubItem(NSSLOWKEYPublicKey *pubKey)
+{
+ SECItem *pubItem = NULL;
+ /* get value to compare from the cert's public key */
+ switch (pubKey->keyType) {
+ case NSSLOWKEYRSAKey:
+ pubItem = &pubKey->u.rsa.modulus;
+ break;
+ case NSSLOWKEYDSAKey:
+ pubItem = &pubKey->u.dsa.publicValue;
+ break;
+ case NSSLOWKEYDHKey:
+ pubItem = &pubKey->u.dh.publicValue;
+ break;
+ case NSSLOWKEYECKey:
+ pubItem = &pubKey->u.ec.publicValue;
+ break;
+ default:
+ break;
+ }
+ return pubItem;
+}
+
+static CK_RV
+lg_FindRSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ unsigned char hash[SHA1_LENGTH];
+ CK_KEY_TYPE keyType = CKK_RSA;
+
+ switch (type) {
+ case CKA_KEY_TYPE:
+ return lg_ULongAttribute(attribute, type, keyType);
+ case CKA_ID:
+ SHA1_HashBuf(hash, key->u.rsa.modulus.data, key->u.rsa.modulus.len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_DERIVE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_ENCRYPT:
+ case CKA_VERIFY:
+ case CKA_VERIFY_RECOVER:
+ case CKA_WRAP:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_MODULUS:
+ return lg_CopyAttributeSigned(attribute, type, key->u.rsa.modulus.data,
+ key->u.rsa.modulus.len);
+ case CKA_PUBLIC_EXPONENT:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.rsa.publicExponent.data,
+ key->u.rsa.publicExponent.len);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindDSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ unsigned char hash[SHA1_LENGTH];
+ CK_KEY_TYPE keyType = CKK_DSA;
+
+ switch (type) {
+ case CKA_KEY_TYPE:
+ return lg_ULongAttribute(attribute, type, keyType);
+ case CKA_ID:
+ SHA1_HashBuf(hash, key->u.dsa.publicValue.data,
+ key->u.dsa.publicValue.len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_DERIVE:
+ case CKA_ENCRYPT:
+ case CKA_VERIFY_RECOVER:
+ case CKA_WRAP:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_VERIFY:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_VALUE:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dsa.publicValue.data,
+ key->u.dsa.publicValue.len);
+ case CKA_PRIME:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dsa.params.prime.data,
+ key->u.dsa.params.prime.len);
+ case CKA_SUBPRIME:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dsa.params.subPrime.data,
+ key->u.dsa.params.subPrime.len);
+ case CKA_BASE:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dsa.params.base.data,
+ key->u.dsa.params.base.len);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindDHPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ unsigned char hash[SHA1_LENGTH];
+ CK_KEY_TYPE keyType = CKK_DH;
+
+ switch (type) {
+ case CKA_KEY_TYPE:
+ return lg_ULongAttribute(attribute, type, keyType);
+ case CKA_ID:
+ SHA1_HashBuf(hash, key->u.dh.publicValue.data, key->u.dh.publicValue.len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_DERIVE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_ENCRYPT:
+ case CKA_VERIFY:
+ case CKA_VERIFY_RECOVER:
+ case CKA_WRAP:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_VALUE:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dh.publicValue.data,
+ key->u.dh.publicValue.len);
+ case CKA_PRIME:
+ return lg_CopyAttributeSigned(attribute, type, key->u.dh.prime.data,
+ key->u.dh.prime.len);
+ case CKA_BASE:
+ return lg_CopyAttributeSigned(attribute, type, key->u.dh.base.data,
+ key->u.dh.base.len);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ unsigned char hash[SHA1_LENGTH];
+ CK_KEY_TYPE keyType = CKK_EC;
+
+ switch (type) {
+ case CKA_KEY_TYPE:
+ return lg_ULongAttribute(attribute, type, keyType);
+ case CKA_ID:
+ SHA1_HashBuf(hash, key->u.ec.publicValue.data,
+ key->u.ec.publicValue.len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_DERIVE:
+ case CKA_VERIFY:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_ENCRYPT:
+ case CKA_VERIFY_RECOVER:
+ case CKA_WRAP:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_EC_PARAMS:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.ec.ecParams.DEREncoding.data,
+ key->u.ec.ecParams.DEREncoding.len);
+ case CKA_EC_POINT:
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT")) {
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.ec.publicValue.data,
+ key->u.ec.publicValue.len);
+ } else {
+ SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
+ &(key->u.ec.publicValue),
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
+ CK_RV crv;
+ if (!pubValue) {
+ return CKR_HOST_MEMORY;
+ }
+ crv = lg_CopyAttributeSigned(attribute, type,
+ pubValue->data,
+ pubValue->len);
+ SECITEM_FreeItem(pubValue, PR_TRUE);
+ return crv;
+ }
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ NSSLOWKEYPublicKey *key;
+ CK_RV crv;
+ char *label;
+
+ switch (type) {
+ case CKA_PRIVATE:
+ case CKA_SENSITIVE:
+ case CKA_ALWAYS_SENSITIVE:
+ case CKA_NEVER_EXTRACTABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_MODIFIABLE:
+ case CKA_EXTRACTABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_SUBJECT:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ case CKA_START_DATE:
+ case CKA_END_DATE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ case CKA_LABEL:
+ label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
+ if (label == NULL) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ }
+ crv = lg_CopyAttribute(attribute, type, label, PORT_Strlen(label));
+ PORT_Free(label);
+ return crv;
+ default:
+ break;
+ }
+
+ key = lg_GetPublicKey(obj);
+ if (key == NULL) {
+ if (type == CKA_ID) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ }
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ switch (key->keyType) {
+ case NSSLOWKEYRSAKey:
+ return lg_FindRSAPublicKeyAttribute(key, type, attribute);
+ case NSSLOWKEYDSAKey:
+ return lg_FindDSAPublicKeyAttribute(key, type, attribute);
+ case NSSLOWKEYDHKey:
+ return lg_FindDHPublicKeyAttribute(key, type, attribute);
+ case NSSLOWKEYECKey:
+ return lg_FindECPublicKeyAttribute(key, type, attribute);
+ default:
+ break;
+ }
+
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindSecretKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ NSSLOWKEYPrivateKey *key;
+ char *label;
+ unsigned char *keyString;
+ CK_RV crv;
+ int keyTypeLen;
+ CK_ULONG keyLen;
+ CK_KEY_TYPE keyType;
+ PRUint32 keyTypeStorage;
+
+ switch (type) {
+ case CKA_PRIVATE:
+ case CKA_SENSITIVE:
+ case CKA_ALWAYS_SENSITIVE:
+ case CKA_EXTRACTABLE:
+ case CKA_DERIVE:
+ case CKA_ENCRYPT:
+ case CKA_DECRYPT:
+ case CKA_SIGN:
+ case CKA_VERIFY:
+ case CKA_WRAP:
+ case CKA_UNWRAP:
+ case CKA_MODIFIABLE:
+ case CKA_LOCAL:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_NEVER_EXTRACTABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_START_DATE:
+ case CKA_END_DATE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ case CKA_LABEL:
+ label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
+ if (label == NULL) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ }
+ crv = lg_CopyAttribute(attribute, type, label, PORT_Strlen(label));
+ PORT_Free(label);
+ return crv;
+ case CKA_ID:
+ return lg_CopyAttribute(attribute, type, obj->dbKey.data,
+ obj->dbKey.len);
+ case CKA_KEY_TYPE:
+ case CKA_VALUE_LEN:
+ case CKA_VALUE:
+ break;
+ default:
+ return lg_invalidAttribute(attribute);
+ }
+
+ key = lg_GetPrivateKey(obj);
+ if (key == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ switch (type) {
+ case CKA_KEY_TYPE:
+ /* handle legacy databases. In legacy databases key_type was stored
+ * in host order, with any leading zeros stripped off. Only key types
+ * under 0x1f (AES) were stored. We assume that any values which are
+ * either 1 byte long (big endian), or have byte[0] between 0 and
+ * 0x7f and bytes[1]-bytes[3] equal to '0' (little endian). All other
+ * values are assumed to be from the new database, which is always 4
+ * bytes in network order */
+ keyType = 0;
+ keyString = key->u.rsa.coefficient.data;
+ keyTypeLen = key->u.rsa.coefficient.len;
+
+ /*
+ * Because of various endian and word lengths The database may have
+ * stored the keyType value in one of the following formats:
+ * (kt) <= 0x1f
+ * length data
+ * Big Endian, pre-3.9, all lengths: 1 (kt)
+ * Little Endian, pre-3.9, 32 bits: 4 (kt) 0 0 0
+ * Little Endian, pre-3.9, 64 bits: 8 (kt) 0 0 0 0 0 0 0
+ * All platforms, 3.9, 32 bits: 4 0 0 0 (kt)
+ * Big Endian, 3.9, 64 bits: 8 0 0 0 (kt) 0 0 0 0
+ * Little Endian, 3.9, 64 bits: 8 0 0 0 0 0 0 0 (kt)
+ * All platforms, >= 3.9.1, all lengths: 4 (a) k1 k2 k3
+ * where (a) is 0 or >= 0x80. currently (a) can only be 0.
+ */
+ /*
+ * this key was written on a 64 bit platform with a using NSS 3.9
+ * or earlier. Reduce the 64 bit possibilities above. When we are
+ * through, we will only have:
+ *
+ * Big Endian, pre-3.9, all lengths: 1 (kt)
+ * Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0
+ * All platforms, 3.9, all lengths: 4 0 0 0 (kt)
+ * All platforms, => 3.9.1, all lengths: 4 (a) k1 k2 k3
+ */
+ if (keyTypeLen == 8) {
+ keyTypeStorage = *(PRUint32 *)keyString;
+ if (keyTypeStorage == 0) {
+ keyString += sizeof(PRUint32);
+ }
+ keyTypeLen = 4;
+ }
+ /*
+ * Now Handle:
+ *
+ * All platforms, 3.9, all lengths: 4 0 0 0 (kt)
+ * All platforms, => 3.9.1, all lengths: 4 (a) k1 k2 k3
+ *
+ * NOTE: if kt == 0 or ak1k2k3 == 0, the test fails and
+ * we handle it as:
+ *
+ * Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0
+ */
+ if (keyTypeLen == sizeof(keyTypeStorage) &&
+ (((keyString[0] & 0x80) == 0x80) ||
+ !((keyString[1] == 0) && (keyString[2] == 0) && (keyString[3] == 0)))) {
+ PORT_Memcpy(&keyTypeStorage, keyString, sizeof(keyTypeStorage));
+ keyType = (CK_KEY_TYPE)PR_ntohl(keyTypeStorage);
+ } else {
+ /*
+ * Now Handle:
+ *
+ * Big Endian, pre-3.9, all lengths: 1 (kt)
+ * Little Endian, pre-3.9, all lengths: 4 (kt) 0 0 0
+ * -- KeyType == 0 all other cases ---: 4 0 0 0 0
+ */
+ keyType = (CK_KEY_TYPE)keyString[0];
+ }
+ return lg_ULongAttribute(attribute, type, keyType);
+ case CKA_VALUE:
+ return lg_CopyPrivAttribute(attribute, type, key->u.rsa.privateExponent.data,
+ key->u.rsa.privateExponent.len, obj->sdb);
+ case CKA_VALUE_LEN:
+ keyLen = key->u.rsa.privateExponent.len;
+ return lg_ULongAttribute(attribute, type, keyLen);
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindRSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute, SDB *sdbpw)
+{
+ unsigned char hash[SHA1_LENGTH];
+ CK_KEY_TYPE keyType = CKK_RSA;
+
+ switch (type) {
+ case CKA_KEY_TYPE:
+ return lg_ULongAttribute(attribute, type, keyType);
+ case CKA_ID:
+ SHA1_HashBuf(hash, key->u.rsa.modulus.data, key->u.rsa.modulus.len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_DERIVE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_DECRYPT:
+ case CKA_SIGN:
+ case CKA_SIGN_RECOVER:
+ case CKA_UNWRAP:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_MODULUS:
+ return lg_CopyAttributeSigned(attribute, type, key->u.rsa.modulus.data,
+ key->u.rsa.modulus.len);
+ case CKA_PUBLIC_EXPONENT:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.rsa.publicExponent.data,
+ key->u.rsa.publicExponent.len);
+ case CKA_PRIVATE_EXPONENT:
+ return lg_CopyPrivAttrSigned(attribute, type,
+ key->u.rsa.privateExponent.data,
+ key->u.rsa.privateExponent.len, sdbpw);
+ case CKA_PRIME_1:
+ return lg_CopyPrivAttrSigned(attribute, type, key->u.rsa.prime1.data,
+ key->u.rsa.prime1.len, sdbpw);
+ case CKA_PRIME_2:
+ return lg_CopyPrivAttrSigned(attribute, type, key->u.rsa.prime2.data,
+ key->u.rsa.prime2.len, sdbpw);
+ case CKA_EXPONENT_1:
+ return lg_CopyPrivAttrSigned(attribute, type,
+ key->u.rsa.exponent1.data,
+ key->u.rsa.exponent1.len, sdbpw);
+ case CKA_EXPONENT_2:
+ return lg_CopyPrivAttrSigned(attribute, type,
+ key->u.rsa.exponent2.data,
+ key->u.rsa.exponent2.len, sdbpw);
+ case CKA_COEFFICIENT:
+ return lg_CopyPrivAttrSigned(attribute, type,
+ key->u.rsa.coefficient.data,
+ key->u.rsa.coefficient.len, sdbpw);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindDSAPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute, SDB *sdbpw)
+{
+ unsigned char hash[SHA1_LENGTH];
+ CK_KEY_TYPE keyType = CKK_DSA;
+
+ switch (type) {
+ case CKA_KEY_TYPE:
+ return lg_ULongAttribute(attribute, type, keyType);
+ case CKA_ID:
+ SHA1_HashBuf(hash, key->u.dsa.publicValue.data,
+ key->u.dsa.publicValue.len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_DERIVE:
+ case CKA_DECRYPT:
+ case CKA_SIGN_RECOVER:
+ case CKA_UNWRAP:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_SIGN:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_VALUE:
+ return lg_CopyPrivAttrSigned(attribute, type,
+ key->u.dsa.privateValue.data,
+ key->u.dsa.privateValue.len, sdbpw);
+ case CKA_PRIME:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dsa.params.prime.data,
+ key->u.dsa.params.prime.len);
+ case CKA_SUBPRIME:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dsa.params.subPrime.data,
+ key->u.dsa.params.subPrime.len);
+ case CKA_BASE:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dsa.params.base.data,
+ key->u.dsa.params.base.len);
+ case CKA_NSS_DB:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dsa.publicValue.data,
+ key->u.dsa.publicValue.len);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindDHPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute, SDB *sdbpw)
+{
+ unsigned char hash[SHA1_LENGTH];
+ CK_KEY_TYPE keyType = CKK_DH;
+
+ switch (type) {
+ case CKA_KEY_TYPE:
+ return lg_ULongAttribute(attribute, type, keyType);
+ case CKA_ID:
+ SHA1_HashBuf(hash, key->u.dh.publicValue.data, key->u.dh.publicValue.len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_DERIVE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_DECRYPT:
+ case CKA_SIGN:
+ case CKA_SIGN_RECOVER:
+ case CKA_UNWRAP:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_VALUE:
+ return lg_CopyPrivAttrSigned(attribute, type,
+ key->u.dh.privateValue.data,
+ key->u.dh.privateValue.len, sdbpw);
+ case CKA_PRIME:
+ return lg_CopyAttributeSigned(attribute, type, key->u.dh.prime.data,
+ key->u.dh.prime.len);
+ case CKA_BASE:
+ return lg_CopyAttributeSigned(attribute, type, key->u.dh.base.data,
+ key->u.dh.base.len);
+ case CKA_NSS_DB:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.dh.publicValue.data,
+ key->u.dh.publicValue.len);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute, SDB *sdbpw)
+{
+ unsigned char hash[SHA1_LENGTH];
+ CK_KEY_TYPE keyType = CKK_EC;
+
+ switch (type) {
+ case CKA_KEY_TYPE:
+ return lg_ULongAttribute(attribute, type, keyType);
+ case CKA_ID:
+ SHA1_HashBuf(hash, key->u.ec.publicValue.data, key->u.ec.publicValue.len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_DERIVE:
+ case CKA_SIGN:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_DECRYPT:
+ case CKA_SIGN_RECOVER:
+ case CKA_UNWRAP:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_VALUE:
+ return lg_CopyPrivAttribute(attribute, type,
+ key->u.ec.privateValue.data,
+ key->u.ec.privateValue.len, sdbpw);
+ case CKA_EC_PARAMS:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.ec.ecParams.DEREncoding.data,
+ key->u.ec.ecParams.DEREncoding.len);
+ case CKA_NSS_DB:
+ return lg_CopyAttributeSigned(attribute, type,
+ key->u.ec.publicValue.data,
+ key->u.ec.publicValue.len);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ NSSLOWKEYPrivateKey *key;
+ char *label;
+ CK_RV crv;
+
+ switch (type) {
+ case CKA_PRIVATE:
+ case CKA_SENSITIVE:
+ case CKA_ALWAYS_SENSITIVE:
+ case CKA_EXTRACTABLE:
+ case CKA_MODIFIABLE:
+ case CKA_LOCAL:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_NEVER_EXTRACTABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_SUBJECT:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ case CKA_START_DATE:
+ case CKA_END_DATE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ case CKA_LABEL:
+ label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
+ if (label == NULL) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ }
+ crv = lg_CopyAttribute(attribute, type, label, PORT_Strlen(label));
+ PORT_Free(label);
+ return crv;
+ default:
+ break;
+ }
+ key = lg_GetPrivateKey(obj);
+ if (key == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ switch (key->keyType) {
+ case NSSLOWKEYRSAKey:
+ return lg_FindRSAPrivateKeyAttribute(key, type, attribute, obj->sdb);
+ case NSSLOWKEYDSAKey:
+ return lg_FindDSAPrivateKeyAttribute(key, type, attribute, obj->sdb);
+ case NSSLOWKEYDHKey:
+ return lg_FindDHPrivateKeyAttribute(key, type, attribute, obj->sdb);
+ case NSSLOWKEYECKey:
+ return lg_FindECPrivateKeyAttribute(key, type, attribute, obj->sdb);
+ default:
+ break;
+ }
+
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindSMIMEAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ certDBEntrySMime *entry;
+ switch (type) {
+ case CKA_PRIVATE:
+ case CKA_MODIFIABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_NSS_EMAIL:
+ return lg_CopyAttribute(attribute, type, obj->dbKey.data,
+ obj->dbKey.len - 1);
+ case CKA_NSS_SMIME_TIMESTAMP:
+ case CKA_SUBJECT:
+ case CKA_VALUE:
+ break;
+ default:
+ return lg_invalidAttribute(attribute);
+ }
+ entry = lg_getSMime(obj);
+ if (entry == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ switch (type) {
+ case CKA_NSS_SMIME_TIMESTAMP:
+ return lg_CopyAttribute(attribute, type, entry->optionsDate.data,
+ entry->optionsDate.len);
+ case CKA_SUBJECT:
+ return lg_CopyAttribute(attribute, type, entry->subjectName.data,
+ entry->subjectName.len);
+ case CKA_VALUE:
+ return lg_CopyAttribute(attribute, type, entry->smimeOptions.data,
+ entry->smimeOptions.len);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindTrustAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ NSSLOWCERTTrust *trust;
+ NSSLOWCERTCertDBHandle *certHandle;
+ NSSLOWCERTCertificate *cert;
+ unsigned char hash[SHA1_LENGTH];
+ unsigned int trustFlags;
+ CK_RV crv = CKR_CANCEL;
+
+ switch (type) {
+ case CKA_PRIVATE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_MODIFIABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_CERT_SHA1_HASH:
+ case CKA_CERT_MD5_HASH:
+ case CKA_TRUST_CLIENT_AUTH:
+ case CKA_TRUST_SERVER_AUTH:
+ case CKA_TRUST_EMAIL_PROTECTION:
+ case CKA_TRUST_CODE_SIGNING:
+ case CKA_TRUST_STEP_UP_APPROVED:
+ case CKA_ISSUER:
+ case CKA_SERIAL_NUMBER:
+ break;
+ default:
+ return lg_invalidAttribute(attribute);
+ }
+ certHandle = lg_getCertDB(obj->sdb);
+ if (!certHandle) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ trust = lg_getTrust(obj, certHandle);
+ if (trust == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ switch (type) {
+ case CKA_CERT_SHA1_HASH:
+ SHA1_HashBuf(hash, trust->derCert->data, trust->derCert->len);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_CERT_MD5_HASH:
+ MD5_HashBuf(hash, trust->derCert->data, trust->derCert->len);
+ return lg_CopyAttribute(attribute, type, hash, MD5_LENGTH);
+ case CKA_TRUST_CLIENT_AUTH:
+ trustFlags = trust->trust->sslFlags &
+ CERTDB_TRUSTED_CLIENT_CA
+ ? trust->trust->sslFlags | CERTDB_TRUSTED_CA
+ : 0;
+ goto trust;
+ case CKA_TRUST_SERVER_AUTH:
+ trustFlags = trust->trust->sslFlags;
+ goto trust;
+ case CKA_TRUST_EMAIL_PROTECTION:
+ trustFlags = trust->trust->emailFlags;
+ goto trust;
+ case CKA_TRUST_CODE_SIGNING:
+ trustFlags = trust->trust->objectSigningFlags;
+ trust:
+ if (trustFlags & CERTDB_TRUSTED_CA) {
+ return lg_ULongAttribute(attribute, type,
+ CKT_NSS_TRUSTED_DELEGATOR);
+ }
+ if (trustFlags & CERTDB_TRUSTED) {
+ return lg_ULongAttribute(attribute, type, CKT_NSS_TRUSTED);
+ }
+ if (trustFlags & CERTDB_MUST_VERIFY) {
+ return lg_ULongAttribute(attribute, type,
+ CKT_NSS_MUST_VERIFY_TRUST);
+ }
+ if (trustFlags & CERTDB_TRUSTED_UNKNOWN) {
+ return lg_ULongAttribute(attribute, type, CKT_NSS_TRUST_UNKNOWN);
+ }
+ if (trustFlags & CERTDB_VALID_CA) {
+ return lg_ULongAttribute(attribute, type, CKT_NSS_VALID_DELEGATOR);
+ }
+ if (trustFlags & CERTDB_TERMINAL_RECORD) {
+ return lg_ULongAttribute(attribute, type, CKT_NSS_NOT_TRUSTED);
+ }
+ return lg_ULongAttribute(attribute, type, CKT_NSS_TRUST_UNKNOWN);
+ case CKA_TRUST_STEP_UP_APPROVED:
+ if (trust->trust->sslFlags & CERTDB_GOVT_APPROVED_CA) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ } else {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ }
+ default:
+ break;
+ }
+
+ switch (type) {
+ case CKA_ISSUER:
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL)
+ break;
+ crv = lg_CopyAttribute(attribute, type, cert->derIssuer.data,
+ cert->derIssuer.len);
+ break;
+ case CKA_SERIAL_NUMBER:
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL)
+ break;
+ crv = lg_CopyAttribute(attribute, type, cert->derSN.data,
+ cert->derSN.len);
+ break;
+ default:
+ cert = NULL;
+ break;
+ }
+ if (cert) {
+ nsslowcert_DestroyCertificate(cert);
+ return crv;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindCrlAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ certDBEntryRevocation *crl;
+
+ switch (type) {
+ case CKA_PRIVATE:
+ case CKA_MODIFIABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_NSS_KRL:
+ return ((obj->handle == LG_TOKEN_KRL_HANDLE)
+ ? LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr)
+ : LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr));
+ case CKA_SUBJECT:
+ return lg_CopyAttribute(attribute, type, obj->dbKey.data,
+ obj->dbKey.len);
+ case CKA_NSS_URL:
+ case CKA_VALUE:
+ break;
+ default:
+ return lg_invalidAttribute(attribute);
+ }
+ crl = lg_getCrl(obj);
+ if (!crl) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ switch (type) {
+ case CKA_NSS_URL:
+ if (crl->url == NULL) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ }
+ return lg_CopyAttribute(attribute, type, crl->url,
+ PORT_Strlen(crl->url) + 1);
+ case CKA_VALUE:
+ return lg_CopyAttribute(attribute, type, crl->derCrl.data,
+ crl->derCrl.len);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+static CK_RV
+lg_FindCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *attribute)
+{
+ NSSLOWCERTCertificate *cert;
+ NSSLOWCERTCertDBHandle *certHandle;
+ NSSLOWKEYPublicKey *pubKey;
+ unsigned char hash[SHA1_LENGTH];
+ SECItem *item;
+
+ switch (type) {
+ case CKA_PRIVATE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
+ case CKA_MODIFIABLE:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_CERTIFICATE_TYPE:
+ /* hardcoding X.509 into here */
+ return lg_ULongAttribute(attribute, type, CKC_X_509);
+ case CKA_VALUE:
+ case CKA_ID:
+ case CKA_LABEL:
+ case CKA_SUBJECT:
+ case CKA_ISSUER:
+ case CKA_SERIAL_NUMBER:
+ case CKA_NSS_EMAIL:
+ break;
+ default:
+ return lg_invalidAttribute(attribute);
+ }
+
+ certHandle = lg_getCertDB(obj->sdb);
+ if (certHandle == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ switch (type) {
+ case CKA_VALUE:
+ return lg_CopyAttribute(attribute, type, cert->derCert.data,
+ cert->derCert.len);
+ case CKA_ID:
+ if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
+ ((cert->trust->emailFlags & CERTDB_USER) == 0) &&
+ ((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ }
+ pubKey = nsslowcert_ExtractPublicKey(cert);
+ if (pubKey == NULL)
+ break;
+ item = lg_GetPubItem(pubKey);
+ if (item == NULL) {
+ lg_nsslowkey_DestroyPublicKey(pubKey);
+ break;
+ }
+ SHA1_HashBuf(hash, item->data, item->len);
+ /* item is imbedded in pubKey, just free the key */
+ lg_nsslowkey_DestroyPublicKey(pubKey);
+ return lg_CopyAttribute(attribute, type, hash, SHA1_LENGTH);
+ case CKA_LABEL:
+ return cert->nickname
+ ? lg_CopyAttribute(attribute, type, cert->nickname,
+ PORT_Strlen(cert->nickname))
+ : LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ case CKA_SUBJECT:
+ return lg_CopyAttribute(attribute, type, cert->derSubject.data,
+ cert->derSubject.len);
+ case CKA_ISSUER:
+ return lg_CopyAttribute(attribute, type, cert->derIssuer.data,
+ cert->derIssuer.len);
+ case CKA_SERIAL_NUMBER:
+ return lg_CopyAttribute(attribute, type, cert->derSN.data,
+ cert->derSN.len);
+ case CKA_NSS_EMAIL:
+ return (cert->emailAddr && cert->emailAddr[0])
+ ? lg_CopyAttribute(attribute, type, cert->emailAddr,
+ PORT_Strlen(cert->emailAddr))
+ : LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+CK_RV
+lg_GetSingleAttribute(LGObjectCache *obj, CK_ATTRIBUTE *attribute)
+{
+ /* handle the common ones */
+ CK_ATTRIBUTE_TYPE type = attribute->type;
+ switch (type) {
+ case CKA_CLASS:
+ return lg_ULongAttribute(attribute, type, obj->objclass);
+ case CKA_TOKEN:
+ return LG_CLONE_ATTR(attribute, type, lg_StaticTrueAttr);
+ case CKA_LABEL:
+ if ((obj->objclass == CKO_CERTIFICATE) ||
+ (obj->objclass == CKO_PRIVATE_KEY) ||
+ (obj->objclass == CKO_PUBLIC_KEY) ||
+ (obj->objclass == CKO_SECRET_KEY)) {
+ break;
+ }
+ return LG_CLONE_ATTR(attribute, type, lg_StaticNullAttr);
+ default:
+ break;
+ }
+ switch (obj->objclass) {
+ case CKO_CERTIFICATE:
+ return lg_FindCertAttribute(obj, type, attribute);
+ case CKO_NSS_CRL:
+ return lg_FindCrlAttribute(obj, type, attribute);
+ case CKO_NSS_TRUST:
+ return lg_FindTrustAttribute(obj, type, attribute);
+ case CKO_NSS_SMIME:
+ return lg_FindSMIMEAttribute(obj, type, attribute);
+ case CKO_PUBLIC_KEY:
+ return lg_FindPublicKeyAttribute(obj, type, attribute);
+ case CKO_PRIVATE_KEY:
+ return lg_FindPrivateKeyAttribute(obj, type, attribute);
+ case CKO_SECRET_KEY:
+ return lg_FindSecretKeyAttribute(obj, type, attribute);
+ default:
+ break;
+ }
+ return lg_invalidAttribute(attribute);
+}
+
+/*
+ * Fill in the attribute template based on the data in the database.
+ */
+CK_RV
+lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle, CK_ATTRIBUTE *templ,
+ CK_ULONG count)
+{
+ LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
+ CK_RV crv, crvCollect = CKR_OK;
+ unsigned int i;
+
+ if (obj == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ for (i = 0; i < count; i++) {
+ crv = lg_GetSingleAttribute(obj, &templ[i]);
+ if (crvCollect == CKR_OK)
+ crvCollect = crv;
+ }
+
+ lg_DestroyObjectCache(obj);
+ return crvCollect;
+}
+
+PRBool
+lg_cmpAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attribute)
+{
+ unsigned char buf[LG_BUF_SPACE];
+ CK_ATTRIBUTE testAttr;
+ unsigned char *tempBuf = NULL;
+ PRBool match = PR_TRUE;
+ CK_RV crv;
+
+ /* we're going to compare 'attribute' with the actual attribute from
+ * the object. We'll use the length of 'attribute' to decide how much
+ * space we need to read the test attribute. If 'attribute' doesn't give
+ * enough space, then we know the values don't match and that will
+ * show up as ckr != CKR_OK */
+ testAttr = *attribute;
+ testAttr.pValue = buf;
+
+ /* if we don't have enough space, malloc it */
+ if (attribute->ulValueLen > LG_BUF_SPACE) {
+ tempBuf = PORT_Alloc(attribute->ulValueLen);
+ if (!tempBuf) {
+ return PR_FALSE;
+ }
+ testAttr.pValue = tempBuf;
+ }
+
+ /* get the attribute */
+ crv = lg_GetSingleAttribute(obj, &testAttr);
+ /* if the attribute was read OK, compare it */
+ if ((crv != CKR_OK) ||
+ (attribute->pValue == NULL) ||
+ (attribute->ulValueLen != testAttr.ulValueLen) ||
+ (PORT_Memcmp(attribute->pValue, testAttr.pValue, testAttr.ulValueLen) != 0)) {
+ /* something didn't match, this isn't the object we are looking for */
+ match = PR_FALSE;
+ }
+ /* free the buffer we may have allocated */
+ if (tempBuf) {
+ PORT_Free(tempBuf);
+ }
+ return match;
+}
+
+PRBool
+lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ PRBool match = PR_TRUE;
+ LGObjectCache *obj = lg_NewObjectCache(sdb, dbKey, class);
+ unsigned int i;
+
+ if (obj == NULL) {
+ return PR_FALSE;
+ }
+
+ for (i = 0; i < count; i++) {
+ match = lg_cmpAttribute(obj, &templ[i]);
+ if (!match) {
+ break;
+ }
+ }
+
+ /* done looking, free up our cache */
+ lg_DestroyObjectCache(obj);
+
+ /* if we get through the whole list without finding a mismatched attribute,
+ * then this object fits the criteria we are matching */
+ return match;
+}
+
+static CK_RV
+lg_SetCertAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len)
+{
+ NSSLOWCERTCertificate *cert;
+ NSSLOWCERTCertDBHandle *certHandle;
+ char *nickname = NULL;
+ SECStatus rv;
+ CK_RV crv;
+
+ /* we can't change the EMAIL values, but let the
+ * upper layers feel better about the fact we tried to set these */
+ if (type == CKA_NSS_EMAIL) {
+ return CKR_OK;
+ }
+
+ certHandle = lg_getCertDB(obj->sdb);
+ if (certHandle == NULL) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ goto done;
+ }
+
+ if ((type != CKA_LABEL) && (type != CKA_ID)) {
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ goto done;
+ }
+
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL) {
+ crv = CKR_OBJECT_HANDLE_INVALID;
+ goto done;
+ }
+
+ /* if the app is trying to set CKA_ID, it's probably because it just
+ * imported the key. Look to see if we need to set the CERTDB_USER bits.
+ */
+ if (type == CKA_ID) {
+ if (((cert->trust->sslFlags & CERTDB_USER) == 0) &&
+ ((cert->trust->emailFlags & CERTDB_USER) == 0) &&
+ ((cert->trust->objectSigningFlags & CERTDB_USER) == 0)) {
+ NSSLOWKEYDBHandle *keyHandle;
+
+ keyHandle = lg_getKeyDB(obj->sdb);
+ if (keyHandle) {
+ if (nsslowkey_KeyForCertExists(keyHandle, cert)) {
+ NSSLOWCERTCertTrust trust = *cert->trust;
+ trust.sslFlags |= CERTDB_USER;
+ trust.emailFlags |= CERTDB_USER;
+ trust.objectSigningFlags |= CERTDB_USER;
+ nsslowcert_ChangeCertTrust(certHandle, cert, &trust);
+ }
+ }
+ }
+ crv = CKR_OK;
+ goto done;
+ }
+
+ /* must be CKA_LABEL */
+ if (value != NULL) {
+ nickname = PORT_ZAlloc(len + 1);
+ if (nickname == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ PORT_Memcpy(nickname, value, len);
+ nickname[len] = 0;
+ }
+ rv = nsslowcert_AddPermNickname(certHandle, cert, nickname);
+ crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+
+done:
+ if (nickname) {
+ PORT_Free(nickname);
+ }
+ return crv;
+}
+
+static CK_RV
+lg_SetPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len,
+ PRBool *writePrivate)
+{
+ NSSLOWKEYPrivateKey *privKey;
+ NSSLOWKEYDBHandle *keyHandle;
+ char *nickname = NULL;
+ SECStatus rv;
+ CK_RV crv;
+
+ /* we can't change the ID and we don't store the subject, but let the
+ * upper layers feel better about the fact we tried to set these */
+ if ((type == CKA_ID) || (type == CKA_SUBJECT) ||
+ (type == CKA_LOCAL) || (type == CKA_NEVER_EXTRACTABLE) ||
+ (type == CKA_ALWAYS_SENSITIVE)) {
+ return CKR_OK;
+ }
+
+ keyHandle = lg_getKeyDB(obj->sdb);
+ if (keyHandle == NULL) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ goto done;
+ }
+
+ privKey = lg_GetPrivateKeyWithDB(obj, keyHandle);
+ if (privKey == NULL) {
+ crv = CKR_OBJECT_HANDLE_INVALID;
+ goto done;
+ }
+
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ switch (type) {
+ case CKA_LABEL:
+ if (value != NULL) {
+ nickname = PORT_ZAlloc(len + 1);
+ if (nickname == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ PORT_Memcpy(nickname, value, len);
+ nickname[len] = 0;
+ }
+ rv = nsslowkey_UpdateNickname(keyHandle, privKey, &obj->dbKey,
+ nickname, obj->sdb);
+ crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+ break;
+ case CKA_UNWRAP:
+ case CKA_SIGN:
+ case CKA_DERIVE:
+ case CKA_SIGN_RECOVER:
+ case CKA_DECRYPT:
+ /* ignore attempts to change restrict these.
+ * legacyDB ignore these flags and always presents all of them
+ * that are valid as true.
+ * NOTE: We only get here if the current value and the new value do
+ * not match. */
+ if (*(char *)value == 0) {
+ crv = CKR_OK;
+ }
+ break;
+ case CKA_VALUE:
+ case CKA_PRIVATE_EXPONENT:
+ case CKA_PRIME_1:
+ case CKA_PRIME_2:
+ case CKA_EXPONENT_1:
+ case CKA_EXPONENT_2:
+ case CKA_COEFFICIENT:
+ /* We aren't really changing these values, we are just triggering
+ * the database to update it's entry */
+ *writePrivate = PR_TRUE;
+ crv = CKR_OK;
+ break;
+ default:
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ break;
+ }
+done:
+ if (nickname) {
+ PORT_Free(nickname);
+ }
+ return crv;
+}
+
+static CK_RV
+lg_SetPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len,
+ PRBool *writePrivate)
+{
+ /* we can't change the ID and we don't store the subject, but let the
+ * upper layers feel better about the fact we tried to set these */
+ if ((type == CKA_ID) || (type == CKA_SUBJECT) || (type == CKA_LABEL)) {
+ return CKR_OK;
+ }
+ return CKR_ATTRIBUTE_READ_ONLY;
+}
+
+static CK_RV
+lg_SetTrustAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr)
+{
+ unsigned int flags;
+ CK_TRUST trust;
+ NSSLOWCERTCertificate *cert = NULL;
+ NSSLOWCERTCertDBHandle *certHandle;
+ NSSLOWCERTCertTrust dbTrust;
+ SECStatus rv;
+ CK_RV crv;
+
+ if (attr->type == CKA_LABEL) {
+ return CKR_OK;
+ }
+
+ crv = lg_GetULongAttribute(attr->type, attr, 1, &trust);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ flags = lg_MapTrust(trust, (PRBool)(attr->type == CKA_TRUST_CLIENT_AUTH));
+
+ certHandle = lg_getCertDB(obj->sdb);
+
+ if (certHandle == NULL) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ goto done;
+ }
+
+ cert = lg_getCert(obj, certHandle);
+ if (cert == NULL) {
+ crv = CKR_OBJECT_HANDLE_INVALID;
+ goto done;
+ }
+ dbTrust = *cert->trust;
+
+ switch (attr->type) {
+ case CKA_TRUST_EMAIL_PROTECTION:
+ dbTrust.emailFlags = flags |
+ (cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS);
+ break;
+ case CKA_TRUST_CODE_SIGNING:
+ dbTrust.objectSigningFlags = flags |
+ (cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS);
+ break;
+ case CKA_TRUST_CLIENT_AUTH:
+ dbTrust.sslFlags = flags | (cert->trust->sslFlags &
+ (CERTDB_PRESERVE_TRUST_BITS | CERTDB_TRUSTED_CA));
+ break;
+ case CKA_TRUST_SERVER_AUTH:
+ dbTrust.sslFlags = flags | (cert->trust->sslFlags &
+ (CERTDB_PRESERVE_TRUST_BITS | CERTDB_TRUSTED_CLIENT_CA));
+ break;
+ default:
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ goto done;
+ }
+
+ rv = nsslowcert_ChangeCertTrust(certHandle, cert, &dbTrust);
+ crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+done:
+ if (cert) {
+ nsslowcert_DestroyCertificate(cert);
+ }
+ return crv;
+}
+
+static CK_RV
+lg_SetSingleAttribute(LGObjectCache *obj, const CK_ATTRIBUTE *attr,
+ PRBool *writePrivate)
+{
+ CK_ATTRIBUTE attribLocal;
+ CK_RV crv;
+
+ if ((attr->type == CKA_NSS_DB) && (obj->objclass == CKO_PRIVATE_KEY)) {
+ *writePrivate = PR_TRUE;
+ return CKR_OK;
+ }
+
+ /* Make sure the attribute exists first */
+ attribLocal.type = attr->type;
+ attribLocal.pValue = NULL;
+ attribLocal.ulValueLen = 0;
+ crv = lg_GetSingleAttribute(obj, &attribLocal);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ /* if we are just setting it to the value we already have,
+ * allow it to happen. Let label setting go through so
+ * we have the opportunity to repair any database corruption. */
+ if (attr->type != CKA_LABEL) {
+ if (lg_cmpAttribute(obj, attr)) {
+ return CKR_OK;
+ }
+ }
+
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ switch (obj->objclass) {
+ case CKO_CERTIFICATE:
+ /* change NICKNAME, EMAIL, */
+ crv = lg_SetCertAttribute(obj, attr->type,
+ attr->pValue, attr->ulValueLen);
+ break;
+ case CKO_NSS_CRL:
+ /* change URL */
+ break;
+ case CKO_NSS_TRUST:
+ crv = lg_SetTrustAttribute(obj, attr);
+ break;
+ case CKO_PRIVATE_KEY:
+ case CKO_SECRET_KEY:
+ crv = lg_SetPrivateKeyAttribute(obj, attr->type,
+ attr->pValue, attr->ulValueLen, writePrivate);
+ break;
+ case CKO_PUBLIC_KEY:
+ crv = lg_SetPublicKeyAttribute(obj, attr->type,
+ attr->pValue, attr->ulValueLen, writePrivate);
+ break;
+ }
+ return crv;
+}
+
+/*
+ * Fill in the attribute template based on the data in the database.
+ */
+CK_RV
+lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ LGObjectCache *obj = lg_NewObjectCache(sdb, NULL, handle & ~LG_TOKEN_MASK);
+ CK_RV crv, crvCollect = CKR_OK;
+ PRBool writePrivate = PR_FALSE;
+ unsigned int i;
+
+ if (obj == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ for (i = 0; i < count; i++) {
+ crv = lg_SetSingleAttribute(obj, &templ[i], &writePrivate);
+ if (crvCollect == CKR_OK)
+ crvCollect = crv;
+ }
+
+ /* Write any collected changes out for private and secret keys.
+ * don't do the write for just the label */
+ if (writePrivate) {
+ NSSLOWKEYPrivateKey *privKey = lg_GetPrivateKey(obj);
+ SECStatus rv = SECFailure;
+ char *label = lg_FindKeyNicknameByPublicKey(obj->sdb, &obj->dbKey);
+
+ if (privKey) {
+ rv = nsslowkey_StoreKeyByPublicKeyAlg(lg_getKeyDB(sdb), privKey,
+ &obj->dbKey, label, sdb, PR_TRUE);
+ }
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ }
+ PORT_Free(label);
+ }
+
+ lg_DestroyObjectCache(obj);
+ return crvCollect;
+}
diff --git a/security/nss/lib/softoken/legacydb/lgcreate.c b/security/nss/lib/softoken/legacydb/lgcreate.c
new file mode 100644
index 0000000000..3ed50a4255
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgcreate.c
@@ -0,0 +1,1020 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "secitem.h"
+#include "pkcs11.h"
+#include "lgdb.h"
+#include "pcert.h"
+#include "lowkeyi.h"
+#include "blapi.h"
+#include "secder.h"
+#include "secasn1.h"
+
+#include "keydbi.h"
+
+/*
+ * ******************** Object Creation Utilities ***************************
+ */
+
+/*
+ * check the consistancy and initialize a Certificate Object
+ */
+static CK_RV
+lg_createCertObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ SECItem derCert;
+ NSSLOWCERTCertificate *cert;
+ NSSLOWCERTCertTrust *trust = NULL;
+ NSSLOWCERTCertTrust userTrust = { CERTDB_USER, CERTDB_USER, CERTDB_USER };
+ NSSLOWCERTCertTrust defTrust = { CERTDB_TRUSTED_UNKNOWN,
+ CERTDB_TRUSTED_UNKNOWN, CERTDB_TRUSTED_UNKNOWN };
+ char *label = NULL;
+ char *email = NULL;
+ SECStatus rv;
+ CK_RV crv;
+ PRBool inDB = PR_TRUE;
+ NSSLOWCERTCertDBHandle *certHandle = lg_getCertDB(sdb);
+ NSSLOWKEYDBHandle *keyHandle = NULL;
+ CK_CERTIFICATE_TYPE type;
+ const CK_ATTRIBUTE *attribute;
+
+ /* we can't store any certs private */
+ if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* We only support X.509 Certs for now */
+ crv = lg_GetULongAttribute(CKA_CERTIFICATE_TYPE, templ, count, &type);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ if (type != CKC_X_509) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* X.509 Certificate */
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ /* get the der cert */
+ attribute = lg_FindAttribute(CKA_VALUE, templ, count);
+ if (!attribute) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ derCert.type = 0;
+ derCert.data = (unsigned char *)attribute->pValue;
+ derCert.len = attribute->ulValueLen;
+
+ label = lg_getString(CKA_LABEL, templ, count);
+
+ cert = nsslowcert_FindCertByDERCert(certHandle, &derCert);
+ if (cert == NULL) {
+ cert = nsslowcert_DecodeDERCertificate(&derCert, label);
+ inDB = PR_FALSE;
+ }
+ if (cert == NULL) {
+ if (label)
+ PORT_Free(label);
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ keyHandle = lg_getKeyDB(sdb);
+ if (keyHandle) {
+ if (nsslowkey_KeyForCertExists(keyHandle, cert)) {
+ trust = &userTrust;
+ }
+ }
+
+ if (!inDB) {
+ if (!trust)
+ trust = &defTrust;
+ rv = nsslowcert_AddPermCert(certHandle, cert, label, trust);
+ } else {
+ rv = trust ? nsslowcert_ChangeCertTrust(certHandle, cert, trust) : SECSuccess;
+ }
+
+ if (label)
+ PORT_Free(label);
+
+ if (rv != SECSuccess) {
+ nsslowcert_DestroyCertificate(cert);
+ return CKR_DEVICE_ERROR;
+ }
+
+ /*
+ * Add a NULL S/MIME profile if necessary.
+ */
+ email = lg_getString(CKA_NSS_EMAIL, templ, count);
+ if (email) {
+ certDBEntrySMime *entry;
+
+ entry = nsslowcert_ReadDBSMimeEntry(certHandle, email);
+ if (!entry) {
+ nsslowcert_SaveSMimeProfile(certHandle, email,
+ &cert->derSubject, NULL, NULL);
+ } else {
+ nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+ }
+ PORT_Free(email);
+ }
+ *handle = lg_mkHandle(sdb, &cert->certKey, LG_TOKEN_TYPE_CERT);
+ nsslowcert_DestroyCertificate(cert);
+
+ return CKR_OK;
+}
+
+unsigned int
+lg_MapTrust(CK_TRUST trust, PRBool clientAuth)
+{
+ unsigned int trustCA = clientAuth ? CERTDB_TRUSTED_CLIENT_CA : CERTDB_TRUSTED_CA;
+ switch (trust) {
+ case CKT_NSS_TRUSTED:
+ return CERTDB_TERMINAL_RECORD | CERTDB_TRUSTED;
+ case CKT_NSS_TRUSTED_DELEGATOR:
+ return CERTDB_VALID_CA | trustCA;
+ case CKT_NSS_MUST_VERIFY_TRUST:
+ return CERTDB_MUST_VERIFY;
+ case CKT_NSS_NOT_TRUSTED:
+ return CERTDB_TERMINAL_RECORD;
+ case CKT_NSS_VALID_DELEGATOR: /* implies must verify */
+ return CERTDB_VALID_CA;
+ default:
+ break;
+ }
+ return CERTDB_TRUSTED_UNKNOWN;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+lg_createTrustObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ const CK_ATTRIBUTE *issuer = NULL;
+ const CK_ATTRIBUTE *serial = NULL;
+ NSSLOWCERTCertificate *cert = NULL;
+ const CK_ATTRIBUTE *trust;
+ CK_TRUST sslTrust = CKT_NSS_TRUST_UNKNOWN;
+ CK_TRUST clientTrust = CKT_NSS_TRUST_UNKNOWN;
+ CK_TRUST emailTrust = CKT_NSS_TRUST_UNKNOWN;
+ CK_TRUST signTrust = CKT_NSS_TRUST_UNKNOWN;
+ CK_BBOOL stepUp;
+ NSSLOWCERTCertTrust dbTrust = { 0 };
+ SECStatus rv;
+ NSSLOWCERTCertDBHandle *certHandle = lg_getCertDB(sdb);
+ NSSLOWCERTIssuerAndSN issuerSN;
+
+ /* we can't store any certs private */
+ if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ issuer = lg_FindAttribute(CKA_ISSUER, templ, count);
+ serial = lg_FindAttribute(CKA_SERIAL_NUMBER, templ, count);
+
+ if (issuer && serial) {
+ issuerSN.derIssuer.data = (unsigned char *)issuer->pValue;
+ issuerSN.derIssuer.len = issuer->ulValueLen;
+
+ issuerSN.serialNumber.data = (unsigned char *)serial->pValue;
+ issuerSN.serialNumber.len = serial->ulValueLen;
+
+ cert = nsslowcert_FindCertByIssuerAndSN(certHandle, &issuerSN);
+ }
+
+ if (cert == NULL) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ lg_GetULongAttribute(CKA_TRUST_SERVER_AUTH, templ, count, &sslTrust);
+ lg_GetULongAttribute(CKA_TRUST_CLIENT_AUTH, templ, count, &clientTrust);
+ lg_GetULongAttribute(CKA_TRUST_EMAIL_PROTECTION, templ, count, &emailTrust);
+ lg_GetULongAttribute(CKA_TRUST_CODE_SIGNING, templ, count, &signTrust);
+ stepUp = CK_FALSE;
+ trust = lg_FindAttribute(CKA_TRUST_STEP_UP_APPROVED, templ, count);
+ if (trust) {
+ if (trust->ulValueLen == sizeof(CK_BBOOL)) {
+ stepUp = *(CK_BBOOL *)trust->pValue;
+ }
+ }
+
+ /* preserve certain old fields */
+ if (cert->trust) {
+ dbTrust.sslFlags = cert->trust->sslFlags & CERTDB_PRESERVE_TRUST_BITS;
+ dbTrust.emailFlags =
+ cert->trust->emailFlags & CERTDB_PRESERVE_TRUST_BITS;
+ dbTrust.objectSigningFlags =
+ cert->trust->objectSigningFlags & CERTDB_PRESERVE_TRUST_BITS;
+ }
+
+ dbTrust.sslFlags |= lg_MapTrust(sslTrust, PR_FALSE);
+ dbTrust.sslFlags |= lg_MapTrust(clientTrust, PR_TRUE);
+ dbTrust.emailFlags |= lg_MapTrust(emailTrust, PR_FALSE);
+ dbTrust.objectSigningFlags |= lg_MapTrust(signTrust, PR_FALSE);
+ if (stepUp) {
+ dbTrust.sslFlags |= CERTDB_GOVT_APPROVED_CA;
+ }
+
+ rv = nsslowcert_ChangeCertTrust(certHandle, cert, &dbTrust);
+ *handle = lg_mkHandle(sdb, &cert->certKey, LG_TOKEN_TYPE_TRUST);
+ nsslowcert_DestroyCertificate(cert);
+ if (rv != SECSuccess) {
+ return CKR_DEVICE_ERROR;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+lg_createSMimeObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ SECItem derSubj, rawProfile, rawTime, emailKey;
+ SECItem *pRawProfile = NULL;
+ SECItem *pRawTime = NULL;
+ char *email = NULL;
+ const CK_ATTRIBUTE *subject = NULL,
+ *profile = NULL,
+ *time = NULL;
+ SECStatus rv;
+ NSSLOWCERTCertDBHandle *certHandle;
+ CK_RV ck_rv = CKR_OK;
+
+ /* we can't store any certs private */
+ if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ certHandle = lg_getCertDB(sdb);
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ /* lookup SUBJECT */
+ subject = lg_FindAttribute(CKA_SUBJECT, templ, count);
+ PORT_Assert(subject);
+ if (!subject) {
+ ck_rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto loser;
+ }
+
+ derSubj.data = (unsigned char *)subject->pValue;
+ derSubj.len = subject->ulValueLen;
+ derSubj.type = 0;
+
+ /* lookup VALUE */
+ profile = lg_FindAttribute(CKA_VALUE, templ, count);
+ if (profile) {
+ rawProfile.data = (unsigned char *)profile->pValue;
+ rawProfile.len = profile->ulValueLen;
+ rawProfile.type = siBuffer;
+ pRawProfile = &rawProfile;
+ }
+
+ /* lookup Time */
+ time = lg_FindAttribute(CKA_NSS_SMIME_TIMESTAMP, templ, count);
+ if (time) {
+ rawTime.data = (unsigned char *)time->pValue;
+ rawTime.len = time->ulValueLen;
+ rawTime.type = siBuffer;
+ pRawTime = &rawTime;
+ }
+
+ email = lg_getString(CKA_NSS_EMAIL, templ, count);
+ if (!email) {
+ ck_rv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto loser;
+ }
+
+ /* Store S/MIME Profile by SUBJECT */
+ rv = nsslowcert_SaveSMimeProfile(certHandle, email, &derSubj,
+ pRawProfile, pRawTime);
+ if (rv != SECSuccess) {
+ ck_rv = CKR_DEVICE_ERROR;
+ goto loser;
+ }
+ emailKey.data = (unsigned char *)email;
+ emailKey.len = PORT_Strlen(email) + 1;
+
+ *handle = lg_mkHandle(sdb, &emailKey, LG_TOKEN_TYPE_SMIME);
+
+loser:
+ if (email)
+ PORT_Free(email);
+
+ return ck_rv;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+lg_createCrlObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ PRBool isKRL = PR_FALSE;
+ SECItem derSubj, derCrl;
+ char *url = NULL;
+ const CK_ATTRIBUTE *subject, *crl;
+ SECStatus rv;
+ NSSLOWCERTCertDBHandle *certHandle;
+
+ certHandle = lg_getCertDB(sdb);
+
+ /* we can't store any private crls */
+ if (lg_isTrue(CKA_PRIVATE, templ, count)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ /* lookup SUBJECT */
+ subject = lg_FindAttribute(CKA_SUBJECT, templ, count);
+ if (!subject) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ derSubj.data = (unsigned char *)subject->pValue;
+ derSubj.len = subject->ulValueLen;
+
+ /* lookup VALUE */
+ crl = lg_FindAttribute(CKA_VALUE, templ, count);
+ PORT_Assert(crl);
+ if (!crl) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ derCrl.data = (unsigned char *)crl->pValue;
+ derCrl.len = crl->ulValueLen;
+
+ url = lg_getString(CKA_NSS_URL, templ, count);
+ isKRL = lg_isTrue(CKA_NSS_KRL, templ, count);
+
+ /* Store CRL by SUBJECT */
+ rv = nsslowcert_AddCrl(certHandle, &derCrl, &derSubj, url, isKRL);
+
+ if (url) {
+ PORT_Free(url);
+ }
+ if (rv != SECSuccess) {
+ return CKR_DEVICE_ERROR;
+ }
+
+ /* if we overwrote the existing CRL, poison the handle entry so we get
+ * a new object handle */
+ (void)lg_poisonHandle(sdb, &derSubj,
+ isKRL ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL);
+ *handle = lg_mkHandle(sdb, &derSubj,
+ isKRL ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL);
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Public Key Object
+ */
+static CK_RV
+lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+ CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
+ CK_RV crv = CKR_OK;
+ NSSLOWKEYPrivateKey *priv;
+ SECItem pubKeySpace = { siBuffer, NULL, 0 };
+ SECItem *pubKey;
+ SECItem pubKey2Space = { siBuffer, NULL, 0 };
+ PLArenaPool *arena = NULL;
+ NSSLOWKEYDBHandle *keyHandle = NULL;
+
+ switch (key_type) {
+ case CKK_RSA:
+ pubKeyAttr = CKA_MODULUS;
+ break;
+ case CKK_EC:
+ pubKeyAttr = CKA_EC_POINT;
+ break;
+ case CKK_DSA:
+ case CKK_DH:
+ break;
+ default:
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ pubKey = &pubKeySpace;
+ crv = lg_Attribute2SSecItem(NULL, pubKeyAttr, templ, count, pubKey);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (key_type == CKK_EC) {
+ SECStatus rv;
+ /*
+ * for ECC, use the decoded key first.
+ */
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ rv = SEC_QuickDERDecodeItem(arena, &pubKey2Space,
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
+ pubKey);
+ if (rv != SECSuccess) {
+ /* decode didn't work, just try the pubKey */
+ PORT_FreeArena(arena, PR_FALSE);
+ arena = NULL;
+ } else {
+ /* try the decoded pub key first */
+ pubKey = &pubKey2Space;
+ }
+ }
+
+ PORT_Assert(pubKey->data);
+ if (pubKey->data == NULL) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
+ keyHandle = lg_getKeyDB(sdb);
+ if (keyHandle == NULL) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ goto done;
+ }
+ if (keyHandle->version != 3) {
+ unsigned char buf[SHA1_LENGTH];
+ SHA1_HashBuf(buf, pubKey->data, pubKey->len);
+ PORT_Memcpy(pubKey->data, buf, sizeof(buf));
+ pubKey->len = sizeof(buf);
+ }
+ /* make sure the associated private key already exists */
+ /* only works if we are logged in */
+ priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey, sdb /*password*/);
+ if (priv == NULL && pubKey == &pubKey2Space) {
+ /* no match on the decoded key, match the original pubkey */
+ pubKey = &pubKeySpace;
+ priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey,
+ sdb /*password*/);
+ }
+ if (priv == NULL) {
+ /* the legacy database can only 'store' public keys which already
+ * have their corresponding private keys in the database */
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
+ lg_nsslowkey_DestroyPrivateKey(priv);
+ crv = CKR_OK;
+
+ *handle = lg_mkHandle(sdb, pubKey, LG_TOKEN_TYPE_PUB);
+
+done:
+ PORT_Free(pubKeySpace.data);
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return crv;
+}
+
+/* make a private key from a verified object */
+static NSSLOWKEYPrivateKey *
+lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUTE *templ, CK_ULONG count,
+ CK_KEY_TYPE key_type, CK_RV *crvp)
+{
+ NSSLOWKEYPrivateKey *privKey;
+ PLArenaPool *arena;
+ CK_RV crv = CKR_OK;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ *crvp = CKR_HOST_MEMORY;
+ return NULL;
+ }
+
+ privKey = (NSSLOWKEYPrivateKey *)
+ PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPrivateKey));
+ if (privKey == NULL) {
+ PORT_FreeArena(arena, PR_FALSE);
+ *crvp = CKR_HOST_MEMORY;
+ return NULL;
+ }
+
+ /* in future this would be a switch on key_type */
+ privKey->arena = arena;
+ switch (key_type) {
+ case CKK_RSA:
+ privKey->keyType = NSSLOWKEYRSAKey;
+ crv = lg_Attribute2SSecItem(arena, CKA_MODULUS, templ, count,
+ &privKey->u.rsa.modulus);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_Attribute2SSecItem(arena, CKA_PUBLIC_EXPONENT, templ, count,
+ &privKey->u.rsa.publicExponent);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_PrivAttr2SSecItem(arena, CKA_PRIVATE_EXPONENT, templ, count,
+ &privKey->u.rsa.privateExponent, sdb);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_PrivAttr2SSecItem(arena, CKA_PRIME_1, templ, count,
+ &privKey->u.rsa.prime1, sdb);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_PrivAttr2SSecItem(arena, CKA_PRIME_2, templ, count,
+ &privKey->u.rsa.prime2, sdb);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_PrivAttr2SSecItem(arena, CKA_EXPONENT_1, templ, count,
+ &privKey->u.rsa.exponent1, sdb);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_PrivAttr2SSecItem(arena, CKA_EXPONENT_2, templ, count,
+ &privKey->u.rsa.exponent2, sdb);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_PrivAttr2SSecItem(arena, CKA_COEFFICIENT, templ, count,
+ &privKey->u.rsa.coefficient, sdb);
+ if (crv != CKR_OK)
+ break;
+ rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,
+ NSSLOWKEY_VERSION);
+ if (rv != SECSuccess)
+ crv = CKR_HOST_MEMORY;
+ break;
+
+ case CKK_DSA:
+ privKey->keyType = NSSLOWKEYDSAKey;
+ crv = lg_Attribute2SSecItem(arena, CKA_PRIME, templ, count,
+ &privKey->u.dsa.params.prime);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_Attribute2SSecItem(arena, CKA_SUBPRIME, templ, count,
+ &privKey->u.dsa.params.subPrime);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_Attribute2SSecItem(arena, CKA_BASE, templ, count,
+ &privKey->u.dsa.params.base);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_PrivAttr2SSecItem(arena, CKA_VALUE, templ, count,
+ &privKey->u.dsa.privateValue, sdb);
+ if (crv != CKR_OK)
+ break;
+ if (lg_hasAttribute(CKA_NSS_DB, templ, count)) {
+ crv = lg_Attribute2SSecItem(arena, CKA_NSS_DB, templ, count,
+ &privKey->u.dsa.publicValue);
+ /* privKey was zero'd so public value is already set to NULL, 0
+ * if we don't set it explicitly */
+ }
+ break;
+
+ case CKK_DH:
+ privKey->keyType = NSSLOWKEYDHKey;
+ crv = lg_Attribute2SSecItem(arena, CKA_PRIME, templ, count,
+ &privKey->u.dh.prime);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_Attribute2SSecItem(arena, CKA_BASE, templ, count,
+ &privKey->u.dh.base);
+ if (crv != CKR_OK)
+ break;
+ crv = lg_PrivAttr2SSecItem(arena, CKA_VALUE, templ, count,
+ &privKey->u.dh.privateValue, sdb);
+ if (crv != CKR_OK)
+ break;
+ if (lg_hasAttribute(CKA_NSS_DB, templ, count)) {
+ crv = lg_Attribute2SSecItem(arena, CKA_NSS_DB, templ, count,
+ &privKey->u.dh.publicValue);
+ /* privKey was zero'd so public value is already set to NULL, 0
+ * if we don't set it explicitly */
+ }
+ break;
+
+ case CKK_EC:
+ privKey->keyType = NSSLOWKEYECKey;
+ crv = lg_Attribute2SSecItem(arena, CKA_EC_PARAMS, templ, count,
+ &privKey->u.ec.ecParams.DEREncoding);
+ if (crv != CKR_OK)
+ break;
+
+ /* Fill out the rest of the ecParams structure
+ * based on the encoded params
+ */
+ if (LGEC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding,
+ &privKey->u.ec.ecParams) != SECSuccess) {
+ crv = CKR_DOMAIN_PARAMS_INVALID;
+ break;
+ }
+ crv = lg_PrivAttr2SSecItem(arena, CKA_VALUE, templ, count,
+ &privKey->u.ec.privateValue, sdb);
+ if (crv != CKR_OK)
+ break;
+ if (lg_hasAttribute(CKA_NSS_DB, templ, count)) {
+ crv = lg_Attribute2SSecItem(arena, CKA_NSS_DB, templ, count,
+ &privKey->u.ec.publicValue);
+ if (crv != CKR_OK)
+ break;
+ /* privKey was zero'd so public value is already set to NULL, 0
+ * if we don't set it explicitly */
+ }
+ rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
+ NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
+ if (rv != SECSuccess)
+ crv = CKR_HOST_MEMORY;
+ break;
+
+ default:
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ *crvp = crv;
+ if (crv != CKR_OK) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+ }
+ return privKey;
+}
+
+/*
+ * check the consistancy and initialize a Private Key Object
+ */
+static CK_RV
+lg_createPrivateKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+ CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ NSSLOWKEYPrivateKey *privKey;
+ char *label;
+ SECStatus rv = SECSuccess;
+ CK_RV crv = CKR_DEVICE_ERROR;
+ SECItem pubKey;
+ NSSLOWKEYDBHandle *keyHandle = lg_getKeyDB(sdb);
+
+ if (keyHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ privKey = lg_mkPrivKey(sdb, templ, count, key_type, &crv);
+ if (privKey == NULL)
+ return crv;
+ label = lg_getString(CKA_LABEL, templ, count);
+
+ crv = lg_Attribute2SSecItem(NULL, CKA_NSS_DB, templ, count, &pubKey);
+ if (crv != CKR_OK) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ rv = SECFailure;
+ goto fail;
+ }
+#ifdef notdef
+ if (keyHandle->version != 3) {
+ unsigned char buf[SHA1_LENGTH];
+ SHA1_HashBuf(buf, pubKey.data, pubKey.len);
+ PORT_Memcpy(pubKey.data, buf, sizeof(buf));
+ pubKey.len = sizeof(buf);
+ }
+#endif
+ /* get the key type */
+ if (key_type == CKK_RSA) {
+ rv = RSA_PrivateKeyCheck(&privKey->u.rsa);
+ if (rv == SECFailure) {
+ goto fail;
+ }
+ }
+ rv = nsslowkey_StoreKeyByPublicKey(keyHandle, privKey, &pubKey,
+ label, sdb /*->password*/);
+
+fail:
+ if (label)
+ PORT_Free(label);
+ *handle = lg_mkHandle(sdb, &pubKey, LG_TOKEN_TYPE_PRIV);
+ if (pubKey.data)
+ PORT_Free(pubKey.data);
+ lg_nsslowkey_DestroyPrivateKey(privKey);
+ if (rv != SECSuccess)
+ return crv;
+
+ return CKR_OK;
+}
+
+#define LG_KEY_MAX_RETRIES 10 /* don't hang if we are having problems with the rng */
+#define LG_KEY_ID_SIZE 18 /* don't use either SHA1 or MD5 sizes */
+/*
+ * Secret keys must have a CKA_ID value to be stored in the database. This code
+ * will generate one if there wasn't one already.
+ */
+static CK_RV
+lg_GenerateSecretCKA_ID(NSSLOWKEYDBHandle *handle, SECItem *id, char *label)
+{
+ unsigned int retries;
+ SECStatus rv = SECSuccess;
+ CK_RV crv = CKR_OK;
+
+ id->data = NULL;
+ if (label) {
+ id->data = (unsigned char *)PORT_Strdup(label);
+ if (id->data == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ id->len = PORT_Strlen(label) + 1;
+ if (!nsslowkey_KeyForIDExists(handle, id)) {
+ return CKR_OK;
+ }
+ PORT_Free(id->data);
+ id->data = NULL;
+ id->len = 0;
+ }
+ id->data = (unsigned char *)PORT_Alloc(LG_KEY_ID_SIZE);
+ if (id->data == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ id->len = LG_KEY_ID_SIZE;
+
+ retries = 0;
+ do {
+ rv = RNG_GenerateGlobalRandomBytes(id->data, id->len);
+ } while (rv == SECSuccess && nsslowkey_KeyForIDExists(handle, id) &&
+ (++retries <= LG_KEY_MAX_RETRIES));
+
+ if ((rv != SECSuccess) || (retries > LG_KEY_MAX_RETRIES)) {
+ crv = CKR_DEVICE_ERROR; /* random number generator is bad */
+ PORT_Free(id->data);
+ id->data = NULL;
+ id->len = 0;
+ }
+ return crv;
+}
+
+static NSSLOWKEYPrivateKey *
+lg_mkSecretKeyRep(const CK_ATTRIBUTE *templ,
+ CK_ULONG count, CK_KEY_TYPE key_type,
+ SECItem *pubkey, SDB *sdbpw)
+{
+ NSSLOWKEYPrivateKey *privKey = 0;
+ PLArenaPool *arena = 0;
+ CK_KEY_TYPE keyType;
+ PRUint32 keyTypeStorage;
+ SECItem keyTypeItem;
+ CK_RV crv;
+ SECStatus rv;
+ static unsigned char derZero[1] = { 0 };
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ privKey = (NSSLOWKEYPrivateKey *)
+ PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPrivateKey));
+ if (privKey == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ privKey->arena = arena;
+
+ /* Secret keys are represented in the database as "fake" RSA keys.
+ * The RSA key is marked as a secret key representation by setting the
+ * public exponent field to 0, which is an invalid RSA exponent.
+ * The other fields are set as follows:
+ * modulus - CKA_ID value for the secret key
+ * private exponent - CKA_VALUE (the key itself)
+ * coefficient - CKA_KEY_TYPE, which indicates what encryption algorithm
+ * is used for the key.
+ * all others - set to integer 0
+ */
+ privKey->keyType = NSSLOWKEYRSAKey;
+
+ /* The modulus is set to the key id of the symmetric key */
+ privKey->u.rsa.modulus.data =
+ (unsigned char *)PORT_ArenaAlloc(arena, pubkey->len);
+ if (privKey->u.rsa.modulus.data == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ privKey->u.rsa.modulus.len = pubkey->len;
+ PORT_Memcpy(privKey->u.rsa.modulus.data, pubkey->data, pubkey->len);
+
+ /* The public exponent is set to 0 to indicate a special key */
+ privKey->u.rsa.publicExponent.len = sizeof derZero;
+ privKey->u.rsa.publicExponent.data = derZero;
+
+ /* The private exponent is the actual key value */
+ crv = lg_PrivAttr2SecItem(arena, CKA_VALUE, templ, count,
+ &privKey->u.rsa.privateExponent, sdbpw);
+ if (crv != CKR_OK)
+ goto loser;
+
+ /* All other fields empty - needs testing */
+ privKey->u.rsa.prime1.len = sizeof derZero;
+ privKey->u.rsa.prime1.data = derZero;
+
+ privKey->u.rsa.prime2.len = sizeof derZero;
+ privKey->u.rsa.prime2.data = derZero;
+
+ privKey->u.rsa.exponent1.len = sizeof derZero;
+ privKey->u.rsa.exponent1.data = derZero;
+
+ privKey->u.rsa.exponent2.len = sizeof derZero;
+ privKey->u.rsa.exponent2.data = derZero;
+
+ /* Coeficient set to KEY_TYPE */
+ crv = lg_GetULongAttribute(CKA_KEY_TYPE, templ, count, &keyType);
+ if (crv != CKR_OK)
+ goto loser;
+ /* on 64 bit platforms, we still want to store 32 bits of keyType (This is
+ * safe since the PKCS #11 defines for all types are 32 bits or less). */
+ keyTypeStorage = (PRUint32)keyType;
+ keyTypeStorage = PR_htonl(keyTypeStorage);
+ keyTypeItem.data = (unsigned char *)&keyTypeStorage;
+ keyTypeItem.len = sizeof(keyTypeStorage);
+ rv = SECITEM_CopyItem(arena, &privKey->u.rsa.coefficient, &keyTypeItem);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ /* Private key version field set normally for compatibility */
+ rv = DER_SetUInteger(privKey->arena,
+ &privKey->u.rsa.version, NSSLOWKEY_VERSION);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+loser:
+ if (crv != CKR_OK) {
+ PORT_FreeArena(arena, PR_FALSE);
+ privKey = 0;
+ }
+
+ return privKey;
+}
+
+/*
+ * check the consistancy and initialize a Secret Key Object
+ */
+static CK_RV
+lg_createSecretKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
+ CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ CK_RV crv;
+ NSSLOWKEYPrivateKey *privKey = NULL;
+ NSSLOWKEYDBHandle *keyHandle = NULL;
+ SECItem pubKey;
+ char *label = NULL;
+ SECStatus rv = SECSuccess;
+
+ pubKey.data = 0;
+
+ /* If the object is a TOKEN object, store in the database */
+ keyHandle = lg_getKeyDB(sdb);
+
+ if (keyHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ label = lg_getString(CKA_LABEL, templ, count);
+
+ crv = lg_Attribute2SecItem(NULL, CKA_ID, templ, count, &pubKey);
+ /* Should this be ID? */
+ if (crv != CKR_OK)
+ goto loser;
+
+ /* if we don't have an ID, generate one */
+ if (pubKey.len == 0) {
+ if (pubKey.data) {
+ PORT_Free(pubKey.data);
+ pubKey.data = NULL;
+ }
+ crv = lg_GenerateSecretCKA_ID(keyHandle, &pubKey, label);
+ if (crv != CKR_OK)
+ goto loser;
+ }
+
+ privKey = lg_mkSecretKeyRep(templ, count, key_type, &pubKey, sdb);
+ if (privKey == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ rv = nsslowkey_StoreKeyByPublicKey(keyHandle,
+ privKey, &pubKey, label, sdb /*->password*/);
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ goto loser;
+ }
+
+ *handle = lg_mkHandle(sdb, &pubKey, LG_TOKEN_TYPE_KEY);
+
+loser:
+ if (label)
+ PORT_Free(label);
+ if (privKey)
+ lg_nsslowkey_DestroyPrivateKey(privKey);
+ if (pubKey.data)
+ PORT_Free(pubKey.data);
+
+ return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Object
+ */
+static CK_RV
+lg_createKeyObject(SDB *sdb, CK_OBJECT_CLASS objclass,
+ CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ CK_RV crv;
+ CK_KEY_TYPE key_type;
+
+ /* get the key type */
+ crv = lg_GetULongAttribute(CKA_KEY_TYPE, templ, count, &key_type);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ switch (objclass) {
+ case CKO_PUBLIC_KEY:
+ return lg_createPublicKeyObject(sdb, key_type, handle, templ, count);
+ case CKO_PRIVATE_KEY:
+ return lg_createPrivateKeyObject(sdb, key_type, handle, templ, count);
+ case CKO_SECRET_KEY:
+ return lg_createSecretKeyObject(sdb, key_type, handle, templ, count);
+ default:
+ break;
+ }
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+}
+
+/*
+ * return the 'next' key handle
+ */
+CK_RV
+lg_GetNewObjectID(SDB *sdb, CK_OBJECT_HANDLE *handle)
+{
+ /* the upper level needs the Object ID early to populate any
+ * signature attributes. The legacy can't really return a new
+ * handle without the full object template (chicken and egg issue).
+ * Fortunately we can just return a bogus handle because the legacy
+ * database doesn't support meta data and can't store any of the signed
+ * attributes anyway */
+ *handle = CK_INVALID_HANDLE;
+ return CKR_OK;
+}
+
+/*
+ * Parse the template and create an object stored in the DB that reflects.
+ * the object specified in the database.
+ */
+CK_RV
+lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ CK_RV crv;
+ CK_OBJECT_CLASS objclass;
+
+ /* get the object class */
+ crv = lg_GetULongAttribute(CKA_CLASS, templ, count, &objclass);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ /* Now handle the specific object class.
+ */
+ switch (objclass) {
+ case CKO_CERTIFICATE:
+ crv = lg_createCertObject(sdb, handle, templ, count);
+ break;
+ case CKO_NSS_TRUST:
+ crv = lg_createTrustObject(sdb, handle, templ, count);
+ break;
+ case CKO_NSS_CRL:
+ crv = lg_createCrlObject(sdb, handle, templ, count);
+ break;
+ case CKO_NSS_SMIME:
+ crv = lg_createSMimeObject(sdb, handle, templ, count);
+ break;
+ case CKO_PRIVATE_KEY:
+ case CKO_PUBLIC_KEY:
+ case CKO_SECRET_KEY:
+ crv = lg_createKeyObject(sdb, objclass, handle, templ, count);
+ break;
+ default:
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ break;
+ }
+
+ return crv;
+}
diff --git a/security/nss/lib/softoken/legacydb/lgdb.h b/security/nss/lib/softoken/legacydb/lgdb.h
new file mode 100644
index 0000000000..c28e8a3687
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgdb.h
@@ -0,0 +1,177 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * Internal data structures and functions used by pkcs11.c
+ */
+#ifndef _LGDB_H_
+#define _LGDB_H_ 1
+
+#include "nssilock.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+#include "pkcs11t.h"
+#include "sdb.h"
+#include "cdbhdl.h"
+
+#define MULTIACCESS "multiaccess:"
+
+/* path stuff (was machine dependent) used by dbinit.c and pk11db.c */
+#define PATH_SEPARATOR "/"
+#define SECMOD_DB "secmod.db"
+#define CERT_DB_FMT "%scert%s.db"
+#define KEY_DB_FMT "%skey%s.db"
+
+SEC_BEGIN_PROTOS
+
+/* internal utility functions used by pkcs11.c */
+extern const CK_ATTRIBUTE *lg_FindAttribute(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern CK_RV lg_Attribute2SecItem(PLArenaPool *, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item);
+extern CK_RV lg_Attribute2SSecItem(PLArenaPool *, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item);
+extern CK_RV lg_PrivAttr2SecItem(PLArenaPool *, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item, SDB *sdbpw);
+extern CK_RV lg_PrivAttr2SSecItem(PLArenaPool *, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item, SDB *sdbpw);
+extern CK_RV lg_GetULongAttribute(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ CK_ULONG *out);
+extern PRBool lg_hasAttribute(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern PRBool lg_isTrue(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern PRBool lg_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
+extern char *lg_getString(CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+extern unsigned int lg_MapTrust(CK_TRUST trust, PRBool clientAuth);
+
+/* clear out all the existing object ID to database key mappings.
+ * used to reinit a token */
+extern CK_RV lg_ClearTokenKeyHashTable(SDB *sdb);
+
+extern void lg_FreeSearch(SDBFind *search);
+
+NSSLOWCERTCertDBHandle *lg_getCertDB(SDB *sdb);
+NSSLOWKEYDBHandle *lg_getKeyDB(SDB *sdb);
+
+const char *lg_EvaluateConfigDir(const char *configdir, char **domain);
+
+/* verify the FIPS selftests ran and were successful */
+PRBool lg_FIPSEntryOK(void);
+
+/*
+ * object handle modifiers
+ */
+#define LG_TOKEN_MASK 0xc0000000L
+#define LG_TOKEN_TYPE_MASK 0x38000000L
+#define LG_TOKEN_TYPE_SHIFT 27
+/* keydb (high bit == 0) */
+#define LG_TOKEN_TYPE_PRIV 0x08000000L
+#define LG_TOKEN_TYPE_PUB 0x10000000L
+#define LG_TOKEN_TYPE_KEY 0x18000000L
+/* certdb (high bit == 1) */
+#define LG_TOKEN_TYPE_TRUST 0x20000000L
+#define LG_TOKEN_TYPE_CRL 0x28000000L
+#define LG_TOKEN_TYPE_SMIME 0x30000000L
+#define LG_TOKEN_TYPE_CERT 0x38000000L
+
+#define LG_TOKEN_KRL_HANDLE (LG_TOKEN_TYPE_CRL | 1)
+
+#define LG_SEARCH_BLOCK_SIZE 10
+#define LG_BUF_SPACE 50
+#define LG_STRICT PR_FALSE
+
+/*
+ * token object utilities
+ */
+void lg_addHandle(SDBFind *search, CK_OBJECT_HANDLE handle);
+PRBool lg_poisonHandle(SDB *sdb, SECItem *dbkey, CK_OBJECT_HANDLE handle);
+PRBool lg_tokenMatch(SDB *sdb, const SECItem *dbKey, CK_OBJECT_HANDLE class,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+const SECItem *lg_lookupTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle);
+CK_OBJECT_HANDLE lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class);
+SECStatus lg_deleteTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle);
+
+SECStatus lg_util_encrypt(PLArenaPool *arena, SDB *sdbpw,
+ SECItem *plainText, SECItem **cipherText);
+SECStatus lg_util_decrypt(SDB *sdbpw,
+ SECItem *cipherText, SECItem **plainText);
+PLHashTable *lg_GetHashTable(SDB *sdb);
+void lg_DBLock(SDB *sdb);
+void lg_DBUnlock(SDB *sdb);
+
+typedef void (*LGFreeFunc)(void *);
+
+/*
+ * database functions
+ */
+
+/* lg_FindObjectsInit initializes a search for token and session objects
+ * that match a template. */
+CK_RV lg_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *pTemplate,
+ CK_ULONG ulCount, SDBFind **search);
+/* lg_FindObjects continues a search for token and session objects
+ * that match a template, obtaining additional object handles. */
+CK_RV lg_FindObjects(SDB *sdb, SDBFind *search,
+ CK_OBJECT_HANDLE *phObject, CK_ULONG ulMaxObjectCount,
+ CK_ULONG *pulObjectCount);
+
+/* lg_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV lg_FindObjectsFinal(SDB *lgdb, SDBFind *search);
+
+/* lg_CreateObject parses the template and create an object stored in the
+ * DB that reflects the object specified in the template. */
+CK_RV lg_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *handle,
+ const CK_ATTRIBUTE *templ, CK_ULONG count);
+
+CK_RV lg_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
+ CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
+ const CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV lg_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id);
+
+CK_RV lg_Close(SDB *sdb);
+CK_RV lg_Reset(SDB *sdb);
+
+/*
+ * The old database doesn't share and doesn't support
+ * transactions.
+ */
+CK_RV lg_Begin(SDB *sdb);
+CK_RV lg_Commit(SDB *sdb);
+CK_RV lg_Abort(SDB *sdb);
+CK_RV lg_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2);
+CK_RV lg_PutMetaData(SDB *sdb, const char *id,
+ const SECItem *item1, const SECItem *item2);
+CK_RV lg_DestroyMetaData(SDB *sdb, const char *id);
+CK_RV lg_GetNewObjectID(SDB *sdb, CK_OBJECT_HANDLE *object_id);
+
+SEC_END_PROTOS
+
+#ifndef XP_UNIX
+
+#define NO_FORK_CHECK
+
+#endif
+
+#ifndef NO_FORK_CHECK
+
+extern PRBool lg_parentForkedAfterC_Initialize;
+#define SKIP_AFTER_FORK(x) \
+ if (!lg_parentForkedAfterC_Initialize) \
+ x
+
+#else
+
+#define SKIP_AFTER_FORK(x) x
+
+#endif /* NO_FORK_CHECK */
+
+#endif /* _LGDB_H_ */
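Review bot: `SKIP_AFTER_FORK(x)` expands to an unbraced `if (!lg_parentForkedAfterC_Initialize) x`, so a caller writing `if (cond) SKIP_AFTER_FORK(f()); else g();` silently binds the `else` to the macro's hidden `if`; the usual `do { if (!lg_parentForkedAfterC_Initialize) { x; } } while (0)` shape avoids that, provided every use site passes a statement-shaped expression, which is not visible from this hunk. The include guard `_LGDB_H_` is also a reserved identifier (leading underscore followed by an uppercase letter); `LGDB_H_` is the conventional spelling. A short comment on `LG_TOKEN_KRL_HANDLE` saying that the low bit distinguishes the KRL from ordinary CRL handles of type `LG_TOKEN_TYPE_CRL` would help readers of lgdestroy.c, which compares the whole masked handle against it.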
diff --git a/security/nss/lib/softoken/legacydb/lgdestroy.c b/security/nss/lib/softoken/legacydb/lgdestroy.c
new file mode 100644
index 0000000000..1e3839d7be
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgdestroy.c
@@ -0,0 +1,110 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "lgdb.h"
+#include "pcert.h"
+#include "lowkeyi.h"
+
+/*
+ * remove an object.
+ */
+CK_RV
+lg_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id)
+{
+ CK_RV crv = CKR_OK;
+ SECStatus rv;
+ NSSLOWCERTCertificate *cert;
+ NSSLOWCERTCertTrust tmptrust;
+ PRBool isKrl;
+ NSSLOWKEYDBHandle *keyHandle;
+ NSSLOWCERTCertDBHandle *certHandle;
+ const SECItem *dbKey;
+
+ object_id &= ~LG_TOKEN_MASK;
+ dbKey = lg_lookupTokenKeyByHandle(sdb, object_id);
+ if (dbKey == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ /* remove the objects from the real data base */
+ switch (object_id & LG_TOKEN_TYPE_MASK) {
+ case LG_TOKEN_TYPE_PRIV:
+ case LG_TOKEN_TYPE_KEY:
+ /* KEYID is the public KEY for DSA and DH, and the MODULUS for
+ * RSA */
+ keyHandle = lg_getKeyDB(sdb);
+ if (!keyHandle) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ break;
+ }
+ rv = nsslowkey_DeleteKey(keyHandle, dbKey);
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ }
+ break;
+ case LG_TOKEN_TYPE_PUB:
+ break; /* public keys only exist at the behest of the priv key */
+ case LG_TOKEN_TYPE_CERT:
+ certHandle = lg_getCertDB(sdb);
+ if (!certHandle) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ break;
+ }
+ cert = nsslowcert_FindCertByKey(certHandle, dbKey);
+ if (cert == NULL) {
+ crv = CKR_DEVICE_ERROR;
+ break;
+ }
+ rv = nsslowcert_DeletePermCertificate(cert);
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ }
+ nsslowcert_DestroyCertificate(cert);
+ break;
+ case LG_TOKEN_TYPE_CRL:
+ certHandle = lg_getCertDB(sdb);
+ if (!certHandle) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ break;
+ }
+ isKrl = (PRBool)(object_id == LG_TOKEN_KRL_HANDLE);
+ rv = nsslowcert_DeletePermCRL(certHandle, dbKey, isKrl);
+ if (rv == SECFailure)
+ crv = CKR_DEVICE_ERROR;
+ break;
+ case LG_TOKEN_TYPE_TRUST:
+ certHandle = lg_getCertDB(sdb);
+ if (!certHandle) {
+ crv = CKR_TOKEN_WRITE_PROTECTED;
+ break;
+ }
+ cert = nsslowcert_FindCertByKey(certHandle, dbKey);
+ if (cert == NULL) {
+ crv = CKR_DEVICE_ERROR;
+ break;
+ }
+ tmptrust = *cert->trust;
+ tmptrust.sslFlags &= CERTDB_PRESERVE_TRUST_BITS;
+ tmptrust.emailFlags &= CERTDB_PRESERVE_TRUST_BITS;
+ tmptrust.objectSigningFlags &= CERTDB_PRESERVE_TRUST_BITS;
+ tmptrust.sslFlags |= CERTDB_TRUSTED_UNKNOWN;
+ tmptrust.emailFlags |= CERTDB_TRUSTED_UNKNOWN;
+ tmptrust.objectSigningFlags |= CERTDB_TRUSTED_UNKNOWN;
+ rv = nsslowcert_ChangeCertTrust(certHandle, cert, &tmptrust);
+ if (rv != SECSuccess)
+ crv = CKR_DEVICE_ERROR;
+ nsslowcert_DestroyCertificate(cert);
+ break;
+ default:
+ break;
+ }
+ lg_DBLock(sdb);
+ lg_deleteTokenKeyByHandle(sdb, object_id);
+ lg_DBUnlock(sdb);
+
+ return crv;
+}
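Review bot: The handle-to-database-key mapping is removed in the trailing `lg_DBLock(sdb); lg_deleteTokenKeyByHandle(sdb, object_id); lg_DBUnlock(sdb);` regardless of whether the switch above succeeded, so after a `CKR_DEVICE_ERROR` or `CKR_TOKEN_WRITE_PROTECTED` the record is still in the key or cert database but can no longer be reached through the object handle, and the `SECStatus` from `lg_deleteTokenKeyByHandle` is discarded. If that is not intentional, wrapping those three lines in `if (crv == CKR_OK) { ... }` keeps a failed delete retryable. The `LG_TOKEN_TYPE_TRUST` case also dereferences `cert->trust` without a NULL check; if `nsslowcert_FindCertByKey` can return a certificate without a trust record this is a null dereference, which is worth confirming against that function. The `default:` branch returns `CKR_OK` for an unrecognised type bits pattern while still dropping the mapping; a comment stating that this is deliberate, or `CKR_OBJECT_HANDLE_INVALID` there, would make the intent explicit.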
diff --git a/security/nss/lib/softoken/legacydb/lgfind.c b/security/nss/lib/softoken/legacydb/lgfind.c
new file mode 100644
index 0000000000..3c18c0ef12
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgfind.c
@@ -0,0 +1,912 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "secitem.h"
+#include "pkcs11.h"
+#include "lgdb.h"
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "blapi.h"
+
+#include "keydbi.h"
+
+/*
+ * This code maps PKCS #11 Finds to legacy database searches. This code
+ * was orginally in pkcs11.c in previous versions of NSS.
+ */
+
+struct SDBFindStr {
+ CK_OBJECT_HANDLE *handles;
+ int size;
+ int index;
+ int array_size;
+};
+
+/*
+ * free a search structure
+ */
+void
+lg_FreeSearch(SDBFind *search)
+{
+ if (search->handles) {
+ PORT_Free(search->handles);
+ }
+ PORT_Free(search);
+}
+
+void
+lg_addHandle(SDBFind *search, CK_OBJECT_HANDLE handle)
+{
+ if (search->handles == NULL) {
+ return;
+ }
+ if (search->size >= search->array_size) {
+ search->array_size += LG_SEARCH_BLOCK_SIZE;
+ search->handles = (CK_OBJECT_HANDLE *)PORT_Realloc(search->handles,
+ sizeof(CK_OBJECT_HANDLE) * search->array_size);
+ if (search->handles == NULL) {
+ return;
+ }
+ }
+ search->handles[search->size] = handle;
+ search->size++;
+}
+
+/*
+ * find any certs that may match the template and load them.
+ */
+#define LG_CERT 0x00000001
+#define LG_TRUST 0x00000002
+#define LG_CRL 0x00000004
+#define LG_SMIME 0x00000008
+#define LG_PRIVATE 0x00000010
+#define LG_PUBLIC 0x00000020
+#define LG_KEY 0x00000040
+
+/*
+ * structure to collect key handles.
+ */
+typedef struct lgEntryDataStr {
+ SDB *sdb;
+ SDBFind *searchHandles;
+ const CK_ATTRIBUTE *template;
+ CK_ULONG templ_count;
+} lgEntryData;
+
+static SECStatus
+lg_crl_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg)
+{
+ lgEntryData *crlData;
+ CK_OBJECT_HANDLE class_handle;
+ SDB *sdb;
+
+ crlData = (lgEntryData *)arg;
+ sdb = crlData->sdb;
+
+ class_handle = (type == certDBEntryTypeRevocation) ? LG_TOKEN_TYPE_CRL : LG_TOKEN_KRL_HANDLE;
+ if (lg_tokenMatch(sdb, key, class_handle,
+ crlData->template, crlData->templ_count)) {
+ lg_addHandle(crlData->searchHandles,
+ lg_mkHandle(sdb, key, class_handle));
+ }
+ return (SECSuccess);
+}
+
+static void
+lg_searchCrls(SDB *sdb, SECItem *derSubject, PRBool isKrl,
+ unsigned long classFlags, SDBFind *search,
+ const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+ NSSLOWCERTCertDBHandle *certHandle = NULL;
+
+ certHandle = lg_getCertDB(sdb);
+ if (certHandle == NULL) {
+ return;
+ }
+ if (derSubject->data != NULL) {
+ certDBEntryRevocation *crl =
+ nsslowcert_FindCrlByKey(certHandle, derSubject, isKrl);
+
+ if (crl != NULL) {
+ lg_addHandle(search, lg_mkHandle(sdb, derSubject,
+ isKrl ? LG_TOKEN_KRL_HANDLE : LG_TOKEN_TYPE_CRL));
+ nsslowcert_DestroyDBEntry((certDBEntry *)crl);
+ }
+ } else {
+ lgEntryData crlData;
+
+ /* traverse */
+ crlData.sdb = sdb;
+ crlData.searchHandles = search;
+ crlData.template = pTemplate;
+ crlData.templ_count = ulCount;
+ nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeRevocation,
+ lg_crl_collect, (void *)&crlData);
+ nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeKeyRevocation,
+ lg_crl_collect, (void *)&crlData);
+ }
+}
+
+/*
+ * structure to collect key handles.
+ */
+typedef struct lgKeyDataStr {
+ SDB *sdb;
+ NSSLOWKEYDBHandle *keyHandle;
+ SDBFind *searchHandles;
+ SECItem *id;
+ const CK_ATTRIBUTE *template;
+ CK_ULONG templ_count;
+ unsigned long classFlags;
+ PRBool strict;
+} lgKeyData;
+
+static PRBool
+isSecretKey(NSSLOWKEYPrivateKey *privKey)
+{
+ if (privKey->keyType == NSSLOWKEYRSAKey &&
+ privKey->u.rsa.publicExponent.len == 1 &&
+ privKey->u.rsa.publicExponent.data[0] == 0)
+ return PR_TRUE;
+
+ return PR_FALSE;
+}
+
+static SECStatus
+lg_key_collect(DBT *key, DBT *data, void *arg)
+{
+ lgKeyData *keyData;
+ NSSLOWKEYPrivateKey *privKey = NULL;
+ SECItem tmpDBKey;
+ SDB *sdb;
+ unsigned long classFlags;
+
+ keyData = (lgKeyData *)arg;
+ sdb = keyData->sdb;
+ classFlags = keyData->classFlags;
+
+ tmpDBKey.data = key->data;
+ tmpDBKey.len = key->size;
+ tmpDBKey.type = siBuffer;
+
+ PORT_Assert(keyData->keyHandle);
+ if (!keyData->strict && keyData->id && keyData->id->data) {
+ SECItem result;
+ PRBool haveMatch = PR_FALSE;
+ unsigned char hashKey[SHA1_LENGTH];
+ result.data = hashKey;
+ result.len = sizeof(hashKey);
+
+ if (keyData->id->len == 0) {
+ /* Make sure this isn't a LG_KEY */
+ privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle,
+ &tmpDBKey, keyData->sdb /*->password*/);
+ if (privKey) {
+ /* turn off the unneeded class flags */
+ classFlags &= isSecretKey(privKey) ? ~(LG_PRIVATE | LG_PUBLIC) : ~LG_KEY;
+ haveMatch = (PRBool)((classFlags & (LG_KEY | LG_PRIVATE | LG_PUBLIC)) != 0);
+ lg_nsslowkey_DestroyPrivateKey(privKey);
+ }
+ } else {
+ SHA1_HashBuf(hashKey, key->data, key->size); /* match id */
+ haveMatch = SECITEM_ItemsAreEqual(keyData->id, &result);
+ if (!haveMatch && ((unsigned char *)key->data)[0] == 0) {
+ /* This is a fix for backwards compatibility. The key
+ * database indexes private keys by the public key, and
+ * versions of NSS prior to 3.4 stored the public key as
+ * a signed integer. The public key is now treated as an
+ * unsigned integer, with no leading zero. In order to
+ * correctly compute the hash of an old key, it is necessary
+ * to fallback and detect the leading zero.
+ */
+ SHA1_HashBuf(hashKey,
+ (unsigned char *)key->data + 1, key->size - 1);
+ haveMatch = SECITEM_ItemsAreEqual(keyData->id, &result);
+ }
+ }
+ if (haveMatch) {
+ if (classFlags & LG_PRIVATE) {
+ lg_addHandle(keyData->searchHandles,
+ lg_mkHandle(sdb, &tmpDBKey, LG_TOKEN_TYPE_PRIV));
+ }
+ if (classFlags & LG_PUBLIC) {
+ lg_addHandle(keyData->searchHandles,
+ lg_mkHandle(sdb, &tmpDBKey, LG_TOKEN_TYPE_PUB));
+ }
+ if (classFlags & LG_KEY) {
+ lg_addHandle(keyData->searchHandles,
+ lg_mkHandle(sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY));
+ }
+ }
+ return SECSuccess;
+ }
+
+ privKey = nsslowkey_FindKeyByPublicKey(keyData->keyHandle, &tmpDBKey,
+ keyData->sdb /*->password*/);
+ if (privKey == NULL) {
+ goto loser;
+ }
+
+ if (isSecretKey(privKey)) {
+ if ((classFlags & LG_KEY) &&
+ lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY,
+ keyData->template, keyData->templ_count)) {
+ lg_addHandle(keyData->searchHandles,
+ lg_mkHandle(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_KEY));
+ }
+ } else {
+ if ((classFlags & LG_PRIVATE) &&
+ lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PRIV,
+ keyData->template, keyData->templ_count)) {
+ lg_addHandle(keyData->searchHandles,
+ lg_mkHandle(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PRIV));
+ }
+ if ((classFlags & LG_PUBLIC) &&
+ lg_tokenMatch(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PUB,
+ keyData->template, keyData->templ_count)) {
+ lg_addHandle(keyData->searchHandles,
+ lg_mkHandle(keyData->sdb, &tmpDBKey, LG_TOKEN_TYPE_PUB));
+ }
+ }
+
+loser:
+ if (privKey) {
+ lg_nsslowkey_DestroyPrivateKey(privKey);
+ }
+ return (SECSuccess);
+}
+
+static void
+lg_searchKeys(SDB *sdb, SECItem *key_id,
+ unsigned long classFlags, SDBFind *search, PRBool mustStrict,
+ const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+ NSSLOWKEYDBHandle *keyHandle = NULL;
+ NSSLOWKEYPrivateKey *privKey;
+ lgKeyData keyData;
+ PRBool found = PR_FALSE;
+
+ keyHandle = lg_getKeyDB(sdb);
+ if (keyHandle == NULL) {
+ return;
+ }
+
+ if (key_id->data) {
+ privKey = nsslowkey_FindKeyByPublicKey(keyHandle, key_id, sdb);
+ if (privKey) {
+ if ((classFlags & LG_KEY) && isSecretKey(privKey)) {
+ lg_addHandle(search,
+ lg_mkHandle(sdb, key_id, LG_TOKEN_TYPE_KEY));
+ found = PR_TRUE;
+ }
+ if ((classFlags & LG_PRIVATE) && !isSecretKey(privKey)) {
+ lg_addHandle(search,
+ lg_mkHandle(sdb, key_id, LG_TOKEN_TYPE_PRIV));
+ found = PR_TRUE;
+ }
+ if ((classFlags & LG_PUBLIC) && !isSecretKey(privKey)) {
+ lg_addHandle(search,
+ lg_mkHandle(sdb, key_id, LG_TOKEN_TYPE_PUB));
+ found = PR_TRUE;
+ }
+ lg_nsslowkey_DestroyPrivateKey(privKey);
+ }
+ /* don't do the traversal if we have an up to date db */
+ if (keyHandle->version != 3) {
+ goto loser;
+ }
+ /* don't do the traversal if it can't possibly be the correct id */
+ /* all soft token id's are SHA1_HASH_LEN's */
+ if (key_id->len != SHA1_LENGTH) {
+ goto loser;
+ }
+ if (found) {
+ /* if we already found some keys, don't do the traversal */
+ goto loser;
+ }
+ }
+ keyData.sdb = sdb;
+ keyData.keyHandle = keyHandle;
+ keyData.searchHandles = search;
+ keyData.id = key_id;
+ keyData.template = pTemplate;
+ keyData.templ_count = ulCount;
+ keyData.classFlags = classFlags;
+ keyData.strict = mustStrict ? mustStrict : LG_STRICT;
+
+ nsslowkey_TraverseKeys(keyHandle, lg_key_collect, &keyData);
+
+loser:
+ return;
+}
+
+/*
+ * structure to collect certs into
+ */
+typedef struct lgCertDataStr {
+ SDB *sdb;
+ int cert_count;
+ int max_cert_count;
+ NSSLOWCERTCertificate **certs;
+ const CK_ATTRIBUTE *template;
+ CK_ULONG templ_count;
+ unsigned long classFlags;
+ PRBool strict;
+} lgCertData;
+
+/*
+ * collect all the certs from the traverse call.
+ */
+static SECStatus
+lg_cert_collect(NSSLOWCERTCertificate *cert, void *arg)
+{
+ lgCertData *cd = (lgCertData *)arg;
+
+ if (cert == NULL) {
+ return SECSuccess;
+ }
+
+ if (cd->certs == NULL) {
+ return SECFailure;
+ }
+
+ if (cd->strict) {
+ if ((cd->classFlags & LG_CERT) &&
+ !lg_tokenMatch(cd->sdb, &cert->certKey, LG_TOKEN_TYPE_CERT, cd->template, cd->templ_count)) {
+ return SECSuccess;
+ }
+ if ((cd->classFlags & LG_TRUST) &&
+ !lg_tokenMatch(cd->sdb, &cert->certKey, LG_TOKEN_TYPE_TRUST, cd->template, cd->templ_count)) {
+ return SECSuccess;
+ }
+ }
+
+ /* allocate more space if we need it. This should only happen in
+ * the general traversal case */
+ if (cd->cert_count >= cd->max_cert_count) {
+ int size;
+ cd->max_cert_count += LG_SEARCH_BLOCK_SIZE;
+ size = cd->max_cert_count * sizeof(NSSLOWCERTCertificate *);
+ cd->certs = (NSSLOWCERTCertificate **)PORT_Realloc(cd->certs, size);
+ if (cd->certs == NULL) {
+ return SECFailure;
+ }
+ }
+
+ cd->certs[cd->cert_count++] = nsslowcert_DupCertificate(cert);
+ return SECSuccess;
+}
+
+/* provide impedence matching ... */
+static SECStatus
+lg_cert_collect2(NSSLOWCERTCertificate *cert, SECItem *dymmy, void *arg)
+{
+ return lg_cert_collect(cert, arg);
+}
+
+static void
+lg_searchSingleCert(lgCertData *certData, NSSLOWCERTCertificate *cert)
+{
+ if (cert == NULL) {
+ return;
+ }
+ if (certData->strict &&
+ !lg_tokenMatch(certData->sdb, &cert->certKey, LG_TOKEN_TYPE_CERT,
+ certData->template, certData->templ_count)) {
+ nsslowcert_DestroyCertificate(cert);
+ return;
+ }
+ certData->certs = (NSSLOWCERTCertificate **)
+ PORT_Alloc(sizeof(NSSLOWCERTCertificate *));
+ if (certData->certs == NULL) {
+ nsslowcert_DestroyCertificate(cert);
+ return;
+ }
+ certData->certs[0] = cert;
+ certData->cert_count = 1;
+}
+
+static void
+lg_CertSetupData(lgCertData *certData, int count)
+{
+ certData->max_cert_count = count;
+
+ if (certData->max_cert_count <= 0) {
+ return;
+ }
+ certData->certs = (NSSLOWCERTCertificate **)
+ PORT_Alloc(count * sizeof(NSSLOWCERTCertificate *));
+ return;
+}
+
+static void
+lg_searchCertsAndTrust(SDB *sdb, SECItem *derCert, SECItem *name,
+ SECItem *derSubject, NSSLOWCERTIssuerAndSN *issuerSN,
+ SECItem *email,
+ unsigned long classFlags, SDBFind *handles,
+ const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+ NSSLOWCERTCertDBHandle *certHandle = NULL;
+ lgCertData certData;
+ int i;
+
+ certHandle = lg_getCertDB(sdb);
+ if (certHandle == NULL)
+ return;
+
+ certData.sdb = sdb;
+ certData.max_cert_count = 0;
+ certData.certs = NULL;
+ certData.cert_count = 0;
+ certData.template = pTemplate;
+ certData.templ_count = ulCount;
+ certData.classFlags = classFlags;
+ certData.strict = LG_STRICT;
+
+ /*
+ * Find the Cert.
+ */
+ if (derCert->data != NULL) {
+ NSSLOWCERTCertificate *cert =
+ nsslowcert_FindCertByDERCert(certHandle, derCert);
+ lg_searchSingleCert(&certData, cert);
+ } else if (name->data != NULL) {
+ char *tmp_name = (char *)PORT_Alloc(name->len + 1);
+ int count;
+
+ if (tmp_name == NULL) {
+ return;
+ }
+ PORT_Memcpy(tmp_name, name->data, name->len);
+ tmp_name[name->len] = 0;
+
+ count = nsslowcert_NumPermCertsForNickname(certHandle, tmp_name);
+ lg_CertSetupData(&certData, count);
+ nsslowcert_TraversePermCertsForNickname(certHandle, tmp_name,
+ lg_cert_collect, &certData);
+ PORT_Free(tmp_name);
+ } else if (derSubject->data != NULL) {
+ int count;
+
+ count = nsslowcert_NumPermCertsForSubject(certHandle, derSubject);
+ lg_CertSetupData(&certData, count);
+ nsslowcert_TraversePermCertsForSubject(certHandle, derSubject,
+ lg_cert_collect, &certData);
+ } else if ((issuerSN->derIssuer.data != NULL) &&
+ (issuerSN->serialNumber.data != NULL)) {
+ if (classFlags & LG_CERT) {
+ NSSLOWCERTCertificate *cert =
+ nsslowcert_FindCertByIssuerAndSN(certHandle, issuerSN);
+
+ lg_searchSingleCert(&certData, cert);
+ }
+ if (classFlags & LG_TRUST) {
+ NSSLOWCERTTrust *trust =
+ nsslowcert_FindTrustByIssuerAndSN(certHandle, issuerSN);
+
+ if (trust) {
+ lg_addHandle(handles,
+ lg_mkHandle(sdb, &trust->dbKey, LG_TOKEN_TYPE_TRUST));
+ nsslowcert_DestroyTrust(trust);
+ }
+ }
+ } else if (email->data != NULL) {
+ char *tmp_name = (char *)PORT_Alloc(email->len + 1);
+ certDBEntrySMime *entry = NULL;
+
+ if (tmp_name == NULL) {
+ return;
+ }
+ PORT_Memcpy(tmp_name, email->data, email->len);
+ tmp_name[email->len] = 0;
+
+ entry = nsslowcert_ReadDBSMimeEntry(certHandle, tmp_name);
+ if (entry) {
+ int count;
+ SECItem *subjectName = &entry->subjectName;
+
+ count = nsslowcert_NumPermCertsForSubject(certHandle, subjectName);
+ lg_CertSetupData(&certData, count);
+ nsslowcert_TraversePermCertsForSubject(certHandle, subjectName,
+ lg_cert_collect, &certData);
+
+ nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+ }
+ PORT_Free(tmp_name);
+ } else {
+ /* we aren't filtering the certs, we are working on all, so turn
+ * on the strict filters. */
+ certData.strict = PR_TRUE;
+ lg_CertSetupData(&certData, LG_SEARCH_BLOCK_SIZE);
+ nsslowcert_TraversePermCerts(certHandle, lg_cert_collect2, &certData);
+ }
+
+ /*
+ * build the handles
+ */
+ for (i = 0; i < certData.cert_count; i++) {
+ NSSLOWCERTCertificate *cert = certData.certs[i];
+
+ /* if we filtered it would have been on the stuff above */
+ if (classFlags & LG_CERT) {
+ lg_addHandle(handles,
+ lg_mkHandle(sdb, &cert->certKey, LG_TOKEN_TYPE_CERT));
+ }
+ if ((classFlags & LG_TRUST) && nsslowcert_hasTrust(cert->trust)) {
+ lg_addHandle(handles,
+ lg_mkHandle(sdb, &cert->certKey, LG_TOKEN_TYPE_TRUST));
+ }
+ nsslowcert_DestroyCertificate(cert);
+ }
+
+ if (certData.certs)
+ PORT_Free(certData.certs);
+ return;
+}
+
+static SECStatus
+lg_smime_collect(SECItem *data, SECItem *key, certDBEntryType type, void *arg)
+{
+ lgEntryData *smimeData;
+ SDB *sdb;
+
+ smimeData = (lgEntryData *)arg;
+ sdb = smimeData->sdb;
+
+ if (lg_tokenMatch(sdb, key, LG_TOKEN_TYPE_SMIME,
+ smimeData->template, smimeData->templ_count)) {
+ lg_addHandle(smimeData->searchHandles,
+ lg_mkHandle(sdb, key, LG_TOKEN_TYPE_SMIME));
+ }
+ return (SECSuccess);
+}
+
+static void
+lg_searchSMime(SDB *sdb, SECItem *email, SDBFind *handles,
+ const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+ NSSLOWCERTCertDBHandle *certHandle = NULL;
+ certDBEntrySMime *entry;
+
+ certHandle = lg_getCertDB(sdb);
+ if (certHandle == NULL)
+ return;
+
+ if (email->data != NULL) {
+ char *tmp_name = (char *)PORT_Alloc(email->len + 1);
+
+ if (tmp_name == NULL) {
+ return;
+ }
+ PORT_Memcpy(tmp_name, email->data, email->len);
+ tmp_name[email->len] = 0;
+
+ entry = nsslowcert_ReadDBSMimeEntry(certHandle, tmp_name);
+ if (entry) {
+ SECItem emailKey;
+
+ emailKey.data = (unsigned char *)tmp_name;
+ emailKey.len = PORT_Strlen(tmp_name) + 1;
+ emailKey.type = 0;
+ lg_addHandle(handles,
+ lg_mkHandle(sdb, &emailKey, LG_TOKEN_TYPE_SMIME));
+ nsslowcert_DestroyDBEntry((certDBEntry *)entry);
+ }
+ PORT_Free(tmp_name);
+ } else {
+ /* traverse */
+ lgEntryData smimeData;
+
+ /* traverse */
+ smimeData.sdb = sdb;
+ smimeData.searchHandles = handles;
+ smimeData.template = pTemplate;
+ smimeData.templ_count = ulCount;
+ nsslowcert_TraverseDBEntries(certHandle, certDBEntryTypeSMimeProfile,
+ lg_smime_collect, (void *)&smimeData);
+ }
+ return;
+}
+
+static CK_RV
+lg_searchTokenList(SDB *sdb, SDBFind *search,
+ const CK_ATTRIBUTE *pTemplate, CK_LONG ulCount)
+{
+ int i;
+ PRBool isKrl = PR_FALSE;
+ SECItem derCert = { siBuffer, NULL, 0 };
+ SECItem derSubject = { siBuffer, NULL, 0 };
+ SECItem name = { siBuffer, NULL, 0 };
+ SECItem email = { siBuffer, NULL, 0 };
+ SECItem key_id = { siBuffer, NULL, 0 };
+ SECItem cert_sha1_hash = { siBuffer, NULL, 0 };
+ SECItem cert_md5_hash = { siBuffer, NULL, 0 };
+ NSSLOWCERTIssuerAndSN issuerSN = {
+ { siBuffer, NULL, 0 },
+ { siBuffer, NULL, 0 }
+ };
+ SECItem *copy = NULL;
+ CK_CERTIFICATE_TYPE certType;
+ CK_OBJECT_CLASS objectClass;
+ CK_RV crv;
+ unsigned long classFlags;
+
+ if (lg_getCertDB(sdb) == NULL) {
+ classFlags = LG_PRIVATE | LG_KEY;
+ } else {
+ classFlags = LG_CERT | LG_TRUST | LG_PUBLIC | LG_SMIME | LG_CRL;
+ }
+
+ /*
+ * look for things to search on token objects for. If the right options
+ * are specified, we can use them as direct indeces into the database
+ * (rather than using linear searches. We can also use the attributes to
+ * limit the kinds of objects we are searching for. Later we can use this
+ * array to filter the remaining objects more finely.
+ */
+ for (i = 0; classFlags && i < (int)ulCount; i++) {
+
+ switch (pTemplate[i].type) {
+ case CKA_SUBJECT:
+ copy = &derSubject;
+ classFlags &= (LG_CERT | LG_PRIVATE | LG_PUBLIC | LG_SMIME | LG_CRL);
+ break;
+ case CKA_ISSUER:
+ copy = &issuerSN.derIssuer;
+ classFlags &= (LG_CERT | LG_TRUST);
+ break;
+ case CKA_SERIAL_NUMBER:
+ copy = &issuerSN.serialNumber;
+ classFlags &= (LG_CERT | LG_TRUST);
+ break;
+ case CKA_VALUE:
+ copy = &derCert;
+ classFlags &= (LG_CERT | LG_CRL | LG_SMIME);
+ break;
+ case CKA_LABEL:
+ copy = &name;
+ break;
+ case CKA_NSS_EMAIL:
+ copy = &email;
+ classFlags &= LG_SMIME | LG_CERT;
+ break;
+ case CKA_NSS_SMIME_TIMESTAMP:
+ classFlags &= LG_SMIME;
+ break;
+ case CKA_CLASS:
+ crv = lg_GetULongAttribute(CKA_CLASS, &pTemplate[i], 1, &objectClass);
+ if (crv != CKR_OK) {
+ classFlags = 0;
+ break;
+ }
+ switch (objectClass) {
+ case CKO_CERTIFICATE:
+ classFlags &= LG_CERT;
+ break;
+ case CKO_NSS_TRUST:
+ classFlags &= LG_TRUST;
+ break;
+ case CKO_NSS_CRL:
+ classFlags &= LG_CRL;
+ break;
+ case CKO_NSS_SMIME:
+ classFlags &= LG_SMIME;
+ break;
+ case CKO_PRIVATE_KEY:
+ classFlags &= LG_PRIVATE;
+ break;
+ case CKO_PUBLIC_KEY:
+ classFlags &= LG_PUBLIC;
+ break;
+ case CKO_SECRET_KEY:
+ classFlags &= LG_KEY;
+ break;
+ default:
+ classFlags = 0;
+ break;
+ }
+ break;
+ case CKA_PRIVATE:
+ if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+ classFlags = 0;
+ break;
+ }
+ if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
+ classFlags &= (LG_PRIVATE | LG_KEY);
+ } else {
+ classFlags &= ~(LG_PRIVATE | LG_KEY);
+ }
+ break;
+ case CKA_SENSITIVE:
+ if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+ classFlags = 0;
+ break;
+ }
+ if (*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE) {
+ classFlags &= (LG_PRIVATE | LG_KEY);
+ } else {
+ classFlags = 0;
+ }
+ break;
+ case CKA_TOKEN:
+ if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+ classFlags = 0;
+ break;
+ }
+ if (*((CK_BBOOL *)pTemplate[i].pValue) != CK_TRUE) {
+ classFlags = 0;
+ }
+ break;
+ case CKA_CERT_SHA1_HASH:
+ classFlags &= LG_TRUST;
+ copy = &cert_sha1_hash;
+ break;
+ case CKA_CERT_MD5_HASH:
+ classFlags &= LG_TRUST;
+ copy = &cert_md5_hash;
+ break;
+ case CKA_CERTIFICATE_TYPE:
+ crv = lg_GetULongAttribute(CKA_CERTIFICATE_TYPE, &pTemplate[i],
+ 1, &certType);
+ if (crv != CKR_OK) {
+ classFlags = 0;
+ break;
+ }
+ classFlags &= LG_CERT;
+ if (certType != CKC_X_509) {
+ classFlags = 0;
+ }
+ break;
+ case CKA_ID:
+ copy = &key_id;
+ classFlags &= (LG_CERT | LG_PRIVATE | LG_KEY | LG_PUBLIC);
+ break;
+ case CKA_NSS_KRL:
+ if (pTemplate[i].ulValueLen != sizeof(CK_BBOOL)) {
+ classFlags = 0;
+ break;
+ }
+ classFlags &= LG_CRL;
+ isKrl = (PRBool)(*((CK_BBOOL *)pTemplate[i].pValue) == CK_TRUE);
+ break;
+ case CKA_MODIFIABLE:
+ break;
+ case CKA_KEY_TYPE:
+ case CKA_DERIVE:
+ classFlags &= LG_PUBLIC | LG_PRIVATE | LG_KEY;
+ break;
+ case CKA_VERIFY_RECOVER:
+ classFlags &= LG_PUBLIC;
+ break;
+ case CKA_SIGN_RECOVER:
+ classFlags &= LG_PRIVATE;
+ break;
+ case CKA_ENCRYPT:
+ case CKA_VERIFY:
+ case CKA_WRAP:
+ classFlags &= LG_PUBLIC | LG_KEY;
+ break;
+ case CKA_DECRYPT:
+ case CKA_SIGN:
+ case CKA_UNWRAP:
+ case CKA_ALWAYS_SENSITIVE:
+ case CKA_EXTRACTABLE:
+ case CKA_NEVER_EXTRACTABLE:
+ classFlags &= LG_PRIVATE | LG_KEY;
+ break;
+ /* can't be a certificate if it doesn't match one of the above
+ * attributes */
+ default:
+ classFlags = 0;
+ break;
+ }
+ if (copy) {
+ copy->data = (unsigned char *)pTemplate[i].pValue;
+ copy->len = pTemplate[i].ulValueLen;
+ }
+ copy = NULL;
+ }
+
+ /* certs */
+ if (classFlags & (LG_CERT | LG_TRUST)) {
+ lg_searchCertsAndTrust(sdb, &derCert, &name, &derSubject,
+ &issuerSN, &email, classFlags, search,
+ pTemplate, ulCount);
+ }
+
+ /* keys */
+ if (classFlags & (LG_PRIVATE | LG_PUBLIC | LG_KEY)) {
+ PRBool mustStrict = (name.len != 0);
+ lg_searchKeys(sdb, &key_id, classFlags, search,
+ mustStrict, pTemplate, ulCount);
+ }
+
+ /* crl's */
+ if (classFlags & LG_CRL) {
+ lg_searchCrls(sdb, &derSubject, isKrl, classFlags, search,
+ pTemplate, ulCount);
+ }
+ /* Add S/MIME entry stuff */
+ if (classFlags & LG_SMIME) {
+ lg_searchSMime(sdb, &email, search, pTemplate, ulCount);
+ }
+ return CKR_OK;
+}
+
+/* lg_FindObjectsInit initializes a search for token and session objects
+ * that match a template. */
+CK_RV
+lg_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *pTemplate,
+ CK_ULONG ulCount, SDBFind **retSearch)
+{
+ SDBFind *search;
+ CK_RV crv = CKR_OK;
+
+ *retSearch = NULL;
+
+ search = (SDBFind *)PORT_Alloc(sizeof(SDBFind));
+ if (search == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ search->handles = (CK_OBJECT_HANDLE *)
+ PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * LG_SEARCH_BLOCK_SIZE);
+ if (search->handles == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ search->index = 0;
+ search->size = 0;
+ search->array_size = LG_SEARCH_BLOCK_SIZE;
+ /* FIXME - do we still need to get Login state? */
+
+ crv = lg_searchTokenList(sdb, search, pTemplate, ulCount);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ *retSearch = search;
+ return CKR_OK;
+
+loser:
+ if (search) {
+ lg_FreeSearch(search);
+ }
+ return crv;
+}
+
+/* lg_FindObjects continues a search for token and session objects
+ * that match a template, obtaining additional object handles. */
+CK_RV
+lg_FindObjects(SDB *sdb, SDBFind *search,
+ CK_OBJECT_HANDLE *phObject, CK_ULONG ulMaxObjectCount,
+ CK_ULONG *pulObjectCount)
+{
+ int transfer;
+ int left;
+
+ *pulObjectCount = 0;
+ left = search->size - search->index;
+ transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
+ if (transfer > 0) {
+ PORT_Memcpy(phObject, &search->handles[search->index],
+ transfer * sizeof(CK_OBJECT_HANDLE));
+ } else {
+ *phObject = CK_INVALID_HANDLE;
+ }
+
+ search->index += transfer;
+ *pulObjectCount = transfer;
+ return CKR_OK;
+}
+
+/* lg_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV
+lg_FindObjectsFinal(SDB *lgdb, SDBFind *search)
+{
+
+ if (search != NULL) {
+ lg_FreeSearch(search);
+ }
+ return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/legacydb/lgfips.c b/security/nss/lib/softoken/legacydb/lgfips.c
new file mode 100644
index 0000000000..d9270b4355
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgfips.c
@@ -0,0 +1,120 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */
+
+#ifndef NSS_FIPS_DISABLED
+
+#include "seccomon.h"
+#include "lgdb.h"
+#include "blapi.h"
+
+/*
+ * different platforms have different ways of calling and initial entry point
+ * when the dll/.so is loaded. Most platforms support either a posix pragma
+ * or the GCC attribute. Some platforms suppor a pre-defined name, and some
+ * platforms have a link line way of invoking this function.
+ */
+
+/* The pragma */
+#if defined(USE_INIT_PRAGMA)
+#pragma init(lg_startup_tests)
+#endif
+
+/* GCC Attribute */
+#if defined(__GNUC__) && !defined(NSS_NO_INIT_SUPPORT)
+#define INIT_FUNCTION __attribute__((constructor))
+#else
+#define INIT_FUNCTION
+#endif
+
+static void INIT_FUNCTION lg_startup_tests(void);
+
+/* Windows pre-defined entry */
+#if defined(XP_WIN) && !defined(NSS_NO_INIT_SUPPORT)
+#include <windows.h>
+
+BOOL WINAPI
+DllMain(
+ HINSTANCE hinstDLL, // handle to DLL module
+ DWORD fdwReason, // reason for calling function
+ LPVOID lpReserved) // reserved
+{
+ // Perform actions based on the reason for calling.
+ switch (fdwReason) {
+ case DLL_PROCESS_ATTACH:
+ // Initialize once for each new process.
+ // Return FALSE to fail DLL load.
+ lg_startup_tests();
+ break;
+
+ case DLL_THREAD_ATTACH:
+ // Do thread-specific initialization.
+ break;
+
+ case DLL_THREAD_DETACH:
+ // Do thread-specific cleanup.
+ break;
+
+ case DLL_PROCESS_DETACH:
+ // Perform any necessary cleanup.
+ break;
+ }
+ return TRUE; // Successful DLL_PROCESS_ATTACH.
+}
+#endif
+
+static PRBool lg_self_tests_ran = PR_FALSE;
+static PRBool lg_self_tests_success = PR_FALSE;
+
+static void
+lg_local_function(void)
+{
+}
+
+/*
+ * This function is called at dll load time, the code tha makes this
+ * happen is platform specific on defined above.
+ */
+static void
+lg_startup_tests(void)
+{
+ const char *libraryName = LG_LIB_NAME;
+
+ PORT_Assert(!lg_self_tests_ran);
+ PORT_Assert(!lg_self_tests_success);
+ lg_self_tests_ran = PR_TRUE;
+ lg_self_tests_success = PR_FALSE; /* just in case */
+
+ /* no self tests required for the legacy db, only the integrity check */
+ /* check the integrity of our shared library */
+ if (!BLAPI_SHVerify(libraryName, (PRFuncPtr)&lg_local_function)) {
+ /* something is wrong with the library, fail without enabling
+ * the fips token */
+ return;
+ }
+ /* FIPS product has been installed and is functioning, allow
+ * the module to operate in fips mode */
+ lg_self_tests_success = PR_TRUE;
+}
+
+PRBool
+lg_FIPSEntryOK()
+{
+#ifdef NSS_NO_INIT_SUPPORT
+ /* this should only be set on platforms that can't handle one of the INIT
+ * schemes. This code allows those platforms to continue to function,
+ * though they don't meet the strict NIST requirements. If NO_INIT_SUPPORT
+ * is not set, and init support has not been properly enabled, softken
+ * will always fail because of the test below */
+ if (!lg_self_tests_ran) {
+ lg_startup_tests();
+ }
+#endif
+ return lg_self_tests_success;
+}
+
+#endif /* NSS_FIPS_DISABLED */
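Review bot: `lg_FIPSEntryOK()` is defined with an empty parameter list, which in C declares no prototype; write it as `lg_FIPSEntryOK(void)` to match the `(void)` form already used for `lg_startup_tests`. In `DllMain` the comment `// Return FALSE to fail DLL load` sits directly above an unconditional `return TRUE;`, so a failed `BLAPI_SHVerify` never rejects the load and is only surfaced later through `lg_self_tests_success`; a comment such as `/* an integrity failure is reported via lg_FIPSEntryOK(), not by failing the load */` would make that deliberate rather than look forgotten. Under `NSS_NO_INIT_SUPPORT` the lazy call in `lg_FIPSEntryOK` reads and writes the two static flags without any synchronization, so two threads entering at once could both run the check and trip `PORT_Assert(!lg_self_tests_ran)`; presumably callers serialize first use, but that assumption should be stated next to the `#ifdef`. The `$Id: fipstest.c` line in the file header names a different file and can be dropped.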
diff --git a/security/nss/lib/softoken/legacydb/lginit.c b/security/nss/lib/softoken/legacydb/lginit.c
new file mode 100644
index 0000000000..3cd4d8ea03
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lginit.c
@@ -0,0 +1,661 @@
+/*
+ * NSS utility functions
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "lowkeyi.h"
+#include "pcert.h"
+#include "keydbi.h"
+#include "lgdb.h"
+#include "secoid.h"
+#include "prenv.h"
+#include "softkver.h"
+
+/* Library identity and versioning */
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information
+ */
+const char __nss_dbm_version[] = "Version: NSS " SOFTOKEN_VERSION _DEBUG_STRING;
+
+typedef struct LGPrivateStr {
+ NSSLOWCERTCertDBHandle *certDB;
+ NSSLOWKEYDBHandle *keyDB;
+ PRLock *dbLock;
+ PLHashTable *hashTable;
+} LGPrivate;
+
+static char *
+lg_certdb_name_cb(void *arg, int dbVersion)
+{
+ const char *configdir = (const char *)arg;
+ const char *dbver;
+ char *smpname = NULL;
+ char *dbname = NULL;
+
+ switch (dbVersion) {
+ case 8:
+ dbver = "8";
+ break;
+ case 7:
+ dbver = "7";
+ break;
+ case 6:
+ dbver = "6";
+ break;
+ case 5:
+ dbver = "5";
+ break;
+ case 4:
+ default:
+ dbver = "";
+ break;
+ }
+
+ /* make sure we return something allocated with PORT_ so we have properly
+ * matched frees at the end */
+ smpname = PR_smprintf(CERT_DB_FMT, configdir, dbver);
+ if (smpname) {
+ dbname = PORT_Strdup(smpname);
+ PR_smprintf_free(smpname);
+ }
+ return dbname;
+}
+
+static char *
+lg_keydb_name_cb(void *arg, int dbVersion)
+{
+ const char *configdir = (const char *)arg;
+ const char *dbver;
+ char *smpname = NULL;
+ char *dbname = NULL;
+
+ switch (dbVersion) {
+ case 4:
+ dbver = "4";
+ break;
+ case 3:
+ dbver = "3";
+ break;
+ case 1:
+ dbver = "1";
+ break;
+ case 2:
+ default:
+ dbver = "";
+ break;
+ }
+
+ smpname = PR_smprintf(KEY_DB_FMT, configdir, dbver);
+ if (smpname) {
+ dbname = PORT_Strdup(smpname);
+ PR_smprintf_free(smpname);
+ }
+ return dbname;
+}
+
+const char *
+lg_EvaluateConfigDir(const char *configdir, char **appName)
+{
+ if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS) - 1) == 0) {
+ char *cdir;
+
+ *appName = PORT_Strdup(configdir + sizeof(MULTIACCESS) - 1);
+ if (*appName == NULL) {
+ return configdir;
+ }
+ cdir = *appName;
+ while (*cdir && *cdir != ':') {
+ cdir++;
+ }
+ if (*cdir == ':') {
+ *cdir = 0;
+ cdir++;
+ }
+ configdir = cdir;
+ }
+ return configdir;
+}
+
+static int rdbmapflags(int flags);
+static rdbfunc lg_rdbfunc = NULL;
+static rdbstatusfunc lg_rdbstatusfunc = NULL;
+
+/* NOTE: SHLIB_SUFFIX is defined on the command line */
+#define RDBLIB SHLIB_PREFIX "rdb." SHLIB_SUFFIX
+
+DB *
+rdbopen(const char *appName, const char *prefix,
+ const char *type, int flags, int *status)
+{
+ PRLibrary *lib;
+ DB *db;
+ char *disableUnload = NULL;
+
+ if (lg_rdbfunc) {
+ db = (*lg_rdbfunc)(appName, prefix, type, rdbmapflags(flags));
+ if (!db && status && lg_rdbstatusfunc) {
+ *status = (*lg_rdbstatusfunc)();
+ }
+ return db;
+ }
+
+ /*
+ * try to open the library.
+ */
+ lib = PR_LoadLibrary(RDBLIB);
+
+ if (!lib) {
+ return NULL;
+ }
+
+ /* get the entry points */
+ lg_rdbstatusfunc = (rdbstatusfunc)PR_FindSymbol(lib, "rdbstatus");
+ lg_rdbfunc = (rdbfunc)PR_FindSymbol(lib, "rdbopen");
+ if (lg_rdbfunc) {
+ db = (*lg_rdbfunc)(appName, prefix, type, rdbmapflags(flags));
+ if (!db && status && lg_rdbstatusfunc) {
+ *status = (*lg_rdbstatusfunc)();
+ }
+ return db;
+ }
+
+ /* couldn't find the entry point, unload the library and fail */
+ disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+ if (!disableUnload) {
+ PR_UnloadLibrary(lib);
+ }
+ return NULL;
+}
+
+/*
+ * the following data structures are from rdb.h.
+ */
+struct RDBStr {
+ DB db;
+ int (*xactstart)(DB *db);
+ int (*xactdone)(DB *db, PRBool abort);
+ int version;
+ int (*dbinitcomplete)(DB *db);
+};
+
+#define DB_RDB ((DBTYPE)0xff)
+#define RDB_RDONLY 1
+#define RDB_RDWR 2
+#define RDB_CREATE 4
+
+static int
+rdbmapflags(int flags)
+{
+ switch (flags) {
+ case NO_RDONLY:
+ return RDB_RDONLY;
+ case NO_RDWR:
+ return RDB_RDWR;
+ case NO_CREATE:
+ return RDB_CREATE;
+ default:
+ break;
+ }
+ return 0;
+}
+
+PRBool
+db_IsRDB(DB *db)
+{
+ return (PRBool)db->type == DB_RDB;
+}
+
+int
+db_BeginTransaction(DB *db)
+{
+ struct RDBStr *rdb = (struct RDBStr *)db;
+ if (db->type != DB_RDB) {
+ return 0;
+ }
+
+ return rdb->xactstart(db);
+}
+
+int
+db_FinishTransaction(DB *db, PRBool abort)
+{
+ struct RDBStr *rdb = (struct RDBStr *)db;
+ if (db->type != DB_RDB) {
+ return 0;
+ }
+
+ return rdb->xactdone(db, abort);
+}
+
+static DB *
+lg_getRawDB(SDB *sdb)
+{
+ NSSLOWCERTCertDBHandle *certDB;
+ NSSLOWKEYDBHandle *keyDB;
+
+ certDB = lg_getCertDB(sdb);
+ if (certDB) {
+ return certDB->permCertDB;
+ }
+ keyDB = lg_getKeyDB(sdb);
+ if (keyDB) {
+ return keyDB->db;
+ }
+ return NULL;
+}
+
+CK_RV
+lg_Begin(SDB *sdb)
+{
+ DB *db = lg_getRawDB(sdb);
+ int ret;
+
+ if (db == NULL) {
+ return CKR_GENERAL_ERROR; /* shouldn't happen */
+ }
+ ret = db_BeginTransaction(db);
+ if (ret != 0) {
+ return CKR_GENERAL_ERROR; /* could happen */
+ }
+ return CKR_OK;
+}
+
+CK_RV
+lg_Commit(SDB *sdb)
+{
+ DB *db = lg_getRawDB(sdb);
+ int ret;
+
+ if (db == NULL) {
+ return CKR_GENERAL_ERROR; /* shouldn't happen */
+ }
+ ret = db_FinishTransaction(db, PR_FALSE);
+ if (ret != 0) {
+ return CKR_GENERAL_ERROR; /* could happen */
+ }
+ return CKR_OK;
+}
+
+CK_RV
+lg_Abort(SDB *sdb)
+{
+ DB *db = lg_getRawDB(sdb);
+ int ret;
+
+ if (db == NULL) {
+ return CKR_GENERAL_ERROR; /* shouldn't happen */
+ }
+ ret = db_FinishTransaction(db, PR_TRUE);
+ if (ret != 0) {
+ return CKR_GENERAL_ERROR; /* could happen */
+ }
+ return CKR_OK;
+}
+
+int
+db_InitComplete(DB *db)
+{
+ struct RDBStr *rdb = (struct RDBStr *)db;
+ if (db->type != DB_RDB) {
+ return 0;
+ }
+ /* we should have added a version number to the RDBS structure. Since we
+ * didn't, we detect that we have and 'extended' structure if the rdbstatus
+ * func exists */
+ if (!lg_rdbstatusfunc) {
+ return 0;
+ }
+
+ return rdb->dbinitcomplete(db);
+}
+
+SECStatus
+db_Copy(DB *dest, DB *src)
+{
+ int ret;
+ DBT key, data;
+ ret = (*src->seq)(src, &key, &data, R_FIRST);
+ if (ret) {
+ return SECSuccess;
+ }
+
+ do {
+ (void)(*dest->put)(dest, &key, &data, R_NOOVERWRITE);
+ } while ((*src->seq)(src, &key, &data, R_NEXT) == 0);
+ (void)(*dest->sync)(dest, 0);
+
+ return SECSuccess;
+}
+
+static CK_RV
+lg_OpenCertDB(const char *configdir, const char *prefix, PRBool readOnly,
+ NSSLOWCERTCertDBHandle **certdbPtr)
+{
+ NSSLOWCERTCertDBHandle *certdb = NULL;
+ CK_RV crv = CKR_NSS_CERTDB_FAILED;
+ SECStatus rv;
+ char *name = NULL;
+ char *appName = NULL;
+
+ if (prefix == NULL) {
+ prefix = "";
+ }
+
+ configdir = lg_EvaluateConfigDir(configdir, &appName);
+
+ name = PR_smprintf("%s" PATH_SEPARATOR "%s", configdir, prefix);
+ if (name == NULL)
+ goto loser;
+
+ certdb = (NSSLOWCERTCertDBHandle *)PORT_ZAlloc(sizeof(NSSLOWCERTCertDBHandle));
+ if (certdb == NULL)
+ goto loser;
+
+ certdb->ref = 1;
+ /* fix when we get the DB in */
+ rv = nsslowcert_OpenCertDB(certdb, readOnly, appName, prefix,
+ lg_certdb_name_cb, (void *)name, PR_FALSE);
+ if (rv == SECSuccess) {
+ crv = CKR_OK;
+ *certdbPtr = certdb;
+ certdb = NULL;
+ }
+loser:
+ if (certdb)
+ PR_Free(certdb);
+ if (name)
+ PR_smprintf_free(name);
+ if (appName)
+ PORT_Free(appName);
+ return crv;
+}
+
+static CK_RV
+lg_OpenKeyDB(const char *configdir, const char *prefix, PRBool readOnly,
+ NSSLOWKEYDBHandle **keydbPtr)
+{
+ NSSLOWKEYDBHandle *keydb;
+ char *name = NULL;
+ char *appName = NULL;
+
+ if (prefix == NULL) {
+ prefix = "";
+ }
+ configdir = lg_EvaluateConfigDir(configdir, &appName);
+
+ name = PR_smprintf("%s" PATH_SEPARATOR "%s", configdir, prefix);
+ if (name == NULL)
+ return CKR_HOST_MEMORY;
+ keydb = nsslowkey_OpenKeyDB(readOnly, appName, prefix,
+ lg_keydb_name_cb, (void *)name);
+ PR_smprintf_free(name);
+ if (appName)
+ PORT_Free(appName);
+ if (keydb == NULL)
+ return CKR_NSS_KEYDB_FAILED;
+ *keydbPtr = keydb;
+
+ return CKR_OK;
+}
+
+/*
+ * Accessors for the private parts of the sdb structure.
+ */
+void
+lg_DBLock(SDB *sdb)
+{
+ LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+ SKIP_AFTER_FORK(PR_Lock(lgdb_p->dbLock));
+}
+
+void
+lg_DBUnlock(SDB *sdb)
+{
+ LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+ SKIP_AFTER_FORK(PR_Unlock(lgdb_p->dbLock));
+}
+
+PLHashTable *
+lg_GetHashTable(SDB *sdb)
+{
+ LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+ return lgdb_p->hashTable;
+}
+
+NSSLOWCERTCertDBHandle *
+lg_getCertDB(SDB *sdb)
+{
+ LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+
+ return lgdb_p->certDB;
+}
+
+NSSLOWKEYDBHandle *
+lg_getKeyDB(SDB *sdb)
+{
+ LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+
+ return lgdb_p->keyDB;
+}
+
+PRBool lg_parentForkedAfterC_Initialize;
+
+void
+lg_SetForkState(PRBool forked)
+{
+ lg_parentForkedAfterC_Initialize = forked;
+}
+
+CK_RV
+lg_Close(SDB *sdb)
+{
+ LGPrivate *lgdb_p = (LGPrivate *)sdb->private;
+ lg_ClearTokenKeyHashTable(sdb);
+ if (lgdb_p) {
+ if (lgdb_p->certDB) {
+ nsslowcert_ClosePermCertDB(lgdb_p->certDB);
+ } else if (lgdb_p->keyDB) {
+ nsslowkey_CloseKeyDB(lgdb_p->keyDB);
+ }
+ if (lgdb_p->dbLock) {
+ SKIP_AFTER_FORK(PR_DestroyLock(lgdb_p->dbLock));
+ }
+ if (lgdb_p->hashTable) {
+ PL_HashTableDestroy(lgdb_p->hashTable);
+ }
+ PORT_Free(lgdb_p);
+ }
+ PORT_Free(sdb);
+ return CKR_OK;
+}
+
+static PLHashNumber
+lg_HashNumber(const void *key)
+{
+ return (PLHashNumber)((char *)key - (char *)NULL);
+}
+
+/*
+ * helper function to wrap a NSSLOWCERTCertDBHandle or a NSSLOWKEYDBHandle
+ * with and sdb structure.
+ */
+CK_RV
+lg_init(SDB **pSdb, int flags, NSSLOWCERTCertDBHandle *certdbPtr,
+ NSSLOWKEYDBHandle *keydbPtr)
+{
+ SDB *sdb = NULL;
+ LGPrivate *lgdb_p = NULL;
+ CK_RV error = CKR_HOST_MEMORY;
+
+ *pSdb = NULL;
+ sdb = (SDB *)PORT_Alloc(sizeof(SDB));
+ if (sdb == NULL) {
+ goto loser;
+ }
+ lgdb_p = (LGPrivate *)PORT_Alloc(sizeof(LGPrivate));
+ if (lgdb_p == NULL) {
+ goto loser;
+ }
+ /* invariant fields */
+ lgdb_p->certDB = certdbPtr;
+ lgdb_p->keyDB = keydbPtr;
+ lgdb_p->dbLock = PR_NewLock();
+ if (lgdb_p->dbLock == NULL) {
+ goto loser;
+ }
+ lgdb_p->hashTable = PL_NewHashTable(64, lg_HashNumber, PL_CompareValues,
+ SECITEM_HashCompare, NULL, 0);
+ if (lgdb_p->hashTable == NULL) {
+ PR_DestroyLock(lgdb_p->dbLock);
+ goto loser;
+ }
+
+ sdb->private = lgdb_p;
+ sdb->version = 1;
+ sdb->sdb_flags = flags;
+ sdb->app_private = NULL;
+ sdb->sdb_FindObjectsInit = lg_FindObjectsInit;
+ sdb->sdb_FindObjects = lg_FindObjects;
+ sdb->sdb_FindObjectsFinal = lg_FindObjectsFinal;
+ sdb->sdb_GetAttributeValue = lg_GetAttributeValue;
+ sdb->sdb_SetAttributeValue = lg_SetAttributeValue;
+ sdb->sdb_CreateObject = lg_CreateObject;
+ sdb->sdb_DestroyObject = lg_DestroyObject;
+ sdb->sdb_GetMetaData = lg_GetMetaData;
+ sdb->sdb_PutMetaData = lg_PutMetaData;
+ sdb->sdb_DestroyMetaData = lg_DestroyMetaData;
+ sdb->sdb_Begin = lg_Begin;
+ sdb->sdb_Commit = lg_Commit;
+ sdb->sdb_Abort = lg_Abort;
+ sdb->sdb_Reset = lg_Reset;
+ sdb->sdb_Close = lg_Close;
+ sdb->sdb_SetForkState = lg_SetForkState;
+ sdb->sdb_GetNewObjectID = lg_GetNewObjectID;
+
+ *pSdb = sdb;
+ return CKR_OK;
+
+loser:
+ if (sdb) {
+ PORT_Free(sdb);
+ }
+ if (lgdb_p) {
+ PORT_Free(lgdb_p);
+ }
+ return error;
+}
+
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * "https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * "https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the
+ * Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the
+ * PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ * be opened.
+ */
+CK_RV
+legacy_Open(const char *configdir, const char *certPrefix,
+ const char *keyPrefix, int certVersion, int keyVersion,
+ int flags, SDB **certDB, SDB **keyDB)
+{
+ CK_RV crv = CKR_OK;
+ SECStatus rv;
+ PRBool readOnly = ((flags & 0x7) == SDB_RDONLY) ? PR_TRUE : PR_FALSE;
+
+#define NSS_VERSION_VARIABLE __nss_dbm_version
+#include "verref.h"
+
+#ifndef NSS_FIPS_DISABLED
+ if (flags & SDB_FIPS) {
+ /* We shouldn't get here when FIPS is not enabled on the database. But
+ * we also don't care when this NSS build doesn't support FIPS. */
+ if (!lg_FIPSEntryOK()) {
+ return CKR_DEVICE_ERROR;
+ }
+ }
+#endif
+
+ rv = SECOID_Init();
+ if (SECSuccess != rv) {
+ return CKR_DEVICE_ERROR;
+ }
+ nsslowcert_InitLocks();
+
+ if (keyDB)
+ *keyDB = NULL;
+ if (certDB)
+ *certDB = NULL;
+
+ if (certDB) {
+ NSSLOWCERTCertDBHandle *certdbPtr = NULL;
+
+ crv = lg_OpenCertDB(configdir, certPrefix, readOnly, &certdbPtr);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = lg_init(certDB, flags, certdbPtr, NULL);
+ if (crv != CKR_OK) {
+ nsslowcert_ClosePermCertDB(certdbPtr);
+ goto loser;
+ }
+ }
+ if (keyDB) {
+ NSSLOWKEYDBHandle *keydbPtr;
+
+ crv = lg_OpenKeyDB(configdir, keyPrefix, readOnly, &keydbPtr);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = lg_init(keyDB, flags, NULL, keydbPtr);
+ if (crv != CKR_OK) {
+ nsslowkey_CloseKeyDB(keydbPtr);
+ goto loser;
+ }
+ if (certDB && *certDB) {
+ LGPrivate *lgdb_p = (LGPrivate *)(*certDB)->private;
+ lgdb_p->keyDB = keydbPtr;
+ }
+ }
+
+loser:
+ if (crv != CKR_OK) {
+ if (keyDB && *keyDB) {
+ lg_Close(*keyDB);
+ *keyDB = NULL;
+ }
+ if (certDB && *certDB) {
+ lg_Close(*certDB);
+ *certDB = NULL;
+ }
+ }
+ return crv;
+}
+
+CK_RV
+legacy_Shutdown(PRBool forked)
+{
+ lg_SetForkState(forked);
+ nsslowcert_DestroyFreeLists();
+ nsslowcert_DestroyGlobalLocks();
+ SECOID_Shutdown();
+ lg_SetForkState(PR_FALSE);
+ return CKR_OK;
+}
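Review bot: `lg_OpenCertDB` allocates `certdb` with `PORT_ZAlloc` but releases it on the `loser` path with `PR_Free`, which contradicts the allocator-matching rule this same file states in `lg_certdb_name_cb`; change that line to `PORT_Free(certdb);`. `lg_HashNumber` computes `(char *)key - (char *)NULL`, a pointer subtraction involving a null pointer that C does not define; converting through an unsigned integer of pointer width expresses the same intent, e.g. `return (PLHashNumber)(PRUword)key;`. In `rdbopen`, when `PR_FindSymbol(lib, "rdbopen")` fails the library is unloaded but `lg_rdbstatusfunc` keeps the address looked up just before, so a later call that finds `lg_rdbfunc` NULL can still dereference a pointer into an unloaded module; set `lg_rdbstatusfunc = NULL;` before `PR_UnloadLibrary(lib)`. The two `lg_rdb*` statics are also assigned without synchronization, so concurrent first calls to `rdbopen` appear to race; if callers serialize this, say so in a comment above the statics. `db_IsRDB` casts `db->type` to `PRBool` before comparing rather than casting the comparison, which is harmless here but reads as a precedence slip; `return (PRBool)(db->type == DB_RDB);` states what is meant.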
diff --git a/security/nss/lib/softoken/legacydb/lgutil.c b/security/nss/lib/softoken/legacydb/lgutil.c
new file mode 100644
index 0000000000..d872bf4b39
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lgutil.c
@@ -0,0 +1,399 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "lgdb.h"
+#include "secerr.h"
+#include "lgglue.h"
+
+/*
+ * ******************** Attribute Utilities *******************************
+ */
+
+/*
+ * look up and attribute structure from a type and Object structure.
+ * The returned attribute is referenced and needs to be freed when
+ * it is no longer needed.
+ */
+const CK_ATTRIBUTE *
+lg_FindAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
+ CK_ULONG count)
+{
+ unsigned int i;
+
+ for (i = 0; i < count; i++) {
+ if (templ[i].type == type) {
+ return &templ[i];
+ }
+ }
+ return NULL;
+}
+
+/*
+ * return true if object has attribute
+ */
+PRBool
+lg_hasAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
+ CK_ULONG count)
+{
+ if (lg_FindAttribute(type, templ, count) == NULL) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+}
+
+/*
+ * copy an attribute into a SECItem. Secitem is allocated in the specified
+ * arena.
+ */
+CK_RV
+lg_Attribute2SecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item)
+{
+ int len;
+ const CK_ATTRIBUTE *attribute;
+
+ attribute = lg_FindAttribute(type, templ, count);
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+ len = attribute->ulValueLen;
+
+ if (arena) {
+ item->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
+ } else {
+ item->data = (unsigned char *)PORT_Alloc(len);
+ }
+ if (item->data == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ item->len = len;
+ if (item->len) {
+ PORT_Memcpy(item->data, attribute->pValue, len);
+ }
+ return CKR_OK;
+}
+
+/*
+ * copy an unsigned attribute into a SECItem. Secitem is allocated in
+ * the specified arena.
+ */
+CK_RV
+lg_Attribute2SSecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item)
+{
+ const CK_ATTRIBUTE *attribute;
+ item->data = NULL;
+
+ attribute = lg_FindAttribute(type, templ, count);
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+
+ (void)SECITEM_AllocItem(arena, item, attribute->ulValueLen);
+ if (item->data == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ PORT_Memcpy(item->data, attribute->pValue, item->len);
+ return CKR_OK;
+}
+
+/*
+ * copy an unsigned attribute into a SECItem. Secitem is allocated in
+ * the specified arena.
+ */
+CK_RV
+lg_PrivAttr2SSecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item, SDB *sdbpw)
+{
+ const CK_ATTRIBUTE *attribute;
+ SECItem epki, *dest = NULL;
+ SECStatus rv;
+
+ item->data = NULL;
+
+ attribute = lg_FindAttribute(type, templ, count);
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+
+ epki.data = attribute->pValue;
+ epki.len = attribute->ulValueLen;
+
+ rv = lg_util_decrypt(sdbpw, &epki, &dest);
+ if (rv != SECSuccess) {
+ return CKR_USER_NOT_LOGGED_IN;
+ }
+ (void)SECITEM_AllocItem(arena, item, dest->len);
+ if (item->data == NULL) {
+ SECITEM_FreeItem(dest, PR_TRUE);
+ return CKR_HOST_MEMORY;
+ }
+
+ PORT_Memcpy(item->data, dest->data, item->len);
+ SECITEM_FreeItem(dest, PR_TRUE);
+ return CKR_OK;
+}
+
+CK_RV
+lg_PrivAttr2SecItem(PLArenaPool *arena, CK_ATTRIBUTE_TYPE type,
+ const CK_ATTRIBUTE *templ, CK_ULONG count,
+ SECItem *item, SDB *sdbpw)
+{
+ return lg_PrivAttr2SSecItem(arena, type, templ, count, item, sdbpw);
+}
+
+/*
+ * this is only valid for CK_BBOOL type attributes. Return the state
+ * of that attribute.
+ */
+PRBool
+lg_isTrue(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ const CK_ATTRIBUTE *attribute;
+ PRBool tok = PR_FALSE;
+
+ attribute = lg_FindAttribute(type, templ, count);
+ if (attribute == NULL) {
+ return PR_FALSE;
+ }
+ tok = (PRBool)(*(CK_BBOOL *)attribute->pValue);
+
+ return tok;
+}
+
+/*
+ * return a null terminated string from attribute 'type'. This string
+ * is allocated and needs to be freed with PORT_Free() When complete.
+ */
+char *
+lg_getString(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ, CK_ULONG count)
+{
+ const CK_ATTRIBUTE *attribute;
+ char *label = NULL;
+
+ attribute = lg_FindAttribute(type, templ, count);
+ if (attribute == NULL)
+ return NULL;
+
+ if (attribute->pValue != NULL) {
+ label = (char *)PORT_Alloc(attribute->ulValueLen + 1);
+ if (label == NULL) {
+ return NULL;
+ }
+
+ PORT_Memcpy(label, attribute->pValue, attribute->ulValueLen);
+ label[attribute->ulValueLen] = 0;
+ }
+ return label;
+}
+
+CK_RV
+lg_GetULongAttribute(CK_ATTRIBUTE_TYPE type, const CK_ATTRIBUTE *templ,
+ CK_ULONG count, CK_ULONG *longData)
+{
+ const CK_ATTRIBUTE *attribute;
+ CK_ULONG value = 0;
+ const unsigned char *data;
+ int i;
+
+ attribute = lg_FindAttribute(type, templ, count);
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+
+ if (attribute->ulValueLen != 4) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ data = (const unsigned char *)attribute->pValue;
+ for (i = 0; i < 4; i++) {
+ value |= (CK_ULONG)(data[i]) << ((3 - i) * 8);
+ }
+
+ *longData = value;
+ return CKR_OK;
+}
+
+/*
+ * ******************** Object Utilities *******************************
+ */
+
+SECStatus
+lg_deleteTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle)
+{
+ SECItem *item;
+ PRBool rem;
+ PLHashTable *hashTable = lg_GetHashTable(sdb);
+
+ item = (SECItem *)PL_HashTableLookup(hashTable, (void *)handle);
+ rem = PL_HashTableRemove(hashTable, (void *)handle);
+ if (rem && item) {
+ SECITEM_FreeItem(item, PR_TRUE);
+ }
+ return rem ? SECSuccess : SECFailure;
+}
+
+/* must be called holding lg_DBLock(sdb) */
+static SECStatus
+lg_addTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle, SECItem *key)
+{
+ PLHashEntry *entry;
+ SECItem *item;
+ PLHashTable *hashTable = lg_GetHashTable(sdb);
+
+ item = SECITEM_DupItem(key);
+ if (item == NULL) {
+ return SECFailure;
+ }
+ entry = PL_HashTableAdd(hashTable, (void *)handle, item);
+ if (entry == NULL) {
+ SECITEM_FreeItem(item, PR_TRUE);
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+/* must be called holding lg_DBLock(sdb) */
+const SECItem *
+lg_lookupTokenKeyByHandle(SDB *sdb, CK_OBJECT_HANDLE handle)
+{
+ PLHashTable *hashTable = lg_GetHashTable(sdb);
+ return (const SECItem *)PL_HashTableLookup(hashTable, (void *)handle);
+}
+
+static PRIntn
+lg_freeHashItem(PLHashEntry *entry, PRIntn index, void *arg)
+{
+ SECItem *item = (SECItem *)entry->value;
+
+ SECITEM_FreeItem(item, PR_TRUE);
+ return HT_ENUMERATE_NEXT;
+}
+
+CK_RV
+lg_ClearTokenKeyHashTable(SDB *sdb)
+{
+ PLHashTable *hashTable;
+ lg_DBLock(sdb);
+ hashTable = lg_GetHashTable(sdb);
+ PL_HashTableEnumerateEntries(hashTable, lg_freeHashItem, NULL);
+ lg_DBUnlock(sdb);
+ return CKR_OK;
+}
+
+/*
+ * handle Token Object stuff
+ */
+static void
+lg_XORHash(unsigned char *key, unsigned char *dbkey, int len)
+{
+ int i;
+
+ PORT_Memset(key, 0, 4);
+
+ for (i = 0; i < len - 4; i += 4) {
+ key[0] ^= dbkey[i];
+ key[1] ^= dbkey[i + 1];
+ key[2] ^= dbkey[i + 2];
+ key[3] ^= dbkey[i + 3];
+ }
+}
+
+/* Make a token handle for an object and record it so we can find it again */
+CK_OBJECT_HANDLE
+lg_mkHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class)
+{
+ unsigned char hashBuf[4];
+ CK_OBJECT_HANDLE handle;
+ const SECItem *key;
+
+ handle = class;
+ /* there is only one KRL, use a fixed handle for it */
+ if (handle != LG_TOKEN_KRL_HANDLE) {
+ lg_XORHash(hashBuf, dbKey->data, dbKey->len);
+ handle = ((CK_OBJECT_HANDLE)hashBuf[0] << 24) |
+ ((CK_OBJECT_HANDLE)hashBuf[1] << 16) |
+ ((CK_OBJECT_HANDLE)hashBuf[2] << 8) |
+ (CK_OBJECT_HANDLE)hashBuf[3];
+ handle = class | (handle & ~(LG_TOKEN_TYPE_MASK | LG_TOKEN_MASK));
+ /* we have a CRL who's handle has randomly matched the reserved KRL
+ * handle, increment it */
+ if (handle == LG_TOKEN_KRL_HANDLE) {
+ handle++;
+ }
+ }
+
+ lg_DBLock(sdb);
+ while ((key = lg_lookupTokenKeyByHandle(sdb, handle)) != NULL) {
+ if (SECITEM_ItemsAreEqual(key, dbKey)) {
+ lg_DBUnlock(sdb);
+ return handle;
+ }
+ handle++;
+ }
+ lg_addTokenKeyByHandle(sdb, handle, dbKey);
+ lg_DBUnlock(sdb);
+ return handle;
+}
+
+PRBool
+lg_poisonHandle(SDB *sdb, SECItem *dbKey, CK_OBJECT_HANDLE class)
+{
+ unsigned char hashBuf[4];
+ CK_OBJECT_HANDLE handle;
+ const SECItem *key;
+
+ handle = class;
+ /* there is only one KRL, use a fixed handle for it */
+ if (handle != LG_TOKEN_KRL_HANDLE) {
+ lg_XORHash(hashBuf, dbKey->data, dbKey->len);
+ handle = (hashBuf[0] << 24) | (hashBuf[1] << 16) |
+ (hashBuf[2] << 8) | hashBuf[3];
+ handle = class | (handle & ~(LG_TOKEN_TYPE_MASK | LG_TOKEN_MASK));
+ /* we have a CRL who's handle has randomly matched the reserved KRL
+ * handle, increment it */
+ if (handle == LG_TOKEN_KRL_HANDLE) {
+ handle++;
+ }
+ }
+ lg_DBLock(sdb);
+ while ((key = lg_lookupTokenKeyByHandle(sdb, handle)) != NULL) {
+ if (SECITEM_ItemsAreEqual(key, dbKey)) {
+ key->data[0] ^= 0x80;
+ lg_DBUnlock(sdb);
+ return PR_TRUE;
+ }
+ handle++;
+ }
+ lg_DBUnlock(sdb);
+ return PR_FALSE;
+}
+
+static LGEncryptFunc lg_encrypt_stub = NULL;
+static LGDecryptFunc lg_decrypt_stub = NULL;
+
+void
+legacy_SetCryptFunctions(LGEncryptFunc enc, LGDecryptFunc dec)
+{
+ lg_encrypt_stub = enc;
+ lg_decrypt_stub = dec;
+}
+
+SECStatus
+lg_util_encrypt(PLArenaPool *arena, SDB *sdb,
+ SECItem *plainText, SECItem **cipherText)
+{
+ if (lg_encrypt_stub == NULL) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*lg_encrypt_stub)(arena, sdb, plainText, cipherText);
+}
+
+SECStatus
+lg_util_decrypt(SDB *sdb, SECItem *cipherText, SECItem **plainText)
+{
+ if (lg_decrypt_stub == NULL) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*lg_decrypt_stub)(sdb, cipherText, plainText);
+}
diff --git a/security/nss/lib/softoken/legacydb/lowcert.c b/security/nss/lib/softoken/legacydb/lowcert.c
new file mode 100644
index 0000000000..5a349f0aad
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lowcert.c
@@ -0,0 +1,854 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Certificate handling code
+ */
+
+#include "seccomon.h"
+#include "secder.h"
+#include "nssilock.h"
+#include "lowkeyi.h"
+#include "secasn1.h"
+#include "secoid.h"
+#include "secerr.h"
+#include "pcert.h"
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+static const SEC_ASN1Template nsslowcert_SubjectPublicKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWCERTSubjectPublicKeyInfo) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWCERTSubjectPublicKeyInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_BIT_STRING,
+ offsetof(NSSLOWCERTSubjectPublicKeyInfo, subjectPublicKey) },
+ { 0 }
+};
+
+static const SEC_ASN1Template nsslowcert_RSAPublicKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPublicKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.modulus) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.publicExponent) },
+ { 0 }
+};
+static const SEC_ASN1Template nsslowcert_DSAPublicKeyTemplate[] = {
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.dsa.publicValue) },
+ { 0 }
+};
+static const SEC_ASN1Template nsslowcert_DHPublicKeyTemplate[] = {
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.dh.publicValue) },
+ { 0 }
+};
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type. This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+static void
+prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+ pubk->u.rsa.modulus.type = siUnsignedInteger;
+ pubk->u.rsa.publicExponent.type = siUnsignedInteger;
+}
+
+static void
+prepare_low_dsa_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+ pubk->u.dsa.publicValue.type = siUnsignedInteger;
+ pubk->u.dsa.params.prime.type = siUnsignedInteger;
+ pubk->u.dsa.params.subPrime.type = siUnsignedInteger;
+ pubk->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+static void
+prepare_low_dh_pub_key_for_asn1(NSSLOWKEYPublicKey *pubk)
+{
+ pubk->u.dh.prime.type = siUnsignedInteger;
+ pubk->u.dh.base.type = siUnsignedInteger;
+ pubk->u.dh.publicValue.type = siUnsignedInteger;
+}
+
+/*
+ * simple cert decoder to avoid the cost of asn1 engine
+ */
+static unsigned char *
+nsslowcert_dataStart(unsigned char *buf, unsigned int length,
+ unsigned int *data_length, PRBool includeTag,
+ unsigned char *rettag)
+{
+ unsigned char tag;
+ unsigned int used_length = 0;
+
+ /* need at least a tag and a 1 byte length */
+ if (length < 2) {
+ return NULL;
+ }
+
+ tag = buf[used_length++];
+
+ if (rettag) {
+ *rettag = tag;
+ }
+
+ /* blow out when we come to the end */
+ if (tag == 0) {
+ return NULL;
+ }
+
+ *data_length = buf[used_length++];
+
+ if (*data_length & 0x80) {
+ int len_count = *data_length & 0x7f;
+
+ if (len_count + used_length > length) {
+ return NULL;
+ }
+
+ *data_length = 0;
+
+ while (len_count-- > 0) {
+ *data_length = (*data_length << 8) | buf[used_length++];
+ }
+ }
+
+ if (*data_length > (length - used_length)) {
+ *data_length = length - used_length;
+ return NULL;
+ }
+ if (includeTag)
+ *data_length += used_length;
+
+ return (buf + (includeTag ? 0 : used_length));
+}
+
+static void
+SetTimeType(SECItem *item, unsigned char tagtype)
+{
+ switch (tagtype) {
+ case SEC_ASN1_UTC_TIME:
+ item->type = siUTCTime;
+ break;
+
+ case SEC_ASN1_GENERALIZED_TIME:
+ item->type = siGeneralizedTime;
+ break;
+
+ default:
+ PORT_Assert(0);
+ break;
+ }
+}
+
+static int
+nsslowcert_GetValidityFields(unsigned char *buf, int buf_length,
+ SECItem *notBefore, SECItem *notAfter)
+{
+ unsigned char tagtype;
+ notBefore->data = nsslowcert_dataStart(buf, buf_length,
+ &notBefore->len, PR_FALSE, &tagtype);
+ if (notBefore->data == NULL)
+ return SECFailure;
+ SetTimeType(notBefore, tagtype);
+ buf_length -= (notBefore->data - buf) + notBefore->len;
+ buf = notBefore->data + notBefore->len;
+ notAfter->data = nsslowcert_dataStart(buf, buf_length,
+ &notAfter->len, PR_FALSE, &tagtype);
+ if (notAfter->data == NULL)
+ return SECFailure;
+ SetTimeType(notAfter, tagtype);
+ return SECSuccess;
+}
+
+static int
+nsslowcert_GetCertFields(unsigned char *cert, int cert_length,
+ SECItem *issuer, SECItem *serial, SECItem *derSN, SECItem *subject,
+ SECItem *valid, SECItem *subjkey, SECItem *extensions)
+{
+ unsigned char *buf;
+ unsigned int buf_length;
+ unsigned char *dummy;
+ unsigned int dummylen;
+
+ /* get past the signature wrap */
+ buf = nsslowcert_dataStart(cert, cert_length, &buf_length, PR_FALSE, NULL);
+ if (buf == NULL)
+ return SECFailure;
+ /* get into the raw cert data */
+ buf = nsslowcert_dataStart(buf, buf_length, &buf_length, PR_FALSE, NULL);
+ if (buf == NULL)
+ return SECFailure;
+ /* skip past any optional version number */
+ if ((buf[0] & 0xa0) == 0xa0) {
+ dummy = nsslowcert_dataStart(buf, buf_length, &dummylen, PR_FALSE, NULL);
+ if (dummy == NULL)
+ return SECFailure;
+ buf_length -= (dummy - buf) + dummylen;
+ buf = dummy + dummylen;
+ }
+ /* serial number */
+ if (derSN) {
+ derSN->data = nsslowcert_dataStart(buf, buf_length, &derSN->len, PR_TRUE, NULL);
+ /* derSN->data doesn't need to be checked because if it fails so will
+ * serial->data below. The only difference between the two calls is
+ * whether or not the tags are included in the returned buffer */
+ }
+ serial->data = nsslowcert_dataStart(buf, buf_length, &serial->len, PR_FALSE, NULL);
+ if (serial->data == NULL)
+ return SECFailure;
+ buf_length -= (serial->data - buf) + serial->len;
+ buf = serial->data + serial->len;
+ /* skip the OID */
+ dummy = nsslowcert_dataStart(buf, buf_length, &dummylen, PR_FALSE, NULL);
+ if (dummy == NULL)
+ return SECFailure;
+ buf_length -= (dummy - buf) + dummylen;
+ buf = dummy + dummylen;
+ /* issuer */
+ issuer->data = nsslowcert_dataStart(buf, buf_length, &issuer->len, PR_TRUE, NULL);
+ if (issuer->data == NULL)
+ return SECFailure;
+ buf_length -= (issuer->data - buf) + issuer->len;
+ buf = issuer->data + issuer->len;
+
+ /* only wanted issuer/SN */
+ if (valid == NULL) {
+ return SECSuccess;
+ }
+ /* validity */
+ valid->data = nsslowcert_dataStart(buf, buf_length, &valid->len, PR_FALSE, NULL);
+ if (valid->data == NULL)
+ return SECFailure;
+ buf_length -= (valid->data - buf) + valid->len;
+ buf = valid->data + valid->len;
+ /*subject */
+ subject->data = nsslowcert_dataStart(buf, buf_length, &subject->len, PR_TRUE, NULL);
+ if (subject->data == NULL)
+ return SECFailure;
+ buf_length -= (subject->data - buf) + subject->len;
+ buf = subject->data + subject->len;
+ /* subject key info */
+ subjkey->data = nsslowcert_dataStart(buf, buf_length, &subjkey->len, PR_TRUE, NULL);
+ if (subjkey->data == NULL)
+ return SECFailure;
+ buf_length -= (subjkey->data - buf) + subjkey->len;
+ buf = subjkey->data + subjkey->len;
+
+ extensions->data = NULL;
+ extensions->len = 0;
+ while (buf_length > 0) {
+ /* EXTENSIONS */
+ if (buf[0] == 0xa3) {
+ extensions->data = nsslowcert_dataStart(buf, buf_length,
+ &extensions->len, PR_FALSE, NULL);
+ /* if the DER is bad, we should fail. Previously we accepted
+ * bad DER here and treated the extension as missin */
+ if (extensions->data == NULL ||
+ (extensions->data - buf) + extensions->len != buf_length)
+ return SECFailure;
+ buf = extensions->data;
+ buf_length = extensions->len;
+ /* now parse the SEQUENCE holding the extensions. */
+ dummy = nsslowcert_dataStart(buf, buf_length, &dummylen, PR_FALSE, NULL);
+ if (dummy == NULL ||
+ (dummy - buf) + dummylen != buf_length)
+ return SECFailure;
+ buf_length -= (dummy - buf);
+ buf = dummy;
+ /* Now parse the extensions inside this sequence */
+ }
+ dummy = nsslowcert_dataStart(buf, buf_length, &dummylen, PR_FALSE, NULL);
+ if (dummy == NULL)
+ return SECFailure;
+ buf_length -= (dummy - buf) + dummylen;
+ buf = dummy + dummylen;
+ }
+ return SECSuccess;
+}
+
+static SECStatus
+nsslowcert_GetCertTimes(NSSLOWCERTCertificate *c, PRTime *notBefore, PRTime *notAfter)
+{
+ int rv;
+ NSSLOWCERTValidity validity;
+
+ rv = nsslowcert_GetValidityFields(c->validity.data, c->validity.len,
+ &validity.notBefore, &validity.notAfter);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+
+ /* convert DER not-before time */
+ rv = DER_DecodeTimeChoice(notBefore, &validity.notBefore);
+ if (rv) {
+ return (SECFailure);
+ }
+
+ /* convert DER not-after time */
+ rv = DER_DecodeTimeChoice(notAfter, &validity.notAfter);
+ if (rv) {
+ return (SECFailure);
+ }
+
+ return (SECSuccess);
+}
+
+/*
+ * is certa newer than certb? If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb)
+{
+ PRTime notBeforeA, notAfterA, notBeforeB, notAfterB, now;
+ SECStatus rv;
+ PRBool newerbefore, newerafter;
+
+ rv = nsslowcert_GetCertTimes(certa, &notBeforeA, &notAfterA);
+ if (rv != SECSuccess) {
+ return (PR_FALSE);
+ }
+
+ rv = nsslowcert_GetCertTimes(certb, &notBeforeB, &notAfterB);
+ if (rv != SECSuccess) {
+ return (PR_TRUE);
+ }
+
+ newerbefore = PR_FALSE;
+ if (LL_CMP(notBeforeA, >, notBeforeB)) {
+ newerbefore = PR_TRUE;
+ }
+
+ newerafter = PR_FALSE;
+ if (LL_CMP(notAfterA, >, notAfterB)) {
+ newerafter = PR_TRUE;
+ }
+
+ if (newerbefore && newerafter) {
+ return (PR_TRUE);
+ }
+
+ if ((!newerbefore) && (!newerafter)) {
+ return (PR_FALSE);
+ }
+
+ /* get current time */
+ now = PR_Now();
+
+ if (newerbefore) {
+ /* cert A was issued after cert B, but expires sooner */
+ /* if A is expired, then pick B */
+ if (LL_CMP(notAfterA, <, now)) {
+ return (PR_FALSE);
+ }
+ return (PR_TRUE);
+ } else {
+ /* cert B was issued after cert A, but expires sooner */
+ /* if B is expired, then pick A */
+ if (LL_CMP(notAfterB, <, now)) {
+ return (PR_TRUE);
+ }
+ return (PR_FALSE);
+ }
+}
+
+#define SOFT_DEFAULT_CHUNKSIZE 2048
+
+static SECStatus
+nsslowcert_KeyFromIssuerAndSN(PLArenaPool *arena,
+ SECItem *issuer, SECItem *sn, SECItem *key)
+{
+ unsigned int len = sn->len + issuer->len;
+
+ if (!arena) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ if (len > NSS_MAX_LEGACY_DB_KEY_SIZE) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ goto loser;
+ }
+ key->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
+ if (!key->data) {
+ goto loser;
+ }
+
+ key->len = len;
+ /* copy the serialNumber */
+ PORT_Memcpy(key->data, sn->data, sn->len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+nsslowcert_KeyFromIssuerAndSNStatic(unsigned char *space,
+ int spaceLen, SECItem *issuer, SECItem *sn, SECItem *key)
+{
+ unsigned int len = sn->len + issuer->len;
+
+ key->data = pkcs11_allocStaticData(len, space, spaceLen);
+ if (!key->data) {
+ goto loser;
+ }
+
+ key->len = len;
+ /* copy the serialNumber */
+ PORT_Memcpy(key->data, sn->data, sn->len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&key->data[sn->len], issuer->data, issuer->len);
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+static char *
+nsslowcert_EmailName(SECItem *derDN, char *space, unsigned int len)
+{
+ unsigned char *buf;
+ unsigned int buf_length;
+
+ /* unwrap outer sequence */
+ buf = nsslowcert_dataStart(derDN->data, derDN->len, &buf_length, PR_FALSE, NULL);
+ if (buf == NULL)
+ return NULL;
+
+ /* Walk each RDN */
+ while (buf_length > 0) {
+ unsigned char *rdn;
+ unsigned int rdn_length;
+
+ /* grab next rdn */
+ rdn = nsslowcert_dataStart(buf, buf_length, &rdn_length, PR_FALSE, NULL);
+ if (rdn == NULL) {
+ return NULL;
+ }
+ buf_length -= (rdn - buf) + rdn_length;
+ buf = rdn + rdn_length;
+
+ while (rdn_length > 0) {
+ unsigned char *ava;
+ unsigned int ava_length;
+ unsigned char *oid;
+ unsigned int oid_length;
+ unsigned char *name;
+ unsigned int name_length;
+ SECItem oidItem;
+ SECOidTag type;
+
+ /* unwrap the ava */
+ ava = nsslowcert_dataStart(rdn, rdn_length, &ava_length, PR_FALSE,
+ NULL);
+ if (ava == NULL)
+ return NULL;
+ rdn_length -= (ava - rdn) + ava_length;
+ rdn = ava + ava_length;
+
+ oid = nsslowcert_dataStart(ava, ava_length, &oid_length, PR_FALSE,
+ NULL);
+ if (oid == NULL) {
+ return NULL;
+ }
+ ava_length -= (oid - ava) + oid_length;
+ ava = oid + oid_length;
+
+ name = nsslowcert_dataStart(ava, ava_length, &name_length, PR_FALSE,
+ NULL);
+ if (name == NULL) {
+ return NULL;
+ }
+ ava_length -= (name - ava) + name_length;
+ ava = name + name_length;
+
+ oidItem.data = oid;
+ oidItem.len = oid_length;
+ type = SECOID_FindOIDTag(&oidItem);
+ if ((type == SEC_OID_PKCS9_EMAIL_ADDRESS) ||
+ (type == SEC_OID_RFC1274_MAIL)) {
+ /* Email is supposed to be IA5String, so no
+ * translation necessary */
+ char *emailAddr;
+ emailAddr = (char *)pkcs11_copyStaticData(name, name_length + 1,
+ (unsigned char *)space, len);
+ if (emailAddr) {
+ emailAddr[name_length] = 0;
+ }
+ return emailAddr;
+ }
+ }
+ }
+ return NULL;
+}
+
+static char *
+nsslowcert_EmailAltName(NSSLOWCERTCertificate *cert, char *space,
+ unsigned int len)
+{
+ unsigned char *exts;
+ unsigned int exts_length;
+
+ /* unwrap the sequence */
+ exts = nsslowcert_dataStart(cert->extensions.data, cert->extensions.len,
+ &exts_length, PR_FALSE, NULL);
+ /* loop through extension */
+ while (exts && exts_length > 0) {
+ unsigned char *ext;
+ unsigned int ext_length;
+ unsigned char *oid;
+ unsigned int oid_length;
+ unsigned char *nameList;
+ unsigned int nameList_length;
+ SECItem oidItem;
+ SECOidTag type;
+
+ ext = nsslowcert_dataStart(exts, exts_length, &ext_length,
+ PR_FALSE, NULL);
+ if (ext == NULL) {
+ break;
+ }
+ exts_length -= (ext - exts) + ext_length;
+ exts = ext + ext_length;
+
+ oid = nsslowcert_dataStart(ext, ext_length, &oid_length, PR_FALSE, NULL);
+ if (oid == NULL) {
+ break;
+ }
+ ext_length -= (oid - ext) + oid_length;
+ ext = oid + oid_length;
+ oidItem.data = oid;
+ oidItem.len = oid_length;
+ type = SECOID_FindOIDTag(&oidItem);
+
+ /* get Alt Extension */
+ if (type != SEC_OID_X509_SUBJECT_ALT_NAME) {
+ continue;
+ }
+
+ /* skip passed the critical flag */
+ if (ext[0] == 0x01) { /* BOOLEAN */
+ unsigned char *dummy;
+ unsigned int dummy_length;
+ dummy = nsslowcert_dataStart(ext, ext_length, &dummy_length,
+ PR_FALSE, NULL);
+ if (dummy == NULL) {
+ break;
+ }
+ ext_length -= (dummy - ext) + dummy_length;
+ ext = dummy + dummy_length;
+ }
+
+ /* unwrap the name list */
+ nameList = nsslowcert_dataStart(ext, ext_length, &nameList_length,
+ PR_FALSE, NULL);
+ if (nameList == NULL) {
+ break;
+ }
+ ext_length -= (nameList - ext) + nameList_length;
+ ext = nameList + nameList_length;
+ nameList = nsslowcert_dataStart(nameList, nameList_length,
+ &nameList_length, PR_FALSE, NULL);
+ /* loop through the name list */
+ while (nameList && nameList_length > 0) {
+ unsigned char *thisName;
+ unsigned int thisName_length;
+
+ thisName = nsslowcert_dataStart(nameList, nameList_length,
+ &thisName_length, PR_FALSE, NULL);
+ if (thisName == NULL) {
+ break;
+ }
+ if (nameList[0] == 0xa2) { /* DNS Name */
+ SECItem dn;
+ char *emailAddr;
+
+ dn.data = thisName;
+ dn.len = thisName_length;
+ emailAddr = nsslowcert_EmailName(&dn, space, len);
+ if (emailAddr) {
+ return emailAddr;
+ }
+ }
+ if (nameList[0] == 0x81) { /* RFC 822name */
+ char *emailAddr;
+ emailAddr = (char *)pkcs11_copyStaticData(thisName,
+ thisName_length + 1, (unsigned char *)space, len);
+ if (emailAddr) {
+ emailAddr[thisName_length] = 0;
+ }
+ return emailAddr;
+ }
+ nameList_length -= (thisName - nameList) + thisName_length;
+ nameList = thisName + thisName_length;
+ }
+ break;
+ }
+ return NULL;
+}
+
+static char *
+nsslowcert_GetCertificateEmailAddress(NSSLOWCERTCertificate *cert)
+{
+ char *emailAddr = NULL;
+ char *str;
+
+ emailAddr = nsslowcert_EmailName(&cert->derSubject, cert->emailAddrSpace,
+ sizeof(cert->emailAddrSpace));
+ /* couldn't find the email address in the DN, check the subject Alt name */
+ if (!emailAddr && cert->extensions.data) {
+ emailAddr = nsslowcert_EmailAltName(cert, cert->emailAddrSpace,
+ sizeof(cert->emailAddrSpace));
+ }
+
+ /* make it lower case */
+ str = emailAddr;
+ while (str && *str) {
+ *str = tolower(*str);
+ str++;
+ }
+ return emailAddr;
+}
+
+/*
+ * take a DER certificate and decode it into a certificate structure
+ */
+NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname)
+{
+ NSSLOWCERTCertificate *cert;
+ int rv;
+
+ /* allocate the certificate structure */
+ cert = nsslowcert_CreateCert();
+
+ if (!cert) {
+ goto loser;
+ }
+
+ /* point to passed in DER data */
+ cert->derCert = *derSignedCert;
+ cert->nickname = NULL;
+ cert->certKey.data = NULL;
+ cert->referenceCount = 1;
+
+ /* decode the certificate info */
+ rv = nsslowcert_GetCertFields(cert->derCert.data, cert->derCert.len,
+ &cert->derIssuer, &cert->serialNumber, &cert->derSN, &cert->derSubject,
+ &cert->validity, &cert->derSubjKeyInfo, &cert->extensions);
+
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* cert->subjectKeyID; x509v3 subject key identifier */
+ cert->subjectKeyID.data = NULL;
+ cert->subjectKeyID.len = 0;
+ cert->dbEntry = NULL;
+ cert->trust = NULL;
+ cert->dbhandle = NULL;
+
+ /* generate and save the database key for the cert */
+ rv = nsslowcert_KeyFromIssuerAndSNStatic(cert->certKeySpace,
+ sizeof(cert->certKeySpace), &cert->derIssuer,
+ &cert->serialNumber, &cert->certKey);
+ if (rv) {
+ goto loser;
+ }
+
+ /* set the nickname */
+ if (nickname == NULL) {
+ cert->nickname = NULL;
+ } else {
+ /* copy and install the nickname */
+ cert->nickname = pkcs11_copyNickname(nickname, cert->nicknameSpace,
+ sizeof(cert->nicknameSpace));
+ }
+
+#ifdef FIXME
+ /* initialize the subjectKeyID */
+ rv = cert_GetKeyID(cert);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+#endif
+
+ /* set the email address */
+ cert->emailAddr = nsslowcert_GetCertificateEmailAddress(cert);
+
+ cert->referenceCount = 1;
+
+ return (cert);
+
+loser:
+ if (cert) {
+ nsslowcert_DestroyCertificate(cert);
+ }
+
+ return (0);
+}
+
+char *
+nsslowcert_FixupEmailAddr(char *emailAddr)
+{
+ char *retaddr;
+ char *str;
+
+ if (emailAddr == NULL) {
+ return (NULL);
+ }
+
+ /* copy the string */
+ str = retaddr = PORT_Strdup(emailAddr);
+ if (str == NULL) {
+ return (NULL);
+ }
+
+ /* make it lower case */
+ while (*str) {
+ *str = tolower(*str);
+ str++;
+ }
+
+ return (retaddr);
+}
+
+/*
+ * Generate a database key, based on serial number and issuer, from a
+ * DER certificate.
+ */
+SECStatus
+nsslowcert_KeyFromDERCert(PLArenaPool *arena, SECItem *derCert, SECItem *key)
+{
+ int rv;
+ NSSLOWCERTCertKey certkey;
+
+ PORT_Memset(&certkey, 0, sizeof(NSSLOWCERTCertKey));
+
+ rv = nsslowcert_GetCertFields(derCert->data, derCert->len,
+ &certkey.derIssuer, &certkey.serialNumber, NULL, NULL,
+ NULL, NULL, NULL);
+
+ if (rv) {
+ goto loser;
+ }
+
+ return (nsslowcert_KeyFromIssuerAndSN(arena, &certkey.derIssuer,
+ &certkey.serialNumber, key));
+loser:
+ return (SECFailure);
+}
+
+NSSLOWKEYPublicKey *
+nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *cert)
+{
+ NSSLOWCERTSubjectPublicKeyInfo spki;
+ NSSLOWKEYPublicKey *pubk;
+ SECItem os;
+ SECStatus rv;
+ PLArenaPool *arena;
+ SECOidTag tag;
+ SECItem newDerSubjKeyInfo;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ return NULL;
+
+ pubk = (NSSLOWKEYPublicKey *)
+ PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPublicKey));
+ if (pubk == NULL) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+ }
+
+ pubk->arena = arena;
+ PORT_Memset(&spki, 0, sizeof(spki));
+
+ /* copy the DER into the arena, since Quick DER returns data that points
+ into the DER input, which may get freed by the caller */
+ rv = SECITEM_CopyItem(arena, &newDerSubjKeyInfo, &cert->derSubjKeyInfo);
+ if (rv != SECSuccess) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+ }
+
+ /* we haven't bothered decoding the spki struct yet, do it now */
+ rv = SEC_QuickDERDecodeItem(arena, &spki,
+ nsslowcert_SubjectPublicKeyInfoTemplate, &newDerSubjKeyInfo);
+ if (rv != SECSuccess) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+ }
+
+ /* Convert bit string length from bits to bytes */
+ os = spki.subjectPublicKey;
+ DER_ConvertBitString(&os);
+
+ tag = SECOID_GetAlgorithmTag(&spki.algorithm);
+ switch (tag) {
+ case SEC_OID_X500_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+ pubk->keyType = NSSLOWKEYRSAKey;
+ prepare_low_rsa_pub_key_for_asn1(pubk);
+ rv = SEC_QuickDERDecodeItem(arena, pubk,
+ nsslowcert_RSAPublicKeyTemplate, &os);
+ if (rv == SECSuccess)
+ return pubk;
+ break;
+ case SEC_OID_ANSIX9_DSA_SIGNATURE:
+ pubk->keyType = NSSLOWKEYDSAKey;
+ prepare_low_dsa_pub_key_for_asn1(pubk);
+ rv = SEC_QuickDERDecodeItem(arena, pubk,
+ nsslowcert_DSAPublicKeyTemplate, &os);
+ if (rv == SECSuccess)
+ return pubk;
+ break;
+ case SEC_OID_X942_DIFFIE_HELMAN_KEY:
+ pubk->keyType = NSSLOWKEYDHKey;
+ prepare_low_dh_pub_key_for_asn1(pubk);
+ rv = SEC_QuickDERDecodeItem(arena, pubk,
+ nsslowcert_DHPublicKeyTemplate, &os);
+ if (rv == SECSuccess)
+ return pubk;
+ break;
+ case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+ pubk->keyType = NSSLOWKEYECKey;
+ /* Since PKCS#11 directly takes the DER encoding of EC params
+ * and public value, we don't need any decoding here.
+ */
+ rv = SECITEM_CopyItem(arena, &pubk->u.ec.ecParams.DEREncoding,
+ &spki.algorithm.parameters);
+ if (rv != SECSuccess)
+ break;
+
+ /* Fill out the rest of the ecParams structure
+ * based on the encoded params
+ */
+ if (LGEC_FillParams(arena, &pubk->u.ec.ecParams.DEREncoding,
+ &pubk->u.ec.ecParams) != SECSuccess)
+ break;
+
+ rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &os);
+ if (rv == SECSuccess)
+ return pubk;
+ break;
+ default:
+ rv = SECFailure;
+ break;
+ }
+
+ lg_nsslowkey_DestroyPublicKey(pubk);
+ return NULL;
+}
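Review bot: `if ((buf[0] & 0xa0) == 0xa0)` in nsslowcert_GetCertFields reads buf[0] without checking buf_length, and nsslowcert_dataStart can legitimately return a pointer at the very end of its input with `*data_length == 0` (its bound check only rejects lengths greater than the remaining bytes), so a truncated TBSCertificate such as an outer SEQUENCE wrapping a zero-length SEQUENCE reads one byte past the end of the DER; guard it as `if (buf_length > 0 && (buf[0] & 0xa0) == 0xa0)`. The same pattern occurs at `if (ext[0] == 0x01)` in nsslowcert_EmailAltName, where ext_length may already be 0 once the OID has been consumed, and needs `ext_length > 0 &&` in front of it. Separately, `*str = tolower(*str)` in nsslowcert_GetCertificateEmailAddress and nsslowcert_FixupEmailAddr passes a plain char, which is undefined for bytes above 0x7f where char is signed; write `*str = (char)tolower((unsigned char)*str)` in both loops.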
diff --git a/security/nss/lib/softoken/legacydb/lowkey.c b/security/nss/lib/softoken/legacydb/lowkey.c
new file mode 100644
index 0000000000..a9b7cce3d4
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lowkey.c
@@ -0,0 +1,388 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "lowkeyi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secder.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+static const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYAttribute) },
+ { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
+ { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, offsetof(NSSLOWKEYAttribute, attrValue),
+ SEC_ASN1_SUB(SEC_AnyTemplate) },
+ { 0 }
+};
+
+static const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = {
+ { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate },
+};
+/* ASN1 Templates for new decoder/encoder */
+const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+ { SEC_ASN1_INTEGER,
+ offsetof(NSSLOWKEYPrivateKeyInfo, version) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYPrivateKeyInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSLOWKEYPrivateKeyInfo, privateKey) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
+ nsslowkey_SetOfAttributeTemplate },
+ { 0 }
+};
+
+const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
+ { SEC_ASN1_INTEGER, offsetof(PQGParams, prime) },
+ { SEC_ASN1_INTEGER, offsetof(PQGParams, subPrime) },
+ { SEC_ASN1_INTEGER, offsetof(PQGParams, base) },
+ { 0 }
+};
+
+const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.version) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.modulus) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.publicExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.privateExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.coefficient) },
+ { 0 }
+};
+
+/*
+ * Allows u.rsa.modulus to be zero length for secret keys with an empty
+ * CKA_ID incorrectly generated in NSS 3.13.3 or earlier. Only used for
+ * decoding. See bug 715073.
+ */
+const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate2[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.version) },
+ { SEC_ASN1_ANY, offsetof(NSSLOWKEYPrivateKey, u.rsa.modulus) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.publicExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.privateExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.coefficient) },
+ { 0 }
+};
+
+const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.publicValue) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.privateValue) },
+ { 0 }
+};
+
+const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.publicValue) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.privateValue) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.base) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.prime) },
+ { 0 }
+};
+
+/* NOTE: The SECG specification allows the private key structure
+ * to contain curve parameters but recommends that they be stored
+ * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
+ * instead.
+ */
+const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.ec.version) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSLOWKEYPrivateKey, u.ec.privateValue) },
+ /* We only support named curves for which the parameters are
+ * encoded as an object ID.
+ */
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+ SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0,
+ offsetof(NSSLOWKEYPrivateKey, u.ec.ecParams.curveOID),
+ SEC_ASN1_SUB(SEC_ObjectIDTemplate) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+ SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 1,
+ offsetof(NSSLOWKEYPrivateKey, u.ec.publicValue),
+ SEC_ASN1_SUB(SEC_BitStringTemplate) },
+ { 0 }
+};
+
+/*
+ * smaller version of EC_FillParams. In this code, we only need
+ * oid and DER data.
+ */
+SECStatus
+LGEC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
+ ECParams *params)
+{
+ SECOidTag tag;
+ SECItem oid = { siBuffer, NULL, 0 };
+
+#if EC_DEBUG
+ int i;
+
+ printf("Encoded params in EC_DecodeParams: ");
+ for (i = 0; i < encodedParams->len; i++) {
+ printf("%02x:", encodedParams->data[i]);
+ }
+ printf("\n");
+#endif
+
+ oid.len = encodedParams->len - 2;
+ oid.data = encodedParams->data + 2;
+ if ((encodedParams->data[0] != SEC_ASN1_OBJECT_ID) ||
+ ((tag = SECOID_FindOIDTag(&oid)) == SEC_OID_UNKNOWN)) {
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ return SECFailure;
+ }
+
+ params->arena = arena;
+
+ /* For named curves, fill out curveOID */
+ params->curveOID.len = oid.len;
+ params->curveOID.data = (unsigned char *)PORT_ArenaAlloc(arena, oid.len);
+ if (params->curveOID.data == NULL) {
+ return SECFailure;
+ }
+ memcpy(params->curveOID.data, oid.data, oid.len);
+
+ return SECSuccess;
+}
+
+/* Copy all of the fields from srcParams into dstParams
+ */
+SECStatus
+LGEC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
+ const ECParams *srcParams)
+{
+ SECStatus rv = SECFailure;
+
+ dstParams->arena = arena;
+ rv = SECITEM_CopyItem(arena, &dstParams->DEREncoding,
+ &srcParams->DEREncoding);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ rv = SECITEM_CopyItem(arena, &dstParams->curveOID,
+ &srcParams->curveOID);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ return SECSuccess;
+
+loser:
+ return SECFailure;
+}
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type. This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+void
+lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.rsa.modulus.type = siUnsignedInteger;
+ key->u.rsa.publicExponent.type = siUnsignedInteger;
+ key->u.rsa.privateExponent.type = siUnsignedInteger;
+ key->u.rsa.prime1.type = siUnsignedInteger;
+ key->u.rsa.prime2.type = siUnsignedInteger;
+ key->u.rsa.exponent1.type = siUnsignedInteger;
+ key->u.rsa.exponent2.type = siUnsignedInteger;
+ key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+void
+lg_prepare_low_pqg_params_for_asn1(PQGParams *params)
+{
+ params->prime.type = siUnsignedInteger;
+ params->subPrime.type = siUnsignedInteger;
+ params->base.type = siUnsignedInteger;
+}
+
+void
+lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.dsa.publicValue.type = siUnsignedInteger;
+ key->u.dsa.privateValue.type = siUnsignedInteger;
+ key->u.dsa.params.prime.type = siUnsignedInteger;
+ key->u.dsa.params.subPrime.type = siUnsignedInteger;
+ key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+void
+lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.dh.prime.type = siUnsignedInteger;
+ key->u.dh.base.type = siUnsignedInteger;
+ key->u.dh.publicValue.type = siUnsignedInteger;
+ key->u.dh.privateValue.type = siUnsignedInteger;
+}
+
+void
+lg_prepare_low_ecparams_for_asn1(ECParams *params)
+{
+ params->DEREncoding.type = siUnsignedInteger;
+ params->curveOID.type = siUnsignedInteger;
+}
+
+void
+lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.ec.version.type = siUnsignedInteger;
+ key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
+ key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
+ key->u.ec.privateValue.type = siUnsignedInteger;
+ key->u.ec.publicValue.type = siUnsignedInteger;
+}
+
+void
+lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
+{
+ if (privk && privk->arena) {
+ PORT_FreeArena(privk->arena, PR_TRUE);
+ }
+}
+
+void
+lg_nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
+{
+ if (pubk && pubk->arena) {
+ PORT_FreeArena(pubk->arena, PR_FALSE);
+ }
+}
+
+NSSLOWKEYPublicKey *
+lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
+{
+ NSSLOWKEYPublicKey *pubk;
+ PLArenaPool *arena;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return NULL;
+ }
+
+ switch (privk->keyType) {
+ case NSSLOWKEYRSAKey:
+ case NSSLOWKEYNullKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ if (privk->keyType == NSSLOWKEYNullKey)
+ return pubk;
+ rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
+ &privk->u.rsa.modulus);
+ if (rv == SECSuccess) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.rsa.publicExponent,
+ &privk->u.rsa.publicExponent);
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ } else {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ }
+ break;
+ case NSSLOWKEYDSAKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
+ &privk->u.dsa.publicValue);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+ &privk->u.dsa.params.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+ &privk->u.dsa.params.subPrime);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+ &privk->u.dsa.params.base);
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ break;
+ case NSSLOWKEYDHKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
+ &privk->u.dh.publicValue);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
+ &privk->u.dh.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
+ &privk->u.dh.base);
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ break;
+ case NSSLOWKEYECKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue,
+ &privk->u.ec.publicValue);
+ if (rv != SECSuccess)
+ break;
+ pubk->u.ec.ecParams.arena = arena;
+ /* Copy the rest of the params */
+ rv = LGEC_CopyParams(arena, &(pubk->u.ec.ecParams),
+ &(privk->u.ec.ecParams));
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ break;
+ /* No Fortezza in Low Key implementations (Fortezza keys aren't
+ * stored in our data base */
+ default:
+ break;
+ }
+
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+}
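Review bot: LGEC_FillParams computes `oid.len = encodedParams->len - 2` and reads `encodedParams->data[0]` before checking that the item holds at least two bytes, so an empty or one-byte parameters item underflows the unsigned length and reads outside the buffer; the EC branch of nsslowcert_ExtractPublicKey at the top of this chunk passes the certificate's algorithm.parameters straight through to it. Add a guard ahead of the subtraction: `if (encodedParams->len < 2) { PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); return SECFailure; }`. It is presumably also worth rejecting a mismatched DER length byte, `encodedParams->data[1] != encodedParams->len - 2`, rather than relying on SECOID_FindOIDTag to fail on trailing bytes. Minor: the `#if EC_DEBUG` loop compares a signed `int i` with the unsigned `encodedParams->len`, which trips -Wsign-compare.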
diff --git a/security/nss/lib/softoken/legacydb/lowkeyi.h b/security/nss/lib/softoken/legacydb/lowkeyi.h
new file mode 100644
index 0000000000..4a5bcfa914
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lowkeyi.h
@@ -0,0 +1,148 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _LOWKEYI_H_
+#define _LOWKEYI_H_
+
+#include "prtypes.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "pcertt.h"
+#include "lowkeyti.h"
+#include "sdb.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type. This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+extern void lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void lg_prepare_low_pqg_params_for_asn1(PQGParams *params);
+extern void lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void lg_prepare_low_ecparams_for_asn1(ECParams *params);
+
+typedef char *(*NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
+
+/*
+** Open a key database.
+*/
+extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDB(PRBool readOnly,
+ const char *domain,
+ const char *prefix,
+ NSSLOWKEYDBNameFunc namecb,
+ void *cbarg);
+
+/*
+** Close the specified key database.
+*/
+extern void nsslowkey_CloseKeyDB(NSSLOWKEYDBHandle *handle);
+
+/*
+ * Get the version number of the database
+ */
+extern int nsslowkey_GetKeyDBVersion(NSSLOWKEYDBHandle *handle);
+
+/*
+** Delete a key from the database
+*/
+extern SECStatus nsslowkey_DeleteKey(NSSLOWKEYDBHandle *handle,
+ const SECItem *pubkey);
+
+/*
+** Store a key in the database, indexed by its public key modulus.
+** "pk" is the private key to store
+** "f" is the callback function for getting the password
+** "arg" is the argument for the callback
+*/
+extern SECStatus nsslowkey_StoreKeyByPublicKey(NSSLOWKEYDBHandle *handle,
+ NSSLOWKEYPrivateKey *pk,
+ SECItem *pubKeyData,
+ char *nickname,
+ SDB *sdb);
+
+/* does the key for this cert exist in the database filed by modulus */
+extern PRBool nsslowkey_KeyForCertExists(NSSLOWKEYDBHandle *handle,
+ NSSLOWCERTCertificate *cert);
+/* does a key with this ID already exist? */
+extern PRBool nsslowkey_KeyForIDExists(NSSLOWKEYDBHandle *handle, SECItem *id);
+
+/*
+** Destroy a private key object.
+** "key" the object
+** "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
+
+/*
+** Destroy a public key object.
+** "key" the object
+** "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void lg_nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
+
+/*
+** Convert a low private key "privateKey" into a public low key
+*/
+extern NSSLOWKEYPublicKey
+ *
+ lg_nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
+
+SECStatus
+nsslowkey_UpdateNickname(NSSLOWKEYDBHandle *handle,
+ NSSLOWKEYPrivateKey *privkey,
+ SECItem *pubKeyData,
+ char *nickname,
+ SDB *sdb);
+
+/* Store key by modulus and specify an encryption algorithm to use.
+ * handle is the pointer to the key database,
+ * privkey is the private key to be stored,
+ * f and arg are the function and arguments to the callback
+ * to get a password,
+ * algorithm is the algorithm which the privKey is to be stored.
+ * A return of anything but SECSuccess indicates failure.
+ */
+extern SECStatus
+nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWKEYDBHandle *handle,
+ NSSLOWKEYPrivateKey *privkey,
+ SECItem *pubKeyData,
+ char *nickname,
+ SDB *sdb,
+ PRBool update);
+
+/* Find key by modulus. This function is the inverse of store key
+ * by modulus. An attempt to locate the key with "modulus" is
+ * performed. If the key is found, the private key is returned,
+ * else NULL is returned.
+ * modulus is the modulus to locate
+ */
+extern NSSLOWKEYPrivateKey *
+nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus,
+ SDB *sdb);
+
+extern char *
+nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
+ SECItem *modulus, SDB *sdb);
+
+/*
+ * smaller version of EC_FillParams. In this code, we only need
+ * oid and DER data.
+ */
+SECStatus LGEC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
+ ECParams *params);
+
+/* Copy all of the fields from srcParams into dstParams */
+SECStatus LGEC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
+ const ECParams *srcParams);
+
+SEC_END_PROTOS
+
+#endif /* _LOWKEYI_H_ */
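Review bot: The comment blocks above lg_nsslowkey_DestroyPrivateKey and lg_nsslowkey_DestroyPublicKey document a `"freeit"` argument that neither prototype takes; both take only the key pointer, so the two `** "freeit" if PR_TRUE then free the object as well as its sub-objects` lines should go, and lowkey.c shows the private-key variant always frees its arena with PR_TRUE (zeroing it) while the public-key variant uses PR_FALSE, which is the fact worth stating. The siUnsignedInteger comment refers to "all of the templates above", but no templates are declared in this header; `the lg_nsslowkey_*Template arrays declared in lowkeyti.h` would point the reader to the right place. The comment above nsslowkey_StoreKeyByPublicKey likewise describes `"f"` and `"arg"` password-callback parameters that are not in the prototype, which takes pubKeyData, nickname and an SDB instead.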
diff --git a/security/nss/lib/softoken/legacydb/lowkeyti.h b/security/nss/lib/softoken/legacydb/lowkeyti.h
new file mode 100644
index 0000000000..2fd5d4e293
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/lowkeyti.h
@@ -0,0 +1,130 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef _LOWKEYTI_H_
+#define _LOWKEYTI_H_ 1
+
+#include "blapit.h"
+#include "prtypes.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secasn1t.h"
+#include "secoidt.h"
+
+/*
+ * a key in/for the data base
+ */
+struct NSSLOWKEYDBKeyStr {
+ PLArenaPool *arena;
+ int version;
+ char *nickname;
+ SECItem salt;
+ SECItem derPK;
+};
+typedef struct NSSLOWKEYDBKeyStr NSSLOWKEYDBKey;
+
+typedef struct NSSLOWKEYDBHandleStr NSSLOWKEYDBHandle;
+
+#ifdef NSS_USE_KEY4_DB
+#define NSSLOWKEY_DB_FILE_VERSION 4
+#else
+#define NSSLOWKEY_DB_FILE_VERSION 3
+#endif
+
+#define NSSLOWKEY_VERSION 0 /* what we *create* */
+
+/*
+** Typedef for callback to get a password "key".
+*/
+extern const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate2[];
+extern const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[];
+extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyExportTemplate[];
+#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
+extern const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[];
+
+extern const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
+
+/*
+ * PKCS #8 attributes
+ */
+struct NSSLOWKEYAttributeStr {
+ SECItem attrType;
+ SECItem *attrValue;
+};
+typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECItem version;
+ SECAlgorithmID algorithm;
+ SECItem privateKey;
+ NSSLOWKEYAttribute **attributes;
+};
+typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
+#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYEncryptedPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem encryptedData;
+};
+typedef struct NSSLOWKEYEncryptedPrivateKeyInfoStr NSSLOWKEYEncryptedPrivateKeyInfo;
+
+typedef enum {
+ NSSLOWKEYNullKey = 0,
+ NSSLOWKEYRSAKey = 1,
+ NSSLOWKEYDSAKey = 2,
+ NSSLOWKEYDHKey = 4,
+ NSSLOWKEYECKey = 5
+} NSSLOWKEYType;
+
+/*
+** An RSA public key object.
+*/
+struct NSSLOWKEYPublicKeyStr {
+ PLArenaPool *arena;
+ NSSLOWKEYType keyType;
+ union {
+ RSAPublicKey rsa;
+ DSAPublicKey dsa;
+ DHPublicKey dh;
+ ECPublicKey ec;
+ } u;
+};
+typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
+
+/*
+** Low Level private key object
+** This is only used by the raw Crypto engines (crypto), keydb (keydb),
+** and PKCS #11. Everyone else uses the high level key structure.
+*/
+struct NSSLOWKEYPrivateKeyStr {
+ PLArenaPool *arena;
+ NSSLOWKEYType keyType;
+ union {
+ RSAPrivateKey rsa;
+ DSAPrivateKey dsa;
+ DHPrivateKey dh;
+ ECPrivateKey ec;
+ } u;
+};
+typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
+
+typedef struct NSSLOWKEYPasswordEntryStr NSSLOWKEYPasswordEntry;
+struct NSSLOWKEYPasswordEntryStr {
+ SECItem salt;
+ SECItem value;
+ unsigned char data[128];
+};
+
+#endif /* _LOWKEYTI_H_ */
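Review bot: The comment `** An RSA public key object.` above struct NSSLOWKEYPublicKeyStr is misleading, since the struct carries a keyType tag and a union of RSA, DSA, DH and EC keys; `** A low-level public key object (RSA, DSA, DH or EC, selected by keyType).` would be accurate. The `Typedef for callback to get a password "key".` comment sits above the template extern declarations and describes nothing that follows, and the second `A PKCS#8 private key info object` comment belongs to the encrypted variant, so it should say `** A PKCS#8 encrypted private key info object`. Also, lg_nsslowkey_DHPrivateKeyExportTemplate and nsslowkey_EncryptedPrivateKeyInfoTemplate are declared here but I do not see a definition for either in the lowkey.c added by this commit; if nothing else defines them, the two extern lines are dead.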
diff --git a/security/nss/lib/softoken/legacydb/manifest.mn b/security/nss/lib/softoken/legacydb/manifest.mn
new file mode 100644
index 0000000000..caac524be0
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/manifest.mn
@@ -0,0 +1,32 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../../..
+
+MODULE = nss
+
+REQUIRES = dbm
+
+LIBRARY_NAME = nssdbm
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DLG_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\"
+
+CSRCS = \
+ dbmshim.c \
+ keydb.c \
+ lgattr.c \
+ lgcreate.c \
+ lgdestroy.c \
+ lgfind.c \
+ lgfips.c \
+ lginit.c \
+ lgutil.c \
+ lowcert.c \
+ lowkey.c \
+ pcertdb.c \
+ pk11db.c \
+ $(NULL)
+
diff --git a/security/nss/lib/softoken/legacydb/nssdbm.def b/security/nss/lib/softoken/legacydb/nssdbm.def
new file mode 100644
index 0000000000..dd6d5fa47b
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/nssdbm.def
@@ -0,0 +1,31 @@
+;+#
+;+# This Source Code Form is subject to the terms of the Mozilla Public
+;+# License, v. 2.0. If a copy of the MPL was not distributed with this
+;+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+# 1. For all unix platforms, the string ";-" means "remove this line"
+;+# 2. For all unix platforms, the string " DATA " will be removed from any
+;+# line on which it occurs.
+;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+# On AIX, lines containing ";+" will be removed.
+;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+# 5. For all unix platforms, after the above processing has taken place,
+;+# all characters after the first ";" on the line will be removed.
+;+# And for AIX, the first ";" will also be removed.
+;+# This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+# directives are hidden behind ";", ";+", and ";-"
+;+NSSDBM_3.12 { # NSS 3.12 release
+;+ global:
+LIBRARY nssdbm3 ;-
+EXPORTS ;-
+legacy_Open;
+legacy_Shutdown;
+legacy_ReadSecmodDB;
+legacy_ReleaseSecmodDBData;
+legacy_AddSecmodDB;
+legacy_DeleteSecmodDB;
+legacy_SetCryptFunctions;
+;+ local:
+;+ *;
+;+};
diff --git a/security/nss/lib/softoken/legacydb/nssdbm.rc b/security/nss/lib/softoken/legacydb/nssdbm.rc
new file mode 100644
index 0000000000..cff86168e9
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/nssdbm.rc
@@ -0,0 +1,68 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "../softkver.h"
+#include <winver.h>
+
+#define MY_LIBNAME "nssdbm"
+#define MY_FILEDESCRIPTION "Legacy Database Driver"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define SOFTOKEN_VMAJOR_STR STRINGIZE2(SOFTOKEN_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if SOFTOKEN_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME SOFTOKEN_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,SOFTOKEN_VBUILD
+ PRODUCTVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,SOFTOKEN_VBUILD
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+ BLOCK "StringFileInfo"
+ BEGIN
+ BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+ BEGIN
+ VALUE "CompanyName", "Mozilla Foundation\0"
+ VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+ VALUE "FileVersion", SOFTOKEN_VERSION "\0"
+ VALUE "InternalName", MY_INTERNAL_NAME "\0"
+ VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+ VALUE "ProductName", "Network Security Services\0"
+ VALUE "ProductVersion", SOFTOKEN_VERSION "\0"
+ END
+ END
+ BLOCK "VarFileInfo"
+ BEGIN
+ VALUE "Translation", 0x409, 1200
+ END
+END
diff --git a/security/nss/lib/softoken/legacydb/pcert.h b/security/nss/lib/softoken/legacydb/pcert.h
new file mode 100644
index 0000000000..d4be3f93d3
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pcert.h
@@ -0,0 +1,228 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _PCERTDB_H_
+#define _PCERTDB_H_
+
+#include "plarena.h"
+#include "prlong.h"
+#include "pcertt.h"
+
+#include "lowkeyti.h" /* for struct NSSLOWKEYPublicKeyStr */
+
+SEC_BEGIN_PROTOS
+
+/*
+ * initialize any global certificate locks
+ */
+SECStatus nsslowcert_InitLocks(void);
+
+/*
+** Add a DER encoded certificate to the permanent database.
+** "derCert" is the DER encoded certificate.
+** "nickname" is the nickname to use for the cert
+** "trust" is the trust parameters for the cert
+*/
+SECStatus nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *handle,
+ NSSLOWCERTCertificate *cert,
+ char *nickname, NSSLOWCERTCertTrust *trust);
+SECStatus nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname);
+
+SECStatus nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert);
+
+typedef SECStatus(PR_CALLBACK *PermCertCallback)(NSSLOWCERTCertificate *cert,
+ SECItem *k, void *pdata);
+/*
+** Traverse the entire permanent database, and pass the certs off to a
+** user supplied function.
+** "certfunc" is the user function to call for each certificate
+** "udata" is the user's data, which is passed through to "certfunc"
+*/
+SECStatus
+nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
+ PermCertCallback certfunc,
+ void *udata);
+
+PRBool
+nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle);
+
+certDBEntryRevocation *
+nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle,
+ SECItem *crlKey, PRBool isKRL);
+
+SECStatus
+nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle, const SECItem *derName,
+ PRBool isKRL);
+SECStatus
+nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl,
+ SECItem *derKey, char *url, PRBool isKRL);
+
+NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB();
+NSSLOWKEYPublicKey *nsslowcert_ExtractPublicKey(NSSLOWCERTCertificate *);
+
+NSSLOWCERTCertificate *
+nsslowcert_NewTempCertificate(NSSLOWCERTCertDBHandle *handle, SECItem *derCert,
+ char *nickname, PRBool isperm, PRBool copyDER);
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *cert);
+void nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert);
+void nsslowcert_DestroyTrust(NSSLOWCERTTrust *Trust);
+
+/*
+ * Lookup a certificate in the databases without locking
+ * "certKey" is the database key to look for
+ *
+ * XXX - this should be internal, but pkcs 11 needs to call it during a
+ * traversal.
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey);
+
+/*
+ * Lookup trust for a certificate in the databases without locking
+ * "certKey" is the database key to look for
+ *
+ * XXX - this should be internal, but pkcs 11 needs to call it during a
+ * traversal.
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database. Return the cert if found.
+** "issuerAndSN" is the issuer and serial number to look for
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
+
+/*
+** Generate a certificate key from the issuer and serialnumber, then look it
+** up in the database. Return the cert if found.
+** "issuerAndSN" is the issuer and serial number to look for
+*/
+extern NSSLOWCERTTrust *
+nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN);
+
+/*
+** Find a certificate in the database by a DER encoded certificate
+** "derCert" is the DER encoded certificate
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
+
+/* convert an email address to lower case */
+char *nsslowcert_FixupEmailAddr(char *emailAddr);
+
+/*
+** Decode a DER encoded certificate into an NSSLOWCERTCertificate structure
+** "derSignedCert" is the DER encoded signed certificate
+** "copyDER" is true if the DER should be copied, false if the
+** existing copy should be referenced
+** "nickname" is the nickname to use in the database. If it is NULL
+** then a temporary nickname is generated.
+*/
+extern NSSLOWCERTCertificate *
+nsslowcert_DecodeDERCertificate(SECItem *derSignedCert, char *nickname);
+
+SECStatus
+nsslowcert_KeyFromDERCert(PLArenaPool *arena, SECItem *derCert, SECItem *key);
+
+certDBEntrySMime *
+nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *certHandle,
+ char *emailAddr);
+void
+nsslowcert_DestroyDBEntry(certDBEntry *entry);
+
+SECStatus
+nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+ const char *domain, const char *prefix,
+ NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile);
+
+void
+nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle);
+
+/*
+ * is certa newer than certb? If one is expired, pick the other one.
+ */
+PRBool
+nsslowcert_IsNewer(NSSLOWCERTCertificate *certa, NSSLOWCERTCertificate *certb);
+
+SECStatus
+nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
+ certDBEntryType type,
+ SECStatus (*callback)(SECItem *data, SECItem *key,
+ certDBEntryType type, void *pdata),
+ void *udata);
+SECStatus
+nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+ SECItem *derSubject,
+ NSSLOWCERTCertCallback cb, void *cbarg);
+int
+nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+ SECItem *derSubject);
+SECStatus
+nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+ char *nickname, NSSLOWCERTCertCallback cb, void *cbarg);
+
+int
+nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+ char *nickname);
+SECStatus
+nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert,
+ NSSLOWCERTCertTrust *trust);
+
+SECStatus
+nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr,
+ SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime);
+
+/*
+ * Change the trust attributes of a certificate and make them permanent
+ * in the database.
+ */
+SECStatus
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle,
+ NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust);
+
+PRBool
+nsslowcert_needDBVerify(NSSLOWCERTCertDBHandle *handle);
+
+void
+nsslowcert_setDBVerify(NSSLOWCERTCertDBHandle *handle, PRBool value);
+
+PRBool
+nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust);
+
+void
+nsslowcert_DestroyFreeLists(void);
+
+void
+nsslowcert_DestroyGlobalLocks(void);
+
+void
+pkcs11_freeNickname(char *nickname, char *space);
+
+char *
+pkcs11_copyNickname(char *nickname, char *space, int spaceLen);
+
+void
+pkcs11_freeStaticData(unsigned char *data, unsigned char *space);
+
+unsigned char *
+pkcs11_allocStaticData(int datalen, unsigned char *space, int spaceLen);
+
+unsigned char *
+pkcs11_copyStaticData(unsigned char *data, int datalen, unsigned char *space,
+ int spaceLen);
+NSSLOWCERTCertificate *
+nsslowcert_CreateCert(void);
+
+certDBEntry *
+nsslowcert_DecodeAnyDBEntry(SECItem *dbData, const SECItem *dbKey,
+ certDBEntryType entryType, void *pdata);
+
+SEC_END_PROTOS
+
+#endif /* _PCERTDB_H_ */
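Review bot: `NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB();` declares the function with an empty parameter list, which in C11 is not a prototype, so a call that passes arguments compiles without diagnosis; write `NSSLOWCERTCertDBHandle *nsslowcert_GetDefaultCertDB(void);` as the other no-argument declarations in this header do. The comment above nsslowcert_DecodeDERCertificate documents a `"copyDER"` parameter the prototype does not take, and the comment above nsslowcert_FindTrustByIssuerAndSN is a copy of the certificate one and says it returns the cert rather than the trust entry. The nsslowcert_AddPermCert comment likewise describes `"derCert"` as the DER encoded certificate while the prototype takes an already-decoded NSSLOWCERTCertificate.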
diff --git a/security/nss/lib/softoken/legacydb/pcertdb.c b/security/nss/lib/softoken/legacydb/pcertdb.c
new file mode 100644
index 0000000000..488d0f06ca
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pcertdb.c
@@ -0,0 +1,5350 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Permanent Certificate database handling code
+ */
+#include "lowkeyti.h"
+#include "pcert.h"
+#include "mcom_db.h"
+#include "pcert.h"
+#include "secitem.h"
+#include "secder.h"
+
+#include "secerr.h"
+#include "lgdb.h"
+
+/* forward declaration */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCertNoLocking(NSSLOWCERTCertDBHandle *handle, SECItem *derCert);
+static SECStatus
+nsslowcert_UpdateSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle,
+ char *emailAddr, SECItem *derSubject, SECItem *emailProfile,
+ SECItem *profileTime);
+static SECStatus
+nsslowcert_UpdatePermCert(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust);
+static SECStatus
+nsslowcert_UpdateCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl,
+ SECItem *crlKey, char *url, PRBool isKRL);
+
+static NSSLOWCERTCertificate *certListHead = NULL;
+static NSSLOWCERTTrust *trustListHead = NULL;
+static certDBEntryCert *entryListHead = NULL;
+static int certListCount = 0;
+static int trustListCount = 0;
+static int entryListCount = 0;
+#define MAX_CERT_LIST_COUNT 10
+#define MAX_TRUST_LIST_COUNT 10
+#define MAX_ENTRY_LIST_COUNT 10
+
+/*
+ * the following functions are wrappers for the db library that implement
+ * a global lock to make the database thread safe.
+ */
+static PZLock *dbLock = NULL;
+static PZLock *certRefCountLock = NULL;
+static PZLock *certTrustLock = NULL;
+static PZLock *freeListLock = NULL;
+
+void
+certdb_InitDBLock(NSSLOWCERTCertDBHandle *handle)
+{
+ if (dbLock == NULL) {
+ dbLock = PZ_NewLock(nssILockCertDB);
+ PORT_Assert(dbLock != NULL);
+ }
+}
+
+SECStatus
+nsslowcert_InitLocks(void)
+{
+ if (freeListLock == NULL) {
+ freeListLock = PZ_NewLock(nssILockRefLock);
+ if (freeListLock == NULL) {
+ return SECFailure;
+ }
+ }
+ if (certRefCountLock == NULL) {
+ certRefCountLock = PZ_NewLock(nssILockRefLock);
+ if (certRefCountLock == NULL) {
+ return SECFailure;
+ }
+ }
+ if (certTrustLock == NULL) {
+ certTrustLock = PZ_NewLock(nssILockCertDB);
+ if (certTrustLock == NULL) {
+ return SECFailure;
+ }
+ }
+
+ return SECSuccess;
+}
+
+/*
+ * Acquire the global lock on the cert database.
+ * This lock is currently used for the following operations:
+ * adding or deleting a cert to either the temp or perm databases
+ * converting a temp to perm or perm to temp
+ * changing (maybe just adding!?) the trust of a cert
+ * chaning the DB status checking Configuration
+ */
+static void
+nsslowcert_LockDB(NSSLOWCERTCertDBHandle *handle)
+{
+ PZ_EnterMonitor(handle->dbMon);
+ return;
+}
+
+/*
+ * Free the global cert database lock.
+ */
+static void
+nsslowcert_UnlockDB(NSSLOWCERTCertDBHandle *handle)
+{
+#ifdef DEBUG
+ PRStatus prstat = PZ_ExitMonitor(handle->dbMon);
+ PORT_Assert(prstat == PR_SUCCESS);
+#else
+ PZ_ExitMonitor(handle->dbMon);
+#endif
+}
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+ PORT_Assert(certRefCountLock != NULL);
+
+ PZ_Lock(certRefCountLock);
+ return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+static void
+nsslowcert_UnlockCertRefCount(NSSLOWCERTCertificate *cert)
+{
+ PORT_Assert(certRefCountLock != NULL);
+
+#ifdef DEBUG
+ {
+ PRStatus prstat = PZ_Unlock(certRefCountLock);
+ PORT_Assert(prstat == PR_SUCCESS);
+ }
+#else
+ PZ_Unlock(certRefCountLock);
+#endif
+}
+
+/*
+ * Acquire the cert trust lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockCertTrust(NSSLOWCERTCertificate *cert)
+{
+ PORT_Assert(certTrustLock != NULL);
+
+ PZ_Lock(certTrustLock);
+ return;
+}
+
+/*
+ * Free the cert trust lock
+ */
+static void
+nsslowcert_UnlockCertTrust(NSSLOWCERTCertificate *cert)
+{
+ PORT_Assert(certTrustLock != NULL);
+
+#ifdef DEBUG
+ {
+ PRStatus prstat = PZ_Unlock(certTrustLock);
+ PORT_Assert(prstat == PR_SUCCESS);
+ }
+#else
+ PZ_Unlock(certTrustLock);
+#endif
+}
+
+/*
+ * Acquire the cert reference count lock
+ * There is currently one global lock for all certs, but I'm putting a cert
+ * arg here so that it will be easy to make it per-cert in the future if
+ * that turns out to be necessary.
+ */
+static void
+nsslowcert_LockFreeList(void)
+{
+ PORT_Assert(freeListLock != NULL);
+
+ SKIP_AFTER_FORK(PZ_Lock(freeListLock));
+ return;
+}
+
+/*
+ * Free the cert reference count lock
+ */
+static void
+nsslowcert_UnlockFreeList(void)
+{
+ PORT_Assert(freeListLock != NULL);
+
+#ifdef DEBUG
+ {
+ PRStatus prstat = PR_SUCCESS;
+ SKIP_AFTER_FORK(prstat = PZ_Unlock(freeListLock));
+ PORT_Assert(prstat == PR_SUCCESS);
+ }
+#else
+ SKIP_AFTER_FORK(PZ_Unlock(freeListLock));
+#endif
+}
+
+NSSLOWCERTCertificate *
+nsslowcert_DupCertificate(NSSLOWCERTCertificate *c)
+{
+ if (c) {
+ nsslowcert_LockCertRefCount(c);
+ ++c->referenceCount;
+ nsslowcert_UnlockCertRefCount(c);
+ }
+ return c;
+}
+
+static int
+certdb_Get(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->get)(db, key, data, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ return (ret);
+}
+
+static int
+certdb_Put(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret = 0;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->put)(db, key, data, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ return (ret);
+}
+
+static int
+certdb_Sync(DB *db, unsigned int flags)
+{
+ int ret;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->sync)(db, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ return (ret);
+}
+
+#define DB_NOT_FOUND -30991 /* from DBM 3.2 */
+static int
+certdb_Del(DB *db, DBT *key, unsigned int flags)
+{
+ int ret;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->del)(db, key, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ /* don't fail if the record is already deleted */
+ if (ret == DB_NOT_FOUND) {
+ ret = 0;
+ }
+
+ return (ret);
+}
+
+static int
+certdb_Seq(DB *db, DBT *key, DBT *data, unsigned int flags)
+{
+ int ret;
+
+ PORT_Assert(dbLock != NULL);
+ PZ_Lock(dbLock);
+
+ ret = (*db->seq)(db, key, data, flags);
+
+ (void)PZ_Unlock(dbLock);
+
+ return (ret);
+}
+
+static void
+certdb_Close(DB *db)
+{
+ PORT_Assert(dbLock != NULL);
+ SKIP_AFTER_FORK(PZ_Lock(dbLock));
+
+ (*db->close)(db);
+
+ SKIP_AFTER_FORK(PZ_Unlock(dbLock));
+
+ return;
+}
+
+void
+pkcs11_freeNickname(char *nickname, char *space)
+{
+ if (nickname && nickname != space) {
+ PORT_Free(nickname);
+ }
+}
+
+char *
+pkcs11_copyNickname(char *nickname, char *space, int spaceLen)
+{
+ int len;
+ char *copy = NULL;
+
+ len = PORT_Strlen(nickname) + 1;
+ if (len <= spaceLen) {
+ copy = space;
+ PORT_Memcpy(copy, nickname, len);
+ } else {
+ copy = PORT_Strdup(nickname);
+ }
+
+ return copy;
+}
+
+void
+pkcs11_freeStaticData(unsigned char *data, unsigned char *space)
+{
+ if (data && data != space) {
+ PORT_Free(data);
+ }
+}
+
+unsigned char *
+pkcs11_allocStaticData(int len, unsigned char *space, int spaceLen)
+{
+ unsigned char *data = NULL;
+
+ if (len <= spaceLen) {
+ data = space;
+ } else {
+ data = (unsigned char *)PORT_Alloc(len);
+ }
+
+ return data;
+}
+
+unsigned char *
+pkcs11_copyStaticData(unsigned char *data, int len,
+ unsigned char *space, int spaceLen)
+{
+ unsigned char *copy = pkcs11_allocStaticData(len, space, spaceLen);
+ if (copy) {
+ PORT_Memcpy(copy, data, len);
+ }
+
+ return copy;
+}
+
+/*
+ * destroy a database entry
+ */
+static void
+DestroyDBEntry(certDBEntry *entry)
+{
+ PLArenaPool *arena = entry->common.arena;
+
+ /* must be one of our certDBEntry from the free list */
+ if (arena == NULL) {
+ certDBEntryCert *certEntry;
+ if (entry->common.type != certDBEntryTypeCert) {
+ return;
+ }
+ certEntry = (certDBEntryCert *)entry;
+
+ pkcs11_freeStaticData(certEntry->derCert.data, certEntry->derCertSpace);
+ pkcs11_freeNickname(certEntry->nickname, certEntry->nicknameSpace);
+
+ nsslowcert_LockFreeList();
+ if (entryListCount > MAX_ENTRY_LIST_COUNT) {
+ PORT_Free(certEntry);
+ } else {
+ entryListCount++;
+ PORT_Memset(certEntry, 0, sizeof(*certEntry));
+ certEntry->next = entryListHead;
+ entryListHead = certEntry;
+ }
+ nsslowcert_UnlockFreeList();
+ return;
+ }
+
+ /* Zero out the entry struct, so that any further attempts to use it
+ * will cause an exception (e.g. null pointer reference). */
+ PORT_Memset(&entry->common, 0, sizeof entry->common);
+ PORT_FreeArena(arena, PR_FALSE);
+
+ return;
+}
+
+/* forward references */
+static void nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert);
+
+static SECStatus
+DeleteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryType type, SECItem *dbkey)
+{
+ DBT key;
+ int ret;
+
+ /* init the database key */
+ key.data = dbkey->data;
+ key.size = dbkey->len;
+
+ dbkey->data[0] = (unsigned char)type;
+
+ /* delete entry from database */
+ ret = certdb_Del(handle->permCertDB, &key, 0);
+ if (ret != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ ret = certdb_Sync(handle->permCertDB, 0);
+ if (ret) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+ReadDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
+ SECItem *dbkey, SECItem *dbentry, PLArenaPool *arena)
+{
+ DBT data, key;
+ int ret;
+ unsigned char *buf;
+
+ /* init the database key */
+ key.data = dbkey->data;
+ key.size = dbkey->len;
+
+ dbkey->data[0] = (unsigned char)entry->type;
+
+ /* read entry from database */
+ ret = certdb_Get(handle->permCertDB, &key, &data, 0);
+ if (ret != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* validate the entry */
+ if (data.size < SEC_DB_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ buf = (unsigned char *)data.data;
+ /* version 7 has the same schema, we may be using a v7 db if we openned
+ * the databases readonly. */
+ if (!((buf[0] == (unsigned char)CERT_DB_FILE_VERSION) ||
+ (buf[0] == (unsigned char)CERT_DB_V7_FILE_VERSION))) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ if (buf[1] != (unsigned char)entry->type) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* copy out header information */
+ entry->version = (unsigned int)buf[0];
+ entry->type = (certDBEntryType)buf[1];
+ entry->flags = (unsigned int)buf[2];
+
+ /* format body of entry for return to caller */
+ dbentry->len = data.size - SEC_DB_ENTRY_HEADER_LEN;
+ if (dbentry->len) {
+ if (arena) {
+ dbentry->data = (unsigned char *)
+ PORT_ArenaAlloc(arena, dbentry->len);
+ if (dbentry->data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ PORT_Memcpy(dbentry->data, &buf[SEC_DB_ENTRY_HEADER_LEN],
+ dbentry->len);
+ } else {
+ dbentry->data = &buf[SEC_DB_ENTRY_HEADER_LEN];
+ }
+ } else {
+ dbentry->data = NULL;
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/**
+ ** Implement low level database access
+ **/
+static SECStatus
+WriteDBEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCommon *entry,
+ SECItem *dbkey, SECItem *dbentry)
+{
+ int ret;
+ DBT data, key;
+ unsigned char *buf;
+
+ data.data = dbentry->data;
+ data.size = dbentry->len;
+
+ buf = (unsigned char *)data.data;
+
+ buf[0] = (unsigned char)entry->version;
+ buf[1] = (unsigned char)entry->type;
+ buf[2] = (unsigned char)entry->flags;
+
+ key.data = dbkey->data;
+ key.size = dbkey->len;
+
+ dbkey->data[0] = (unsigned char)entry->type;
+
+ /* put the record into the database now */
+ ret = certdb_Put(handle->permCertDB, &key, &data, 0);
+
+ if (ret != 0) {
+ goto loser;
+ }
+
+ ret = certdb_Sync(handle->permCertDB, 0);
+
+ if (ret) {
+ goto loser;
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * encode a database cert record
+ */
+static SECStatus
+EncodeDBCertEntry(certDBEntryCert *entry, PLArenaPool *arena, SECItem *dbitem)
+{
+ unsigned int nnlen;
+ unsigned char *buf;
+ char *nn;
+ char zbuf = 0;
+
+ if (entry->nickname) {
+ nn = entry->nickname;
+ } else {
+ nn = &zbuf;
+ }
+ nnlen = PORT_Strlen(nn) + 1;
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem->len = entry->derCert.len + nnlen + DB_CERT_ENTRY_HEADER_LEN +
+ SEC_DB_ENTRY_HEADER_LEN;
+
+ dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+ if (dbitem->data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* fill in database record */
+ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+
+ buf[0] = (PRUint8)(entry->trust.sslFlags >> 8);
+ buf[1] = (PRUint8)(entry->trust.sslFlags);
+ buf[2] = (PRUint8)(entry->trust.emailFlags >> 8);
+ buf[3] = (PRUint8)(entry->trust.emailFlags);
+ buf[4] = (PRUint8)(entry->trust.objectSigningFlags >> 8);
+ buf[5] = (PRUint8)(entry->trust.objectSigningFlags);
+ buf[6] = (PRUint8)(entry->derCert.len >> 8);
+ buf[7] = (PRUint8)(entry->derCert.len);
+ buf[8] = (PRUint8)(nnlen >> 8);
+ buf[9] = (PRUint8)(nnlen);
+
+ PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN], entry->derCert.data,
+ entry->derCert.len);
+
+ PORT_Memcpy(&buf[DB_CERT_ENTRY_HEADER_LEN + entry->derCert.len],
+ nn, nnlen);
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * encode a database key for a cert record
+ */
+static SECStatus
+EncodeDBCertKey(const SECItem *certKey, PLArenaPool *arena, SECItem *dbkey)
+{
+ unsigned int len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+ if (len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+ goto loser;
+ if (arena) {
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
+ } else {
+ if (dbkey->len < len) {
+ dbkey->data = (unsigned char *)PORT_Alloc(len);
+ }
+ }
+ dbkey->len = len;
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
+ certKey->data, certKey->len);
+ dbkey->data[0] = certDBEntryTypeCert;
+
+ return (SECSuccess);
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+EncodeDBGenericKey(const SECItem *certKey, PLArenaPool *arena, SECItem *dbkey,
+ certDBEntryType entryType)
+{
+ /*
+ * we only allow _one_ KRL key!
+ */
+ if (entryType == certDBEntryTypeKeyRevocation) {
+ dbkey->len = SEC_DB_KEY_HEADER_LEN;
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ dbkey->data[0] = (unsigned char)entryType;
+ return (SECSuccess);
+ }
+
+ dbkey->len = certKey->len + SEC_DB_KEY_HEADER_LEN;
+ if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+ goto loser;
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN],
+ certKey->data, certKey->len);
+ dbkey->data[0] = (unsigned char)entryType;
+
+ return (SECSuccess);
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry)
+{
+ unsigned int nnlen;
+ unsigned int headerlen;
+ int lenoff;
+
+ /* allow updates of old versions of the database */
+ switch (entry->common.version) {
+ case 5:
+ headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
+ lenoff = 3;
+ break;
+ case 6:
+ /* should not get here */
+ PORT_Assert(0);
+ headerlen = DB_CERT_V6_ENTRY_HEADER_LEN;
+ lenoff = 3;
+ break;
+ case 7:
+ case 8:
+ headerlen = DB_CERT_ENTRY_HEADER_LEN;
+ lenoff = 6;
+ break;
+ default:
+ /* better not get here */
+ PORT_Assert(0);
+ headerlen = DB_CERT_V5_ENTRY_HEADER_LEN;
+ lenoff = 3;
+ break;
+ }
+
+ /* is record long enough for header? */
+ if (dbentry->len < headerlen) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* is database entry correct length? */
+ entry->derCert.len = ((dbentry->data[lenoff] << 8) |
+ dbentry->data[lenoff + 1]);
+ nnlen = ((dbentry->data[lenoff + 2] << 8) | dbentry->data[lenoff + 3]);
+ lenoff = dbentry->len - (entry->derCert.len + nnlen + headerlen);
+ if (lenoff) {
+ if (lenoff < 0 || (lenoff & 0xffff) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ /* The cert size exceeded 64KB. Reconstruct the correct length. */
+ entry->derCert.len += lenoff;
+ }
+
+ /* Is data long enough? */
+ if (dbentry->len < headerlen + entry->derCert.len) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* copy the dercert */
+ entry->derCert.data = pkcs11_copyStaticData(&dbentry->data[headerlen],
+ entry->derCert.len, entry->derCertSpace, sizeof(entry->derCertSpace));
+ if (entry->derCert.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* copy the nickname */
+ if (nnlen > 1) {
+ /* Is data long enough? */
+ if (dbentry->len < headerlen + entry->derCert.len + nnlen) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ entry->nickname = (char *)pkcs11_copyStaticData(
+ &dbentry->data[headerlen + entry->derCert.len], nnlen,
+ (unsigned char *)entry->nicknameSpace,
+ sizeof(entry->nicknameSpace));
+ if (entry->nickname == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ } else {
+ entry->nickname = NULL;
+ }
+
+ if (entry->common.version < 7) {
+ /* allow updates of v5 db */
+ entry->trust.sslFlags = dbentry->data[0];
+ entry->trust.emailFlags = dbentry->data[1];
+ entry->trust.objectSigningFlags = dbentry->data[2];
+ } else {
+ entry->trust.sslFlags = (dbentry->data[0] << 8) | dbentry->data[1];
+ entry->trust.emailFlags = (dbentry->data[2] << 8) | dbentry->data[3];
+ entry->trust.objectSigningFlags =
+ (dbentry->data[4] << 8) | dbentry->data[5];
+ }
+
+ return (SECSuccess);
+loser:
+ return (SECFailure);
+}
+
+/*
+ * Create a new certDBEntryCert from existing data
+ */
+static certDBEntryCert *
+NewDBCertEntry(SECItem *derCert, char *nickname,
+ NSSLOWCERTCertTrust *trust, int flags)
+{
+ certDBEntryCert *entry;
+ PLArenaPool *arena = NULL;
+ int nnlen;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+ if (!arena) {
+ goto loser;
+ }
+
+ entry = PORT_ArenaZNew(arena, certDBEntryCert);
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ /* fill in the dbCert */
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeCert;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.flags = flags;
+
+ if (trust) {
+ entry->trust = *trust;
+ }
+
+ entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, derCert->len);
+ if (!entry->derCert.data) {
+ goto loser;
+ }
+ entry->derCert.len = derCert->len;
+ PORT_Memcpy(entry->derCert.data, derCert->data, derCert->len);
+
+ nnlen = (nickname ? strlen(nickname) + 1 : 0);
+
+ if (nnlen) {
+ entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+ if (!entry->nickname) {
+ goto loser;
+ }
+ PORT_Memcpy(entry->nickname, nickname, nnlen);
+
+ } else {
+ entry->nickname = 0;
+ }
+
+ return (entry);
+
+loser:
+
+ /* allocation error, free arena and return */
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (0);
+}
+
+/*
+ * Decode a version 4 DBCert from the byte stream database format
+ * and construct a current database entry struct
+ */
+static certDBEntryCert *
+DecodeV4DBCertEntry(unsigned char *buf, int len)
+{
+ certDBEntryCert *entry;
+ int certlen;
+ int nnlen;
+ PLArenaPool *arena;
+
+ /* make sure length is at least long enough for the header */
+ if (len < DBCERT_V4_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (0);
+ }
+
+ /* get other lengths */
+ certlen = buf[3] << 8 | buf[4];
+ nnlen = buf[5] << 8 | buf[6];
+
+ /* make sure DB entry is the right size */
+ if ((certlen + nnlen + DBCERT_V4_HEADER_LEN) != len) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (0);
+ }
+
+ /* allocate arena */
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+ if (!arena) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (0);
+ }
+
+ /* allocate structure and members */
+ entry = (certDBEntryCert *)PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
+
+ if (!entry) {
+ goto loser;
+ }
+
+ entry->common.arena = arena;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.type = certDBEntryTypeCert;
+ entry->common.flags = 0;
+ entry->trust.sslFlags = buf[0];
+ entry->trust.emailFlags = buf[1];
+ entry->trust.objectSigningFlags = buf[2];
+
+ entry->derCert.data = (unsigned char *)PORT_ArenaAlloc(arena, certlen);
+ if (!entry->derCert.data) {
+ goto loser;
+ }
+ entry->derCert.len = certlen;
+ PORT_Memcpy(entry->derCert.data, &buf[DBCERT_V4_HEADER_LEN], certlen);
+
+ if (nnlen) {
+ entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+ if (!entry->nickname) {
+ goto loser;
+ }
+ PORT_Memcpy(entry->nickname, &buf[DBCERT_V4_HEADER_LEN + certlen], nnlen);
+
+ if (PORT_Strcmp(entry->nickname, "Server-Cert") == 0) {
+ entry->trust.sslFlags |= CERTDB_USER;
+ }
+ } else {
+ entry->nickname = 0;
+ }
+
+ return (entry);
+
+loser:
+ PORT_FreeArena(arena, PR_FALSE);
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (0);
+}
+
+/*
+ * Encode a Certificate database entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBCertEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
+{
+ SECItem dbitem, dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECItem tmpitem;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBCertEntry(entry, tmparena, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* get the database key and format it */
+ rv = nsslowcert_KeyFromDERCert(tmparena, &entry->derCert, &tmpitem);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = EncodeDBCertKey(&tmpitem, tmparena, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+/*
+ * delete a certificate entry
+ */
+static SECStatus
+DeleteDBCertEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey)
+{
+ SECItem dbkey;
+ SECStatus rv;
+
+ dbkey.data = NULL;
+ dbkey.len = 0;
+
+ rv = EncodeDBCertKey(certKey, NULL, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = DeleteDBEntry(handle, certDBEntryTypeCert, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_Free(dbkey.data);
+
+ return (SECSuccess);
+
+loser:
+ if (dbkey.data) {
+ PORT_Free(dbkey.data);
+ }
+ return (SECFailure);
+}
+
+static certDBEntryCert *
+CreateCertEntry(void)
+{
+ certDBEntryCert *entry;
+
+ nsslowcert_LockFreeList();
+ entry = entryListHead;
+ if (entry) {
+ entryListCount--;
+ entryListHead = entry->next;
+ }
+ PORT_Assert(entryListCount >= 0);
+ nsslowcert_UnlockFreeList();
+ if (entry) {
+ return entry;
+ }
+
+ return PORT_ZNew(certDBEntryCert);
+}
+
+static void
+DestroyCertEntryFreeList(void)
+{
+ certDBEntryCert *entry;
+
+ nsslowcert_LockFreeList();
+ while (NULL != (entry = entryListHead)) {
+ entryListCount--;
+ entryListHead = entry->next;
+ PORT_Free(entry);
+ }
+ PORT_Assert(!entryListCount);
+ entryListCount = 0;
+ nsslowcert_UnlockFreeList();
+}
+
+/*
+ * Read a certificate entry
+ */
+static certDBEntryCert *
+ReadDBCertEntry(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey)
+{
+ certDBEntryCert *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+ unsigned char buf[512];
+
+ dbkey.data = buf;
+ dbkey.len = sizeof(buf);
+
+ entry = CreateCertEntry();
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = NULL;
+ entry->common.type = certDBEntryTypeCert;
+
+ rv = EncodeDBCertKey(certKey, NULL, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, NULL);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = DecodeDBCertEntry(entry, &dbentry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ pkcs11_freeStaticData(dbkey.data, buf);
+ dbkey.data = NULL;
+ return (entry);
+
+loser:
+ pkcs11_freeStaticData(dbkey.data, buf);
+ dbkey.data = NULL;
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+
+ return (NULL);
+}
+
+/*
+ * encode a database cert record
+ */
+static SECStatus
+EncodeDBCrlEntry(certDBEntryRevocation *entry, PLArenaPool *arena, SECItem *dbitem)
+{
+ unsigned int nnlen = 0;
+ unsigned char *buf;
+
+ if (entry->url) {
+ nnlen = PORT_Strlen(entry->url) + 1;
+ }
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem->len = entry->derCrl.len + nnlen + SEC_DB_ENTRY_HEADER_LEN + DB_CRL_ENTRY_HEADER_LEN;
+
+ dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+ if (dbitem->data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* fill in database record */
+ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+
+ buf[0] = (PRUint8)(entry->derCrl.len >> 8);
+ buf[1] = (PRUint8)(entry->derCrl.len);
+ buf[2] = (PRUint8)(nnlen >> 8);
+ buf[3] = (PRUint8)(nnlen);
+
+ PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN], entry->derCrl.data,
+ entry->derCrl.len);
+
+ if (nnlen != 0) {
+ PORT_Memcpy(&buf[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
+ entry->url, nnlen);
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+DecodeDBCrlEntry(certDBEntryRevocation *entry, SECItem *dbentry)
+{
+ unsigned int urlLen;
+ int lenDiff;
+
+ /* is record long enough for header? */
+ if (dbentry->len < DB_CRL_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* is database entry correct length? */
+ entry->derCrl.len = ((dbentry->data[0] << 8) | dbentry->data[1]);
+ urlLen = ((dbentry->data[2] << 8) | dbentry->data[3]);
+ lenDiff = dbentry->len -
+ (entry->derCrl.len + urlLen + DB_CRL_ENTRY_HEADER_LEN);
+ if (lenDiff) {
+ if (lenDiff < 0 || (lenDiff & 0xffff) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ /* CRL entry is greater than 64 K. Hack to make this continue to work */
+ entry->derCrl.len += lenDiff;
+ }
+
+ /* copy the der CRL */
+ entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+ entry->derCrl.len);
+ if (entry->derCrl.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->derCrl.data, &dbentry->data[DB_CRL_ENTRY_HEADER_LEN],
+ entry->derCrl.len);
+
+ /* copy the url */
+ entry->url = NULL;
+ if (urlLen != 0) {
+ entry->url = (char *)PORT_ArenaAlloc(entry->common.arena, urlLen);
+ if (entry->url == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->url,
+ &dbentry->data[DB_CRL_ENTRY_HEADER_LEN + entry->derCrl.len],
+ urlLen);
+ }
+
+ return (SECSuccess);
+loser:
+ return (SECFailure);
+}
+
+/*
+ * Create a new certDBEntryRevocation from existing data
+ */
+static certDBEntryRevocation *
+NewDBCrlEntry(SECItem *derCrl, char *url, certDBEntryType crlType, int flags)
+{
+ certDBEntryRevocation *entry;
+ PLArenaPool *arena = NULL;
+ int nnlen;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+
+ if (!arena) {
+ goto loser;
+ }
+
+ entry = PORT_ArenaZNew(arena, certDBEntryRevocation);
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ /* fill in the dbRevolcation */
+ entry->common.arena = arena;
+ entry->common.type = crlType;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.flags = flags;
+
+ entry->derCrl.data = (unsigned char *)PORT_ArenaAlloc(arena, derCrl->len);
+ if (!entry->derCrl.data) {
+ goto loser;
+ }
+
+ if (url) {
+ nnlen = PORT_Strlen(url) + 1;
+ entry->url = (char *)PORT_ArenaAlloc(arena, nnlen);
+ if (!entry->url) {
+ goto loser;
+ }
+ PORT_Memcpy(entry->url, url, nnlen);
+ } else {
+ entry->url = NULL;
+ }
+
+ entry->derCrl.len = derCrl->len;
+ PORT_Memcpy(entry->derCrl.data, derCrl->data, derCrl->len);
+
+ return (entry);
+
+loser:
+
+ /* allocation error, free arena and return */
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return (0);
+}
+
+static SECStatus
+WriteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryRevocation *entry,
+ SECItem *crlKey)
+{
+ SECItem dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECItem encodedEntry;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBCrlEntry(entry, tmparena, &encodedEntry);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = EncodeDBGenericKey(crlKey, tmparena, &dbkey, entry->common.type);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey, &encodedEntry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+/*
+ * delete a crl entry
+ */
+static SECStatus
+DeleteDBCrlEntry(NSSLOWCERTCertDBHandle *handle, const SECItem *crlKey,
+ certDBEntryType crlType)
+{
+ SECItem dbkey;
+ PLArenaPool *arena = NULL;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBGenericKey(crlKey, arena, &dbkey, crlType);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = DeleteDBEntry(handle, crlType, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_FreeArena(arena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (SECFailure);
+}
+
+/*
+ * Read a certificate entry
+ */
+static certDBEntryRevocation *
+ReadDBCrlEntry(NSSLOWCERTCertDBHandle *handle, SECItem *certKey,
+ certDBEntryType crlType)
+{
+ PLArenaPool *arena = NULL;
+ PLArenaPool *tmparena = NULL;
+ certDBEntryRevocation *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntryRevocation *)
+ PORT_ArenaAlloc(arena, sizeof(certDBEntryRevocation));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = crlType;
+
+ rv = EncodeDBGenericKey(certKey, tmparena, &dbkey, crlType);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, NULL);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = DecodeDBCrlEntry(entry, &dbentry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (entry);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+void
+nsslowcert_DestroyDBEntry(certDBEntry *entry)
+{
+ DestroyDBEntry(entry);
+ return;
+}
+
+/*
+ * Encode a database nickname record
+ */
+static SECStatus
+EncodeDBNicknameEntry(certDBEntryNickname *entry, PLArenaPool *arena,
+ SECItem *dbitem)
+{
+ unsigned char *buf;
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem->len = entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN +
+ SEC_DB_ENTRY_HEADER_LEN;
+ dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+ if (dbitem->data == NULL) {
+ goto loser;
+ }
+
+ /* fill in database record */
+ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+ buf[0] = (PRUint8)(entry->subjectName.len >> 8);
+ buf[1] = (PRUint8)(entry->subjectName.len);
+ PORT_Memcpy(&buf[DB_NICKNAME_ENTRY_HEADER_LEN], entry->subjectName.data,
+ entry->subjectName.len);
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * Encode a database key for a nickname record
+ */
+static SECStatus
+EncodeDBNicknameKey(char *nickname, PLArenaPool *arena,
+ SECItem *dbkey)
+{
+ unsigned int nnlen;
+
+ nnlen = PORT_Strlen(nickname) + 1; /* includes null */
+
+ /* now get the database key and format it */
+ dbkey->len = nnlen + SEC_DB_KEY_HEADER_LEN;
+ if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+ goto loser;
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], nickname, nnlen);
+ dbkey->data[0] = certDBEntryTypeNickname;
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+DecodeDBNicknameEntry(certDBEntryNickname *entry, SECItem *dbentry,
+ char *nickname)
+{
+ int lenDiff;
+
+ /* is record long enough for header? */
+ if (dbentry->len < DB_NICKNAME_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* is database entry correct length? */
+ entry->subjectName.len = ((dbentry->data[0] << 8) | dbentry->data[1]);
+ lenDiff = dbentry->len -
+ (entry->subjectName.len + DB_NICKNAME_ENTRY_HEADER_LEN);
+ if (lenDiff) {
+ if (lenDiff < 0 || (lenDiff & 0xffff) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ /* The entry size exceeded 64KB. Reconstruct the correct length. */
+ entry->subjectName.len += lenDiff;
+ }
+
+ /* copy the certkey */
+ entry->subjectName.data =
+ (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+ entry->subjectName.len);
+ if (entry->subjectName.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->subjectName.data,
+ &dbentry->data[DB_NICKNAME_ENTRY_HEADER_LEN],
+ entry->subjectName.len);
+ entry->subjectName.type = siBuffer;
+
+ entry->nickname = (char *)PORT_ArenaAlloc(entry->common.arena,
+ PORT_Strlen(nickname) + 1);
+ if (entry->nickname) {
+ PORT_Strcpy(entry->nickname, nickname);
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * create a new nickname entry
+ */
+static certDBEntryNickname *
+NewDBNicknameEntry(char *nickname, SECItem *subjectName, unsigned int flags)
+{
+ PLArenaPool *arena = NULL;
+ certDBEntryNickname *entry;
+ int nnlen;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntryNickname));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* init common fields */
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeNickname;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.flags = flags;
+
+ /* copy the nickname */
+ nnlen = PORT_Strlen(nickname) + 1;
+
+ entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+ if (entry->nickname == NULL) {
+ goto loser;
+ }
+
+ PORT_Memcpy(entry->nickname, nickname, nnlen);
+
+ rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ return (entry);
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * delete a nickname entry
+ */
+static SECStatus
+DeleteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname)
+{
+ PLArenaPool *arena = NULL;
+ SECStatus rv;
+ SECItem dbkey;
+
+ if (nickname == NULL) {
+ return (SECSuccess);
+ }
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBNicknameKey(nickname, arena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = DeleteDBEntry(handle, certDBEntryTypeNickname, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_FreeArena(arena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (SECFailure);
+}
+
+/*
+ * Read a nickname entry
+ */
+static certDBEntryNickname *
+ReadDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, char *nickname)
+{
+ PLArenaPool *arena = NULL;
+ PLArenaPool *tmparena = NULL;
+ certDBEntryNickname *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntryNickname *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntryNickname));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeNickname;
+
+ rv = EncodeDBNicknameKey(nickname, tmparena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ /* is record long enough for header? */
+ if (dbentry.len < DB_NICKNAME_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ rv = DecodeDBNicknameEntry(entry, &dbentry, nickname);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (entry);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Encode a nickname entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBNicknameEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryNickname *entry)
+{
+ SECItem dbitem, dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBNicknameEntry(entry, tmparena, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = EncodeDBNicknameKey(entry->nickname, tmparena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+static SECStatus
+EncodeDBSMimeEntry(certDBEntrySMime *entry, PLArenaPool *arena,
+ SECItem *dbitem)
+{
+ unsigned char *buf;
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem->len = entry->subjectName.len + entry->smimeOptions.len +
+ entry->optionsDate.len +
+ DB_SMIME_ENTRY_HEADER_LEN + SEC_DB_ENTRY_HEADER_LEN;
+
+ dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+ if (dbitem->data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* fill in database record */
+ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+
+ buf[0] = (PRUint8)(entry->subjectName.len >> 8);
+ buf[1] = (PRUint8)(entry->subjectName.len);
+ buf[2] = (PRUint8)(entry->smimeOptions.len >> 8);
+ buf[3] = (PRUint8)(entry->smimeOptions.len);
+ buf[4] = (PRUint8)(entry->optionsDate.len >> 8);
+ buf[5] = (PRUint8)(entry->optionsDate.len);
+
+ /* if no smime options, then there should not be an options date either */
+ PORT_Assert(!((entry->smimeOptions.len == 0) &&
+ (entry->optionsDate.len != 0)));
+
+ PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN], entry->subjectName.data,
+ entry->subjectName.len);
+ if (entry->smimeOptions.len) {
+ PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN + entry->subjectName.len],
+ entry->smimeOptions.data,
+ entry->smimeOptions.len);
+ PORT_Memcpy(&buf[DB_SMIME_ENTRY_HEADER_LEN + entry->subjectName.len +
+ entry->smimeOptions.len],
+ entry->optionsDate.data,
+ entry->optionsDate.len);
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * Encode a database key for a SMIME record
+ */
+static SECStatus
+EncodeDBSMimeKey(char *emailAddr, PLArenaPool *arena,
+ SECItem *dbkey)
+{
+ unsigned int addrlen;
+
+ addrlen = PORT_Strlen(emailAddr) + 1; /* includes null */
+
+ /* now get the database key and format it */
+ dbkey->len = addrlen + SEC_DB_KEY_HEADER_LEN;
+ if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+ goto loser;
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], emailAddr, addrlen);
+ dbkey->data[0] = certDBEntryTypeSMimeProfile;
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * Decode a database SMIME record
+ */
+static SECStatus
+DecodeDBSMimeEntry(certDBEntrySMime *entry, SECItem *dbentry, char *emailAddr)
+{
+ int lenDiff;
+
+ /* is record long enough for header? */
+ if (dbentry->len < DB_SMIME_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ /* is database entry correct length? */
+ entry->subjectName.len = ((dbentry->data[0] << 8) | dbentry->data[1]);
+ entry->smimeOptions.len = ((dbentry->data[2] << 8) | dbentry->data[3]);
+ entry->optionsDate.len = ((dbentry->data[4] << 8) | dbentry->data[5]);
+ lenDiff = dbentry->len - (entry->subjectName.len +
+ entry->smimeOptions.len +
+ entry->optionsDate.len +
+ DB_SMIME_ENTRY_HEADER_LEN);
+ if (lenDiff) {
+ if (lenDiff < 0 || (lenDiff & 0xffff) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+ /* The entry size exceeded 64KB. Reconstruct the correct length. */
+ entry->subjectName.len += lenDiff;
+ }
+
+ /* copy the subject name */
+ entry->subjectName.data =
+ (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+ entry->subjectName.len);
+ if (entry->subjectName.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->subjectName.data,
+ &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN],
+ entry->subjectName.len);
+
+ /* copy the smime options */
+ if (entry->smimeOptions.len) {
+ entry->smimeOptions.data =
+ (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+ entry->smimeOptions.len);
+ if (entry->smimeOptions.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->smimeOptions.data,
+ &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
+ entry->subjectName.len],
+ entry->smimeOptions.len);
+ } else {
+ entry->smimeOptions.data = NULL;
+ }
+ if (entry->optionsDate.len) {
+ entry->optionsDate.data =
+ (unsigned char *)PORT_ArenaAlloc(entry->common.arena,
+ entry->optionsDate.len);
+ if (entry->optionsDate.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->optionsDate.data,
+ &dbentry->data[DB_SMIME_ENTRY_HEADER_LEN +
+ entry->subjectName.len +
+ entry->smimeOptions.len],
+ entry->optionsDate.len);
+ } else {
+ entry->optionsDate.data = NULL;
+ }
+
+ /* both options and options date must either exist or not exist */
+ if (((entry->optionsDate.len == 0) ||
+ (entry->smimeOptions.len == 0)) &&
+ entry->smimeOptions.len != entry->optionsDate.len) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ entry->emailAddr = (char *)PORT_ArenaAlloc(entry->common.arena,
+ PORT_Strlen(emailAddr) + 1);
+ if (entry->emailAddr) {
+ PORT_Strcpy(entry->emailAddr, emailAddr);
+ }
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * create a new SMIME entry
+ */
+static certDBEntrySMime *
+NewDBSMimeEntry(char *emailAddr, SECItem *subjectName, SECItem *smimeOptions,
+ SECItem *optionsDate, unsigned int flags)
+{
+ PLArenaPool *arena = NULL;
+ certDBEntrySMime *entry;
+ int addrlen;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntrySMime *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntrySMime));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* init common fields */
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeSMimeProfile;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.flags = flags;
+
+ /* copy the email addr */
+ addrlen = PORT_Strlen(emailAddr) + 1;
+
+ entry->emailAddr = (char *)PORT_ArenaAlloc(arena, addrlen);
+ if (entry->emailAddr == NULL) {
+ goto loser;
+ }
+
+ PORT_Memcpy(entry->emailAddr, emailAddr, addrlen);
+
+ /* copy the subject name */
+ rv = SECITEM_CopyItem(arena, &entry->subjectName, subjectName);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* copy the smime options */
+ if (smimeOptions) {
+ rv = SECITEM_CopyItem(arena, &entry->smimeOptions, smimeOptions);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ } else {
+ PORT_Assert(optionsDate == NULL);
+ entry->smimeOptions.data = NULL;
+ entry->smimeOptions.len = 0;
+ }
+
+ /* copy the options date */
+ if (optionsDate) {
+ rv = SECITEM_CopyItem(arena, &entry->optionsDate, optionsDate);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ } else {
+ PORT_Assert(smimeOptions == NULL);
+ entry->optionsDate.data = NULL;
+ entry->optionsDate.len = 0;
+ }
+
+ return (entry);
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * delete a SMIME entry
+ */
+static SECStatus
+DeleteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
+{
+ PLArenaPool *arena = NULL;
+ SECStatus rv;
+ SECItem dbkey;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBSMimeKey(emailAddr, arena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = DeleteDBEntry(handle, certDBEntryTypeSMimeProfile, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_FreeArena(arena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (SECFailure);
+}
+
+/*
+ * Read a SMIME entry
+ */
+certDBEntrySMime *
+nsslowcert_ReadDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, char *emailAddr)
+{
+ PLArenaPool *arena = NULL;
+ PLArenaPool *tmparena = NULL;
+ certDBEntrySMime *entry = NULL;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntrySMime *)PORT_ArenaZAlloc(arena,
+ sizeof(certDBEntrySMime));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeSMimeProfile;
+
+ rv = EncodeDBSMimeKey(emailAddr, tmparena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ /* is record long enough for header? */
+ if (dbentry.len < DB_SMIME_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ rv = DecodeDBSMimeEntry(entry, &dbentry, emailAddr);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (entry);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Encode a SMIME entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBSMimeEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySMime *entry)
+{
+ SECItem dbitem, dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBSMimeEntry(entry, tmparena, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = EncodeDBSMimeKey(entry->emailAddr, tmparena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+/*
+ * Encode a database subject record
+ */
+static SECStatus
+EncodeDBSubjectEntry(certDBEntrySubject *entry, PLArenaPool *arena,
+ SECItem *dbitem)
+{
+ unsigned char *buf;
+ int len;
+ unsigned int ncerts;
+ unsigned int i;
+ unsigned char *tmpbuf;
+ unsigned int nnlen = 0;
+ unsigned int eaddrslen = 0;
+ int keyidoff;
+ SECItem *certKeys = entry->certKeys;
+ SECItem *keyIDs = entry->keyIDs;
+ ;
+
+ if (entry->nickname) {
+ nnlen = PORT_Strlen(entry->nickname) + 1;
+ }
+ if (entry->emailAddrs) {
+ eaddrslen = 2;
+ for (i = 0; i < entry->nemailAddrs; i++) {
+ eaddrslen += PORT_Strlen(entry->emailAddrs[i]) + 1 + 2;
+ }
+ }
+
+ ncerts = entry->ncerts;
+
+ /* compute the length of the entry */
+ keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen;
+ len = keyidoff + (4 * ncerts) + eaddrslen;
+ for (i = 0; i < ncerts; i++) {
+ if (keyIDs[i].len > 0xffff ||
+ (certKeys[i].len > 0xffff)) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ goto loser;
+ }
+ len += certKeys[i].len;
+ len += keyIDs[i].len;
+ }
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem->len = len + SEC_DB_ENTRY_HEADER_LEN;
+
+ dbitem->data = (unsigned char *)PORT_ArenaAlloc(arena, dbitem->len);
+ if (dbitem->data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* fill in database record */
+ buf = &dbitem->data[SEC_DB_ENTRY_HEADER_LEN];
+
+ buf[0] = (PRUint8)(ncerts >> 8);
+ buf[1] = (PRUint8)(ncerts);
+ buf[2] = (PRUint8)(nnlen >> 8);
+ buf[3] = (PRUint8)(nnlen);
+ /* v7 email field is NULL in v8 */
+ buf[4] = 0;
+ buf[5] = 0;
+
+ PORT_Assert(DB_SUBJECT_ENTRY_HEADER_LEN == 6);
+
+ if (entry->nickname) {
+ PORT_Memcpy(&buf[DB_SUBJECT_ENTRY_HEADER_LEN], entry->nickname, nnlen);
+ }
+ tmpbuf = &buf[keyidoff];
+ for (i = 0; i < ncerts; i++) {
+ tmpbuf[0] = (PRUint8)(certKeys[i].len >> 8);
+ tmpbuf[1] = (PRUint8)(certKeys[i].len);
+ tmpbuf += 2;
+ }
+ for (i = 0; i < ncerts; i++) {
+ tmpbuf[0] = (PRUint8)(keyIDs[i].len >> 8);
+ tmpbuf[1] = (PRUint8)(keyIDs[i].len);
+ tmpbuf += 2;
+ }
+
+ for (i = 0; i < ncerts; i++) {
+ PORT_Memcpy(tmpbuf, certKeys[i].data, certKeys[i].len);
+ tmpbuf += certKeys[i].len;
+ }
+ for (i = 0; i < ncerts; i++) {
+ if (keyIDs[i].len) {
+ PORT_Memcpy(tmpbuf, keyIDs[i].data, keyIDs[i].len);
+ tmpbuf += keyIDs[i].len;
+ }
+ }
+
+ if (entry->emailAddrs) {
+ tmpbuf[0] = (PRUint8)(entry->nemailAddrs >> 8);
+ tmpbuf[1] = (PRUint8)(entry->nemailAddrs);
+ tmpbuf += 2;
+ for (i = 0; i < entry->nemailAddrs; i++) {
+ int nameLen = PORT_Strlen(entry->emailAddrs[i]) + 1;
+ tmpbuf[0] = (PRUint8)(nameLen >> 8);
+ tmpbuf[1] = (PRUint8)(nameLen);
+ tmpbuf += 2;
+ PORT_Memcpy(tmpbuf, entry->emailAddrs[i], nameLen);
+ tmpbuf += nameLen;
+ }
+ }
+
+ PORT_Assert(tmpbuf == &buf[len]);
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * Encode a database key for a subject record
+ */
+static SECStatus
+EncodeDBSubjectKey(SECItem *derSubject, PLArenaPool *arena,
+ SECItem *dbkey)
+{
+ dbkey->len = derSubject->len + SEC_DB_KEY_HEADER_LEN;
+ if (dbkey->len > NSS_MAX_LEGACY_DB_KEY_SIZE)
+ goto loser;
+ dbkey->data = (unsigned char *)PORT_ArenaAlloc(arena, dbkey->len);
+ if (dbkey->data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey->data[SEC_DB_KEY_HEADER_LEN], derSubject->data,
+ derSubject->len);
+ dbkey->data[0] = certDBEntryTypeSubject;
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+static SECStatus
+DecodeDBSubjectEntry(certDBEntrySubject *entry, SECItem *dbentry,
+ const SECItem *derSubject)
+{
+ PLArenaPool *arena = entry->common.arena;
+ unsigned char *tmpbuf;
+ unsigned char *end;
+ void *mark = PORT_ArenaMark(arena);
+ unsigned int eaddrlen;
+ unsigned int i;
+ unsigned int keyidoff;
+ unsigned int len;
+ unsigned int ncerts = 0;
+ unsigned int nnlen;
+ SECStatus rv;
+
+ rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* is record long enough for header? */
+ if (dbentry->len < DB_SUBJECT_ENTRY_HEADER_LEN) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ entry->ncerts = ncerts = ((dbentry->data[0] << 8) | dbentry->data[1]);
+ nnlen = ((dbentry->data[2] << 8) | dbentry->data[3]);
+ eaddrlen = ((dbentry->data[4] << 8) | dbentry->data[5]);
+ keyidoff = DB_SUBJECT_ENTRY_HEADER_LEN + nnlen + eaddrlen;
+ len = keyidoff + (4 * ncerts);
+ if (dbentry->len < len) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ entry->certKeys = PORT_ArenaNewArray(arena, SECItem, ncerts);
+ entry->keyIDs = PORT_ArenaNewArray(arena, SECItem, ncerts);
+ if ((entry->certKeys == NULL) || (entry->keyIDs == NULL)) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ if (nnlen > 1) { /* null terminator is stored */
+ entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+ if (entry->nickname == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->nickname,
+ &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN],
+ nnlen);
+ } else {
+ entry->nickname = NULL;
+ }
+
+ /* if we have an old style email entry, there is only one */
+ entry->nemailAddrs = 0;
+ if (eaddrlen > 1) { /* null terminator is stored */
+ entry->emailAddrs = PORT_ArenaNewArray(arena, char *, 2);
+ if (entry->emailAddrs == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->emailAddrs[0] = (char *)PORT_ArenaAlloc(arena, eaddrlen);
+ if (entry->emailAddrs[0] == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->emailAddrs[0],
+ &dbentry->data[DB_SUBJECT_ENTRY_HEADER_LEN + nnlen],
+ eaddrlen);
+ entry->nemailAddrs = 1;
+ } else {
+ entry->emailAddrs = NULL;
+ }
+
+ /* collect the lengths of the certKeys and keyIDs, and total the
+ * overall length.
+ */
+ tmpbuf = &dbentry->data[keyidoff];
+ for (i = 0; i < ncerts; i++) {
+ unsigned int itemlen = (tmpbuf[0] << 8) | tmpbuf[1];
+ entry->certKeys[i].len = itemlen;
+ len += itemlen;
+ tmpbuf += 2;
+ }
+ for (i = 0; i < ncerts; i++) {
+ unsigned int itemlen = (tmpbuf[0] << 8) | tmpbuf[1];
+ entry->keyIDs[i].len = itemlen;
+ len += itemlen;
+ tmpbuf += 2;
+ }
+
+ /* is encoded entry large enough ? */
+ if (len > dbentry->len) {
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ goto loser;
+ }
+
+ for (i = 0; i < ncerts; i++) {
+ unsigned int kLen = entry->certKeys[i].len;
+ entry->certKeys[i].data = (unsigned char *)PORT_ArenaAlloc(arena, kLen);
+ if (entry->certKeys[i].data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->certKeys[i].data, tmpbuf, kLen);
+ tmpbuf += kLen;
+ }
+ for (i = 0; i < ncerts; i++) {
+ unsigned int iLen = entry->keyIDs[i].len;
+ entry->keyIDs[i].data = (unsigned char *)PORT_ArenaAlloc(arena, iLen);
+ if (entry->keyIDs[i].data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->keyIDs[i].data, tmpbuf, iLen);
+ tmpbuf += iLen;
+ }
+
+ end = dbentry->data + dbentry->len;
+ if ((eaddrlen == 0) && (end - tmpbuf > 1)) {
+ /* read in the additional email addresses */
+ entry->nemailAddrs = (((unsigned int)tmpbuf[0]) << 8) | tmpbuf[1];
+ tmpbuf += 2;
+ if (end - tmpbuf < 2 * (int)entry->nemailAddrs)
+ goto loser;
+ entry->emailAddrs = PORT_ArenaNewArray(arena, char *, entry->nemailAddrs);
+ if (entry->emailAddrs == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ for (i = 0; i < entry->nemailAddrs; i++) {
+ int nameLen;
+ if (end - tmpbuf < 2) {
+ goto loser;
+ }
+ nameLen = (((int)tmpbuf[0]) << 8) | tmpbuf[1];
+ tmpbuf += 2;
+ if (end - tmpbuf < nameLen) {
+ goto loser;
+ }
+ entry->emailAddrs[i] = PORT_ArenaAlloc(arena, nameLen);
+ if (entry->emailAddrs == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ PORT_Memcpy(entry->emailAddrs[i], tmpbuf, nameLen);
+ tmpbuf += nameLen;
+ }
+ if (tmpbuf != end)
+ goto loser;
+ }
+ PORT_ArenaUnmark(arena, mark);
+ return (SECSuccess);
+
+loser:
+ PORT_ArenaRelease(arena, mark); /* discard above allocations */
+ return (SECFailure);
+}
+
+/*
+ * create a new subject entry with a single cert
+ */
+static certDBEntrySubject *
+NewDBSubjectEntry(SECItem *derSubject, SECItem *certKey,
+ SECItem *keyID, char *nickname, char *emailAddr,
+ unsigned int flags)
+{
+ PLArenaPool *arena = NULL;
+ certDBEntrySubject *entry;
+ SECStatus rv;
+ unsigned int nnlen;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntrySubject));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* init common fields */
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeSubject;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.flags = flags;
+
+ /* copy the subject */
+ rv = SECITEM_CopyItem(arena, &entry->derSubject, derSubject);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ entry->ncerts = 1;
+ entry->nemailAddrs = 0;
+ /* copy nickname */
+ if (nickname && (*nickname != '\0')) {
+ nnlen = PORT_Strlen(nickname) + 1;
+ entry->nickname = (char *)PORT_ArenaAlloc(arena, nnlen);
+ if (entry->nickname == NULL) {
+ goto loser;
+ }
+
+ PORT_Memcpy(entry->nickname, nickname, nnlen);
+ } else {
+ entry->nickname = NULL;
+ }
+
+ /* copy email addr */
+ if (emailAddr && (*emailAddr != '\0')) {
+ emailAddr = nsslowcert_FixupEmailAddr(emailAddr);
+ if (emailAddr == NULL) {
+ entry->emailAddrs = NULL;
+ goto loser;
+ }
+
+ entry->emailAddrs = (char **)PORT_ArenaAlloc(arena, sizeof(char *));
+ if (entry->emailAddrs == NULL) {
+ PORT_Free(emailAddr);
+ goto loser;
+ }
+ entry->emailAddrs[0] = PORT_ArenaStrdup(arena, emailAddr);
+ if (entry->emailAddrs[0]) {
+ entry->nemailAddrs = 1;
+ }
+
+ PORT_Free(emailAddr);
+ } else {
+ entry->emailAddrs = NULL;
+ }
+
+ /* allocate space for certKeys and keyIDs */
+ entry->certKeys = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+ entry->keyIDs = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+ if ((entry->certKeys == NULL) || (entry->keyIDs == NULL)) {
+ goto loser;
+ }
+
+ /* copy the certKey and keyID */
+ rv = SECITEM_CopyItem(arena, &entry->certKeys[0], certKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ rv = SECITEM_CopyItem(arena, &entry->keyIDs[0], keyID);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ return (entry);
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * delete a subject entry
+ */
+static SECStatus
+DeleteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
+{
+ SECItem dbkey;
+ PLArenaPool *arena = NULL;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBSubjectKey(derSubject, arena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = DeleteDBEntry(handle, certDBEntryTypeSubject, &dbkey);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_FreeArena(arena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (SECFailure);
+}
+
+/*
+ * Read the subject entry
+ */
+static certDBEntrySubject *
+ReadDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, SECItem *derSubject)
+{
+ /* |arena| isn't function-bounded, so cannot be a PORTCheapArenaPool. */
+ PLArenaPool *arena = NULL;
+ PORTCheapArenaPool tmpArena;
+
+ certDBEntrySubject *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ PORT_InitCheapArena(&tmpArena, DER_DEFAULT_CHUNKSIZE);
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntrySubject *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntrySubject));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeSubject;
+
+ rv = EncodeDBSubjectKey(derSubject, &tmpArena.arena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, &tmpArena.arena);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ rv = DecodeDBSubjectEntry(entry, &dbentry, derSubject);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+
+ PORT_DestroyCheapArena(&tmpArena);
+ return (entry);
+
+loser:
+ PORT_DestroyCheapArena(&tmpArena);
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Encode a subject name entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBSubjectEntry(NSSLOWCERTCertDBHandle *handle, certDBEntrySubject *entry)
+{
+ SECItem dbitem, dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBSubjectEntry(entry, tmparena, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = EncodeDBSubjectKey(&entry->derSubject, tmparena, &dbkey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+typedef enum { nsslowcert_remove,
+ nsslowcert_add } nsslowcertUpdateType;
+
+static SECStatus
+nsslowcert_UpdateSubjectEmailAddr(NSSLOWCERTCertDBHandle *dbhandle,
+ SECItem *derSubject, char *emailAddr, nsslowcertUpdateType updateType)
+{
+ certDBEntrySubject *entry = NULL;
+ int index = -1, i;
+ SECStatus rv;
+
+ if (emailAddr) {
+ emailAddr = nsslowcert_FixupEmailAddr(emailAddr);
+ if (emailAddr == NULL) {
+ return SECFailure;
+ }
+ } else {
+ return SECSuccess;
+ }
+
+ entry = ReadDBSubjectEntry(dbhandle, derSubject);
+ if (entry == NULL) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ for (i = 0; i < (int)(entry->nemailAddrs); i++) {
+ if (PORT_Strcmp(entry->emailAddrs[i], emailAddr) == 0) {
+ index = i;
+ }
+ }
+
+ if (updateType == nsslowcert_remove) {
+ if (index == -1) {
+ rv = SECSuccess;
+ goto done;
+ }
+ entry->nemailAddrs--;
+ for (i = index; i < (int)(entry->nemailAddrs); i++) {
+ entry->emailAddrs[i] = entry->emailAddrs[i + 1];
+ }
+ } else {
+ char **newAddrs = NULL;
+
+ if (index != -1) {
+ rv = SECSuccess;
+ goto done;
+ }
+ newAddrs = (char **)PORT_ArenaAlloc(entry->common.arena,
+ (entry->nemailAddrs + 1) * sizeof(char *));
+ if (!newAddrs) {
+ rv = SECFailure;
+ goto done;
+ }
+ for (i = 0; i < (int)(entry->nemailAddrs); i++) {
+ newAddrs[i] = entry->emailAddrs[i];
+ }
+ newAddrs[entry->nemailAddrs] =
+ PORT_ArenaStrdup(entry->common.arena, emailAddr);
+ if (!newAddrs[entry->nemailAddrs]) {
+ rv = SECFailure;
+ goto done;
+ }
+ entry->emailAddrs = newAddrs;
+ entry->nemailAddrs++;
+ }
+
+ /* delete the subject entry */
+ DeleteDBSubjectEntry(dbhandle, derSubject);
+
+ /* write the new one */
+ rv = WriteDBSubjectEntry(dbhandle, entry);
+
+done:
+ if (entry)
+ DestroyDBEntry((certDBEntry *)entry);
+ if (emailAddr)
+ PORT_Free(emailAddr);
+ return rv;
+}
+
+/*
+ * writes a nickname to an existing subject entry that does not currently
+ * have one
+ */
+static SECStatus
+AddNicknameToSubject(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname)
+{
+ certDBEntrySubject *entry;
+ SECStatus rv;
+
+ if (nickname == NULL) {
+ return (SECFailure);
+ }
+
+ entry = ReadDBSubjectEntry(dbhandle, &cert->derSubject);
+ PORT_Assert(entry != NULL);
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ PORT_Assert(entry->nickname == NULL);
+ if (entry->nickname != NULL) {
+ goto loser;
+ }
+
+ entry->nickname = PORT_ArenaStrdup(entry->common.arena, nickname);
+
+ if (entry->nickname == NULL) {
+ goto loser;
+ }
+
+ /* delete the subject entry */
+ DeleteDBSubjectEntry(dbhandle, &cert->derSubject);
+
+ /* write the new one */
+ rv = WriteDBSubjectEntry(dbhandle, entry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ DestroyDBEntry((certDBEntry *)entry);
+ return (SECSuccess);
+
+loser:
+ DestroyDBEntry((certDBEntry *)entry);
+ return (SECFailure);
+}
+
+/*
+ * create a new version entry
+ */
+static certDBEntryVersion *
+NewDBVersionEntry(unsigned int flags)
+{
+ PLArenaPool *arena = NULL;
+ certDBEntryVersion *entry;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = (certDBEntryVersion *)PORT_ArenaAlloc(arena,
+ sizeof(certDBEntryVersion));
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeVersion;
+ entry->common.version = CERT_DB_FILE_VERSION;
+ entry->common.flags = flags;
+
+ return (entry);
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Read the version entry
+ */
+static certDBEntryVersion *
+ReadDBVersionEntry(NSSLOWCERTCertDBHandle *handle)
+{
+ PLArenaPool *arena = NULL;
+ PLArenaPool *tmparena = NULL;
+ certDBEntryVersion *entry;
+ SECItem dbkey;
+ SECItem dbentry;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ entry = PORT_ArenaZNew(arena, certDBEntryVersion);
+ if (entry == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ entry->common.arena = arena;
+ entry->common.type = certDBEntryTypeVersion;
+
+ /* now get the database key and format it */
+ dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
+ dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
+ if (dbkey.data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
+ SEC_DB_VERSION_KEY_LEN);
+
+ rv = ReadDBEntry(handle, &entry->common, &dbkey, &dbentry, tmparena);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (entry);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Encode a version entry into byte stream suitable for
+ * the database
+ */
+static SECStatus
+WriteDBVersionEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryVersion *entry)
+{
+ SECItem dbitem, dbkey;
+ PLArenaPool *tmparena = NULL;
+ SECStatus rv;
+
+ tmparena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (tmparena == NULL) {
+ goto loser;
+ }
+
+ /* allocate space for encoded database record, including space
+ * for low level header
+ */
+ dbitem.len = SEC_DB_ENTRY_HEADER_LEN;
+
+ dbitem.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbitem.len);
+ if (dbitem.data == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+
+ /* now get the database key and format it */
+ dbkey.len = SEC_DB_VERSION_KEY_LEN + SEC_DB_KEY_HEADER_LEN;
+ dbkey.data = (unsigned char *)PORT_ArenaAlloc(tmparena, dbkey.len);
+ if (dbkey.data == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], SEC_DB_VERSION_KEY,
+ SEC_DB_VERSION_KEY_LEN);
+
+ /* now write it to the database */
+ rv = WriteDBEntry(handle, &entry->common, &dbkey, &dbitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ PORT_FreeArena(tmparena, PR_FALSE);
+ return (SECSuccess);
+
+loser:
+ if (tmparena) {
+ PORT_FreeArena(tmparena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+/*
+ * cert is no longer a perm cert, but will remain a temp cert
+ */
+static SECStatus
+RemovePermSubjectNode(NSSLOWCERTCertificate *cert)
+{
+ certDBEntrySubject *entry;
+ unsigned int i;
+ SECStatus rv;
+
+ entry = ReadDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+ if (entry == NULL) {
+ return (SECFailure);
+ }
+
+ PORT_Assert(entry->ncerts);
+ rv = SECFailure;
+
+ if (entry->ncerts > 1) {
+ for (i = 0; i < entry->ncerts; i++) {
+ if (SECITEM_CompareItem(&entry->certKeys[i], &cert->certKey) ==
+ SECEqual) {
+ /* copy rest of list forward one entry */
+ for (i = i + 1; i < entry->ncerts; i++) {
+ entry->certKeys[i - 1] = entry->certKeys[i];
+ entry->keyIDs[i - 1] = entry->keyIDs[i];
+ }
+ entry->ncerts--;
+ DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+ rv = WriteDBSubjectEntry(cert->dbhandle, entry);
+ break;
+ }
+ }
+ } else {
+ /* no entries left, delete the perm entry in the DB */
+ if (entry->emailAddrs) {
+ /* if the subject had an email record, then delete it too */
+ for (i = 0; i < entry->nemailAddrs; i++) {
+ DeleteDBSMimeEntry(cert->dbhandle, entry->emailAddrs[i]);
+ }
+ }
+ if (entry->nickname) {
+ DeleteDBNicknameEntry(cert->dbhandle, entry->nickname);
+ }
+
+ DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+ }
+ DestroyDBEntry((certDBEntry *)entry);
+
+ return (rv);
+}
+
+/*
+ * add a cert to the perm subject list
+ */
+static SECStatus
+AddPermSubjectNode(certDBEntrySubject *entry, NSSLOWCERTCertificate *cert,
+ char *nickname)
+{
+ SECItem *newCertKeys, *newKeyIDs;
+ unsigned int i, new_i;
+ SECStatus rv;
+ unsigned int ncerts;
+
+ PORT_Assert(entry);
+ ncerts = entry->ncerts;
+
+ if (nickname && entry->nickname) {
+ /* nicknames must be the same */
+ PORT_Assert(PORT_Strcmp(nickname, entry->nickname) == 0);
+ }
+
+ if ((entry->nickname == NULL) && (nickname != NULL)) {
+ /* copy nickname into the entry */
+ entry->nickname = PORT_ArenaStrdup(entry->common.arena, nickname);
+ if (entry->nickname == NULL) {
+ return (SECFailure);
+ }
+ }
+
+ /* a DB entry already exists, so add this cert */
+ newCertKeys = PORT_ArenaZNewArray(entry->common.arena, SECItem, ncerts + 1);
+ newKeyIDs = PORT_ArenaZNewArray(entry->common.arena, SECItem, ncerts + 1);
+
+ if ((newCertKeys == NULL) || (newKeyIDs == NULL)) {
+ return (SECFailure);
+ }
+
+ /* Step 1: copy certs older than "cert" into new entry. */
+ for (i = 0, new_i = 0; i < ncerts; i++) {
+ NSSLOWCERTCertificate *cmpcert;
+ PRBool isNewer;
+ cmpcert = nsslowcert_FindCertByKey(cert->dbhandle,
+ &entry->certKeys[i]);
+ /* The entry has been corrupted, remove it from the list */
+ if (!cmpcert) {
+ continue;
+ }
+
+ isNewer = nsslowcert_IsNewer(cert, cmpcert);
+ nsslowcert_DestroyCertificate(cmpcert);
+ if (isNewer)
+ break;
+ /* copy this cert entry */
+ newCertKeys[new_i] = entry->certKeys[i];
+ newKeyIDs[new_i] = entry->keyIDs[i];
+ new_i++;
+ }
+
+ /* Step 2: Add "cert" to the entry. */
+ rv = SECITEM_CopyItem(entry->common.arena, &newCertKeys[new_i],
+ &cert->certKey);
+ if (rv != SECSuccess) {
+ return (SECFailure);
+ }
+ rv = SECITEM_CopyItem(entry->common.arena, &newKeyIDs[new_i],
+ &cert->subjectKeyID);
+ if (rv != SECSuccess) {
+ return (SECFailure);
+ }
+ new_i++;
+
+ /* Step 3: copy remaining certs (if any) from old entry to new. */
+ for (; i < ncerts; i++, new_i++) {
+ newCertKeys[new_i] = entry->certKeys[i];
+ newKeyIDs[new_i] = entry->keyIDs[i];
+ }
+
+ /* update certKeys and keyIDs */
+ entry->certKeys = newCertKeys;
+ entry->keyIDs = newKeyIDs;
+
+ /* set new count value */
+ entry->ncerts = new_i;
+
+ DeleteDBSubjectEntry(cert->dbhandle, &cert->derSubject);
+ rv = WriteDBSubjectEntry(cert->dbhandle, entry);
+ return (rv);
+}
+
+SECStatus
+nsslowcert_TraversePermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+ SECItem *derSubject,
+ NSSLOWCERTCertCallback cb, void *cbarg)
+{
+ certDBEntrySubject *entry;
+ unsigned int i;
+ NSSLOWCERTCertificate *cert;
+ SECStatus rv = SECSuccess;
+
+ entry = ReadDBSubjectEntry(handle, derSubject);
+
+ if (entry == NULL) {
+ return (SECFailure);
+ }
+
+ for (i = 0; i < entry->ncerts; i++) {
+ cert = nsslowcert_FindCertByKey(handle, &entry->certKeys[i]);
+ if (!cert) {
+ continue;
+ }
+ rv = (*cb)(cert, cbarg);
+ nsslowcert_DestroyCertificate(cert);
+ if (rv == SECFailure) {
+ break;
+ }
+ }
+
+ DestroyDBEntry((certDBEntry *)entry);
+
+ return (rv);
+}
+
+int
+nsslowcert_NumPermCertsForSubject(NSSLOWCERTCertDBHandle *handle,
+ SECItem *derSubject)
+{
+ certDBEntrySubject *entry;
+ int ret;
+
+ entry = ReadDBSubjectEntry(handle, derSubject);
+
+ if (entry == NULL) {
+ return (SECFailure);
+ }
+
+ ret = entry->ncerts;
+
+ DestroyDBEntry((certDBEntry *)entry);
+
+ return (ret);
+}
+
+SECStatus
+nsslowcert_TraversePermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+ char *nickname, NSSLOWCERTCertCallback cb, void *cbarg)
+{
+ certDBEntryNickname *nnentry = NULL;
+ certDBEntrySMime *smentry = NULL;
+ SECStatus rv;
+ SECItem *derSubject = NULL;
+
+ nnentry = ReadDBNicknameEntry(handle, nickname);
+ if (nnentry) {
+ derSubject = &nnentry->subjectName;
+ } else {
+ smentry = nsslowcert_ReadDBSMimeEntry(handle, nickname);
+ if (smentry) {
+ derSubject = &smentry->subjectName;
+ }
+ }
+
+ if (derSubject) {
+ rv = nsslowcert_TraversePermCertsForSubject(handle, derSubject,
+ cb, cbarg);
+ } else {
+ rv = SECFailure;
+ }
+
+ if (nnentry) {
+ DestroyDBEntry((certDBEntry *)nnentry);
+ }
+ if (smentry) {
+ DestroyDBEntry((certDBEntry *)smentry);
+ }
+
+ return (rv);
+}
+
+int
+nsslowcert_NumPermCertsForNickname(NSSLOWCERTCertDBHandle *handle,
+ char *nickname)
+{
+ certDBEntryNickname *entry;
+ int ret;
+
+ entry = ReadDBNicknameEntry(handle, nickname);
+
+ if (entry) {
+ ret = nsslowcert_NumPermCertsForSubject(handle, &entry->subjectName);
+ DestroyDBEntry((certDBEntry *)entry);
+ } else {
+ ret = 0;
+ }
+ return (ret);
+}
+
+/*
+ * add a nickname to a cert that doesn't have one
+ */
+static SECStatus
+AddNicknameToPermCert(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname)
+{
+ certDBEntryCert *entry;
+ int rv;
+
+ entry = cert->dbEntry;
+ PORT_Assert(entry != NULL);
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ pkcs11_freeNickname(entry->nickname, entry->nicknameSpace);
+ entry->nickname = NULL;
+ entry->nickname = pkcs11_copyNickname(nickname, entry->nicknameSpace,
+ sizeof(entry->nicknameSpace));
+
+ rv = WriteDBCertEntry(dbhandle, entry);
+ if (rv) {
+ goto loser;
+ }
+
+ pkcs11_freeNickname(cert->nickname, cert->nicknameSpace);
+ cert->nickname = NULL;
+ cert->nickname = pkcs11_copyNickname(nickname, cert->nicknameSpace,
+ sizeof(cert->nicknameSpace));
+
+ return (SECSuccess);
+
+loser:
+ return (SECFailure);
+}
+
+/*
+ * add a nickname to a cert that is already in the perm database, but doesn't
+ * have one yet (it is probably an e-mail cert).
+ */
+SECStatus
+nsslowcert_AddPermNickname(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname)
+{
+ SECStatus rv = SECFailure;
+ certDBEntrySubject *entry = NULL;
+ certDBEntryNickname *nicknameEntry = NULL;
+
+ nsslowcert_LockDB(dbhandle);
+
+ entry = ReadDBSubjectEntry(dbhandle, &cert->derSubject);
+ if (entry == NULL)
+ goto loser;
+
+ if (entry->nickname == NULL) {
+
+ /* no nickname for subject */
+ rv = AddNicknameToSubject(dbhandle, cert, nickname);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ rv = AddNicknameToPermCert(dbhandle, cert, nickname);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0);
+ if (nicknameEntry == NULL) {
+ goto loser;
+ }
+
+ rv = WriteDBNicknameEntry(dbhandle, nicknameEntry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ } else {
+ /* subject already has a nickname */
+ rv = AddNicknameToPermCert(dbhandle, cert, entry->nickname);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ /* make sure nickname entry exists. If the database was corrupted,
+ * we may have lost the nickname entry. Add it back now */
+ nicknameEntry = ReadDBNicknameEntry(dbhandle, entry->nickname);
+ if (nicknameEntry == NULL) {
+ nicknameEntry = NewDBNicknameEntry(entry->nickname,
+ &cert->derSubject, 0);
+ if (nicknameEntry == NULL) {
+ goto loser;
+ }
+
+ rv = WriteDBNicknameEntry(dbhandle, nicknameEntry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+ }
+ rv = SECSuccess;
+
+loser:
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ if (nicknameEntry) {
+ DestroyDBEntry((certDBEntry *)nicknameEntry);
+ }
+ nsslowcert_UnlockDB(dbhandle);
+ return (rv);
+}
+
+static certDBEntryCert *
+AddCertToPermDB(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTCertificate *cert,
+ char *nickname, NSSLOWCERTCertTrust *trust)
+{
+ certDBEntryCert *certEntry = NULL;
+ certDBEntryNickname *nicknameEntry = NULL;
+ certDBEntrySubject *subjectEntry = NULL;
+ int state = 0;
+ SECStatus rv;
+ PRBool donnentry = PR_FALSE;
+
+ if (nickname) {
+ donnentry = PR_TRUE;
+ }
+
+ subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
+
+ if (subjectEntry && subjectEntry->nickname) {
+ donnentry = PR_FALSE;
+ nickname = subjectEntry->nickname;
+ }
+
+ certEntry = NewDBCertEntry(&cert->derCert, nickname, trust, 0);
+ if (certEntry == NULL) {
+ goto loser;
+ }
+
+ if (donnentry) {
+ nicknameEntry = NewDBNicknameEntry(nickname, &cert->derSubject, 0);
+ if (nicknameEntry == NULL) {
+ goto loser;
+ }
+ }
+
+ rv = WriteDBCertEntry(handle, certEntry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ state = 1;
+
+ if (nicknameEntry) {
+ rv = WriteDBNicknameEntry(handle, nicknameEntry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ state = 2;
+
+ /* "Change" handles if necessary */
+ cert->dbhandle = handle;
+
+ /* add to or create new subject entry */
+ if (subjectEntry) {
+ /* REWRITE BASED ON SUBJECT ENTRY */
+ rv = AddPermSubjectNode(subjectEntry, cert, nickname);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ } else {
+ /* make a new subject entry - this case is only used when updating
+ * an old version of the database. This is OK because the oldnickname
+ * db format didn't allow multiple certs with the same subject.
+ */
+ /* where does subjectKeyID and certKey come from? */
+ subjectEntry = NewDBSubjectEntry(&cert->derSubject, &cert->certKey,
+ &cert->subjectKeyID, nickname,
+ NULL, 0);
+ if (subjectEntry == NULL) {
+ goto loser;
+ }
+ rv = WriteDBSubjectEntry(handle, subjectEntry);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ state = 3;
+
+ if (nicknameEntry) {
+ DestroyDBEntry((certDBEntry *)nicknameEntry);
+ }
+
+ if (subjectEntry) {
+ DestroyDBEntry((certDBEntry *)subjectEntry);
+ }
+
+ return (certEntry);
+
+loser:
+ /* don't leave partial entry in the database */
+ if (state > 0) {
+ DeleteDBCertEntry(handle, &cert->certKey);
+ }
+ if ((state > 1) && donnentry) {
+ DeleteDBNicknameEntry(handle, nickname);
+ }
+ if (certEntry) {
+ DestroyDBEntry((certDBEntry *)certEntry);
+ }
+ if (nicknameEntry) {
+ DestroyDBEntry((certDBEntry *)nicknameEntry);
+ }
+ if (subjectEntry) {
+ DestroyDBEntry((certDBEntry *)subjectEntry);
+ }
+
+ return (NULL);
+}
+
+/* forward declaration */
+static SECStatus
+UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb);
+
+/*
+ * version 8 uses the same schema as version 7. The only differences are
+ * 1) version 8 db uses the blob shim to store data entries > 32k.
+ * 2) version 8 db sets the db block size to 32k.
+ * both of these are dealt with by the handle.
+ */
+
+static SECStatus
+UpdateV8DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+ return UpdateV7DB(handle, updatedb);
+}
+
+/*
+ * we could just blindly sequence through reading key data pairs and writing
+ * them back out, but some cert.db's have gotten quite large and may have some
+ * subtle corruption problems, so instead we cycle through the certs and
+ * CRL's and S/MIME profiles and rebuild our subject lists from those records.
+ */
+static SECStatus
+UpdateV7DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+ DBT key, data;
+ int ret;
+ NSSLOWCERTCertificate *cert;
+ PRBool isKRL = PR_FALSE;
+ certDBEntryType entryType;
+ SECItem dbEntry, dbKey;
+ certDBEntryRevocation crlEntry;
+ certDBEntryCert certEntry;
+ certDBEntrySMime smimeEntry;
+ SECStatus rv;
+
+ ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST);
+
+ if (ret) {
+ return (SECFailure);
+ }
+
+ do {
+ unsigned char *dataBuf = (unsigned char *)data.data;
+ unsigned char *keyBuf = (unsigned char *)key.data;
+ dbEntry.data = &dataBuf[SEC_DB_ENTRY_HEADER_LEN];
+ dbEntry.len = data.size - SEC_DB_ENTRY_HEADER_LEN;
+ entryType = (certDBEntryType)keyBuf[0];
+ dbKey.data = &keyBuf[SEC_DB_KEY_HEADER_LEN];
+ dbKey.len = key.size - SEC_DB_KEY_HEADER_LEN;
+ if ((dbEntry.len <= 0) || (dbKey.len <= 0)) {
+ continue;
+ }
+
+ switch (entryType) {
+ /* these entries will get regenerated as we read the
+ * rest of the data from the database */
+ case certDBEntryTypeVersion:
+ case certDBEntryTypeSubject:
+ case certDBEntryTypeContentVersion:
+ case certDBEntryTypeNickname:
+ /* smime profiles need entries created after the certs have
+ * been imported, loop over them in a second run */
+ case certDBEntryTypeSMimeProfile:
+ break;
+
+ case certDBEntryTypeCert:
+ /* decode Entry */
+ certEntry.common.version = (unsigned int)dataBuf[0];
+ certEntry.common.type = entryType;
+ certEntry.common.flags = (unsigned int)dataBuf[2];
+ rv = DecodeDBCertEntry(&certEntry, &dbEntry);
+ if (rv != SECSuccess) {
+ break;
+ }
+ /* should we check for existing duplicates? */
+ cert = nsslowcert_DecodeDERCertificate(&certEntry.derCert,
+ certEntry.nickname);
+ if (cert) {
+ nsslowcert_UpdatePermCert(handle, cert, certEntry.nickname,
+ &certEntry.trust);
+ nsslowcert_DestroyCertificate(cert);
+ }
+ /* free any data the decode may have allocated. */
+ pkcs11_freeStaticData(certEntry.derCert.data,
+ certEntry.derCertSpace);
+ pkcs11_freeNickname(certEntry.nickname, certEntry.nicknameSpace);
+ break;
+
+ case certDBEntryTypeKeyRevocation:
+ isKRL = PR_TRUE;
+ /* fall through */
+ case certDBEntryTypeRevocation:
+ crlEntry.common.version = (unsigned int)dataBuf[0];
+ crlEntry.common.type = entryType;
+ crlEntry.common.flags = (unsigned int)dataBuf[2];
+ crlEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (crlEntry.common.arena == NULL) {
+ break;
+ }
+ rv = DecodeDBCrlEntry(&crlEntry, &dbEntry);
+ if (rv != SECSuccess) {
+ break;
+ }
+ nsslowcert_UpdateCrl(handle, &crlEntry.derCrl, &dbKey,
+ crlEntry.url, isKRL);
+ /* free data allocated by the decode */
+ PORT_FreeArena(crlEntry.common.arena, PR_FALSE);
+ crlEntry.common.arena = NULL;
+ break;
+
+ default:
+ break;
+ }
+ } while ((*updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0);
+
+ /* now loop again updating just the SMimeProfile. */
+ ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST);
+
+ if (ret) {
+ return (SECFailure);
+ }
+
+ do {
+ unsigned char *dataBuf = (unsigned char *)data.data;
+ unsigned char *keyBuf = (unsigned char *)key.data;
+ dbEntry.data = &dataBuf[SEC_DB_ENTRY_HEADER_LEN];
+ dbEntry.len = data.size - SEC_DB_ENTRY_HEADER_LEN;
+ entryType = (certDBEntryType)keyBuf[0];
+ if (entryType != certDBEntryTypeSMimeProfile) {
+ continue;
+ }
+ dbKey.data = &keyBuf[SEC_DB_KEY_HEADER_LEN];
+ dbKey.len = key.size - SEC_DB_KEY_HEADER_LEN;
+ if ((dbEntry.len <= 0) || (dbKey.len <= 0)) {
+ continue;
+ }
+ smimeEntry.common.version = (unsigned int)dataBuf[0];
+ smimeEntry.common.type = entryType;
+ smimeEntry.common.flags = (unsigned int)dataBuf[2];
+ smimeEntry.common.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ /* decode entry */
+ rv = DecodeDBSMimeEntry(&smimeEntry, &dbEntry, (char *)dbKey.data);
+ if (rv == SECSuccess) {
+ nsslowcert_UpdateSMimeProfile(handle, smimeEntry.emailAddr,
+ &smimeEntry.subjectName, &smimeEntry.smimeOptions,
+ &smimeEntry.optionsDate);
+ }
+ PORT_FreeArena(smimeEntry.common.arena, PR_FALSE);
+ smimeEntry.common.arena = NULL;
+ } while ((*updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0);
+
+ (*updatedb->close)(updatedb);
+
+ /* a database update is a good time to go back and verify the integrity of
+ * the keys and certs */
+ handle->dbVerify = PR_TRUE;
+ return (SECSuccess);
+}
+
+/*
+ * NOTE - Version 6 DB did not go out to the real world in a release,
+ * so we can remove this function in a later release.
+ */
+static SECStatus
+UpdateV6DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+ int ret;
+ DBT key, data;
+ unsigned char *buf, *tmpbuf = NULL;
+ certDBEntryType type;
+ certDBEntryNickname *nnEntry = NULL;
+ certDBEntrySubject *subjectEntry = NULL;
+ certDBEntrySMime *emailEntry = NULL;
+ char *nickname;
+ char *emailAddr;
+
+ /*
+ * Sequence through the old database and copy all of the entries
+ * to the new database. Subject name entries will have the new
+ * fields inserted into them (with zero length).
+ */
+ ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST);
+ if (ret) {
+ return (SECFailure);
+ }
+
+ do {
+ buf = (unsigned char *)data.data;
+
+ if (data.size >= 3) {
+ if (buf[0] == 6) { /* version number */
+ type = (certDBEntryType)buf[1];
+ if (type == certDBEntryTypeSubject) {
+ /* expando subjecto entrieo */
+ tmpbuf = (unsigned char *)PORT_Alloc(data.size + 4);
+ if (tmpbuf) {
+ /* copy header stuff */
+ PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN + 2);
+ /* insert 4 more bytes of zero'd header */
+ PORT_Memset(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 2],
+ 0, 4);
+ /* copy rest of the data */
+ PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
+ &buf[SEC_DB_ENTRY_HEADER_LEN + 2],
+ data.size - (SEC_DB_ENTRY_HEADER_LEN + 2));
+
+ data.data = (void *)tmpbuf;
+ data.size += 4;
+ buf = tmpbuf;
+ }
+ } else if (type == certDBEntryTypeCert) {
+ /* expando certo entrieo */
+ tmpbuf = (unsigned char *)PORT_Alloc(data.size + 3);
+ if (tmpbuf) {
+ /* copy header stuff */
+ PORT_Memcpy(tmpbuf, buf, SEC_DB_ENTRY_HEADER_LEN);
+
+ /* copy trust flage, setting msb's to 0 */
+ tmpbuf[SEC_DB_ENTRY_HEADER_LEN] = 0;
+ tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 1] =
+ buf[SEC_DB_ENTRY_HEADER_LEN];
+ tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 2] = 0;
+ tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 3] =
+ buf[SEC_DB_ENTRY_HEADER_LEN + 1];
+ tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 4] = 0;
+ tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 5] =
+ buf[SEC_DB_ENTRY_HEADER_LEN + 2];
+
+ /* copy rest of the data */
+ PORT_Memcpy(&tmpbuf[SEC_DB_ENTRY_HEADER_LEN + 6],
+ &buf[SEC_DB_ENTRY_HEADER_LEN + 3],
+ data.size - (SEC_DB_ENTRY_HEADER_LEN + 3));
+
+ data.data = (void *)tmpbuf;
+ data.size += 3;
+ buf = tmpbuf;
+ }
+ }
+
+ /* update the record version number */
+ buf[0] = CERT_DB_FILE_VERSION;
+
+ /* copy to the new database */
+ ret = certdb_Put(handle->permCertDB, &key, &data, 0);
+ if (tmpbuf) {
+ PORT_Free(tmpbuf);
+ tmpbuf = NULL;
+ }
+ if (ret) {
+ return SECFailure;
+ }
+ }
+ }
+ } while ((*updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0);
+
+ ret = certdb_Sync(handle->permCertDB, 0);
+ if (ret) {
+ return SECFailure;
+ }
+
+ ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST);
+ if (ret) {
+ return (SECFailure);
+ }
+
+ do {
+ buf = (unsigned char *)data.data;
+
+ if (data.size >= 3) {
+ if (buf[0] == CERT_DB_FILE_VERSION) { /* version number */
+ type = (certDBEntryType)buf[1];
+ if (type == certDBEntryTypeNickname) {
+ nickname = &((char *)key.data)[1];
+
+ /* get the matching nickname entry in the new DB */
+ nnEntry = ReadDBNicknameEntry(handle, nickname);
+ if (nnEntry == NULL) {
+ goto endloop;
+ }
+
+ /* find the subject entry pointed to by nickname */
+ subjectEntry = ReadDBSubjectEntry(handle,
+ &nnEntry->subjectName);
+ if (subjectEntry == NULL) {
+ goto endloop;
+ }
+
+ subjectEntry->nickname =
+ (char *)PORT_ArenaAlloc(subjectEntry->common.arena,
+ key.size - 1);
+ if (subjectEntry->nickname) {
+ PORT_Memcpy(subjectEntry->nickname, nickname,
+ key.size - 1);
+ (void)WriteDBSubjectEntry(handle, subjectEntry);
+ }
+ } else if (type == certDBEntryTypeSMimeProfile) {
+ emailAddr = &((char *)key.data)[1];
+
+ /* get the matching smime entry in the new DB */
+ emailEntry = nsslowcert_ReadDBSMimeEntry(handle, emailAddr);
+ if (emailEntry == NULL) {
+ goto endloop;
+ }
+
+ /* find the subject entry pointed to by nickname */
+ subjectEntry = ReadDBSubjectEntry(handle,
+ &emailEntry->subjectName);
+ if (subjectEntry == NULL) {
+ goto endloop;
+ }
+
+ subjectEntry->emailAddrs = (char **)
+ PORT_ArenaAlloc(subjectEntry->common.arena,
+ sizeof(char *));
+ if (subjectEntry->emailAddrs) {
+ subjectEntry->emailAddrs[0] =
+ (char *)PORT_ArenaAlloc(subjectEntry->common.arena,
+ key.size - 1);
+ if (subjectEntry->emailAddrs[0]) {
+ PORT_Memcpy(subjectEntry->emailAddrs[0], emailAddr,
+ key.size - 1);
+ subjectEntry->nemailAddrs = 1;
+ (void)WriteDBSubjectEntry(handle, subjectEntry);
+ }
+ }
+ }
+
+ endloop:
+ if (subjectEntry) {
+ DestroyDBEntry((certDBEntry *)subjectEntry);
+ subjectEntry = NULL;
+ }
+ if (nnEntry) {
+ DestroyDBEntry((certDBEntry *)nnEntry);
+ nnEntry = NULL;
+ }
+ if (emailEntry) {
+ DestroyDBEntry((certDBEntry *)emailEntry);
+ emailEntry = NULL;
+ }
+ }
+ }
+ } while ((*updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0);
+
+ ret = certdb_Sync(handle->permCertDB, 0);
+ if (ret) {
+ return SECFailure;
+ }
+
+ (*updatedb->close)(updatedb);
+ return (SECSuccess);
+}
+
+static SECStatus
+updateV5Callback(NSSLOWCERTCertificate *cert, SECItem *k, void *pdata)
+{
+ NSSLOWCERTCertDBHandle *handle;
+ certDBEntryCert *entry;
+ NSSLOWCERTCertTrust *trust;
+
+ handle = (NSSLOWCERTCertDBHandle *)pdata;
+ trust = &cert->dbEntry->trust;
+
+ /* SSL user certs can be used for email if they have an email addr */
+ if (cert->emailAddr && (trust->sslFlags & CERTDB_USER) &&
+ (trust->emailFlags == 0)) {
+ trust->emailFlags = CERTDB_USER;
+ }
+ /* servers didn't set the user flags on the server cert.. */
+ if (PORT_Strcmp(cert->dbEntry->nickname, "Server-Cert") == 0) {
+ trust->sslFlags |= CERTDB_USER;
+ }
+
+ entry = AddCertToPermDB(handle, cert, cert->dbEntry->nickname,
+ &cert->dbEntry->trust);
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+
+ return (SECSuccess);
+}
+
+static SECStatus
+UpdateV5DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+ NSSLOWCERTCertDBHandle updatehandle;
+
+ updatehandle.permCertDB = updatedb;
+ updatehandle.dbMon = PZ_NewMonitor(nssILockCertDB);
+ updatehandle.dbVerify = 0;
+ updatehandle.ref = 1; /* prevent premature close */
+
+ (void)nsslowcert_TraversePermCerts(&updatehandle, updateV5Callback,
+ (void *)handle);
+
+ PZ_DestroyMonitor(updatehandle.dbMon);
+
+ (*updatedb->close)(updatedb);
+ return (SECSuccess);
+}
+
+static PRBool
+isV4DB(DB *db)
+{
+ DBT key, data;
+ int ret;
+
+ key.data = "Version";
+ key.size = 7;
+
+ ret = (*db->get)(db, &key, &data, 0);
+ if (ret) {
+ return PR_FALSE;
+ }
+
+ if ((data.size == 1) && (*(unsigned char *)data.data <= 4)) {
+ return PR_TRUE;
+ }
+
+ return PR_FALSE;
+}
+
+static SECStatus
+UpdateV4DB(NSSLOWCERTCertDBHandle *handle, DB *updatedb)
+{
+ DBT key, data;
+ certDBEntryCert *entry, *entry2;
+ int ret;
+ NSSLOWCERTCertificate *cert;
+
+ ret = (*updatedb->seq)(updatedb, &key, &data, R_FIRST);
+
+ if (ret) {
+ return (SECFailure);
+ }
+
+ do {
+ if (data.size != 1) { /* skip version number */
+
+ /* decode the old DB entry */
+ entry = (certDBEntryCert *)
+ DecodeV4DBCertEntry((unsigned char *)data.data, data.size);
+
+ if (entry) {
+ cert = nsslowcert_DecodeDERCertificate(&entry->derCert,
+ entry->nickname);
+
+ if (cert != NULL) {
+ /* add to new database */
+ entry2 = AddCertToPermDB(handle, cert, entry->nickname,
+ &entry->trust);
+
+ nsslowcert_DestroyCertificate(cert);
+ if (entry2) {
+ DestroyDBEntry((certDBEntry *)entry2);
+ }
+ }
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ }
+ } while ((*updatedb->seq)(updatedb, &key, &data, R_NEXT) == 0);
+
+ (*updatedb->close)(updatedb);
+ return (SECSuccess);
+}
+
+/*
+ * return true if a database key conflict exists
+ */
+PRBool
+nsslowcert_CertDBKeyConflict(SECItem *derCert, NSSLOWCERTCertDBHandle *handle)
+{
+ SECStatus rv;
+ DBT tmpdata;
+ DBT namekey;
+ int ret;
+ SECItem keyitem;
+ PLArenaPool *arena = NULL;
+ SECItem derKey;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ /* get the db key of the cert */
+ rv = nsslowcert_KeyFromDERCert(arena, derCert, &derKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ rv = EncodeDBCertKey(&derKey, arena, &keyitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ namekey.data = keyitem.data;
+ namekey.size = keyitem.len;
+
+ ret = certdb_Get(handle->permCertDB, &namekey, &tmpdata, 0);
+ if (ret == 0) {
+ goto loser;
+ }
+
+ PORT_FreeArena(arena, PR_FALSE);
+
+ return (PR_FALSE);
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return (PR_TRUE);
+}
+
+/*
+ * return true if a nickname conflict exists
+ * NOTE: caller must have already made sure that this exact cert
+ * doesn't exist in the DB
+ */
+static PRBool
+nsslowcert_CertNicknameConflict(char *nickname, SECItem *derSubject,
+ NSSLOWCERTCertDBHandle *handle)
+{
+ PRBool rv;
+ certDBEntryNickname *entry;
+
+ if (nickname == NULL) {
+ return (PR_FALSE);
+ }
+
+ entry = ReadDBNicknameEntry(handle, nickname);
+
+ if (entry == NULL) {
+ /* no entry for this nickname, so no conflict */
+ return (PR_FALSE);
+ }
+
+ rv = PR_TRUE;
+ if (SECITEM_CompareItem(derSubject, &entry->subjectName) == SECEqual) {
+ /* if subject names are the same, then no conflict */
+ rv = PR_FALSE;
+ }
+
+ DestroyDBEntry((certDBEntry *)entry);
+ return (rv);
+}
+
+#ifdef DBM_USING_NSPR
+#define NO_RDONLY PR_RDONLY
+#define NO_RDWR PR_RDWR
+#define NO_CREATE (PR_RDWR | PR_CREATE_FILE | PR_TRUNCATE)
+#else
+#define NO_RDONLY O_RDONLY
+#define NO_RDWR O_RDWR
+#define NO_CREATE (O_RDWR | O_CREAT | O_TRUNC)
+#endif
+
+/*
+ * open an old database that needs to be updated
+ */
+static DB *
+nsslowcert_openolddb(NSSLOWCERTDBNameFunc namecb, void *cbarg, int version)
+{
+ char *tmpname;
+ DB *updatedb = NULL;
+
+ tmpname = (*namecb)(cbarg, version); /* get v6 db name */
+ if (tmpname) {
+ updatedb = dbopen(tmpname, NO_RDONLY, 0600, DB_HASH, 0);
+ PORT_Free(tmpname);
+ }
+ return updatedb;
+}
+
+static SECStatus
+openNewCertDB(const char *appName, const char *prefix, const char *certdbname,
+ NSSLOWCERTCertDBHandle *handle, NSSLOWCERTDBNameFunc namecb, void *cbarg)
+{
+ SECStatus rv;
+ certDBEntryVersion *versionEntry = NULL;
+ DB *updatedb = NULL;
+ int status = RDB_FAIL;
+
+ if (appName) {
+ handle->permCertDB = rdbopen(appName, prefix, "cert", NO_CREATE, &status);
+ } else {
+ handle->permCertDB = dbsopen(certdbname, NO_CREATE, 0600, DB_HASH, 0);
+ }
+
+ /* if create fails then we lose */
+ if (handle->permCertDB == 0) {
+ return status == RDB_RETRY ? SECWouldBlock : SECFailure;
+ }
+
+ /* Verify version number; */
+ versionEntry = NewDBVersionEntry(0);
+ if (versionEntry == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ rv = WriteDBVersionEntry(handle, versionEntry);
+
+ DestroyDBEntry((certDBEntry *)versionEntry);
+
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* rv must already be Success here because of previous if statement */
+ /* try to upgrade old db here */
+ if (appName &&
+ (updatedb = dbsopen(certdbname, NO_RDONLY, 0600, DB_HASH, 0)) != NULL) {
+ rv = UpdateV8DB(handle, updatedb);
+ } else if ((updatedb = nsslowcert_openolddb(namecb, cbarg, 7)) != NULL) {
+ rv = UpdateV7DB(handle, updatedb);
+ } else if ((updatedb = nsslowcert_openolddb(namecb, cbarg, 6)) != NULL) {
+ rv = UpdateV6DB(handle, updatedb);
+ } else if ((updatedb = nsslowcert_openolddb(namecb, cbarg, 5)) != NULL) {
+ rv = UpdateV5DB(handle, updatedb);
+ } else if ((updatedb = nsslowcert_openolddb(namecb, cbarg, 4)) != NULL) {
+ /* NES has v5 format db's with v4 db names! */
+ if (isV4DB(updatedb)) {
+ rv = UpdateV4DB(handle, updatedb);
+ } else {
+ rv = UpdateV5DB(handle, updatedb);
+ }
+ }
+
+loser:
+ db_InitComplete(handle->permCertDB);
+ return rv;
+}
+
+static int
+nsslowcert_GetVersionNumber(NSSLOWCERTCertDBHandle *handle)
+{
+ certDBEntryVersion *versionEntry = NULL;
+ int version = 0;
+
+ versionEntry = ReadDBVersionEntry(handle);
+ if (versionEntry == NULL) {
+ return 0;
+ }
+ version = versionEntry->common.version;
+ DestroyDBEntry((certDBEntry *)versionEntry);
+ return version;
+}
+
+/*
+ * Open the certificate database and index databases. Create them if
+ * they are not there or bad.
+ */
+static SECStatus
+nsslowcert_OpenPermCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+ const char *appName, const char *prefix,
+ NSSLOWCERTDBNameFunc namecb, void *cbarg)
+{
+ SECStatus rv;
+ int openflags;
+ char *certdbname;
+ int version = 0;
+
+ certdbname = (*namecb)(cbarg, CERT_DB_FILE_VERSION);
+ if (certdbname == NULL) {
+ return (SECFailure);
+ }
+
+ openflags = readOnly ? NO_RDONLY : NO_RDWR;
+
+ /*
+ * first open the permanent file based database.
+ */
+ if (appName) {
+ handle->permCertDB = rdbopen(appName, prefix, "cert", openflags, NULL);
+ } else {
+ handle->permCertDB = dbsopen(certdbname, openflags, 0600, DB_HASH, 0);
+ }
+
+ /* check for correct version number */
+ if (handle->permCertDB) {
+ version = nsslowcert_GetVersionNumber(handle);
+ if ((version != CERT_DB_FILE_VERSION) &&
+ !(appName && version == CERT_DB_V7_FILE_VERSION)) {
+ goto loser;
+ }
+ } else if (readOnly) {
+ /* don't create if readonly */
+ /* Try openning a version 7 database */
+ handle->permCertDB = nsslowcert_openolddb(namecb, cbarg, 7);
+ if (!handle->permCertDB) {
+ goto loser;
+ }
+ if (nsslowcert_GetVersionNumber(handle) != 7) {
+ goto loser;
+ }
+ } else {
+ /* if first open fails, try to create a new DB */
+ rv = openNewCertDB(appName, prefix, certdbname, handle, namecb, cbarg);
+ if (rv == SECWouldBlock) {
+ /* only the rdb version can fail with wouldblock */
+ handle->permCertDB =
+ rdbopen(appName, prefix, "cert", openflags, NULL);
+
+ /* check for correct version number */
+ if (!handle->permCertDB) {
+ goto loser;
+ }
+ version = nsslowcert_GetVersionNumber(handle);
+ if ((version != CERT_DB_FILE_VERSION) &&
+ !(appName && version == CERT_DB_V7_FILE_VERSION)) {
+ goto loser;
+ }
+ } else if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ PORT_Free(certdbname);
+
+ return (SECSuccess);
+
+loser:
+
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+
+ if (handle->permCertDB) {
+ certdb_Close(handle->permCertDB);
+ handle->permCertDB = 0;
+ }
+
+ PORT_Free(certdbname);
+
+ return (SECFailure);
+}
+
+/*
+ * delete all DB records associated with a particular certificate
+ */
+static SECStatus
+DeletePermCert(NSSLOWCERTCertificate *cert)
+{
+ SECStatus rv;
+ SECStatus ret;
+
+ ret = SECSuccess;
+
+ rv = DeleteDBCertEntry(cert->dbhandle, &cert->certKey);
+ if (rv != SECSuccess) {
+ ret = SECFailure;
+ }
+
+ rv = RemovePermSubjectNode(cert);
+
+ return (ret);
+}
+
+/*
+ * Delete a certificate from the permanent database.
+ */
+SECStatus
+nsslowcert_DeletePermCertificate(NSSLOWCERTCertificate *cert)
+{
+ SECStatus rv;
+
+ nsslowcert_LockDB(cert->dbhandle);
+
+ /* delete the records from the permanent database */
+ rv = DeletePermCert(cert);
+
+ /* get rid of dbcert and stuff pointing to it */
+ DestroyDBEntry((certDBEntry *)cert->dbEntry);
+ cert->dbEntry = NULL;
+ cert->trust = NULL;
+
+ nsslowcert_UnlockDB(cert->dbhandle);
+ return (rv);
+}
+
+/*
+ * Traverse all of the entries in the database of a particular type
+ * call the given function for each one.
+ */
+SECStatus
+nsslowcert_TraverseDBEntries(NSSLOWCERTCertDBHandle *handle,
+ certDBEntryType type,
+ SECStatus (*callback)(SECItem *data, SECItem *key,
+ certDBEntryType type, void *pdata),
+ void *udata)
+{
+ DBT data;
+ DBT key;
+ SECStatus rv = SECSuccess;
+ int ret;
+ SECItem dataitem;
+ SECItem keyitem;
+ unsigned char *buf;
+ unsigned char *keybuf;
+
+ ret = certdb_Seq(handle->permCertDB, &key, &data, R_FIRST);
+ if (ret) {
+ return (SECFailure);
+ }
+ /* here, ret is zero and rv is SECSuccess.
+ * Below here, ret is a count of successful calls to the callback function.
+ */
+ do {
+ buf = (unsigned char *)data.data;
+
+ if (buf[1] == (unsigned char)type) {
+ dataitem.len = data.size;
+ dataitem.data = buf;
+ dataitem.type = siBuffer;
+ keyitem.len = key.size - SEC_DB_KEY_HEADER_LEN;
+ keybuf = (unsigned char *)key.data;
+ keyitem.data = &keybuf[SEC_DB_KEY_HEADER_LEN];
+ keyitem.type = siBuffer;
+ /* type should equal keybuf[0]. */
+
+ rv = (*callback)(&dataitem, &keyitem, type, udata);
+ if (rv == SECSuccess) {
+ ++ret;
+ }
+ }
+ } while (certdb_Seq(handle->permCertDB, &key, &data, R_NEXT) == 0);
+ /* If any callbacks succeeded, or no calls to callbacks were made,
+ * then report success. Otherwise, report failure.
+ */
+ return (ret ? SECSuccess : rv);
+}
+/*
+ * Decode a certificate and enter it into the temporary certificate database.
+ * Deal with nicknames correctly
+ *
+ * This is the private entry point.
+ */
+static NSSLOWCERTCertificate *
+DecodeACert(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry)
+{
+ NSSLOWCERTCertificate *cert = NULL;
+
+ cert = nsslowcert_DecodeDERCertificate(&entry->derCert, entry->nickname);
+
+ if (cert == NULL) {
+ goto loser;
+ }
+
+ cert->dbhandle = handle;
+ cert->dbEntry = entry;
+ cert->trust = &entry->trust;
+
+ return (cert);
+
+loser:
+ return (0);
+}
+
+static NSSLOWCERTTrust *
+CreateTrust(void)
+{
+ NSSLOWCERTTrust *trust = NULL;
+
+ nsslowcert_LockFreeList();
+ trust = trustListHead;
+ if (trust) {
+ trustListCount--;
+ trustListHead = trust->next;
+ trust->next = NULL;
+ }
+ PORT_Assert(trustListCount >= 0);
+ nsslowcert_UnlockFreeList();
+ if (trust) {
+ return trust;
+ }
+
+ return PORT_ZNew(NSSLOWCERTTrust);
+}
+
+static void
+DestroyTrustFreeList(void)
+{
+ NSSLOWCERTTrust *trust;
+
+ nsslowcert_LockFreeList();
+ while (NULL != (trust = trustListHead)) {
+ trustListCount--;
+ trustListHead = trust->next;
+ PORT_Free(trust);
+ }
+ PORT_Assert(!trustListCount);
+ trustListCount = 0;
+ nsslowcert_UnlockFreeList();
+}
+
+static NSSLOWCERTTrust *
+DecodeTrustEntry(NSSLOWCERTCertDBHandle *handle, certDBEntryCert *entry,
+ const SECItem *dbKey)
+{
+ NSSLOWCERTTrust *trust = CreateTrust();
+ if (trust == NULL) {
+ return trust;
+ }
+ trust->dbhandle = handle;
+ trust->dbEntry = entry;
+ trust->dbKey.data = pkcs11_copyStaticData(dbKey->data, dbKey->len,
+ trust->dbKeySpace, sizeof(trust->dbKeySpace));
+ if (!trust->dbKey.data) {
+ PORT_Free(trust);
+ return NULL;
+ }
+ trust->dbKey.len = dbKey->len;
+
+ trust->trust = &entry->trust;
+ trust->derCert = &entry->derCert;
+
+ return (trust);
+}
+
+typedef struct {
+ PermCertCallback certfunc;
+ NSSLOWCERTCertDBHandle *handle;
+ void *data;
+} PermCertCallbackState;
+
+/*
+ * traversal callback to decode certs and call callers callback
+ */
+static SECStatus
+certcallback(SECItem *dbdata, SECItem *dbkey, certDBEntryType type, void *data)
+{
+ PermCertCallbackState *mystate;
+ SECStatus rv;
+ certDBEntryCert *entry;
+ SECItem entryitem;
+ NSSLOWCERTCertificate *cert;
+ PLArenaPool *arena = NULL;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ entry = (certDBEntryCert *)PORT_ArenaAlloc(arena, sizeof(certDBEntryCert));
+ if (!entry) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ goto loser;
+ }
+ mystate = (PermCertCallbackState *)data;
+ entry->common.version = (unsigned int)dbdata->data[0];
+ entry->common.type = (certDBEntryType)dbdata->data[1];
+ entry->common.flags = (unsigned int)dbdata->data[2];
+ entry->common.arena = arena;
+
+ entryitem.len = dbdata->len - SEC_DB_ENTRY_HEADER_LEN;
+ entryitem.data = &dbdata->data[SEC_DB_ENTRY_HEADER_LEN];
+
+ rv = DecodeDBCertEntry(entry, &entryitem);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ entry->derCert.type = siBuffer;
+
+ /* note: Entry is 'inheritted'. */
+ cert = DecodeACert(mystate->handle, entry);
+
+ rv = (*mystate->certfunc)(cert, dbkey, mystate->data);
+
+ /* arena stored in entry destroyed by nsslowcert_DestroyCertificate */
+ nsslowcert_DestroyCertificateNoLocking(cert);
+
+ return (rv);
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+ return (SECFailure);
+}
+
+/*
+ * Traverse all of the certificates in the permanent database and
+ * call the given function for each one; expect the caller to have lock.
+ */
+static SECStatus
+TraversePermCertsNoLocking(NSSLOWCERTCertDBHandle *handle,
+ SECStatus (*certfunc)(NSSLOWCERTCertificate *cert,
+ SECItem *k,
+ void *pdata),
+ void *udata)
+{
+ SECStatus rv;
+ PermCertCallbackState mystate;
+
+ mystate.certfunc = certfunc;
+ mystate.handle = handle;
+ mystate.data = udata;
+ rv = nsslowcert_TraverseDBEntries(handle, certDBEntryTypeCert, certcallback,
+ (void *)&mystate);
+
+ return (rv);
+}
+
+/*
+ * Traverse all of the certificates in the permanent database and
+ * call the given function for each one.
+ */
+SECStatus
+nsslowcert_TraversePermCerts(NSSLOWCERTCertDBHandle *handle,
+ SECStatus (*certfunc)(NSSLOWCERTCertificate *cert, SECItem *k,
+ void *pdata),
+ void *udata)
+{
+ SECStatus rv;
+
+ nsslowcert_LockDB(handle);
+ rv = TraversePermCertsNoLocking(handle, certfunc, udata);
+ nsslowcert_UnlockDB(handle);
+
+ return (rv);
+}
+
+/*
+ * Close the database
+ */
+void
+nsslowcert_ClosePermCertDB(NSSLOWCERTCertDBHandle *handle)
+{
+ if (handle) {
+ if (handle->permCertDB) {
+ certdb_Close(handle->permCertDB);
+ handle->permCertDB = NULL;
+ }
+ if (handle->dbMon) {
+ PZ_DestroyMonitor(handle->dbMon);
+ handle->dbMon = NULL;
+ }
+ PORT_Free(handle);
+ }
+ return;
+}
+
+/*
+ * Get the trust attributes from a certificate
+ */
+SECStatus
+nsslowcert_GetCertTrust(NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
+{
+ SECStatus rv;
+
+ nsslowcert_LockCertTrust(cert);
+
+ if (cert->trust == NULL) {
+ rv = SECFailure;
+ } else {
+ *trust = *cert->trust;
+ rv = SECSuccess;
+ }
+
+ nsslowcert_UnlockCertTrust(cert);
+ return (rv);
+}
+
+/*
+ * Change the trust attributes of a certificate and make them permanent
+ * in the database.
+ */
+SECStatus
+nsslowcert_ChangeCertTrust(NSSLOWCERTCertDBHandle *handle,
+ NSSLOWCERTCertificate *cert, NSSLOWCERTCertTrust *trust)
+{
+ certDBEntryCert *entry;
+ int rv;
+ SECStatus ret;
+
+ nsslowcert_LockDB(handle);
+ nsslowcert_LockCertTrust(cert);
+ /* only set the trust on permanent certs */
+ if (cert->trust == NULL) {
+ ret = SECFailure;
+ goto done;
+ }
+
+ *cert->trust = *trust;
+ if (cert->dbEntry == NULL) {
+ ret = SECSuccess; /* not in permanent database */
+ goto done;
+ }
+
+ entry = cert->dbEntry;
+ entry->trust = *trust;
+
+ rv = WriteDBCertEntry(handle, entry);
+ if (rv) {
+ ret = SECFailure;
+ goto done;
+ }
+
+ ret = SECSuccess;
+
+done:
+ nsslowcert_UnlockCertTrust(cert);
+ nsslowcert_UnlockDB(handle);
+ return (ret);
+}
+
+static SECStatus
+nsslowcert_UpdatePermCert(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust)
+{
+ char *oldnn;
+ certDBEntryCert *entry;
+ PRBool conflict;
+ SECStatus ret;
+
+ PORT_Assert(!cert->dbEntry);
+
+ /* don't add a conflicting nickname */
+ conflict = nsslowcert_CertNicknameConflict(nickname, &cert->derSubject,
+ dbhandle);
+ if (conflict) {
+ ret = SECFailure;
+ goto done;
+ }
+
+ /* save old nickname so that we can delete it */
+ oldnn = cert->nickname;
+
+ entry = AddCertToPermDB(dbhandle, cert, nickname, trust);
+
+ if (entry == NULL) {
+ ret = SECFailure;
+ goto done;
+ }
+
+ pkcs11_freeNickname(oldnn, cert->nicknameSpace);
+
+ cert->nickname = (entry->nickname) ? pkcs11_copyNickname(entry->nickname,
+ cert->nicknameSpace, sizeof(cert->nicknameSpace))
+ : NULL;
+ cert->trust = &entry->trust;
+ cert->dbEntry = entry;
+
+ ret = SECSuccess;
+done:
+ return (ret);
+}
+
+SECStatus
+nsslowcert_AddPermCert(NSSLOWCERTCertDBHandle *dbhandle,
+ NSSLOWCERTCertificate *cert, char *nickname, NSSLOWCERTCertTrust *trust)
+{
+ SECStatus ret;
+
+ nsslowcert_LockDB(dbhandle);
+
+ ret = nsslowcert_UpdatePermCert(dbhandle, cert, nickname, trust);
+
+ nsslowcert_UnlockDB(dbhandle);
+ return (ret);
+}
+
+/*
+ * Open the certificate database and index databases. Create them if
+ * they are not there or bad.
+ */
+SECStatus
+nsslowcert_OpenCertDB(NSSLOWCERTCertDBHandle *handle, PRBool readOnly,
+ const char *appName, const char *prefix,
+ NSSLOWCERTDBNameFunc namecb, void *cbarg, PRBool openVolatile)
+{
+ int rv;
+
+ certdb_InitDBLock(handle);
+
+ handle->dbMon = PZ_NewMonitor(nssILockCertDB);
+ PORT_Assert(handle->dbMon != NULL);
+ handle->dbVerify = PR_FALSE;
+
+ rv = nsslowcert_OpenPermCertDB(handle, readOnly, appName, prefix,
+ namecb, cbarg);
+ if (rv) {
+ goto loser;
+ }
+
+ return (SECSuccess);
+
+loser:
+ if (handle->dbMon) {
+ PZ_DestroyMonitor(handle->dbMon);
+ handle->dbMon = NULL;
+ }
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+ return (SECFailure);
+}
+
+PRBool
+nsslowcert_needDBVerify(NSSLOWCERTCertDBHandle *handle)
+{
+ if (!handle)
+ return PR_FALSE;
+ return handle->dbVerify;
+}
+
+void
+nsslowcert_setDBVerify(NSSLOWCERTCertDBHandle *handle, PRBool value)
+{
+ handle->dbVerify = value;
+}
+
+/*
+ * Lookup a certificate in the databases.
+ */
+static NSSLOWCERTCertificate *
+FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey, PRBool lockdb)
+{
+ NSSLOWCERTCertificate *cert = NULL;
+ certDBEntryCert *entry;
+ PRBool locked = PR_FALSE;
+
+ if (lockdb) {
+ locked = PR_TRUE;
+ nsslowcert_LockDB(handle);
+ }
+
+ /* find in perm database */
+ entry = ReadDBCertEntry(handle, certKey);
+
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ /* inherit entry */
+ cert = DecodeACert(handle, entry);
+
+loser:
+ if (cert == NULL) {
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ }
+
+ if (locked) {
+ nsslowcert_UnlockDB(handle);
+ }
+
+ return (cert);
+}
+
+/*
+ * Lookup a certificate in the databases.
+ */
+static NSSLOWCERTTrust *
+FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey, PRBool lockdb)
+{
+ NSSLOWCERTTrust *trust = NULL;
+ certDBEntryCert *entry;
+ PRBool locked = PR_FALSE;
+
+ if (lockdb) {
+ locked = PR_TRUE;
+ nsslowcert_LockDB(handle);
+ }
+
+ /* find in perm database */
+ entry = ReadDBCertEntry(handle, certKey);
+
+ if (entry == NULL) {
+ goto loser;
+ }
+
+ if (!nsslowcert_hasTrust(&entry->trust)) {
+ goto loser;
+ }
+
+ /* inherit entry */
+ trust = DecodeTrustEntry(handle, entry, certKey);
+
+loser:
+ if (trust == NULL) {
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ }
+
+ if (locked) {
+ nsslowcert_UnlockDB(handle);
+ }
+
+ return (trust);
+}
+
+/*
+ * Lookup a certificate in the databases without locking
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey)
+{
+ return (FindCertByKey(handle, certKey, PR_FALSE));
+}
+
+/*
+ * Lookup a trust object in the databases without locking
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByKey(NSSLOWCERTCertDBHandle *handle, const SECItem *certKey)
+{
+ return (FindTrustByKey(handle, certKey, PR_FALSE));
+}
+
+/*
+ * Generate a key from an issuerAndSerialNumber, and find the
+ * associated cert in the database.
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN)
+{
+ SECItem certKey;
+ SECItem *sn = &issuerAndSN->serialNumber;
+ SECItem *issuer = &issuerAndSN->derIssuer;
+ NSSLOWCERTCertificate *cert;
+ int data_len = sn->len;
+ int index = 0;
+
+ /* automatically detect DER encoded serial numbers and remove the der
+ * encoding since the database expects unencoded data.
+ * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
+ if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
+ /* remove the der encoding of the serial number before generating the
+ * key.. */
+ int data_left = sn->len - 2;
+ data_len = sn->data[1];
+ index = 2;
+
+ /* extended length ? (not very likely for a serial number) */
+ if (data_len & 0x80) {
+ int len_count = data_len & 0x7f;
+
+ data_len = 0;
+ data_left -= len_count;
+ if (data_left > 0) {
+ while (len_count--) {
+ data_len = (data_len << 8) | sn->data[index++];
+ }
+ }
+ }
+ /* XXX leaving any leading zeros on the serial number for backwards
+ * compatibility
+ */
+ /* not a valid der, must be just an unlucky serial number value */
+ if (data_len != data_left) {
+ data_len = sn->len;
+ index = 0;
+ }
+ }
+
+ certKey.type = 0;
+ certKey.data = (unsigned char *)PORT_Alloc(sn->len + issuer->len);
+ certKey.len = data_len + issuer->len;
+
+ if (certKey.data == NULL) {
+ return (0);
+ }
+
+ /* first try the serial number as hand-decoded above*/
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, &sn->data[index], data_len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&certKey.data[data_len], issuer->data, issuer->len);
+
+ cert = nsslowcert_FindCertByKey(handle, &certKey);
+ if (cert) {
+ PORT_Free(certKey.data);
+ return (cert);
+ }
+
+ /* didn't find it, try by der encoded serial number */
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, sn->data, sn->len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&certKey.data[sn->len], issuer->data, issuer->len);
+ certKey.len = sn->len + issuer->len;
+
+ cert = nsslowcert_FindCertByKey(handle, &certKey);
+
+ PORT_Free(certKey.data);
+
+ return (cert);
+}
+
+/*
+ * Generate a key from an issuerAndSerialNumber, and find the
+ * associated cert in the database.
+ */
+NSSLOWCERTTrust *
+nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle,
+ NSSLOWCERTIssuerAndSN *issuerAndSN)
+{
+ SECItem certKey;
+ SECItem *sn = &issuerAndSN->serialNumber;
+ SECItem *issuer = &issuerAndSN->derIssuer;
+ NSSLOWCERTTrust *trust;
+ unsigned char keyBuf[512];
+ int data_len = sn->len;
+ int index = 0;
+ int len;
+
+ /* automatically detect DER encoded serial numbers and remove the der
+ * encoding since the database expects unencoded data.
+ * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
+ if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
+ /* remove the der encoding of the serial number before generating the
+ * key.. */
+ int data_left = sn->len - 2;
+ data_len = sn->data[1];
+ index = 2;
+
+ /* extended length ? (not very likely for a serial number) */
+ if (data_len & 0x80) {
+ int len_count = data_len & 0x7f;
+
+ data_len = 0;
+ data_left -= len_count;
+ if (data_left > 0) {
+ while (len_count--) {
+ data_len = (data_len << 8) | sn->data[index++];
+ }
+ }
+ }
+ /* XXX leaving any leading zeros on the serial number for backwards
+ * compatibility
+ */
+ /* not a valid der, must be just an unlucky serial number value */
+ if (data_len != data_left) {
+ data_len = sn->len;
+ index = 0;
+ }
+ }
+
+ certKey.type = 0;
+ certKey.len = data_len + issuer->len;
+ len = sn->len + issuer->len;
+ if (len > sizeof(keyBuf)) {
+ certKey.data = (unsigned char *)PORT_Alloc(len);
+ } else {
+ certKey.data = keyBuf;
+ }
+
+ if (certKey.data == NULL) {
+ return (0);
+ }
+
+ /* first try the serial number as hand-decoded above*/
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, &sn->data[index], data_len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&certKey.data[data_len], issuer->data, issuer->len);
+
+ trust = nsslowcert_FindTrustByKey(handle, &certKey);
+ if (trust) {
+ pkcs11_freeStaticData(certKey.data, keyBuf);
+ return (trust);
+ }
+
+ if (index == 0) {
+ pkcs11_freeStaticData(certKey.data, keyBuf);
+ return NULL;
+ }
+
+ /* didn't find it, try by der encoded serial number */
+ /* copy the serialNumber */
+ PORT_Memcpy(certKey.data, sn->data, sn->len);
+
+ /* copy the issuer */
+ PORT_Memcpy(&certKey.data[sn->len], issuer->data, issuer->len);
+ certKey.len = sn->len + issuer->len;
+
+ trust = nsslowcert_FindTrustByKey(handle, &certKey);
+
+ pkcs11_freeStaticData(certKey.data, keyBuf);
+
+ return (trust);
+}
+
+/*
+ * look for the given DER certificate in the database
+ */
+NSSLOWCERTCertificate *
+nsslowcert_FindCertByDERCert(NSSLOWCERTCertDBHandle *handle, SECItem *derCert)
+{
+ PLArenaPool *arena;
+ SECItem certKey;
+ SECStatus rv;
+ NSSLOWCERTCertificate *cert = NULL;
+
+ /* create a scratch arena */
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ return (NULL);
+ }
+
+ /* extract the database key from the cert */
+ rv = nsslowcert_KeyFromDERCert(arena, derCert, &certKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* find the certificate */
+ cert = nsslowcert_FindCertByKey(handle, &certKey);
+
+loser:
+ PORT_FreeArena(arena, PR_FALSE);
+ return (cert);
+}
+
+static void
+DestroyCertificate(NSSLOWCERTCertificate *cert, PRBool lockdb)
+{
+ int refCount;
+ NSSLOWCERTCertDBHandle *handle;
+
+ if (cert) {
+
+ handle = cert->dbhandle;
+
+ /*
+ * handle may be NULL, for example if the cert was created with
+ * nsslowcert_DecodeDERCertificate.
+ */
+ if (lockdb && handle) {
+ nsslowcert_LockDB(handle);
+ }
+
+ nsslowcert_LockCertRefCount(cert);
+ PORT_Assert(cert->referenceCount > 0);
+ refCount = --cert->referenceCount;
+ nsslowcert_UnlockCertRefCount(cert);
+
+ if (refCount == 0) {
+ certDBEntryCert *entry = cert->dbEntry;
+
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+
+ pkcs11_freeNickname(cert->nickname, cert->nicknameSpace);
+ pkcs11_freeNickname(cert->emailAddr, cert->emailAddrSpace);
+ pkcs11_freeStaticData(cert->certKey.data, cert->certKeySpace);
+ cert->certKey.data = NULL;
+ cert->nickname = NULL;
+
+ /* zero cert before freeing. Any stale references to this cert
+ * after this point will probably cause an exception. */
+ PORT_Memset(cert, 0, sizeof *cert);
+
+ /* use reflock to protect the free list */
+ nsslowcert_LockFreeList();
+ if (certListCount > MAX_CERT_LIST_COUNT) {
+ PORT_Free(cert);
+ } else {
+ certListCount++;
+ cert->next = certListHead;
+ certListHead = cert;
+ }
+ nsslowcert_UnlockFreeList();
+ cert = NULL;
+ }
+ if (lockdb && handle) {
+ nsslowcert_UnlockDB(handle);
+ }
+ }
+
+ return;
+}
+
+NSSLOWCERTCertificate *
+nsslowcert_CreateCert(void)
+{
+ NSSLOWCERTCertificate *cert;
+ nsslowcert_LockFreeList();
+ cert = certListHead;
+ if (cert) {
+ certListHead = cert->next;
+ certListCount--;
+ }
+ PORT_Assert(certListCount >= 0);
+ nsslowcert_UnlockFreeList();
+ if (cert) {
+ return cert;
+ }
+ return PORT_ZNew(NSSLOWCERTCertificate);
+}
+
+static void
+DestroyCertFreeList(void)
+{
+ NSSLOWCERTCertificate *cert;
+
+ nsslowcert_LockFreeList();
+ while (NULL != (cert = certListHead)) {
+ certListCount--;
+ certListHead = cert->next;
+ PORT_Free(cert);
+ }
+ PORT_Assert(!certListCount);
+ certListCount = 0;
+ nsslowcert_UnlockFreeList();
+}
+
+void
+nsslowcert_DestroyTrust(NSSLOWCERTTrust *trust)
+{
+ certDBEntryCert *entry = trust->dbEntry;
+
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ pkcs11_freeStaticData(trust->dbKey.data, trust->dbKeySpace);
+ PORT_Memset(trust, 0, sizeof(*trust));
+
+ nsslowcert_LockFreeList();
+ if (trustListCount > MAX_TRUST_LIST_COUNT) {
+ PORT_Free(trust);
+ } else {
+ trustListCount++;
+ trust->next = trustListHead;
+ trustListHead = trust;
+ }
+ nsslowcert_UnlockFreeList();
+
+ return;
+}
+
+void
+nsslowcert_DestroyCertificate(NSSLOWCERTCertificate *cert)
+{
+ DestroyCertificate(cert, PR_TRUE);
+ return;
+}
+
+static void
+nsslowcert_DestroyCertificateNoLocking(NSSLOWCERTCertificate *cert)
+{
+ DestroyCertificate(cert, PR_FALSE);
+ return;
+}
+
+/*
+ * Lookup a CRL in the databases. We mirror the same fast caching data base
+ * caching stuff used by certificates....?
+ */
+certDBEntryRevocation *
+nsslowcert_FindCrlByKey(NSSLOWCERTCertDBHandle *handle,
+ SECItem *crlKey, PRBool isKRL)
+{
+ SECItem keyitem;
+ SECStatus rv;
+ PLArenaPool *arena = NULL;
+ certDBEntryRevocation *entry = NULL;
+ certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation
+ : certDBEntryTypeRevocation;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+
+ rv = EncodeDBGenericKey(crlKey, arena, &keyitem, crlType);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* find in perm database */
+ entry = ReadDBCrlEntry(handle, crlKey, crlType);
+
+ if (entry == NULL) {
+ goto loser;
+ }
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+
+ return entry;
+}
+
+/*
+ * replace the existing URL in the data base with a new one
+ */
+static SECStatus
+nsslowcert_UpdateCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl,
+ SECItem *crlKey, char *url, PRBool isKRL)
+{
+ SECStatus rv = SECFailure;
+ certDBEntryRevocation *entry = NULL;
+ certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation
+ : certDBEntryTypeRevocation;
+ DeleteDBCrlEntry(handle, crlKey, crlType);
+
+ /* Write the new entry into the data base */
+ entry = NewDBCrlEntry(derCrl, url, crlType, 0);
+ if (entry == NULL)
+ goto done;
+
+ rv = WriteDBCrlEntry(handle, entry, crlKey);
+ if (rv != SECSuccess)
+ goto done;
+
+done:
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ return rv;
+}
+
+SECStatus
+nsslowcert_AddCrl(NSSLOWCERTCertDBHandle *handle, SECItem *derCrl,
+ SECItem *crlKey, char *url, PRBool isKRL)
+{
+ SECStatus rv;
+
+ rv = nsslowcert_UpdateCrl(handle, derCrl, crlKey, url, isKRL);
+
+ return rv;
+}
+
+SECStatus
+nsslowcert_DeletePermCRL(NSSLOWCERTCertDBHandle *handle, const SECItem *derName,
+ PRBool isKRL)
+{
+ SECStatus rv;
+ certDBEntryType crlType = isKRL ? certDBEntryTypeKeyRevocation
+ : certDBEntryTypeRevocation;
+
+ rv = DeleteDBCrlEntry(handle, derName, crlType);
+ if (rv != SECSuccess)
+ goto done;
+
+done:
+ return rv;
+}
+
+PRBool
+nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
+{
+ if (trust == NULL) {
+ return PR_FALSE;
+ }
+ /* if we only have CERTDB__USER and CERTDB_TRUSTED_UNKNOWN bits, then
+ * we don't have a trust record. */
+ return !(((trust->sslFlags & ~(CERTDB_USER | CERTDB_TRUSTED_UNKNOWN)) == 0) &&
+ ((trust->emailFlags & ~(CERTDB_USER | CERTDB_TRUSTED_UNKNOWN)) == 0) &&
+ ((trust->objectSigningFlags & ~(CERTDB_USER | CERTDB_TRUSTED_UNKNOWN)) == 0));
+}
+
+/*
+ * This function has the logic that decides if another person's cert and
+ * email profile from an S/MIME message should be saved. It can deal with
+ * the case when there is no profile.
+ */
+static SECStatus
+nsslowcert_UpdateSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle,
+ char *emailAddr, SECItem *derSubject, SECItem *emailProfile,
+ SECItem *profileTime)
+{
+ certDBEntrySMime *entry = NULL;
+ SECStatus rv = SECFailure;
+ ;
+
+ /* find our existing entry */
+ entry = nsslowcert_ReadDBSMimeEntry(dbhandle, emailAddr);
+
+ if (entry) {
+ /* keep our old db entry consistant for old applications. */
+ if (!SECITEM_ItemsAreEqual(derSubject, &entry->subjectName)) {
+ nsslowcert_UpdateSubjectEmailAddr(dbhandle, &entry->subjectName,
+ emailAddr, nsslowcert_remove);
+ }
+ DestroyDBEntry((certDBEntry *)entry);
+ entry = NULL;
+ }
+
+ /* now save the entry */
+ entry = NewDBSMimeEntry(emailAddr, derSubject, emailProfile,
+ profileTime, 0);
+ if (entry == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ nsslowcert_LockDB(dbhandle);
+
+ rv = DeleteDBSMimeEntry(dbhandle, emailAddr);
+ /* if delete fails, try to write new entry anyway... */
+
+ /* link subject entry back here */
+ rv = nsslowcert_UpdateSubjectEmailAddr(dbhandle, derSubject, emailAddr,
+ nsslowcert_add);
+ if (rv != SECSuccess) {
+ nsslowcert_UnlockDB(dbhandle);
+ goto loser;
+ }
+
+ rv = WriteDBSMimeEntry(dbhandle, entry);
+ if (rv != SECSuccess) {
+ nsslowcert_UnlockDB(dbhandle);
+ goto loser;
+ }
+
+ nsslowcert_UnlockDB(dbhandle);
+
+ rv = SECSuccess;
+
+loser:
+ if (entry) {
+ DestroyDBEntry((certDBEntry *)entry);
+ }
+ return (rv);
+}
+
+SECStatus
+nsslowcert_SaveSMimeProfile(NSSLOWCERTCertDBHandle *dbhandle, char *emailAddr,
+ SECItem *derSubject, SECItem *emailProfile, SECItem *profileTime)
+{
+ SECStatus rv = SECFailure;
+ ;
+
+ rv = nsslowcert_UpdateSMimeProfile(dbhandle, emailAddr,
+ derSubject, emailProfile, profileTime);
+
+ return (rv);
+}
+
+void
+nsslowcert_DestroyFreeLists(void)
+{
+ if (freeListLock == NULL) {
+ return;
+ }
+ DestroyCertEntryFreeList();
+ DestroyTrustFreeList();
+ DestroyCertFreeList();
+ SKIP_AFTER_FORK(PZ_DestroyLock(freeListLock));
+ freeListLock = NULL;
+}
+
+void
+nsslowcert_DestroyGlobalLocks(void)
+{
+ if (dbLock) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(dbLock));
+ dbLock = NULL;
+ }
+ if (certRefCountLock) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(certRefCountLock));
+ certRefCountLock = NULL;
+ }
+ if (certTrustLock) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(certTrustLock));
+ certTrustLock = NULL;
+ }
+}
+
+certDBEntry *
+nsslowcert_DecodeAnyDBEntry(SECItem *dbData, const SECItem *dbKey,
+ certDBEntryType entryType, void *pdata)
+{
+ PLArenaPool *arena = NULL;
+ certDBEntry *entry;
+ SECStatus rv;
+ SECItem dbEntry;
+
+ if ((dbData->len < SEC_DB_ENTRY_HEADER_LEN) || (dbKey->len == 0)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ dbEntry.data = &dbData->data[SEC_DB_ENTRY_HEADER_LEN];
+ dbEntry.len = dbData->len - SEC_DB_ENTRY_HEADER_LEN;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto loser;
+ }
+ entry = PORT_ArenaZNew(arena, certDBEntry);
+ if (!entry)
+ goto loser;
+
+ entry->common.version = (unsigned int)dbData->data[0];
+ entry->common.flags = (unsigned int)dbData->data[2];
+ entry->common.type = entryType;
+ entry->common.arena = arena;
+
+ switch (entryType) {
+ case certDBEntryTypeContentVersion: /* This type appears to be unused */
+ case certDBEntryTypeVersion: /* This type has only the common hdr */
+ rv = SECSuccess;
+ break;
+
+ case certDBEntryTypeSubject:
+ rv = DecodeDBSubjectEntry(&entry->subject, &dbEntry, dbKey);
+ break;
+
+ case certDBEntryTypeNickname:
+ rv = DecodeDBNicknameEntry(&entry->nickname, &dbEntry,
+ (char *)dbKey->data);
+ break;
+
+ /* smime profiles need entries created after the certs have
+ * been imported, loop over them in a second run */
+ case certDBEntryTypeSMimeProfile:
+ rv = DecodeDBSMimeEntry(&entry->smime, &dbEntry, (char *)dbKey->data);
+ break;
+
+ case certDBEntryTypeCert:
+ rv = DecodeDBCertEntry(&entry->cert, &dbEntry);
+ break;
+
+ case certDBEntryTypeKeyRevocation:
+ case certDBEntryTypeRevocation:
+ rv = DecodeDBCrlEntry(&entry->revocation, &dbEntry);
+ break;
+
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+ }
+
+ if (rv == SECSuccess)
+ return entry;
+
+loser:
+ if (arena)
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+}
diff --git a/security/nss/lib/softoken/legacydb/pcertt.h b/security/nss/lib/softoken/legacydb/pcertt.h
new file mode 100644
index 0000000000..7eaa82def8
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pcertt.h
@@ -0,0 +1,418 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * certt.h - public data structures for the certificate library
+ */
+#ifndef _PCERTT_H_
+#define _PCERTT_H_
+
+#include "prclist.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "plarena.h"
+#include "prcvar.h"
+#include "nssilock.h"
+#include "prio.h"
+#include "prmon.h"
+
+/* Non-opaque objects */
+typedef struct NSSLOWCERTCertDBHandleStr NSSLOWCERTCertDBHandle;
+typedef struct NSSLOWCERTCertKeyStr NSSLOWCERTCertKey;
+
+typedef struct NSSLOWCERTTrustStr NSSLOWCERTTrust;
+typedef struct NSSLOWCERTCertTrustStr NSSLOWCERTCertTrust;
+typedef struct NSSLOWCERTCertificateStr NSSLOWCERTCertificate;
+typedef struct NSSLOWCERTCertificateListStr NSSLOWCERTCertificateList;
+typedef struct NSSLOWCERTIssuerAndSNStr NSSLOWCERTIssuerAndSN;
+typedef struct NSSLOWCERTSignedDataStr NSSLOWCERTSignedData;
+typedef struct NSSLOWCERTSubjectPublicKeyInfoStr NSSLOWCERTSubjectPublicKeyInfo;
+typedef struct NSSLOWCERTValidityStr NSSLOWCERTValidity;
+
+/*
+** An X.509 validity object
+*/
+struct NSSLOWCERTValidityStr {
+ PLArenaPool *arena;
+ SECItem notBefore;
+ SECItem notAfter;
+};
+
+/*
+ * A serial number and issuer name, which is used as a database key
+ */
+struct NSSLOWCERTCertKeyStr {
+ SECItem serialNumber;
+ SECItem derIssuer;
+};
+
+/*
+** A signed data object. Used to implement the "signed" macro used
+** in the X.500 specs.
+*/
+struct NSSLOWCERTSignedDataStr {
+ SECItem data;
+ SECAlgorithmID signatureAlgorithm;
+ SECItem signature;
+};
+
+/*
+** An X.509 subject-public-key-info object
+*/
+struct NSSLOWCERTSubjectPublicKeyInfoStr {
+ PLArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem subjectPublicKey;
+};
+
+typedef struct _certDBEntryCert certDBEntryCert;
+typedef struct _certDBEntryRevocation certDBEntryRevocation;
+
+struct NSSLOWCERTCertTrustStr {
+ unsigned int sslFlags;
+ unsigned int emailFlags;
+ unsigned int objectSigningFlags;
+};
+
+/*
+** PKCS11 Trust representation
+*/
+struct NSSLOWCERTTrustStr {
+ NSSLOWCERTTrust *next;
+ NSSLOWCERTCertDBHandle *dbhandle;
+ SECItem dbKey; /* database key for this cert */
+ certDBEntryCert *dbEntry; /* database entry struct */
+ NSSLOWCERTCertTrust *trust;
+ SECItem *derCert; /* original DER for the cert */
+ unsigned char dbKeySpace[512];
+};
+
+/*
+** An X.509 certificate object (the unsigned form)
+*/
+struct NSSLOWCERTCertificateStr {
+ /* the arena is used to allocate any data structures that have the same
+ * lifetime as the cert. This is all stuff that hangs off of the cert
+ * structure, and is all freed at the same time. I is used when the
+ * cert is decoded, destroyed, and at some times when it changes
+ * state
+ */
+ NSSLOWCERTCertificate *next;
+ NSSLOWCERTCertDBHandle *dbhandle;
+
+ SECItem derCert; /* original DER for the cert */
+ SECItem derIssuer; /* DER for issuer name */
+ SECItem derSN;
+ SECItem serialNumber;
+ SECItem derSubject; /* DER for subject name */
+ SECItem derSubjKeyInfo;
+ NSSLOWCERTSubjectPublicKeyInfo *subjectPublicKeyInfo;
+ SECItem certKey; /* database key for this cert */
+ SECItem validity;
+ certDBEntryCert *dbEntry; /* database entry struct */
+ SECItem subjectKeyID; /* x509v3 subject key identifier */
+ SECItem extensions;
+ char *nickname;
+ char *emailAddr;
+ NSSLOWCERTCertTrust *trust;
+
+ /* the reference count is modified whenever someone looks up, dups
+ * or destroys a certificate
+ */
+ int referenceCount;
+
+ char nicknameSpace[200];
+ char emailAddrSpace[200];
+ unsigned char certKeySpace[512];
+};
+
+#define SEC_CERTIFICATE_VERSION_1 0 /* default created */
+#define SEC_CERTIFICATE_VERSION_2 1 /* v2 */
+#define SEC_CERTIFICATE_VERSION_3 2 /* v3 extensions */
+
+#define SEC_CRL_VERSION_1 0 /* default */
+#define SEC_CRL_VERSION_2 1 /* v2 extensions */
+
+#define NSS_MAX_LEGACY_DB_KEY_SIZE (60 * 1024)
+
+struct NSSLOWCERTIssuerAndSNStr {
+ SECItem derIssuer;
+ SECItem serialNumber;
+};
+
+typedef SECStatus (*NSSLOWCERTCertCallback)(NSSLOWCERTCertificate *cert, void *arg);
+
+/* This is the typedef for the callback passed to nsslowcert_OpenCertDB() */
+/* callback to return database name based on version number */
+typedef char *(*NSSLOWCERTDBNameFunc)(void *arg, int dbVersion);
+
+/* XXX Lisa thinks the template declarations belong in cert.h, not here? */
+
+#include "secasn1t.h" /* way down here because I expect template stuff to
+ * move out of here anyway */
+
+/*
+ * Certificate Database related definitions and data structures
+ */
+
+/* version number of certificate database */
+#define CERT_DB_FILE_VERSION 8
+#define CERT_DB_V7_FILE_VERSION 7
+#define CERT_DB_CONTENT_VERSION 2
+
+#define SEC_DB_ENTRY_HEADER_LEN 3
+#define SEC_DB_KEY_HEADER_LEN 1
+
+/* All database entries have this form:
+ *
+ * byte offset field
+ * ----------- -----
+ * 0 version
+ * 1 type
+ * 2 flags
+ */
+
+/* database entry types */
+typedef enum {
+ certDBEntryTypeVersion = 0,
+ certDBEntryTypeCert = 1,
+ certDBEntryTypeNickname = 2,
+ certDBEntryTypeSubject = 3,
+ certDBEntryTypeRevocation = 4,
+ certDBEntryTypeKeyRevocation = 5,
+ certDBEntryTypeSMimeProfile = 6,
+ certDBEntryTypeContentVersion = 7,
+ certDBEntryTypeBlob = 8
+} certDBEntryType;
+
+typedef struct {
+ certDBEntryType type;
+ unsigned int version;
+ unsigned int flags;
+ PLArenaPool *arena;
+} certDBEntryCommon;
+
+/*
+ * Certificate entry:
+ *
+ * byte offset field
+ * ----------- -----
+ * 0 sslFlags-msb
+ * 1 sslFlags-lsb
+ * 2 emailFlags-msb
+ * 3 emailFlags-lsb
+ * 4 objectSigningFlags-msb
+ * 5 objectSigningFlags-lsb
+ * 6 derCert-len-msb
+ * 7 derCert-len-lsb
+ * 8 nickname-len-msb
+ * 9 nickname-len-lsb
+ * ... derCert
+ * ... nickname
+ *
+ * NOTE: the nickname string as stored in the database is null terminated,
+ * in other words, the last byte of the db entry is always 0
+ * if a nickname is present.
+ * NOTE: if nickname is not present, then nickname-len-msb and
+ * nickname-len-lsb will both be zero.
+ */
+struct _certDBEntryCert {
+ certDBEntryCommon common;
+ certDBEntryCert *next;
+ NSSLOWCERTCertTrust trust;
+ SECItem derCert;
+ char *nickname;
+ char nicknameSpace[200];
+ unsigned char derCertSpace[2048];
+};
+
+/*
+ * Certificate Nickname entry:
+ *
+ * byte offset field
+ * ----------- -----
+ * 0 subjectname-len-msb
+ * 1 subjectname-len-lsb
+ * 2... subjectname
+ *
+ * The database key for this type of entry is a nickname string
+ * The "subjectname" value is the DER encoded DN of the identity
+ * that matches this nickname.
+ */
+typedef struct {
+ certDBEntryCommon common;
+ char *nickname;
+ SECItem subjectName;
+} certDBEntryNickname;
+
+#define DB_NICKNAME_ENTRY_HEADER_LEN 2
+
+/*
+ * Certificate Subject entry:
+ *
+ * byte offset field
+ * ----------- -----
+ * 0 ncerts-msb
+ * 1 ncerts-lsb
+ * 2 nickname-msb
+ * 3 nickname-lsb
+ * 4 emailAddr-msb
+ * 5 emailAddr-lsb
+ * ... nickname
+ * ... emailAddr
+ * ...+2*i certkey-len-msb
+ * ...+1+2*i certkey-len-lsb
+ * ...+2*ncerts+2*i keyid-len-msb
+ * ...+1+2*ncerts+2*i keyid-len-lsb
+ * ... certkeys
+ * ... keyids
+ *
+ * The database key for this type of entry is the DER encoded subject name
+ * The "certkey" value is an array of certificate database lookup keys that
+ * points to the database entries for the certificates that matche
+ * this subject.
+ *
+ */
+typedef struct _certDBEntrySubject {
+ certDBEntryCommon common;
+ SECItem derSubject;
+ unsigned int ncerts;
+ char *nickname;
+ SECItem *certKeys;
+ SECItem *keyIDs;
+ char **emailAddrs;
+ unsigned int nemailAddrs;
+} certDBEntrySubject;
+
+#define DB_SUBJECT_ENTRY_HEADER_LEN 6
+
+/*
+ * Certificate SMIME profile entry:
+ *
+ * byte offset field
+ * ----------- -----
+ * 0 subjectname-len-msb
+ * 1 subjectname-len-lsb
+ * 2 smimeoptions-len-msb
+ * 3 smimeoptions-len-lsb
+ * 4 options-date-len-msb
+ * 5 options-date-len-lsb
+ * 6... subjectname
+ * ... smimeoptions
+ * ... options-date
+ *
+ * The database key for this type of entry is the email address string
+ * The "subjectname" value is the DER encoded DN of the identity
+ * that matches this nickname.
+ * The "smimeoptions" value is a string that represents the algorithm
+ * capabilities on the remote user.
+ * The "options-date" is the date that the smime options value was created.
+ * This is generally the signing time of the signed message that contained
+ * the options. It is a UTCTime value.
+ */
+typedef struct {
+ certDBEntryCommon common;
+ char *emailAddr;
+ SECItem subjectName;
+ SECItem smimeOptions;
+ SECItem optionsDate;
+} certDBEntrySMime;
+
+#define DB_SMIME_ENTRY_HEADER_LEN 6
+
+/*
+ * Crl/krl entry:
+ *
+ * byte offset field
+ * ----------- -----
+ * 0 derCert-len-msb
+ * 1 derCert-len-lsb
+ * 2 url-len-msb
+ * 3 url-len-lsb
+ * ... derCert
+ * ... url
+ *
+ * NOTE: the url string as stored in the database is null terminated,
+ * in other words, the last byte of the db entry is always 0
+ * if a nickname is present.
+ * NOTE: if url is not present, then url-len-msb and
+ * url-len-lsb will both be zero.
+ */
+#define DB_CRL_ENTRY_HEADER_LEN 4
+struct _certDBEntryRevocation {
+ certDBEntryCommon common;
+ SECItem derCrl;
+ char *url; /* where to load the crl from */
+};
+
+/*
+ * Database Version Entry:
+ *
+ * byte offset field
+ * ----------- -----
+ * only the low level header...
+ *
+ * The database key for this type of entry is the string "Version"
+ */
+typedef struct {
+ certDBEntryCommon common;
+} certDBEntryVersion;
+
+#define SEC_DB_VERSION_KEY "Version"
+#define SEC_DB_VERSION_KEY_LEN sizeof(SEC_DB_VERSION_KEY)
+
+/*
+ * Database Content Version Entry:
+ *
+ * byte offset field
+ * ----------- -----
+ * 0 contentVersion
+ *
+ * The database key for this type of entry is the string "ContentVersion"
+ */
+typedef struct {
+ certDBEntryCommon common;
+ char contentVersion;
+} certDBEntryContentVersion;
+
+#define SEC_DB_CONTENT_VERSION_KEY "ContentVersion"
+#define SEC_DB_CONTENT_VERSION_KEY_LEN sizeof(SEC_DB_CONTENT_VERSION_KEY)
+
+typedef union {
+ certDBEntryCommon common;
+ certDBEntryCert cert;
+ certDBEntryContentVersion content;
+ certDBEntryNickname nickname;
+ certDBEntryRevocation revocation;
+ certDBEntrySMime smime;
+ certDBEntrySubject subject;
+ certDBEntryVersion version;
+} certDBEntry;
+
+/* length of the fixed part of a database entry */
+#define DBCERT_V4_HEADER_LEN 7
+#define DB_CERT_V5_ENTRY_HEADER_LEN 7
+#define DB_CERT_V6_ENTRY_HEADER_LEN 7
+#define DB_CERT_ENTRY_HEADER_LEN 10
+
+/* common flags for all types of certificates */
+#define CERTDB_TERMINAL_RECORD (1u << 0)
+#define CERTDB_TRUSTED (1u << 1)
+#define CERTDB_SEND_WARN (1u << 2)
+#define CERTDB_VALID_CA (1u << 3)
+#define CERTDB_TRUSTED_CA (1u << 4) /* trusted for issuing server certs */
+#define CERTDB_NS_TRUSTED_CA (1u << 5)
+#define CERTDB_USER (1u << 6)
+#define CERTDB_TRUSTED_CLIENT_CA (1u << 7) /* trusted for issuing client certs */
+#define CERTDB_INVISIBLE_CA (1u << 8) /* don't show in UI */
+#define CERTDB_GOVT_APPROVED_CA (1u << 9) /* can do strong crypto in export ver */
+#define CERTDB_MUST_VERIFY (1u << 10) /* explicitly don't trust this cert */
+#define CERTDB_TRUSTED_UNKNOWN (1u << 11) /* accept trust from another source */
+
+/* bits not affected by the CKO_NETSCAPE_TRUST object */
+#define CERTDB_PRESERVE_TRUST_BITS (CERTDB_USER | \
+ CERTDB_NS_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | \
+ CERTDB_GOVT_APPROVED_CA)
+
+#endif /* _PCERTT_H_ */
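Review bot: The comment block describing the Crl/krl entry layout is inconsistent with the struct it documents: the byte-offset table labels the first length field `derCert-len` while the struct member is `derCrl`, and the NOTE says the trailing zero byte is present "if a nickname is present" although the only string in this entry is `url`. Since decoders of this on-disk format are written against this table, I would correct the two labels to `derCrl-len-msb` / `derCrl-len-lsb` and reword the note as `/* NOTE: the url string as stored in the database is null terminated, in other words, the last byte of the db entry is always 0 if a url is present. */`. Nearby, the Subject entry comment has the typo "certificates that matche this subject" → "match". These are documentation-only fixes; no layout change is implied.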
diff --git a/security/nss/lib/softoken/legacydb/pk11db.c b/security/nss/lib/softoken/legacydb/pk11db.c
new file mode 100644
index 0000000000..a7421c83d3
--- /dev/null
+++ b/security/nss/lib/softoken/legacydb/pk11db.c
@@ -0,0 +1,731 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+
+#include "lgdb.h"
+#include "mcom_db.h"
+#include "secerr.h"
+#include "utilpars.h"
+
+#define FREE_CLEAR(p) \
+ if (p) { \
+ PORT_Free(p); \
+ p = NULL; \
+ }
+
+/* Construct a database key for a given module */
+static SECStatus
+lgdb_MakeKey(DBT *key, char *module)
+{
+ int len = 0;
+ char *commonName;
+
+ commonName = NSSUTIL_ArgGetParamValue("name", module);
+ if (commonName == NULL) {
+ commonName = NSSUTIL_ArgGetParamValue("library", module);
+ }
+ if (commonName == NULL)
+ return SECFailure;
+ len = PORT_Strlen(commonName);
+ key->data = commonName;
+ key->size = len;
+ return SECSuccess;
+}
+
+/* free out constructed database key */
+static void
+lgdb_FreeKey(DBT *key)
+{
+ if (key->data) {
+ PORT_Free(key->data);
+ }
+ key->data = NULL;
+ key->size = 0;
+}
+
+typedef struct lgdbDataStr lgdbData;
+typedef struct lgdbSlotDataStr lgdbSlotData;
+struct lgdbDataStr {
+ unsigned char major;
+ unsigned char minor;
+ unsigned char nameStart[2];
+ unsigned char slotOffset[2];
+ unsigned char internal;
+ unsigned char fips;
+ unsigned char ssl[8];
+ unsigned char trustOrder[4];
+ unsigned char cipherOrder[4];
+ unsigned char reserved1;
+ unsigned char isModuleDB;
+ unsigned char isModuleDBOnly;
+ unsigned char isCritical;
+ unsigned char reserved[4];
+ unsigned char names[6]; /* enough space for the length fields */
+};
+
+struct lgdbSlotDataStr {
+ unsigned char slotID[4];
+ unsigned char defaultFlags[4];
+ unsigned char timeout[4];
+ unsigned char askpw;
+ unsigned char hasRootCerts;
+ unsigned char reserved[18]; /* this makes it a round 32 bytes */
+};
+
+#define LGDB_DB_VERSION_MAJOR 0
+#define LGDB_DB_VERSION_MINOR 6
+#define LGDB_DB_EXT1_VERSION_MAJOR 0
+#define LGDB_DB_EXT1_VERSION_MINOR 6
+#define LGDB_DB_NOUI_VERSION_MAJOR 0
+#define LGDB_DB_NOUI_VERSION_MINOR 4
+
+#define LGDB_PUTSHORT(dest, src) \
+ (dest)[1] = (unsigned char)((src)&0xff); \
+ (dest)[0] = (unsigned char)(((src) >> 8) & 0xff);
+#define LGDB_PUTLONG(dest, src) \
+ (dest)[3] = (unsigned char)((src)&0xff); \
+ (dest)[2] = (unsigned char)(((src) >> 8) & 0xff); \
+ (dest)[1] = (unsigned char)(((src) >> 16) & 0xff); \
+ (dest)[0] = (unsigned char)(((src) >> 24) & 0xff);
+#define LGDB_GETSHORT(src) \
+ ((unsigned short)(((src)[0] << 8) | (src)[1]))
+#define LGDB_GETLONG(src) \
+ ((unsigned long)(((unsigned long)(src)[0] << 24) | \
+ ((unsigned long)(src)[1] << 16) | \
+ ((unsigned long)(src)[2] << 8) | \
+ (unsigned long)(src)[3]))
+
+/*
+ * build a data base entry from a module
+ */
+static SECStatus
+lgdb_EncodeData(DBT *data, char *module)
+{
+ lgdbData *encoded = NULL;
+ lgdbSlotData *slot;
+ unsigned char *dataPtr, *offsetPtr;
+ unsigned short len, len2 = 0, len3 = 0;
+ int count = 0;
+ unsigned short offset;
+ int dataLen, i;
+ unsigned long order;
+ unsigned long ssl[2];
+ char *commonName = NULL, *dllName = NULL, *param = NULL, *nss = NULL;
+ char *slotParams, *ciphers;
+ struct NSSUTILPreSlotInfoStr *slotInfo = NULL;
+ SECStatus rv = SECFailure;
+
+ rv = NSSUTIL_ArgParseModuleSpec(module, &dllName, &commonName, &param, &nss);
+ if (rv != SECSuccess)
+ return rv;
+ rv = SECFailure;
+
+ if (commonName == NULL) {
+ /* set error */
+ goto loser;
+ }
+
+ len = PORT_Strlen(commonName);
+ if (dllName) {
+ len2 = PORT_Strlen(dllName);
+ }
+ if (param) {
+ len3 = PORT_Strlen(param);
+ }
+
+ slotParams = NSSUTIL_ArgGetParamValue("slotParams", nss);
+ slotInfo = NSSUTIL_ArgParseSlotInfo(NULL, slotParams, &count);
+ if (slotParams)
+ PORT_Free(slotParams);
+
+ if (count && slotInfo == NULL) {
+ /* set error */
+ goto loser;
+ }
+
+ dataLen = sizeof(lgdbData) + len + len2 + len3 + sizeof(unsigned short) +
+ count * sizeof(lgdbSlotData);
+
+ data->data = (unsigned char *)PORT_ZAlloc(dataLen);
+ encoded = (lgdbData *)data->data;
+ dataPtr = (unsigned char *)data->data;
+ data->size = dataLen;
+
+ if (encoded == NULL) {
+ /* set error */
+ goto loser;
+ }
+
+ encoded->major = LGDB_DB_VERSION_MAJOR;
+ encoded->minor = LGDB_DB_VERSION_MINOR;
+ encoded->internal = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "internal", nss) ? 1 : 0);
+ encoded->fips = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "FIPS", nss) ? 1 : 0);
+ encoded->isModuleDB = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "isModuleDB", nss) ? 1 : 0);
+ encoded->isModuleDBOnly = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "isModuleDBOnly", nss) ? 1 : 0);
+ encoded->isCritical = (unsigned char)(NSSUTIL_ArgHasFlag("flags", "critical", nss) ? 1 : 0);
+
+ order = NSSUTIL_ArgReadLong("trustOrder", nss,
+ NSSUTIL_DEFAULT_TRUST_ORDER, NULL);
+ LGDB_PUTLONG(encoded->trustOrder, order);
+ order = NSSUTIL_ArgReadLong("cipherOrder", nss,
+ NSSUTIL_DEFAULT_CIPHER_ORDER, NULL);
+ LGDB_PUTLONG(encoded->cipherOrder, order);
+
+ ciphers = NSSUTIL_ArgGetParamValue("ciphers", nss);
+ NSSUTIL_ArgParseCipherFlags(&ssl[0], ciphers);
+ LGDB_PUTLONG(encoded->ssl, ssl[0]);
+ LGDB_PUTLONG(&encoded->ssl[4], ssl[1]);
+ if (ciphers)
+ PORT_Free(ciphers);
+
+ offset = (unsigned short)offsetof(lgdbData, names);
+ LGDB_PUTSHORT(encoded->nameStart, offset);
+ offset = offset + len + len2 + len3 + 3 * sizeof(unsigned short);
+ LGDB_PUTSHORT(encoded->slotOffset, offset);
+
+ LGDB_PUTSHORT(&dataPtr[offset], ((unsigned short)count));
+ slot = (lgdbSlotData *)(dataPtr + offset + sizeof(unsigned short));
+
+ offsetPtr = encoded->names;
+ LGDB_PUTSHORT(encoded->names, len);
+ offsetPtr += sizeof(unsigned short);
+ PORT_Memcpy(offsetPtr, commonName, len);
+ offsetPtr += len;
+
+ LGDB_PUTSHORT(offsetPtr, len2);
+ offsetPtr += sizeof(unsigned short);
+ if (len2) {
+ PORT_Memcpy(offsetPtr, dllName, len2);
+ }
+ offsetPtr += len2;
+
+ LGDB_PUTSHORT(offsetPtr, len3);
+ offsetPtr += sizeof(unsigned short);
+ if (len3) {
+ PORT_Memcpy(offsetPtr, param, len3);
+ }
+ offsetPtr += len3;
+
+ if (count) {
+ for (i = 0; i < count; i++) {
+ LGDB_PUTLONG(slot[i].slotID, slotInfo[i].slotID);
+ LGDB_PUTLONG(slot[i].defaultFlags,
+ slotInfo[i].defaultFlags);
+ LGDB_PUTLONG(slot[i].timeout, slotInfo[i].timeout);
+ slot[i].askpw = slotInfo[i].askpw;
+ slot[i].hasRootCerts = slotInfo[i].hasRootCerts;
+ PORT_Memset(slot[i].reserved, 0, sizeof(slot[i].reserved));
+ }
+ }
+ rv = SECSuccess;
+
+loser:
+ if (commonName)
+ PORT_Free(commonName);
+ if (dllName)
+ PORT_Free(dllName);
+ if (param)
+ PORT_Free(param);
+ if (slotInfo)
+ PORT_Free(slotInfo);
+ if (nss)
+ PORT_Free(nss);
+ return rv;
+}
+
+static void
+lgdb_FreeData(DBT *data)
+{
+ if (data->data) {
+ PORT_Free(data->data);
+ }
+}
+
+static void
+lgdb_FreeSlotStrings(char **slotStrings, int count)
+{
+ int i;
+
+ for (i = 0; i < count; i++) {
+ if (slotStrings[i]) {
+ PR_smprintf_free(slotStrings[i]);
+ slotStrings[i] = NULL;
+ }
+ }
+}
+
+/*
+ * build a module from the data base entry.
+ */
+static char *
+lgdb_DecodeData(char *defParams, DBT *data, PRBool *retInternal)
+{
+ lgdbData *encoded;
+ lgdbSlotData *slots;
+ PLArenaPool *arena;
+ char *commonName = NULL;
+ char *dllName = NULL;
+ char *parameters = NULL;
+ char *nss;
+ char *moduleSpec;
+ char **slotStrings = NULL;
+ unsigned char *names;
+ unsigned long slotCount;
+ unsigned long ssl0 = 0;
+ unsigned long ssl1 = 0;
+ unsigned long slotID;
+ unsigned long defaultFlags;
+ unsigned long timeout;
+ unsigned long trustOrder = NSSUTIL_DEFAULT_TRUST_ORDER;
+ unsigned long cipherOrder = NSSUTIL_DEFAULT_CIPHER_ORDER;
+ unsigned short len;
+ unsigned short namesOffset = 0; /* start of the names block */
+ unsigned long namesRunningOffset; /* offset to name we are
+ * currently processing */
+ unsigned short slotOffset;
+ PRBool isOldVersion = PR_FALSE;
+ PRBool internal;
+ PRBool isFIPS;
+ PRBool isModuleDB = PR_FALSE;
+ PRBool isModuleDBOnly = PR_FALSE;
+ PRBool extended = PR_FALSE;
+ int i;
+
+ arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ if (arena == NULL)
+ return NULL;
+
+#define CHECK_SIZE(x) \
+ if ((unsigned int)data->size < (unsigned int)(x)) \
+ goto db_loser
+
+ /* -------------------------------------------------------------
+ ** Process the buffer header, which is the lgdbData struct.
+ ** It may be an old or new version. Check the length for each.
+ */
+
+ CHECK_SIZE(offsetof(lgdbData, trustOrder[0]));
+
+ encoded = (lgdbData *)data->data;
+
+ internal = (encoded->internal != 0) ? PR_TRUE : PR_FALSE;
+ isFIPS = (encoded->fips != 0) ? PR_TRUE : PR_FALSE;
+
+ if (retInternal)
+ *retInternal = internal;
+ if (internal) {
+ parameters = PORT_ArenaStrdup(arena, defParams);
+ if (parameters == NULL)
+ goto loser;
+ }
+ if (internal && (encoded->major == LGDB_DB_NOUI_VERSION_MAJOR) &&
+ (encoded->minor <= LGDB_DB_NOUI_VERSION_MINOR)) {
+ isOldVersion = PR_TRUE;
+ }
+ if ((encoded->major == LGDB_DB_EXT1_VERSION_MAJOR) &&
+ (encoded->minor >= LGDB_DB_EXT1_VERSION_MINOR)) {
+ CHECK_SIZE(sizeof(lgdbData));
+ trustOrder = LGDB_GETLONG(encoded->trustOrder);
+ cipherOrder = LGDB_GETLONG(encoded->cipherOrder);
+ isModuleDB = (encoded->isModuleDB != 0) ? PR_TRUE : PR_FALSE;
+ isModuleDBOnly = (encoded->isModuleDBOnly != 0) ? PR_TRUE : PR_FALSE;
+ extended = PR_TRUE;
+ }
+ if (internal && !extended) {
+ trustOrder = 0;
+ cipherOrder = 100;
+ }
+ /* decode SSL cipher enable flags */
+ ssl0 = LGDB_GETLONG(encoded->ssl);
+ ssl1 = LGDB_GETLONG(encoded->ssl + 4);
+
+ slotOffset = LGDB_GETSHORT(encoded->slotOffset);
+ namesOffset = LGDB_GETSHORT(encoded->nameStart);
+
+ /*--------------------------------------------------------------
+ ** Now process the variable length set of names.
+ ** The names have this structure:
+ ** struct {
+ ** BYTE commonNameLen[ 2 ];
+ ** BYTE commonName [ commonNameLen ];
+ ** BTTE libNameLen [ 2 ];
+ ** BYTE libName [ libNameLen ];
+ ** If it is "extended" it also has these members:
+ ** BYTE initStringLen[ 2 ];
+ ** BYTE initString [ initStringLen ];
+ ** }
+ */
+
+ namesRunningOffset = namesOffset;
+ /* copy the module's common name */
+ CHECK_SIZE(namesRunningOffset + 2);
+ names = (unsigned char *)data->data;
+ len = LGDB_GETSHORT(names + namesRunningOffset);
+
+ CHECK_SIZE(namesRunningOffset + 2 + len);
+ commonName = (char *)PORT_ArenaAlloc(arena, len + 1);
+ if (commonName == NULL)
+ goto loser;
+ PORT_Memcpy(commonName, names + namesRunningOffset + 2, len);
+ commonName[len] = 0;
+ namesRunningOffset += len + 2;
+
+ /* copy the module's shared library file name. */
+ CHECK_SIZE(namesRunningOffset + 2);
+ len = LGDB_GETSHORT(names + namesRunningOffset);
+ if (len) {
+ CHECK_SIZE(namesRunningOffset + 2 + len);
+ dllName = (char *)PORT_ArenaAlloc(arena, len + 1);
+ if (dllName == NULL)
+ goto loser;
+ PORT_Memcpy(dllName, names + namesRunningOffset + 2, len);
+ dllName[len] = 0;
+ }
+ namesRunningOffset += len + 2;
+
+ /* copy the module's initialization string, if present. */
+ if (!internal && extended) {
+ CHECK_SIZE(namesRunningOffset + 2);
+ len = LGDB_GETSHORT(names + namesRunningOffset);
+ if (len) {
+ CHECK_SIZE(namesRunningOffset + 2 + len);
+ parameters = (char *)PORT_ArenaAlloc(arena, len + 1);
+ if (parameters == NULL)
+ goto loser;
+ PORT_Memcpy(parameters, names + namesRunningOffset + 2, len);
+ parameters[len] = 0;
+ }
+ namesRunningOffset += len + 2;
+ }
+
+ /*
+ * Consistency check: Make sure the slot and names blocks don't
+ * overlap. These blocks can occur in any order, so this check is made
+ * in 2 parts. First we check the case where the slot block starts
+ * after the name block. Later, when we have the slot block length,
+ * we check the case where slot block starts before the name block.
+ * NOTE: in most cases any overlap will likely be detected by invalid
+ * data read from the blocks, but it's better to find out sooner
+ * than later.
+ */
+ if (slotOffset >= namesOffset) { /* slot block starts after name block */
+ if (slotOffset < namesRunningOffset) {
+ goto db_loser;
+ }
+ }
+
+ /* ------------------------------------------------------------------
+ ** Part 3, process the slot table.
+ ** This part has this structure:
+ ** struct {
+ ** BYTE slotCount [ 2 ];
+ ** lgdbSlotData [ slotCount ];
+ ** {
+ */
+
+ CHECK_SIZE(slotOffset + 2);
+ slotCount = LGDB_GETSHORT((unsigned char *)data->data + slotOffset);
+
+ /*
+ * Consistency check: Part 2. We now have the slot block length, we can
+ * check the case where the slotblock procedes the name block.
+ */
+ if (slotOffset < namesOffset) { /* slot block starts before name block */
+ if (namesOffset < slotOffset + 2 + slotCount * sizeof(lgdbSlotData)) {
+ goto db_loser;
+ }
+ }
+
+ CHECK_SIZE((slotOffset + 2 + slotCount * sizeof(lgdbSlotData)));
+ slots = (lgdbSlotData *)((unsigned char *)data->data + slotOffset + 2);
+
+ /* slotCount; */
+ slotStrings = (char **)PORT_ArenaZAlloc(arena, slotCount * sizeof(char *));
+ if (slotStrings == NULL)
+ goto loser;
+ for (i = 0; i < (int)slotCount; i++, slots++) {
+ PRBool hasRootCerts = PR_FALSE;
+ PRBool hasRootTrust = PR_FALSE;
+ slotID = LGDB_GETLONG(slots->slotID);
+ defaultFlags = LGDB_GETLONG(slots->defaultFlags);
+ timeout = LGDB_GETLONG(slots->timeout);
+ hasRootCerts = slots->hasRootCerts;
+ if (isOldVersion && internal && (slotID != 2)) {
+ unsigned long internalFlags =
+ NSSUTIL_ArgParseSlotFlags("slotFlags",
+ NSSUTIL_DEFAULT_SFTKN_FLAGS);
+ defaultFlags |= internalFlags;
+ }
+ if (hasRootCerts && !extended) {
+ trustOrder = 100;
+ }
+
+ slotStrings[i] = NSSUTIL_MkSlotString(slotID, defaultFlags, timeout,
+ (unsigned char)slots->askpw,
+ hasRootCerts, hasRootTrust);
+ if (slotStrings[i] == NULL) {
+ lgdb_FreeSlotStrings(slotStrings, i);
+ goto loser;
+ }
+ }
+
+ nss = NSSUTIL_MkNSSString(slotStrings, slotCount, internal, isFIPS,
+ isModuleDB, isModuleDBOnly, internal, trustOrder,
+ cipherOrder, ssl0, ssl1);
+ lgdb_FreeSlotStrings(slotStrings, slotCount);
+ /* it's permissible (and normal) for nss to be NULL. it simply means
+ * there are no NSS specific parameters in the database */
+ moduleSpec = NSSUTIL_MkModuleSpec(dllName, commonName, parameters, nss);
+ PR_smprintf_free(nss);
+ PORT_FreeArena(arena, PR_TRUE);
+ return moduleSpec;
+
+db_loser:
+ PORT_SetError(SEC_ERROR_BAD_DATABASE);
+loser:
+ PORT_FreeArena(arena, PR_TRUE);
+ return NULL;
+}
+
+static DB *
+lgdb_OpenDB(const char *appName, const char *filename, const char *dbName,
+ PRBool readOnly, PRBool update)
+{
+ DB *pkcs11db = NULL;
+
+ if (appName) {
+ char *secname = PORT_Strdup(filename);
+ int len = strlen(secname);
+ int status = RDB_FAIL;
+
+ if (len >= 3 && PORT_Strcmp(&secname[len - 3], ".db") == 0) {
+ secname[len - 3] = 0;
+ }
+ pkcs11db =
+ rdbopen(appName, "", secname, readOnly ? NO_RDONLY : NO_RDWR, NULL);
+ if (update && !pkcs11db) {
+ DB *updatedb;
+
+ pkcs11db = rdbopen(appName, "", secname, NO_CREATE, &status);
+ if (!pkcs11db) {
+ if (status == RDB_RETRY) {
+ pkcs11db = rdbopen(appName, "", secname,
+ readOnly ? NO_RDONLY : NO_RDWR, NULL);
+ }
+ PORT_Free(secname);
+ return pkcs11db;
+ }
+ updatedb = dbopen(dbName, NO_RDONLY, 0600, DB_HASH, 0);
+ if (updatedb) {
+ db_Copy(pkcs11db, updatedb);
+ (*updatedb->close)(updatedb);
+ } else {
+ (*pkcs11db->close)(pkcs11db);
+ PORT_Free(secname);
+ return NULL;
+ }
+ }
+ PORT_Free(secname);
+ return pkcs11db;
+ }
+
+ /* I'm sure we should do more checks here sometime... */
+ pkcs11db = dbopen(dbName, readOnly ? NO_RDONLY : NO_RDWR, 0600, DB_HASH, 0);
+
+ /* didn't exist? create it */
+ if (pkcs11db == NULL) {
+ if (readOnly)
+ return NULL;
+
+ pkcs11db = dbopen(dbName, NO_CREATE, 0600, DB_HASH, 0);
+ if (pkcs11db)
+ (*pkcs11db->sync)(pkcs11db, 0);
+ }
+ return pkcs11db;
+}
+
+static void
+lgdb_CloseDB(DB *pkcs11db)
+{
+ (*pkcs11db->close)(pkcs11db);
+}
+
+SECStatus legacy_AddSecmodDB(const char *appName, const char *filename,
+ const char *dbname, char *module, PRBool rw);
+
+#define LGDB_STEP 10
+/*
+ * Read all the existing modules in
+ */
+char **
+legacy_ReadSecmodDB(const char *appName, const char *filename,
+ const char *dbname, char *params, PRBool rw)
+{
+ DBT key, data;
+ int ret;
+ DB *pkcs11db = NULL;
+ char **moduleList = NULL, **newModuleList = NULL;
+ int moduleCount = 1;
+ int useCount = LGDB_STEP;
+
+ moduleList = (char **)PORT_ZAlloc(useCount * sizeof(char **));
+ if (moduleList == NULL)
+ return NULL;
+
+ pkcs11db = lgdb_OpenDB(appName, filename, dbname, PR_TRUE, rw);
+ if (pkcs11db == NULL)
+ goto done;
+
+ /* read and parse the file or data base */
+ ret = (*pkcs11db->seq)(pkcs11db, &key, &data, R_FIRST);
+ if (ret)
+ goto done;
+
+ do {
+ char *moduleString;
+ PRBool internal = PR_FALSE;
+ if ((moduleCount + 1) >= useCount) {
+ useCount += LGDB_STEP;
+ newModuleList =
+ (char **)PORT_Realloc(moduleList, useCount * sizeof(char *));
+ if (newModuleList == NULL)
+ goto done;
+ moduleList = newModuleList;
+ PORT_Memset(&moduleList[moduleCount + 1], 0,
+ sizeof(char *) * LGDB_STEP);
+ }
+ moduleString = lgdb_DecodeData(params, &data, &internal);
+ if (internal) {
+ moduleList[0] = moduleString;
+ } else {
+ moduleList[moduleCount] = moduleString;
+ moduleCount++;
+ }
+ } while ((*pkcs11db->seq)(pkcs11db, &key, &data, R_NEXT) == 0);
+
+done:
+ if (!moduleList[0]) {
+ char *newparams = NSSUTIL_Quote(params, '"');
+ if (newparams) {
+ moduleList[0] = PR_smprintf(
+ NSSUTIL_DEFAULT_INTERNAL_INIT1 "%s" NSSUTIL_DEFAULT_INTERNAL_INIT2 "%s" NSSUTIL_DEFAULT_INTERNAL_INIT3,
+ newparams, NSSUTIL_DEFAULT_SFTKN_FLAGS);
+ PORT_Free(newparams);
+ }
+ }
+ /* deal with trust cert db here */
+
+ if (pkcs11db) {
+ lgdb_CloseDB(pkcs11db);
+ } else if (moduleList[0] && rw) {
+ legacy_AddSecmodDB(appName, filename, dbname, moduleList[0], rw);
+ }
+ if (!moduleList[0]) {
+ PORT_Free(moduleList);
+ moduleList = NULL;
+ }
+ return moduleList;
+}
+
+SECStatus
+legacy_ReleaseSecmodDBData(const char *appName, const char *filename,
+ const char *dbname, char **moduleSpecList, PRBool rw)
+{
+ if (moduleSpecList) {
+ char **index;
+ for (index = moduleSpecList; *index; index++) {
+ PR_smprintf_free(*index);
+ }
+ PORT_Free(moduleSpecList);
+ }
+ return SECSuccess;
+}
+
+/*
+ * Delete a module from the Data Base
+ */
+SECStatus
+legacy_DeleteSecmodDB(const char *appName, const char *filename,
+ const char *dbname, char *args, PRBool rw)
+{
+ DBT key;
+ SECStatus rv = SECFailure;
+ DB *pkcs11db = NULL;
+ int ret;
+
+ if (!rw)
+ return SECFailure;
+
+ /* make sure we have a db handle */
+ pkcs11db = lgdb_OpenDB(appName, filename, dbname, PR_FALSE, PR_FALSE);
+ if (pkcs11db == NULL) {
+ return SECFailure;
+ }
+
+ rv = lgdb_MakeKey(&key, args);
+ if (rv != SECSuccess)
+ goto done;
+ rv = SECFailure;
+ ret = (*pkcs11db->del)(pkcs11db, &key, 0);
+ lgdb_FreeKey(&key);
+ if (ret != 0)
+ goto done;
+
+ ret = (*pkcs11db->sync)(pkcs11db, 0);
+ if (ret == 0)
+ rv = SECSuccess;
+
+done:
+ lgdb_CloseDB(pkcs11db);
+ return rv;
+}
+
+/*
+ * Add a module to the Data base
+ */
+SECStatus
+legacy_AddSecmodDB(const char *appName, const char *filename,
+ const char *dbname, char *module, PRBool rw)
+{
+ DBT key, data;
+ SECStatus rv = SECFailure;
+ DB *pkcs11db = NULL;
+ int ret;
+
+ if (!rw)
+ return SECFailure;
+
+ /* make sure we have a db handle */
+ pkcs11db = lgdb_OpenDB(appName, filename, dbname, PR_FALSE, PR_FALSE);
+ if (pkcs11db == NULL) {
+ return SECFailure;
+ }
+
+ rv = lgdb_MakeKey(&key, module);
+ if (rv != SECSuccess)
+ goto done;
+ rv = lgdb_EncodeData(&data, module);
+ if (rv != SECSuccess) {
+ lgdb_FreeKey(&key);
+ goto done;
+ }
+ rv = SECFailure;
+ ret = (*pkcs11db->put)(pkcs11db, &key, &data, 0);
+ lgdb_FreeKey(&key);
+ lgdb_FreeData(&data);
+ if (ret != 0)
+ goto done;
+
+ ret = (*pkcs11db->sync)(pkcs11db, 0);
+ if (ret == 0)
+ rv = SECSuccess;
+
+done:
+ lgdb_CloseDB(pkcs11db);
+ return rv;
+}
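Review bot: In legacy_ReadSecmodDB a record that lgdb_DecodeData rejects (it returns NULL after setting SEC_ERROR_BAD_DATABASE) is still stored: the non-internal branch does `moduleList[moduleCount] = moduleString; moduleCount++;` without checking for NULL, so a single corrupt or truncated entry plants a NULL in the middle of the NULL-terminated list. Every consumer that walks to the first NULL — legacy_ReleaseSecmodDBData in this same file stops at `*index` — then silently drops all modules stored after it and leaks their strings. The guard is one line: change the else to `} else if (moduleString != NULL) {` so bad records are skipped rather than inserted, and the list stays properly terminated. It may also be worth noting in a comment that a failed decode is deliberately non-fatal here, since the error code set by lgdb_DecodeData is otherwise discarded.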
diff --git a/security/nss/lib/softoken/lgglue.c b/security/nss/lib/softoken/lgglue.c
new file mode 100644
index 0000000000..461e9a3cd2
--- /dev/null
+++ b/security/nss/lib/softoken/lgglue.c
@@ -0,0 +1,422 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+#include "sftkdb.h"
+#include "sftkdbti.h"
+#include "sdb.h"
+#include "prsystem.h"
+#include "prprf.h"
+#include "prenv.h"
+#include "lgglue.h"
+#include "secerr.h"
+#include "softoken.h"
+
+static LGOpenFunc legacy_glue_open = NULL;
+static LGReadSecmodFunc legacy_glue_readSecmod = NULL;
+static LGReleaseSecmodFunc legacy_glue_releaseSecmod = NULL;
+static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL;
+static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
+static LGShutdownFunc legacy_glue_shutdown = NULL;
+
+/*
+ * The following 3 functions duplicate the work done by bl_LoadLibrary.
+ * We should make bl_LoadLibrary a global and replace the call to
+ * sftkdb_LoadLibrary(const char *libname) with it.
+ */
+#ifdef XP_UNIX
+#include <unistd.h>
+#define LG_MAX_LINKS 20
+static char *
+sftkdb_resolvePath(const char *orig)
+{
+ int count = 0;
+ int len = 0;
+ int ret = -1;
+ char *resolved = NULL;
+ char *source = NULL;
+
+ len = 1025; /* MAX PATH +1*/
+ if (strlen(orig) + 1 > len) {
+ /* PATH TOO LONG */
+ return NULL;
+ }
+ resolved = PORT_Alloc(len);
+ if (!resolved) {
+ return NULL;
+ }
+ source = PORT_Alloc(len);
+ if (!source) {
+ goto loser;
+ }
+ PORT_Strcpy(source, orig);
+ /* Walk down all the links */
+ while (count++ < LG_MAX_LINKS) {
+ char *tmp;
+ /* swap our previous sorce out with resolved */
+ /* read it */
+ ret = readlink(source, resolved, len - 1);
+ if (ret < 0) {
+ break;
+ }
+ resolved[ret] = 0;
+ tmp = source;
+ source = resolved;
+ resolved = tmp;
+ }
+ if (count > 1) {
+ ret = 0;
+ }
+loser:
+ if (resolved) {
+ PORT_Free(resolved);
+ }
+ if (ret < 0) {
+ if (source) {
+ PORT_Free(source);
+ source = NULL;
+ }
+ }
+ return source;
+}
+
+#endif
+
+static PRLibrary *
+sftkdb_LoadFromPath(const char *path, const char *libname)
+{
+ char *c;
+ int pathLen, nameLen, fullPathLen;
+ char *fullPathName = NULL;
+ PRLibSpec libSpec;
+ PRLibrary *lib = NULL;
+
+ /* strip of our parent's library name */
+ c = strrchr(path, PR_GetDirectorySeparator());
+ if (!c) {
+ return NULL; /* invalid path */
+ }
+ pathLen = (c - path) + 1;
+ nameLen = strlen(libname);
+ fullPathLen = pathLen + nameLen + 1;
+ fullPathName = (char *)PORT_Alloc(fullPathLen);
+ if (fullPathName == NULL) {
+ return NULL; /* memory allocation error */
+ }
+ PORT_Memcpy(fullPathName, path, pathLen);
+ PORT_Memcpy(fullPathName + pathLen, libname, nameLen);
+ fullPathName[fullPathLen - 1] = 0;
+
+ libSpec.type = PR_LibSpec_Pathname;
+ libSpec.value.pathname = fullPathName;
+ lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
+ PORT_Free(fullPathName);
+ return lib;
+}
+
+static PRLibrary *
+sftkdb_LoadLibrary(const char *libname)
+{
+ PRLibrary *lib = NULL;
+ PRFuncPtr fn_addr;
+ char *parentLibPath = NULL;
+
+ fn_addr = (PRFuncPtr)&sftkdb_LoadLibrary;
+ parentLibPath = PR_GetLibraryFilePathname(SOFTOKEN_LIB_NAME, fn_addr);
+
+ if (!parentLibPath) {
+ goto done;
+ }
+
+ lib = sftkdb_LoadFromPath(parentLibPath, libname);
+#ifdef XP_UNIX
+ /* handle symbolic link case */
+ if (!lib) {
+ char *trueParentLibPath = sftkdb_resolvePath(parentLibPath);
+ if (!trueParentLibPath) {
+ goto done;
+ }
+ lib = sftkdb_LoadFromPath(trueParentLibPath, libname);
+ PORT_Free(trueParentLibPath);
+ }
+#endif
+
+done:
+ if (parentLibPath) {
+ PORT_Free(parentLibPath);
+ }
+
+ /* still couldn't load it, try the generic path */
+ if (!lib) {
+ PRLibSpec libSpec;
+ libSpec.type = PR_LibSpec_Pathname;
+ libSpec.value.pathname = libname;
+ lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
+ }
+
+ return lib;
+}
+
+/*
+ * stub files for legacy db's to be able to encrypt and decrypt
+ * various keys and attributes.
+ */
+static SECStatus
+sftkdb_encrypt_stub(PLArenaPool *arena, SDB *sdb, SECItem *plainText,
+ SECItem **cipherText)
+{
+ SFTKDBHandle *handle = sdb->app_private;
+ SECStatus rv;
+ SECItem *key;
+ int iterationCount;
+
+ if (handle == NULL) {
+ return SECFailure;
+ }
+
+ /* if we aren't the key handle, try the other handle */
+ if (handle->type != SFTK_KEYDB_TYPE) {
+ handle = handle->peerDB;
+ }
+
+ /* not a key handle */
+ if (handle == NULL || handle->passwordLock == NULL) {
+ return SECFailure;
+ }
+
+ PZ_Lock(handle->passwordLock);
+ if (handle->passwordKey.data == NULL) {
+ PZ_Unlock(handle->passwordLock);
+ /* PORT_SetError */
+ return SECFailure;
+ }
+ key = handle->newKey ? handle->newKey : &handle->passwordKey;
+ if (sftk_isLegacyIterationCountAllowed()) {
+ if (handle->newKey) {
+ iterationCount = handle->newDefaultIterationCount;
+ } else {
+ iterationCount = handle->defaultIterationCount;
+ }
+ } else {
+ iterationCount = 1;
+ }
+
+ rv = sftkdb_EncryptAttribute(arena, handle, sdb, key, iterationCount,
+ CK_INVALID_HANDLE, CKT_INVALID_TYPE,
+ plainText, cipherText);
+ PZ_Unlock(handle->passwordLock);
+
+ return rv;
+}
+
+/*
+ * stub files for legacy db's to be able to encrypt and decrypt
+ * various keys and attributes.
+ */
+static SECStatus
+sftkdb_decrypt_stub(SDB *sdb, SECItem *cipherText, SECItem **plainText)
+{
+ SFTKDBHandle *handle = sdb->app_private;
+ SECStatus rv;
+ SECItem *oldKey = NULL;
+
+ if (handle == NULL) {
+ return SECFailure;
+ }
+
+ /* if we aren't the key handle, try the other handle */
+ oldKey = handle->oldKey;
+ if (handle->type != SFTK_KEYDB_TYPE) {
+ handle = handle->peerDB;
+ }
+
+ /* not a key handle */
+ if (handle == NULL || handle->passwordLock == NULL) {
+ return SECFailure;
+ }
+
+ PZ_Lock(handle->passwordLock);
+ if (handle->passwordKey.data == NULL) {
+ PZ_Unlock(handle->passwordLock);
+ /* PORT_SetError */
+ return SECFailure;
+ }
+ rv = sftkdb_DecryptAttribute(NULL, oldKey ? oldKey : &handle->passwordKey,
+ CK_INVALID_HANDLE,
+ CKT_INVALID_TYPE,
+ cipherText, plainText);
+ PZ_Unlock(handle->passwordLock);
+
+ return rv;
+}
+
+static const char *LEGACY_LIB_NAME =
+ SHLIB_PREFIX "nssdbm" SHLIB_VERSION "." SHLIB_SUFFIX;
+/*
+ * 2 bools to tell us if we've check the legacy library successfully or
+ * not. Initialize on startup to false by the C BSS segment;
+ */
+static PRLibrary *legacy_glue_lib = NULL;
+static SECStatus
+sftkdbLoad_Legacy()
+{
+ PRLibrary *lib = NULL;
+ LGSetCryptFunc setCryptFunction = NULL;
+
+ if (legacy_glue_lib) {
+ return SECSuccess;
+ }
+
+ lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
+ if (lib == NULL) {
+ return SECFailure;
+ }
+
+ legacy_glue_open = (LGOpenFunc)PR_FindFunctionSymbol(lib, "legacy_Open");
+ legacy_glue_readSecmod =
+ (LGReadSecmodFunc)PR_FindFunctionSymbol(lib, "legacy_ReadSecmodDB");
+ legacy_glue_releaseSecmod =
+ (LGReleaseSecmodFunc)PR_FindFunctionSymbol(lib, "legacy_ReleaseSecmodDBData");
+ legacy_glue_deleteSecmod =
+ (LGDeleteSecmodFunc)PR_FindFunctionSymbol(lib, "legacy_DeleteSecmodDB");
+ legacy_glue_addSecmod =
+ (LGAddSecmodFunc)PR_FindFunctionSymbol(lib, "legacy_AddSecmodDB");
+ legacy_glue_shutdown =
+ (LGShutdownFunc)PR_FindFunctionSymbol(lib, "legacy_Shutdown");
+ setCryptFunction =
+ (LGSetCryptFunc)PR_FindFunctionSymbol(lib, "legacy_SetCryptFunctions");
+
+ if (!legacy_glue_open || !legacy_glue_readSecmod ||
+ !legacy_glue_releaseSecmod || !legacy_glue_deleteSecmod ||
+ !legacy_glue_addSecmod || !setCryptFunction) {
+ PR_UnloadLibrary(lib);
+ return SECFailure;
+ }
+
+ setCryptFunction(sftkdb_encrypt_stub, sftkdb_decrypt_stub);
+ legacy_glue_lib = lib;
+ return SECSuccess;
+}
+
+CK_RV
+sftkdbCall_open(const char *dir, const char *certPrefix, const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB)
+{
+ SECStatus rv;
+
+ rv = sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ if (!legacy_glue_open) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*legacy_glue_open)(dir, certPrefix, keyPrefix,
+ certVersion, keyVersion,
+ flags, certDB, keyDB);
+}
+
+char **
+sftkdbCall_ReadSecmodDB(const char *appName, const char *filename,
+ const char *dbname, char *params, PRBool rw)
+{
+ SECStatus rv;
+
+ rv = sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return NULL;
+ }
+ if (!legacy_glue_readSecmod) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return NULL;
+ }
+ return (*legacy_glue_readSecmod)(appName, filename, dbname, params, rw);
+}
+
+SECStatus
+sftkdbCall_ReleaseSecmodDBData(const char *appName,
+ const char *filename, const char *dbname,
+ char **moduleSpecList, PRBool rw)
+{
+ SECStatus rv;
+
+ rv = sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ if (!legacy_glue_releaseSecmod) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*legacy_glue_releaseSecmod)(appName, filename, dbname,
+ moduleSpecList, rw);
+}
+
+SECStatus
+sftkdbCall_DeleteSecmodDB(const char *appName,
+ const char *filename, const char *dbname,
+ char *args, PRBool rw)
+{
+ SECStatus rv;
+
+ rv = sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ if (!legacy_glue_deleteSecmod) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*legacy_glue_deleteSecmod)(appName, filename, dbname, args, rw);
+}
+
+SECStatus
+sftkdbCall_AddSecmodDB(const char *appName,
+ const char *filename, const char *dbname,
+ char *module, PRBool rw)
+{
+ SECStatus rv;
+
+ rv = sftkdbLoad_Legacy();
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ if (!legacy_glue_addSecmod) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ return (*legacy_glue_addSecmod)(appName, filename, dbname, module, rw);
+}
+
+CK_RV
+sftkdbCall_Shutdown(void)
+{
+ CK_RV crv = CKR_OK;
+ char *disableUnload = NULL;
+ if (!legacy_glue_lib) {
+ return CKR_OK;
+ }
+ if (legacy_glue_shutdown) {
+#ifdef NO_FORK_CHECK
+ PRBool parentForkedAfterC_Initialize = PR_FALSE;
+#endif
+ crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
+ }
+ disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+ if (!disableUnload) {
+ PR_UnloadLibrary(legacy_glue_lib);
+ }
+ legacy_glue_lib = NULL;
+ legacy_glue_open = NULL;
+ legacy_glue_readSecmod = NULL;
+ legacy_glue_releaseSecmod = NULL;
+ legacy_glue_deleteSecmod = NULL;
+ legacy_glue_addSecmod = NULL;
+ return crv;
+}
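Review bot: `sftkdbCall_open` is declared to return CK_RV, but its `!legacy_glue_open` branch returns `SECFailure`, a SECStatus value of -1 that converts to a CK_RV no caller will match against any CKR_* code; it should be `return CKR_GENERAL_ERROR;` to match the `sftkdbLoad_Legacy` failure path two lines above. That branch also looks unreachable, since `sftkdbLoad_Legacy` already fails when `legacy_glue_open` is NULL, so this is a consistency fix rather than a live bug. Separately, the final fallback in `sftkdb_LoadLibrary` hands the bare `libname` to `PR_LoadLibraryWithFlags`, which presumably leaves resolution to the dynamic loader's search path rather than the softoken directory; a comment stating that this fallback is intentional, and what search path it relies on, would help anyone auditing where `nssdbm` may be loaded from.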
diff --git a/security/nss/lib/softoken/lgglue.h b/security/nss/lib/softoken/lgglue.h
new file mode 100644
index 0000000000..61dbfecf62
--- /dev/null
+++ b/security/nss/lib/softoken/lgglue.h
@@ -0,0 +1,59 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This code defines the glue layer between softoken and the legacy DB library
+ */
+#include "sdb.h"
+
+/*
+ * function prototypes for the callbacks into softoken from the legacyDB
+ */
+
+typedef SECStatus (*LGEncryptFunc)(PLArenaPool *arena, SDB *sdb,
+ SECItem *plainText, SECItem **cipherText);
+typedef SECStatus (*LGDecryptFunc)(SDB *sdb, SECItem *cipherText,
+ SECItem **plainText);
+
+/*
+ * function prototypes for the exported functions.
+ */
+typedef CK_RV (*LGOpenFunc)(const char *dir, const char *certPrefix,
+ const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB);
+typedef char **(*LGReadSecmodFunc)(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGReleaseSecmodFunc)(const char *appName,
+ const char *filename,
+ const char *dbname, char **params, PRBool rw);
+typedef SECStatus (*LGDeleteSecmodFunc)(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGAddSecmodFunc)(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+typedef SECStatus (*LGShutdownFunc)(PRBool forked);
+typedef void (*LGSetForkStateFunc)(PRBool);
+typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
+
+/*
+ * Softoken Glue Functions
+ */
+CK_RV sftkdbCall_open(const char *dir, const char *certPrefix,
+ const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB);
+char **sftkdbCall_ReadSecmodDB(const char *appName, const char *filename,
+ const char *dbname, char *params, PRBool rw);
+SECStatus sftkdbCall_ReleaseSecmodDBData(const char *appName,
+ const char *filename, const char *dbname,
+ char **moduleSpecList, PRBool rw);
+SECStatus sftkdbCall_DeleteSecmodDB(const char *appName,
+ const char *filename, const char *dbname,
+ char *args, PRBool rw);
+SECStatus sftkdbCall_AddSecmodDB(const char *appName,
+ const char *filename, const char *dbname,
+ char *module, PRBool rw);
+CK_RV sftkdbCall_Shutdown(void);
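Review bot: lgglue.h has no include guard, unlike the sibling headers lowkeyi.h and lowkeyti.h added in this commit, so any translation unit that picks it up twice will see every typedef redefined. Wrap the file in `#ifndef _LGGLUE_H_` / `#define _LGGLUE_H_` … `#endif /* _LGGLUE_H_ */`, following the `_LOWKEYI_H_` convention used elsewhere in this patch. The `LGSetForkStateFunc` typedef is not referenced by lgglue.c in this commit; if a consumer exists elsewhere, a one-line comment naming it would stop it reading as dead code.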
diff --git a/security/nss/lib/softoken/lowkey.c b/security/nss/lib/softoken/lowkey.c
new file mode 100644
index 0000000000..f47bda231d
--- /dev/null
+++ b/security/nss/lib/softoken/lowkey.c
@@ -0,0 +1,544 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "lowkeyi.h"
+#include "secoid.h"
+#include "secitem.h"
+#include "secder.h"
+#include "base64.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "softoken.h"
+
+SEC_ASN1_MKSUB(SEC_AnyTemplate)
+SEC_ASN1_MKSUB(SEC_BitStringTemplate)
+SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYAttribute) },
+ { SEC_ASN1_OBJECT_ID, offsetof(NSSLOWKEYAttribute, attrType) },
+ { SEC_ASN1_SET_OF | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYAttribute, attrValue),
+ SEC_ASN1_SUB(SEC_AnyTemplate) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_SetOfAttributeTemplate[] = {
+ { SEC_ASN1_SET_OF, 0, nsslowkey_AttributeTemplate },
+};
+/* ASN1 Templates for new decoder/encoder */
+const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSLOWKEYPrivateKeyInfo) },
+ { SEC_ASN1_INTEGER,
+ offsetof(NSSLOWKEYPrivateKeyInfo, version) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYPrivateKeyInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSLOWKEYPrivateKeyInfo, privateKey) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(NSSLOWKEYPrivateKeyInfo, attributes),
+ nsslowkey_SetOfAttributeTemplate },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_SubjectPublicKeyInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYSubjectPublicKeyInfo) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSLOWKEYSubjectPublicKeyInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_BIT_STRING,
+ offsetof(NSSLOWKEYSubjectPublicKeyInfo, subjectPublicKey) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPublicKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPublicKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.modulus) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPublicKey, u.rsa.publicExponent) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_PQGParamsTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(PQGParams) },
+ { SEC_ASN1_INTEGER, offsetof(PQGParams, prime) },
+ { SEC_ASN1_INTEGER, offsetof(PQGParams, subPrime) },
+ { SEC_ASN1_INTEGER, offsetof(PQGParams, base) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.version) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.modulus) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.publicExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.privateExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.prime2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.exponent2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.rsa.coefficient) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.publicValue) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.privateValue) },
+ { 0 }
+};
+
+const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[] = {
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dsa.privateValue) },
+};
+
+const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.publicValue) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.privateValue) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.base) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.prime) },
+ { 0 }
+};
+
+/* NOTE: The SECG specification allows the private key structure
+ * to contain curve parameters but recommends that they be stored
+ * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
+ * instead.
+ */
+const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.ec.version) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSLOWKEYPrivateKey, u.ec.privateValue) },
+ /* We only support named curves for which the parameters are
+ * encoded as an object ID.
+ */
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+ SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 0,
+ offsetof(NSSLOWKEYPrivateKey, u.ec.ecParams.curveOID),
+ SEC_ASN1_SUB(SEC_ObjectIDTemplate) },
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
+ SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
+ SEC_ASN1_XTRN | 1,
+ offsetof(NSSLOWKEYPrivateKey, u.ec.publicValue),
+ SEC_ASN1_SUB(SEC_BitStringTemplate) },
+ { 0 }
+};
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type. This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+
+void
+prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.rsa.modulus.type = siUnsignedInteger;
+ key->u.rsa.publicExponent.type = siUnsignedInteger;
+ key->u.rsa.privateExponent.type = siUnsignedInteger;
+ key->u.rsa.prime1.type = siUnsignedInteger;
+ key->u.rsa.prime2.type = siUnsignedInteger;
+ key->u.rsa.exponent1.type = siUnsignedInteger;
+ key->u.rsa.exponent2.type = siUnsignedInteger;
+ key->u.rsa.coefficient.type = siUnsignedInteger;
+}
+
+void
+prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *key)
+{
+ key->u.rsa.modulus.type = siUnsignedInteger;
+ key->u.rsa.publicExponent.type = siUnsignedInteger;
+}
+
+void
+prepare_low_pqg_params_for_asn1(PQGParams *params)
+{
+ params->prime.type = siUnsignedInteger;
+ params->subPrime.type = siUnsignedInteger;
+ params->base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.dsa.publicValue.type = siUnsignedInteger;
+ key->u.dsa.privateValue.type = siUnsignedInteger;
+ key->u.dsa.params.prime.type = siUnsignedInteger;
+ key->u.dsa.params.subPrime.type = siUnsignedInteger;
+ key->u.dsa.params.base.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.dsa.privateValue.type = siUnsignedInteger;
+}
+
+void
+prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.dh.prime.type = siUnsignedInteger;
+ key->u.dh.base.type = siUnsignedInteger;
+ key->u.dh.publicValue.type = siUnsignedInteger;
+ key->u.dh.privateValue.type = siUnsignedInteger;
+}
+
+void
+prepare_low_ecparams_for_asn1(ECParams *params)
+{
+ params->DEREncoding.type = siUnsignedInteger;
+ params->curveOID.type = siUnsignedInteger;
+}
+
+void
+prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
+{
+ key->u.ec.version.type = siUnsignedInteger;
+ key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
+ key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
+ key->u.ec.privateValue.type = siUnsignedInteger;
+ key->u.ec.publicValue.type = siUnsignedInteger;
+}
+
+void
+nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
+{
+ if (privk && privk->arena) {
+ PORT_FreeArena(privk->arena, PR_TRUE);
+ }
+}
+
+void
+nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *pubk)
+{
+ if (pubk && pubk->arena) {
+ PORT_FreeArena(pubk->arena, PR_TRUE);
+ }
+}
+unsigned
+nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+{
+ /* interpret modulus length as key strength... in
+ * fortezza that's the public key length */
+
+ switch (pubk->keyType) {
+ case NSSLOWKEYRSAKey:
+ if (pubk->u.rsa.modulus.len == 0) {
+ return 0;
+ }
+ if (pubk->u.rsa.modulus.data[0] == 0) {
+ return pubk->u.rsa.modulus.len - 1;
+ }
+ return pubk->u.rsa.modulus.len;
+ default:
+ break;
+ }
+ return 0;
+}
+
+unsigned
+nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privk)
+{
+ switch (privk->keyType) {
+ case NSSLOWKEYRSAKey:
+ if (privk->u.rsa.modulus.len == 0) {
+ return 0;
+ }
+ if (privk->u.rsa.modulus.data[0] == 0) {
+ return privk->u.rsa.modulus.len - 1;
+ }
+ return privk->u.rsa.modulus.len;
+ default:
+ break;
+ }
+ return 0;
+}
+
+NSSLOWKEYPublicKey *
+nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
+{
+ NSSLOWKEYPublicKey *pubk;
+ SECItem publicValue;
+ PLArenaPool *arena;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return NULL;
+ }
+
+ switch (privk->keyType) {
+ case NSSLOWKEYRSAKey:
+ case NSSLOWKEYNullKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ if (privk->keyType == NSSLOWKEYNullKey)
+ return pubk;
+ rv = SECITEM_CopyItem(arena, &pubk->u.rsa.modulus,
+ &privk->u.rsa.modulus);
+ if (rv == SECSuccess) {
+ rv = SECITEM_CopyItem(arena, &pubk->u.rsa.publicExponent,
+ &privk->u.rsa.publicExponent);
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ } else {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ }
+ break;
+ case NSSLOWKEYDSAKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ /* if the public key value doesn't exist, calculate it */
+ if (privk->u.dsa.publicValue.len == 0) {
+ rv = DH_Derive(&privk->u.dsa.params.base, &privk->u.dsa.params.prime,
+ &privk->u.dsa.privateValue, &publicValue, 0);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dsa.publicValue, &publicValue);
+ SECITEM_ZfreeItem(&publicValue, PR_FALSE);
+ if (rv != SECSuccess) {
+ break;
+ }
+ }
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
+ &privk->u.dsa.publicValue);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.prime,
+ &privk->u.dsa.params.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.subPrime,
+ &privk->u.dsa.params.subPrime);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dsa.params.base,
+ &privk->u.dsa.params.base);
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ break;
+ case NSSLOWKEYDHKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ /* if the public key value doesn't exist, calculate it */
+ if (privk->u.dh.publicValue.len == 0) {
+ rv = DH_Derive(&privk->u.dh.base, &privk->u.dh.prime,
+ &privk->u.dh.privateValue, &publicValue, 0);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dh.publicValue, &publicValue);
+ SECITEM_ZfreeItem(&publicValue, PR_FALSE);
+ if (rv != SECSuccess) {
+ break;
+ }
+ }
+ rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
+ &privk->u.dh.publicValue);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
+ &privk->u.dh.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
+ &privk->u.dh.base);
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ break;
+ case NSSLOWKEYECKey:
+ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPublicKey));
+ if (pubk != NULL) {
+ SECStatus rv;
+
+ pubk->arena = arena;
+ pubk->keyType = privk->keyType;
+ rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue,
+ &privk->u.ec.publicValue);
+ if (rv != SECSuccess)
+ break;
+ pubk->u.ec.ecParams.arena = arena;
+ /* Copy the rest of the params */
+ rv = EC_CopyParams(arena, &(pubk->u.ec.ecParams),
+ &(privk->u.ec.ecParams));
+ if (rv == SECSuccess)
+ return pubk;
+ }
+ break;
+ /* No Fortezza in Low Key implementations (Fortezza keys aren't
+ * stored in our data base */
+ default:
+ break;
+ }
+
+ PORT_FreeArena(arena, PR_TRUE);
+ return NULL;
+}
+
+NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey)
+{
+ NSSLOWKEYPrivateKey *returnKey = NULL;
+ SECStatus rv = SECFailure;
+ PLArenaPool *poolp;
+
+ if (!privKey) {
+ return NULL;
+ }
+
+ poolp = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!poolp) {
+ return NULL;
+ }
+
+ returnKey = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(poolp, sizeof(NSSLOWKEYPrivateKey));
+ if (!returnKey) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ returnKey->keyType = privKey->keyType;
+ returnKey->arena = poolp;
+
+ switch (privKey->keyType) {
+ case NSSLOWKEYRSAKey:
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.modulus),
+ &(privKey->u.rsa.modulus));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.version),
+ &(privKey->u.rsa.version));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.publicExponent),
+ &(privKey->u.rsa.publicExponent));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.privateExponent),
+ &(privKey->u.rsa.privateExponent));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime1),
+ &(privKey->u.rsa.prime1));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.prime2),
+ &(privKey->u.rsa.prime2));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent1),
+ &(privKey->u.rsa.exponent1));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.exponent2),
+ &(privKey->u.rsa.exponent2));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.rsa.coefficient),
+ &(privKey->u.rsa.coefficient));
+ if (rv != SECSuccess)
+ break;
+ break;
+ case NSSLOWKEYDSAKey:
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.publicValue),
+ &(privKey->u.dsa.publicValue));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.privateValue),
+ &(privKey->u.dsa.privateValue));
+ if (rv != SECSuccess)
+ break;
+ returnKey->u.dsa.params.arena = poolp;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.prime),
+ &(privKey->u.dsa.params.prime));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.subPrime),
+ &(privKey->u.dsa.params.subPrime));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dsa.params.base),
+ &(privKey->u.dsa.params.base));
+ if (rv != SECSuccess)
+ break;
+ break;
+ case NSSLOWKEYDHKey:
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.publicValue),
+ &(privKey->u.dh.publicValue));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.privateValue),
+ &(privKey->u.dh.privateValue));
+ if (rv != SECSuccess)
+ break;
+ returnKey->u.dsa.params.arena = poolp;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.prime),
+ &(privKey->u.dh.prime));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
+ &(privKey->u.dh.base));
+ if (rv != SECSuccess)
+ break;
+ break;
+ case NSSLOWKEYECKey:
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
+ &(privKey->u.ec.version));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
+ &(privKey->u.ec.publicValue));
+ if (rv != SECSuccess)
+ break;
+ rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.privateValue),
+ &(privKey->u.ec.privateValue));
+ if (rv != SECSuccess)
+ break;
+ returnKey->u.ec.ecParams.arena = poolp;
+ /* Copy the rest of the params */
+ rv = EC_CopyParams(poolp, &(returnKey->u.ec.ecParams),
+ &(privKey->u.ec.ecParams));
+ if (rv != SECSuccess)
+ break;
+ break;
+ default:
+ rv = SECFailure;
+ }
+
+loser:
+
+ if (rv != SECSuccess) {
+ PORT_FreeArena(poolp, PR_TRUE);
+ returnKey = NULL;
+ }
+
+ return returnKey;
+}
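Review bot: In `nsslowkey_CopyPrivateKey` the `NSSLOWKEYDHKey` case executes `returnKey->u.dsa.params.arena = poolp;` while copying a DH key, storing through the `dsa` member of the union instead of `dh`; it looks like a copy of the corresponding line in the DSA case. The struct layouts behind `u` are outside this hunk, so I cannot tell which `dh` field that store overlaps or whether the later copies into `u.dh.prime` and `u.dh.base` happen to cover it; if the DH member has no arena field the line should simply be deleted, otherwise it should name the `dh` field explicitly. While here, `nsslowkey_ConvertToPublicKey` writes a derived public value back into `privk->arena` for DSA and DH keys whose `publicValue.len` is 0, a side effect on its input that deserves a note on the function, e.g. `/* May populate privk->u.{dsa,dh}.publicValue in privk's arena when it was absent. */`.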
diff --git a/security/nss/lib/softoken/lowkeyi.h b/security/nss/lib/softoken/lowkeyi.h
new file mode 100644
index 0000000000..e599f01fa0
--- /dev/null
+++ b/security/nss/lib/softoken/lowkeyi.h
@@ -0,0 +1,70 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _LOWKEYI_H_
+#define _LOWKEYI_H_
+
+#include "prtypes.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * See bugzilla bug 125359
+ * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
+ * all of the templates above that en/decode into integers must be converted
+ * from ASN.1's signed integer type. This is done by marking either the
+ * source or destination (encoding or decoding, respectively) type as
+ * siUnsignedInteger.
+ */
+extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
+extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
+extern void prepare_low_ecparams_for_asn1(ECParams *params);
+extern void prepare_low_rsa_pub_key_for_asn1(NSSLOWKEYPublicKey *key);
+
+/*
+** Destroy a private key object.
+** "key" the object
+** "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
+
+/*
+** Destroy a public key object.
+** "key" the object
+** "freeit" if PR_TRUE then free the object as well as its sub-objects
+*/
+extern void nsslowkey_DestroyPublicKey(NSSLOWKEYPublicKey *key);
+
+/*
+** Return the modulus length of "pubKey".
+*/
+extern unsigned int nsslowkey_PublicModulusLen(NSSLOWKEYPublicKey *pubKey);
+
+/*
+** Return the modulus length of "privKey".
+*/
+extern unsigned int nsslowkey_PrivateModulusLen(NSSLOWKEYPrivateKey *privKey);
+
+/*
+** Convert a low private key "privateKey" into a public low key
+*/
+extern NSSLOWKEYPublicKey *
+nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privateKey);
+
+/* Make a copy of a low private key in it's own arena.
+ * a return of NULL indicates an error.
+ */
+extern NSSLOWKEYPrivateKey *
+nsslowkey_CopyPrivateKey(NSSLOWKEYPrivateKey *privKey);
+
+SEC_END_PROTOS
+
+#endif /* _LOWKEYI_H_ */
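Review bot: The comments on `nsslowkey_DestroyPrivateKey` and `nsslowkey_DestroyPublicKey` document a `"freeit"` parameter that neither prototype has; both take only the key, and the lowkey.c definitions in this commit free the key's arena whenever the key and its arena are non-NULL. Replace each stale block with a comment that matches the signature, e.g. `/* Destroy a private key object: frees key->arena (and the key allocated in it) if set; NULL is a no-op. */`. The file-level comment also refers to "all of the templates above", but the templates are declared in lowkeyti.h, not in this header; "the templates in lowkeyti.h" would be accurate.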
diff --git a/security/nss/lib/softoken/lowkeyti.h b/security/nss/lib/softoken/lowkeyti.h
new file mode 100644
index 0000000000..7e77592c53
--- /dev/null
+++ b/security/nss/lib/softoken/lowkeyti.h
@@ -0,0 +1,100 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef _LOWKEYTI_H_
+#define _LOWKEYTI_H_ 1
+
+#include "blapit.h"
+#include "prtypes.h"
+#include "plarena.h"
+#include "secitem.h"
+#include "secasn1t.h"
+#include "secoidt.h"
+
+/*
+** Typedef for callback to get a password "key".
+*/
+extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
+#define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
+extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
+
+extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_SubjectPublicKeyInfoTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPublicKeyTemplate[];
+
+/*
+ * PKCS #8 attributes
+ */
+struct NSSLOWKEYAttributeStr {
+ SECItem attrType;
+ SECItem *attrValue;
+};
+typedef struct NSSLOWKEYAttributeStr NSSLOWKEYAttribute;
+
+/*
+** A PKCS#8 private key info object
+*/
+struct NSSLOWKEYPrivateKeyInfoStr {
+ PLArenaPool *arena;
+ SECItem version;
+ SECAlgorithmID algorithm;
+ SECItem privateKey;
+ NSSLOWKEYAttribute **attributes;
+};
+typedef struct NSSLOWKEYPrivateKeyInfoStr NSSLOWKEYPrivateKeyInfo;
+#define NSSLOWKEY_PRIVATE_KEY_INFO_VERSION 0 /* what we *create* */
+
+struct NSSLOWKEYSubjectPublicKeyInfoStr {
+ PLArenaPool *arena;
+ SECAlgorithmID algorithm;
+ SECItem subjectPublicKey;
+};
+typedef struct NSSLOWKEYSubjectPublicKeyInfoStr NSSLOWKEYSubjectPublicKeyInfo;
+
+typedef enum {
+ NSSLOWKEYNullKey = 0,
+ NSSLOWKEYRSAKey = 1,
+ NSSLOWKEYDSAKey = 2,
+ NSSLOWKEYDHKey = 4,
+ NSSLOWKEYECKey = 5
+} NSSLOWKEYType;
+
+/*
+** An RSA public key object.
+*/
+struct NSSLOWKEYPublicKeyStr {
+ PLArenaPool *arena;
+ NSSLOWKEYType keyType;
+ union {
+ RSAPublicKey rsa;
+ DSAPublicKey dsa;
+ DHPublicKey dh;
+ ECPublicKey ec;
+ } u;
+};
+typedef struct NSSLOWKEYPublicKeyStr NSSLOWKEYPublicKey;
+
+/*
+** Low Level private key object
+** This is only used by the raw Crypto engines (crypto), keydb (keydb),
+** and PKCS #11. Everyone else uses the high level key structure.
+*/
+struct NSSLOWKEYPrivateKeyStr {
+ PLArenaPool *arena;
+ NSSLOWKEYType keyType;
+ union {
+ RSAPrivateKey rsa;
+ DSAPrivateKey dsa;
+ DHPrivateKey dh;
+ ECPrivateKey ec;
+ } u;
+};
+typedef struct NSSLOWKEYPrivateKeyStr NSSLOWKEYPrivateKey;
+
+#endif /* _LOWKEYTI_H_ */
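Review bot: The comment above the `nsslowkey_*Template` declarations ("Typedef for callback to get a password 'key'") describes nothing in this hunk — what follows is a run of `extern const SEC_ASN1Template` arrays, not a callback typedef; replace it with `/* ASN.1 templates for the low-level private/public key encodings. */`. The header comment on `struct NSSLOWKEYPublicKeyStr` ("An RSA public key object") is likewise misleading, since the struct carries a `keyType` discriminator and a union of RSA, DSA, DH and EC members; suggest `/* A low-level public key object; keyType selects which union member is valid. */`, and the same clarification about `keyType` fits the private-key struct below it. The gap at value 3 in `NSSLOWKEYType` (DSA is 2, DH is 4) presumably preserves a stored encoding; a one-line comment such as `/* value 3 intentionally unused; do not renumber */` would stop a future cleanup from silently changing the meaning of persisted key records.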
diff --git a/security/nss/lib/softoken/lowpbe.c b/security/nss/lib/softoken/lowpbe.c
new file mode 100644
index 0000000000..ff80f573ff
--- /dev/null
+++ b/security/nss/lib/softoken/lowpbe.c
@@ -0,0 +1,1820 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "plarena.h"
+
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "hasht.h"
+#include "pkcs11t.h"
+#include "blapi.h"
+#include "hasht.h"
+#include "secasn1.h"
+#include "secder.h"
+#include "lowpbe.h"
+#include "secoid.h"
+#include "alghmac.h"
+#include "softoken.h"
+#include "secerr.h"
+#include "pkcs11i.h"
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+/* how much a crypto encrypt/decryption may expand a buffer */
+#define MAX_CRYPTO_EXPANSION 64
+
+/* template for PKCS 5 PBE Parameter. This template has been expanded
+ * based upon the additions in PKCS 12. This should eventually be moved
+ * if RSA updates PKCS 5.
+ */
+static const SEC_ASN1Template NSSPKCS5PBEParameterTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(NSSPKCS5PBEParameter) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(NSSPKCS5PBEParameter, salt) },
+ { SEC_ASN1_INTEGER,
+ offsetof(NSSPKCS5PBEParameter, iteration) },
+ { 0 }
+};
+
+static const SEC_ASN1Template NSSPKCS5PKCS12V2PBEParameterTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) },
+ { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) },
+ { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) },
+ { 0 }
+};
+
+/* PKCS5 v2 */
+
+struct nsspkcs5V2PBEParameterStr {
+ SECAlgorithmID keyParams; /* parameters of the key generation */
+ SECAlgorithmID algParams; /* parameters for the encryption or mac op */
+};
+
+typedef struct nsspkcs5V2PBEParameterStr nsspkcs5V2PBEParameter;
+
+static const SEC_ASN1Template NSSPKCS5V2PBES2ParameterTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(nsspkcs5V2PBEParameter) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(nsspkcs5V2PBEParameter, keyParams),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(nsspkcs5V2PBEParameter, algParams),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { 0 }
+};
+
+static const SEC_ASN1Template NSSPKCS5V2PBEParameterTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSPKCS5PBEParameter) },
+ /* this is really a choice, but since we don't understand any other
+ * choice, just inline it. */
+ { SEC_ASN1_OCTET_STRING, offsetof(NSSPKCS5PBEParameter, salt) },
+ { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, iteration) },
+ { SEC_ASN1_INTEGER, offsetof(NSSPKCS5PBEParameter, keyLength) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSPKCS5PBEParameter, prfAlg),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { 0 }
+};
+
+SECStatus
+nsspkcs5_HashBuf(const SECHashObject *hashObj, unsigned char *dest,
+ unsigned char *src, int len)
+{
+ void *ctx;
+ unsigned int retLen;
+
+ ctx = hashObj->create();
+ if (ctx == NULL) {
+ return SECFailure;
+ }
+ hashObj->begin(ctx);
+ hashObj->update(ctx, src, len);
+ hashObj->end(ctx, dest, &retLen, hashObj->length);
+ hashObj->destroy(ctx, PR_TRUE);
+ return SECSuccess;
+}
+
+/* generate bits using any hash
+ */
+static SECItem *
+nsspkcs5_PBKDF1(const SECHashObject *hashObj, SECItem *salt, SECItem *pwd,
+ int iter, PRBool faulty3DES)
+{
+ SECItem *hash = NULL, *pre_hash = NULL;
+ SECStatus rv = SECFailure;
+
+ if ((salt == NULL) || (pwd == NULL) || (iter < 0)) {
+ return NULL;
+ }
+
+ hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+ pre_hash = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+
+ if ((hash != NULL) && (pre_hash != NULL)) {
+ int i, ph_len;
+
+ ph_len = hashObj->length;
+ if ((salt->len + pwd->len) > hashObj->length) {
+ ph_len = salt->len + pwd->len;
+ }
+
+ rv = SECFailure;
+
+ /* allocate buffers */
+ hash->len = hashObj->length;
+ hash->data = (unsigned char *)PORT_ZAlloc(hash->len);
+ pre_hash->data = (unsigned char *)PORT_ZAlloc(ph_len);
+
+ /* in pbeSHA1TripleDESCBC there was an allocation error that made
+ * it into the caller. We do not want to propagate those errors
+ * further, so we are doing it correctly, but reading the old method.
+ */
+ if (faulty3DES) {
+ pre_hash->len = ph_len;
+ } else {
+ pre_hash->len = salt->len + pwd->len;
+ }
+
+ /* preform hash */
+ if ((hash->data != NULL) && (pre_hash->data != NULL)) {
+ rv = SECSuccess;
+ /* check for 0 length password */
+ if (pwd->len > 0) {
+ PORT_Memcpy(pre_hash->data, pwd->data, pwd->len);
+ }
+ if (salt->len > 0) {
+ PORT_Memcpy((pre_hash->data + pwd->len), salt->data, salt->len);
+ }
+ for (i = 0; ((i < iter) && (rv == SECSuccess)); i++) {
+ rv = nsspkcs5_HashBuf(hashObj, hash->data,
+ pre_hash->data, pre_hash->len);
+ if (rv != SECFailure) {
+ pre_hash->len = hashObj->length;
+ PORT_Memcpy(pre_hash->data, hash->data, hashObj->length);
+ }
+ }
+ }
+ }
+
+ if (pre_hash != NULL) {
+ SECITEM_ZfreeItem(pre_hash, PR_TRUE);
+ }
+
+ if ((rv != SECSuccess) && (hash != NULL)) {
+ SECITEM_ZfreeItem(hash, PR_TRUE);
+ hash = NULL;
+ }
+
+ return hash;
+}
+
+/* this bit generation routine is described in PKCS 12 and the proposed
+ * extensions to PKCS 5. an initial hash is generated following the
+ * instructions laid out in PKCS 5. If the number of bits generated is
+ * insufficient, then the method discussed in the proposed extensions to
+ * PKCS 5 in PKCS 12 are used. This extension makes use of the HMAC
+ * function. And the P_Hash function from the TLS standard.
+ */
+static SECItem *
+nsspkcs5_PFXPBE(const SECHashObject *hashObj, NSSPKCS5PBEParameter *pbe_param,
+ SECItem *init_hash, unsigned int bytes_needed)
+{
+ SECItem *ret_bits = NULL;
+ int hash_size = 0;
+ unsigned int i;
+ unsigned int hash_iter;
+ unsigned int dig_len;
+ SECStatus rv = SECFailure;
+ unsigned char *state = NULL;
+ unsigned int state_len;
+ HMACContext *cx = NULL;
+
+ hash_size = hashObj->length;
+ hash_iter = (bytes_needed + (unsigned int)hash_size - 1) / hash_size;
+
+ /* allocate return buffer */
+ ret_bits = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+ if (ret_bits == NULL)
+ return NULL;
+ ret_bits->data = (unsigned char *)PORT_ZAlloc((hash_iter * hash_size) + 1);
+ ret_bits->len = (hash_iter * hash_size);
+ if (ret_bits->data == NULL) {
+ PORT_Free(ret_bits);
+ return NULL;
+ }
+
+ /* allocate intermediate hash buffer. 8 is for the 8 bytes of
+ * data which are added based on iteration number
+ */
+
+ if ((unsigned int)hash_size > pbe_param->salt.len) {
+ state_len = hash_size;
+ } else {
+ state_len = pbe_param->salt.len;
+ }
+ state = (unsigned char *)PORT_ZAlloc(state_len);
+ if (state == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+ if (pbe_param->salt.len > 0) {
+ PORT_Memcpy(state, pbe_param->salt.data, pbe_param->salt.len);
+ }
+
+ cx = HMAC_Create(hashObj, init_hash->data, init_hash->len, PR_TRUE);
+ if (cx == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ for (i = 0; i < hash_iter; i++) {
+
+ /* generate output bits */
+ HMAC_Begin(cx);
+ HMAC_Update(cx, state, state_len);
+ HMAC_Update(cx, pbe_param->salt.data, pbe_param->salt.len);
+ rv = HMAC_Finish(cx, ret_bits->data + (i * hash_size),
+ &dig_len, hash_size);
+ if (rv != SECSuccess)
+ goto loser;
+ PORT_Assert((unsigned int)hash_size == dig_len);
+
+ /* generate new state */
+ HMAC_Begin(cx);
+ HMAC_Update(cx, state, state_len);
+ rv = HMAC_Finish(cx, state, &state_len, state_len);
+ if (rv != SECSuccess)
+ goto loser;
+ PORT_Assert(state_len == dig_len);
+ }
+
+loser:
+ if (state != NULL)
+ PORT_ZFree(state, state_len);
+ HMAC_Destroy(cx, PR_TRUE);
+
+ if (rv != SECSuccess) {
+ SECITEM_ZfreeItem(ret_bits, PR_TRUE);
+ ret_bits = NULL;
+ }
+
+ return ret_bits;
+}
+
+/* generate bits for the key and iv determination. if enough bits
+ * are not generated using PKCS 5, then we need to generate more bits
+ * based on the extension proposed in PKCS 12
+ */
+static SECItem *
+nsspkcs5_PBKDF1Extended(const SECHashObject *hashObj,
+ NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem, PRBool faulty3DES)
+{
+ SECItem *hash = NULL;
+ SECItem *newHash = NULL;
+ int bytes_needed;
+ int bytes_available;
+
+ bytes_needed = pbe_param->ivLen + pbe_param->keyLen;
+ bytes_available = hashObj->length;
+
+ hash = nsspkcs5_PBKDF1(hashObj, &pbe_param->salt, pwitem,
+ pbe_param->iter, faulty3DES);
+
+ if (hash == NULL) {
+ return NULL;
+ }
+
+ if (bytes_needed <= bytes_available) {
+ return hash;
+ }
+
+ newHash = nsspkcs5_PFXPBE(hashObj, pbe_param, hash, bytes_needed);
+ if (hash != newHash)
+ SECITEM_ZfreeItem(hash, PR_TRUE);
+ return newHash;
+}
+
+/*
+ * PBDKDF2 is PKCS #5 v2.0 it's currently not used by NSS
+ */
+static void
+do_xor(unsigned char *dest, unsigned char *src, int len)
+{
+ /* use byt xor, not all platforms are happy about inaligned
+ * integer fetches */
+ while (len--) {
+ *dest = *dest ^ *src;
+ dest++;
+ src++;
+ }
+}
+
+static SECStatus
+nsspkcs5_PBKDF2_F(const SECHashObject *hashobj, SECItem *pwitem, SECItem *salt,
+ int iterations, unsigned int i, unsigned char *T)
+{
+ int j;
+ HMACContext *cx = NULL;
+ unsigned int hLen = hashobj->length;
+ SECStatus rv = SECFailure;
+ unsigned char *last = NULL;
+ unsigned int lastLength = salt->len + 4;
+ unsigned int lastBufLength;
+
+ cx = HMAC_Create(hashobj, pwitem->data, pwitem->len, PR_FALSE);
+ if (cx == NULL) {
+ goto loser;
+ }
+ PORT_Memset(T, 0, hLen);
+ lastBufLength = PR_MAX(lastLength, hLen);
+ last = PORT_Alloc(lastBufLength);
+ if (last == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(last, salt->data, salt->len);
+ last[salt->len] = (i >> 24) & 0xff;
+ last[salt->len + 1] = (i >> 16) & 0xff;
+ last[salt->len + 2] = (i >> 8) & 0xff;
+ last[salt->len + 3] = i & 0xff;
+
+ /* NOTE: we need at least one iteration to return success! */
+ for (j = 0; j < iterations; j++) {
+ HMAC_Begin(cx);
+ HMAC_Update(cx, last, lastLength);
+ rv = HMAC_Finish(cx, last, &lastLength, hLen);
+ if (rv != SECSuccess) {
+ break;
+ }
+ do_xor(T, last, hLen);
+ }
+loser:
+ if (cx) {
+ HMAC_Destroy(cx, PR_TRUE);
+ }
+ if (last) {
+ PORT_ZFree(last, lastBufLength);
+ }
+ return rv;
+}
+
+static SECItem *
+nsspkcs5_PBKDF2(const SECHashObject *hashobj, NSSPKCS5PBEParameter *pbe_param,
+ SECItem *pwitem)
+{
+ int iterations = pbe_param->iter;
+ int bytesNeeded = pbe_param->keyLen;
+ unsigned int dkLen = bytesNeeded;
+ unsigned int hLen = hashobj->length;
+ unsigned int nblocks = (dkLen + hLen - 1) / hLen;
+ unsigned int i;
+ unsigned char *rp;
+ unsigned char *T = NULL;
+ SECItem *result = NULL;
+ SECItem *salt = &pbe_param->salt;
+ SECStatus rv = SECFailure;
+
+ result = SECITEM_AllocItem(NULL, NULL, nblocks * hLen);
+ if (result == NULL) {
+ return NULL;
+ }
+
+ T = PORT_Alloc(hLen);
+ if (T == NULL) {
+ goto loser;
+ }
+
+ for (i = 1, rp = result->data; i <= nblocks; i++, rp += hLen) {
+ rv = nsspkcs5_PBKDF2_F(hashobj, pwitem, salt, iterations, i, T);
+ if (rv != SECSuccess) {
+ break;
+ }
+ PORT_Memcpy(rp, T, hLen);
+ }
+
+loser:
+ if (T) {
+ PORT_ZFree(T, hLen);
+ }
+ if (rv != SECSuccess) {
+ SECITEM_ZfreeItem(result, PR_TRUE);
+ result = NULL;
+ } else {
+ result->len = dkLen;
+ }
+
+ return result;
+}
+
+#define NSSPBE_ROUNDUP(x, y) ((((x) + ((y)-1)) / (y)) * (y))
+#define NSSPBE_MIN(x, y) ((x) < (y) ? (x) : (y))
+/*
+ * This is the extended PBE function defined by the final PKCS #12 spec.
+ */
+static SECItem *
+nsspkcs5_PKCS12PBE(const SECHashObject *hashObject,
+ NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
+ PBEBitGenID bitGenPurpose, unsigned int bytesNeeded)
+{
+ PLArenaPool *arena = NULL;
+ unsigned int SLen, PLen;
+ unsigned int hashLength = hashObject->length;
+ unsigned char *S, *P;
+ SECItem *A = NULL, B, D, I;
+ SECItem *salt = &pbe_param->salt;
+ unsigned int c, i = 0;
+ unsigned int hashLen;
+ int iter;
+ unsigned char *iterBuf;
+ void *hash = NULL;
+ unsigned int bufferLength;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ return NULL;
+ }
+
+ /* how many hash object lengths are needed */
+ c = (bytesNeeded + (hashLength - 1)) / hashLength;
+
+ /* 64 if 0 < hashLength <= 32, 128 if 32 < hashLength <= 64 */
+ bufferLength = NSSPBE_ROUNDUP(hashLength * 2, 64);
+
+ /* initialize our buffers */
+ D.len = bufferLength;
+ /* B and D are the same length, use one alloc go get both */
+ D.data = (unsigned char *)PORT_ArenaZAlloc(arena, D.len * 2);
+ B.len = D.len;
+ B.data = D.data + D.len;
+
+ /* if all goes well, A will be returned, so don't use our temp arena */
+ A = SECITEM_AllocItem(NULL, NULL, c * hashLength);
+ if (A == NULL) {
+ goto loser;
+ }
+
+ SLen = NSSPBE_ROUNDUP(salt->len, bufferLength);
+ PLen = NSSPBE_ROUNDUP(pwitem->len, bufferLength);
+ I.len = SLen + PLen;
+ I.data = (unsigned char *)PORT_ArenaZAlloc(arena, I.len);
+ if (I.data == NULL) {
+ goto loser;
+ }
+
+ /* S & P are only used to initialize I */
+ S = I.data;
+ P = S + SLen;
+
+ PORT_Memset(D.data, (char)bitGenPurpose, D.len);
+ if (SLen) {
+ for (i = 0; i < SLen; i += salt->len) {
+ PORT_Memcpy(S + i, salt->data, NSSPBE_MIN(SLen - i, salt->len));
+ }
+ }
+ if (PLen) {
+ for (i = 0; i < PLen; i += pwitem->len) {
+ PORT_Memcpy(P + i, pwitem->data, NSSPBE_MIN(PLen - i, pwitem->len));
+ }
+ }
+
+ iterBuf = (unsigned char *)PORT_ArenaZAlloc(arena, hashLength);
+ if (iterBuf == NULL) {
+ goto loser;
+ }
+
+ hash = hashObject->create();
+ if (!hash) {
+ goto loser;
+ }
+ /* calculate the PBE now */
+ for (i = 0; i < c; i++) {
+ int Bidx; /* must be signed or the for loop won't terminate */
+ unsigned int k, j;
+ unsigned char *Ai = A->data + i * hashLength;
+
+ for (iter = 0; iter < pbe_param->iter; iter++) {
+ hashObject->begin(hash);
+
+ if (iter) {
+ hashObject->update(hash, iterBuf, hashLen);
+ } else {
+ hashObject->update(hash, D.data, D.len);
+ hashObject->update(hash, I.data, I.len);
+ }
+
+ hashObject->end(hash, iterBuf, &hashLen, hashObject->length);
+ if (hashLen != hashObject->length) {
+ break;
+ }
+ }
+
+ PORT_Memcpy(Ai, iterBuf, hashLength);
+ for (Bidx = 0; Bidx < (int)B.len; Bidx += hashLength) {
+ PORT_Memcpy(B.data + Bidx, iterBuf, NSSPBE_MIN(B.len - Bidx, hashLength));
+ }
+
+ k = I.len / B.len;
+ for (j = 0; j < k; j++) {
+ unsigned int q, carryBit;
+ unsigned char *Ij = I.data + j * B.len;
+
+ /* (Ij = Ij+B+1) */
+ for (Bidx = (B.len - 1), q = 1, carryBit = 0; Bidx >= 0; Bidx--, q = 0) {
+ q += (unsigned int)Ij[Bidx];
+ q += (unsigned int)B.data[Bidx];
+ q += carryBit;
+
+ carryBit = (q > 0xff);
+ Ij[Bidx] = (unsigned char)(q & 0xff);
+ }
+ }
+ }
+loser:
+ if (hash) {
+ hashObject->destroy(hash, PR_TRUE);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+
+ if (A) {
+ /* if i != c, then we didn't complete the loop above and must of failed
+ * somwhere along the way */
+ if (i != c) {
+ SECITEM_ZfreeItem(A, PR_TRUE);
+ A = NULL;
+ } else {
+ A->len = bytesNeeded;
+ }
+ }
+
+ return A;
+}
+
+struct KDFCacheItemStr {
+ SECItem *hash;
+ SECItem *salt;
+ SECItem *pwItem;
+ HASH_HashType hashType;
+ int iterations;
+ int keyLen;
+};
+typedef struct KDFCacheItemStr KDFCacheItem;
+
+/* Bug 1606992 - Cache the hash result for the common case that we're
+ * asked to repeatedly compute the key for the same password item,
+ * hash, iterations and salt. */
+#define KDF2_CACHE_COUNT 150
+static struct {
+ PZLock *lock;
+ struct {
+ KDFCacheItem common;
+ int ivLen;
+ PRBool faulty3DES;
+ } cacheKDF1;
+ struct {
+ KDFCacheItem common[KDF2_CACHE_COUNT];
+ int next;
+ } cacheKDF2;
+} PBECache;
+
+void
+sftk_PBELockInit(void)
+{
+ if (!PBECache.lock) {
+ PBECache.lock = PZ_NewLock(nssIPBECacheLock);
+ }
+}
+
+static void
+sftk_clearPBECommonCacheItemsLocked(KDFCacheItem *item)
+{
+ if (item->hash) {
+ SECITEM_ZfreeItem(item->hash, PR_TRUE);
+ item->hash = NULL;
+ }
+ if (item->salt) {
+ SECITEM_ZfreeItem(item->salt, PR_TRUE);
+ item->salt = NULL;
+ }
+ if (item->pwItem) {
+ SECITEM_ZfreeItem(item->pwItem, PR_TRUE);
+ item->pwItem = NULL;
+ }
+}
+
+static void
+sftk_setPBECommonCacheItemsKDFLocked(KDFCacheItem *cacheItem,
+ const SECItem *hash,
+ const NSSPKCS5PBEParameter *pbe_param,
+ const SECItem *pwItem)
+{
+ cacheItem->hash = SECITEM_DupItem(hash);
+ cacheItem->hashType = pbe_param->hashType;
+ cacheItem->iterations = pbe_param->iter;
+ cacheItem->keyLen = pbe_param->keyLen;
+ cacheItem->salt = SECITEM_DupItem(&pbe_param->salt);
+ cacheItem->pwItem = SECITEM_DupItem(pwItem);
+}
+
+static void
+sftk_setPBECacheKDF2(const SECItem *hash,
+ const NSSPKCS5PBEParameter *pbe_param,
+ const SECItem *pwItem)
+{
+ PZ_Lock(PBECache.lock);
+ KDFCacheItem *next = &PBECache.cacheKDF2.common[PBECache.cacheKDF2.next];
+
+ sftk_clearPBECommonCacheItemsLocked(next);
+
+ sftk_setPBECommonCacheItemsKDFLocked(next, hash, pbe_param, pwItem);
+ PBECache.cacheKDF2.next++;
+ if (PBECache.cacheKDF2.next >= KDF2_CACHE_COUNT) {
+ PBECache.cacheKDF2.next = 0;
+ }
+
+ PZ_Unlock(PBECache.lock);
+}
+
+static void
+sftk_setPBECacheKDF1(const SECItem *hash,
+ const NSSPKCS5PBEParameter *pbe_param,
+ const SECItem *pwItem,
+ PRBool faulty3DES)
+{
+ PZ_Lock(PBECache.lock);
+
+ sftk_clearPBECommonCacheItemsLocked(&PBECache.cacheKDF1.common);
+
+ sftk_setPBECommonCacheItemsKDFLocked(&PBECache.cacheKDF1.common,
+ hash, pbe_param, pwItem);
+ PBECache.cacheKDF1.faulty3DES = faulty3DES;
+ PBECache.cacheKDF1.ivLen = pbe_param->ivLen;
+
+ PZ_Unlock(PBECache.lock);
+}
+
+static PRBool
+sftk_comparePBECommonCacheItemLocked(const KDFCacheItem *cacheItem,
+ const NSSPKCS5PBEParameter *pbe_param,
+ const SECItem *pwItem)
+{
+ return (cacheItem->hash &&
+ cacheItem->salt &&
+ cacheItem->pwItem &&
+ pbe_param->hashType == cacheItem->hashType &&
+ pbe_param->iter == cacheItem->iterations &&
+ pbe_param->keyLen == cacheItem->keyLen &&
+ SECITEM_ItemsAreEqual(&pbe_param->salt, cacheItem->salt) &&
+ SECITEM_ItemsAreEqual(pwItem, cacheItem->pwItem));
+}
+
+static SECItem *
+sftk_getPBECacheKDF2(const NSSPKCS5PBEParameter *pbe_param,
+ const SECItem *pwItem)
+{
+ SECItem *result = NULL;
+ int i;
+
+ PZ_Lock(PBECache.lock);
+ for (i = 0; i < KDF2_CACHE_COUNT; i++) {
+ const KDFCacheItem *cacheItem = &PBECache.cacheKDF2.common[i];
+ if (sftk_comparePBECommonCacheItemLocked(cacheItem,
+ pbe_param, pwItem)) {
+ result = SECITEM_DupItem(cacheItem->hash);
+ break;
+ }
+ }
+ PZ_Unlock(PBECache.lock);
+
+ return result;
+}
+
+static SECItem *
+sftk_getPBECacheKDF1(const NSSPKCS5PBEParameter *pbe_param,
+ const SECItem *pwItem,
+ PRBool faulty3DES)
+{
+ SECItem *result = NULL;
+ const KDFCacheItem *cacheItem = &PBECache.cacheKDF1.common;
+
+ PZ_Lock(PBECache.lock);
+ if (sftk_comparePBECommonCacheItemLocked(cacheItem, pbe_param, pwItem) &&
+ PBECache.cacheKDF1.faulty3DES == faulty3DES &&
+ PBECache.cacheKDF1.ivLen == pbe_param->ivLen) {
+ result = SECITEM_DupItem(cacheItem->hash);
+ }
+ PZ_Unlock(PBECache.lock);
+
+ return result;
+}
+
+void
+sftk_PBELockShutdown(void)
+{
+ int i;
+ if (PBECache.lock) {
+ PZ_DestroyLock(PBECache.lock);
+ PBECache.lock = 0;
+ }
+ sftk_clearPBECommonCacheItemsLocked(&PBECache.cacheKDF1.common);
+ for (i = 0; i < KDF2_CACHE_COUNT; i++) {
+ sftk_clearPBECommonCacheItemsLocked(&PBECache.cacheKDF2.common[i]);
+ }
+ PBECache.cacheKDF2.next = 0;
+}
+
+/*
+ * generate key as per PKCS 5
+ */
+SECItem *
+nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
+ SECItem *iv, PRBool faulty3DES)
+{
+ SECItem *hash = NULL, *key = NULL;
+ const SECHashObject *hashObj;
+ PRBool getIV = PR_FALSE;
+
+ if ((pbe_param == NULL) || (pwitem == NULL)) {
+ return NULL;
+ }
+
+ key = SECITEM_AllocItem(NULL, NULL, pbe_param->keyLen);
+ if (key == NULL) {
+ return NULL;
+ }
+
+ if (iv && (pbe_param->ivLen) && (iv->data == NULL)) {
+ getIV = PR_TRUE;
+ iv->data = (unsigned char *)PORT_Alloc(pbe_param->ivLen);
+ if (iv->data == NULL) {
+ goto loser;
+ }
+ iv->len = pbe_param->ivLen;
+ }
+
+ hashObj = HASH_GetRawHashObject(pbe_param->hashType);
+ switch (pbe_param->pbeType) {
+ case NSSPKCS5_PBKDF1:
+ hash = sftk_getPBECacheKDF1(pbe_param, pwitem, faulty3DES);
+ if (!hash) {
+ hash = nsspkcs5_PBKDF1Extended(hashObj, pbe_param, pwitem, faulty3DES);
+ sftk_setPBECacheKDF1(hash, pbe_param, pwitem, faulty3DES);
+ }
+ if (hash == NULL) {
+ goto loser;
+ }
+ PORT_Assert(hash->len >= key->len + (getIV ? iv->len : 0));
+ if (getIV) {
+ PORT_Memcpy(iv->data, hash->data + (hash->len - iv->len), iv->len);
+ }
+
+ break;
+ case NSSPKCS5_PBKDF2:
+ hash = sftk_getPBECacheKDF2(pbe_param, pwitem);
+ if (!hash) {
+ hash = nsspkcs5_PBKDF2(hashObj, pbe_param, pwitem);
+ sftk_setPBECacheKDF2(hash, pbe_param, pwitem);
+ }
+ if (getIV) {
+ PORT_Memcpy(iv->data, pbe_param->ivData, iv->len);
+ }
+ break;
+ case NSSPKCS5_PKCS12_V2:
+ if (getIV) {
+ hash = nsspkcs5_PKCS12PBE(hashObj, pbe_param, pwitem,
+ pbeBitGenCipherIV, iv->len);
+ if (hash == NULL) {
+ goto loser;
+ }
+ PORT_Memcpy(iv->data, hash->data, iv->len);
+ SECITEM_ZfreeItem(hash, PR_TRUE);
+ hash = NULL;
+ }
+ hash = nsspkcs5_PKCS12PBE(hashObj, pbe_param, pwitem,
+ pbe_param->keyID, key->len);
+ default:
+ break;
+ }
+
+ if (hash == NULL) {
+ goto loser;
+ }
+
+ if (pbe_param->is2KeyDES) {
+ PORT_Memcpy(key->data, hash->data, (key->len * 2) / 3);
+ PORT_Memcpy(&(key->data[(key->len * 2) / 3]), key->data,
+ key->len / 3);
+ } else {
+ PORT_Memcpy(key->data, hash->data, key->len);
+ }
+
+ SECITEM_ZfreeItem(hash, PR_TRUE);
+ return key;
+
+loser:
+ if (getIV && iv->data) {
+ PORT_ZFree(iv->data, iv->len);
+ iv->data = NULL;
+ }
+
+ SECITEM_ZfreeItem(key, PR_TRUE);
+ return NULL;
+}
+
+#define MAX_IV_LENGTH 64
+/* get a random IV into the parameters */
+static SECStatus
+nsspkcs5_SetIVParam(NSSPKCS5PBEParameter *pbe_param, int ivLen)
+{
+ SECStatus rv;
+ SECItem derIV;
+ SECItem iv;
+ SECItem *dummy = NULL;
+ unsigned char ivData[MAX_IV_LENGTH];
+
+ PORT_Assert(ivLen <= MAX_IV_LENGTH);
+
+ /* Because of a bug in the decode section, the IV's not are expected
+ * to be der encoded, but still need to parse as if they were der data.
+ * because we want to be compatible with existing versions of nss that
+ * have that bug, create an IV that looks like der data. That still
+ * leaves 14 bytes of entropy in the IV */
+ rv = RNG_GenerateGlobalRandomBytes(ivData, ivLen - 2);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ derIV.data = NULL;
+ derIV.len = 0;
+ iv.data = ivData;
+ iv.len = ivLen - 2;
+ dummy = SEC_ASN1EncodeItem(pbe_param->poolp, &derIV, &iv,
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
+ if (dummy == NULL) {
+ return SECFailure;
+ }
+ pbe_param->ivData = derIV.data;
+ pbe_param->ivLen = derIV.len;
+ PORT_Assert(pbe_param->ivLen == ivLen);
+ return SECSuccess;
+}
+
+static SECStatus
+nsspkcs5_FillInParam(SECOidTag algorithm, HASH_HashType hashType,
+ NSSPKCS5PBEParameter *pbe_param)
+{
+ PRBool skipType = PR_FALSE;
+ SECStatus rv;
+
+ pbe_param->keyLen = 5;
+ pbe_param->ivLen = 8;
+ pbe_param->hashType = hashType;
+ pbe_param->pbeType = NSSPKCS5_PBKDF1;
+ pbe_param->encAlg = SEC_OID_RC2_CBC;
+ pbe_param->is2KeyDES = PR_FALSE;
+ switch (algorithm) {
+ /* DES3 Algorithms */
+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_2KEY_TRIPLE_DES_CBC:
+ pbe_param->is2KeyDES = PR_TRUE;
+ /* fall through */
+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC:
+ pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+ /* fall through */
+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC:
+ pbe_param->keyLen = 24;
+ pbe_param->encAlg = SEC_OID_DES_EDE3_CBC;
+ break;
+
+ /* DES Algorithms */
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+ pbe_param->hashType = HASH_AlgMD2;
+ goto finish_des;
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+ pbe_param->hashType = HASH_AlgMD5;
+ /* fall through */
+ case SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC:
+ finish_des:
+ pbe_param->keyLen = 8;
+ pbe_param->encAlg = SEC_OID_DES_CBC;
+ break;
+
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ /* RC2 Algorithms */
+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+ pbe_param->keyLen = 16;
+ /* fall through */
+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+ pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+ break;
+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
+ pbe_param->keyLen = 16;
+ /* fall through */
+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
+ break;
+#endif
+
+ /* RC4 algorithms */
+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
+ skipType = PR_TRUE;
+ /* fall through */
+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4:
+ pbe_param->keyLen = 16;
+ /* fall through */
+ case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4:
+ if (!skipType) {
+ pbe_param->pbeType = NSSPKCS5_PKCS12_V2;
+ }
+ /* fall through */
+ case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC4:
+ pbe_param->ivLen = 0;
+ pbe_param->encAlg = SEC_OID_RC4;
+ break;
+
+ case SEC_OID_PKCS5_PBKDF2:
+ case SEC_OID_PKCS5_PBES2:
+ case SEC_OID_PKCS5_PBMAC1:
+ /* everything else will be filled in by the template */
+ pbe_param->ivLen = 0;
+ pbe_param->pbeType = NSSPKCS5_PBKDF2;
+ pbe_param->encAlg = SEC_OID_PKCS5_PBKDF2;
+ pbe_param->keyLen = 0; /* needs to be set by caller after return */
+ break;
+ /* AES uses PBKDF2 */
+ case SEC_OID_AES_128_CBC:
+ rv = nsspkcs5_SetIVParam(pbe_param, 16);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ pbe_param->ivLen = 16;
+ pbe_param->pbeType = NSSPKCS5_PBKDF2;
+ pbe_param->encAlg = algorithm;
+ pbe_param->keyLen = 128 / 8;
+ break;
+ case SEC_OID_AES_192_CBC:
+ rv = nsspkcs5_SetIVParam(pbe_param, 16);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ pbe_param->pbeType = NSSPKCS5_PBKDF2;
+ pbe_param->encAlg = algorithm;
+ pbe_param->keyLen = 192 / 8;
+ break;
+ case SEC_OID_AES_256_CBC:
+ rv = nsspkcs5_SetIVParam(pbe_param, 16);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ pbe_param->pbeType = NSSPKCS5_PBKDF2;
+ pbe_param->encAlg = algorithm;
+ pbe_param->keyLen = 256 / 8;
+ break;
+ case SEC_OID_AES_128_KEY_WRAP:
+ pbe_param->ivLen = 0;
+ pbe_param->pbeType = NSSPKCS5_PBKDF2;
+ pbe_param->encAlg = algorithm;
+ pbe_param->keyLen = 128 / 8;
+ break;
+ case SEC_OID_AES_192_KEY_WRAP:
+ pbe_param->ivLen = 0;
+ pbe_param->pbeType = NSSPKCS5_PBKDF2;
+ pbe_param->encAlg = algorithm;
+ pbe_param->keyLen = 192 / 8;
+ break;
+ case SEC_OID_AES_256_KEY_WRAP:
+ pbe_param->ivLen = 0;
+ pbe_param->pbeType = NSSPKCS5_PBKDF2;
+ pbe_param->encAlg = algorithm;
+ pbe_param->keyLen = 256 / 8;
+ break;
+
+ default:
+ return SECFailure;
+ }
+ if (pbe_param->pbeType == NSSPKCS5_PBKDF2) {
+ SECOidTag prfAlg = HASH_HMACOidFromHash(pbe_param->hashType);
+ if (prfAlg == SEC_OID_UNKNOWN) {
+ return SECFailure;
+ }
+ rv = SECOID_SetAlgorithmID(pbe_param->poolp, &pbe_param->prfAlg,
+ prfAlg, NULL);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ }
+ return SECSuccess;
+}
+
+/* decode the algid and generate a PKCS 5 parameter from it
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_NewParam(SECOidTag alg, HASH_HashType hashType, SECItem *salt,
+ int iterationCount)
+{
+ PLArenaPool *arena = NULL;
+ NSSPKCS5PBEParameter *pbe_param = NULL;
+ SECStatus rv = SECFailure;
+
+ arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ if (arena == NULL)
+ return NULL;
+
+ /* allocate memory for the parameter */
+ pbe_param = (NSSPKCS5PBEParameter *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSPKCS5PBEParameter));
+
+ if (pbe_param == NULL) {
+ goto loser;
+ }
+
+ pbe_param->poolp = arena;
+
+ rv = nsspkcs5_FillInParam(alg, hashType, pbe_param);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ pbe_param->iter = iterationCount;
+ if (salt) {
+ rv = SECITEM_CopyItem(arena, &pbe_param->salt, salt);
+ }
+
+ /* default key gen */
+ pbe_param->keyID = pbeBitGenCipherKey;
+
+loser:
+ if (rv != SECSuccess) {
+ PORT_FreeArena(arena, PR_TRUE);
+ pbe_param = NULL;
+ }
+
+ return pbe_param;
+}
+
+/*
+ * find the hash type needed to implement a specific HMAC.
+ * OID definitions are from pkcs 5 v2.0 and 2.1
+ */
+HASH_HashType
+HASH_FromHMACOid(SECOidTag hmac)
+{
+ switch (hmac) {
+ case SEC_OID_HMAC_SHA1:
+ return HASH_AlgSHA1;
+ case SEC_OID_HMAC_SHA256:
+ return HASH_AlgSHA256;
+ case SEC_OID_HMAC_SHA384:
+ return HASH_AlgSHA384;
+ case SEC_OID_HMAC_SHA512:
+ return HASH_AlgSHA512;
+ case SEC_OID_HMAC_SHA224:
+ default:
+ break;
+ }
+ return HASH_AlgNULL;
+}
+
+SECOidTag
+HASH_HMACOidFromHash(HASH_HashType hashType)
+{
+ switch (hashType) {
+ case HASH_AlgSHA1:
+ return SEC_OID_HMAC_SHA1;
+ case HASH_AlgSHA256:
+ return SEC_OID_HMAC_SHA256;
+ case HASH_AlgSHA384:
+ return SEC_OID_HMAC_SHA384;
+ case HASH_AlgSHA512:
+ return SEC_OID_HMAC_SHA512;
+ case HASH_AlgSHA224:
+ return SEC_OID_HMAC_SHA224;
+ case HASH_AlgMD2:
+ case HASH_AlgMD5:
+ case HASH_AlgTOTAL:
+ default:
+ break;
+ }
+ return SEC_OID_UNKNOWN;
+}
+
+/* decode the algid and generate a PKCS 5 parameter from it
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_AlgidToParam(SECAlgorithmID *algid)
+{
+ NSSPKCS5PBEParameter *pbe_param = NULL;
+ nsspkcs5V2PBEParameter pbev2_param;
+ SECOidTag algorithm;
+ SECStatus rv = SECFailure;
+
+ if (algid == NULL) {
+ return NULL;
+ }
+
+ algorithm = SECOID_GetAlgorithmTag(algid);
+ if (algorithm == SEC_OID_UNKNOWN) {
+ goto loser;
+ }
+
+ pbe_param = nsspkcs5_NewParam(algorithm, HASH_AlgSHA1, NULL, 1);
+ if (pbe_param == NULL) {
+ goto loser;
+ }
+
+ /* decode parameter */
+ rv = SECFailure;
+ switch (pbe_param->pbeType) {
+ case NSSPKCS5_PBKDF1:
+ rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
+ NSSPKCS5PBEParameterTemplate, &algid->parameters);
+ break;
+ case NSSPKCS5_PKCS12_V2:
+ rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
+ NSSPKCS5PKCS12V2PBEParameterTemplate, &algid->parameters);
+ break;
+ case NSSPKCS5_PBKDF2:
+ PORT_Memset(&pbev2_param, 0, sizeof(pbev2_param));
+ /* just the PBE */
+ if (algorithm == SEC_OID_PKCS5_PBKDF2) {
+ rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
+ NSSPKCS5V2PBEParameterTemplate, &algid->parameters);
+ } else {
+ /* PBE data an others */
+ rv = SEC_ASN1DecodeItem(pbe_param->poolp, &pbev2_param,
+ NSSPKCS5V2PBES2ParameterTemplate, &algid->parameters);
+ if (rv != SECSuccess) {
+ break;
+ }
+ pbe_param->encAlg = SECOID_GetAlgorithmTag(&pbev2_param.algParams);
+ rv = SEC_ASN1DecodeItem(pbe_param->poolp, pbe_param,
+ NSSPKCS5V2PBEParameterTemplate,
+ &pbev2_param.keyParams.parameters);
+ if (rv != SECSuccess) {
+ break;
+ }
+ pbe_param->keyLen = DER_GetInteger(&pbe_param->keyLength);
+ }
+ /* we we are encrypting, save any iv's */
+ if (algorithm == SEC_OID_PKCS5_PBES2) {
+ pbe_param->ivLen = pbev2_param.algParams.parameters.len;
+ pbe_param->ivData = pbev2_param.algParams.parameters.data;
+ }
+ pbe_param->hashType =
+ HASH_FromHMACOid(SECOID_GetAlgorithmTag(&pbe_param->prfAlg));
+ if (pbe_param->hashType == HASH_AlgNULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ rv = SECFailure;
+ }
+ break;
+ }
+
+loser:
+ PORT_Memset(&pbev2_param, 0, sizeof(pbev2_param));
+ if (rv == SECSuccess) {
+ pbe_param->iter = DER_GetInteger(&pbe_param->iteration);
+ } else {
+ nsspkcs5_DestroyPBEParameter(pbe_param);
+ pbe_param = NULL;
+ }
+
+ return pbe_param;
+}
+
+/* destroy a pbe parameter. it assumes that the parameter was
+ * generated using the appropriate create function and therefor
+ * contains an arena pool.
+ */
+void
+nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *pbe_param)
+{
+ if (pbe_param != NULL) {
+ PORT_FreeArena(pbe_param->poolp, PR_TRUE);
+ }
+}
+
+/* crypto routines */
+/* perform DES encryption and decryption. these routines are called
+ * by nsspkcs5_CipherData. In the case of an error, NULL is returned.
+ */
+static SECItem *
+sec_pkcs5_des(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des,
+ PRBool encrypt)
+{
+ SECItem *dest;
+ SECItem *dup_src;
+ CK_RV crv = CKR_DEVICE_ERROR;
+ int error;
+ SECStatus rv = SECFailure;
+ DESContext *ctxt;
+ unsigned int pad;
+
+ if ((src == NULL) || (key == NULL) || (iv == NULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
+ dup_src = SECITEM_DupItem(src);
+ if (dup_src == NULL) {
+ return NULL;
+ }
+
+ if (encrypt != PR_FALSE) {
+ void *dummy;
+
+ dummy = CBC_PadBuffer(NULL, dup_src->data,
+ dup_src->len, &dup_src->len, DES_BLOCK_SIZE);
+ if (dummy == NULL) {
+ SECITEM_ZfreeItem(dup_src, PR_TRUE);
+ return NULL;
+ }
+ dup_src->data = (unsigned char *)dummy;
+ }
+
+ dest = SECITEM_AllocItem(NULL, NULL, dup_src->len + MAX_CRYPTO_EXPANSION);
+ if (dest == NULL) {
+ goto loser;
+ }
+ ctxt = DES_CreateContext(key->data, iv->data,
+ (triple_des ? NSS_DES_EDE3_CBC : NSS_DES_CBC),
+ encrypt);
+ if (ctxt == NULL) {
+ goto loser;
+ }
+ rv = (encrypt ? DES_Encrypt : DES_Decrypt)(
+ ctxt, dest->data, &dest->len,
+ dest->len, dup_src->data, dup_src->len);
+
+ crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+ error = PORT_GetError();
+
+ /* remove padding */
+ if ((encrypt == PR_FALSE) && (rv == SECSuccess)) {
+ crv = sftk_CheckCBCPadding(dest->data, dest->len, DES_BLOCK_SIZE, &pad);
+ dest->len = PORT_CT_SEL(sftk_CKRVToMask(crv), dest->len - pad, dest->len);
+ PORT_SetError(PORT_CT_SEL(sftk_CKRVToMask(crv), error, SEC_ERROR_BAD_PASSWORD));
+ }
+ DES_DestroyContext(ctxt, PR_TRUE);
+
+loser:
+ if (crv != CKR_OK) {
+ if (dest != NULL) {
+ SECITEM_ZfreeItem(dest, PR_TRUE);
+ }
+ dest = NULL;
+ }
+
+ if (dup_src != NULL) {
+ SECITEM_ZfreeItem(dup_src, PR_TRUE);
+ }
+
+ return dest;
+}
+
+/* perform aes encryption/decryption if an error occurs, NULL is returned
+ */
+static SECItem *
+sec_pkcs5_aes(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des,
+ PRBool encrypt)
+{
+ SECItem *dest;
+ SECItem *dup_src;
+ CK_RV crv = CKR_DEVICE_ERROR;
+ int error;
+ SECStatus rv = SECFailure;
+ AESContext *ctxt;
+ unsigned int pad;
+
+ if ((src == NULL) || (key == NULL) || (iv == NULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
+ dup_src = SECITEM_DupItem(src);
+ if (dup_src == NULL) {
+ return NULL;
+ }
+
+ if (encrypt != PR_FALSE) {
+ void *dummy;
+
+ dummy = CBC_PadBuffer(NULL, dup_src->data,
+ dup_src->len, &dup_src->len, AES_BLOCK_SIZE);
+ if (dummy == NULL) {
+ SECITEM_ZfreeItem(dup_src, PR_TRUE);
+ return NULL;
+ }
+ dup_src->data = (unsigned char *)dummy;
+ }
+
+ dest = SECITEM_AllocItem(NULL, NULL, dup_src->len + MAX_CRYPTO_EXPANSION);
+ if (dest == NULL) {
+ goto loser;
+ }
+ ctxt = AES_CreateContext(key->data, iv->data, NSS_AES_CBC,
+ encrypt, key->len, AES_BLOCK_SIZE);
+ if (ctxt == NULL) {
+ goto loser;
+ }
+ rv = (encrypt ? AES_Encrypt : AES_Decrypt)(
+ ctxt, dest->data, &dest->len,
+ dest->len, dup_src->data, dup_src->len);
+
+ crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+ error = PORT_GetError();
+
+ /* remove padding */
+ if ((encrypt == PR_FALSE) && (rv == SECSuccess)) {
+ crv = sftk_CheckCBCPadding(dest->data, dest->len, AES_BLOCK_SIZE, &pad);
+ dest->len = PORT_CT_SEL(sftk_CKRVToMask(crv), dest->len - pad, dest->len);
+ PORT_SetError(PORT_CT_SEL(sftk_CKRVToMask(crv), error, SEC_ERROR_BAD_PASSWORD));
+ }
+ AES_DestroyContext(ctxt, PR_TRUE);
+
+loser:
+ if (crv != CKR_OK) {
+ if (dest != NULL) {
+ SECITEM_ZfreeItem(dest, PR_TRUE);
+ }
+ dest = NULL;
+ }
+
+ if (dup_src != NULL) {
+ SECITEM_ZfreeItem(dup_src, PR_TRUE);
+ }
+
+ return dest;
+}
+
+/* perform aes encryption/decryption if an error occurs, NULL is returned
+ */
+static SECItem *
+sec_pkcs5_aes_key_wrap(SECItem *key, SECItem *iv, SECItem *src, PRBool triple_des,
+ PRBool encrypt)
+{
+ SECItem *dest;
+ SECItem *dup_src;
+ CK_RV crv = CKR_DEVICE_ERROR;
+ int error;
+ SECStatus rv = SECFailure;
+ AESKeyWrapContext *ctxt;
+ unsigned int pad;
+
+ if ((src == NULL) || (key == NULL) || (iv == NULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
+ dup_src = SECITEM_DupItem(src);
+ if (dup_src == NULL) {
+ return NULL;
+ }
+
+ if (encrypt != PR_FALSE) {
+ void *dummy;
+
+ dummy = CBC_PadBuffer(NULL, dup_src->data,
+ dup_src->len, &dup_src->len, AES_BLOCK_SIZE);
+ if (dummy == NULL) {
+ SECITEM_ZfreeItem(dup_src, PR_TRUE);
+ return NULL;
+ }
+ dup_src->data = (unsigned char *)dummy;
+ }
+
+ dest = SECITEM_AllocItem(NULL, NULL, dup_src->len + MAX_CRYPTO_EXPANSION);
+ if (dest == NULL) {
+ goto loser;
+ }
+ ctxt = AESKeyWrap_CreateContext(key->data, iv->data, encrypt,
+ key->len);
+
+ if (ctxt == NULL) {
+ goto loser;
+ }
+ rv = (encrypt ? AESKeyWrap_Encrypt : AESKeyWrap_Decrypt)(
+ ctxt, dest->data, &dest->len,
+ dest->len, dup_src->data, dup_src->len);
+
+ crv = (rv == SECSuccess) ? CKR_OK : CKR_DEVICE_ERROR;
+ error = PORT_GetError();
+
+ /* remove padding */
+ if ((encrypt == PR_FALSE) && (rv == SECSuccess)) {
+ crv = sftk_CheckCBCPadding(dest->data, dest->len, AES_BLOCK_SIZE, &pad);
+ dest->len = PORT_CT_SEL(sftk_CKRVToMask(crv), dest->len - pad, dest->len);
+ PORT_SetError(PORT_CT_SEL(sftk_CKRVToMask(crv), error, SEC_ERROR_BAD_PASSWORD));
+ }
+ AESKeyWrap_DestroyContext(ctxt, PR_TRUE);
+
+loser:
+ if (crv != CKR_OK) {
+ if (dest != NULL) {
+ SECITEM_ZfreeItem(dest, PR_TRUE);
+ }
+ dest = NULL;
+ }
+
+ if (dup_src != NULL) {
+ SECITEM_ZfreeItem(dup_src, PR_TRUE);
+ }
+
+ return dest;
+}
+
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+/* perform rc2 encryption/decryption if an error occurs, NULL is returned
+ */
+static SECItem *
+sec_pkcs5_rc2(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy,
+ PRBool encrypt)
+{
+ SECItem *dest;
+ SECItem *dup_src;
+ SECStatus rv = SECFailure;
+ int pad;
+
+ if ((src == NULL) || (key == NULL) || (iv == NULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
+ dup_src = SECITEM_DupItem(src);
+ if (dup_src == NULL) {
+ return NULL;
+ }
+
+ if (encrypt != PR_FALSE) {
+ void *v;
+
+ v = CBC_PadBuffer(NULL, dup_src->data,
+ dup_src->len, &dup_src->len, 8 /* RC2_BLOCK_SIZE */);
+ if (v == NULL) {
+ SECITEM_ZfreeItem(dup_src, PR_TRUE);
+ return NULL;
+ }
+ dup_src->data = (unsigned char *)v;
+ }
+
+ dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+ if (dest != NULL) {
+ dest->data = (unsigned char *)PORT_ZAlloc(dup_src->len + 64);
+ if (dest->data != NULL) {
+ RC2Context *ctxt;
+
+ ctxt = RC2_CreateContext(key->data, key->len, iv->data,
+ NSS_RC2_CBC, key->len);
+
+ if (ctxt != NULL) {
+ rv = (encrypt ? RC2_Encrypt : RC2_Decrypt)(
+ ctxt, dest->data, &dest->len,
+ dup_src->len + 64, dup_src->data, dup_src->len);
+
+ /* assumes 8 byte blocks -- remove padding */
+ if ((rv == SECSuccess) && (encrypt != PR_TRUE)) {
+ pad = dest->data[dest->len - 1];
+ if ((pad > 0) && (pad <= 8)) {
+ if (dest->data[dest->len - pad] != pad) {
+ PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+ rv = SECFailure;
+ } else {
+ dest->len -= pad;
+ }
+ } else {
+ PORT_SetError(SEC_ERROR_BAD_PASSWORD);
+ rv = SECFailure;
+ }
+ }
+ }
+ }
+ }
+
+ if ((rv != SECSuccess) && (dest != NULL)) {
+ SECITEM_ZfreeItem(dest, PR_TRUE);
+ dest = NULL;
+ }
+
+ if (dup_src != NULL) {
+ SECITEM_ZfreeItem(dup_src, PR_TRUE);
+ }
+
+ return dest;
+}
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
+
+/* perform rc4 encryption and decryption */
+static SECItem *
+sec_pkcs5_rc4(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy_op,
+ PRBool encrypt)
+{
+ SECItem *dest;
+ SECStatus rv = SECFailure;
+
+ if ((src == NULL) || (key == NULL) || (iv == NULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
+ dest = (SECItem *)PORT_ZAlloc(sizeof(SECItem));
+ if (dest != NULL) {
+ dest->data = (unsigned char *)PORT_ZAlloc(sizeof(unsigned char) *
+ (src->len + 64));
+ if (dest->data != NULL) {
+ RC4Context *ctxt;
+
+ ctxt = RC4_CreateContext(key->data, key->len);
+ if (ctxt) {
+ rv = (encrypt ? RC4_Encrypt : RC4_Decrypt)(
+ ctxt, dest->data, &dest->len,
+ src->len + 64, src->data, src->len);
+ RC4_DestroyContext(ctxt, PR_TRUE);
+ }
+ }
+ }
+
+ if ((rv != SECSuccess) && (dest)) {
+ SECITEM_ZfreeItem(dest, PR_TRUE);
+ dest = NULL;
+ }
+
+ return dest;
+}
+/* function pointer template for crypto functions */
+typedef SECItem *(*pkcs5_crypto_func)(SECItem *key, SECItem *iv,
+ SECItem *src, PRBool op1, PRBool op2);
+
+/* performs the cipher operation on the src and returns the result.
+ * if an error occurs, NULL is returned.
+ *
+ * a null length password is allowed. this corresponds to encrypting
+ * the data with ust the salt.
+ */
+/* change this to use PKCS 11? */
+SECItem *
+nsspkcs5_CipherData(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
+ SECItem *src, PRBool encrypt, PRBool *update)
+{
+ SECItem *key = NULL, iv;
+ SECItem *dest = NULL;
+ PRBool tripleDES = PR_TRUE;
+ pkcs5_crypto_func cryptof;
+
+ iv.data = NULL;
+
+ if (update) {
+ *update = PR_FALSE;
+ }
+
+ if ((pwitem == NULL) || (src == NULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
+
+ /* get key, and iv */
+ key = nsspkcs5_ComputeKeyAndIV(pbe_param, pwitem, &iv, PR_FALSE);
+ if (key == NULL) {
+ return NULL;
+ }
+
+ switch (pbe_param->encAlg) {
+ /* PKCS 5 v2 only */
+ case SEC_OID_AES_128_KEY_WRAP:
+ case SEC_OID_AES_192_KEY_WRAP:
+ case SEC_OID_AES_256_KEY_WRAP:
+ cryptof = sec_pkcs5_aes_key_wrap;
+ break;
+ case SEC_OID_AES_128_CBC:
+ case SEC_OID_AES_192_CBC:
+ case SEC_OID_AES_256_CBC:
+ cryptof = sec_pkcs5_aes;
+ break;
+ case SEC_OID_DES_EDE3_CBC:
+ cryptof = sec_pkcs5_des;
+ tripleDES = PR_TRUE;
+ break;
+ case SEC_OID_DES_CBC:
+ cryptof = sec_pkcs5_des;
+ tripleDES = PR_FALSE;
+ break;
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case SEC_OID_RC2_CBC:
+ cryptof = sec_pkcs5_rc2;
+ break;
+#endif
+ case SEC_OID_RC4:
+ cryptof = sec_pkcs5_rc4;
+ break;
+ default:
+ cryptof = NULL;
+ break;
+ }
+
+ if (cryptof == NULL) {
+ goto loser;
+ }
+
+ dest = (*cryptof)(key, &iv, src, tripleDES, encrypt);
+ /*
+ * it's possible for some keys and keydb's to claim to
+ * be triple des when they're really des. In this case
+ * we simply try des. If des works we set the update flag
+ * so the key db knows it needs to update all it's entries.
+ * The case can only happen on decrypted of a
+ * SEC_OID_DES_EDE3_CBD.
+ */
+ if ((pbe_param->encAlg == SEC_OID_DES_EDE3_CBC) &&
+ (dest == NULL) && (encrypt == PR_FALSE)) {
+ dest = (*cryptof)(key, &iv, src, PR_FALSE, encrypt);
+ if (update && (dest != NULL))
+ *update = PR_TRUE;
+ }
+
+loser:
+ if (key != NULL) {
+ SECITEM_ZfreeItem(key, PR_TRUE);
+ }
+ if (iv.data != NULL) {
+ SECITEM_ZfreeItem(&iv, PR_FALSE);
+ }
+
+ return dest;
+}
+
+/* creates a algorithm ID containing the PBE algorithm and appropriate
+ * parameters. the required parameter is the algorithm. if salt is
+ * not specified, it is generated randomly. if IV is specified, it overrides
+ * the PKCS 5 generation of the IV.
+ *
+ * the returned SECAlgorithmID should be destroyed using
+ * SECOID_DestroyAlgorithmID
+ */
+SECAlgorithmID *
+nsspkcs5_CreateAlgorithmID(PLArenaPool *arena, SECOidTag algorithm,
+ NSSPKCS5PBEParameter *pbe_param)
+{
+ SECAlgorithmID *algid, *ret_algid = NULL;
+ SECItem der_param;
+ nsspkcs5V2PBEParameter pkcs5v2_param;
+
+ SECStatus rv = SECFailure;
+ void *dummy = NULL;
+
+ if (arena == NULL) {
+ return NULL;
+ }
+
+ der_param.data = NULL;
+ der_param.len = 0;
+
+ /* generate the algorithm id */
+ algid = (SECAlgorithmID *)PORT_ArenaZAlloc(arena, sizeof(SECAlgorithmID));
+ if (algid == NULL) {
+ goto loser;
+ }
+
+ if (pbe_param->iteration.data == NULL) {
+ dummy = SEC_ASN1EncodeInteger(pbe_param->poolp, &pbe_param->iteration,
+ pbe_param->iter);
+ if (dummy == NULL) {
+ goto loser;
+ }
+ }
+ switch (pbe_param->pbeType) {
+ case NSSPKCS5_PBKDF1:
+ dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
+ NSSPKCS5PBEParameterTemplate);
+ break;
+ case NSSPKCS5_PKCS12_V2:
+ dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
+ NSSPKCS5PKCS12V2PBEParameterTemplate);
+ break;
+ case NSSPKCS5_PBKDF2:
+ if (pbe_param->keyLength.data == NULL) {
+ dummy = SEC_ASN1EncodeInteger(pbe_param->poolp,
+ &pbe_param->keyLength, pbe_param->keyLen);
+ if (dummy == NULL) {
+ goto loser;
+ }
+ }
+ PORT_Memset(&pkcs5v2_param, 0, sizeof(pkcs5v2_param));
+ dummy = SEC_ASN1EncodeItem(arena, &der_param, pbe_param,
+ NSSPKCS5V2PBEParameterTemplate);
+ if (dummy == NULL) {
+ break;
+ }
+ dummy = NULL;
+ rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.keyParams,
+ SEC_OID_PKCS5_PBKDF2, &der_param);
+ if (rv != SECSuccess) {
+ break;
+ }
+ der_param.data = pbe_param->ivData;
+ der_param.len = pbe_param->ivLen;
+ rv = SECOID_SetAlgorithmID(arena, &pkcs5v2_param.algParams,
+ pbe_param->encAlg, pbe_param->ivLen ? &der_param : NULL);
+ if (rv != SECSuccess) {
+ dummy = NULL;
+ break;
+ }
+ der_param.data = NULL;
+ der_param.len = 0;
+ dummy = SEC_ASN1EncodeItem(arena, &der_param, &pkcs5v2_param,
+ NSSPKCS5V2PBES2ParameterTemplate);
+ /* If the algorithm was set to some encryption oid, set it
+ * to PBES2 */
+ if ((algorithm != SEC_OID_PKCS5_PBKDF2) &&
+ (algorithm != SEC_OID_PKCS5_PBMAC1)) {
+ algorithm = SEC_OID_PKCS5_PBES2;
+ }
+ break;
+ default:
+ break;
+ }
+
+ if (dummy == NULL) {
+ goto loser;
+ }
+
+ rv = SECOID_SetAlgorithmID(arena, algid, algorithm, &der_param);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ ret_algid = (SECAlgorithmID *)PORT_ZAlloc(sizeof(SECAlgorithmID));
+ if (ret_algid == NULL) {
+ goto loser;
+ }
+
+ rv = SECOID_CopyAlgorithmID(NULL, ret_algid, algid);
+ if (rv != SECSuccess) {
+ SECOID_DestroyAlgorithmID(ret_algid, PR_TRUE);
+ ret_algid = NULL;
+ }
+
+loser:
+
+ return ret_algid;
+}
+
+#define TEST_KEY "pbkdf test key"
+SECStatus
+sftk_fips_pbkdf_PowerUpSelfTests(void)
+{
+ SECItem *result;
+ SECItem inKey;
+ NSSPKCS5PBEParameter pbe_params;
+ unsigned char iteration_count = 5;
+ unsigned char keyLen = 64;
+ char *inKeyData = TEST_KEY;
+ static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+ static const unsigned char pbkdf_known_answer[] = {
+ 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
+ 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
+ 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37,
+ 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90,
+ 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa,
+ 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1,
+ 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66,
+ 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5
+ };
+
+ sftk_PBELockInit();
+
+ inKey.data = (unsigned char *)inKeyData;
+ inKey.len = sizeof(TEST_KEY) - 1;
+
+ pbe_params.salt.data = (unsigned char *)saltData;
+ pbe_params.salt.len = sizeof(saltData);
+ /* the interation and keyLength are used as intermediate
+ * values when decoding the Algorithm ID, set them for completeness,
+ * but they are not used */
+ pbe_params.iteration.data = &iteration_count;
+ pbe_params.iteration.len = 1;
+ pbe_params.keyLength.data = &keyLen;
+ pbe_params.keyLength.len = 1;
+ /* pkcs5v2 stores the key in the AlgorithmID, so we don't need to
+ * generate it here */
+ pbe_params.ivLen = 0;
+ pbe_params.ivData = NULL;
+ /* keyID is only used by pkcs12 extensions to pkcs5v1 */
+ pbe_params.keyID = pbeBitGenCipherKey;
+ /* Algorithm is used by the decryption code after get get our key */
+ pbe_params.encAlg = SEC_OID_AES_256_CBC;
+ /* these are the fields actually used in nsspkcs5_ComputeKeyAndIV
+ * for NSSPKCS5_PBKDF2 */
+ pbe_params.iter = iteration_count;
+ pbe_params.keyLen = keyLen;
+ pbe_params.hashType = HASH_AlgSHA256;
+ pbe_params.pbeType = NSSPKCS5_PBKDF2;
+ pbe_params.is2KeyDES = PR_FALSE;
+
+ result = nsspkcs5_ComputeKeyAndIV(&pbe_params, &inKey, NULL, PR_FALSE);
+ if ((result == NULL) || (result->len != sizeof(pbkdf_known_answer)) ||
+ (PORT_Memcmp(result->data, pbkdf_known_answer, sizeof(pbkdf_known_answer)) != 0)) {
+ SECITEM_FreeItem(result, PR_TRUE);
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ SECITEM_FreeItem(result, PR_TRUE);
+ return SECSuccess;
+}
diff --git a/security/nss/lib/softoken/lowpbe.h b/security/nss/lib/softoken/lowpbe.h
new file mode 100644
index 0000000000..b567c59681
--- /dev/null
+++ b/security/nss/lib/softoken/lowpbe.h
@@ -0,0 +1,112 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SECPKCS5_H_
+#define _SECPKCS5_H_
+
+#include "plarena.h"
+#include "secitem.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "hasht.h"
+
+typedef SECItem *(*SEC_PKCS5GetPBEPassword)(void *arg);
+
+/* used for V2 PKCS 12 Draft Spec */
+typedef enum {
+ pbeBitGenIDNull = 0,
+ pbeBitGenCipherKey = 0x01,
+ pbeBitGenCipherIV = 0x02,
+ pbeBitGenIntegrityKey = 0x03
+} PBEBitGenID;
+
+typedef enum {
+ NSSPKCS5_PBKDF1 = 0,
+ NSSPKCS5_PBKDF2 = 1,
+ NSSPKCS5_PKCS12_V2 = 2
+} NSSPKCS5PBEType;
+
+typedef struct NSSPKCS5PBEParameterStr NSSPKCS5PBEParameter;
+
+struct NSSPKCS5PBEParameterStr {
+ PLArenaPool *poolp;
+ SECItem salt; /* octet string */
+ SECItem iteration; /* integer */
+ SECItem keyLength; /* integer */
+
+ /* used locally */
+ int iter;
+ int keyLen;
+ int ivLen;
+ unsigned char *ivData;
+ HASH_HashType hashType;
+ NSSPKCS5PBEType pbeType;
+ SECAlgorithmID prfAlg;
+ PBEBitGenID keyID;
+ SECOidTag encAlg;
+ PRBool is2KeyDES;
+};
+
+SEC_BEGIN_PROTOS
+/* Create a PKCS5 Algorithm ID
+ * The algorithm ID is set up using the PKCS #5 parameter structure
+ * algorithm is the PBE algorithm ID for the desired algorithm
+ * pbe is a pbe param block with all the info needed to create the
+ * algorithm id.
+ * If an error occurs or the algorithm specified is not supported
+ * or is not a password based encryption algorithm, NULL is returned.
+ * Otherwise, a pointer to the algorithm id is returned.
+ */
+extern SECAlgorithmID *
+nsspkcs5_CreateAlgorithmID(PLArenaPool *arena, SECOidTag algorithm,
+ NSSPKCS5PBEParameter *pbe);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_AlgidToParam(SECAlgorithmID *algid);
+
+/*
+ * Convert an Algorithm ID to a PBE Param.
+ * NOTE: this does not suppport PKCS 5 v2 because it's only used for the
+ * keyDB which only support PKCS 5 v1, PFX, and PKCS 12.
+ */
+NSSPKCS5PBEParameter *
+nsspkcs5_NewParam(SECOidTag alg, HASH_HashType hashType, SECItem *salt,
+ int iterationCount);
+
+/* Encrypt/Decrypt data using password based encryption.
+ * algid is the PBE algorithm identifier,
+ * pwitem is the password,
+ * src is the source for encryption/decryption,
+ * encrypt is PR_TRUE for encryption, PR_FALSE for decryption.
+ * The key and iv are generated based upon PKCS #5 then the src
+ * is either encrypted or decrypted. If an error occurs, NULL
+ * is returned, otherwise the ciphered contents is returned.
+ */
+extern SECItem *
+nsspkcs5_CipherData(NSSPKCS5PBEParameter *, SECItem *pwitem,
+ SECItem *src, PRBool encrypt, PRBool *update);
+
+extern SECItem *
+nsspkcs5_ComputeKeyAndIV(NSSPKCS5PBEParameter *, SECItem *pwitem,
+ SECItem *iv, PRBool faulty3DES);
+
+/* Destroys PBE parameter */
+extern void
+nsspkcs5_DestroyPBEParameter(NSSPKCS5PBEParameter *param);
+
+HASH_HashType HASH_FromHMACOid(SECOidTag oid);
+SECOidTag HASH_HMACOidFromHash(HASH_HashType);
+
+/* fips selftest */
+extern SECStatus
+sftk_fips_pbkdf_PowerUpSelfTests(void);
+
+SEC_END_PROTOS
+
+#endif
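Review bot: The comment above `nsspkcs5_NewParam` is a copy of the `nsspkcs5_AlgidToParam` comment and describes the wrong function, and both carry the "does not suppport PKCS 5 v2" note although the new lowpbe.c decodes `NSSPKCS5_PBKDF2` parameters (plain PBKDF2 and PBES2) and the struct declared here carries `prfAlg`, `encAlg` and `keyLen` for exactly that. Suggest replacing the NewParam comment with one that states its contract, e.g. `/* Allocate a PBE parameter block for alg: salt (if non-NULL) is copied, iterationCount stored, and the result owns an arena — free with nsspkcs5_DestroyPBEParameter. */`, and dropping the v2 sentence (and the typo) from the AlgidToParam comment. The `nsspkcs5_CipherData` comment also omits the `update` out-parameter; a line such as `* update, if non-NULL, is set to PR_TRUE when a DES-EDE3 entry only decrypted as single DES` would document what the implementation does.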
diff --git a/security/nss/lib/softoken/manifest.mn b/security/nss/lib/softoken/manifest.mn
new file mode 100644
index 0000000000..34daf1c4a0
--- /dev/null
+++ b/security/nss/lib/softoken/manifest.mn
@@ -0,0 +1,70 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+CORE_DEPTH = ../..
+
+MODULE = nss
+ifndef NSS_DISABLE_DBM
+DIRS = legacydb
+endif
+
+LIBRARY_NAME = softokn
+LIBRARY_VERSION = 3
+MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def
+
+DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
+
+ifdef SQLITE_INCLUDE_DIR
+INCLUDES += -I$(SQLITE_INCLUDE_DIR)
+endif
+
+EXPORTS = \
+ lowkeyi.h \
+ lowkeyti.h \
+ $(NULL)
+
+PRIVATE_EXPORTS = \
+ pkcs11ni.h \
+ softoken.h \
+ softoknt.h \
+ softkver.h \
+ sdb.h \
+ sftkdbt.h \
+ $(NULL)
+
+CSRCS = \
+ fipsaudt.c \
+ fipstest.c \
+ fipstokn.c \
+ kbkdf.c \
+ lowkey.c \
+ lowpbe.c \
+ padbuf.c \
+ pkcs11.c \
+ pkcs11c.c \
+ pkcs11u.c \
+ sdb.c \
+ sftkdb.c \
+ sftkdhverify.c \
+ sftkhmac.c \
+ sftkike.c \
+ sftkmessage.c \
+ sftkpars.c \
+ sftkpwd.c \
+ softkver.c \
+ tlsprf.c \
+ jpakesftk.c \
+ $(NULL)
+
+ifndef NSS_DISABLE_DBM
+PRIVATE_EXPORTS += lgglue.h
+CSRCS += lgglue.c
+endif
+
+ifdef SQLITE_UNSAFE_THREADS
+DEFINES += -DSQLITE_UNSAFE_THREADS
+endif
+
+# This part of the code, including all sub-dirs, can be optimized for size
+export ALLOW_OPT_CODE_SIZE = 1
diff --git a/security/nss/lib/softoken/padbuf.c b/security/nss/lib/softoken/padbuf.c
new file mode 100644
index 0000000000..6e897f2131
--- /dev/null
+++ b/security/nss/lib/softoken/padbuf.c
@@ -0,0 +1,49 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "blapit.h"
+#include "secport.h"
+#include "secerr.h"
+
+/*
+ * Prepare a buffer for any padded CBC encryption algorithm, growing to the
+ * appropriate boundary and filling with the appropriate padding.
+ * blockSize must be a power of 2.
+ *
+ * NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+ * we assume (and use) XP memory (re)allocation.
+ */
+unsigned char *
+CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf, unsigned int inlen,
+ unsigned int *outlen, int blockSize)
+{
+ unsigned char *outbuf;
+ unsigned int des_len;
+ unsigned int i;
+ unsigned char des_pad_len;
+
+ /*
+ * We need from 1 to blockSize bytes -- we *always* grow.
+ * The extra bytes contain the value of the length of the padding:
+ * if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+ */
+ des_len = (inlen + blockSize) & ~(blockSize - 1);
+
+ if (arena != NULL) {
+ outbuf = (unsigned char *)PORT_ArenaGrow(arena, inbuf, inlen, des_len);
+ } else {
+ outbuf = (unsigned char *)PORT_Realloc(inbuf, des_len);
+ }
+
+ if (outbuf == NULL) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return NULL;
+ }
+
+ des_pad_len = des_len - inlen;
+ for (i = inlen; i < des_len; i++)
+ outbuf[i] = des_pad_len;
+
+ *outlen = des_len;
+ return outbuf;
+}
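Review bot: `CBC_PadBuffer` documents that `blockSize` must be a power of two but never checks it, and `des_len = (inlen + blockSize) & ~(blockSize - 1)` is only meaningful under that precondition: a zero `blockSize` yields `des_len == 0` and `*outlen == 0`, a `blockSize` above 255 truncates the pad byte stored in `des_pad_len`, and an `inlen` close to `UINT_MAX` wraps the sum so the buffer is shrunk rather than grown. A guard at the top — `PORT_Assert(blockSize > 0 && blockSize <= 255 && (blockSize & (blockSize - 1)) == 0);` followed by returning NULL with `SEC_ERROR_INVALID_ARGS` when it (or the overflow check `inlen > UINT_MAX - (unsigned)blockSize`) fails — would make the precondition enforced rather than assumed. The callers visible in lowpbe.c pass only `DES_BLOCK_SIZE`, `AES_BLOCK_SIZE` and `8`, so this is defence in depth. The header comment could also state that on a NULL return `inbuf` is still owned by the caller, which is what those callers rely on when they free `dup_src`.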
diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c
new file mode 100644
index 0000000000..a730ba397e
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -0,0 +1,5416 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "softoken.h"
+#include "lowkeyi.h"
+#include "blapi.h"
+#include "secder.h"
+#include "secport.h"
+#include "secrng.h"
+#include "prtypes.h"
+#include "nspr.h"
+#include "softkver.h"
+#include "secoid.h"
+#include "sftkdb.h"
+#include "utilpars.h"
+#include "ec.h"
+#include "secasn1.h"
+#include "secerr.h"
+#include "lgglue.h"
+
+PRBool parentForkedAfterC_Initialize;
+
+#ifndef NO_FORK_CHECK
+
+PRBool sftkForkCheckDisabled;
+
+#if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED)
+PRBool forked = PR_FALSE;
+#endif
+
+#if defined(CHECK_FORK_GETPID) || defined(CHECK_FORK_MIXED)
+#include <unistd.h>
+pid_t myPid;
+#endif
+
+#ifdef CHECK_FORK_MIXED
+#include <sys/systeminfo.h>
+PRBool usePthread_atfork;
+#endif
+
+#endif
+
+/*
+ * ******************** Static data *******************************
+ */
+
+/* The next three strings must be exactly 32 characters long */
+static char *manufacturerID = "Mozilla Foundation ";
+static char manufacturerID_space[33];
+static char *libraryDescription = "NSS Internal Crypto Services ";
+static char libraryDescription_space[33];
+
+/*
+ * In FIPS mode, we disallow login attempts for 1 second after a login
+ * failure so that there are at most 60 login attempts per minute.
+ */
+static PRIntervalTime loginWaitTime;
+
+#define __PASTE(x, y) x##y
+
+/*
+ * we renamed all our internal functions, get the correct
+ * definitions for them...
+ */
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_PKCS11_3_0 1
+#define CK_EXTERN extern
+#define CK_PKCS11_FUNCTION_INFO(func) \
+ CK_RV __PASTE(NS, func)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* build the crypto module table */
+static CK_FUNCTION_LIST_3_0 sftk_funcList = {
+ { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR },
+
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_PKCS11_FUNCTION_INFO(func) \
+ __PASTE(NS, func) \
+ ,
+#include "pkcs11f.h"
+
+};
+
+/* need a special version of get info for version 2 which returns the version
+ * 2.4 version number */
+CK_RV NSC_GetInfoV2(CK_INFO_PTR pInfo);
+CK_RV NSC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo);
+
+/* build the crypto module table */
+static CK_FUNCTION_LIST sftk_funcList_v2 = {
+ { 2, 40 },
+
+#undef CK_PKCS11_3_0
+#define CK_PKCS_11_2_0_ONLY 1
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+#define C_GetInfo C_GetInfoV2
+#define C_GetMechanismInfo C_GetMechanismInfoV2
+
+#define CK_PKCS11_FUNCTION_INFO(func) \
+ __PASTE(NS, func) \
+ ,
+#include "pkcs11f.h"
+
+};
+
+#undef C_GetInfo
+#undef C_GetMechanismInfo
+#undef CK_PKCS_11_2_0_ONLY
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#undef __PASTE
+
+CK_NSS_MODULE_FUNCTIONS sftk_module_funcList = {
+ { 1, 0 },
+ NSC_ModuleDBFunc
+};
+
+static CK_RV
+nsc_NSSGetFIPSStatus(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ULONG ulOperationType,
+ CK_ULONG *pulFIPSStatus);
+CK_NSS_FIPS_FUNCTIONS sftk_fips_funcList = {
+ { 1, 0 },
+ nsc_NSSGetFIPSStatus
+};
+
+/*
+ * Array is orderd by default first
+ */
+static CK_INTERFACE nss_interfaces[] = {
+ { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_funcList, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "PKCS 11", &sftk_funcList_v2, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "Vendor NSS Module Interface", &sftk_module_funcList, NSS_INTERFACE_FLAGS },
+ { (CK_UTF8CHAR_PTR) "Vendor NSS FIPS Interface", &sftk_fips_funcList, NSS_INTERFACE_FLAGS }
+};
+/* must match the count of interfaces in nss_interfaces above */
+#define NSS_INTERFACE_COUNT 4
+
+/* List of DES Weak Keys */
+typedef unsigned char desKey[8];
+static const desKey sftk_desWeakTable[] = {
+#ifdef noParity
+ /* weak */
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e },
+ { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 },
+ { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
+ /* semi-weak */
+ { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe },
+ { 0xfe, 0x00, 0xfe, 0x00, 0x00, 0xfe, 0x00, 0xfe },
+
+ { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 },
+ { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e },
+
+ { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0x0f, 0x00, 0x0f },
+ { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 },
+
+ { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
+ { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e },
+
+ { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e },
+ { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 },
+
+ { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe },
+ { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 },
+#else
+ /* weak */
+ { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
+ { 0x1f, 0x1f, 0x1f, 0x1f, 0x0e, 0x0e, 0x0e, 0x0e },
+ { 0xe0, 0xe0, 0xe0, 0xe0, 0xf1, 0xf1, 0xf1, 0xf1 },
+ { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe },
+
+ /* semi-weak */
+ { 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe },
+ { 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01, 0xfe, 0x01 },
+
+ { 0x1f, 0xe0, 0x1f, 0xe0, 0x0e, 0xf1, 0x0e, 0xf1 },
+ { 0xe0, 0x1f, 0xe0, 0x1f, 0xf1, 0x0e, 0xf1, 0x0e },
+
+ { 0x01, 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1 },
+ { 0xe0, 0x01, 0xe0, 0x01, 0xf1, 0x01, 0xf1, 0x01 },
+
+ { 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe },
+ { 0xfe, 0x1f, 0xfe, 0x1f, 0xfe, 0x0e, 0xfe, 0x0e },
+
+ { 0x01, 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e },
+ { 0x1f, 0x01, 0x1f, 0x01, 0x0e, 0x01, 0x0e, 0x01 },
+
+ { 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1, 0xfe },
+ { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf1, 0xfe, 0xf1 }
+#endif
+};
+
+static const int sftk_desWeakTableSize = sizeof(sftk_desWeakTable) /
+ sizeof(sftk_desWeakTable[0]);
+
+/* DES KEY Parity conversion table. Takes each byte/2 as an index, returns
+ * that byte with the proper parity bit set */
+static const unsigned char parityTable[256] = {
+ /* Even...0x00,0x02,0x04,0x06,0x08,0x0a,0x0c,0x0e */
+ /* E */ 0x01, 0x02, 0x04, 0x07, 0x08, 0x0b, 0x0d, 0x0e,
+ /* Odd....0x10,0x12,0x14,0x16,0x18,0x1a,0x1c,0x1e */
+ /* O */ 0x10, 0x13, 0x15, 0x16, 0x19, 0x1a, 0x1c, 0x1f,
+ /* Odd....0x20,0x22,0x24,0x26,0x28,0x2a,0x2c,0x2e */
+ /* O */ 0x20, 0x23, 0x25, 0x26, 0x29, 0x2a, 0x2c, 0x2f,
+ /* Even...0x30,0x32,0x34,0x36,0x38,0x3a,0x3c,0x3e */
+ /* E */ 0x31, 0x32, 0x34, 0x37, 0x38, 0x3b, 0x3d, 0x3e,
+ /* Odd....0x40,0x42,0x44,0x46,0x48,0x4a,0x4c,0x4e */
+ /* O */ 0x40, 0x43, 0x45, 0x46, 0x49, 0x4a, 0x4c, 0x4f,
+ /* Even...0x50,0x52,0x54,0x56,0x58,0x5a,0x5c,0x5e */
+ /* E */ 0x51, 0x52, 0x54, 0x57, 0x58, 0x5b, 0x5d, 0x5e,
+ /* Even...0x60,0x62,0x64,0x66,0x68,0x6a,0x6c,0x6e */
+ /* E */ 0x61, 0x62, 0x64, 0x67, 0x68, 0x6b, 0x6d, 0x6e,
+ /* Odd....0x70,0x72,0x74,0x76,0x78,0x7a,0x7c,0x7e */
+ /* O */ 0x70, 0x73, 0x75, 0x76, 0x79, 0x7a, 0x7c, 0x7f,
+ /* Odd....0x80,0x82,0x84,0x86,0x88,0x8a,0x8c,0x8e */
+ /* O */ 0x80, 0x83, 0x85, 0x86, 0x89, 0x8a, 0x8c, 0x8f,
+ /* Even...0x90,0x92,0x94,0x96,0x98,0x9a,0x9c,0x9e */
+ /* E */ 0x91, 0x92, 0x94, 0x97, 0x98, 0x9b, 0x9d, 0x9e,
+ /* Even...0xa0,0xa2,0xa4,0xa6,0xa8,0xaa,0xac,0xae */
+ /* E */ 0xa1, 0xa2, 0xa4, 0xa7, 0xa8, 0xab, 0xad, 0xae,
+ /* Odd....0xb0,0xb2,0xb4,0xb6,0xb8,0xba,0xbc,0xbe */
+ /* O */ 0xb0, 0xb3, 0xb5, 0xb6, 0xb9, 0xba, 0xbc, 0xbf,
+ /* Even...0xc0,0xc2,0xc4,0xc6,0xc8,0xca,0xcc,0xce */
+ /* E */ 0xc1, 0xc2, 0xc4, 0xc7, 0xc8, 0xcb, 0xcd, 0xce,
+ /* Odd....0xd0,0xd2,0xd4,0xd6,0xd8,0xda,0xdc,0xde */
+ /* O */ 0xd0, 0xd3, 0xd5, 0xd6, 0xd9, 0xda, 0xdc, 0xdf,
+ /* Odd....0xe0,0xe2,0xe4,0xe6,0xe8,0xea,0xec,0xee */
+ /* O */ 0xe0, 0xe3, 0xe5, 0xe6, 0xe9, 0xea, 0xec, 0xef,
+ /* Even...0xf0,0xf2,0xf4,0xf6,0xf8,0xfa,0xfc,0xfe */
+ /* E */ 0xf1, 0xf2, 0xf4, 0xf7, 0xf8, 0xfb, 0xfd, 0xfe
+};
+
+/* Mechanisms */
+struct mechanismList {
+ CK_MECHANISM_TYPE type;
+ CK_MECHANISM_INFO info;
+ PRBool privkey;
+};
+
+/*
+ * the following table includes a complete list of mechanism defined by
+ * PKCS #11 version 2.01. Those Mechanisms not supported by this PKCS #11
+ * module are ifdef'ed out.
+ */
+#define CKF_EN_DE CKF_ENCRYPT | CKF_DECRYPT
+#define CKF_WR_UN CKF_WRAP | CKF_UNWRAP
+#define CKF_SN_VR CKF_SIGN | CKF_VERIFY
+#define CKF_SN_RE CKF_SIGN_RECOVER | CKF_VERIFY_RECOVER
+#define CKF_EN_DE_MSG CKF_ENCRYPT | CKF_DECRYPT | CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT
+
+#define CKF_EN_DE_WR_UN CKF_EN_DE | CKF_WR_UN
+#define CKF_SN_VR_RE CKF_SN_VR | CKF_SN_RE
+#define CKF_DUZ_IT_ALL CKF_EN_DE_WR_UN | CKF_SN_VR_RE
+
+#define CKF_EC_PNU CKF_EC_F_P | CKF_EC_NAMEDCURVE | CKF_EC_UNCOMPRESS
+
+#define CKF_EC_BPNU CKF_EC_F_2M | CKF_EC_PNU
+
+#define CK_MAX 0xffffffff
+
+static const struct mechanismList mechanisms[] = {
+
+ /*
+ * PKCS #11 Mechanism List.
+ *
+ * The first argument is the PKCS #11 Mechanism we support.
+ * The second argument is Mechanism info structure. It includes:
+ * The minimum key size,
+ * in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs.
+ * in bytes for RC5, AES, Camellia, and CAST*
+ * ignored for DES*, IDEA and FORTEZZA based
+ * The maximum key size,
+ * in bits for RSA, DSA, DH, EC*, KEA, RC2 and RC4 * algs.
+ * in bytes for RC5, AES, Camellia, and CAST*
+ * ignored for DES*, IDEA and FORTEZZA based
+ * Flags
+ * What operations are supported by this mechanism.
+ * The third argument is a bool which tells if this mechanism is
+ * supported in the database token.
+ *
+ */
+
+ /* ------------------------- RSA Operations ---------------------------*/
+ { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
+ { CKM_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_DUZ_IT_ALL }, PR_TRUE },
+ { CKM_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_RSA_PKCS_OAEP, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_EN_DE_WR_UN }, PR_TRUE },
+#ifdef SFTK_RSA9796_SUPPORTED
+ { CKM_RSA_9796, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_DUZ_IT_ALL }, PR_TRUE },
+#endif
+ { CKM_RSA_X_509, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_DUZ_IT_ALL }, PR_TRUE },
+ /* -------------- RSA Multipart Signing Operations -------------------- */
+ { CKM_MD2_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_MD5_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA1_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA224_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA256_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA384_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA512_RSA_PKCS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA1_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_MIN_MODULUS_BITS, CK_MAX, CKF_SN_VR }, PR_TRUE },
+ /* ------------------------- DSA Operations --------------------------- */
+ { CKM_DSA_KEY_PAIR_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
+ { CKM_DSA, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_PARAMETER_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE }, PR_TRUE },
+ { CKM_DSA_SHA1, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_SHA224, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_SHA256, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_SHA384, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ { CKM_DSA_SHA512, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
+ /* -------------------- Diffie Hellman Operations --------------------- */
+ /* no diffie hellman yet */
+ { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
+ { CKM_DH_PKCS_DERIVE, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_DERIVE }, PR_TRUE },
+ /* -------------------- Elliptic Curve Operations --------------------- */
+ { CKM_EC_KEY_PAIR_GEN, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_GENERATE_KEY_PAIR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDH1_DERIVE, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_DERIVE | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA1, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA224, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA256, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA384, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ { CKM_ECDSA_SHA512, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
+ /* ------------------------- RC2 Operations --------------------------- */
+ { CKM_RC2_KEY_GEN, { 1, 128, CKF_GENERATE }, PR_TRUE },
+ { CKM_RC2_ECB, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_RC2_CBC, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_RC2_MAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_RC2_MAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_RC2_CBC_PAD, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
+ /* ------------------------- RC4 Operations --------------------------- */
+ { CKM_RC4_KEY_GEN, { 1, 256, CKF_GENERATE }, PR_FALSE },
+ { CKM_RC4, { 1, 256, CKF_EN_DE_WR_UN }, PR_FALSE },
+ /* ------------------------- DES Operations --------------------------- */
+ { CKM_DES_KEY_GEN, { 8, 8, CKF_GENERATE }, PR_TRUE },
+ { CKM_DES_ECB, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES_CBC, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES_MAC, { 8, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_DES_MAC_GENERAL, { 8, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_DES_CBC_PAD, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES2_KEY_GEN, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_DES3_KEY_GEN, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_DES3_ECB, { 24, 24, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES3_CBC, { 24, 24, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_DES3_MAC, { 24, 24, CKF_SN_VR }, PR_TRUE },
+ { CKM_DES3_MAC_GENERAL, { 24, 24, CKF_SN_VR }, PR_TRUE },
+ { CKM_DES3_CBC_PAD, { 24, 24, CKF_EN_DE_WR_UN }, PR_TRUE },
+ /* ------------------------- CDMF Operations --------------------------- */
+ { CKM_CDMF_KEY_GEN, { 8, 8, CKF_GENERATE }, PR_TRUE },
+ { CKM_CDMF_ECB, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CDMF_CBC, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CDMF_MAC, { 8, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_CDMF_MAC_GENERAL, { 8, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_CDMF_CBC_PAD, { 8, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ /* ------------------------- AES Operations --------------------------- */
+ { CKM_AES_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_AES_ECB, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_CBC, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_MAC, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_MAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_CMAC, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_CMAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_CBC_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_AES_GCM, { 16, 32, CKF_EN_DE_MSG }, PR_TRUE },
+ { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
+ { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ /* ------------------------- Camellia Operations --------------------- */
+ { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_CAMELLIA_ECB, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAMELLIA_CBC, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAMELLIA_MAC, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAMELLIA_MAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAMELLIA_CBC_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+/* ------------------------- SEED Operations --------------------------- */
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ { CKM_SEED_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_SEED_ECB, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_SEED_CBC, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_SEED_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_SEED_MAC_GENERAL, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_SEED_CBC_PAD, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+#endif
+/* ------------------------- ChaCha20 Operations ---------------------- */
+#ifndef NSS_DISABLE_CHACHAPOLY
+ { CKM_NSS_CHACHA20_KEY_GEN, { 32, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_CHACHA20_POLY1305, { 32, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_NSS_CHACHA20_CTR, { 32, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_CHACHA20_KEY_GEN, { 32, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_CHACHA20, { 32, 32, CKF_EN_DE }, PR_TRUE },
+ { CKM_CHACHA20_POLY1305, { 32, 32, CKF_EN_DE_MSG }, PR_TRUE },
+#endif /* NSS_DISABLE_CHACHAPOLY */
+ /* ------------------------- Hashing Operations ----------------------- */
+ { CKM_MD2, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_MD2_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_MD2_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_MD5, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_MD5_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_MD5_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA_1, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA_1_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA_1_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA224, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA224_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA224_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA256, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA256_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA256_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA384, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA384_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA384_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA512, { 0, 0, CKF_DIGEST }, PR_FALSE },
+ { CKM_SHA512_HMAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_SHA512_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+ { CKM_TLS_PRF_GENERAL, { 0, 512, CKF_SN_VR }, PR_FALSE },
+ { CKM_TLS_MAC, { 0, 512, CKF_SN_VR }, PR_FALSE },
+ { CKM_NSS_TLS_PRF_GENERAL_SHA256,
+ { 0, 512, CKF_SN_VR },
+ PR_FALSE },
+ /* ------------------------- HKDF Operations -------------------------- */
+ { CKM_HKDF_DERIVE, { 1, 255 * 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_HKDF_DATA, { 1, 255 * 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_HKDF_KEY_GEN, { 20, 64, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_HKDF_SHA1, { 1, 128, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_HKDF_SHA256, { 1, 128, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_HKDF_SHA384, { 1, 128, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_HKDF_SHA512, { 1, 128, CKF_DERIVE }, PR_TRUE },
+/* ------------------------- CAST Operations --------------------------- */
+#ifdef NSS_SOFTOKEN_DOES_CAST
+ /* Cast operations are not supported ( yet? ) */
+ { CKM_CAST_KEY_GEN, { 1, 8, CKF_GENERATE }, PR_TRUE },
+ { CKM_CAST_ECB, { 1, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST_CBC, { 1, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST_MAC, { 1, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST_MAC_GENERAL, { 1, 8, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST_CBC_PAD, { 1, 8, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST3_KEY_GEN, { 1, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_CAST3_ECB, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST3_CBC, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST3_MAC, { 1, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST3_MAC_GENERAL, { 1, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST3_CBC_PAD, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST5_KEY_GEN, { 1, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_CAST5_ECB, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST5_CBC, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_CAST5_MAC, { 1, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST5_MAC_GENERAL, { 1, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_CAST5_CBC_PAD, { 1, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+#endif
+#if NSS_SOFTOKEN_DOES_RC5
+ /* ------------------------- RC5 Operations --------------------------- */
+ { CKM_RC5_KEY_GEN, { 1, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_RC5_ECB, { 1, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_RC5_CBC, { 1, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_RC5_MAC, { 1, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_RC5_MAC_GENERAL, { 1, 32, CKF_SN_VR }, PR_TRUE },
+ { CKM_RC5_CBC_PAD, { 1, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+#endif
+#ifdef NSS_SOFTOKEN_DOES_IDEA
+ /* ------------------------- IDEA Operations -------------------------- */
+ { CKM_IDEA_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_IDEA_ECB, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_IDEA_CBC, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_IDEA_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_IDEA_MAC_GENERAL, { 16, 16, CKF_SN_VR }, PR_TRUE },
+ { CKM_IDEA_CBC_PAD, { 16, 16, CKF_EN_DE_WR_UN }, PR_TRUE },
+#endif
+ /* --------------------- Secret Key Operations ------------------------ */
+ { CKM_GENERIC_SECRET_KEY_GEN, { 1, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_DES3_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_DES3_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_AES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_AES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_CAMELLIA_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_CAMELLIA_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ { CKM_SEED_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_SEED_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+#endif
+ /* ---------------------- SSL Key Derivations ------------------------- */
+ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_FALSE },
+ { CKM_SSL3_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_SSL3_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE },
+ { CKM_SSL3_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_SSL3_MD5_MAC, { 0, 16, CKF_DERIVE }, PR_FALSE },
+ { CKM_SSL3_SHA1_MAC, { 0, 20, CKF_DERIVE }, PR_FALSE },
+ { CKM_MD5_KEY_DERIVATION, { 0, 16, CKF_DERIVE }, PR_FALSE },
+ { CKM_MD2_KEY_DERIVATION, { 0, 16, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA1_KEY_DERIVATION, { 0, 20, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA224_KEY_DERIVATION, { 0, 28, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA256_KEY_DERIVATION, { 0, 32, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA384_KEY_DERIVATION, { 0, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_SHA512_KEY_DERIVATION, { 0, 64, CKF_DERIVE }, PR_FALSE },
+ { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256,
+ { 48, 48, CKF_DERIVE },
+ PR_FALSE },
+ { CKM_TLS_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE },
+ { CKM_TLS12_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE },
+ { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256,
+ { 8, 128, CKF_DERIVE },
+ PR_FALSE },
+ { CKM_TLS_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_TLS12_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
+ { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256,
+ { 48, 48, CKF_DERIVE },
+ PR_FALSE },
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE,
+ { 48, 128, CKF_DERIVE },
+ PR_FALSE },
+ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH,
+ { 48, 128, CKF_DERIVE },
+ PR_FALSE },
+ /* ---------------------- PBE Key Derivations ------------------------ */
+ { CKM_PBE_MD2_DES_CBC, { 8, 8, CKF_DERIVE }, PR_TRUE },
+ { CKM_PBE_MD5_DES_CBC, { 8, 8, CKF_DERIVE }, PR_TRUE },
+ /* ------------------ NSS PBE Key Derivations ------------------- */
+ { CKM_NSS_PBE_SHA1_DES_CBC, { 8, 8, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PBE_SHA1_FAULTY_3DES_CBC, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_DES3_EDE_CBC, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_DES2_EDE_CBC, { 24, 24, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_RC2_40_CBC, { 40, 40, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_RC2_128_CBC, { 128, 128, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_RC4_40, { 40, 40, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBE_SHA1_RC4_128, { 128, 128, CKF_GENERATE }, PR_TRUE },
+ { CKM_PBA_SHA1_WITH_SHA1_HMAC, { 20, 20, CKF_GENERATE }, PR_TRUE },
+ { CKM_PKCS5_PBKD2, { 1, 256, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PBE_SHA1_HMAC_KEY_GEN, { 20, 20, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PBE_MD5_HMAC_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PBE_MD2_HMAC_KEY_GEN, { 16, 16, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 28, 28, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 32, 32, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 64, 64, CKF_GENERATE }, PR_TRUE },
+ /* ------------------ NIST 800-108 Key Derivations ------------------- */
+ { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_DERIVE }, PR_TRUE },
+ /* ------------------ AES Key Wrap (also encrypt) ------------------- */
+ { CKM_NSS_AES_KEY_WRAP, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_NSS_AES_KEY_WRAP_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_KEY_WRAP, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_KEY_WRAP_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ { CKM_AES_KEY_WRAP_KWP, { 1, 32, CKF_EN_DE_WR_UN }, PR_TRUE },
+ /* --------------------------- J-PAKE -------------------------------- */
+ { CKM_NSS_JPAKE_ROUND1_SHA1, { 0, 0, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND1_SHA256, { 0, 0, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND1_SHA384, { 0, 0, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND1_SHA512, { 0, 0, CKF_GENERATE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND2_SHA1, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND2_SHA256, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND2_SHA384, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_ROUND2_SHA512, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_FINAL_SHA1, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_FINAL_SHA256, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_FINAL_SHA384, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_JPAKE_FINAL_SHA512, { 0, 0, CKF_DERIVE }, PR_TRUE },
+ /* -------------------- Constant Time TLS MACs ----------------------- */
+ { CKM_NSS_HMAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE },
+ { CKM_NSS_SSL3_MAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE },
+ /* --------------------IPSEC ----------------------- */
+ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
+};
+static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
+
+/* sigh global so fipstokn can read it */
+PRBool nsc_init = PR_FALSE;
+
+#if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED)
+
+#include <pthread.h>
+
+static void
+ForkedChild(void)
+{
+ if (nsc_init || nsf_init) {
+ forked = PR_TRUE;
+ }
+}
+
+#endif
+
+static char *
+sftk_setStringName(const char *inString, char *buffer, int buffer_length, PRBool nullTerminate)
+{
+ int full_length, string_length;
+
+ full_length = nullTerminate ? buffer_length - 1 : buffer_length;
+ string_length = PORT_Strlen(inString);
+ /*
+ * shorten the string, respecting utf8 encoding
+ * to do so, we work backward from the end
+ * bytes looking from the end are either:
+ * - ascii [0x00,0x7f]
+ * - the [2-n]th byte of a multibyte sequence
+ * [0x3F,0xBF], i.e, most significant 2 bits are '10'
+ * - the first byte of a multibyte sequence [0xC0,0xFD],
+ * i.e, most significant 2 bits are '11'
+ *
+ * When the string is too long, we lop off any trailing '10' bytes,
+ * if any. When these are all eliminated we lop off
+ * one additional byte. Thus if we lopped any '10'
+ * we'll be lopping a '11' byte (the first byte of the multibyte sequence),
+ * otherwise we're lopping off an ascii character.
+ *
+ * To test for '10' bytes, we first AND it with
+ * 11000000 (0xc0) so that we get 10000000 (0x80) if and only if
+ * the byte starts with 10. We test for equality.
+ */
+ while (string_length > full_length) {
+ /* need to shorten */
+ while (string_length > 0 &&
+ ((inString[string_length - 1] & (char)0xc0) == (char)0x80)) {
+ /* lop off '10' byte */
+ string_length--;
+ }
+ /*
+ * test string_length in case bad data is received
+ * and string consisted of all '10' bytes,
+ * avoiding any infinite loop
+ */
+ if (string_length) {
+ /* remove either '11' byte or an asci byte */
+ string_length--;
+ }
+ }
+ PORT_Memset(buffer, ' ', full_length);
+ if (nullTerminate) {
+ buffer[full_length] = 0;
+ }
+ PORT_Memcpy(buffer, inString, string_length);
+ return buffer;
+}
+/*
+ * Configuration utils
+ */
+static CK_RV
+sftk_configure(const char *man, const char *libdes)
+{
+
+ /* make sure the internationalization was done correctly... */
+ if (man) {
+ manufacturerID = sftk_setStringName(man, manufacturerID_space,
+ sizeof(manufacturerID_space), PR_TRUE);
+ }
+ if (libdes) {
+ libraryDescription = sftk_setStringName(libdes,
+ libraryDescription_space, sizeof(libraryDescription_space),
+ PR_TRUE);
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * ******************** Password Utilities *******************************
+ */
+
+/*
+ * see if the key DB password is enabled
+ */
+static PRBool
+sftk_hasNullPassword(SFTKSlot *slot, SFTKDBHandle *keydb)
+{
+ PRBool pwenabled;
+
+ pwenabled = PR_FALSE;
+ if (sftkdb_HasPasswordSet(keydb) == SECSuccess) {
+ PRBool tokenRemoved = PR_FALSE;
+ SECStatus rv = sftkdb_CheckPasswordNull(keydb, &tokenRemoved);
+ if (tokenRemoved) {
+ sftk_CloseAllSessions(slot, PR_FALSE);
+ }
+ return (rv == SECSuccess);
+ }
+
+ return pwenabled;
+}
+
+/*
+ * ******************** Object Creation Utilities ***************************
+ */
+
+/* Make sure a given attribute exists. If it doesn't, initialize it to
+ * value and len
+ */
+CK_RV
+sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len)
+{
+ if (!sftk_hasAttribute(object, type)) {
+ return sftk_AddAttributeType(object, type, value, len);
+ }
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Data Object
+ */
+static CK_RV
+sftk_handleDataObject(SFTKSession *session, SFTKObject *object)
+{
+ CK_RV crv;
+
+ /* first reject private and token data objects */
+ if (sftk_isTrue(object, CKA_PRIVATE) || sftk_isTrue(object, CKA_TOKEN)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* now just verify the required date fields */
+ crv = sftk_defaultAttribute(object, CKA_APPLICATION, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_VALUE, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Certificate Object
+ */
+static CK_RV
+sftk_handleCertObject(SFTKSession *session, SFTKObject *object)
+{
+ CK_CERTIFICATE_TYPE type;
+ SFTKAttribute *attribute;
+ CK_RV crv;
+
+ /* certificates must have a type */
+ if (!sftk_hasAttribute(object, CKA_CERTIFICATE_TYPE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* we can't store any certs private */
+ if (sftk_isTrue(object, CKA_PRIVATE)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* We only support X.509 Certs for now */
+ attribute = sftk_FindAttribute(object, CKA_CERTIFICATE_TYPE);
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+ type = *(CK_CERTIFICATE_TYPE *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+
+ if (type != CKC_X_509) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* X.509 Certificate */
+
+ /* make sure we have a cert */
+ if (!sftk_hasAttribute(object, CKA_VALUE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* in PKCS #11, Subject is a required field */
+ if (!sftk_hasAttribute(object, CKA_SUBJECT)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* in PKCS #11, Issuer is a required field */
+ if (!sftk_hasAttribute(object, CKA_ISSUER)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* in PKCS #11, Serial is a required field */
+ if (!sftk_hasAttribute(object, CKA_SERIAL_NUMBER)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* add it to the object */
+ object->objectInfo = NULL;
+ object->infoFree = (SFTKFree)NULL;
+
+ /* now just verify the required date fields */
+ crv = sftk_defaultAttribute(object, CKA_ID, NULL, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+sftk_handleTrustObject(SFTKSession *session, SFTKObject *object)
+{
+ /* we can't store any certs private */
+ if (sftk_isTrue(object, CKA_PRIVATE)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* certificates must have a type */
+ if (!sftk_hasAttribute(object, CKA_ISSUER)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_SERIAL_NUMBER)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_CERT_SHA1_HASH)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_CERT_MD5_HASH)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+ CK_RV crv;
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+sftk_handleSMimeObject(SFTKSession *session, SFTKObject *object)
+{
+
+ /* we can't store any certs private */
+ if (sftk_isTrue(object, CKA_PRIVATE)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* certificates must have a type */
+ if (!sftk_hasAttribute(object, CKA_SUBJECT)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_NSS_EMAIL)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle;
+ CK_RV crv;
+
+ PORT_Assert(slot);
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ certHandle = sftk_getCertDB(slot);
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Trust Object
+ */
+static CK_RV
+sftk_handleCrlObject(SFTKSession *session, SFTKObject *object)
+{
+
+ /* we can't store any certs private */
+ if (sftk_isTrue(object, CKA_PRIVATE)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* certificates must have a type */
+ if (!sftk_hasAttribute(object, CKA_SUBJECT)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_VALUE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+ CK_RV crv;
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * check the consistancy and initialize a Public Key Object
+ */
+static CK_RV
+sftk_handlePublicKeyObject(SFTKSession *session, SFTKObject *object,
+ CK_KEY_TYPE key_type)
+{
+ CK_BBOOL encrypt = CK_TRUE;
+ CK_BBOOL recover = CK_TRUE;
+ CK_BBOOL wrap = CK_TRUE;
+ CK_BBOOL derive = CK_FALSE;
+ CK_BBOOL verify = CK_TRUE;
+ CK_RV crv;
+
+ switch (key_type) {
+ case CKK_RSA:
+ crv = sftk_ConstrainAttribute(object, CKA_MODULUS,
+ RSA_MIN_MODULUS_BITS, 0, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_PUBLIC_EXPONENT, 2, 0, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ break;
+ case CKK_DSA:
+ crv = sftk_ConstrainAttribute(object, CKA_SUBPRIME,
+ DSA_MIN_Q_BITS, DSA_MAX_Q_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_PRIME,
+ DSA_MIN_P_BITS, DSA_MAX_P_BITS, 64);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_BASE, 2, DSA_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_VALUE, 2, DSA_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ encrypt = CK_FALSE;
+ recover = CK_FALSE;
+ wrap = CK_FALSE;
+ break;
+ case CKK_DH:
+ crv = sftk_ConstrainAttribute(object, CKA_PRIME,
+ DH_MIN_P_BITS, DH_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_BASE, 2, DH_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_ConstrainAttribute(object, CKA_VALUE, 2, DH_MAX_P_BITS, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ verify = CK_FALSE;
+ derive = CK_TRUE;
+ encrypt = CK_FALSE;
+ recover = CK_FALSE;
+ wrap = CK_FALSE;
+ break;
+ case CKK_EC:
+ if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_EC_POINT)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ derive = CK_TRUE; /* for ECDH */
+ verify = CK_TRUE; /* for ECDSA */
+ encrypt = CK_FALSE;
+ recover = CK_FALSE;
+ wrap = CK_FALSE;
+ break;
+ default:
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ /* make sure the required fields exist */
+ crv = sftk_defaultAttribute(object, CKA_SUBJECT, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_ENCRYPT, &encrypt, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_VERIFY, &verify, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_VERIFY_RECOVER,
+ &recover, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_WRAP, &wrap, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_DERIVE, &derive, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+
+ object->objectInfo = sftk_GetPubKey(object, key_type, &crv);
+ if (object->objectInfo == NULL) {
+ return crv;
+ }
+ object->infoFree = (SFTKFree)nsslowkey_DestroyPublicKey;
+
+ /* Check that an imported EC key is valid */
+ if (key_type == CKK_EC) {
+ NSSLOWKEYPublicKey *pubKey = (NSSLOWKEYPublicKey *)object->objectInfo;
+ SECStatus rv = EC_ValidatePublicKey(&pubKey->u.ec.ecParams,
+ &pubKey->u.ec.publicValue);
+
+ if (rv != SECSuccess) {
+ return CKR_TEMPLATE_INCONSISTENT;
+ }
+ }
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+
+ if (certHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(certHandle, object, &object->handle);
+ sftk_freeDB(certHandle);
+ return crv;
+ }
+
+ return CKR_OK;
+}
+
+static NSSLOWKEYPrivateKey *
+sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key, CK_RV *rvp);
+
+static SECStatus
+sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded);
+
+/*
+ * check the consistancy and initialize a Private Key Object
+ */
+static CK_RV
+sftk_handlePrivateKeyObject(SFTKSession *session, SFTKObject *object, CK_KEY_TYPE key_type)
+{
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_BBOOL encrypt = CK_TRUE;
+ CK_BBOOL sign = CK_FALSE;
+ CK_BBOOL recover = CK_TRUE;
+ CK_BBOOL wrap = CK_TRUE;
+ CK_BBOOL derive = CK_TRUE;
+ CK_BBOOL ckfalse = CK_FALSE;
+ PRBool createObjectInfo = PR_TRUE;
+ PRBool fillPrivateKey = PR_FALSE;
+ int missing_rsa_mod_component = 0;
+ int missing_rsa_exp_component = 0;
+ int missing_rsa_crt_component = 0;
+
+ SECItem mod;
+ CK_RV crv;
+ SECStatus rv;
+
+ switch (key_type) {
+ case CKK_RSA:
+ if (!sftk_hasAttribute(object, CKA_MODULUS)) {
+ missing_rsa_mod_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_PUBLIC_EXPONENT)) {
+ missing_rsa_exp_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_PRIVATE_EXPONENT)) {
+ missing_rsa_exp_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_PRIME_1)) {
+ missing_rsa_mod_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_PRIME_2)) {
+ missing_rsa_mod_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_EXPONENT_1)) {
+ missing_rsa_crt_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_EXPONENT_2)) {
+ missing_rsa_crt_component++;
+ }
+ if (!sftk_hasAttribute(object, CKA_COEFFICIENT)) {
+ missing_rsa_crt_component++;
+ }
+ if (missing_rsa_mod_component || missing_rsa_exp_component ||
+ missing_rsa_crt_component) {
+ /* we are missing a component, see if we have enough to rebuild
+ * the rest */
+ int have_exp = 2 - missing_rsa_exp_component;
+ int have_component = 5 -
+ (missing_rsa_exp_component + missing_rsa_mod_component);
+
+ if ((have_exp == 0) || (have_component < 3)) {
+ /* nope, not enough to reconstruct the private key */
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ fillPrivateKey = PR_TRUE;
+ }
+ /*verify the parameters for consistency*/
+ rv = sftk_verifyRSAPrivateKey(object, fillPrivateKey);
+ if (rv != SECSuccess) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* make sure Netscape DB attribute is set correctly */
+ crv = sftk_Attribute2SSecItem(NULL, &mod, object, CKA_MODULUS);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_forceAttribute(object, CKA_NSS_DB,
+ sftk_item_expand(&mod));
+ if (mod.data)
+ SECITEM_ZfreeItem(&mod, PR_FALSE);
+ if (crv != CKR_OK)
+ return crv;
+
+ sign = CK_TRUE;
+ derive = CK_FALSE;
+ break;
+ case CKK_DSA:
+ if (!sftk_hasAttribute(object, CKA_SUBPRIME)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ sign = CK_TRUE;
+ derive = CK_FALSE;
+ /* fall through */
+ case CKK_DH:
+ if (!sftk_hasAttribute(object, CKA_PRIME)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_BASE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_VALUE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ /* allow subprime to be set after the fact */
+ crv = sftk_defaultAttribute(object, CKA_SUBPRIME, NULL, 0);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ encrypt = CK_FALSE;
+ recover = CK_FALSE;
+ wrap = CK_FALSE;
+ break;
+ case CKK_EC:
+ if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (!sftk_hasAttribute(object, CKA_VALUE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ encrypt = CK_FALSE;
+ sign = CK_TRUE;
+ recover = CK_FALSE;
+ wrap = CK_FALSE;
+ break;
+ case CKK_NSS_JPAKE_ROUND1:
+ if (!sftk_hasAttribute(object, CKA_PRIME) ||
+ !sftk_hasAttribute(object, CKA_SUBPRIME) ||
+ !sftk_hasAttribute(object, CKA_BASE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ /* fall through */
+ case CKK_NSS_JPAKE_ROUND2:
+ /* CKA_NSS_JPAKE_SIGNERID and CKA_NSS_JPAKE_PEERID are checked in
+ the J-PAKE code. */
+ encrypt = sign = recover = wrap = CK_FALSE;
+ derive = CK_TRUE;
+ createObjectInfo = PR_FALSE;
+ break;
+ default:
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ crv = sftk_defaultAttribute(object, CKA_SUBJECT, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_DECRYPT, &encrypt, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_SIGN, &sign, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_SIGN_RECOVER, &recover,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_UNWRAP, &wrap, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_DERIVE, &derive, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ /* the next two bits get modified only in the key gen and token cases */
+ crv = sftk_forceAttribute(object, CKA_ALWAYS_SENSITIVE,
+ &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_forceAttribute(object, CKA_NEVER_EXTRACTABLE,
+ &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+
+ /* should we check the non-token RSA private keys? */
+
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
+
+ if (keyHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(keyHandle, object, &object->handle);
+ sftk_freeDB(keyHandle);
+ return crv;
+ } else if (createObjectInfo) {
+ object->objectInfo = sftk_mkPrivKey(object, key_type, &crv);
+ if (object->objectInfo == NULL)
+ return crv;
+ object->infoFree = (SFTKFree)nsslowkey_DestroyPrivateKey;
+ }
+ return CKR_OK;
+}
+
+/* forward declare the DES formating function for handleSecretKey */
+void sftk_FormatDESKey(unsigned char *key, int length);
+
+/* Validate secret key data, and set defaults */
+static CK_RV
+validateSecretKey(SFTKSession *session, SFTKObject *object,
+ CK_KEY_TYPE key_type, PRBool isFIPS)
+{
+ CK_RV crv;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_BBOOL ckfalse = CK_FALSE;
+ SFTKAttribute *attribute = NULL;
+ unsigned long requiredLen;
+
+ crv = sftk_defaultAttribute(object, CKA_SENSITIVE,
+ isFIPS ? &cktrue : &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_EXTRACTABLE,
+ &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_ENCRYPT, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_DECRYPT, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_SIGN, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_VERIFY, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_WRAP, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_UNWRAP, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+
+ if (!sftk_hasAttribute(object, CKA_VALUE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ /* the next two bits get modified only in the key gen and token cases */
+ crv = sftk_forceAttribute(object, CKA_ALWAYS_SENSITIVE,
+ &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_forceAttribute(object, CKA_NEVER_EXTRACTABLE,
+ &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+
+ /* some types of keys have a value length */
+ crv = CKR_OK;
+ switch (key_type) {
+ /* force CKA_VALUE_LEN to be set */
+ case CKK_GENERIC_SECRET:
+ case CKK_RC2:
+ case CKK_RC4:
+#if NSS_SOFTOKEN_DOES_RC5
+ case CKK_RC5:
+#endif
+#ifdef NSS_SOFTOKEN_DOES_CAST
+ case CKK_CAST:
+ case CKK_CAST3:
+ case CKK_CAST5:
+#endif
+#if NSS_SOFTOKEN_DOES_IDEA
+ case CKK_IDEA:
+#endif
+ attribute = sftk_FindAttribute(object, CKA_VALUE);
+ /* shouldn't happen */
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+ crv = sftk_forceAttribute(object, CKA_VALUE_LEN,
+ &attribute->attrib.ulValueLen, sizeof(CK_ULONG));
+ sftk_FreeAttribute(attribute);
+ break;
+ /* force the value to have the correct parity */
+ case CKK_DES:
+ case CKK_DES2:
+ case CKK_DES3:
+ case CKK_CDMF:
+ attribute = sftk_FindAttribute(object, CKA_VALUE);
+ /* shouldn't happen */
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+ requiredLen = sftk_MapKeySize(key_type);
+ if (attribute->attrib.ulValueLen != requiredLen) {
+ sftk_FreeAttribute(attribute);
+ return CKR_KEY_SIZE_RANGE;
+ }
+ sftk_FormatDESKey((unsigned char *)attribute->attrib.pValue,
+ attribute->attrib.ulValueLen);
+ sftk_FreeAttribute(attribute);
+ break;
+ case CKK_AES:
+ attribute = sftk_FindAttribute(object, CKA_VALUE);
+ /* shouldn't happen */
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+ if (attribute->attrib.ulValueLen != 16 &&
+ attribute->attrib.ulValueLen != 24 &&
+ attribute->attrib.ulValueLen != 32) {
+ sftk_FreeAttribute(attribute);
+ return CKR_KEY_SIZE_RANGE;
+ }
+ crv = sftk_forceAttribute(object, CKA_VALUE_LEN,
+ &attribute->attrib.ulValueLen, sizeof(CK_ULONG));
+ sftk_FreeAttribute(attribute);
+ break;
+ default:
+ break;
+ }
+
+ return crv;
+}
+
+/*
+ * check the consistancy and initialize a Secret Key Object
+ */
+static CK_RV
+sftk_handleSecretKeyObject(SFTKSession *session, SFTKObject *object,
+ CK_KEY_TYPE key_type, PRBool isFIPS)
+{
+ CK_RV crv;
+
+ /* First validate and set defaults */
+ crv = validateSecretKey(session, object, key_type, isFIPS);
+ if (crv != CKR_OK)
+ goto loser;
+
+ /* If the object is a TOKEN object, store in the database */
+ if (sftk_isTrue(object, CKA_TOKEN)) {
+ SFTKSlot *slot = session->slot;
+ SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
+
+ if (keyHandle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ crv = sftkdb_write(keyHandle, object, &object->handle);
+ sftk_freeDB(keyHandle);
+ return crv;
+ }
+
+loser:
+
+ return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Object
+ */
+static CK_RV
+sftk_handleKeyObject(SFTKSession *session, SFTKObject *object)
+{
+ SFTKAttribute *attribute;
+ CK_KEY_TYPE key_type;
+ CK_BBOOL ckfalse = CK_FALSE;
+ CK_RV crv;
+
+ /* verify the required fields */
+ if (!sftk_hasAttribute(object, CKA_KEY_TYPE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* now verify the common fields */
+ crv = sftk_defaultAttribute(object, CKA_ID, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_START_DATE, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_END_DATE, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+ /* CKA_DERIVE is common to all keys, but it's default value is
+ * key dependent */
+ crv = sftk_defaultAttribute(object, CKA_LOCAL, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+
+ /* get the key type */
+ attribute = sftk_FindAttribute(object, CKA_KEY_TYPE);
+ if (!attribute) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+
+ switch (object->objclass) {
+ case CKO_PUBLIC_KEY:
+ return sftk_handlePublicKeyObject(session, object, key_type);
+ case CKO_PRIVATE_KEY:
+ return sftk_handlePrivateKeyObject(session, object, key_type);
+ case CKO_SECRET_KEY:
+ /* make sure the required fields exist */
+ return sftk_handleSecretKeyObject(session, object, key_type,
+ (PRBool)(sftk_isFIPS(session->slot->slotID)));
+ default:
+ break;
+ }
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+}
+
+/*
+ * check the consistancy and Verify a DSA Parameter Object
+ */
+static CK_RV
+sftk_handleDSAParameterObject(SFTKSession *session, SFTKObject *object)
+{
+ SFTKAttribute *primeAttr = NULL;
+ SFTKAttribute *subPrimeAttr = NULL;
+ SFTKAttribute *baseAttr = NULL;
+ SFTKAttribute *seedAttr = NULL;
+ SFTKAttribute *hAttr = NULL;
+ SFTKAttribute *attribute;
+ CK_RV crv = CKR_TEMPLATE_INCOMPLETE;
+ PQGParams params;
+ PQGVerify vfy, *verify = NULL;
+ SECStatus result, rv;
+ /* This bool keeps track of whether or not we need verify parameters.
+ * If a P, Q and G or supplied, we dont' need verify parameters, as we
+ * have PQ and G.
+ * - If G is not supplied, the presumption is that we want to
+ * verify P and Q only.
+ * - If counter is supplied, it is presumed we want to verify PQ because
+ * the counter is only used in verification.
+ * - If H is supplied, is is presumed we want to verify G because H is
+ * only used to verify G.
+ * - Any verification step must have the SEED (counter or H could be
+ * missing depending on exactly what we want to verify). If SEED is supplied,
+ * the code just goes ahead and runs verify (other errors are parameter
+ * errors are detected by the PQG_VerifyParams function). If SEED is not
+ * supplied, but we determined that we are trying to verify (because needVfy
+ * is set, go ahead and return CKR_TEMPLATE_INCOMPLETE.
+ */
+ PRBool needVfy = PR_FALSE;
+
+ primeAttr = sftk_FindAttribute(object, CKA_PRIME);
+ if (primeAttr == NULL)
+ goto loser;
+ params.prime.data = primeAttr->attrib.pValue;
+ params.prime.len = primeAttr->attrib.ulValueLen;
+
+ subPrimeAttr = sftk_FindAttribute(object, CKA_SUBPRIME);
+ if (subPrimeAttr == NULL)
+ goto loser;
+ params.subPrime.data = subPrimeAttr->attrib.pValue;
+ params.subPrime.len = subPrimeAttr->attrib.ulValueLen;
+
+ baseAttr = sftk_FindAttribute(object, CKA_BASE);
+ if (baseAttr != NULL) {
+ params.base.data = baseAttr->attrib.pValue;
+ params.base.len = baseAttr->attrib.ulValueLen;
+ } else {
+ params.base.data = NULL;
+ params.base.len = 0;
+ needVfy = PR_TRUE; /* presumably only including PQ so we can verify
+ * them. */
+ }
+
+ attribute = sftk_FindAttribute(object, CKA_NSS_PQG_COUNTER);
+ if (attribute != NULL) {
+ vfy.counter = *(CK_ULONG *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+ needVfy = PR_TRUE; /* included a count so we can verify PQ */
+ } else {
+ vfy.counter = -1;
+ }
+
+ hAttr = sftk_FindAttribute(object, CKA_NSS_PQG_H);
+ if (hAttr != NULL) {
+ vfy.h.data = hAttr->attrib.pValue;
+ vfy.h.len = hAttr->attrib.ulValueLen;
+ needVfy = PR_TRUE; /* included H so we can verify G */
+ } else {
+ vfy.h.data = NULL;
+ vfy.h.len = 0;
+ }
+ seedAttr = sftk_FindAttribute(object, CKA_NSS_PQG_SEED);
+ if (seedAttr != NULL) {
+ vfy.seed.data = seedAttr->attrib.pValue;
+ vfy.seed.len = seedAttr->attrib.ulValueLen;
+
+ verify = &vfy;
+ } else if (needVfy) {
+ goto loser; /* Verify always needs seed, if we need verify and not seed
+ * then fail */
+ }
+
+ crv = CKR_FUNCTION_FAILED;
+ rv = PQG_VerifyParams(&params, verify, &result);
+ if (rv == SECSuccess) {
+ crv = (result == SECSuccess) ? CKR_OK : CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+loser:
+ if (hAttr)
+ sftk_FreeAttribute(hAttr);
+ if (seedAttr)
+ sftk_FreeAttribute(seedAttr);
+ if (baseAttr)
+ sftk_FreeAttribute(baseAttr);
+ if (subPrimeAttr)
+ sftk_FreeAttribute(subPrimeAttr);
+ if (primeAttr)
+ sftk_FreeAttribute(primeAttr);
+
+ return crv;
+}
+
+/*
+ * check the consistancy and initialize a Key Parameter Object
+ */
+static CK_RV
+sftk_handleKeyParameterObject(SFTKSession *session, SFTKObject *object)
+{
+ SFTKAttribute *attribute;
+ CK_KEY_TYPE key_type;
+ CK_BBOOL ckfalse = CK_FALSE;
+ CK_RV crv;
+
+ /* verify the required fields */
+ if (!sftk_hasAttribute(object, CKA_KEY_TYPE)) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+
+ /* now verify the common fields */
+ crv = sftk_defaultAttribute(object, CKA_LOCAL, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+
+ /* get the key type */
+ attribute = sftk_FindAttribute(object, CKA_KEY_TYPE);
+ if (!attribute) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+
+ switch (key_type) {
+ case CKK_DSA:
+ return sftk_handleDSAParameterObject(session, object);
+
+ default:
+ break;
+ }
+ return CKR_KEY_TYPE_INCONSISTENT;
+}
+
+/*
+ * Handle Object does all the object consistancy checks, automatic attribute
+ * generation, attribute defaulting, etc. If handleObject succeeds, the object
+ * will be assigned an object handle, and the object installed in the session
+ * or stored in the DB.
+ */
+CK_RV
+sftk_handleObject(SFTKObject *object, SFTKSession *session)
+{
+ SFTKSlot *slot = session->slot;
+ SFTKAttribute *attribute;
+ CK_BBOOL ckfalse = CK_FALSE;
+ CK_BBOOL cktrue = CK_TRUE;
+ PRBool isLoggedIn, needLogin;
+ CK_RV crv;
+
+ /* make sure all the base object types are defined. If not set the
+ * defaults */
+ crv = sftk_defaultAttribute(object, CKA_TOKEN, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_PRIVATE, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_LABEL, NULL, 0);
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_defaultAttribute(object, CKA_MODIFIABLE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ return crv;
+
+ PZ_Lock(slot->slotLock);
+ isLoggedIn = slot->isLoggedIn;
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+
+ /* don't create a private object if we aren't logged in */
+ if (!isLoggedIn && needLogin && sftk_isTrue(object, CKA_PRIVATE)) {
+ return CKR_USER_NOT_LOGGED_IN;
+ }
+
+ if (((session->info.flags & CKF_RW_SESSION) == 0) &&
+ (sftk_isTrue(object, CKA_TOKEN))) {
+ return CKR_SESSION_READ_ONLY;
+ }
+
+ /* Assign a unique SESSION object handle to every new object,
+ * whether it is a session object or a token object.
+ * At this point, all new objects are structured as session objects.
+ * Objects with the CKA_TOKEN attribute true will be turned into
+ * token objects and will have a token object handle assigned to
+ * them by a call to sftk_mkHandle in the handler for each object
+ * class, invoked below.
+ *
+ * It may be helpful to note/remember that
+ * sftk_narrowToXxxObject uses sftk_isToken,
+ * sftk_isToken examines the sign bit of the object's handle, but
+ * sftk_isTrue(...,CKA_TOKEN) examines the CKA_TOKEN attribute.
+ */
+ object->handle = sftk_getNextHandle(slot);
+
+ /* get the object class */
+ attribute = sftk_FindAttribute(object, CKA_CLASS);
+ if (attribute == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ object->objclass = *(CK_OBJECT_CLASS *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+
+ /* Now handle the specific object class.
+ * At this point, all objects are session objects, and the session
+ * number must be passed to the object class handlers.
+ */
+ switch (object->objclass) {
+ case CKO_DATA:
+ crv = sftk_handleDataObject(session, object);
+ break;
+ case CKO_CERTIFICATE:
+ crv = sftk_handleCertObject(session, object);
+ break;
+ case CKO_NSS_TRUST:
+ crv = sftk_handleTrustObject(session, object);
+ break;
+ case CKO_NSS_CRL:
+ crv = sftk_handleCrlObject(session, object);
+ break;
+ case CKO_NSS_SMIME:
+ crv = sftk_handleSMimeObject(session, object);
+ break;
+ case CKO_PRIVATE_KEY:
+ case CKO_PUBLIC_KEY:
+ case CKO_SECRET_KEY:
+ crv = sftk_handleKeyObject(session, object);
+ break;
+ case CKO_DOMAIN_PARAMETERS:
+ crv = sftk_handleKeyParameterObject(session, object);
+ break;
+ default:
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ break;
+ }
+
+ /* can't fail from here on out unless the pk_handlXXX functions have
+ * failed the request */
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ /* Now link the object into the slot and session structures.
+ * If the object has a true CKA_TOKEN attribute, the above object
+ * class handlers will have set the sign bit in the object handle,
+ * causing the following test to be true.
+ */
+ if (sftk_isToken(object->handle)) {
+ sftk_convertSessionToToken(object);
+ } else {
+ object->slot = slot;
+ sftk_AddObject(session, object);
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * ******************** Public Key Utilities ***************************
+ */
+/* Generate a low public key structure from an object */
+NSSLOWKEYPublicKey *
+sftk_GetPubKey(SFTKObject *object, CK_KEY_TYPE key_type,
+ CK_RV *crvp)
+{
+ NSSLOWKEYPublicKey *pubKey;
+ PLArenaPool *arena;
+ CK_RV crv;
+
+ if (object->objclass != CKO_PUBLIC_KEY) {
+ *crvp = CKR_KEY_TYPE_INCONSISTENT;
+ return NULL;
+ }
+
+ if (sftk_isToken(object->handle)) {
+ /* ferret out the token object handle */
+ }
+
+ /* If we already have a key, use it */
+ if (object->objectInfo) {
+ *crvp = CKR_OK;
+ return (NSSLOWKEYPublicKey *)object->objectInfo;
+ }
+
+ /* allocate the structure */
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ *crvp = CKR_HOST_MEMORY;
+ return NULL;
+ }
+
+ pubKey = (NSSLOWKEYPublicKey *)
+ PORT_ArenaAlloc(arena, sizeof(NSSLOWKEYPublicKey));
+ if (pubKey == NULL) {
+ PORT_FreeArena(arena, PR_FALSE);
+ *crvp = CKR_HOST_MEMORY;
+ return NULL;
+ }
+
+ /* fill in the structure */
+ pubKey->arena = arena;
+ switch (key_type) {
+ case CKK_RSA:
+ pubKey->keyType = NSSLOWKEYRSAKey;
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.rsa.modulus,
+ object, CKA_MODULUS);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.rsa.publicExponent,
+ object, CKA_PUBLIC_EXPONENT);
+ break;
+ case CKK_DSA:
+ pubKey->keyType = NSSLOWKEYDSAKey;
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.params.prime,
+ object, CKA_PRIME);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.params.subPrime,
+ object, CKA_SUBPRIME);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.params.base,
+ object, CKA_BASE);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dsa.publicValue,
+ object, CKA_VALUE);
+ break;
+ case CKK_DH:
+ pubKey->keyType = NSSLOWKEYDHKey;
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.prime,
+ object, CKA_PRIME);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.base,
+ object, CKA_BASE);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue,
+ object, CKA_VALUE);
+ break;
+ case CKK_EC:
+ pubKey->keyType = NSSLOWKEYECKey;
+ crv = sftk_Attribute2SSecItem(arena,
+ &pubKey->u.ec.ecParams.DEREncoding,
+ object, CKA_EC_PARAMS);
+ if (crv != CKR_OK)
+ break;
+
+ /* Fill out the rest of the ecParams structure
+ * based on the encoded params
+ */
+ if (EC_FillParams(arena, &pubKey->u.ec.ecParams.DEREncoding,
+ &pubKey->u.ec.ecParams) != SECSuccess) {
+ crv = CKR_DOMAIN_PARAMS_INVALID;
+ break;
+ }
+
+ crv = sftk_Attribute2SSecItem(arena, &pubKey->u.ec.publicValue,
+ object, CKA_EC_POINT);
+ if (crv == CKR_OK) {
+ unsigned int keyLen = EC_GetPointSize(&pubKey->u.ec.ecParams);
+
+ /* special note: We can't just use the first byte to distinguish
+ * between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING.
+ * Both are 0x04. */
+
+ /* Handle the non-DER encoded case.
+ * Some curves are always pressumed to be non-DER.
+ */
+ if (pubKey->u.ec.publicValue.len == keyLen &&
+ (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
+ pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
+ break; /* key was not DER encoded, no need to unwrap */
+ }
+
+ /* handle the encoded case */
+ if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) &&
+ pubKey->u.ec.publicValue.len > keyLen) {
+ SECItem publicValue;
+ SECStatus rv;
+
+ rv = SEC_QuickDERDecodeItem(arena, &publicValue,
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
+ &pubKey->u.ec.publicValue);
+ /* nope, didn't decode correctly */
+ if ((rv != SECSuccess) || (publicValue.len != keyLen)) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ break;
+ }
+ /* we don't handle compressed points except in the case of ECCurve25519 */
+ if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
+ (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ break;
+ }
+ /* replace our previous with the decoded key */
+ pubKey->u.ec.publicValue = publicValue;
+ break;
+ }
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ break;
+ default:
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ *crvp = crv;
+ if (crv != CKR_OK) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return NULL;
+ }
+
+ object->objectInfo = pubKey;
+ object->infoFree = (SFTKFree)nsslowkey_DestroyPublicKey;
+ return pubKey;
+}
+
+/* make a private key from a verified object */
+static NSSLOWKEYPrivateKey *
+sftk_mkPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
+{
+ NSSLOWKEYPrivateKey *privKey;
+ SFTKItemTemplate itemTemplate[SFTK_MAX_ITEM_TEMPLATE];
+ int itemTemplateCount = 0;
+ PLArenaPool *arena;
+ CK_RV crv = CKR_OK;
+ SECStatus rv;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ *crvp = CKR_HOST_MEMORY;
+ return NULL;
+ }
+
+ privKey = (NSSLOWKEYPrivateKey *)
+ PORT_ArenaZAlloc(arena, sizeof(NSSLOWKEYPrivateKey));
+ if (privKey == NULL) {
+ PORT_FreeArena(arena, PR_FALSE);
+ *crvp = CKR_HOST_MEMORY;
+ return NULL;
+ }
+
+ /* in future this would be a switch on key_type */
+ privKey->arena = arena;
+ switch (key_type) {
+ case CKK_RSA:
+ privKey->keyType = NSSLOWKEYRSAKey;
+
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.rsa.modulus, CKA_MODULUS);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.rsa.publicExponent, CKA_PUBLIC_EXPONENT);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.rsa.privateExponent, CKA_PRIVATE_EXPONENT);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.rsa.prime1, CKA_PRIME_1);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.rsa.prime2, CKA_PRIME_2);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.rsa.exponent1, CKA_EXPONENT_1);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.rsa.exponent2, CKA_EXPONENT_2);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.rsa.coefficient, CKA_COEFFICIENT);
+ itemTemplateCount++;
+ rv = DER_SetUInteger(privKey->arena, &privKey->u.rsa.version,
+ NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
+ if (rv != SECSuccess)
+ crv = CKR_HOST_MEMORY;
+ break;
+
+ case CKK_DSA:
+ privKey->keyType = NSSLOWKEYDSAKey;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.dsa.params.prime, CKA_PRIME);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.dsa.params.subPrime, CKA_SUBPRIME);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.dsa.params.base, CKA_BASE);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.dsa.privateValue, CKA_VALUE);
+ itemTemplateCount++;
+ /* privKey was zero'd so public value is already set to NULL, 0
+ * if we don't set it explicitly */
+ break;
+
+ case CKK_DH:
+ privKey->keyType = NSSLOWKEYDHKey;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.dh.prime, CKA_PRIME);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.dh.base, CKA_BASE);
+ itemTemplateCount++;
+ SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
+ &privKey->u.dh.privateValue, CKA_VALUE);
+ itemTemplateCount++;
+ /* privKey was zero'd so public value is already set to NULL, 0
+ * if we don't set it explicitly */
+ break;
+
+ case CKK_EC:
+ privKey->keyType = NSSLOWKEYECKey;
+ crv = sftk_Attribute2SSecItem(arena,
+ &privKey->u.ec.ecParams.DEREncoding,
+ object, CKA_EC_PARAMS);
+ if (crv != CKR_OK)
+ break;
+
+ /* Fill out the rest of the ecParams structure
+ * based on the encoded params
+ */
+ if (EC_FillParams(arena, &privKey->u.ec.ecParams.DEREncoding,
+ &privKey->u.ec.ecParams) != SECSuccess) {
+ crv = CKR_DOMAIN_PARAMS_INVALID;
+ break;
+ }
+ crv = sftk_Attribute2SSecItem(arena, &privKey->u.ec.privateValue,
+ object, CKA_VALUE);
+ if (crv != CKR_OK)
+ break;
+
+ if (sftk_hasAttribute(object, CKA_NSS_DB)) {
+ crv = sftk_Attribute2SSecItem(arena, &privKey->u.ec.publicValue,
+ object, CKA_NSS_DB);
+ if (crv != CKR_OK)
+ break;
+ /* privKey was zero'd so public value is already set to NULL, 0
+ * if we don't set it explicitly */
+ }
+ rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
+ NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+/* The following ifdef is needed for Linux arm distros and
+ * Android as gcc 4.6 has a bug when targeting arm (but not
+ * thumb). The bug has been fixed in gcc 4.7.
+ * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56561
+ */
+#if defined(__arm__) && !defined(__thumb__) && defined(__GNUC__)
+ *crvp = CKR_HOST_MEMORY;
+ break;
+#endif
+ }
+ break;
+
+ default:
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ if (crv == CKR_OK && itemTemplateCount != 0) {
+ PORT_Assert(itemTemplateCount > 0);
+ PORT_Assert(itemTemplateCount <= SFTK_MAX_ITEM_TEMPLATE);
+ crv = sftk_MultipleAttribute2SecItem(arena, object, itemTemplate,
+ itemTemplateCount);
+ }
+ *crvp = crv;
+ if (crv != CKR_OK) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return NULL;
+ }
+ return privKey;
+}
+
+/*
+ * If a partial RSA private key is present, fill in the rest if necessary,
+ * and then verify the parameters are well-formed
+ */
+static SECStatus
+sftk_verifyRSAPrivateKey(SFTKObject *object, PRBool fillIfNeeded)
+{
+ RSAPrivateKey tmpKey = { 0 };
+ SFTKAttribute *modulus = NULL;
+ SFTKAttribute *prime1 = NULL;
+ SFTKAttribute *prime2 = NULL;
+ SFTKAttribute *privateExponent = NULL;
+ SFTKAttribute *publicExponent = NULL;
+ SFTKAttribute *exponent1 = NULL;
+ SFTKAttribute *exponent2 = NULL;
+ SFTKAttribute *coefficient = NULL;
+ SECStatus rv;
+ CK_RV crv;
+
+ /* first fill in the components that we have. Populate only uses
+ * the non-crt components, so only fill those in */
+ tmpKey.arena = NULL;
+ modulus = sftk_FindAttribute(object, CKA_MODULUS);
+ if (modulus) {
+ tmpKey.modulus.data = modulus->attrib.pValue;
+ tmpKey.modulus.len = modulus->attrib.ulValueLen;
+ }
+ prime1 = sftk_FindAttribute(object, CKA_PRIME_1);
+ if (prime1) {
+ tmpKey.prime1.data = prime1->attrib.pValue;
+ tmpKey.prime1.len = prime1->attrib.ulValueLen;
+ }
+ prime2 = sftk_FindAttribute(object, CKA_PRIME_2);
+ if (prime2) {
+ tmpKey.prime2.data = prime2->attrib.pValue;
+ tmpKey.prime2.len = prime2->attrib.ulValueLen;
+ }
+ privateExponent = sftk_FindAttribute(object, CKA_PRIVATE_EXPONENT);
+ if (privateExponent) {
+ tmpKey.privateExponent.data = privateExponent->attrib.pValue;
+ tmpKey.privateExponent.len = privateExponent->attrib.ulValueLen;
+ }
+ publicExponent = sftk_FindAttribute(object, CKA_PUBLIC_EXPONENT);
+ if (publicExponent) {
+ tmpKey.publicExponent.data = publicExponent->attrib.pValue;
+ tmpKey.publicExponent.len = publicExponent->attrib.ulValueLen;
+ }
+ exponent1 = sftk_FindAttribute(object, CKA_EXPONENT_1);
+ if (exponent1) {
+ tmpKey.exponent1.data = exponent1->attrib.pValue;
+ tmpKey.exponent1.len = exponent1->attrib.ulValueLen;
+ }
+ exponent2 = sftk_FindAttribute(object, CKA_EXPONENT_2);
+ if (exponent2) {
+ tmpKey.exponent2.data = exponent2->attrib.pValue;
+ tmpKey.exponent2.len = exponent2->attrib.ulValueLen;
+ }
+ coefficient = sftk_FindAttribute(object, CKA_COEFFICIENT);
+ if (coefficient) {
+ tmpKey.coefficient.data = coefficient->attrib.pValue;
+ tmpKey.coefficient.len = coefficient->attrib.ulValueLen;
+ }
+
+ if (fillIfNeeded) {
+ /*
+ * populate requires one exponent plus 2 other components to work.
+ * we expected our caller to check that first. If that didn't happen,
+ * populate will simply return an error here.
+ */
+ rv = RSA_PopulatePrivateKey(&tmpKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+ rv = RSA_PrivateKeyCheck(&tmpKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ /* now that we have a fully populated key, set all our attribute values */
+ rv = SECFailure;
+ if (!modulus || modulus->attrib.pValue != tmpKey.modulus.data) {
+ crv = sftk_forceAttribute(object, CKA_MODULUS,
+ sftk_item_expand(&tmpKey.modulus));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!publicExponent ||
+ publicExponent->attrib.pValue != tmpKey.publicExponent.data) {
+ crv = sftk_forceAttribute(object, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&tmpKey.publicExponent));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!privateExponent ||
+ privateExponent->attrib.pValue != tmpKey.privateExponent.data) {
+ crv = sftk_forceAttribute(object, CKA_PRIVATE_EXPONENT,
+ sftk_item_expand(&tmpKey.privateExponent));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!prime1 || prime1->attrib.pValue != tmpKey.prime1.data) {
+ crv = sftk_forceAttribute(object, CKA_PRIME_1,
+ sftk_item_expand(&tmpKey.prime1));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!prime2 || prime2->attrib.pValue != tmpKey.prime2.data) {
+ crv = sftk_forceAttribute(object, CKA_PRIME_2,
+ sftk_item_expand(&tmpKey.prime2));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!exponent1 || exponent1->attrib.pValue != tmpKey.exponent1.data) {
+ crv = sftk_forceAttribute(object, CKA_EXPONENT_1,
+ sftk_item_expand(&tmpKey.exponent1));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!exponent2 || exponent2->attrib.pValue != tmpKey.exponent2.data) {
+ crv = sftk_forceAttribute(object, CKA_EXPONENT_2,
+ sftk_item_expand(&tmpKey.exponent2));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ if (!coefficient || coefficient->attrib.pValue != tmpKey.coefficient.data) {
+ crv = sftk_forceAttribute(object, CKA_COEFFICIENT,
+ sftk_item_expand(&tmpKey.coefficient));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ rv = SECSuccess;
+
+/* we're done (one way or the other), clean up all our stuff */
+loser:
+ if (tmpKey.arena) {
+ PORT_FreeArena(tmpKey.arena, PR_TRUE);
+ }
+ if (modulus) {
+ sftk_FreeAttribute(modulus);
+ }
+ if (prime1) {
+ sftk_FreeAttribute(prime1);
+ }
+ if (prime2) {
+ sftk_FreeAttribute(prime2);
+ }
+ if (privateExponent) {
+ sftk_FreeAttribute(privateExponent);
+ }
+ if (publicExponent) {
+ sftk_FreeAttribute(publicExponent);
+ }
+ if (exponent1) {
+ sftk_FreeAttribute(exponent1);
+ }
+ if (exponent2) {
+ sftk_FreeAttribute(exponent2);
+ }
+ if (coefficient) {
+ sftk_FreeAttribute(coefficient);
+ }
+ return rv;
+}
+
+/* Generate a low private key structure from an object */
+NSSLOWKEYPrivateKey *
+sftk_GetPrivKey(SFTKObject *object, CK_KEY_TYPE key_type, CK_RV *crvp)
+{
+ NSSLOWKEYPrivateKey *priv = NULL;
+
+ if (object->objclass != CKO_PRIVATE_KEY) {
+ *crvp = CKR_KEY_TYPE_INCONSISTENT;
+ return NULL;
+ }
+ if (object->objectInfo) {
+ *crvp = CKR_OK;
+ return (NSSLOWKEYPrivateKey *)object->objectInfo;
+ }
+
+ priv = sftk_mkPrivKey(object, key_type, crvp);
+ object->objectInfo = priv;
+ object->infoFree = (SFTKFree)nsslowkey_DestroyPrivateKey;
+ return priv;
+}
+
+/* populate a public key object from a lowpublic keys structure */
+CK_RV
+sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType, NSSLOWKEYPublicKey *pubKey)
+{
+ CK_OBJECT_CLASS classType = CKO_PUBLIC_KEY;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_RV crv = CKR_OK;
+ sftk_DeleteAttributeType(publicKey, CKA_CLASS);
+ sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE);
+ sftk_DeleteAttributeType(publicKey, CKA_VALUE);
+
+ switch (keyType) {
+ case CKK_RSA:
+ sftk_DeleteAttributeType(publicKey, CKA_MODULUS);
+ sftk_DeleteAttributeType(publicKey, CKA_PUBLIC_EXPONENT);
+ /* format the keys */
+ /* fill in the RSA dependent paramenters in the public key */
+ crv = sftk_AddAttributeType(publicKey, CKA_MODULUS,
+ sftk_item_expand(&pubKey->u.rsa.modulus));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&pubKey->u.rsa.publicExponent));
+ break;
+ case CKK_DSA:
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_SUBPRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+ sftk_item_expand(&pubKey->u.dsa.params.prime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_SUBPRIME,
+ sftk_item_expand(&pubKey->u.dsa.params.subPrime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+ sftk_item_expand(&pubKey->u.dsa.params.base));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&pubKey->u.dsa.publicValue));
+ break;
+ case CKK_DH:
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+ sftk_item_expand(&pubKey->u.dh.prime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+ sftk_item_expand(&pubKey->u.dh.base));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&pubKey->u.dh.publicValue));
+ break;
+ case CKK_EC:
+ sftk_DeleteAttributeType(publicKey, CKA_EC_PARAMS);
+ sftk_DeleteAttributeType(publicKey, CKA_EC_POINT);
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_PARAMS,
+ sftk_item_expand(&pubKey->u.ec.ecParams.DEREncoding));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+ sftk_item_expand(&pubKey->u.ec.publicValue));
+ break;
+ default:
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_CLASS, &classType,
+ sizeof(CK_OBJECT_CLASS));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE, &keyType,
+ sizeof(CK_KEY_TYPE));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ /* now handle the operator attributes */
+ if (sftk_isTrue(privateKey, CKA_DECRYPT)) {
+ crv = sftk_forceAttribute(publicKey, CKA_ENCRYPT, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_SIGN)) {
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_SIGN_RECOVER)) {
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY_RECOVER, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_DERIVE)) {
+ crv = sftk_forceAttribute(publicKey, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ return crv;
+}
+
+/*
+ **************************** Symetric Key utils ************************
+ */
+/*
+ * set the DES key with parity bits correctly
+ */
+void
+sftk_FormatDESKey(unsigned char *key, int length)
+{
+ int i;
+
+ /* format the des key */
+ for (i = 0; i < length; i++) {
+ key[i] = parityTable[key[i] >> 1];
+ }
+}
+
+/*
+ * check a des key (des2 or des3 subkey) for weak keys.
+ */
+PRBool
+sftk_CheckDESKey(unsigned char *key)
+{
+ int i;
+
+ /* format the des key with parity */
+ sftk_FormatDESKey(key, 8);
+
+ for (i = 0; i < sftk_desWeakTableSize; i++) {
+ if (PORT_Memcmp(key, sftk_desWeakTable[i], 8) == 0) {
+ return PR_TRUE;
+ }
+ }
+ return PR_FALSE;
+}
+
+/*
+ * check if a des or triple des key is weak.
+ */
+PRBool
+sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type)
+{
+
+ switch (key_type) {
+ case CKK_DES:
+ return sftk_CheckDESKey(key);
+ case CKM_DES2_KEY_GEN:
+ if (sftk_CheckDESKey(key))
+ return PR_TRUE;
+ return sftk_CheckDESKey(&key[8]);
+ case CKM_DES3_KEY_GEN:
+ if (sftk_CheckDESKey(key))
+ return PR_TRUE;
+ if (sftk_CheckDESKey(&key[8]))
+ return PR_TRUE;
+ return sftk_CheckDESKey(&key[16]);
+ default:
+ break;
+ }
+ return PR_FALSE;
+}
+
+/**********************************************************************
+ *
+ * Start of PKCS 11 functions
+ *
+ **********************************************************************/
+
+/* return the function list */
+CK_RV
+NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+ *pFunctionList = (CK_FUNCTION_LIST_PTR)&sftk_funcList_v2;
+ return CKR_OK;
+}
+
+/* return the function list */
+CK_RV
+C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+{
+ return NSC_GetFunctionList(pFunctionList);
+}
+
+CK_RV
+NSC_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
+{
+ CK_ULONG count = *pulCount;
+ *pulCount = NSS_INTERFACE_COUNT;
+ if (interfaces == NULL) {
+ return CKR_OK;
+ }
+ if (count < NSS_INTERFACE_COUNT) {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ PORT_Memcpy(interfaces, nss_interfaces, sizeof(nss_interfaces));
+ return CKR_OK;
+}
+
+CK_RV
+C_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
+{
+ return NSC_GetInterfaceList(interfaces, pulCount);
+}
+
+/*
+ * Get the requested interface, use the nss_interfaces array so we can
+ * easily add new interfaces as they occur.
+ */
+CK_RV
+NSC_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion,
+ CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags)
+{
+ int i;
+ for (i = 0; i < NSS_INTERFACE_COUNT; i++) {
+ CK_INTERFACE_PTR interface = &nss_interfaces[i];
+ if (pInterfaceName && PORT_Strcmp((char *)pInterfaceName, (char *)interface->pInterfaceName) != 0) {
+ continue;
+ }
+ if (pVersion && PORT_Memcmp(pVersion, (CK_VERSION *)interface->pFunctionList, sizeof(CK_VERSION)) != 0) {
+ continue;
+ }
+ if (flags & ((interface->flags & flags) != flags)) {
+ continue;
+ }
+ *ppInterface = interface;
+ return CKR_OK;
+ }
+ return CKR_ARGUMENTS_BAD;
+}
+
+CK_RV
+C_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion,
+ CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags)
+{
+ return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags);
+}
+
+static PLHashNumber
+sftk_HashNumber(const void *key)
+{
+ return (PLHashNumber)((char *)key - (char *)NULL);
+}
+
+/*
+ * eventually I'd like to expunge all occurances of XXX_SLOT_ID and
+ * just go with the info in the slot. This is one place, however,
+ * where it might be a little difficult.
+ */
+const char *
+sftk_getDefTokName(CK_SLOT_ID slotID)
+{
+ static char buf[33];
+
+ switch (slotID) {
+ case NETSCAPE_SLOT_ID:
+ return "NSS Generic Crypto Services ";
+ case PRIVATE_KEY_SLOT_ID:
+ return "NSS Certificate DB ";
+ case FIPS_SLOT_ID:
+ return "NSS FIPS 140-2 Certificate DB ";
+ default:
+ break;
+ }
+ snprintf(buf, sizeof(buf), "NSS Application Token %08x ", (unsigned int)slotID);
+ return buf;
+}
+
+const char *
+sftk_getDefSlotName(CK_SLOT_ID slotID)
+{
+ static char buf[65];
+
+ switch (slotID) {
+ case NETSCAPE_SLOT_ID:
+ return "NSS Internal Cryptographic Services ";
+ case PRIVATE_KEY_SLOT_ID:
+ return "NSS User Private Key and Certificate Services ";
+ case FIPS_SLOT_ID:
+ return "NSS FIPS 140-2 User Private Key Services ";
+ default:
+ break;
+ }
+ snprintf(buf, sizeof(buf),
+ "NSS Application Slot %08x ",
+ (unsigned int)slotID);
+ return buf;
+}
+
+static CK_ULONG nscSlotCount[2] = { 0, 0 };
+static CK_SLOT_ID_PTR nscSlotList[2] = { NULL, NULL };
+static CK_ULONG nscSlotListSize[2] = { 0, 0 };
+static PLHashTable *nscSlotHashTable[2] = { NULL, NULL };
+
+static unsigned int
+sftk_GetModuleIndex(CK_SLOT_ID slotID)
+{
+ if (sftk_isFIPS(slotID)) {
+ return NSC_FIPS_MODULE;
+ }
+ return NSC_NON_FIPS_MODULE;
+}
+
+/* look up a slot structure from the ID (used to be a macro when we only
+ * had two slots) */
+/* if all is true, return the slot even if it has been 'unloaded' */
+/* if all is false, only return the slots which are present */
+SFTKSlot *
+sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all)
+{
+ SFTKSlot *slot;
+ unsigned int index = sftk_GetModuleIndex(slotID);
+
+ if (nscSlotHashTable[index] == NULL)
+ return NULL;
+ slot = (SFTKSlot *)PL_HashTableLookupConst(nscSlotHashTable[index],
+ (void *)(uintptr_t)slotID);
+ /* cleared slots shouldn't 'show up' */
+ if (slot && !all && !slot->present)
+ slot = NULL;
+ return slot;
+}
+
+CK_SLOT_ID
+sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle)
+{
+ CK_ULONG slotIDIndex = (handle >> 24) & 0x7f;
+ CK_ULONG moduleIndex = (handle >> 31) & 1;
+
+ if (slotIDIndex >= nscSlotCount[moduleIndex]) {
+ return (CK_SLOT_ID)-1;
+ }
+ return nscSlotList[moduleIndex][slotIDIndex];
+}
+
+SFTKSlot *
+sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle)
+{
+ return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE);
+}
+
+static CK_RV
+sftk_RegisterSlot(SFTKSlot *slot, unsigned int moduleIndex)
+{
+ PLHashEntry *entry;
+ unsigned int index;
+
+ index = sftk_GetModuleIndex(slot->slotID);
+
+ /* make sure the slotID for this module is valid */
+ if (moduleIndex != index) {
+ return CKR_SLOT_ID_INVALID;
+ }
+
+ if (nscSlotList[index] == NULL) {
+ nscSlotListSize[index] = NSC_SLOT_LIST_BLOCK_SIZE;
+ nscSlotList[index] = (CK_SLOT_ID *)
+ PORT_ZAlloc(nscSlotListSize[index] * sizeof(CK_SLOT_ID));
+ if (nscSlotList[index] == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ }
+ if (nscSlotCount[index] >= nscSlotListSize[index]) {
+ CK_SLOT_ID *oldNscSlotList = nscSlotList[index];
+ CK_ULONG oldNscSlotListSize = nscSlotListSize[index];
+ nscSlotListSize[index] += NSC_SLOT_LIST_BLOCK_SIZE;
+ nscSlotList[index] = (CK_SLOT_ID *)PORT_Realloc(oldNscSlotList,
+ nscSlotListSize[index] * sizeof(CK_SLOT_ID));
+ if (nscSlotList[index] == NULL) {
+ /* evidently coverity doesn't know realloc does not
+ * free var if it fails ! */
+ /* coverity [use_after_free : FALSE] */
+ nscSlotList[index] = oldNscSlotList;
+ nscSlotListSize[index] = oldNscSlotListSize;
+ return CKR_HOST_MEMORY;
+ }
+ }
+
+ if (nscSlotHashTable[index] == NULL) {
+ nscSlotHashTable[index] = PL_NewHashTable(64, sftk_HashNumber,
+ PL_CompareValues, PL_CompareValues, NULL, 0);
+ if (nscSlotHashTable[index] == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ }
+
+ entry = PL_HashTableAdd(nscSlotHashTable[index], (void *)(uintptr_t)slot->slotID, slot);
+ if (entry == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ slot->index = (nscSlotCount[index] & 0x7f) | ((index << 7) & 0x80);
+ nscSlotList[index][nscSlotCount[index]++] = slot->slotID;
+
+ return CKR_OK;
+}
+
+/*
+ * ths function has all the common initialization that happens whenever we
+ * create a new slot or repurpose an old slot (only valid for slotID's 4
+ * and greater).
+ *
+ * things that are not reinitialized are:
+ * slotID (can't change)
+ * slotDescription (can't change once defined)
+ * the locks and hash tables (difficult to change in running code, and
+ * unnecessary. hash tables and list are cleared on shutdown, but they
+ * are cleared in a 'friendly' way).
+ * session and object ID counters -- so any old sessions and objects in the
+ * application will get properly notified that the world has changed.
+ *
+ * things that are reinitialized:
+ * database (otherwise what would the point be;).
+ * state variables related to databases.
+ * session count stat info.
+ * tokenDescription.
+ *
+ * NOTE: slotID's 4 and greater show up as removable devices.
+ *
+ */
+CK_RV
+SFTK_SlotReInit(SFTKSlot *slot, char *configdir, char *updatedir,
+ char *updateID, sftk_token_parameters *params,
+ unsigned int moduleIndex)
+{
+ PRBool needLogin = !params->noKeyDB;
+ CK_RV crv;
+
+ slot->hasTokens = PR_FALSE;
+ slot->sessionIDConflict = 0;
+ slot->sessionCount = 0;
+ slot->rwSessionCount = 0;
+ slot->needLogin = PR_FALSE;
+ slot->isLoggedIn = PR_FALSE;
+ slot->ssoLoggedIn = PR_FALSE;
+ slot->DB_loaded = PR_FALSE;
+ slot->certDB = NULL;
+ slot->keyDB = NULL;
+ slot->minimumPinLen = 0;
+ slot->readOnly = params->readOnly;
+ sftk_setStringName(params->tokdes ? params->tokdes : sftk_getDefTokName(slot->slotID), slot->tokDescription,
+ sizeof(slot->tokDescription), PR_TRUE);
+ sftk_setStringName(params->updtokdes ? params->updtokdes : " ",
+ slot->updateTokDescription,
+ sizeof(slot->updateTokDescription), PR_TRUE);
+
+ if ((!params->noCertDB) || (!params->noKeyDB)) {
+ SFTKDBHandle *certHandle = NULL;
+ SFTKDBHandle *keyHandle = NULL;
+ crv = sftk_DBInit(params->configdir ? params->configdir : configdir,
+ params->certPrefix, params->keyPrefix,
+ params->updatedir ? params->updatedir : updatedir,
+ params->updCertPrefix, params->updKeyPrefix,
+ params->updateID ? params->updateID : updateID,
+ params->readOnly, params->noCertDB, params->noKeyDB,
+ params->forceOpen,
+ moduleIndex == NSC_FIPS_MODULE,
+ &certHandle, &keyHandle);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ slot->certDB = certHandle;
+ slot->keyDB = keyHandle;
+ }
+ if (needLogin) {
+ /* if the data base is initialized with a null password,remember that */
+ slot->needLogin =
+ (PRBool)!sftk_hasNullPassword(slot, slot->keyDB);
+ if ((params->minPW >= 0) && (params->minPW <= SFTK_MAX_PIN)) {
+ slot->minimumPinLen = params->minPW;
+ }
+ if ((slot->minimumPinLen == 0) && (params->pwRequired)) {
+ slot->minimumPinLen = 1;
+ }
+ /* Make sure the pin len is set to the Minimum allowed value for fips
+ * when in FIPS mode. NOTE: we don't set it if the database has not
+ * been initialized yet so that we can init into level1 mode if needed
+ */
+ if ((sftkdb_HasPasswordSet(slot->keyDB) == SECSuccess) &&
+ (moduleIndex == NSC_FIPS_MODULE) &&
+ (slot->minimumPinLen < FIPS_MIN_PIN)) {
+ slot->minimumPinLen = FIPS_MIN_PIN;
+ }
+ }
+
+ slot->present = PR_TRUE;
+ return CKR_OK;
+
+loser:
+ SFTK_ShutdownSlot(slot);
+ return crv;
+}
+
+/*
+ * initialize one of the slot structures. figure out which by the ID
+ */
+CK_RV
+SFTK_SlotInit(char *configdir, char *updatedir, char *updateID,
+ sftk_token_parameters *params, unsigned int moduleIndex)
+{
+ unsigned int i;
+ CK_SLOT_ID slotID = params->slotID;
+ SFTKSlot *slot;
+ CK_RV crv = CKR_HOST_MEMORY;
+
+ /*
+ * first we initialize everything that is 'permanent' with this slot.
+ * that is everything we aren't going to shutdown if we close this slot
+ * and open it up again with different databases */
+
+ slot = PORT_ZNew(SFTKSlot);
+
+ if (slot == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ slot->optimizeSpace = params->optimizeSpace;
+ if (slot->optimizeSpace) {
+ slot->sessObjHashSize = SPACE_SESSION_OBJECT_HASH_SIZE;
+ slot->sessHashSize = SPACE_SESSION_HASH_SIZE;
+ slot->numSessionLocks = 1;
+ } else {
+ slot->sessObjHashSize = TIME_SESSION_OBJECT_HASH_SIZE;
+ slot->sessHashSize = TIME_SESSION_HASH_SIZE;
+ slot->numSessionLocks = slot->sessHashSize / BUCKETS_PER_SESSION_LOCK;
+ }
+ slot->sessionLockMask = slot->numSessionLocks - 1;
+
+ slot->slotLock = PZ_NewLock(nssILockSession);
+ if (slot->slotLock == NULL)
+ goto mem_loser;
+ slot->sessionLock = PORT_ZNewArray(PZLock *, slot->numSessionLocks);
+ if (slot->sessionLock == NULL)
+ goto mem_loser;
+ for (i = 0; i < slot->numSessionLocks; i++) {
+ slot->sessionLock[i] = PZ_NewLock(nssILockSession);
+ if (slot->sessionLock[i] == NULL)
+ goto mem_loser;
+ }
+ slot->objectLock = PZ_NewLock(nssILockObject);
+ if (slot->objectLock == NULL)
+ goto mem_loser;
+ slot->pwCheckLock = PR_NewLock();
+ if (slot->pwCheckLock == NULL)
+ goto mem_loser;
+ slot->head = PORT_ZNewArray(SFTKSession *, slot->sessHashSize);
+ if (slot->head == NULL)
+ goto mem_loser;
+ slot->sessObjHashTable = PORT_ZNewArray(SFTKObject *, slot->sessObjHashSize);
+ if (slot->sessObjHashTable == NULL)
+ goto mem_loser;
+ slot->tokObjHashTable = PL_NewHashTable(64, sftk_HashNumber, PL_CompareValues,
+ SECITEM_HashCompare, NULL, 0);
+ if (slot->tokObjHashTable == NULL)
+ goto mem_loser;
+
+ slot->sessionIDCount = 0;
+ slot->sessionObjectHandleCount = NSC_MIN_SESSION_OBJECT_HANDLE;
+ slot->slotID = slotID;
+ sftk_setStringName(params->slotdes ? params->slotdes : sftk_getDefSlotName(slotID), slot->slotDescription,
+ sizeof(slot->slotDescription), PR_TRUE);
+ crv = sftk_InitSession(&slot->moduleObjects, slot, slotID, NULL, NULL,
+ CKF_SERIAL_SESSION);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* call the reinit code to set everything that changes between token
+ * init calls */
+ crv = SFTK_SlotReInit(slot, configdir, updatedir, updateID,
+ params, moduleIndex);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ if (sftk_isFIPS(slotID)) {
+ crv = sftk_CreateValidationObjects(slot);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
+ crv = sftk_RegisterSlot(slot, moduleIndex);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ return CKR_OK;
+
+mem_loser:
+ crv = CKR_HOST_MEMORY;
+loser:
+ SFTK_DestroySlotData(slot);
+ return crv;
+}
+
+CK_RV
+sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout)
+{
+ SFTKSession *session;
+ unsigned int i;
+ SFTKDBHandle *handle;
+
+ /* first log out the card */
+ /* special case - if we are in a middle of upgrade, we want to close the
+ * sessions to fake a token removal to tell the upper level code we have
+ * switched from one database to another, but we don't want to
+ * explicity logout in case we can continue the upgrade with the
+ * existing password if possible.
+ */
+ if (logout) {
+ handle = sftk_getKeyDB(slot);
+ SKIP_AFTER_FORK(PZ_Lock(slot->slotLock));
+ slot->isLoggedIn = PR_FALSE;
+ if (slot->needLogin && handle) {
+ sftkdb_ClearPassword(handle);
+ }
+ SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
+ if (handle) {
+ sftk_freeDB(handle);
+ }
+ }
+
+ /* now close all the current sessions */
+ /* NOTE: If you try to open new sessions before NSC_CloseAllSessions
+ * completes, some of those new sessions may or may not be closed by
+ * NSC_CloseAllSessions... but any session running when this code starts
+ * will guarrenteed be close, and no session will be partially closed */
+ for (i = 0; i < slot->sessHashSize; i++) {
+ PZLock *lock = SFTK_SESSION_LOCK(slot, i);
+ do {
+ SKIP_AFTER_FORK(PZ_Lock(lock));
+ session = slot->head[i];
+ /* hand deque */
+ /* this duplicates function of NSC_close session functions, but
+ * because we know that we are freeing all the sessions, we can
+ * do more efficient processing */
+ if (session) {
+ slot->head[i] = session->next;
+ if (session->next)
+ session->next->prev = NULL;
+ session->next = session->prev = NULL;
+ SKIP_AFTER_FORK(PZ_Unlock(lock));
+ SKIP_AFTER_FORK(PZ_Lock(slot->slotLock));
+ --slot->sessionCount;
+ SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
+ if (session->info.flags & CKF_RW_SESSION) {
+ (void)PR_ATOMIC_DECREMENT(&slot->rwSessionCount);
+ }
+ } else {
+ SKIP_AFTER_FORK(PZ_Unlock(lock));
+ }
+ if (session) {
+ sftk_DestroySession(session);
+ }
+ } while (session != NULL);
+ }
+ return CKR_OK;
+}
+
+/*
+ * shut down the databases.
+ * we get the slot lock (which also protects slot->certDB and slot->keyDB)
+ * and clear the values so the new users will not find the databases.
+ * once things are clear, we can release our references to the databases.
+ * The databases will close when the last reference is released.
+ *
+ * We use reference counts so that we don't crash if someone shuts down
+ * a token that another thread is actively using.
+ */
+static void
+sftk_DBShutdown(SFTKSlot *slot)
+{
+ SFTKDBHandle *certHandle;
+ SFTKDBHandle *keyHandle;
+ SKIP_AFTER_FORK(PZ_Lock(slot->slotLock));
+ certHandle = slot->certDB;
+ slot->certDB = NULL;
+ keyHandle = slot->keyDB;
+ slot->keyDB = NULL;
+ SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
+ if (certHandle) {
+ sftk_freeDB(certHandle);
+ }
+ if (keyHandle) {
+ sftk_freeDB(keyHandle);
+ }
+}
+
+CK_RV
+SFTK_ShutdownSlot(SFTKSlot *slot)
+{
+ /* make sure no new PK11 calls work except C_GetSlotInfo */
+ slot->present = PR_FALSE;
+
+ /* close all outstanding sessions
+ * the sessHashSize variable guarentees we have all the session
+ * mechanism set up */
+ if (slot->head) {
+ sftk_CloseAllSessions(slot, PR_TRUE);
+ }
+
+ /* clear all objects.. session objects are cleared as a result of
+ * closing all the sessions. We just need to clear the token object
+ * cache. slot->tokObjHashTable guarentees we have the token
+ * infrastructure set up. */
+ if (slot->tokObjHashTable) {
+ SFTK_ClearTokenKeyHashTable(slot);
+ }
+
+ /* clear the slot description for the next guy */
+ PORT_Memset(slot->tokDescription, 0, sizeof(slot->tokDescription));
+
+ /* now shut down the databases. */
+ sftk_DBShutdown(slot);
+ return CKR_OK;
+}
+
+/*
+ * initialize one of the slot structures. figure out which by the ID
+ */
+CK_RV
+SFTK_DestroySlotData(SFTKSlot *slot)
+{
+ unsigned int i;
+
+ SFTK_ShutdownSlot(slot);
+
+ sftk_ClearSession(&slot->moduleObjects);
+
+ if (slot->tokObjHashTable) {
+ PL_HashTableDestroy(slot->tokObjHashTable);
+ slot->tokObjHashTable = NULL;
+ }
+
+ if (slot->sessObjHashTable) {
+ PORT_Free(slot->sessObjHashTable);
+ slot->sessObjHashTable = NULL;
+ }
+ slot->sessObjHashSize = 0;
+
+ if (slot->head) {
+ PORT_Free(slot->head);
+ slot->head = NULL;
+ }
+ slot->sessHashSize = 0;
+
+ /* OK everything has been disassembled, now we can finally get rid
+ * of the locks */
+ SKIP_AFTER_FORK(PZ_DestroyLock(slot->slotLock));
+ slot->slotLock = NULL;
+ if (slot->sessionLock) {
+ for (i = 0; i < slot->numSessionLocks; i++) {
+ if (slot->sessionLock[i]) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(slot->sessionLock[i]));
+ slot->sessionLock[i] = NULL;
+ }
+ }
+ PORT_Free(slot->sessionLock);
+ slot->sessionLock = NULL;
+ }
+ if (slot->objectLock) {
+ SKIP_AFTER_FORK(PZ_DestroyLock(slot->objectLock));
+ slot->objectLock = NULL;
+ }
+ if (slot->pwCheckLock) {
+ SKIP_AFTER_FORK(PR_DestroyLock(slot->pwCheckLock));
+ slot->pwCheckLock = NULL;
+ }
+ PORT_Free(slot);
+ return CKR_OK;
+}
+
+/*
+ * handle the SECMOD.db
+ */
+char **
+NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args)
+{
+#ifndef NSS_DISABLE_DBM
+ char *secmod = NULL;
+ char *appName = NULL;
+ char *filename = NULL;
+ NSSDBType dbType = NSS_DB_TYPE_NONE;
+ PRBool rw;
+ static char *success = "Success";
+#endif /* NSS_DISABLE_DBM */
+ char **rvstr = NULL;
+
+ rvstr = NSSUTIL_DoModuleDBFunction(function, parameters, args);
+ if (rvstr != NULL) {
+ return rvstr;
+ }
+
+ if (PORT_GetError() != SEC_ERROR_LEGACY_DATABASE) {
+ return NULL;
+ }
+
+#ifndef NSS_DISABLE_DBM
+ /* The legacy database uses the old dbm, which is only linked with the
+ * legacy DB handler, which is only callable from softoken */
+
+ secmod = _NSSUTIL_GetSecmodName(parameters, &dbType, &appName,
+ &filename, &rw);
+
+ switch (function) {
+ case SECMOD_MODULE_DB_FUNCTION_FIND:
+ if (secmod == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ if (rw && (dbType != NSS_DB_TYPE_LEGACY) &&
+ (dbType != NSS_DB_TYPE_MULTIACCESS)) {
+ /* if we get here, we are trying to update the local database */
+ /* force data from the legacy DB */
+ char *oldSecmod = NULL;
+ char *oldAppName = NULL;
+ char *oldFilename = NULL;
+ PRBool oldrw;
+ char **strings = NULL;
+ int i;
+
+ dbType = NSS_DB_TYPE_LEGACY;
+ oldSecmod = _NSSUTIL_GetSecmodName(parameters, &dbType, &oldAppName,
+ &oldFilename, &oldrw);
+ strings = sftkdbCall_ReadSecmodDB(appName, oldFilename, oldSecmod,
+ (char *)parameters, oldrw);
+ if (strings) {
+ /* write out the strings */
+ for (i = 0; strings[i]; i++) {
+ NSSUTIL_DoModuleDBFunction(SECMOD_MODULE_DB_FUNCTION_ADD,
+ parameters, strings[i]);
+ }
+ sftkdbCall_ReleaseSecmodDBData(oldAppName, oldFilename, oldSecmod,
+ (char **)strings, oldrw);
+ } else {
+ /* write out a dummy record */
+ NSSUTIL_DoModuleDBFunction(SECMOD_MODULE_DB_FUNCTION_ADD,
+ parameters, " ");
+ }
+ if (oldSecmod) {
+ PR_smprintf_free(oldSecmod);
+ }
+ if (oldAppName) {
+ PORT_Free(oldAppName);
+ }
+ if (oldFilename) {
+ PORT_Free(oldFilename);
+ }
+ rvstr = NSSUTIL_DoModuleDBFunction(function, parameters, args);
+ break;
+ }
+ rvstr = sftkdbCall_ReadSecmodDB(appName, filename, secmod,
+ (char *)parameters, rw);
+ break;
+ case SECMOD_MODULE_DB_FUNCTION_ADD:
+ if (secmod == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ rvstr = (sftkdbCall_AddSecmodDB(appName, filename, secmod,
+ (char *)args, rw) == SECSuccess)
+ ? &success
+ : NULL;
+ break;
+ case SECMOD_MODULE_DB_FUNCTION_DEL:
+ if (secmod == NULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ goto loser;
+ }
+ rvstr = (sftkdbCall_DeleteSecmodDB(appName, filename, secmod,
+ (char *)args, rw) == SECSuccess)
+ ? &success
+ : NULL;
+ break;
+ case SECMOD_MODULE_DB_FUNCTION_RELEASE:
+ rvstr = (sftkdbCall_ReleaseSecmodDBData(appName, filename, secmod,
+ (char **)args, rw) == SECSuccess)
+ ? &success
+ : NULL;
+ break;
+ }
+
+loser:
+ if (secmod)
+ PR_smprintf_free(secmod);
+ if (appName)
+ PORT_Free(appName);
+ if (filename)
+ PORT_Free(filename);
+#endif /* NSS_DISABLE_DBM */
+ return rvstr;
+}
+
+static void
+nscFreeAllSlots(unsigned int moduleIndex)
+{
+ /* free all the slots */
+ SFTKSlot *slot = NULL;
+ CK_SLOT_ID slotID;
+ int i;
+
+ if (nscSlotList[moduleIndex]) {
+ CK_ULONG tmpSlotCount = nscSlotCount[moduleIndex];
+ CK_SLOT_ID_PTR tmpSlotList = nscSlotList[moduleIndex];
+ PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex];
+
+ /* first close all the session */
+ for (i = 0; i < (int)tmpSlotCount; i++) {
+ slotID = tmpSlotList[i];
+ (void)NSC_CloseAllSessions(slotID);
+ }
+
+ /* now clear out the statics */
+ nscSlotList[moduleIndex] = NULL;
+ nscSlotCount[moduleIndex] = 0;
+ nscSlotHashTable[moduleIndex] = NULL;
+ nscSlotListSize[moduleIndex] = 0;
+
+ for (i = 0; i < (int)tmpSlotCount; i++) {
+ slotID = tmpSlotList[i];
+ slot = (SFTKSlot *)
+ PL_HashTableLookup(tmpSlotHashTable, (void *)(uintptr_t)slotID);
+ PORT_Assert(slot);
+ if (!slot)
+ continue;
+ SFTK_DestroySlotData(slot);
+ PL_HashTableRemove(tmpSlotHashTable, (void *)(uintptr_t)slotID);
+ }
+ PORT_Free(tmpSlotList);
+ PL_HashTableDestroy(tmpSlotHashTable);
+ }
+}
+
+static void
+sftk_closePeer(PRBool isFIPS)
+{
+ CK_SLOT_ID slotID = isFIPS ? PRIVATE_KEY_SLOT_ID : FIPS_SLOT_ID;
+ SFTKSlot *slot;
+ unsigned int moduleIndex = isFIPS ? NSC_NON_FIPS_MODULE : NSC_FIPS_MODULE;
+ PLHashTable *tmpSlotHashTable = nscSlotHashTable[moduleIndex];
+
+ slot = (SFTKSlot *)PL_HashTableLookup(tmpSlotHashTable, (void *)(uintptr_t)slotID);
+ if (slot == NULL) {
+ return;
+ }
+ sftk_DBShutdown(slot);
+ return;
+}
+
+extern void sftk_PBELockInit(void);
+extern void sftk_PBELockShutdown(void);
+
+/* NSC_Initialize initializes the Cryptoki library. */
+CK_RV
+nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
+{
+ CK_RV crv = CKR_OK;
+ SECStatus rv;
+ CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
+ PRBool destroy_freelist_on_error = PR_TRUE;
+ int i;
+ unsigned int moduleIndex = isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;
+
+ if (isFIPS) {
+ loginWaitTime = PR_SecondsToInterval(1);
+ }
+
+ ENABLE_FORK_CHECK();
+
+ sftk_PBELockInit();
+
+ rv = SECOID_Init();
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ return crv;
+ }
+
+ rv = RNG_RNGInit(); /* initialize random number generator */
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ return crv;
+ }
+ rv = BL_Init(); /* initialize freebl engine */
+ if (rv != SECSuccess) {
+ crv = CKR_DEVICE_ERROR;
+ return crv;
+ }
+
+ /* NOTE:
+ * we should be getting out mutexes from this list, not statically binding
+ * them from NSPR. This should happen before we allow the internal to split
+ * off from the rest on NSS.
+ */
+
+ /* initialize the key and cert db's */
+ if (init_args && (!(init_args->flags & CKF_OS_LOCKING_OK))) {
+ if (init_args->CreateMutex && init_args->DestroyMutex &&
+ init_args->LockMutex && init_args->UnlockMutex) {
+ /* softoken always uses NSPR (ie. OS locking), and doesn't know how
+ * to use the lock functions provided by the application.
+ */
+ crv = CKR_CANT_LOCK;
+ return crv;
+ }
+ if (init_args->CreateMutex || init_args->DestroyMutex ||
+ init_args->LockMutex || init_args->UnlockMutex) {
+ /* only some of the lock functions were provided by the
+ * application. This is invalid per PKCS#11 spec.
+ */
+ crv = CKR_ARGUMENTS_BAD;
+ return crv;
+ }
+ }
+ crv = CKR_ARGUMENTS_BAD;
+ if ((init_args && init_args->LibraryParameters)) {
+ sftk_parameters paramStrings;
+
+ crv = sftk_parseParameters((char *)init_args->LibraryParameters, &paramStrings, isFIPS);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_configure(paramStrings.man, paramStrings.libdes);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* if we have a peer already open, have him close his DB's so we
+ * don't clobber each other. */
+ if ((isFIPS && nsc_init) || (!isFIPS && nsf_init)) {
+ sftk_closePeer(isFIPS);
+ if (sftk_audit_enabled) {
+ if (isFIPS && nsc_init) {
+ sftk_LogAuditMessage(NSS_AUDIT_INFO, NSS_AUDIT_FIPS_STATE,
+ "enabled FIPS mode");
+ } else {
+ sftk_LogAuditMessage(NSS_AUDIT_INFO, NSS_AUDIT_FIPS_STATE,
+ "disabled FIPS mode");
+ }
+ }
+ /* if we have a peer open, we don't want to destroy the freelist
+ * from under the peer if we fail, the free list will be
+ * destroyed in that case when the C_Finalize is called for
+ * the peer */
+ destroy_freelist_on_error = PR_FALSE;
+ }
+ /* allow us to create objects in SFTK_SlotInit */
+ sftk_InitFreeLists();
+
+ for (i = 0; i < paramStrings.token_count; i++) {
+ crv = SFTK_SlotInit(paramStrings.configdir,
+ paramStrings.updatedir, paramStrings.updateID,
+ &paramStrings.tokens[i], moduleIndex);
+ if (crv != CKR_OK) {
+ nscFreeAllSlots(moduleIndex);
+ break;
+ }
+ }
+ loser:
+ sftk_freeParams(&paramStrings);
+ }
+ if (destroy_freelist_on_error && (CKR_OK != crv)) {
+ /* idempotent. If the list are already freed, this is a noop */
+ sftk_CleanupFreeLists();
+ }
+
+#ifndef NO_FORK_CHECK
+ if (CKR_OK == crv) {
+#if defined(CHECK_FORK_MIXED)
+ /* Before Solaris 10, fork handlers are not unregistered at dlclose()
+ * time. So, we only use pthread_atfork on Solaris 10 and later. For
+ * earlier versions, we use PID checks.
+ */
+ char buf[200];
+ int major = 0, minor = 0;
+
+ long rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
+ if (rv > 0 && rv < sizeof(buf)) {
+ if (2 == sscanf(buf, "%d.%d", &major, &minor)) {
+ /* Are we on Solaris 10 or greater ? */
+ if (major > 5 || (5 == major && minor >= 10)) {
+ /* we are safe to use pthread_atfork */
+ usePthread_atfork = PR_TRUE;
+ }
+ }
+ }
+ if (usePthread_atfork) {
+ pthread_atfork(NULL, NULL, ForkedChild);
+ } else {
+ myPid = getpid();
+ }
+
+#elif defined(CHECK_FORK_PTHREAD)
+ pthread_atfork(NULL, NULL, ForkedChild);
+#elif defined(CHECK_FORK_GETPID)
+ myPid = getpid();
+#else
+#error Incorrect fork check method.
+#endif
+ }
+#endif
+ return crv;
+}
+
+CK_RV
+NSC_Initialize(CK_VOID_PTR pReserved)
+{
+ CK_RV crv;
+
+ sftk_ForkReset(pReserved, &crv);
+
+ if (nsc_init) {
+ return CKR_CRYPTOKI_ALREADY_INITIALIZED;
+ }
+ crv = nsc_CommonInitialize(pReserved, PR_FALSE);
+ nsc_init = (PRBool)(crv == CKR_OK);
+ return crv;
+}
+
+/* NSC_Finalize indicates that an application is done with the
+ * Cryptoki library.*/
+CK_RV
+nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS)
+{
+ /* propagate the fork status to freebl and util */
+ BL_SetForkState(parentForkedAfterC_Initialize);
+ UTIL_SetForkState(parentForkedAfterC_Initialize);
+
+ nscFreeAllSlots(isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE);
+
+ /* don't muck with the globals if our peer is still initialized */
+ if (isFIPS && nsc_init) {
+ return CKR_OK;
+ }
+ if (!isFIPS && nsf_init) {
+ return CKR_OK;
+ }
+
+ sftk_CleanupFreeLists();
+ sftkdb_Shutdown();
+
+ /* This function does not discard all our previously aquired entropy. */
+ RNG_RNGShutdown();
+
+ /* tell freeBL to clean up after itself */
+ BL_Cleanup();
+
+ /* reset fork status in freebl. We must do this before BL_Unload so that
+ * this call doesn't force freebl to be reloaded. */
+ BL_SetForkState(PR_FALSE);
+
+#ifndef NSS_STATIC_SOFTOKEN
+ /* unload freeBL shared library from memory. This may only decrement the
+ * OS refcount if it's been loaded multiple times, eg. by libssl */
+ BL_Unload();
+#endif
+
+ /* clean up the default OID table */
+ SECOID_Shutdown();
+
+ sftk_PBELockShutdown();
+
+ /* reset fork status in util */
+ UTIL_SetForkState(PR_FALSE);
+
+ nsc_init = PR_FALSE;
+
+#ifndef NO_FORK_CHECK
+#ifdef CHECK_FORK_MIXED
+ if (!usePthread_atfork) {
+ myPid = 0; /* allow CHECK_FORK in the next softoken initialization to
+ * succeed */
+ } else {
+ forked = PR_FALSE; /* allow reinitialization */
+ }
+#elif defined(CHECK_FORK_GETPID)
+ myPid = 0; /* allow reinitialization */
+#elif defined(CHECK_FORK_PTHREAD)
+ forked = PR_FALSE; /* allow reinitialization */
+#endif
+#endif
+ return CKR_OK;
+}
+
+/* Hard-reset the entire softoken PKCS#11 module if the parent process forked
+ * while it was initialized. */
+PRBool
+sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV *crv)
+{
+#ifndef NO_FORK_CHECK
+ if (PARENT_FORKED()) {
+ parentForkedAfterC_Initialize = PR_TRUE;
+ if (nsc_init) {
+ /* finalize non-FIPS token */
+ *crv = nsc_CommonFinalize(pReserved, PR_FALSE);
+ PORT_Assert(CKR_OK == *crv);
+ nsc_init = (PRBool) !(*crv == CKR_OK);
+ }
+ if (nsf_init) {
+ /* finalize FIPS token */
+ *crv = nsc_CommonFinalize(pReserved, PR_TRUE);
+ PORT_Assert(CKR_OK == *crv);
+ nsf_init = (PRBool) !(*crv == CKR_OK);
+ }
+ parentForkedAfterC_Initialize = PR_FALSE;
+ return PR_TRUE;
+ }
+#endif
+ return PR_FALSE;
+}
+
+/* NSC_Finalize indicates that an application is done with the
+ * Cryptoki library.*/
+CK_RV
+NSC_Finalize(CK_VOID_PTR pReserved)
+{
+ CK_RV crv;
+
+ /* reset entire PKCS#11 module upon fork */
+ if (sftk_ForkReset(pReserved, &crv)) {
+ return crv;
+ }
+
+ if (!nsc_init) {
+ return CKR_OK;
+ }
+
+ crv = nsc_CommonFinalize(pReserved, PR_FALSE);
+
+ nsc_init = (PRBool) !(crv == CKR_OK);
+
+ return crv;
+}
+
+extern const char __nss_softokn_version[];
+
+/* NSC_GetInfo returns general information about Cryptoki. */
+CK_RV
+NSC_GetInfo(CK_INFO_PTR pInfo)
+{
+#define NSS_VERSION_VARIABLE __nss_softokn_version
+#include "verref.h"
+
+ CHECK_FORK();
+
+ pInfo->cryptokiVersion.major = CRYPTOKI_VERSION_MAJOR;
+ pInfo->cryptokiVersion.minor = CRYPTOKI_VERSION_MINOR;
+ PORT_Memcpy(pInfo->manufacturerID, manufacturerID, 32);
+ pInfo->libraryVersion.major = SOFTOKEN_VMAJOR;
+ pInfo->libraryVersion.minor = SOFTOKEN_VMINOR;
+ PORT_Memcpy(pInfo->libraryDescription, libraryDescription, 32);
+ pInfo->flags = 0;
+ return CKR_OK;
+}
+
+/* NSC_GetInfo returns general information about Cryptoki. */
+CK_RV
+NSC_GetInfoV2(CK_INFO_PTR pInfo)
+{
+ CHECK_FORK();
+
+ pInfo->cryptokiVersion.major = 2;
+ pInfo->cryptokiVersion.minor = 40;
+ PORT_Memcpy(pInfo->manufacturerID, manufacturerID, 32);
+ pInfo->libraryVersion.major = SOFTOKEN_VMAJOR;
+ pInfo->libraryVersion.minor = SOFTOKEN_VMINOR;
+ PORT_Memcpy(pInfo->libraryDescription, libraryDescription, 32);
+ pInfo->flags = 0;
+ return CKR_OK;
+}
+
+/* NSC_GetSlotList obtains a list of slots in the system. */
+CK_RV
+nsc_CommonGetSlotList(CK_BBOOL tokenPresent,
+ CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount,
+ unsigned int moduleIndex)
+{
+ *pulCount = nscSlotCount[moduleIndex];
+ if (pSlotList != NULL) {
+ PORT_Memcpy(pSlotList, nscSlotList[moduleIndex],
+ nscSlotCount[moduleIndex] * sizeof(CK_SLOT_ID));
+ }
+ return CKR_OK;
+}
+
+/* NSC_GetSlotList obtains a list of slots in the system. */
+CK_RV
+NSC_GetSlotList(CK_BBOOL tokenPresent,
+ CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
+{
+ CHECK_FORK();
+ return nsc_CommonGetSlotList(tokenPresent, pSlotList, pulCount,
+ NSC_NON_FIPS_MODULE);
+}
+
+/* NSC_GetSlotInfo obtains information about a particular slot in the system. */
+CK_RV
+NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
+{
+ SFTKSlot *slot = sftk_SlotFromID(slotID, PR_TRUE);
+
+ CHECK_FORK();
+
+ if (slot == NULL)
+ return CKR_SLOT_ID_INVALID;
+
+ PORT_Memcpy(pInfo->manufacturerID, manufacturerID,
+ sizeof(pInfo->manufacturerID));
+ PORT_Memcpy(pInfo->slotDescription, slot->slotDescription,
+ sizeof(pInfo->slotDescription));
+ pInfo->flags = (slot->present) ? CKF_TOKEN_PRESENT : 0;
+
+ /* all user defined slots are defined as removable */
+ if (slotID >= SFTK_MIN_USER_SLOT_ID) {
+ pInfo->flags |= CKF_REMOVABLE_DEVICE;
+ } else {
+ /* In the case where we are doing a merge update, we need
+ * the DB slot to be removable so the token name can change
+ * appropriately. */
+ SFTKDBHandle *handle = sftk_getKeyDB(slot);
+ if (handle) {
+ if (sftkdb_InUpdateMerge(handle)) {
+ pInfo->flags |= CKF_REMOVABLE_DEVICE;
+ }
+ sftk_freeDB(handle);
+ }
+ }
+
+ /* If there is no key database, this is for example the case when NSS was
+ * initialized with NSS_NoDbInit(), then there won't be any point in
+ * requesting a PIN. Set the CKF_USER_PIN_INITIALIZED bit so that
+ * PK11_NeedUserInit() doesn't indicate that a PIN is needed.
+ */
+ if (slot->keyDB == NULL) {
+ pInfo->flags |= CKF_USER_PIN_INITIALIZED;
+ }
+
+ /* ok we really should read it out of the keydb file. */
+ /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
+ pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR;
+ pInfo->hardwareVersion.minor = SOFTOKEN_VMINOR;
+ pInfo->firmwareVersion.major = SOFTOKEN_VPATCH;
+ pInfo->firmwareVersion.minor = SOFTOKEN_VBUILD;
+ return CKR_OK;
+}
+
+/*
+ * check the current state of the 'needLogin' flag in case the database has
+ * been changed underneath us.
+ */
+static PRBool
+sftk_checkNeedLogin(SFTKSlot *slot, SFTKDBHandle *keyHandle)
+{
+ PRBool needLogin;
+ if (sftkdb_PWCached(keyHandle) == SECSuccess) {
+ PZ_Lock(slot->slotLock);
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+ } else {
+ needLogin = (PRBool)!sftk_hasNullPassword(slot, keyHandle);
+ PZ_Lock(slot->slotLock);
+ slot->needLogin = needLogin;
+ PZ_Unlock(slot->slotLock);
+ }
+ return needLogin;
+}
+
+static PRBool
+sftk_isBlank(const char *s, int len)
+{
+ int i;
+ for (i = 0; i < len; i++) {
+ if (s[i] != ' ') {
+ return PR_FALSE;
+ }
+ }
+ return PR_TRUE;
+}
+
+/* NSC_GetTokenInfo obtains information about a particular token in
+ * the system. */
+CK_RV
+NSC_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
+{
+ SFTKSlot *slot;
+ SFTKDBHandle *handle;
+
+ CHECK_FORK();
+
+ if (!nsc_init && !nsf_init)
+ return CKR_CRYPTOKI_NOT_INITIALIZED;
+ slot = sftk_SlotFromID(slotID, PR_FALSE);
+ if (slot == NULL)
+ return CKR_SLOT_ID_INVALID;
+
+ PORT_Memcpy(pInfo->manufacturerID, manufacturerID, 32);
+ PORT_Memcpy(pInfo->model, "NSS 3 ", 16);
+ PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16);
+ PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16);
+ pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
+ pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
+ PZ_Lock(slot->slotLock); /* Protect sessionCount / rwSessioncount */
+ pInfo->ulSessionCount = slot->sessionCount;
+ pInfo->ulRwSessionCount = slot->rwSessionCount;
+ PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */
+ pInfo->firmwareVersion.major = 0;
+ pInfo->firmwareVersion.minor = 0;
+ PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label));
+ handle = sftk_getKeyDB(slot);
+ pInfo->flags = CKF_RNG | CKF_DUAL_CRYPTO_OPERATIONS;
+ if (handle == NULL) {
+ pInfo->flags |= CKF_WRITE_PROTECTED;
+ pInfo->ulMaxPinLen = 0;
+ pInfo->ulMinPinLen = 0;
+ pInfo->ulTotalPublicMemory = 0;
+ pInfo->ulFreePublicMemory = 0;
+ pInfo->ulTotalPrivateMemory = 0;
+ pInfo->ulFreePrivateMemory = 0;
+ pInfo->hardwareVersion.major = 4;
+ pInfo->hardwareVersion.minor = 0;
+ } else {
+ /*
+ * we have three possible states which we may be in:
+ * (1) No DB password has been initialized. This also means we
+ * have no keys in the key db.
+ * (2) Password initialized to NULL. This means we have keys, but
+ * the user has chosen not use a password.
+ * (3) Finally we have an initialized password whicn is not NULL, and
+ * we will need to prompt for it.
+ */
+ if (sftkdb_HasPasswordSet(handle) == SECFailure) {
+ pInfo->flags |= CKF_LOGIN_REQUIRED;
+ } else if (!sftk_checkNeedLogin(slot, handle)) {
+ pInfo->flags |= CKF_USER_PIN_INITIALIZED;
+ } else {
+ pInfo->flags |= CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED;
+ /*
+ * if we are doing a merge style update, and we need to get the password
+ * of our source database (the database we are updating from), make sure we
+ * return a token name that will match the database we are prompting for.
+ */
+ if (sftkdb_NeedUpdateDBPassword(handle)) {
+ /* if we have an update tok description, use it. otherwise
+ * use the updateID for this database */
+ if (!sftk_isBlank(slot->updateTokDescription,
+ sizeof(pInfo->label))) {
+ PORT_Memcpy(pInfo->label, slot->updateTokDescription,
+ sizeof(pInfo->label));
+ } else {
+ /* build from updateID */
+ const char *updateID = sftkdb_GetUpdateID(handle);
+ if (updateID) {
+ sftk_setStringName(updateID, (char *)pInfo->label,
+ sizeof(pInfo->label), PR_FALSE);
+ }
+ }
+ }
+ }
+ pInfo->ulMaxPinLen = SFTK_MAX_PIN;
+ pInfo->ulMinPinLen = (CK_ULONG)slot->minimumPinLen;
+ pInfo->ulTotalPublicMemory = 1;
+ pInfo->ulFreePublicMemory = 1;
+ pInfo->ulTotalPrivateMemory = 1;
+ pInfo->ulFreePrivateMemory = 1;
+#ifdef SHDB_FIXME
+ pInfo->hardwareVersion.major = CERT_DB_FILE_VERSION;
+ pInfo->hardwareVersion.minor = handle->version;
+#else
+ pInfo->hardwareVersion.major = 0;
+ pInfo->hardwareVersion.minor = 0;
+#endif
+ sftk_freeDB(handle);
+ }
+ /*
+ * CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED how CKF_TOKEN_INITIALIZED
+ * should be set
+ * 0 0 1
+ * 1 0 0
+ * 0 1 1
+ * 1 1 1
+ */
+ if (!(pInfo->flags & CKF_LOGIN_REQUIRED) ||
+ (pInfo->flags & CKF_USER_PIN_INITIALIZED)) {
+ pInfo->flags |= CKF_TOKEN_INITIALIZED;
+ }
+ return CKR_OK;
+}
+
+/* NSC_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_RV
+NSC_GetMechanismList(CK_SLOT_ID slotID,
+ CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount)
+{
+ CK_ULONG i;
+
+ CHECK_FORK();
+
+ switch (slotID) {
+ /* default: */
+ case NETSCAPE_SLOT_ID:
+ *pulCount = mechanismCount;
+ if (pMechanismList != NULL) {
+ for (i = 0; i < mechanismCount; i++) {
+ pMechanismList[i] = mechanisms[i].type;
+ }
+ }
+ break;
+ default:
+ *pulCount = 0;
+ for (i = 0; i < mechanismCount; i++) {
+ if (mechanisms[i].privkey) {
+ (*pulCount)++;
+ if (pMechanismList != NULL) {
+ *pMechanismList++ = mechanisms[i].type;
+ }
+ }
+ }
+ break;
+ }
+ return CKR_OK;
+}
+
+/* NSC_GetMechanismInfo obtains information about a particular mechanism
+ * possibly supported by a token. */
+CK_RV
+NSC_GetMechanismInfo(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo)
+{
+ PRBool isPrivateKey;
+ CK_ULONG i;
+
+ CHECK_FORK();
+
+ switch (slotID) {
+ case NETSCAPE_SLOT_ID:
+ isPrivateKey = PR_FALSE;
+ break;
+ default:
+ isPrivateKey = PR_TRUE;
+ break;
+ }
+ for (i = 0; i < mechanismCount; i++) {
+ if (type == mechanisms[i].type) {
+ if (isPrivateKey && !mechanisms[i].privkey) {
+ return CKR_MECHANISM_INVALID;
+ }
+ PORT_Memcpy(pInfo, &mechanisms[i].info, sizeof(CK_MECHANISM_INFO));
+ return CKR_OK;
+ }
+ }
+ return CKR_MECHANISM_INVALID;
+}
+
+/*
+ * If we are using the V2 interface, strip out the message flags
+ */
+#define SFTK_MESSAGE_FLAGS (CKF_MESSAGE_ENCRYPT | CKF_MESSAGE_DECRYPT | CKF_MESSAGE_SIGN | CKF_MESSAGE_VERIFY)
+CK_RV
+NSC_GetMechanismInfoV2(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type,
+ CK_MECHANISM_INFO_PTR pInfo)
+{
+ CK_RV crv;
+ crv = NSC_GetMechanismInfo(slotID, type, pInfo);
+ if (crv == CKR_OK) {
+ pInfo->flags = pInfo->flags & ~SFTK_MESSAGE_FLAGS;
+ }
+ return crv;
+}
+
+CK_RV
+sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op)
+{
+ CK_ULONG i;
+ CK_FLAGS flags = sftk_AttributeToFlags(op);
+
+ if (flags == 0) {
+ return CKR_ARGUMENTS_BAD;
+ }
+ for (i = 0; i < mechanismCount; i++) {
+ if (type == mechanisms[i].type) {
+ return (flags & mechanisms[i].info.flags) ? CKR_OK
+ : CKR_MECHANISM_INVALID;
+ }
+ }
+ return CKR_MECHANISM_INVALID;
+}
+
+/* NSC_InitToken initializes a token. */
+CK_RV
+NSC_InitToken(CK_SLOT_ID slotID, CK_CHAR_PTR pPin,
+ CK_ULONG ulPinLen, CK_CHAR_PTR pLabel)
+{
+ SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
+ SFTKDBHandle *handle;
+ SECStatus rv;
+ unsigned int i;
+ SFTKObject *object;
+
+ CHECK_FORK();
+
+ if (slot == NULL)
+ return CKR_SLOT_ID_INVALID;
+
+ /* don't initialize the database if we aren't talking to a token
+ * that uses the key database.
+ */
+ if (slotID == NETSCAPE_SLOT_ID) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ /* first, delete all our loaded key and cert objects from our
+ * internal list. */
+ PZ_Lock(slot->objectLock);
+ for (i = 0; i < slot->sessObjHashSize; i++) {
+ do {
+ object = slot->sessObjHashTable[i];
+ /* hand deque */
+ /* this duplicates function of NSC_close session functions, but
+ * because we know that we are freeing all the sessions, we can
+ * do more efficient processing */
+ if (object) {
+ slot->sessObjHashTable[i] = object->next;
+
+ if (object->next)
+ object->next->prev = NULL;
+ object->next = object->prev = NULL;
+ }
+ if (object)
+ sftk_FreeObject(object);
+ } while (object != NULL);
+ }
+ slot->DB_loaded = PR_FALSE;
+ PZ_Unlock(slot->objectLock);
+
+ /* then clear out the key database */
+ handle = sftk_getKeyDB(slot);
+ if (handle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ rv = sftkdb_ResetKeyDB(handle);
+ /* clear the password */
+ sftkdb_ClearPassword(handle);
+ /* update slot->needLogin (should be true now since no password is set) */
+ sftk_checkNeedLogin(slot, handle);
+ sftk_freeDB(handle);
+ if (rv != SECSuccess) {
+ return CKR_DEVICE_ERROR;
+ }
+
+ return CKR_OK;
+}
+
+/* NSC_InitPIN initializes the normal user's PIN. */
+CK_RV
+NSC_InitPIN(CK_SESSION_HANDLE hSession,
+ CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+ SFTKSession *sp = NULL;
+ SFTKSlot *slot;
+ SFTKDBHandle *handle = NULL;
+ char newPinStr[SFTK_MAX_PIN + 1];
+ SECStatus rv;
+ CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+ PRBool tokenRemoved = PR_FALSE;
+
+ CHECK_FORK();
+
+ sp = sftk_SessionFromHandle(hSession);
+ if (sp == NULL) {
+ goto loser;
+ }
+
+ slot = sftk_SlotFromSession(sp);
+ if (slot == NULL) {
+ goto loser;
+ }
+
+ handle = sftk_getKeyDB(slot);
+ if (handle == NULL) {
+ crv = CKR_PIN_LEN_RANGE;
+ goto loser;
+ }
+
+ if (sp->info.state != CKS_RW_SO_FUNCTIONS) {
+ crv = CKR_USER_NOT_LOGGED_IN;
+ goto loser;
+ }
+
+ sftk_FreeSession(sp);
+ sp = NULL;
+
+ /* make sure the pins aren't too long */
+ if (ulPinLen > SFTK_MAX_PIN) {
+ crv = CKR_PIN_LEN_RANGE;
+ goto loser;
+ }
+ if (ulPinLen < (CK_ULONG)slot->minimumPinLen) {
+ crv = CKR_PIN_LEN_RANGE;
+ goto loser;
+ }
+
+ if (sftkdb_HasPasswordSet(handle) != SECFailure) {
+ crv = CKR_DEVICE_ERROR;
+ goto loser;
+ }
+
+ /* convert to null terminated string */
+ PORT_Memcpy(newPinStr, pPin, ulPinLen);
+ newPinStr[ulPinLen] = 0;
+
+ /* build the hashed pins which we pass around */
+
+ /* change the data base */
+ rv = sftkdb_ChangePassword(handle, NULL, newPinStr, &tokenRemoved);
+ if (tokenRemoved) {
+ sftk_CloseAllSessions(slot, PR_FALSE);
+ }
+ PORT_Memset(newPinStr, 0, ulPinLen);
+ sftk_freeDB(handle);
+ handle = NULL;
+
+ /* Now update our local copy of the pin */
+ if (rv == SECSuccess) {
+ if (ulPinLen == 0) {
+ PZ_Lock(slot->slotLock);
+ slot->needLogin = PR_FALSE;
+ PZ_Unlock(slot->slotLock);
+ }
+ /* database has been initialized, now force min password in FIPS
+ * mode. NOTE: if we are in level1, we may not have a password, but
+ * forcing it now will prevent an insufficient password from being set.
+ */
+ if ((sftk_GetModuleIndex(slot->slotID) == NSC_FIPS_MODULE) &&
+ (slot->minimumPinLen < FIPS_MIN_PIN)) {
+ slot->minimumPinLen = FIPS_MIN_PIN;
+ }
+ return CKR_OK;
+ }
+ crv = CKR_PIN_INCORRECT;
+
+loser:
+ if (sp) {
+ sftk_FreeSession(sp);
+ }
+ if (handle) {
+ sftk_freeDB(handle);
+ }
+ return crv;
+}
+
+/* NSC_SetPIN modifies the PIN of user that is currently logged in. */
+/* NOTE: This is only valid for the PRIVATE_KEY_SLOT */
+CK_RV
+NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
+ CK_ULONG ulOldLen, CK_CHAR_PTR pNewPin, CK_ULONG ulNewLen)
+{
+ SFTKSession *sp = NULL;
+ SFTKSlot *slot;
+ SFTKDBHandle *handle = NULL;
+ char newPinStr[SFTK_MAX_PIN + 1], oldPinStr[SFTK_MAX_PIN + 1];
+ SECStatus rv;
+ CK_RV crv = CKR_SESSION_HANDLE_INVALID;
+ PRBool needLogin;
+ PRBool tokenRemoved = PR_FALSE;
+
+ CHECK_FORK();
+
+ sp = sftk_SessionFromHandle(hSession);
+ if (sp == NULL) {
+ goto loser;
+ }
+
+ slot = sftk_SlotFromSession(sp);
+ if (!slot) {
+ goto loser;
+ }
+
+ handle = sftk_getKeyDB(slot);
+ if (handle == NULL) {
+ sftk_FreeSession(sp);
+ return CKR_PIN_LEN_RANGE; /* XXX FIXME wrong return value */
+ }
+
+ PZ_Lock(slot->slotLock);
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+ if (needLogin && sp->info.state != CKS_RW_USER_FUNCTIONS) {
+ crv = CKR_USER_NOT_LOGGED_IN;
+ goto loser;
+ }
+
+ sftk_FreeSession(sp);
+ sp = NULL;
+
+ /* make sure the pins aren't too long */
+ if ((ulNewLen > SFTK_MAX_PIN) || (ulOldLen > SFTK_MAX_PIN)) {
+ crv = CKR_PIN_LEN_RANGE;
+ goto loser;
+ }
+ /* check the length of new pin, unless both old and new passwords
+ * are empty */
+ if ((ulNewLen != 0 || ulOldLen != 0) &&
+ ulNewLen < (CK_ULONG)slot->minimumPinLen) {
+ crv = CKR_PIN_LEN_RANGE;
+ goto loser;
+ }
+
+ /* convert to null terminated string */
+ PORT_Memcpy(newPinStr, pNewPin, ulNewLen);
+ newPinStr[ulNewLen] = 0;
+ PORT_Memcpy(oldPinStr, pOldPin, ulOldLen);
+ oldPinStr[ulOldLen] = 0;
+
+ /* change the data base password */
+ PR_Lock(slot->pwCheckLock);
+ rv = sftkdb_ChangePassword(handle, oldPinStr, newPinStr, &tokenRemoved);
+ PORT_Memset(newPinStr, 0, ulNewLen);
+ PORT_Memset(oldPinStr, 0, ulOldLen);
+ if (tokenRemoved) {
+ sftk_CloseAllSessions(slot, PR_FALSE);
+ }
+ if ((rv != SECSuccess) && (sftk_isFIPS(slot->slotID))) {
+ PR_Sleep(loginWaitTime);
+ }
+ PR_Unlock(slot->pwCheckLock);
+
+ /* Now update our local copy of the pin */
+ if (rv == SECSuccess) {
+ PZ_Lock(slot->slotLock);
+ slot->needLogin = (PRBool)(ulNewLen != 0);
+ slot->isLoggedIn = (PRBool)(sftkdb_PWCached(handle) == SECSuccess);
+ PZ_Unlock(slot->slotLock);
+ /* Reset login flags. */
+ if (ulNewLen == 0) {
+ PZ_Lock(slot->slotLock);
+ slot->isLoggedIn = PR_FALSE;
+ slot->ssoLoggedIn = PR_FALSE;
+ PZ_Unlock(slot->slotLock);
+
+ tokenRemoved = PR_FALSE;
+ rv = sftkdb_CheckPasswordNull(handle, &tokenRemoved);
+ if (tokenRemoved) {
+ sftk_CloseAllSessions(slot, PR_FALSE);
+ }
+ }
+ sftk_update_all_states(slot);
+ sftk_freeDB(handle);
+ return CKR_OK;
+ }
+ crv = CKR_PIN_INCORRECT;
+loser:
+ if (sp) {
+ sftk_FreeSession(sp);
+ }
+ if (handle) {
+ sftk_freeDB(handle);
+ }
+ return crv;
+}
+
+/* NSC_OpenSession opens a session between an application and a token. */
+CK_RV
+NSC_OpenSession(CK_SLOT_ID slotID, CK_FLAGS flags,
+ CK_VOID_PTR pApplication, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession)
+{
+ SFTKSlot *slot;
+ CK_SESSION_HANDLE sessionID;
+ SFTKSession *session;
+ SFTKSession *sameID;
+
+ CHECK_FORK();
+
+ slot = sftk_SlotFromID(slotID, PR_FALSE);
+ if (slot == NULL)
+ return CKR_SLOT_ID_INVALID;
+
+ /* new session (we only have serial sessions) */
+ session = sftk_NewSession(slotID, Notify, pApplication,
+ flags | CKF_SERIAL_SESSION);
+ if (session == NULL)
+ return CKR_HOST_MEMORY;
+
+ if (slot->readOnly && (flags & CKF_RW_SESSION)) {
+ /* NETSCAPE_SLOT_ID is Read ONLY */
+ session->info.flags &= ~CKF_RW_SESSION;
+ }
+ PZ_Lock(slot->slotLock);
+ ++slot->sessionCount;
+ PZ_Unlock(slot->slotLock);
+ if (session->info.flags & CKF_RW_SESSION) {
+ (void)PR_ATOMIC_INCREMENT(&slot->rwSessionCount);
+ }
+
+ do {
+ PZLock *lock;
+ do {
+ sessionID = (PR_ATOMIC_INCREMENT(&slot->sessionIDCount) & 0xffffff) | (slot->index << 24);
+ } while (sessionID == CK_INVALID_HANDLE);
+ lock = SFTK_SESSION_LOCK(slot, sessionID);
+ PZ_Lock(lock);
+ sftkqueue_find(sameID, sessionID, slot->head, slot->sessHashSize);
+ if (sameID == NULL) {
+ session->handle = sessionID;
+ sftk_update_state(slot, session);
+ sftkqueue_add(session, sessionID, slot->head, slot->sessHashSize);
+ } else {
+ slot->sessionIDConflict++; /* for debugging */
+ }
+ PZ_Unlock(lock);
+ } while (sameID != NULL);
+
+ *phSession = sessionID;
+ return CKR_OK;
+}
+
+/* NSC_CloseSession closes a session between an application and a token. */
+CK_RV
+NSC_CloseSession(CK_SESSION_HANDLE hSession)
+{
+ SFTKSlot *slot;
+ SFTKSession *session;
+ PRBool sessionFound;
+ PZLock *lock;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ slot = sftk_SlotFromSession(session);
+ sessionFound = PR_FALSE;
+
+ /* lock */
+ lock = SFTK_SESSION_LOCK(slot, hSession);
+ PZ_Lock(lock);
+ if (sftkqueue_is_queued(session, hSession, slot->head, slot->sessHashSize)) {
+ sessionFound = PR_TRUE;
+ sftkqueue_delete(session, hSession, slot->head, slot->sessHashSize);
+ }
+ PZ_Unlock(lock);
+
+ if (sessionFound) {
+ SFTKDBHandle *handle;
+ handle = sftk_getKeyDB(slot);
+ PZ_Lock(slot->slotLock);
+ if (--slot->sessionCount == 0) {
+ slot->isLoggedIn = PR_FALSE;
+ if (slot->needLogin && handle) {
+ sftkdb_ClearPassword(handle);
+ }
+ }
+ PZ_Unlock(slot->slotLock);
+ if (handle) {
+ sftk_freeDB(handle);
+ }
+ if (session->info.flags & CKF_RW_SESSION) {
+ (void)PR_ATOMIC_DECREMENT(&slot->rwSessionCount);
+ }
+ sftk_DestroySession(session);
+ session = NULL;
+ }
+
+ return CKR_OK;
+}
+
+/* NSC_CloseAllSessions closes all sessions with a token. */
+CK_RV
+NSC_CloseAllSessions(CK_SLOT_ID slotID)
+{
+ SFTKSlot *slot;
+
+#ifndef NO_FORK_CHECK
+ /* skip fork check if we are being called from C_Initialize or C_Finalize */
+ if (!parentForkedAfterC_Initialize) {
+ CHECK_FORK();
+ }
+#endif
+
+ slot = sftk_SlotFromID(slotID, PR_FALSE);
+ if (slot == NULL)
+ return CKR_SLOT_ID_INVALID;
+
+ return sftk_CloseAllSessions(slot, PR_TRUE);
+}
+
+/* NSC_GetSessionInfo obtains information about the session. */
+CK_RV
+NSC_GetSessionInfo(CK_SESSION_HANDLE hSession,
+ CK_SESSION_INFO_PTR pInfo)
+{
+ SFTKSession *session;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+
+ PORT_Memcpy(pInfo, &session->info, sizeof(CK_SESSION_INFO));
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_Login logs a user into a token. */
+CK_RV
+NSC_Login(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin, CK_ULONG ulPinLen)
+{
+ SFTKSlot *slot;
+ SFTKSession *session;
+ SFTKDBHandle *handle;
+ CK_FLAGS sessionFlags;
+ SECStatus rv;
+ CK_RV crv;
+ char pinStr[SFTK_MAX_PIN + 1];
+ PRBool tokenRemoved = PR_FALSE;
+ PRBool isLoggedIn;
+ PRBool needLogin;
+
+ CHECK_FORK();
+
+ /* get the slot */
+ slot = sftk_SlotFromSessionHandle(hSession);
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ /* make sure the session is valid */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ sessionFlags = session->info.flags;
+ sftk_FreeSession(session);
+ session = NULL;
+
+ /* can't log into the Netscape Slot */
+ if (slot->slotID == NETSCAPE_SLOT_ID) {
+ return CKR_USER_TYPE_INVALID;
+ }
+
+ PZ_Lock(slot->slotLock);
+ isLoggedIn = slot->isLoggedIn;
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+
+ if (isLoggedIn)
+ return CKR_USER_ALREADY_LOGGED_IN;
+ if (!needLogin) {
+ return ulPinLen ? CKR_PIN_INCORRECT : CKR_OK;
+ }
+ slot->ssoLoggedIn = PR_FALSE;
+
+ if (ulPinLen > SFTK_MAX_PIN)
+ return CKR_PIN_LEN_RANGE;
+
+ /* convert to null terminated string */
+ if (ulPinLen) {
+ PORT_Memcpy(pinStr, pPin, ulPinLen);
+ }
+ pinStr[ulPinLen] = 0;
+
+ handle = sftk_getKeyDB(slot);
+ if (handle == NULL) {
+ PORT_Memset(pinStr, 0, ulPinLen);
+ return CKR_USER_TYPE_INVALID;
+ }
+
+ /*
+ * Deal with bootstrap. We allow the SSO to login in with a NULL
+ * password if and only if we haven't initialized the KEY DB yet.
+ * We only allow this on a RW session.
+ */
+ rv = sftkdb_HasPasswordSet(handle);
+ if (rv == SECFailure) {
+ /* allow SSO's to log in only if there is not password on the
+ * key database */
+ if (((userType == CKU_SO) && (sessionFlags & CKF_RW_SESSION))
+ /* fips always needs to authenticate, even if there isn't a db */
+ || (sftk_isFIPS(slot->slotID))) {
+ /* should this be a fixed password? */
+ if (ulPinLen == 0) {
+ sftkdb_ClearPassword(handle);
+ PZ_Lock(slot->slotLock);
+ slot->isLoggedIn = PR_TRUE;
+ slot->ssoLoggedIn = (PRBool)(userType == CKU_SO);
+ PZ_Unlock(slot->slotLock);
+ sftk_update_all_states(slot);
+ crv = CKR_OK;
+ goto done;
+ }
+ crv = CKR_PIN_INCORRECT;
+ goto done;
+ }
+ crv = CKR_USER_TYPE_INVALID;
+ goto done;
+ }
+
+ /* don't allow the SSO to log in if the user is already initialized */
+ if (userType != CKU_USER) {
+ crv = CKR_USER_TYPE_INVALID;
+ goto done;
+ }
+
+ /* build the hashed pins which we pass around */
+ PR_Lock(slot->pwCheckLock);
+ rv = sftkdb_CheckPassword(handle, pinStr, &tokenRemoved);
+ if (tokenRemoved) {
+ sftk_CloseAllSessions(slot, PR_FALSE);
+ }
+ if ((rv != SECSuccess) && (sftk_isFIPS(slot->slotID))) {
+ PR_Sleep(loginWaitTime);
+ }
+ PR_Unlock(slot->pwCheckLock);
+ if (rv == SECSuccess) {
+ PZ_Lock(slot->slotLock);
+ /* make sure the login state matches the underlying
+ * database state */
+ slot->isLoggedIn = sftkdb_PWCached(handle) == SECSuccess ? PR_TRUE : PR_FALSE;
+ PZ_Unlock(slot->slotLock);
+
+ sftk_freeDB(handle);
+ handle = NULL;
+
+ /* update all sessions */
+ sftk_update_all_states(slot);
+ return CKR_OK;
+ }
+
+ crv = CKR_PIN_INCORRECT;
+done:
+ PORT_Memset(pinStr, 0, ulPinLen);
+ if (handle) {
+ sftk_freeDB(handle);
+ }
+ return crv;
+}
+
+CK_RV
+NSC_LoginUser(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pUsername,
+ CK_ULONG ulUsernameLen)
+{
+ /* softoken currently does not support additional users */
+ return CKR_OPERATION_NOT_INITIALIZED;
+}
+
+/* NSC_Logout logs a user out from a token. */
+CK_RV
+NSC_Logout(CK_SESSION_HANDLE hSession)
+{
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SFTKSession *session;
+ SFTKDBHandle *handle;
+
+ CHECK_FORK();
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ sftk_FreeSession(session);
+ session = NULL;
+
+ if (!slot->isLoggedIn)
+ return CKR_USER_NOT_LOGGED_IN;
+
+ handle = sftk_getKeyDB(slot);
+ PZ_Lock(slot->slotLock);
+ slot->isLoggedIn = PR_FALSE;
+ slot->ssoLoggedIn = PR_FALSE;
+ if (slot->needLogin && handle) {
+ sftkdb_ClearPassword(handle);
+ }
+ PZ_Unlock(slot->slotLock);
+ if (handle) {
+ sftk_freeDB(handle);
+ }
+
+ sftk_update_all_states(slot);
+ return CKR_OK;
+}
+
+/*
+ * Create or remove a new slot on the fly.
+ * When creating a slot, "slot" is the slot that the request came from. The
+ * resulting slot will live in the same module as "slot".
+ * When removing a slot, "slot" is the slot to be removed.
+ * "object" is the creation object that specifies the module spec for the slot
+ * to add or remove.
+ */
+static CK_RV
+sftk_CreateNewSlot(SFTKSlot *slot, CK_OBJECT_CLASS class,
+ SFTKObject *object)
+{
+ PRBool isValidUserSlot = PR_FALSE;
+ PRBool isValidFIPSUserSlot = PR_FALSE;
+ PRBool isValidSlot = PR_FALSE;
+ PRBool isFIPS = PR_FALSE;
+ unsigned int moduleIndex = NSC_NON_FIPS_MODULE;
+ SFTKAttribute *attribute;
+ sftk_parameters paramStrings;
+ char *paramString;
+ CK_SLOT_ID slotID = 0;
+ SFTKSlot *newSlot = NULL;
+ CK_RV crv = CKR_OK;
+
+ if (class != CKO_NSS_DELSLOT && class != CKO_NSS_NEWSLOT) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ if (class == CKO_NSS_NEWSLOT && slot->slotID == FIPS_SLOT_ID) {
+ isFIPS = PR_TRUE;
+ }
+ attribute = sftk_FindAttribute(object, CKA_NSS_MODULE_SPEC);
+ if (attribute == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ paramString = (char *)attribute->attrib.pValue;
+ crv = sftk_parseParameters(paramString, &paramStrings, isFIPS);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* enforce only one at a time */
+ if (paramStrings.token_count != 1) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto loser;
+ }
+
+ slotID = paramStrings.tokens[0].slotID;
+
+ /* stay within the valid ID space */
+ isValidUserSlot = (slotID >= SFTK_MIN_USER_SLOT_ID &&
+ slotID <= SFTK_MAX_USER_SLOT_ID);
+ isValidFIPSUserSlot = (slotID >= SFTK_MIN_FIPS_USER_SLOT_ID &&
+ slotID <= SFTK_MAX_FIPS_USER_SLOT_ID);
+
+ if (class == CKO_NSS_DELSLOT) {
+ if (slot->slotID == slotID) {
+ isValidSlot = isValidUserSlot || isValidFIPSUserSlot;
+ }
+ } else {
+ /* only the crypto or FIPS slots can create new slot objects */
+ if (slot->slotID == NETSCAPE_SLOT_ID) {
+ isValidSlot = isValidUserSlot;
+ moduleIndex = NSC_NON_FIPS_MODULE;
+ } else if (slot->slotID == FIPS_SLOT_ID) {
+ isValidSlot = isValidFIPSUserSlot;
+ moduleIndex = NSC_FIPS_MODULE;
+ }
+ }
+
+ if (!isValidSlot) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto loser;
+ }
+
+ /* unload any existing slot at this id */
+ newSlot = sftk_SlotFromID(slotID, PR_TRUE);
+ if (newSlot && newSlot->present) {
+ crv = SFTK_ShutdownSlot(newSlot);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
+
+ /* if we were just planning on deleting the slot, then do so now */
+ if (class == CKO_NSS_DELSLOT) {
+ /* sort of a unconventional use of this error code, be we are
+ * overusing CKR_ATTRIBUTE_VALUE_INVALID, and it does apply */
+ crv = newSlot ? CKR_OK : CKR_SLOT_ID_INVALID;
+ goto loser; /* really exit */
+ }
+
+ if (newSlot) {
+ crv = SFTK_SlotReInit(newSlot, paramStrings.configdir,
+ paramStrings.updatedir, paramStrings.updateID,
+ &paramStrings.tokens[0], moduleIndex);
+ } else {
+ crv = SFTK_SlotInit(paramStrings.configdir,
+ paramStrings.updatedir, paramStrings.updateID,
+ &paramStrings.tokens[0], moduleIndex);
+ }
+
+loser:
+ sftk_freeParams(&paramStrings);
+ sftk_FreeAttribute(attribute);
+
+ return crv;
+}
+
+/* NSC_CreateObject creates a new object. */
+CK_RV
+NSC_CreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phObject)
+{
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SFTKSession *session;
+ SFTKObject *object;
+ /* make sure class isn't randomly CKO_NSS_NEWSLOT or
+ * CKO_NETSCPE_DELSLOT. */
+ CK_OBJECT_CLASS class = CKO_VENDOR_DEFINED;
+ CK_RV crv;
+ int i;
+
+ CHECK_FORK();
+
+ *phObject = CK_INVALID_HANDLE;
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ object = sftk_NewObject(slot); /* fill in the handle later */
+ if (object == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ object->isFIPS = PR_FALSE; /* if we created the object on the fly,
+ * it's not a FIPS object */
+
+ /*
+ * load the template values into the object
+ */
+ for (i = 0; i < (int)ulCount; i++) {
+ crv = sftk_AddAttributeType(object, sftk_attr_expand(&pTemplate[i]));
+ if (crv != CKR_OK) {
+ sftk_FreeObject(object);
+ return crv;
+ }
+ if ((pTemplate[i].type == CKA_CLASS) && pTemplate[i].pValue) {
+ class = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+ }
+ }
+
+ /* get the session */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ sftk_FreeObject(object);
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ /*
+ * handle pseudo objects (CKO_NEWSLOT)
+ */
+ if ((class == CKO_NSS_NEWSLOT) || (class == CKO_NSS_DELSLOT)) {
+ crv = sftk_CreateNewSlot(slot, class, object);
+ goto done;
+ }
+
+ /*
+ * handle the base object stuff
+ */
+ crv = sftk_handleObject(object, session);
+ *phObject = object->handle;
+done:
+ sftk_FreeSession(session);
+ sftk_FreeObject(object);
+
+ return crv;
+}
+
+/* NSC_CopyObject copies an object, creating a new object for the copy. */
+CK_RV
+NSC_CopyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phNewObject)
+{
+ SFTKObject *destObject, *srcObject;
+ SFTKSession *session;
+ CK_RV crv = CKR_OK;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ int i;
+
+ CHECK_FORK();
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /* Get srcObject so we can find the class */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ srcObject = sftk_ObjectFromHandle(hObject, session);
+ if (srcObject == NULL) {
+ sftk_FreeSession(session);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ /*
+ * create an object to hang the attributes off of
+ */
+ destObject = sftk_NewObject(slot); /* fill in the handle later */
+ if (destObject == NULL) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(srcObject);
+ return CKR_HOST_MEMORY;
+ }
+
+ /*
+ * load the template values into the object
+ */
+ for (i = 0; i < (int)ulCount; i++) {
+ if (sftk_modifyType(pTemplate[i].type, srcObject->objclass) == SFTK_NEVER) {
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ break;
+ }
+ crv = sftk_AddAttributeType(destObject, sftk_attr_expand(&pTemplate[i]));
+ if (crv != CKR_OK) {
+ break;
+ }
+ }
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(srcObject);
+ sftk_FreeObject(destObject);
+ return crv;
+ }
+
+ /* sensitive can only be changed to CK_TRUE */
+ if (sftk_hasAttribute(destObject, CKA_SENSITIVE)) {
+ if (!sftk_isTrue(destObject, CKA_SENSITIVE)) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(srcObject);
+ sftk_FreeObject(destObject);
+ return CKR_ATTRIBUTE_READ_ONLY;
+ }
+ }
+
+ /*
+ * now copy the old attributes from the new attributes
+ */
+ /* don't create a token object if we aren't in a rw session */
+ /* we need to hold the lock to copy a consistant version of
+ * the object. */
+ crv = sftk_CopyObject(destObject, srcObject);
+
+ destObject->objclass = srcObject->objclass;
+ sftk_FreeObject(srcObject);
+ if (crv != CKR_OK) {
+ sftk_FreeObject(destObject);
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ crv = sftk_handleObject(destObject, session);
+ *phNewObject = destObject->handle;
+ sftk_FreeSession(session);
+ sftk_FreeObject(destObject);
+
+ return crv;
+}
+
+/* NSC_GetObjectSize gets the size of an object in bytes. */
+CK_RV
+NSC_GetObjectSize(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize)
+{
+ CHECK_FORK();
+
+ *pulSize = 0;
+ return CKR_OK;
+}
+
+static CK_RV
+nsc_GetTokenAttributeValue(SFTKSession *session, CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+ SFTKSlot *slot = sftk_SlotFromSession(session);
+ SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, hObject);
+ SFTKDBHandle *keydb = NULL;
+ CK_RV crv;
+
+ if (dbHandle == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ crv = sftkdb_GetAttributeValue(dbHandle, hObject, pTemplate, ulCount);
+
+ /* make sure we don't export any sensitive information */
+ keydb = sftk_getKeyDB(slot);
+ if (dbHandle == keydb) {
+ CK_ULONG i;
+ for (i = 0; i < ulCount; i++) {
+ if (sftk_isSensitive(pTemplate[i].type, CKO_PRIVATE_KEY)) {
+ crv = CKR_ATTRIBUTE_SENSITIVE;
+ if (pTemplate[i].pValue && (pTemplate[i].ulValueLen != -1)) {
+ PORT_Memset(pTemplate[i].pValue, 0,
+ pTemplate[i].ulValueLen);
+ }
+ pTemplate[i].ulValueLen = -1;
+ }
+ }
+ }
+
+ sftk_freeDB(dbHandle);
+ if (keydb) {
+ sftk_freeDB(keydb);
+ }
+ return crv;
+}
+
+/* NSC_GetAttributeValue obtains the value of one or more object attributes. */
+CK_RV
+NSC_GetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SFTKSession *session;
+ SFTKObject *object;
+ SFTKAttribute *attribute;
+ PRBool sensitive, isLoggedIn, needLogin;
+ CK_RV crv;
+ int i;
+
+ CHECK_FORK();
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * make sure we're allowed
+ */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ /* short circuit everything for token objects */
+ if (sftk_isToken(hObject)) {
+ crv = nsc_GetTokenAttributeValue(session, hObject, pTemplate, ulCount);
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ /* handle the session object */
+ object = sftk_ObjectFromHandle(hObject, session);
+ sftk_FreeSession(session);
+ if (object == NULL) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ PZ_Lock(slot->slotLock);
+ isLoggedIn = slot->isLoggedIn;
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+
+ /* don't read a private object if we aren't logged in */
+ if (!isLoggedIn && needLogin && sftk_isTrue(object, CKA_PRIVATE)) {
+ sftk_FreeObject(object);
+ return CKR_USER_NOT_LOGGED_IN;
+ }
+
+ crv = CKR_OK;
+ sensitive = sftk_isTrue(object, CKA_SENSITIVE);
+ for (i = 0; i < (int)ulCount; i++) {
+ /* Make sure that this attribute is retrievable */
+ if (sensitive && sftk_isSensitive(pTemplate[i].type, object->objclass)) {
+ crv = CKR_ATTRIBUTE_SENSITIVE;
+ pTemplate[i].ulValueLen = -1;
+ continue;
+ }
+ attribute = sftk_FindAttribute(object, pTemplate[i].type);
+ if (attribute == NULL) {
+ crv = CKR_ATTRIBUTE_TYPE_INVALID;
+ pTemplate[i].ulValueLen = -1;
+ continue;
+ }
+ if (pTemplate[i].pValue != NULL) {
+ PORT_Memcpy(pTemplate[i].pValue, attribute->attrib.pValue,
+ attribute->attrib.ulValueLen);
+ }
+ pTemplate[i].ulValueLen = attribute->attrib.ulValueLen;
+ sftk_FreeAttribute(attribute);
+ }
+
+ sftk_FreeObject(object);
+ return crv;
+}
+
+/* NSC_SetAttributeValue modifies the value of one or more object attributes */
+CK_RV
+NSC_SetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SFTKSession *session;
+ SFTKAttribute *attribute;
+ SFTKObject *object;
+ PRBool isToken, isLoggedIn, needLogin;
+ CK_RV crv = CKR_OK;
+ CK_BBOOL legal;
+ int i;
+
+ CHECK_FORK();
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * make sure we're allowed
+ */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ object = sftk_ObjectFromHandle(hObject, session);
+ if (object == NULL) {
+ sftk_FreeSession(session);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ PZ_Lock(slot->slotLock);
+ isLoggedIn = slot->isLoggedIn;
+ needLogin = slot->needLogin;
+ PZ_Unlock(slot->slotLock);
+
+ /* don't modify a private object if we aren't logged in */
+ if (!isLoggedIn && needLogin && sftk_isTrue(object, CKA_PRIVATE)) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(object);
+ return CKR_USER_NOT_LOGGED_IN;
+ }
+
+ /* don't modify a token object if we aren't in a rw session */
+ isToken = sftk_isTrue(object, CKA_TOKEN);
+ if (((session->info.flags & CKF_RW_SESSION) == 0) && isToken) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(object);
+ return CKR_SESSION_READ_ONLY;
+ }
+ sftk_FreeSession(session);
+
+ /* only change modifiable objects */
+ if (!sftk_isTrue(object, CKA_MODIFIABLE)) {
+ sftk_FreeObject(object);
+ return CKR_ATTRIBUTE_READ_ONLY;
+ }
+
+ for (i = 0; i < (int)ulCount; i++) {
+ /* Make sure that this attribute is changeable */
+ switch (sftk_modifyType(pTemplate[i].type, object->objclass)) {
+ case SFTK_NEVER:
+ case SFTK_ONCOPY:
+ default:
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ break;
+
+ case SFTK_SENSITIVE:
+ legal = (pTemplate[i].type == CKA_EXTRACTABLE) ? CK_FALSE : CK_TRUE;
+ if ((*(CK_BBOOL *)pTemplate[i].pValue) != legal) {
+ crv = CKR_ATTRIBUTE_READ_ONLY;
+ }
+ break;
+ case SFTK_ALWAYS:
+ break;
+ }
+ if (crv != CKR_OK)
+ break;
+
+ /* find the old attribute */
+ attribute = sftk_FindAttribute(object, pTemplate[i].type);
+ if (attribute == NULL) {
+ crv = CKR_ATTRIBUTE_TYPE_INVALID;
+ break;
+ }
+ sftk_FreeAttribute(attribute);
+ crv = sftk_forceAttribute(object, sftk_attr_expand(&pTemplate[i]));
+ if (crv != CKR_OK)
+ break;
+ }
+
+ sftk_FreeObject(object);
+ return crv;
+}
+
+static CK_RV
+sftk_expandSearchList(SFTKSearchResults *search, int count)
+{
+ search->array_size += count;
+ search->handles = (CK_OBJECT_HANDLE *)PORT_Realloc(search->handles,
+ sizeof(CK_OBJECT_HANDLE) * search->array_size);
+ return search->handles ? CKR_OK : CKR_HOST_MEMORY;
+}
+
+static CK_RV
+sftk_searchDatabase(SFTKDBHandle *handle, SFTKSearchResults *search,
+ const CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+ CK_RV crv;
+ int objectListSize = search->array_size - search->size;
+ CK_OBJECT_HANDLE *array = &search->handles[search->size];
+ SDBFind *find;
+ CK_ULONG count;
+
+ crv = sftkdb_FindObjectsInit(handle, pTemplate, ulCount, &find);
+ if (crv != CKR_OK)
+ return crv;
+ do {
+ crv = sftkdb_FindObjects(handle, find, array, objectListSize, &count);
+ if ((crv != CKR_OK) || (count == 0))
+ break;
+ search->size += count;
+ objectListSize -= count;
+ if (objectListSize > 0)
+ break;
+ crv = sftk_expandSearchList(search, NSC_SEARCH_BLOCK_SIZE);
+ objectListSize = NSC_SEARCH_BLOCK_SIZE;
+ array = &search->handles[search->size];
+ } while (crv == CKR_OK);
+ sftkdb_FindObjectsFinal(handle, find);
+
+ return crv;
+}
+
+/* softoken used to search the SMimeEntries automatically instead of
+ * doing this in pk11wrap. This code should really be up in
+ * pk11wrap so that it will work with other tokens other than softoken.
+ */
+CK_RV
+sftk_emailhack(SFTKSlot *slot, SFTKDBHandle *handle,
+ SFTKSearchResults *search, CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount)
+{
+ PRBool isCert = PR_FALSE;
+ int emailIndex = -1;
+ unsigned int i;
+ SFTKSearchResults smime_search;
+ CK_ATTRIBUTE smime_template[2];
+ CK_OBJECT_CLASS smime_class = CKO_NSS_SMIME;
+ SFTKAttribute *attribute = NULL;
+ SFTKObject *object = NULL;
+ CK_RV crv = CKR_OK;
+
+ smime_search.handles = NULL; /* paranoia, some one is bound to add a goto
+ * loser before this gets initialized */
+
+ /* see if we are looking for email certs */
+ for (i = 0; i < ulCount; i++) {
+ if (pTemplate[i].type == CKA_CLASS) {
+ if ((pTemplate[i].ulValueLen != sizeof(CK_OBJECT_CLASS) ||
+ (*(CK_OBJECT_CLASS *)pTemplate[i].pValue) != CKO_CERTIFICATE)) {
+ /* not a cert, skip out */
+ break;
+ }
+ isCert = PR_TRUE;
+ } else if (pTemplate[i].type == CKA_NSS_EMAIL) {
+ emailIndex = i;
+ }
+ if (isCert && (emailIndex != -1))
+ break;
+ }
+
+ if (!isCert || (emailIndex == -1)) {
+ return CKR_OK;
+ }
+
+ /* we are doing a cert and email search, find the SMimeEntry */
+ smime_template[0].type = CKA_CLASS;
+ smime_template[0].pValue = &smime_class;
+ smime_template[0].ulValueLen = sizeof(smime_class);
+ smime_template[1] = pTemplate[emailIndex];
+
+ smime_search.handles = (CK_OBJECT_HANDLE *)
+ PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE);
+ if (smime_search.handles == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ smime_search.index = 0;
+ smime_search.size = 0;
+ smime_search.array_size = NSC_SEARCH_BLOCK_SIZE;
+
+ crv = sftk_searchDatabase(handle, &smime_search, smime_template, 2);
+ if (crv != CKR_OK || smime_search.size == 0) {
+ goto loser;
+ }
+
+ /* get the SMime subject */
+ object = sftk_NewTokenObject(slot, NULL, smime_search.handles[0]);
+ if (object == NULL) {
+ crv = CKR_HOST_MEMORY; /* is there any other reason for this failure? */
+ goto loser;
+ }
+ attribute = sftk_FindAttribute(object, CKA_SUBJECT);
+ if (attribute == NULL) {
+ crv = CKR_ATTRIBUTE_TYPE_INVALID;
+ goto loser;
+ }
+
+ /* now find the certs with that subject */
+ pTemplate[emailIndex] = attribute->attrib;
+ /* now add the appropriate certs to the search list */
+ crv = sftk_searchDatabase(handle, search, pTemplate, ulCount);
+ pTemplate[emailIndex] = smime_template[1]; /* restore the user's template*/
+
+loser:
+ if (attribute) {
+ sftk_FreeAttribute(attribute);
+ }
+ if (object) {
+ sftk_FreeObject(object);
+ }
+ if (smime_search.handles) {
+ PORT_Free(smime_search.handles);
+ }
+
+ return crv;
+}
+
+static void
+sftk_pruneSearch(CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount,
+ PRBool *searchCertDB, PRBool *searchKeyDB)
+{
+ CK_ULONG i;
+
+ *searchCertDB = PR_TRUE;
+ *searchKeyDB = PR_TRUE;
+ for (i = 0; i < ulCount; i++) {
+ if (pTemplate[i].type == CKA_CLASS && pTemplate[i].pValue != NULL) {
+ CK_OBJECT_CLASS class = *((CK_OBJECT_CLASS *)pTemplate[i].pValue);
+ if (class == CKO_PRIVATE_KEY || class == CKO_SECRET_KEY) {
+ *searchCertDB = PR_FALSE;
+ } else {
+ *searchKeyDB = PR_FALSE;
+ }
+ break;
+ }
+ }
+}
+
+static CK_RV
+sftk_searchTokenList(SFTKSlot *slot, SFTKSearchResults *search,
+ CK_ATTRIBUTE *pTemplate, CK_ULONG ulCount,
+ PRBool isLoggedIn)
+{
+ CK_RV crv = CKR_OK;
+ CK_RV crv2;
+ PRBool searchCertDB;
+ PRBool searchKeyDB;
+
+ sftk_pruneSearch(pTemplate, ulCount, &searchCertDB, &searchKeyDB);
+
+ if (searchCertDB) {
+ SFTKDBHandle *certHandle = sftk_getCertDB(slot);
+ crv = sftk_searchDatabase(certHandle, search, pTemplate, ulCount);
+ crv2 = sftk_emailhack(slot, certHandle, search, pTemplate, ulCount);
+ if (crv == CKR_OK)
+ crv = crv2;
+ sftk_freeDB(certHandle);
+ }
+
+ if (crv == CKR_OK && isLoggedIn && searchKeyDB) {
+ SFTKDBHandle *keyHandle = sftk_getKeyDB(slot);
+ crv = sftk_searchDatabase(keyHandle, search, pTemplate, ulCount);
+ sftk_freeDB(keyHandle);
+ }
+ return crv;
+}
+
+/* NSC_FindObjectsInit initializes a search for token and session objects
+ * that match a template. */
+CK_RV
+NSC_FindObjectsInit(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount)
+{
+ SFTKSearchResults *search = NULL, *freeSearch = NULL;
+ SFTKSession *session = NULL;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ CK_RV crv = CKR_OK;
+ PRBool isLoggedIn;
+
+ CHECK_FORK();
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ crv = CKR_SESSION_HANDLE_INVALID;
+ goto loser;
+ }
+
+ search = (SFTKSearchResults *)PORT_Alloc(sizeof(SFTKSearchResults));
+ if (search == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ search->handles = (CK_OBJECT_HANDLE *)
+ PORT_Alloc(sizeof(CK_OBJECT_HANDLE) * NSC_SEARCH_BLOCK_SIZE);
+ if (search->handles == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ search->index = 0;
+ search->size = 0;
+ search->array_size = NSC_SEARCH_BLOCK_SIZE;
+
+ PZ_Lock(slot->slotLock);
+ isLoggedIn = (PRBool)((!slot->needLogin) || slot->isLoggedIn);
+ PZ_Unlock(slot->slotLock);
+
+ crv = sftk_searchTokenList(slot, search, pTemplate, ulCount, isLoggedIn);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* build list of found objects in the session */
+ crv = sftk_searchObjectList(search, slot->sessObjHashTable,
+ slot->sessObjHashSize, slot->objectLock,
+ pTemplate, ulCount, isLoggedIn);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ if ((freeSearch = session->search) != NULL) {
+ session->search = NULL;
+ sftk_FreeSearch(freeSearch);
+ }
+ session->search = search;
+ sftk_FreeSession(session);
+ return CKR_OK;
+
+loser:
+ if (search) {
+ sftk_FreeSearch(search);
+ }
+ if (session) {
+ sftk_FreeSession(session);
+ }
+ return crv;
+}
+
+/* NSC_FindObjects continues a search for token and session objects
+ * that match a template, obtaining additional object handles. */
+CK_RV
+NSC_FindObjects(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE_PTR phObject, CK_ULONG ulMaxObjectCount,
+ CK_ULONG_PTR pulObjectCount)
+{
+ SFTKSession *session;
+ SFTKSearchResults *search;
+ int transfer;
+ int left;
+
+ CHECK_FORK();
+
+ *pulObjectCount = 0;
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ if (session->search == NULL) {
+ sftk_FreeSession(session);
+ return CKR_OK;
+ }
+ search = session->search;
+ left = session->search->size - session->search->index;
+ transfer = ((int)ulMaxObjectCount > left) ? left : ulMaxObjectCount;
+ if (transfer > 0) {
+ PORT_Memcpy(phObject, &search->handles[search->index],
+ transfer * sizeof(CK_OBJECT_HANDLE));
+ } else {
+ *phObject = CK_INVALID_HANDLE;
+ }
+
+ search->index += transfer;
+ if (search->index == search->size) {
+ session->search = NULL;
+ sftk_FreeSearch(search);
+ }
+ *pulObjectCount = transfer;
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_FindObjectsFinal finishes a search for token and session objects. */
+CK_RV
+NSC_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+ SFTKSession *session;
+ SFTKSearchResults *search;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ search = session->search;
+ session->search = NULL;
+ sftk_FreeSession(session);
+ if (search != NULL) {
+ sftk_FreeSearch(search);
+ }
+ return CKR_OK;
+}
+
+CK_RV
+NSC_WaitForSlotEvent(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot,
+ CK_VOID_PTR pReserved)
+{
+ CHECK_FORK();
+
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+static CK_RV
+nsc_NSSGetFIPSStatus(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ULONG ulOperationType,
+ CK_ULONG *pulFIPSStatus)
+{
+ CK_ULONG sessionState = CKS_NSS_UNINITIALIZED;
+ CK_ULONG objectState = CKS_NSS_UNINITIALIZED;
+ PRBool needSession = PR_FALSE;
+ PRBool needObject = PR_FALSE;
+ SFTKSession *session;
+ SFTKObject *object;
+
+ *pulFIPSStatus = CKS_NSS_FIPS_NOT_OK;
+
+ /* first determine what we need to look up */
+ switch (ulOperationType) {
+ case CKT_NSS_SESSION_CHECK:
+ case CKT_NSS_SESSION_LAST_CHECK:
+ needSession = PR_TRUE;
+ needObject = PR_FALSE;
+ break;
+ case CKT_NSS_OBJECT_CHECK:
+ needSession = PR_FALSE;
+ needObject = PR_TRUE;
+ break;
+ case CKT_NSS_BOTH_CHECK:
+ needSession = PR_TRUE;
+ needObject = PR_TRUE;
+ break;
+ default:
+ return CKR_ARGUMENTS_BAD;
+ }
+
+ /* we always need the session handle, the object handle is only
+ * meaningful if there is a session */
+ session = sftk_SessionFromHandle(hSession);
+ if (!session) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ if (needSession) {
+ if (CKT_NSS_SESSION_LAST_CHECK == ulOperationType) {
+ sessionState = session->lastOpWasFIPS ? CKS_NSS_FIPS_OK : CKS_NSS_FIPS_NOT_OK;
+ } else {
+ if (session->enc_context) {
+ sessionState = session->enc_context->isFIPS ? CKS_NSS_FIPS_OK : CKS_NSS_FIPS_NOT_OK;
+ }
+ if (sessionState != CKS_NSS_FIPS_NOT_OK && session->hash_context) {
+ sessionState = session->hash_context->isFIPS ? CKS_NSS_FIPS_OK : CKS_NSS_FIPS_NOT_OK;
+ }
+ /* sessionState is set to CKS_NSS_UNINITIALIZED if neither
+ * context exists */
+ }
+ }
+
+ if (needObject) {
+ object = sftk_ObjectFromHandle(hObject, session);
+ if (!object) {
+ sftk_FreeSession(session);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+ objectState = object->isFIPS ? CKS_NSS_FIPS_OK : CKS_NSS_FIPS_NOT_OK;
+ sftk_FreeObject(object);
+ }
+
+ sftk_FreeSession(session);
+
+ /* If we didn't fetch the state, then it is uninitialized.
+ * The session state can also be uninitialized if there are no active
+ * crypto operations on the session. Turns out the rules for combining
+ * the states are the same whether or not the state was uninitialzed
+ * because we didn't fetch it or because there wasn't a state to fetch.
+ */
+
+ /* if the object State is uninitialized, return the state of the session. */
+ if (objectState == CKS_NSS_UNINITIALIZED) {
+ /* if they are both uninitalized, return CKS_FIPS_NOT_OK */
+ if (sessionState == CKS_NSS_UNINITIALIZED) {
+ /* *pulFIPSStatus already set to CKS_FIPS_NOT_OK */
+ return CKR_OK;
+ }
+ *pulFIPSStatus = sessionState;
+ return CKR_OK;
+ }
+ /* objectState is initialized, if sessionState is uninitialized, we can
+ * just return objectState */
+ if (sessionState == CKS_NSS_UNINITIALIZED) {
+ *pulFIPSStatus = objectState;
+ return CKR_OK;
+ }
+
+ /* they are are not equal, one must be CKS_FIPS_NOT_OK, so we return that
+ * value CKS_FIPS_NOT_OK */
+ if (objectState != sessionState) {
+ /* *pulFIPSStatus already set to CKS_FIPS_NOT_OK */
+ return CKR_OK;
+ }
+
+ /* objectState and sessionState or the same, so we can return either */
+ *pulFIPSStatus = sessionState;
+ return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c
new file mode 100644
index 0000000000..f2cc984a84
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -0,0 +1,8965 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "blapi.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "pkcs1sig.h"
+#include "lowkeyi.h"
+#include "secder.h"
+#include "secdig.h"
+#include "lowpbe.h" /* We do PBE below */
+#include "pkcs11t.h"
+#include "secoid.h"
+#include "cmac.h"
+#include "alghmac.h"
+#include "softoken.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+#include "prprf.h"
+#include "prenv.h"
+
+#define __PASTE(x, y) x##y
+#define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize)
+/*
+ * we renamed all our internal functions, get the correct
+ * definitions for them...
+ */
+#undef CK_PKCS11_FUNCTION_INFO
+#undef CK_NEED_ARG_LIST
+
+#define CK_PKCS11_3_0 1
+
+#define CK_EXTERN extern
+#define CK_PKCS11_FUNCTION_INFO(func) \
+ CK_RV __PASTE(NS, func)
+#define CK_NEED_ARG_LIST 1
+
+#include "pkcs11f.h"
+
+/* create a definition of SHA1 that's consistent
+ * with the rest of the CKM_SHAxxx hashes*/
+#define CKM_SHA1 CKM_SHA_1
+#define CKM_SHA1_HMAC CKM_SHA_1_HMAC
+#define CKM_SHA1_HMAC_GENERAL CKM_SHA_1_HMAC_GENERAL
+
+typedef struct {
+ PRUint8 client_version[2];
+ PRUint8 random[46];
+} SSL3RSAPreMasterSecret;
+
+static void
+sftk_Null(void *data, PRBool freeit)
+{
+ return;
+}
+
+#ifdef EC_DEBUG
+#define SEC_PRINT(str1, str2, num, sitem) \
+ printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
+ str1, str2, num, sitem->len); \
+ for (i = 0; i < sitem->len; i++) { \
+ printf("%02x:", sitem->data[i]); \
+ } \
+ printf("\n")
+#else
+#undef EC_DEBUG
+#define SEC_PRINT(a, b, c, d)
+#endif
+
+/*
+ * free routines.... Free local type allocated data, and convert
+ * other free routines to the destroy signature.
+ */
+static void
+sftk_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)
+{
+ nsslowkey_DestroyPrivateKey(key);
+}
+
+static void
+sftk_Space(void *data, PRBool freeit)
+{
+ PORT_Free(data);
+}
+
+static void
+sftk_ZSpace(void *data, PRBool freeit)
+{
+ size_t len = *(size_t *)data;
+ PORT_ZFree(data, len);
+}
+
+/*
+ * turn a CDMF key into a des key. CDMF is an old IBM scheme to export DES by
+ * Deprecating a full des key to 40 bit key strenth.
+ */
+static CK_RV
+sftk_cdmf2des(unsigned char *cdmfkey, unsigned char *deskey)
+{
+ unsigned char key1[8] = { 0xc4, 0x08, 0xb0, 0x54, 0x0b, 0xa1, 0xe0, 0xae };
+ unsigned char key2[8] = { 0xef, 0x2c, 0x04, 0x1c, 0xe6, 0x38, 0x2f, 0xe6 };
+ unsigned char enc_src[8];
+ unsigned char enc_dest[8];
+ unsigned int leng, i;
+ DESContext *descx;
+ SECStatus rv;
+ CK_RV crv = CKR_OK;
+
+ /* zero the parity bits */
+ for (i = 0; i < 8; i++) {
+ enc_src[i] = cdmfkey[i] & 0xfe;
+ }
+
+ /* encrypt with key 1 */
+ descx = DES_CreateContext(key1, NULL, NSS_DES, PR_TRUE);
+ if (descx == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ rv = DES_Encrypt(descx, enc_dest, &leng, 8, enc_src, 8);
+ DES_DestroyContext(descx, PR_TRUE);
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ goto done;
+ }
+
+ /* xor source with des, zero the parity bits and deprecate the key*/
+ for (i = 0; i < 8; i++) {
+ if (i & 1) {
+ enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0xfe;
+ } else {
+ enc_src[i] = (enc_src[i] ^ enc_dest[i]) & 0x0e;
+ }
+ }
+
+ /* encrypt with key 2 */
+ descx = DES_CreateContext(key2, NULL, NSS_DES, PR_TRUE);
+ if (descx == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ rv = DES_Encrypt(descx, deskey, &leng, 8, enc_src, 8);
+ DES_DestroyContext(descx, PR_TRUE);
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ goto done;
+ }
+
+ /* set the corret parity on our new des key */
+ sftk_FormatDESKey(deskey, 8);
+done:
+ PORT_Memset(enc_src, 0, sizeof enc_src);
+ PORT_Memset(enc_dest, 0, sizeof enc_dest);
+ return crv;
+}
+
+/* NSC_DestroyObject destroys an object. */
+CK_RV
+NSC_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SFTKSession *session;
+ SFTKObject *object;
+ SFTKFreeStatus status;
+
+ CHECK_FORK();
+
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * This whole block just makes sure we really can destroy the
+ * requested object.
+ */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ object = sftk_ObjectFromHandle(hObject, session);
+ if (object == NULL) {
+ sftk_FreeSession(session);
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ /* don't destroy a private object if we aren't logged in */
+ if ((!slot->isLoggedIn) && (slot->needLogin) &&
+ (sftk_isTrue(object, CKA_PRIVATE))) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(object);
+ return CKR_USER_NOT_LOGGED_IN;
+ }
+
+ /* don't destroy a token object if we aren't in a rw session */
+
+ if (((session->info.flags & CKF_RW_SESSION) == 0) &&
+ (sftk_isTrue(object, CKA_TOKEN))) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(object);
+ return CKR_SESSION_READ_ONLY;
+ }
+
+ sftk_DeleteObject(session, object);
+
+ sftk_FreeSession(session);
+
+ /*
+ * get some indication if the object is destroyed. Note: this is not
+ * 100%. Someone may have an object reference outstanding (though that
+ * should not be the case by here. Also note that the object is "half"
+ * destroyed. Our internal representation is destroyed, but it may still
+ * be in the data base.
+ */
+ status = sftk_FreeObject(object);
+
+ return (status != SFTK_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR;
+}
+
+/*
+ * Returns true if "params" contains a valid set of PSS parameters
+ */
+static PRBool
+sftk_ValidatePssParams(const CK_RSA_PKCS_PSS_PARAMS *params)
+{
+ if (!params) {
+ return PR_FALSE;
+ }
+ if (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL ||
+ sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+}
+
+/*
+ * Returns true if "params" contains a valid set of OAEP parameters
+ */
+static PRBool
+sftk_ValidateOaepParams(const CK_RSA_PKCS_OAEP_PARAMS *params)
+{
+ if (!params) {
+ return PR_FALSE;
+ }
+ /* The requirements of ulSourceLen/pSourceData come from PKCS #11, which
+ * state:
+ * If the parameter is empty, pSourceData must be NULL and
+ * ulSourceDataLen must be zero.
+ */
+ if (params->source != CKZ_DATA_SPECIFIED ||
+ (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL) ||
+ (sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) ||
+ (params->ulSourceDataLen == 0 && params->pSourceData != NULL) ||
+ (params->ulSourceDataLen != 0 && params->pSourceData == NULL)) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+}
+
+/*
+ * return a context based on the SFTKContext type.
+ */
+SFTKSessionContext *
+sftk_ReturnContextByType(SFTKSession *session, SFTKContextType type)
+{
+ switch (type) {
+ case SFTK_ENCRYPT:
+ case SFTK_DECRYPT:
+ case SFTK_MESSAGE_ENCRYPT:
+ case SFTK_MESSAGE_DECRYPT:
+ return session->enc_context;
+ case SFTK_HASH:
+ return session->hash_context;
+ case SFTK_SIGN:
+ case SFTK_SIGN_RECOVER:
+ case SFTK_VERIFY:
+ case SFTK_VERIFY_RECOVER:
+ case SFTK_MESSAGE_SIGN:
+ case SFTK_MESSAGE_VERIFY:
+ return session->hash_context;
+ }
+ return NULL;
+}
+
+/*
+ * change a context based on the SFTKContext type.
+ */
+void
+sftk_SetContextByType(SFTKSession *session, SFTKContextType type,
+ SFTKSessionContext *context)
+{
+ switch (type) {
+ case SFTK_ENCRYPT:
+ case SFTK_DECRYPT:
+ case SFTK_MESSAGE_ENCRYPT:
+ case SFTK_MESSAGE_DECRYPT:
+ session->enc_context = context;
+ break;
+ case SFTK_HASH:
+ session->hash_context = context;
+ break;
+ case SFTK_SIGN:
+ case SFTK_SIGN_RECOVER:
+ case SFTK_VERIFY:
+ case SFTK_VERIFY_RECOVER:
+ case SFTK_MESSAGE_SIGN:
+ case SFTK_MESSAGE_VERIFY:
+ session->hash_context = context;
+ break;
+ }
+ return;
+}
+
+/*
+ * code to grab the context. Needed by every C_XXXUpdate, C_XXXFinal,
+ * and C_XXX function. The function takes a session handle, the context type,
+ * and wether or not the session needs to be multipart. It returns the context,
+ * and optionally returns the session pointer (if sessionPtr != NULL) if session
+ * pointer is returned, the caller is responsible for freeing it.
+ */
+CK_RV
+sftk_GetContext(CK_SESSION_HANDLE handle, SFTKSessionContext **contextPtr,
+ SFTKContextType type, PRBool needMulti, SFTKSession **sessionPtr)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+
+ session = sftk_SessionFromHandle(handle);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ context = sftk_ReturnContextByType(session, type);
+ /* make sure the context is valid */
+ if ((context == NULL) || (context->type != type) || (needMulti && !(context->multi))) {
+ sftk_FreeSession(session);
+ return CKR_OPERATION_NOT_INITIALIZED;
+ }
+ *contextPtr = context;
+ if (sessionPtr != NULL) {
+ *sessionPtr = session;
+ } else {
+ sftk_FreeSession(session);
+ }
+ return CKR_OK;
+}
+
+/** Terminate operation (in the PKCS#11 spec sense).
+ * Intuitive name for FreeContext/SetNullContext pair.
+ */
+void
+sftk_TerminateOp(SFTKSession *session, SFTKContextType ctype,
+ SFTKSessionContext *context)
+{
+ session->lastOpWasFIPS = context->isFIPS;
+ sftk_FreeContext(context);
+ sftk_SetContextByType(session, ctype, NULL);
+}
+
+/*
+ ************** Crypto Functions: Encrypt ************************
+ */
+
+/*
+ * All the NSC_InitXXX functions have a set of common checks and processing they
+ * all need to do at the beginning. This is done here.
+ */
+CK_RV
+sftk_InitGeneric(SFTKSession *session, CK_MECHANISM *pMechanism,
+ SFTKSessionContext **contextPtr,
+ SFTKContextType ctype, SFTKObject **keyPtr,
+ CK_OBJECT_HANDLE hKey, CK_KEY_TYPE *keyTypePtr,
+ CK_OBJECT_CLASS pubKeyType, CK_ATTRIBUTE_TYPE operation)
+{
+ SFTKObject *key = NULL;
+ SFTKAttribute *att;
+ SFTKSessionContext *context;
+
+ /* We can only init if there is not current context active */
+ if (sftk_ReturnContextByType(session, ctype) != NULL) {
+ return CKR_OPERATION_ACTIVE;
+ }
+
+ /* find the key */
+ if (keyPtr) {
+ key = sftk_ObjectFromHandle(hKey, session);
+ if (key == NULL) {
+ return CKR_KEY_HANDLE_INVALID;
+ }
+
+ /* make sure it's a valid key for this operation */
+ if (((key->objclass != CKO_SECRET_KEY) &&
+ (key->objclass != pubKeyType)) ||
+ !sftk_isTrue(key, operation)) {
+ sftk_FreeObject(key);
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ /* get the key type */
+ att = sftk_FindAttribute(key, CKA_KEY_TYPE);
+ if (att == NULL) {
+ sftk_FreeObject(key);
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ PORT_Assert(att->attrib.ulValueLen == sizeof(CK_KEY_TYPE));
+ if (att->attrib.ulValueLen != sizeof(CK_KEY_TYPE)) {
+ sftk_FreeAttribute(att);
+ sftk_FreeObject(key);
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ PORT_Memcpy(keyTypePtr, att->attrib.pValue, sizeof(CK_KEY_TYPE));
+ sftk_FreeAttribute(att);
+ *keyPtr = key;
+ }
+
+ /* allocate the context structure */
+ context = (SFTKSessionContext *)PORT_Alloc(sizeof(SFTKSessionContext));
+ if (context == NULL) {
+ if (key)
+ sftk_FreeObject(key);
+ return CKR_HOST_MEMORY;
+ }
+ context->type = ctype;
+ context->multi = PR_TRUE;
+ context->rsa = PR_FALSE;
+ context->cipherInfo = NULL;
+ context->hashInfo = NULL;
+ context->doPad = PR_FALSE;
+ context->padDataLength = 0;
+ context->key = key;
+ context->blockSize = 0;
+ context->maxLen = 0;
+ context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
+ operation, key);
+ *contextPtr = context;
+ return CKR_OK;
+}
+
+static int
+sftk_aes_mode(CK_MECHANISM_TYPE mechanism)
+{
+ switch (mechanism) {
+ case CKM_AES_CBC_PAD:
+ case CKM_AES_CBC:
+ return NSS_AES_CBC;
+ case CKM_AES_ECB:
+ return NSS_AES;
+ case CKM_AES_CTS:
+ return NSS_AES_CTS;
+ case CKM_AES_CTR:
+ return NSS_AES_CTR;
+ case CKM_AES_GCM:
+ return NSS_AES_GCM;
+ }
+ return -1;
+}
+
+static SECStatus
+sftk_RSAEncryptRaw(NSSLOWKEYPublicKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_EncryptRaw(&key->u.rsa, output, outputLen, maxLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+
+ return rv;
+}
+
+static SECStatus
+sftk_RSADecryptRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_DecryptRaw(&key->u.rsa, output, outputLen, maxLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+
+ return rv;
+}
+
+static SECStatus
+sftk_RSAEncrypt(NSSLOWKEYPublicKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_EncryptBlock(&key->u.rsa, output, outputLen, maxLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+
+ return rv;
+}
+
+static SECStatus
+sftk_RSADecrypt(NSSLOWKEYPrivateKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_DecryptBlock(&key->u.rsa, output, outputLen, maxLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+
+ return rv;
+}
+
+static void
+sftk_freeRSAOAEPInfo(SFTKOAEPInfo *info, PRBool freeit)
+{
+ PORT_ZFree(info->params.pSourceData, info->params.ulSourceDataLen);
+ PORT_ZFree(info, sizeof(SFTKOAEPInfo));
+}
+
+static SECStatus
+sftk_RSAEncryptOAEP(SFTKOAEPInfo *info, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+
+ PORT_Assert(info->key.pub->keyType == NSSLOWKEYRSAKey);
+ if (info->key.pub->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg);
+ maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf);
+
+ return RSA_EncryptOAEP(&info->key.pub->u.rsa, hashAlg, maskHashAlg,
+ (const unsigned char *)info->params.pSourceData,
+ info->params.ulSourceDataLen, NULL, 0,
+ output, outputLen, maxLen, input, inputLen);
+}
+
+static SECStatus
+sftk_RSADecryptOAEP(SFTKOAEPInfo *info, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+
+ PORT_Assert(info->key.priv->keyType == NSSLOWKEYRSAKey);
+ if (info->key.priv->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg);
+ maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf);
+
+ rv = RSA_DecryptOAEP(&info->key.priv->u.rsa, hashAlg, maskHashAlg,
+ (const unsigned char *)info->params.pSourceData,
+ info->params.ulSourceDataLen,
+ output, outputLen, maxLen, input, inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return rv;
+}
+
+static SFTKChaCha20Poly1305Info *
+sftk_ChaCha20Poly1305_CreateContext(const unsigned char *key,
+ unsigned int keyLen,
+ const CK_NSS_AEAD_PARAMS *params)
+{
+ SFTKChaCha20Poly1305Info *ctx;
+
+ if (params->ulNonceLen != sizeof(ctx->nonce)) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ return NULL;
+ }
+
+ ctx = PORT_New(SFTKChaCha20Poly1305Info);
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ if (ChaCha20Poly1305_InitContext(&ctx->freeblCtx, key, keyLen,
+ params->ulTagLen) != SECSuccess) {
+ PORT_Free(ctx);
+ return NULL;
+ }
+
+ PORT_Memcpy(ctx->nonce, params->pNonce, sizeof(ctx->nonce));
+
+ /* AAD data and length must both be null, or both non-null. */
+ PORT_Assert((params->pAAD == NULL) == (params->ulAADLen == 0));
+
+ if (params->ulAADLen > sizeof(ctx->ad)) {
+ /* Need to allocate an overflow buffer for the additional data. */
+ ctx->adOverflow = (unsigned char *)PORT_Alloc(params->ulAADLen);
+ if (!ctx->adOverflow) {
+ PORT_Free(ctx);
+ return NULL;
+ }
+ PORT_Memcpy(ctx->adOverflow, params->pAAD, params->ulAADLen);
+ } else {
+ ctx->adOverflow = NULL;
+ if (params->pAAD) {
+ PORT_Memcpy(ctx->ad, params->pAAD, params->ulAADLen);
+ }
+ }
+ ctx->adLen = params->ulAADLen;
+
+ return ctx;
+}
+
+static void
+sftk_ChaCha20Poly1305_DestroyContext(SFTKChaCha20Poly1305Info *ctx,
+ PRBool freeit)
+{
+ ChaCha20Poly1305_DestroyContext(&ctx->freeblCtx, PR_FALSE);
+ if (ctx->adOverflow != NULL) {
+ PORT_ZFree(ctx->adOverflow, ctx->adLen);
+ ctx->adOverflow = NULL;
+ } else {
+ PORT_Memset(ctx->ad, 0, ctx->adLen);
+ }
+ ctx->adLen = 0;
+ if (freeit) {
+ PORT_Free(ctx);
+ }
+}
+
+static SECStatus
+sftk_ChaCha20Poly1305_Encrypt(const SFTKChaCha20Poly1305Info *ctx,
+ unsigned char *output, unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ const unsigned char *ad = ctx->adOverflow;
+
+ if (ad == NULL) {
+ ad = ctx->ad;
+ }
+
+ return ChaCha20Poly1305_Seal(&ctx->freeblCtx, output, outputLen,
+ maxOutputLen, input, inputLen, ctx->nonce,
+ sizeof(ctx->nonce), ad, ctx->adLen);
+}
+
+static SECStatus
+sftk_ChaCha20Poly1305_Decrypt(const SFTKChaCha20Poly1305Info *ctx,
+ unsigned char *output, unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ const unsigned char *ad = ctx->adOverflow;
+
+ if (ad == NULL) {
+ ad = ctx->ad;
+ }
+
+ return ChaCha20Poly1305_Open(&ctx->freeblCtx, output, outputLen,
+ maxOutputLen, input, inputLen, ctx->nonce,
+ sizeof(ctx->nonce), ad, ctx->adLen);
+}
+
+static SECStatus
+sftk_ChaCha20Ctr(const SFTKChaCha20CtrInfo *ctx,
+ unsigned char *output, unsigned int *outputLen,
+ unsigned int maxOutputLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ if (maxOutputLen < inputLen) {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+ ChaCha20_Xor(output, input, inputLen, ctx->key,
+ ctx->nonce, ctx->counter);
+ *outputLen = inputLen;
+ return SECSuccess;
+}
+
+static void
+sftk_ChaCha20Ctr_DestroyContext(SFTKChaCha20CtrInfo *ctx,
+ PRBool freeit)
+{
+ memset(ctx, 0, sizeof(*ctx));
+ if (freeit) {
+ PORT_Free(ctx);
+ }
+}
+
+/** NSC_CryptInit initializes an encryption/Decryption operation.
+ *
+ * Always called by NSC_EncryptInit, NSC_DecryptInit, NSC_WrapKey,NSC_UnwrapKey.
+ * Called by NSC_SignInit, NSC_VerifyInit (via sftk_InitCBCMac) only for block
+ * ciphers MAC'ing.
+ */
+CK_RV
+sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey,
+ CK_ATTRIBUTE_TYPE mechUsage, CK_ATTRIBUTE_TYPE keyUsage,
+ SFTKContextType contextType, PRBool isEncrypt)
+{
+ SFTKSession *session;
+ SFTKObject *key;
+ SFTKSessionContext *context;
+ SFTKAttribute *att;
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ CK_RC2_CBC_PARAMS *rc2_param;
+ unsigned effectiveKeyLength;
+#endif
+#if NSS_SOFTOKEN_DOES_RC5
+ CK_RC5_CBC_PARAMS *rc5_param;
+ SECItem rc5Key;
+#endif
+ CK_NSS_GCM_PARAMS nss_gcm_param;
+ void *aes_param;
+ CK_NSS_AEAD_PARAMS nss_aead_params;
+ CK_NSS_AEAD_PARAMS *nss_aead_params_ptr = NULL;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+ unsigned char newdeskey[24];
+ PRBool useNewKey = PR_FALSE;
+ int t;
+
+ if (!pMechanism) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ crv = sftk_MechAllowsOperation(pMechanism->mechanism, mechUsage);
+ if (crv != CKR_OK)
+ return crv;
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+
+ crv = sftk_InitGeneric(session, pMechanism, &context, contextType, &key,
+ hKey, &key_type,
+ isEncrypt ? CKO_PUBLIC_KEY : CKO_PRIVATE_KEY,
+ keyUsage);
+
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ context->doPad = PR_FALSE;
+ switch (pMechanism->mechanism) {
+ case CKM_RSA_PKCS:
+ case CKM_RSA_X_509:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->multi = PR_FALSE;
+ context->rsa = PR_TRUE;
+ if (isEncrypt) {
+ NSSLOWKEYPublicKey *pubKey = sftk_GetPubKey(key, CKK_RSA, &crv);
+ if (pubKey == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->maxLen = nsslowkey_PublicModulusLen(pubKey);
+ context->cipherInfo = (void *)pubKey;
+ context->update = (SFTKCipher)(pMechanism->mechanism == CKM_RSA_X_509
+ ? sftk_RSAEncryptRaw
+ : sftk_RSAEncrypt);
+ } else {
+ NSSLOWKEYPrivateKey *privKey = sftk_GetPrivKey(key, CKK_RSA, &crv);
+ if (privKey == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->maxLen = nsslowkey_PrivateModulusLen(privKey);
+ context->cipherInfo = (void *)privKey;
+ context->update = (SFTKCipher)(pMechanism->mechanism == CKM_RSA_X_509
+ ? sftk_RSADecryptRaw
+ : sftk_RSADecrypt);
+ }
+ context->destroy = sftk_Null;
+ break;
+ case CKM_RSA_PKCS_OAEP:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_OAEP_PARAMS) ||
+ !sftk_ValidateOaepParams((CK_RSA_PKCS_OAEP_PARAMS *)pMechanism->pParameter)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ context->multi = PR_FALSE;
+ context->rsa = PR_TRUE;
+ {
+ SFTKOAEPInfo *info;
+ CK_RSA_PKCS_OAEP_PARAMS *params =
+ (CK_RSA_PKCS_OAEP_PARAMS *)pMechanism->pParameter;
+ /* make a copy of the source data value for future
+ * use (once the user has reclaimed his data in pParameter)*/
+ void *newSource = NULL;
+ if (params->pSourceData) {
+ newSource = PORT_Alloc(params->ulSourceDataLen);
+ if (newSource == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ PORT_Memcpy(newSource, params->pSourceData, params->ulSourceDataLen);
+ }
+ info = PORT_New(SFTKOAEPInfo);
+ if (info == NULL) {
+ PORT_ZFree(newSource, params->ulSourceDataLen);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ info->params = *params;
+ info->params.pSourceData = newSource;
+ info->isEncrypt = isEncrypt;
+
+ /* now setup encryption and decryption contexts */
+ if (isEncrypt) {
+ info->key.pub = sftk_GetPubKey(key, CKK_RSA, &crv);
+ if (info->key.pub == NULL) {
+ sftk_freeRSAOAEPInfo(info, PR_TRUE);
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->update = (SFTKCipher)sftk_RSAEncryptOAEP;
+ context->maxLen = nsslowkey_PublicModulusLen(info->key.pub);
+ } else {
+ info->key.priv = sftk_GetPrivKey(key, CKK_RSA, &crv);
+ if (info->key.priv == NULL) {
+ sftk_freeRSAOAEPInfo(info, PR_TRUE);
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->update = (SFTKCipher)sftk_RSADecryptOAEP;
+ context->maxLen = nsslowkey_PrivateModulusLen(info->key.priv);
+ }
+ context->cipherInfo = info;
+ }
+ context->destroy = (SFTKDestroy)sftk_freeRSAOAEPInfo;
+ break;
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case CKM_RC2_CBC_PAD:
+ context->doPad = PR_TRUE;
+ /* fall thru */
+ case CKM_RC2_ECB:
+ case CKM_RC2_CBC:
+ context->blockSize = 8;
+ if (key_type != CKK_RC2) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC2_CBC_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ rc2_param = (CK_RC2_CBC_PARAMS *)pMechanism->pParameter;
+ effectiveKeyLength = (rc2_param->ulEffectiveBits + 7) / 8;
+ context->cipherInfo =
+ RC2_CreateContext((unsigned char *)att->attrib.pValue,
+ att->attrib.ulValueLen, rc2_param->iv,
+ pMechanism->mechanism == CKM_RC2_ECB ? NSS_RC2 : NSS_RC2_CBC, effectiveKeyLength);
+ sftk_FreeAttribute(att);
+ if (context->cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->update = (SFTKCipher)(isEncrypt ? RC2_Encrypt : RC2_Decrypt);
+ context->destroy = (SFTKDestroy)RC2_DestroyContext;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
+
+#if NSS_SOFTOKEN_DOES_RC5
+ case CKM_RC5_CBC_PAD:
+ context->doPad = PR_TRUE;
+ /* fall thru */
+ case CKM_RC5_ECB:
+ case CKM_RC5_CBC:
+ if (key_type != CKK_RC5) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC5_CBC_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ rc5_param = (CK_RC5_CBC_PARAMS *)pMechanism->pParameter;
+ context->blockSize = rc5_param->ulWordsize * 2;
+ rc5Key.data = (unsigned char *)att->attrib.pValue;
+ rc5Key.len = att->attrib.ulValueLen;
+ context->cipherInfo = RC5_CreateContext(&rc5Key, rc5_param->ulRounds,
+ rc5_param->ulWordsize, rc5_param->pIv,
+ pMechanism->mechanism == CKM_RC5_ECB ? NSS_RC5 : NSS_RC5_CBC);
+ sftk_FreeAttribute(att);
+ if (context->cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->update = (SFTKCipher)(isEncrypt ? RC5_Encrypt : RC5_Decrypt);
+ context->destroy = (SFTKDestroy)RC5_DestroyContext;
+ break;
+#endif
+ case CKM_RC4:
+ if (key_type != CKK_RC4) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->cipherInfo =
+ RC4_CreateContext((unsigned char *)att->attrib.pValue,
+ att->attrib.ulValueLen);
+ sftk_FreeAttribute(att);
+ if (context->cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY; /* WRONG !!! */
+ break;
+ }
+ context->update = (SFTKCipher)(isEncrypt ? RC4_Encrypt : RC4_Decrypt);
+ context->destroy = (SFTKDestroy)RC4_DestroyContext;
+ break;
+ case CKM_CDMF_CBC_PAD:
+ context->doPad = PR_TRUE;
+ /* fall thru */
+ case CKM_CDMF_ECB:
+ case CKM_CDMF_CBC:
+ if (key_type != CKK_CDMF) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ t = (pMechanism->mechanism == CKM_CDMF_ECB) ? NSS_DES : NSS_DES_CBC;
+ goto finish_des;
+ case CKM_DES_ECB:
+ if (key_type != CKK_DES) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ t = NSS_DES;
+ goto finish_des;
+ case CKM_DES_CBC_PAD:
+ context->doPad = PR_TRUE;
+ /* fall thru */
+ case CKM_DES_CBC:
+ if (key_type != CKK_DES) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ t = NSS_DES_CBC;
+ goto finish_des;
+ case CKM_DES3_ECB:
+ if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ t = NSS_DES_EDE3;
+ goto finish_des;
+ case CKM_DES3_CBC_PAD:
+ context->doPad = PR_TRUE;
+ /* fall thru */
+ case CKM_DES3_CBC:
+ if ((key_type != CKK_DES2) && (key_type != CKK_DES3)) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ t = NSS_DES_EDE3_CBC;
+ finish_des:
+ if ((t != NSS_DES && t != NSS_DES_EDE3) && (pMechanism->pParameter == NULL ||
+ pMechanism->ulParameterLen < 8)) {
+ crv = CKR_DOMAIN_PARAMS_INVALID;
+ break;
+ }
+ context->blockSize = 8;
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ if (key_type == CKK_DES2 &&
+ (t == NSS_DES_EDE3_CBC || t == NSS_DES_EDE3)) {
+ /* extend DES2 key to DES3 key. */
+ memcpy(newdeskey, att->attrib.pValue, 16);
+ memcpy(newdeskey + 16, newdeskey, 8);
+ useNewKey = PR_TRUE;
+ } else if (key_type == CKK_CDMF) {
+ crv = sftk_cdmf2des((unsigned char *)att->attrib.pValue, newdeskey);
+ if (crv != CKR_OK) {
+ sftk_FreeAttribute(att);
+ break;
+ }
+ useNewKey = PR_TRUE;
+ }
+ context->cipherInfo = DES_CreateContext(
+ useNewKey ? newdeskey : (unsigned char *)att->attrib.pValue,
+ (unsigned char *)pMechanism->pParameter, t, isEncrypt);
+ if (useNewKey)
+ memset(newdeskey, 0, sizeof newdeskey);
+ sftk_FreeAttribute(att);
+ if (context->cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->update = (SFTKCipher)(isEncrypt ? DES_Encrypt : DES_Decrypt);
+ context->destroy = (SFTKDestroy)DES_DestroyContext;
+ break;
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ case CKM_SEED_CBC_PAD:
+ context->doPad = PR_TRUE;
+ /* fall thru */
+ case CKM_SEED_CBC:
+ if (!pMechanism->pParameter ||
+ pMechanism->ulParameterLen != 16) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ /* fall thru */
+ case CKM_SEED_ECB:
+ context->blockSize = 16;
+ if (key_type != CKK_SEED) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->cipherInfo = SEED_CreateContext(
+ (unsigned char *)att->attrib.pValue,
+ (unsigned char *)pMechanism->pParameter,
+ pMechanism->mechanism == CKM_SEED_ECB ? NSS_SEED : NSS_SEED_CBC,
+ isEncrypt);
+ sftk_FreeAttribute(att);
+ if (context->cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->update = (SFTKCipher)(isEncrypt ? SEED_Encrypt : SEED_Decrypt);
+ context->destroy = (SFTKDestroy)SEED_DestroyContext;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_SEED */
+ case CKM_CAMELLIA_CBC_PAD:
+ context->doPad = PR_TRUE;
+ /* fall thru */
+ case CKM_CAMELLIA_CBC:
+ if (!pMechanism->pParameter ||
+ pMechanism->ulParameterLen != 16) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ /* fall thru */
+ case CKM_CAMELLIA_ECB:
+ context->blockSize = 16;
+ if (key_type != CKK_CAMELLIA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->cipherInfo = Camellia_CreateContext(
+ (unsigned char *)att->attrib.pValue,
+ (unsigned char *)pMechanism->pParameter,
+ pMechanism->mechanism ==
+ CKM_CAMELLIA_ECB
+ ? NSS_CAMELLIA
+ : NSS_CAMELLIA_CBC,
+ isEncrypt, att->attrib.ulValueLen);
+ sftk_FreeAttribute(att);
+ if (context->cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->update = (SFTKCipher)(isEncrypt ? Camellia_Encrypt : Camellia_Decrypt);
+ context->destroy = (SFTKDestroy)Camellia_DestroyContext;
+ break;
+
+ case CKM_AES_CBC_PAD:
+ context->doPad = PR_TRUE;
+ /* fall thru */
+ case CKM_AES_ECB:
+ case CKM_AES_CBC:
+ context->blockSize = 16;
+ case CKM_AES_CTS:
+ case CKM_AES_CTR:
+ case CKM_AES_GCM:
+ aes_param = pMechanism->pParameter;
+ /*
+ * Due to a mismatch between the documentation and the header
+ * file, two different definitions for CK_GCM_PARAMS exist.
+ * The header file is normative according to Oasis, but NSS used
+ * the documentation. In PKCS #11 v3.0, this was reconciled in
+ * favor of the header file definition. To maintain binary
+ * compatibility, NSS now defines CK_GCM_PARAMS_V3 as the official
+ * version v3 (V2.4 header file) and CK_NSS_GCM_PARAMS as the
+ * legacy (V2.4 documentation, NSS version). CK_GCM_PARAMS
+ * is defined as CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is not
+ * defined and CK_NSS_GCM_PARAMS if it is. Internally
+ * softoken continues to use the legacy version. The code below
+ * automatically detects which parameter was passed in and
+ * converts CK_GCM_PARAMS_V3 to the CK_NSS_GCM_PARAMS (legacy
+ * version) on the fly. NSS proper will eventually start
+ * using the CK_GCM_PARAMS_V3 version and fall back to the
+ * CK_NSS_GCM_PARAMS if the CK_GCM_PARAMS_V3 version fails with
+ * CKR_MECHANISM_PARAM_INVALID.
+ */
+ if (pMechanism->mechanism == CKM_AES_GCM) {
+ if (!aes_param) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ if (pMechanism->ulParameterLen == sizeof(CK_GCM_PARAMS_V3)) {
+ /* convert the true V3 parameters into the old NSS parameters */
+ CK_GCM_PARAMS_V3 *gcm_params = (CK_GCM_PARAMS_V3 *)aes_param;
+ if (gcm_params->ulIvLen * 8 != gcm_params->ulIvBits) {
+ /* only support byte aligned IV lengths */
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ aes_param = (void *)&nss_gcm_param;
+ nss_gcm_param.pIv = gcm_params->pIv;
+ nss_gcm_param.ulIvLen = gcm_params->ulIvLen;
+ nss_gcm_param.pAAD = gcm_params->pAAD;
+ nss_gcm_param.ulAADLen = gcm_params->ulAADLen;
+ nss_gcm_param.ulTagBits = gcm_params->ulTagBits;
+ } else if (pMechanism->ulParameterLen != sizeof(CK_NSS_GCM_PARAMS)) {
+ /* neither old nor new style params, must be invalid */
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ } else if ((pMechanism->mechanism == CKM_AES_CTR && BAD_PARAM_CAST(pMechanism, sizeof(CK_AES_CTR_PARAMS))) ||
+ ((pMechanism->mechanism == CKM_AES_CBC || pMechanism->mechanism == CKM_AES_CTS) && BAD_PARAM_CAST(pMechanism, AES_BLOCK_SIZE))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+
+ if (pMechanism->mechanism == CKM_AES_GCM) {
+ context->multi = PR_FALSE;
+ }
+ if (key_type != CKK_AES) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->cipherInfo = AES_CreateContext(
+ (unsigned char *)att->attrib.pValue,
+ (unsigned char *)aes_param,
+ sftk_aes_mode(pMechanism->mechanism),
+ isEncrypt, att->attrib.ulValueLen, 16);
+ sftk_FreeAttribute(att);
+ if (context->cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->update = (SFTKCipher)(isEncrypt ? AES_Encrypt : AES_Decrypt);
+ context->destroy = (SFTKDestroy)AES_DestroyContext;
+ break;
+
+ case CKM_NSS_CHACHA20_POLY1305:
+ case CKM_CHACHA20_POLY1305:
+ if (pMechanism->mechanism == CKM_NSS_CHACHA20_POLY1305) {
+ if (key_type != CKK_NSS_CHACHA20) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ if ((pMechanism->pParameter == NULL) ||
+ (pMechanism->ulParameterLen != sizeof(CK_NSS_AEAD_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ nss_aead_params_ptr = (CK_NSS_AEAD_PARAMS *)pMechanism->pParameter;
+ } else {
+ CK_SALSA20_CHACHA20_POLY1305_PARAMS_PTR chacha_poly_params;
+ if (key_type != CKK_CHACHA20) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ if ((pMechanism->pParameter == NULL) ||
+ (pMechanism->ulParameterLen !=
+ sizeof(CK_SALSA20_CHACHA20_POLY1305_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ chacha_poly_params = (CK_SALSA20_CHACHA20_POLY1305_PARAMS_PTR)
+ pMechanism->pParameter;
+ nss_aead_params_ptr = &nss_aead_params;
+ nss_aead_params.pNonce = chacha_poly_params->pNonce;
+ nss_aead_params.ulNonceLen = chacha_poly_params->ulNonceLen;
+ nss_aead_params.pAAD = chacha_poly_params->pAAD;
+ nss_aead_params.ulAADLen = chacha_poly_params->ulAADLen;
+ nss_aead_params.ulTagLen = 16; /* Poly1305 is always 16 */
+ }
+
+ context->multi = PR_FALSE;
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->cipherInfo = sftk_ChaCha20Poly1305_CreateContext(
+ (unsigned char *)att->attrib.pValue, att->attrib.ulValueLen,
+ nss_aead_params_ptr);
+ sftk_FreeAttribute(att);
+ if (context->cipherInfo == NULL) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+ context->update = (SFTKCipher)(isEncrypt ? sftk_ChaCha20Poly1305_Encrypt : sftk_ChaCha20Poly1305_Decrypt);
+ context->destroy = (SFTKDestroy)sftk_ChaCha20Poly1305_DestroyContext;
+ break;
+
+ case CKM_NSS_CHACHA20_CTR: /* old NSS private version */
+ case CKM_CHACHA20: /* PKCS #11 v3 version */
+ {
+ unsigned char *counter;
+ unsigned char *nonce;
+ unsigned long counter_len;
+ unsigned long nonce_len;
+ context->multi = PR_FALSE;
+ if (pMechanism->mechanism == CKM_NSS_CHACHA20_CTR) {
+ if (key_type != CKK_NSS_CHACHA20) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ if (pMechanism->pParameter == NULL || pMechanism->ulParameterLen != 16) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ counter_len = 4;
+ counter = pMechanism->pParameter;
+ nonce = counter + 4;
+ nonce_len = 12;
+ } else {
+ CK_CHACHA20_PARAMS_PTR chacha20_param_ptr;
+ if (key_type != CKK_CHACHA20) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ if (pMechanism->pParameter == NULL || pMechanism->ulParameterLen != sizeof(CK_CHACHA20_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ chacha20_param_ptr = (CK_CHACHA20_PARAMS_PTR)pMechanism->pParameter;
+ if ((chacha20_param_ptr->blockCounterBits != 32) &&
+ (chacha20_param_ptr->blockCounterBits != 64)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ counter_len = chacha20_param_ptr->blockCounterBits / PR_BITS_PER_BYTE;
+ counter = chacha20_param_ptr->pBlockCounter;
+ nonce = chacha20_param_ptr->pNonce;
+ nonce_len = chacha20_param_ptr->ulNonceBits / PR_BITS_PER_BYTE;
+ }
+
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ SFTKChaCha20CtrInfo *ctx = PORT_ZNew(SFTKChaCha20CtrInfo);
+ if (!ctx) {
+ sftk_FreeAttribute(att);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ if (att->attrib.ulValueLen != sizeof(ctx->key)) {
+ sftk_FreeAttribute(att);
+ PORT_Free(ctx);
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ memcpy(ctx->key, att->attrib.pValue, att->attrib.ulValueLen);
+ sftk_FreeAttribute(att);
+
+ /* make sure we don't overflow our parameters */
+ if ((sizeof(ctx->counter) < counter_len) ||
+ (sizeof(ctx->nonce) < nonce_len)) {
+ PORT_Free(ctx);
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+
+ /* The counter is little endian. */
+ int i = 0;
+ for (; i < counter_len; ++i) {
+ ctx->counter |= (PRUint32)counter[i] << (i * 8);
+ }
+ memcpy(ctx->nonce, nonce, nonce_len);
+ context->cipherInfo = ctx;
+ context->update = (SFTKCipher)sftk_ChaCha20Ctr;
+ context->destroy = (SFTKDestroy)sftk_ChaCha20Ctr_DestroyContext;
+ break;
+ }
+
+ case CKM_NSS_AES_KEY_WRAP_PAD:
+ case CKM_AES_KEY_WRAP_PAD:
+ context->doPad = PR_TRUE;
+ /* fall thru */
+ case CKM_NSS_AES_KEY_WRAP:
+ case CKM_AES_KEY_WRAP:
+ context->blockSize = 8;
+ case CKM_AES_KEY_WRAP_KWP:
+ context->multi = PR_FALSE;
+ if (key_type != CKK_AES) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ context->cipherInfo = AESKeyWrap_CreateContext(
+ (unsigned char *)att->attrib.pValue,
+ (unsigned char *)pMechanism->pParameter,
+ isEncrypt, att->attrib.ulValueLen);
+ sftk_FreeAttribute(att);
+ if (context->cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ if (pMechanism->mechanism == CKM_AES_KEY_WRAP_KWP) {
+ context->update = (SFTKCipher)(isEncrypt ? AESKeyWrap_EncryptKWP
+ : AESKeyWrap_DecryptKWP);
+ } else {
+ context->update = (SFTKCipher)(isEncrypt ? AESKeyWrap_Encrypt
+ : AESKeyWrap_Decrypt);
+ }
+ context->destroy = (SFTKDestroy)AESKeyWrap_DestroyContext;
+ break;
+
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ sftk_FreeContext(context);
+ sftk_FreeSession(session);
+ return crv;
+ }
+ sftk_SetContextByType(session, contextType, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_EncryptInit initializes an encryption operation. */
+CK_RV
+NSC_EncryptInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ CHECK_FORK();
+ return sftk_CryptInit(hSession, pMechanism, hKey, CKA_ENCRYPT, CKA_ENCRYPT,
+ SFTK_ENCRYPT, PR_TRUE);
+}
+
+/* NSC_EncryptUpdate continues a multiple-part encryption operation. */
+CK_RV
+NSC_EncryptUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pPart, CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
+ CK_ULONG_PTR pulEncryptedPartLen)
+{
+ SFTKSessionContext *context;
+ unsigned int outlen, i;
+ unsigned int padoutlen = 0;
+ unsigned int maxout = *pulEncryptedPartLen;
+ CK_RV crv;
+ SECStatus rv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_ENCRYPT, PR_TRUE, NULL);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (!pEncryptedPart) {
+ if (context->doPad) {
+ CK_ULONG totalDataAvailable = ulPartLen + context->padDataLength;
+ CK_ULONG blocksToSend = totalDataAvailable / context->blockSize;
+
+ *pulEncryptedPartLen = blocksToSend * context->blockSize;
+ return CKR_OK;
+ }
+ *pulEncryptedPartLen = ulPartLen;
+ return CKR_OK;
+ }
+
+ /* do padding */
+ if (context->doPad) {
+ /* deal with previous buffered data */
+ if (context->padDataLength != 0) {
+ /* fill in the padded to a full block size */
+ for (i = context->padDataLength;
+ (ulPartLen != 0) && i < context->blockSize; i++) {
+ context->padBuf[i] = *pPart++;
+ ulPartLen--;
+ context->padDataLength++;
+ }
+
+ /* not enough data to encrypt yet? then return */
+ if (context->padDataLength != context->blockSize) {
+ *pulEncryptedPartLen = 0;
+ return CKR_OK;
+ }
+ /* encrypt the current padded data */
+ rv = (*context->update)(context->cipherInfo, pEncryptedPart,
+ &padoutlen, maxout, context->padBuf,
+ context->blockSize);
+ if (rv != SECSuccess) {
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ pEncryptedPart += padoutlen;
+ maxout -= padoutlen;
+ }
+ /* save the residual */
+ context->padDataLength = ulPartLen % context->blockSize;
+ if (context->padDataLength) {
+ PORT_Memcpy(context->padBuf,
+ &pPart[ulPartLen - context->padDataLength],
+ context->padDataLength);
+ ulPartLen -= context->padDataLength;
+ }
+ /* if we've exhausted our new buffer, we're done */
+ if (ulPartLen == 0) {
+ *pulEncryptedPartLen = padoutlen;
+ return CKR_OK;
+ }
+ }
+
+ /* do it: NOTE: this assumes buf size in is >= buf size out! */
+ rv = (*context->update)(context->cipherInfo, pEncryptedPart,
+ &outlen, maxout, pPart, ulPartLen);
+ if (rv != SECSuccess) {
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ *pulEncryptedPartLen = (CK_ULONG)(outlen + padoutlen);
+ return CKR_OK;
+}
+
+/* NSC_EncryptFinal finishes a multiple-part encryption operation. */
+CK_RV
+NSC_EncryptFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int outlen, i;
+ unsigned int maxout = *pulLastEncryptedPartLen;
+ CK_RV crv;
+ SECStatus rv = SECSuccess;
+ PRBool contextFinished = PR_TRUE;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_ENCRYPT, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ *pulLastEncryptedPartLen = 0;
+ if (!pLastEncryptedPart) {
+ /* caller is checking the amount of remaining data */
+ if (context->blockSize > 0 && context->doPad) {
+ *pulLastEncryptedPartLen = context->blockSize;
+ contextFinished = PR_FALSE; /* still have padding to go */
+ }
+ goto finish;
+ }
+
+ /* do padding */
+ if (context->doPad) {
+ unsigned char padbyte = (unsigned char)(context->blockSize - context->padDataLength);
+ /* fill out rest of pad buffer with pad magic*/
+ for (i = context->padDataLength; i < context->blockSize; i++) {
+ context->padBuf[i] = padbyte;
+ }
+ rv = (*context->update)(context->cipherInfo, pLastEncryptedPart,
+ &outlen, maxout, context->padBuf, context->blockSize);
+ if (rv == SECSuccess)
+ *pulLastEncryptedPartLen = (CK_ULONG)outlen;
+ }
+
+finish:
+ if (contextFinished)
+ sftk_TerminateOp(session, SFTK_ENCRYPT, context);
+ sftk_FreeSession(session);
+ return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError());
+}
+
+/* NSC_Encrypt encrypts single-part data. */
+CK_RV
+NSC_Encrypt(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pEncryptedData,
+ CK_ULONG_PTR pulEncryptedDataLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int outlen;
+ unsigned int maxoutlen = *pulEncryptedDataLen;
+ CK_RV crv;
+ CK_RV crv2;
+ SECStatus rv = SECSuccess;
+ SECItem pText;
+
+ pText.type = siBuffer;
+ pText.data = pData;
+ pText.len = ulDataLen;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_ENCRYPT, PR_FALSE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (!pEncryptedData) {
+ outlen = context->rsa ? context->maxLen : ulDataLen + 2 * context->blockSize;
+ goto done;
+ }
+
+ if (context->doPad) {
+ if (context->multi) {
+ CK_ULONG updateLen = maxoutlen;
+ CK_ULONG finalLen;
+ /* padding is fairly complicated, have the update and final
+ * code deal with it */
+ sftk_FreeSession(session);
+ crv = NSC_EncryptUpdate(hSession, pData, ulDataLen, pEncryptedData,
+ &updateLen);
+ if (crv != CKR_OK) {
+ updateLen = 0;
+ }
+ maxoutlen -= updateLen;
+ pEncryptedData += updateLen;
+ finalLen = maxoutlen;
+ crv2 = NSC_EncryptFinal(hSession, pEncryptedData, &finalLen);
+ if (crv == CKR_OK && crv2 == CKR_OK) {
+ *pulEncryptedDataLen = updateLen + finalLen;
+ }
+ return crv == CKR_OK ? crv2 : crv;
+ }
+ /* doPad without multi means that padding must be done on the first
+ ** and only update. There will be no final.
+ */
+ PORT_Assert(context->blockSize > 1);
+ if (context->blockSize > 1) {
+ CK_ULONG remainder = ulDataLen % context->blockSize;
+ CK_ULONG padding = context->blockSize - remainder;
+ pText.len += padding;
+ pText.data = PORT_ZAlloc(pText.len);
+ if (pText.data) {
+ memcpy(pText.data, pData, ulDataLen);
+ memset(pText.data + ulDataLen, padding, padding);
+ } else {
+ crv = CKR_HOST_MEMORY;
+ goto fail;
+ }
+ }
+ }
+
+ /* do it: NOTE: this assumes buf size is big enough. */
+ rv = (*context->update)(context->cipherInfo, pEncryptedData,
+ &outlen, maxoutlen, pText.data, pText.len);
+ crv = (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError());
+ if (pText.data != pData)
+ PORT_ZFree(pText.data, pText.len);
+fail:
+ sftk_TerminateOp(session, SFTK_ENCRYPT, context);
+done:
+ sftk_FreeSession(session);
+ if (crv == CKR_OK) {
+ *pulEncryptedDataLen = (CK_ULONG)outlen;
+ }
+ return crv;
+}
+
+/*
+ ************** Crypto Functions: Decrypt ************************
+ */
+
+/* NSC_DecryptInit initializes a decryption operation. */
+CK_RV
+NSC_DecryptInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ CHECK_FORK();
+ return sftk_CryptInit(hSession, pMechanism, hKey, CKA_DECRYPT, CKA_DECRYPT,
+ SFTK_DECRYPT, PR_FALSE);
+}
+
+/* NSC_DecryptUpdate continues a multiple-part decryption operation. */
+CK_RV
+NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
+ CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
+{
+ SFTKSessionContext *context;
+ unsigned int padoutlen = 0;
+ unsigned int outlen;
+ unsigned int maxout = *pulPartLen;
+ CK_RV crv;
+ SECStatus rv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_DECRYPT, PR_TRUE, NULL);
+ if (crv != CKR_OK)
+ return crv;
+
+ /* this can only happen on an NSS programming error */
+ PORT_Assert((context->padDataLength == 0) || context->padDataLength == context->blockSize);
+
+ if (context->doPad) {
+ /* Check the data length for block ciphers. If we are padding,
+ * then we must be using a block cipher. In the non-padding case
+ * the error will be returned by the underlying decryption
+ * function when we do the actual decrypt. We need to do the
+ * check here to avoid returning a negative length to the caller
+ * or reading before the beginning of the pEncryptedPart buffer.
+ */
+ if ((ulEncryptedPartLen == 0) ||
+ (ulEncryptedPartLen % context->blockSize) != 0) {
+ return CKR_ENCRYPTED_DATA_LEN_RANGE;
+ }
+ }
+
+ if (!pPart) {
+ if (context->doPad) {
+ *pulPartLen =
+ ulEncryptedPartLen + context->padDataLength - context->blockSize;
+ return CKR_OK;
+ }
+ /* for stream ciphers there is are no constraints on ulEncryptedPartLen.
+ * for block ciphers, it must be a multiple of blockSize. The error is
+ * detected when this function is called again do decrypt the output.
+ */
+ *pulPartLen = ulEncryptedPartLen;
+ return CKR_OK;
+ }
+
+ if (context->doPad) {
+ /* first decrypt our saved buffer */
+ if (context->padDataLength != 0) {
+ rv = (*context->update)(context->cipherInfo, pPart, &padoutlen,
+ maxout, context->padBuf, context->blockSize);
+ if (rv != SECSuccess)
+ return sftk_MapDecryptError(PORT_GetError());
+ pPart += padoutlen;
+ maxout -= padoutlen;
+ }
+ /* now save the final block for the next decrypt or the final */
+ PORT_Memcpy(context->padBuf, &pEncryptedPart[ulEncryptedPartLen - context->blockSize],
+ context->blockSize);
+ context->padDataLength = context->blockSize;
+ ulEncryptedPartLen -= context->padDataLength;
+ }
+
+ /* do it: NOTE: this assumes buf size in is >= buf size out! */
+ rv = (*context->update)(context->cipherInfo, pPart, &outlen,
+ maxout, pEncryptedPart, ulEncryptedPartLen);
+ if (rv != SECSuccess) {
+ return sftk_MapDecryptError(PORT_GetError());
+ }
+ *pulPartLen = (CK_ULONG)(outlen + padoutlen);
+ return CKR_OK;
+}
+
+/* NSC_DecryptFinal finishes a multiple-part decryption operation. */
+CK_RV
+NSC_DecryptFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int outlen;
+ unsigned int maxout = *pulLastPartLen;
+ CK_RV crv;
+ SECStatus rv = SECSuccess;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_DECRYPT, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ *pulLastPartLen = 0;
+ if (!pLastPart) {
+ /* caller is checking the amount of remaining data */
+ if (context->padDataLength > 0) {
+ *pulLastPartLen = context->padDataLength;
+ }
+ goto finish;
+ }
+
+ if (context->doPad) {
+ /* decrypt our saved buffer */
+ if (context->padDataLength != 0) {
+ /* this assumes that pLastPart is big enough to hold the *whole*
+ * buffer!!! */
+ rv = (*context->update)(context->cipherInfo, pLastPart, &outlen,
+ maxout, context->padBuf, context->blockSize);
+ if (rv != SECSuccess) {
+ crv = sftk_MapDecryptError(PORT_GetError());
+ } else {
+ unsigned int padSize = 0;
+ crv = sftk_CheckCBCPadding(pLastPart, outlen,
+ context->blockSize, &padSize);
+ /* Update pulLastPartLen, in constant time, if crv is OK */
+ *pulLastPartLen = PORT_CT_SEL(sftk_CKRVToMask(crv), outlen - padSize, *pulLastPartLen);
+ }
+ }
+ }
+
+ sftk_TerminateOp(session, SFTK_DECRYPT, context);
+finish:
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/* NSC_Decrypt decrypts encrypted data in a single part. */
+CK_RV
+NSC_Decrypt(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen, CK_BYTE_PTR pData,
+ CK_ULONG_PTR pulDataLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int outlen;
+ unsigned int maxoutlen = *pulDataLen;
+ CK_RV crv;
+ CK_RV crv2;
+ SECStatus rv = SECSuccess;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_DECRYPT, PR_FALSE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (!pData) {
+ *pulDataLen = (CK_ULONG)(ulEncryptedDataLen + context->blockSize);
+ goto done;
+ }
+
+ if (context->doPad && context->multi) {
+ CK_ULONG updateLen = maxoutlen;
+ CK_ULONG finalLen;
+ /* padding is fairly complicated, have the update and final
+ * code deal with it */
+ sftk_FreeSession(session);
+ crv = NSC_DecryptUpdate(hSession, pEncryptedData, ulEncryptedDataLen,
+ pData, &updateLen);
+ if (crv == CKR_OK) {
+ maxoutlen -= updateLen;
+ pData += updateLen;
+ }
+ finalLen = maxoutlen;
+ crv2 = NSC_DecryptFinal(hSession, pData, &finalLen);
+ if (crv == CKR_OK) {
+ *pulDataLen = PORT_CT_SEL(sftk_CKRVToMask(crv2), updateLen + finalLen, *pulDataLen);
+ return crv2;
+ } else {
+ return crv;
+ }
+ }
+
+ rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen,
+ pEncryptedData, ulEncryptedDataLen);
+ /* XXX need to do MUCH better error mapping than this. */
+ crv = (rv == SECSuccess) ? CKR_OK : sftk_MapDecryptError(PORT_GetError());
+ if (rv == SECSuccess) {
+ if (context->doPad) {
+ unsigned int padSize = 0;
+ crv = sftk_CheckCBCPadding(pData, outlen, context->blockSize,
+ &padSize);
+ /* Update pulDataLen, in constant time, if crv is OK */
+ *pulDataLen = PORT_CT_SEL(sftk_CKRVToMask(crv), outlen - padSize, *pulDataLen);
+ } else {
+ *pulDataLen = (CK_ULONG)outlen;
+ }
+ }
+ sftk_TerminateOp(session, SFTK_DECRYPT, context);
+done:
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/*
+ ************** Crypto Functions: Digest (HASH) ************************
+ */
+
+/* NSC_DigestInit initializes a message-digesting operation. */
+CK_RV
+NSC_DigestInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV crv = CKR_OK;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ crv = sftk_InitGeneric(session, pMechanism, &context, SFTK_HASH,
+ NULL, 0, NULL, 0, CKA_DIGEST);
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+#define INIT_MECH(mmm) \
+ case CKM_##mmm: { \
+ mmm##Context *mmm##_ctx = mmm##_NewContext(); \
+ context->cipherInfo = (void *)mmm##_ctx; \
+ context->cipherInfoLen = mmm##_FlattenSize(mmm##_ctx); \
+ context->currentMech = CKM_##mmm; \
+ context->hashUpdate = (SFTKHash)mmm##_Update; \
+ context->end = (SFTKEnd)mmm##_End; \
+ context->destroy = (SFTKDestroy)mmm##_DestroyContext; \
+ context->maxLen = mmm##_LENGTH; \
+ if (mmm##_ctx) \
+ mmm##_Begin(mmm##_ctx); \
+ else \
+ crv = CKR_HOST_MEMORY; \
+ break; \
+ }
+
+ switch (pMechanism->mechanism) {
+ INIT_MECH(MD2)
+ INIT_MECH(MD5)
+ INIT_MECH(SHA1)
+ INIT_MECH(SHA224)
+ INIT_MECH(SHA256)
+ INIT_MECH(SHA384)
+ INIT_MECH(SHA512)
+
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ sftk_FreeContext(context);
+ sftk_FreeSession(session);
+ return crv;
+ }
+ sftk_SetContextByType(session, SFTK_HASH, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_Digest digests data in a single part. */
+CK_RV
+NSC_Digest(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pDigest,
+ CK_ULONG_PTR pulDigestLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int digestLen;
+ unsigned int maxout = *pulDigestLen;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_FALSE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (pDigest == NULL) {
+ *pulDigestLen = context->maxLen;
+ goto finish;
+ }
+
+ /* do it: */
+ (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
+ /* NOTE: this assumes buf size is bigenough for the algorithm */
+ (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
+ *pulDigestLen = digestLen;
+
+ sftk_TerminateOp(session, SFTK_HASH, context);
+finish:
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_DigestUpdate continues a multiple-part message-digesting operation. */
+CK_RV
+NSC_DigestUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ SFTKSessionContext *context;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL);
+ if (crv != CKR_OK)
+ return crv;
+ /* do it: */
+ (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
+ return CKR_OK;
+}
+
+/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
+CK_RV
+NSC_DigestFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest,
+ CK_ULONG_PTR pulDigestLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int maxout = *pulDigestLen;
+ unsigned int digestLen;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (pDigest != NULL) {
+ (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
+ *pulDigestLen = digestLen;
+ sftk_TerminateOp(session, SFTK_HASH, context);
+ } else {
+ *pulDigestLen = context->maxLen;
+ }
+
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/*
+ * these helper functions are used by Generic Macing and Signing functions
+ * that use hashes as part of their operations.
+ */
+#define DOSUB(mmm) \
+ static CK_RV \
+ sftk_doSub##mmm(SFTKSessionContext *context) \
+ { \
+ mmm##Context *mmm##_ctx = mmm##_NewContext(); \
+ context->hashInfo = (void *)mmm##_ctx; \
+ context->hashUpdate = (SFTKHash)mmm##_Update; \
+ context->end = (SFTKEnd)mmm##_End; \
+ context->hashdestroy = (SFTKDestroy)mmm##_DestroyContext; \
+ if (!context->hashInfo) { \
+ return CKR_HOST_MEMORY; \
+ } \
+ mmm##_Begin(mmm##_ctx); \
+ return CKR_OK; \
+ }
+
+DOSUB(MD2)
+DOSUB(MD5)
+DOSUB(SHA1)
+DOSUB(SHA224)
+DOSUB(SHA256)
+DOSUB(SHA384)
+DOSUB(SHA512)
+
+static SECStatus
+sftk_SignCopy(
+ CK_ULONG *copyLen,
+ void *out, unsigned int *outLength,
+ unsigned int maxLength,
+ const unsigned char *hashResult,
+ unsigned int hashResultLength)
+{
+ unsigned int toCopy = *copyLen;
+ if (toCopy > maxLength) {
+ toCopy = maxLength;
+ }
+ if (toCopy > hashResultLength) {
+ toCopy = hashResultLength;
+ }
+ memcpy(out, hashResult, toCopy);
+ if (outLength) {
+ *outLength = toCopy;
+ }
+ return SECSuccess;
+}
+
+/* Verify is just a compare for HMAC */
+static SECStatus
+sftk_HMACCmp(CK_ULONG *copyLen, unsigned char *sig, unsigned int sigLen,
+ unsigned char *hash, unsigned int hashLen)
+{
+ if (NSS_SecureMemcmp(sig, hash, *copyLen) == 0) {
+ return SECSuccess;
+ }
+
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+}
+
+/*
+ * common HMAC + CMAC initialization routine
+ */
+static CK_RV
+sftk_doMACInit(CK_MECHANISM_TYPE mech, SFTKSessionContext *session,
+ SFTKObject *key, CK_ULONG mac_size)
+{
+ CK_RV crv;
+ sftk_MACCtx *context;
+ CK_ULONG *intpointer;
+ PRBool isFIPS = sftk_isFIPS(key->slot->slotID);
+
+ /* Set up the initial context. */
+ crv = sftk_MAC_Create(mech, key, &context);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ session->hashInfo = context;
+ session->multi = PR_TRUE;
+
+ /* Required by FIPS 198 Section 4. Delay this check until after the MAC
+ * has been initialized to steal the output size of the MAC. */
+ if (isFIPS && (mac_size < 4 || mac_size < context->mac_size / 2)) {
+ sftk_MAC_Destroy(context, PR_TRUE);
+ return CKR_BUFFER_TOO_SMALL;
+ }
+
+ /* Configure our helper functions appropriately. Note that these casts
+ * ignore the return values. */
+ session->hashUpdate = (SFTKHash)sftk_MAC_Update;
+ session->end = (SFTKEnd)sftk_MAC_Finish;
+ session->hashdestroy = (SFTKDestroy)sftk_MAC_Destroy;
+
+ intpointer = PORT_New(CK_ULONG);
+ if (intpointer == NULL) {
+ sftk_MAC_Destroy(context, PR_TRUE);
+ return CKR_HOST_MEMORY;
+ }
+ *intpointer = mac_size;
+ session->cipherInfo = intpointer;
+
+ /* Since we're only "hashing", copy the result from session->end to the
+ * caller using sftk_SignCopy. */
+ session->update = (SFTKCipher)sftk_SignCopy;
+ session->verify = (SFTKVerify)sftk_HMACCmp;
+ session->destroy = (SFTKDestroy)sftk_Space;
+
+ session->maxLen = context->mac_size;
+
+ return CKR_OK;
+}
+
+/*
+ * SSL Macing support. SSL Macs are inited, then update with the base
+ * hashing algorithm, then finalized in sign and verify
+ */
+
+/*
+ * FROM SSL:
+ * 60 bytes is 3 times the maximum length MAC size that is supported.
+ * We probably should have one copy of this table. We still need this table
+ * in ssl to 'sign' the handshake hashes.
+ */
+static unsigned char ssl_pad_1[60] = {
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
+ 0x36, 0x36, 0x36, 0x36
+};
+static unsigned char ssl_pad_2[60] = {
+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+ 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
+ 0x5c, 0x5c, 0x5c, 0x5c
+};
+
+static SECStatus
+sftk_SSLMACSign(SFTKSSLMACInfo *info, unsigned char *sig, unsigned int *sigLen,
+ unsigned int maxLen, unsigned char *hash, unsigned int hashLen)
+{
+ unsigned char tmpBuf[SFTK_MAX_MAC_LENGTH];
+ unsigned int out;
+
+ info->begin(info->hashContext);
+ info->update(info->hashContext, info->key, info->keySize);
+ info->update(info->hashContext, ssl_pad_2, info->padSize);
+ info->update(info->hashContext, hash, hashLen);
+ info->end(info->hashContext, tmpBuf, &out, SFTK_MAX_MAC_LENGTH);
+ PORT_Memcpy(sig, tmpBuf, info->macSize);
+ PORT_Memset(tmpBuf, 0, info->macSize);
+ *sigLen = info->macSize;
+ return SECSuccess;
+}
+
+static SECStatus
+sftk_SSLMACVerify(SFTKSSLMACInfo *info, unsigned char *sig, unsigned int sigLen,
+ unsigned char *hash, unsigned int hashLen)
+{
+ unsigned char tmpBuf[SFTK_MAX_MAC_LENGTH];
+ unsigned int out;
+ int cmp;
+
+ info->begin(info->hashContext);
+ info->update(info->hashContext, info->key, info->keySize);
+ info->update(info->hashContext, ssl_pad_2, info->padSize);
+ info->update(info->hashContext, hash, hashLen);
+ info->end(info->hashContext, tmpBuf, &out, SFTK_MAX_MAC_LENGTH);
+ cmp = NSS_SecureMemcmp(sig, tmpBuf, info->macSize);
+ PORT_Memset(tmpBuf, 0, info->macSize);
+ return (cmp == 0) ? SECSuccess : SECFailure;
+}
+
+/*
+ * common HMAC initalization routine
+ */
+static CK_RV
+sftk_doSSLMACInit(SFTKSessionContext *context, SECOidTag oid,
+ SFTKObject *key, CK_ULONG mac_size)
+{
+ SFTKAttribute *keyval;
+ SFTKBegin begin;
+ int padSize;
+ SFTKSSLMACInfo *sslmacinfo;
+ CK_RV crv = CKR_MECHANISM_INVALID;
+
+ if (oid == SEC_OID_SHA1) {
+ crv = sftk_doSubSHA1(context);
+ if (crv != CKR_OK)
+ return crv;
+ begin = (SFTKBegin)SHA1_Begin;
+ padSize = 40;
+ } else {
+ crv = sftk_doSubMD5(context);
+ if (crv != CKR_OK)
+ return crv;
+ begin = (SFTKBegin)MD5_Begin;
+ padSize = 48;
+ }
+ context->multi = PR_TRUE;
+
+ keyval = sftk_FindAttribute(key, CKA_VALUE);
+ if (keyval == NULL)
+ return CKR_KEY_SIZE_RANGE;
+
+ context->hashUpdate(context->hashInfo, keyval->attrib.pValue,
+ keyval->attrib.ulValueLen);
+ context->hashUpdate(context->hashInfo, ssl_pad_1, padSize);
+ sslmacinfo = (SFTKSSLMACInfo *)PORT_Alloc(sizeof(SFTKSSLMACInfo));
+ if (sslmacinfo == NULL) {
+ sftk_FreeAttribute(keyval);
+ return CKR_HOST_MEMORY;
+ }
+ sslmacinfo->size = sizeof(SFTKSSLMACInfo);
+ sslmacinfo->macSize = mac_size;
+ sslmacinfo->hashContext = context->hashInfo;
+ PORT_Memcpy(sslmacinfo->key, keyval->attrib.pValue,
+ keyval->attrib.ulValueLen);
+ sslmacinfo->keySize = keyval->attrib.ulValueLen;
+ sslmacinfo->begin = begin;
+ sslmacinfo->end = context->end;
+ sslmacinfo->update = context->hashUpdate;
+ sslmacinfo->padSize = padSize;
+ sftk_FreeAttribute(keyval);
+ context->cipherInfo = (void *)sslmacinfo;
+ context->destroy = (SFTKDestroy)sftk_ZSpace;
+ context->update = (SFTKCipher)sftk_SSLMACSign;
+ context->verify = (SFTKVerify)sftk_SSLMACVerify;
+ context->maxLen = mac_size;
+ return CKR_OK;
+}
+
+/*
+ ************** Crypto Functions: Sign ************************
+ */
+
+/**
+ * Check if We're using CBCMacing and initialize the session context if we are.
+ * @param contextType SFTK_SIGN or SFTK_VERIFY
+ * @param keyUsage check whether key allows this usage
+ */
+static CK_RV
+sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey, CK_ATTRIBUTE_TYPE keyUsage,
+ SFTKContextType contextType)
+
+{
+ CK_MECHANISM cbc_mechanism;
+ CK_ULONG mac_bytes = SFTK_INVALID_MAC_SIZE;
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ CK_RC2_CBC_PARAMS rc2_params;
+#endif
+#if NSS_SOFTOKEN_DOES_RC5
+ CK_RC5_CBC_PARAMS rc5_params;
+ CK_RC5_MAC_GENERAL_PARAMS *rc5_mac;
+#endif
+ unsigned char ivBlock[SFTK_MAX_BLOCK_SIZE];
+ unsigned char k2[SFTK_MAX_BLOCK_SIZE];
+ unsigned char k3[SFTK_MAX_BLOCK_SIZE];
+ SFTKSessionContext *context;
+ CK_RV crv;
+ unsigned int blockSize;
+ PRBool isXCBC = PR_FALSE;
+
+ if (!pMechanism) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ switch (pMechanism->mechanism) {
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case CKM_RC2_MAC_GENERAL:
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC2_MAC_GENERAL_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ mac_bytes =
+ ((CK_RC2_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
+ /* fall through */
+ case CKM_RC2_MAC:
+ /* this works because ulEffectiveBits is in the same place in both the
+ * CK_RC2_MAC_GENERAL_PARAMS and CK_RC2_CBC_PARAMS */
+ rc2_params.ulEffectiveBits = ((CK_RC2_MAC_GENERAL_PARAMS *)
+ pMechanism->pParameter)
+ ->ulEffectiveBits;
+ PORT_Memset(rc2_params.iv, 0, sizeof(rc2_params.iv));
+ cbc_mechanism.mechanism = CKM_RC2_CBC;
+ cbc_mechanism.pParameter = &rc2_params;
+ cbc_mechanism.ulParameterLen = sizeof(rc2_params);
+ blockSize = 8;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
+
+#if NSS_SOFTOKEN_DOES_RC5
+ case CKM_RC5_MAC_GENERAL:
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC5_MAC_GENERAL_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ mac_bytes =
+ ((CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength;
+ /* fall through */
+ case CKM_RC5_MAC:
+ /* this works because ulEffectiveBits is in the same place in both the
+ * CK_RC5_MAC_GENERAL_PARAMS and CK_RC5_CBC_PARAMS */
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC5_MAC_GENERAL_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ rc5_mac = (CK_RC5_MAC_GENERAL_PARAMS *)pMechanism->pParameter;
+ rc5_params.ulWordsize = rc5_mac->ulWordsize;
+ rc5_params.ulRounds = rc5_mac->ulRounds;
+ rc5_params.pIv = ivBlock;
+ if ((blockSize = rc5_mac->ulWordsize * 2) > SFTK_MAX_BLOCK_SIZE)
+ return CKR_MECHANISM_PARAM_INVALID;
+ rc5_params.ulIvLen = blockSize;
+ PORT_Memset(ivBlock, 0, blockSize);
+ cbc_mechanism.mechanism = CKM_RC5_CBC;
+ cbc_mechanism.pParameter = &rc5_params;
+ cbc_mechanism.ulParameterLen = sizeof(rc5_params);
+ break;
+#endif
+ /* add cast and idea later */
+ case CKM_DES_MAC_GENERAL:
+ mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+ /* fall through */
+ case CKM_DES_MAC:
+ blockSize = 8;
+ PORT_Memset(ivBlock, 0, blockSize);
+ cbc_mechanism.mechanism = CKM_DES_CBC;
+ cbc_mechanism.pParameter = &ivBlock;
+ cbc_mechanism.ulParameterLen = blockSize;
+ break;
+ case CKM_DES3_MAC_GENERAL:
+ mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+ /* fall through */
+ case CKM_DES3_MAC:
+ blockSize = 8;
+ PORT_Memset(ivBlock, 0, blockSize);
+ cbc_mechanism.mechanism = CKM_DES3_CBC;
+ cbc_mechanism.pParameter = &ivBlock;
+ cbc_mechanism.ulParameterLen = blockSize;
+ break;
+ case CKM_CDMF_MAC_GENERAL:
+ mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+ /* fall through */
+ case CKM_CDMF_MAC:
+ blockSize = 8;
+ PORT_Memset(ivBlock, 0, blockSize);
+ cbc_mechanism.mechanism = CKM_CDMF_CBC;
+ cbc_mechanism.pParameter = &ivBlock;
+ cbc_mechanism.ulParameterLen = blockSize;
+ break;
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ case CKM_SEED_MAC_GENERAL:
+ mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+ /* fall through */
+ case CKM_SEED_MAC:
+ blockSize = 16;
+ PORT_Memset(ivBlock, 0, blockSize);
+ cbc_mechanism.mechanism = CKM_SEED_CBC;
+ cbc_mechanism.pParameter = &ivBlock;
+ cbc_mechanism.ulParameterLen = blockSize;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_SEED */
+ case CKM_CAMELLIA_MAC_GENERAL:
+ mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+ /* fall through */
+ case CKM_CAMELLIA_MAC:
+ blockSize = 16;
+ PORT_Memset(ivBlock, 0, blockSize);
+ cbc_mechanism.mechanism = CKM_CAMELLIA_CBC;
+ cbc_mechanism.pParameter = &ivBlock;
+ cbc_mechanism.ulParameterLen = blockSize;
+ break;
+ case CKM_AES_MAC_GENERAL:
+ mac_bytes = *(CK_ULONG *)pMechanism->pParameter;
+ /* fall through */
+ case CKM_AES_MAC:
+ blockSize = 16;
+ PORT_Memset(ivBlock, 0, blockSize);
+ cbc_mechanism.mechanism = CKM_AES_CBC;
+ cbc_mechanism.pParameter = &ivBlock;
+ cbc_mechanism.ulParameterLen = blockSize;
+ break;
+ case CKM_AES_XCBC_MAC_96:
+ case CKM_AES_XCBC_MAC:
+ /* The only difference between CKM_AES_XCBC_MAC
+ * and CKM_AES_XCBC_MAC_96 is the size of the returned mac. */
+ mac_bytes = pMechanism->mechanism == CKM_AES_XCBC_MAC_96 ? 12 : 16;
+ blockSize = 16;
+ PORT_Memset(ivBlock, 0, blockSize);
+ cbc_mechanism.mechanism = CKM_AES_CBC;
+ cbc_mechanism.pParameter = &ivBlock;
+ cbc_mechanism.ulParameterLen = blockSize;
+ /* is XCBC requires extra processing at the end of the operation */
+ isXCBC = PR_TRUE;
+ /* The input key is used to generate k1, k2, and k3. k2 and k3
+ * are used at the end in the pad step. k1 replaces the input
+ * key in the aes cbc mac */
+ crv = sftk_aes_xcbc_new_keys(hSession, hKey, &hKey, k2, k3);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ break;
+ default:
+ return CKR_FUNCTION_NOT_SUPPORTED;
+ }
+
+ /* if MAC size is externally supplied, it should be checked.
+ */
+ if (mac_bytes == SFTK_INVALID_MAC_SIZE)
+ mac_bytes = blockSize >> 1;
+ else {
+ if (mac_bytes > blockSize) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ goto fail;
+ }
+ }
+
+ crv = sftk_CryptInit(hSession, &cbc_mechanism, hKey,
+ CKA_ENCRYPT, /* CBC mech is able to ENCRYPT, not SIGN/VERIFY */
+ keyUsage, contextType, PR_TRUE);
+ if (crv != CKR_OK)
+ goto fail;
+ crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL);
+
+ /* this shouldn't happen! */
+ PORT_Assert(crv == CKR_OK);
+ if (crv != CKR_OK)
+ goto fail;
+ context->blockSize = blockSize;
+ context->macSize = mac_bytes;
+ context->isXCBC = isXCBC;
+ if (isXCBC) {
+ /* save the xcbc specific parameters */
+ PORT_Memcpy(context->k2, k2, blockSize);
+ PORT_Memcpy(context->k3, k3, blockSize);
+ PORT_Memset(k2, 0, blockSize);
+ PORT_Memset(k3, 0, blockSize);
+ /* get rid of the temp key now that the context has been created */
+ NSC_DestroyObject(hSession, hKey);
+ }
+ return CKR_OK;
+fail:
+ if (isXCBC) {
+ PORT_Memset(k2, 0, blockSize);
+ PORT_Memset(k3, 0, blockSize);
+ NSC_DestroyObject(hSession, hKey); /* get rid of our temp key */
+ }
+ return crv;
+}
+
+/*
+ * encode RSA PKCS #1 Signature data before signing...
+ */
+static SECStatus
+sftk_RSAHashSign(SFTKHashSignInfo *info, unsigned char *sig,
+ unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen)
+{
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_HashSign(info->hashOid, info->key, sig, sigLen, maxLen,
+ hash, hashLen);
+}
+
+/* XXX Old template; want to expunge it eventually. */
+static DERTemplate SECAlgorithmIDTemplate[] = {
+ { DER_SEQUENCE,
+ 0, NULL, sizeof(SECAlgorithmID) },
+ { DER_OBJECT_ID,
+ offsetof(SECAlgorithmID, algorithm) },
+ { DER_OPTIONAL | DER_ANY,
+ offsetof(SECAlgorithmID, parameters) },
+ { 0 }
+};
+
+/*
+ * XXX OLD Template. Once all uses have been switched over to new one,
+ * remove this.
+ */
+static DERTemplate SGNDigestInfoTemplate[] = {
+ { DER_SEQUENCE,
+ 0, NULL, sizeof(SGNDigestInfo) },
+ { DER_INLINE,
+ offsetof(SGNDigestInfo, digestAlgorithm),
+ SECAlgorithmIDTemplate },
+ { DER_OCTET_STRING,
+ offsetof(SGNDigestInfo, digest) },
+ { 0 }
+};
+
+/*
+ * encode RSA PKCS #1 Signature data before signing...
+ */
+SECStatus
+RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
+ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen)
+{
+ SECStatus rv = SECFailure;
+ SECItem digder;
+ PLArenaPool *arena = NULL;
+ SGNDigestInfo *di = NULL;
+
+ digder.data = NULL;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ goto loser;
+ }
+
+ /* Construct digest info */
+ di = SGN_CreateDigestInfo(hashOid, hash, hashLen);
+ if (!di) {
+ goto loser;
+ }
+
+ /* Der encode the digest as a DigestInfo */
+ rv = DER_Encode(arena, &digder, SGNDigestInfoTemplate, di);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /*
+ ** Encrypt signature after constructing appropriate PKCS#1 signature
+ ** block
+ */
+ rv = RSA_Sign(&key->u.rsa, sig, sigLen, maxLen, digder.data,
+ digder.len);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+
+loser:
+ SGN_DestroyDigestInfo(di);
+ if (arena != NULL) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+ return rv;
+}
+
+static SECStatus
+sftk_RSASign(NSSLOWKEYPrivateKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxOutputLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_Sign(&key->u.rsa, output, outputLen, maxOutputLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return rv;
+}
+
+static SECStatus
+sftk_RSASignRaw(NSSLOWKEYPrivateKey *key, unsigned char *output,
+ unsigned int *outputLen, unsigned int maxOutputLen,
+ const unsigned char *input, unsigned int inputLen)
+{
+ SECStatus rv = SECFailure;
+
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ rv = RSA_SignRaw(&key->u.rsa, output, outputLen, maxOutputLen, input,
+ inputLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return rv;
+}
+
+static SECStatus
+sftk_RSASignPSS(SFTKPSSSignInfo *info, unsigned char *sig,
+ unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen)
+{
+ SECStatus rv = SECFailure;
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+ CK_RSA_PKCS_PSS_PARAMS *params = &info->params;
+
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ hashAlg = sftk_GetHashTypeFromMechanism(params->hashAlg);
+ maskHashAlg = sftk_GetHashTypeFromMechanism(params->mgf);
+
+ rv = RSA_SignPSS(&info->key->u.rsa, hashAlg, maskHashAlg, NULL,
+ params->sLen, sig, sigLen, maxLen, hash, hashLen);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return rv;
+}
+
+static SECStatus
+nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
+ void *dataBuf, unsigned int dataLen)
+{
+ SECItem signature, digest;
+ NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
+
+ signature.data = (unsigned char *)sigBuf;
+ signature.len = sigLen;
+ digest.data = (unsigned char *)dataBuf;
+ digest.len = dataLen;
+ return DSA_VerifyDigest(&(key->u.dsa), &signature, &digest);
+}
+
+static SECStatus
+nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
+ unsigned int *sigLen, unsigned int maxSigLen,
+ void *dataBuf, unsigned int dataLen)
+{
+ SECItem signature, digest;
+ SECStatus rv;
+ NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+
+ signature.data = (unsigned char *)sigBuf;
+ signature.len = maxSigLen;
+ digest.data = (unsigned char *)dataBuf;
+ digest.len = dataLen;
+ rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ *sigLen = signature.len;
+ return rv;
+}
+
+static SECStatus
+nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
+ void *dataBuf, unsigned int dataLen)
+{
+ SECItem signature, digest;
+ NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
+
+ signature.data = (unsigned char *)sigBuf;
+ signature.len = sigLen;
+ digest.data = (unsigned char *)dataBuf;
+ digest.len = dataLen;
+ return ECDSA_VerifyDigest(&(key->u.ec), &signature, &digest);
+}
+
+static SECStatus
+nsc_ECDSASignStub(void *ctx, void *sigBuf,
+ unsigned int *sigLen, unsigned int maxSigLen,
+ void *dataBuf, unsigned int dataLen)
+{
+ SECItem signature, digest;
+ SECStatus rv;
+ NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+
+ signature.data = (unsigned char *)sigBuf;
+ signature.len = maxSigLen;
+ digest.data = (unsigned char *)dataBuf;
+ digest.len = dataLen;
+ rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
+ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ *sigLen = signature.len;
+ return rv;
+}
+
+/* NSC_SignInit setups up the signing operations. There are three basic
+ * types of signing:
+ * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
+ * to data in a single Sign operation (which often looks a lot like an
+ * encrypt, with data coming in and data going out).
+ * (2) Hash based signing, where we continually hash the data, then apply
+ * some sort of signature to the end.
+ * (3) Block Encryption CBC MAC's, where the Data is encrypted with a key,
+ * and only the final block is part of the mac.
+ *
+ * For case number 3, we initialize a context much like the Encryption Context
+ * (in fact we share code). We detect case 3 in C_SignUpdate, C_Sign, and
+ * C_Final by the following method... if it's not multi-part, and it's doesn't
+ * have a hash context, it must be a block Encryption CBC MAC.
+ *
+ * For case number 2, we initialize a hash structure, as well as make it
+ * multi-part. Updates are simple calls to the hash update function. Final
+ * calls the hashend, then passes the result to the 'update' function (which
+ * operates as a final signature function). In some hash based MAC'ing (as
+ * opposed to hash base signatures), the update function is can be simply a
+ * copy (as is the case with HMAC).
+ */
+CK_RV
+NSC_SignInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTKSession *session;
+ SFTKObject *key;
+ SFTKSessionContext *context;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+ NSSLOWKEYPrivateKey *privKey;
+ SFTKHashSignInfo *info = NULL;
+ SFTKPSSSignInfo *pinfo = NULL;
+
+ CHECK_FORK();
+
+ /* Block Cipher MACing Algorithms use a different Context init method..*/
+ crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_SIGN, SFTK_SIGN);
+ if (crv != CKR_FUNCTION_NOT_SUPPORTED)
+ return crv;
+
+ /* we're not using a block cipher mac */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ crv = sftk_InitGeneric(session, pMechanism, &context, SFTK_SIGN, &key,
+ hKey, &key_type, CKO_PRIVATE_KEY, CKA_SIGN);
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ context->multi = PR_FALSE;
+
+#define INIT_RSA_SIGN_MECH(mmm) \
+ case CKM_##mmm##_RSA_PKCS: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ context->update = (SFTKCipher)sftk_RSAHashSign; \
+ info = PORT_New(SFTKHashSignInfo); \
+ if (info == NULL) { \
+ crv = CKR_HOST_MEMORY; \
+ break; \
+ } \
+ info->hashOid = SEC_OID_##mmm; \
+ goto finish_rsa;
+
+ switch (pMechanism->mechanism) {
+ INIT_RSA_SIGN_MECH(MD5)
+ INIT_RSA_SIGN_MECH(MD2)
+ INIT_RSA_SIGN_MECH(SHA1)
+ INIT_RSA_SIGN_MECH(SHA224)
+ INIT_RSA_SIGN_MECH(SHA256)
+ INIT_RSA_SIGN_MECH(SHA384)
+ INIT_RSA_SIGN_MECH(SHA512)
+
+ case CKM_RSA_PKCS:
+ context->update = (SFTKCipher)sftk_RSASign;
+ goto finish_rsa;
+ case CKM_RSA_X_509:
+ context->update = (SFTKCipher)sftk_RSASignRaw;
+ finish_rsa:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->rsa = PR_TRUE;
+ privKey = sftk_GetPrivKey(key, CKK_RSA, &crv);
+ if (privKey == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ /* OK, info is allocated only if we're doing hash and sign mechanism.
+ * It's necessary to be able to set the correct OID in the final
+ * signature.
+ */
+ if (info) {
+ info->key = privKey;
+ context->cipherInfo = info;
+ context->destroy = (SFTKDestroy)sftk_Space;
+ } else {
+ context->cipherInfo = privKey;
+ context->destroy = (SFTKDestroy)sftk_Null;
+ }
+ context->maxLen = nsslowkey_PrivateModulusLen(privKey);
+ break;
+
+#define INIT_RSA_PSS_SIG_MECH(mmm) \
+ case CKM_##mmm##_RSA_PKCS_PSS: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS)) { \
+ crv = CKR_MECHANISM_PARAM_INVALID; \
+ break; \
+ } \
+ if (((const CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter)->hashAlg != CKM_##mmm) { \
+ crv = CKR_MECHANISM_PARAM_INVALID; \
+ break; \
+ } \
+ goto finish_rsa_pss;
+ INIT_RSA_PSS_SIG_MECH(SHA1)
+ INIT_RSA_PSS_SIG_MECH(SHA224)
+ INIT_RSA_PSS_SIG_MECH(SHA256)
+ INIT_RSA_PSS_SIG_MECH(SHA384)
+ INIT_RSA_PSS_SIG_MECH(SHA512)
+ case CKM_RSA_PKCS_PSS:
+ finish_rsa_pss:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->rsa = PR_TRUE;
+ if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
+ !sftk_ValidatePssParams((const CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ pinfo = PORT_New(SFTKPSSSignInfo);
+ if (pinfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ pinfo->size = sizeof(SFTKPSSSignInfo);
+ pinfo->params = *(CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter;
+ pinfo->key = sftk_GetPrivKey(key, CKK_RSA, &crv);
+ if (pinfo->key == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->cipherInfo = pinfo;
+ context->destroy = (SFTKDestroy)sftk_ZSpace;
+ context->update = (SFTKCipher)sftk_RSASignPSS;
+ context->maxLen = nsslowkey_PrivateModulusLen(pinfo->key);
+ break;
+
+#define INIT_DSA_SIG_MECH(mmm) \
+ case CKM_DSA_##mmm: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ goto finish_dsa;
+ INIT_DSA_SIG_MECH(SHA1)
+ INIT_DSA_SIG_MECH(SHA224)
+ INIT_DSA_SIG_MECH(SHA256)
+ INIT_DSA_SIG_MECH(SHA384)
+ INIT_DSA_SIG_MECH(SHA512)
+ case CKM_DSA:
+ finish_dsa:
+ if (key_type != CKK_DSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ privKey = sftk_GetPrivKey(key, CKK_DSA, &crv);
+ if (privKey == NULL) {
+ break;
+ }
+ context->cipherInfo = privKey;
+ context->update = (SFTKCipher)nsc_DSA_Sign_Stub;
+ context->destroy = (privKey == key->objectInfo) ? (SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
+ context->maxLen = DSA_MAX_SIGNATURE_LEN;
+
+ break;
+
+#define INIT_ECDSA_SIG_MECH(mmm) \
+ case CKM_ECDSA_##mmm: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ goto finish_ecdsa;
+ INIT_ECDSA_SIG_MECH(SHA1)
+ INIT_ECDSA_SIG_MECH(SHA224)
+ INIT_ECDSA_SIG_MECH(SHA256)
+ INIT_ECDSA_SIG_MECH(SHA384)
+ INIT_ECDSA_SIG_MECH(SHA512)
+ case CKM_ECDSA:
+ finish_ecdsa:
+ if (key_type != CKK_EC) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ privKey = sftk_GetPrivKey(key, CKK_EC, &crv);
+ if (privKey == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->cipherInfo = privKey;
+ context->update = (SFTKCipher)nsc_ECDSASignStub;
+ context->destroy = (privKey == key->objectInfo) ? (SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
+ context->maxLen = MAX_ECKEY_LEN * 2;
+
+ break;
+
+#define INIT_HMAC_MECH(mmm) \
+ case CKM_##mmm##_HMAC_GENERAL: \
+ PORT_Assert(pMechanism->pParameter); \
+ if (!pMechanism->pParameter) { \
+ crv = CKR_MECHANISM_PARAM_INVALID; \
+ break; \
+ } \
+ crv = sftk_doMACInit(pMechanism->mechanism, context, key, \
+ *(CK_ULONG *)pMechanism->pParameter); \
+ break; \
+ case CKM_##mmm##_HMAC: \
+ crv = sftk_doMACInit(pMechanism->mechanism, context, key, \
+ mmm##_LENGTH); \
+ break;
+
+ INIT_HMAC_MECH(MD2)
+ INIT_HMAC_MECH(MD5)
+ INIT_HMAC_MECH(SHA1)
+ INIT_HMAC_MECH(SHA224)
+ INIT_HMAC_MECH(SHA256)
+ INIT_HMAC_MECH(SHA384)
+ INIT_HMAC_MECH(SHA512)
+
+ case CKM_AES_CMAC_GENERAL:
+ PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter || pMechanism->ulParameterLen != sizeof(CK_MAC_GENERAL_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doMACInit(pMechanism->mechanism, context, key, *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_AES_CMAC:
+ crv = sftk_doMACInit(pMechanism->mechanism, context, key, AES_BLOCK_SIZE);
+ break;
+ case CKM_SSL3_MD5_MAC:
+ PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doSSLMACInit(context, SEC_OID_MD5, key,
+ *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_SSL3_SHA1_MAC:
+ PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doSSLMACInit(context, SEC_OID_SHA1, key,
+ *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_TLS_PRF_GENERAL:
+ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0);
+ break;
+ case CKM_TLS_MAC: {
+ CK_TLS_MAC_PARAMS *tls12_mac_params;
+ HASH_HashType tlsPrfHash;
+ const char *label;
+
+ if (pMechanism->ulParameterLen != sizeof(CK_TLS_MAC_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ tls12_mac_params = (CK_TLS_MAC_PARAMS *)pMechanism->pParameter;
+ if (tls12_mac_params->prfHashMechanism == CKM_TLS_PRF) {
+ /* The TLS 1.0 and 1.1 PRF */
+ tlsPrfHash = HASH_AlgNULL;
+ if (tls12_mac_params->ulMacLength != 12) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ } else {
+ /* The hash function for the TLS 1.2 PRF */
+ tlsPrfHash =
+ sftk_GetHashTypeFromMechanism(tls12_mac_params->prfHashMechanism);
+ if (tlsPrfHash == HASH_AlgNULL ||
+ tls12_mac_params->ulMacLength < 12) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ }
+ if (tls12_mac_params->ulServerOrClient == 1) {
+ label = "server finished";
+ } else if (tls12_mac_params->ulServerOrClient == 2) {
+ label = "client finished";
+ } else {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_TLSPRFInit(context, key, key_type, tlsPrfHash,
+ tls12_mac_params->ulMacLength);
+ if (crv == CKR_OK) {
+ context->hashUpdate(context->hashInfo, label, 15);
+ }
+ break;
+ }
+ case CKM_NSS_TLS_PRF_GENERAL_SHA256:
+ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256, 0);
+ break;
+
+ case CKM_NSS_HMAC_CONSTANT_TIME: {
+ sftk_MACConstantTimeCtx *ctx =
+ sftk_HMACConstantTime_New(pMechanism, key);
+ CK_ULONG *intpointer;
+
+ if (ctx == NULL) {
+ crv = CKR_ARGUMENTS_BAD;
+ break;
+ }
+ intpointer = PORT_New(CK_ULONG);
+ if (intpointer == NULL) {
+ PORT_Free(ctx);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ *intpointer = ctx->hash->length;
+
+ context->cipherInfo = intpointer;
+ context->hashInfo = ctx;
+ context->currentMech = pMechanism->mechanism;
+ context->hashUpdate = sftk_HMACConstantTime_Update;
+ context->hashdestroy = sftk_MACConstantTime_DestroyContext;
+ context->end = sftk_MACConstantTime_EndHash;
+ context->update = (SFTKCipher)sftk_SignCopy;
+ context->destroy = sftk_Space;
+ context->maxLen = 64;
+ context->multi = PR_TRUE;
+ break;
+ }
+
+ case CKM_NSS_SSL3_MAC_CONSTANT_TIME: {
+ sftk_MACConstantTimeCtx *ctx =
+ sftk_SSLv3MACConstantTime_New(pMechanism, key);
+ CK_ULONG *intpointer;
+
+ if (ctx == NULL) {
+ crv = CKR_ARGUMENTS_BAD;
+ break;
+ }
+ intpointer = PORT_New(CK_ULONG);
+ if (intpointer == NULL) {
+ PORT_Free(ctx);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ *intpointer = ctx->hash->length;
+
+ context->cipherInfo = intpointer;
+ context->hashInfo = ctx;
+ context->currentMech = pMechanism->mechanism;
+ context->hashUpdate = sftk_SSLv3MACConstantTime_Update;
+ context->hashdestroy = sftk_MACConstantTime_DestroyContext;
+ context->end = sftk_MACConstantTime_EndHash;
+ context->update = (SFTKCipher)sftk_SignCopy;
+ context->destroy = sftk_Space;
+ context->maxLen = 64;
+ context->multi = PR_TRUE;
+ break;
+ }
+
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ if (info)
+ PORT_Free(info);
+ if (pinfo)
+ PORT_ZFree(pinfo, pinfo->size);
+ sftk_FreeContext(context);
+ sftk_FreeSession(session);
+ return crv;
+ }
+ sftk_SetContextByType(session, SFTK_SIGN, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/** MAC one block of data by block cipher
+ */
+static CK_RV
+sftk_MACBlock(SFTKSessionContext *ctx, void *blk)
+{
+ unsigned int outlen;
+ return (SECSuccess == (ctx->update)(ctx->cipherInfo, ctx->macBuf, &outlen,
+ SFTK_MAX_BLOCK_SIZE, blk, ctx->blockSize))
+ ? CKR_OK
+ : sftk_MapCryptError(PORT_GetError());
+}
+
+/** MAC last (incomplete) block of data by block cipher
+ *
+ * Call once, then terminate MACing operation.
+ */
+static CK_RV
+sftk_MACFinal(SFTKSessionContext *ctx)
+{
+ unsigned int padLen = ctx->padDataLength;
+ /* pad and proceed the residual */
+ if (ctx->isXCBC) {
+ CK_RV crv = sftk_xcbc_mac_pad(ctx->padBuf, padLen, ctx->blockSize,
+ ctx->k2, ctx->k3);
+ if (crv != CKR_OK)
+ return crv;
+ return sftk_MACBlock(ctx, ctx->padBuf);
+ }
+ if (padLen) {
+ /* shd clr ctx->padLen to make sftk_MACFinal idempotent */
+ PORT_Memset(ctx->padBuf + padLen, 0, ctx->blockSize - padLen);
+ return sftk_MACBlock(ctx, ctx->padBuf);
+ } else
+ return CKR_OK;
+}
+
+/** The common implementation for {Sign,Verify}Update. (S/V only vary in their
+ * setup and final operations).
+ *
+ * A call which results in an error terminates the operation [PKCS#11,v2.11]
+ */
+static CK_RV
+sftk_MACUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen, SFTKContextType type)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV crv;
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (context->hashInfo) {
+ (*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
+ } else {
+ /* must be block cipher MACing */
+
+ unsigned int blkSize = context->blockSize;
+ unsigned char *residual = /* free room in context->padBuf */
+ context->padBuf + context->padDataLength;
+ unsigned int minInput = /* min input for MACing at least one block */
+ blkSize - context->padDataLength;
+
+ /* not enough data even for one block */
+ if (ulPartLen <= minInput) {
+ PORT_Memcpy(residual, pPart, ulPartLen);
+ context->padDataLength += ulPartLen;
+ goto cleanup;
+ }
+ /* MACing residual */
+ if (context->padDataLength) {
+ PORT_Memcpy(residual, pPart, minInput);
+ ulPartLen -= minInput;
+ pPart += minInput;
+ if (CKR_OK != (crv = sftk_MACBlock(context, context->padBuf)))
+ goto terminate;
+ }
+ /* MACing full blocks */
+ while (ulPartLen > blkSize) {
+ if (CKR_OK != (crv = sftk_MACBlock(context, pPart)))
+ goto terminate;
+ ulPartLen -= blkSize;
+ pPart += blkSize;
+ }
+ /* save the residual */
+ if ((context->padDataLength = ulPartLen))
+ PORT_Memcpy(context->padBuf, pPart, ulPartLen);
+ } /* blk cipher MACing */
+
+ goto cleanup;
+
+terminate:
+ sftk_TerminateOp(session, type, context);
+cleanup:
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/* NSC_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature
+ *
+ * A call which results in an error terminates the operation [PKCS#11,v2.11]
+ */
+CK_RV
+NSC_SignUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ CHECK_FORK();
+ return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_SIGN);
+}
+
+struct SFTK_SESSION_FLAGS {
+ CK_FLAGS flag;
+ SFTKContextType type;
+};
+
+const static struct SFTK_SESSION_FLAGS sftk_session_flags[] = {
+ { CKF_ENCRYPT, SFTK_ENCRYPT },
+ { CKF_DECRYPT, SFTK_DECRYPT },
+ { CKF_DIGEST, SFTK_HASH },
+ { CKF_SIGN, SFTK_SIGN },
+ { CKF_SIGN_RECOVER, SFTK_SIGN_RECOVER },
+ { CKF_VERIFY, SFTK_VERIFY },
+ { CKF_VERIFY_RECOVER, SFTK_VERIFY_RECOVER },
+ { CKF_MESSAGE_ENCRYPT, SFTK_MESSAGE_ENCRYPT },
+ { CKF_MESSAGE_DECRYPT, SFTK_MESSAGE_DECRYPT },
+ { CKF_MESSAGE_SIGN, SFTK_MESSAGE_SIGN },
+ { CKF_MESSAGE_VERIFY, SFTK_MESSAGE_VERIFY },
+};
+const static int sftk_flag_count = PR_ARRAY_SIZE(sftk_session_flags);
+
+/*
+ * Cancel one or more operations running on the existing session.
+ */
+CK_RV
+NSC_SessionCancel(CK_SESSION_HANDLE hSession, CK_FLAGS flags)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV gcrv = CKR_OK;
+ CK_RV crv;
+ int i;
+
+ for (i = 0; i < sftk_flag_count; i++) {
+ if (flags & sftk_session_flags[i].flag) {
+ flags &= ~sftk_session_flags[i].flag;
+ crv = sftk_GetContext(hSession, &context, sftk_session_flags[i].type, PR_TRUE, &session);
+ if (crv != CKR_OK) {
+ gcrv = CKR_OPERATION_CANCEL_FAILED;
+ continue;
+ }
+ sftk_TerminateOp(session, sftk_session_flags[i].type, context);
+ }
+ }
+ if (flags & CKF_FIND_OBJECTS) {
+ flags &= ~CKF_FIND_OBJECTS;
+ crv = NSC_FindObjectsFinal(hSession);
+ if (crv != CKR_OK) {
+ gcrv = CKR_OPERATION_CANCEL_FAILED;
+ }
+ }
+ if (flags) {
+ gcrv = CKR_OPERATION_CANCEL_FAILED;
+ }
+ return gcrv;
+}
+
+/* NSC_SignFinal finishes a multiple-part signature operation,
+ * returning the signature. */
+CK_RV
+NSC_SignFinal(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int outlen;
+ unsigned int maxoutlen = *pulSignatureLen;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_SIGN, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (context->hashInfo) {
+ unsigned int digestLen;
+ unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
+
+ if (!pSignature) {
+ outlen = context->maxLen;
+ goto finish;
+ }
+ (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
+ if (SECSuccess != (context->update)(context->cipherInfo, pSignature,
+ &outlen, maxoutlen, tmpbuf, digestLen))
+ crv = sftk_MapCryptError(PORT_GetError());
+ /* CKR_BUFFER_TOO_SMALL here isn't continuable, let operation terminate.
+ * Keeping "too small" CK_RV intact is a standard violation, but allows
+ * application read EXACT signature length */
+ PORT_Memset(tmpbuf, 0, sizeof tmpbuf);
+ } else {
+ /* must be block cipher MACing */
+ outlen = context->macSize;
+ /* null or "too small" buf doesn't terminate operation [PKCS#11,v2.11]*/
+ if (!pSignature || maxoutlen < outlen) {
+ if (pSignature)
+ crv = CKR_BUFFER_TOO_SMALL;
+ goto finish;
+ }
+ if (CKR_OK == (crv = sftk_MACFinal(context)))
+ PORT_Memcpy(pSignature, context->macBuf, outlen);
+ }
+
+ sftk_TerminateOp(session, SFTK_SIGN, context);
+finish:
+ *pulSignatureLen = outlen;
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/* NSC_Sign signs (encrypts with private key) data in a single part,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature */
+CK_RV
+NSC_Sign(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pData, CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_SIGN, PR_FALSE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (!pSignature) {
+ /* see also how C_SignUpdate implements this */
+ *pulSignatureLen = (!context->multi || context->hashInfo)
+ ? context->maxLen
+ : context->macSize; /* must be block cipher MACing */
+ goto finish;
+ }
+
+ /* multi part Signing are completely implemented by SignUpdate and
+ * sign Final */
+ if (context->multi) {
+ /* SignFinal can't follow failed SignUpdate */
+ if (CKR_OK == (crv = NSC_SignUpdate(hSession, pData, ulDataLen)))
+ crv = NSC_SignFinal(hSession, pSignature, pulSignatureLen);
+ } else {
+ /* single-part PKC signature (e.g. CKM_ECDSA) */
+ unsigned int outlen;
+ unsigned int maxoutlen = *pulSignatureLen;
+ if (SECSuccess != (*context->update)(context->cipherInfo, pSignature,
+ &outlen, maxoutlen, pData, ulDataLen))
+ crv = sftk_MapCryptError(PORT_GetError());
+ *pulSignatureLen = (CK_ULONG)outlen;
+ /* "too small" here is certainly continuable */
+ if (crv != CKR_BUFFER_TOO_SMALL)
+ sftk_TerminateOp(session, SFTK_SIGN, context);
+ } /* single-part */
+
+finish:
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/*
+ ************** Crypto Functions: Sign Recover ************************
+ */
+/* NSC_SignRecoverInit initializes a signature operation,
+ * where the (digest) data can be recovered from the signature.
+ * E.g. encryption with the user's private key */
+CK_RV
+NSC_SignRecoverInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ CHECK_FORK();
+
+ switch (pMechanism->mechanism) {
+ case CKM_RSA_PKCS:
+ case CKM_RSA_X_509:
+ return NSC_SignInit(hSession, pMechanism, hKey);
+ default:
+ break;
+ }
+ return CKR_MECHANISM_INVALID;
+}
+
+/* NSC_SignRecover signs data in a single operation
+ * where the (digest) data can be recovered from the signature.
+ * E.g. encryption with the user's private key */
+CK_RV
+NSC_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
+{
+ CHECK_FORK();
+
+ return NSC_Sign(hSession, pData, ulDataLen, pSignature, pulSignatureLen);
+}
+
+/*
+ ************** Crypto Functions: verify ************************
+ */
+
+/* Handle RSA Signature formatting */
+static SECStatus
+sftk_hashCheckSign(SFTKHashVerifyInfo *info, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_HashCheckSign(info->hashOid, info->key, sig, sigLen, digest,
+ digestLen);
+}
+
+SECStatus
+RSA_HashCheckSign(SECOidTag digestOid, NSSLOWKEYPublicKey *key,
+ const unsigned char *sig, unsigned int sigLen,
+ const unsigned char *digestData, unsigned int digestLen)
+{
+ unsigned char *pkcs1DigestInfoData;
+ SECItem pkcs1DigestInfo;
+ SECItem digest;
+ unsigned int bufferSize;
+ SECStatus rv;
+
+ /* pkcs1DigestInfo.data must be less than key->u.rsa.modulus.len */
+ bufferSize = key->u.rsa.modulus.len;
+ pkcs1DigestInfoData = PORT_ZAlloc(bufferSize);
+ if (!pkcs1DigestInfoData) {
+ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+
+ pkcs1DigestInfo.data = pkcs1DigestInfoData;
+ pkcs1DigestInfo.len = bufferSize;
+
+ /* decrypt the block */
+ rv = RSA_CheckSignRecover(&key->u.rsa, pkcs1DigestInfo.data,
+ &pkcs1DigestInfo.len, pkcs1DigestInfo.len,
+ sig, sigLen);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ } else {
+ digest.data = (PRUint8 *)digestData;
+ digest.len = digestLen;
+ rv = _SGN_VerifyPKCS1DigestInfo(
+ digestOid, &digest, &pkcs1DigestInfo,
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
+ PORT_ZFree(pkcs1DigestInfoData, bufferSize);
+ return rv;
+}
+
+static SECStatus
+sftk_RSACheckSign(NSSLOWKEYPublicKey *key, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSign(&key->u.rsa, sig, sigLen, digest, digestLen);
+}
+
+static SECStatus
+sftk_RSACheckSignRaw(NSSLOWKEYPublicKey *key, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSignRaw(&key->u.rsa, sig, sigLen, digest, digestLen);
+}
+
+static SECStatus
+sftk_RSACheckSignPSS(SFTKPSSVerifyInfo *info, const unsigned char *sig,
+ unsigned int sigLen, const unsigned char *digest,
+ unsigned int digestLen)
+{
+ HASH_HashType hashAlg;
+ HASH_HashType maskHashAlg;
+ CK_RSA_PKCS_PSS_PARAMS *params = &info->params;
+
+ PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
+ if (info->key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ hashAlg = sftk_GetHashTypeFromMechanism(params->hashAlg);
+ maskHashAlg = sftk_GetHashTypeFromMechanism(params->mgf);
+
+ return RSA_CheckSignPSS(&info->key->u.rsa, hashAlg, maskHashAlg,
+ params->sLen, sig, sigLen, digest, digestLen);
+}
+
+/* NSC_VerifyInit initializes a verification operation,
+ * where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature (e.g. DSA) */
+CK_RV
+NSC_VerifyInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTKSession *session;
+ SFTKObject *key;
+ SFTKSessionContext *context;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+ NSSLOWKEYPublicKey *pubKey;
+ SFTKHashVerifyInfo *info = NULL;
+ SFTKPSSVerifyInfo *pinfo = NULL;
+
+ CHECK_FORK();
+
+ /* Block Cipher MACing Algorithms use a different Context init method..*/
+ crv = sftk_InitCBCMac(hSession, pMechanism, hKey, CKA_VERIFY, SFTK_VERIFY);
+ if (crv != CKR_FUNCTION_NOT_SUPPORTED)
+ return crv;
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ crv = sftk_InitGeneric(session, pMechanism, &context, SFTK_VERIFY, &key,
+ hKey, &key_type, CKO_PUBLIC_KEY, CKA_VERIFY);
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ context->multi = PR_FALSE;
+
+#define INIT_RSA_VFY_MECH(mmm) \
+ case CKM_##mmm##_RSA_PKCS: \
+ context->multi = PR_TRUE; \
+ crv = sftk_doSub##mmm(context); \
+ if (crv != CKR_OK) \
+ break; \
+ context->verify = (SFTKVerify)sftk_hashCheckSign; \
+ info = PORT_New(SFTKHashVerifyInfo); \
+ if (info == NULL) { \
+ crv = CKR_HOST_MEMORY; \
+ break; \
+ } \
+ info->hashOid = SEC_OID_##mmm; \
+ goto finish_rsa;
+
+ switch (pMechanism->mechanism) {
+ INIT_RSA_VFY_MECH(MD5)
+ INIT_RSA_VFY_MECH(MD2)
+ INIT_RSA_VFY_MECH(SHA1)
+ INIT_RSA_VFY_MECH(SHA224)
+ INIT_RSA_VFY_MECH(SHA256)
+ INIT_RSA_VFY_MECH(SHA384)
+ INIT_RSA_VFY_MECH(SHA512)
+
+ case CKM_RSA_PKCS:
+ context->verify = (SFTKVerify)sftk_RSACheckSign;
+ goto finish_rsa;
+ case CKM_RSA_X_509:
+ context->verify = (SFTKVerify)sftk_RSACheckSignRaw;
+ finish_rsa:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->rsa = PR_TRUE;
+ pubKey = sftk_GetPubKey(key, CKK_RSA, &crv);
+ if (pubKey == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ if (info) {
+ info->key = pubKey;
+ context->cipherInfo = info;
+ context->destroy = sftk_Space;
+ } else {
+ context->cipherInfo = pubKey;
+ context->destroy = sftk_Null;
+ }
+ break;
+
+ INIT_RSA_PSS_SIG_MECH(SHA1)
+ INIT_RSA_PSS_SIG_MECH(SHA224)
+ INIT_RSA_PSS_SIG_MECH(SHA256)
+ INIT_RSA_PSS_SIG_MECH(SHA384)
+ INIT_RSA_PSS_SIG_MECH(SHA512)
+ case CKM_RSA_PKCS_PSS:
+ finish_rsa_pss:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->rsa = PR_TRUE;
+ if (pMechanism->ulParameterLen != sizeof(CK_RSA_PKCS_PSS_PARAMS) ||
+ !sftk_ValidatePssParams((const CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ pinfo = PORT_New(SFTKPSSVerifyInfo);
+ if (pinfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ pinfo->size = sizeof(SFTKPSSVerifyInfo);
+ pinfo->params = *(CK_RSA_PKCS_PSS_PARAMS *)pMechanism->pParameter;
+ pinfo->key = sftk_GetPubKey(key, CKK_RSA, &crv);
+ if (pinfo->key == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->cipherInfo = pinfo;
+ context->destroy = (SFTKDestroy)sftk_ZSpace;
+ context->verify = (SFTKVerify)sftk_RSACheckSignPSS;
+ break;
+
+ INIT_DSA_SIG_MECH(SHA1)
+ INIT_DSA_SIG_MECH(SHA224)
+ INIT_DSA_SIG_MECH(SHA256)
+ INIT_DSA_SIG_MECH(SHA384)
+ INIT_DSA_SIG_MECH(SHA512)
+ case CKM_DSA:
+ finish_dsa:
+ if (key_type != CKK_DSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ pubKey = sftk_GetPubKey(key, CKK_DSA, &crv);
+ if (pubKey == NULL) {
+ break;
+ }
+ context->cipherInfo = pubKey;
+ context->verify = (SFTKVerify)nsc_DSA_Verify_Stub;
+ context->destroy = sftk_Null;
+ break;
+
+ INIT_ECDSA_SIG_MECH(SHA1)
+ INIT_ECDSA_SIG_MECH(SHA224)
+ INIT_ECDSA_SIG_MECH(SHA256)
+ INIT_ECDSA_SIG_MECH(SHA384)
+ INIT_ECDSA_SIG_MECH(SHA512)
+ case CKM_ECDSA:
+ finish_ecdsa:
+ if (key_type != CKK_EC) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ pubKey = sftk_GetPubKey(key, CKK_EC, &crv);
+ if (pubKey == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ context->cipherInfo = pubKey;
+ context->verify = (SFTKVerify)nsc_ECDSAVerifyStub;
+ context->destroy = sftk_Null;
+ break;
+
+ INIT_HMAC_MECH(MD2)
+ INIT_HMAC_MECH(MD5)
+ INIT_HMAC_MECH(SHA1)
+ INIT_HMAC_MECH(SHA224)
+ INIT_HMAC_MECH(SHA256)
+ INIT_HMAC_MECH(SHA384)
+ INIT_HMAC_MECH(SHA512)
+
+ case CKM_SSL3_MD5_MAC:
+ PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doSSLMACInit(context, SEC_OID_MD5, key,
+ *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_SSL3_SHA1_MAC:
+ PORT_Assert(pMechanism->pParameter);
+ if (!pMechanism->pParameter) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_doSSLMACInit(context, SEC_OID_SHA1, key,
+ *(CK_ULONG *)pMechanism->pParameter);
+ break;
+ case CKM_TLS_PRF_GENERAL:
+ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0);
+ break;
+ case CKM_NSS_TLS_PRF_GENERAL_SHA256:
+ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256, 0);
+ break;
+
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ if (info)
+ PORT_Free(info);
+ if (pinfo)
+ PORT_ZFree(pinfo, pinfo->size);
+ sftk_FreeContext(context);
+ sftk_FreeSession(session);
+ return crv;
+ }
+ sftk_SetContextByType(session, SFTK_VERIFY, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_Verify verifies a signature in a single-part operation,
+ * where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature */
+CK_RV
+NSC_Verify(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_VERIFY, PR_FALSE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ /* multi part Verifying are completely implemented by VerifyUpdate and
+ * VerifyFinal */
+ if (context->multi) {
+ /* VerifyFinal can't follow failed VerifyUpdate */
+ if (CKR_OK == (crv = NSC_VerifyUpdate(hSession, pData, ulDataLen)))
+ crv = NSC_VerifyFinal(hSession, pSignature, ulSignatureLen);
+ } else {
+ if (SECSuccess != (*context->verify)(context->cipherInfo, pSignature,
+ ulSignatureLen, pData, ulDataLen))
+ crv = sftk_MapCryptError(PORT_GetError());
+
+ sftk_TerminateOp(session, SFTK_VERIFY, context);
+ }
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/* NSC_VerifyUpdate continues a multiple-part verification operation,
+ * where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature
+ *
+ * A call which results in an error terminates the operation [PKCS#11,v2.11]
+ */
+CK_RV
+NSC_VerifyUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen)
+{
+ CHECK_FORK();
+ return sftk_MACUpdate(hSession, pPart, ulPartLen, SFTK_VERIFY);
+}
+
+/* NSC_VerifyFinal finishes a multiple-part verification operation,
+ * checking the signature. */
+CK_RV
+NSC_VerifyFinal(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ if (!pSignature)
+ return CKR_ARGUMENTS_BAD;
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_VERIFY, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (context->hashInfo) {
+ unsigned int digestLen;
+ unsigned char tmpbuf[SFTK_MAX_MAC_LENGTH];
+
+ (*context->end)(context->hashInfo, tmpbuf, &digestLen, sizeof(tmpbuf));
+ if (SECSuccess != (context->verify)(context->cipherInfo, pSignature,
+ ulSignatureLen, tmpbuf, digestLen))
+ crv = sftk_MapCryptError(PORT_GetError());
+ PORT_Memset(tmpbuf, 0, sizeof tmpbuf);
+ } else if (ulSignatureLen != context->macSize) {
+ /* must be block cipher MACing */
+ crv = CKR_SIGNATURE_LEN_RANGE;
+ } else if (CKR_OK == (crv = sftk_MACFinal(context))) {
+ if (NSS_SecureMemcmp(pSignature, context->macBuf, ulSignatureLen))
+ crv = CKR_SIGNATURE_INVALID;
+ }
+
+ sftk_TerminateOp(session, SFTK_VERIFY, context);
+ sftk_FreeSession(session);
+ return crv;
+}
+
+/*
+ ************** Crypto Functions: Verify Recover ************************
+ */
+static SECStatus
+sftk_RSACheckSignRecover(NSSLOWKEYPublicKey *key, unsigned char *data,
+ unsigned int *dataLen, unsigned int maxDataLen,
+ const unsigned char *sig, unsigned int sigLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSignRecover(&key->u.rsa, data, dataLen, maxDataLen,
+ sig, sigLen);
+}
+
+static SECStatus
+sftk_RSACheckSignRecoverRaw(NSSLOWKEYPublicKey *key, unsigned char *data,
+ unsigned int *dataLen, unsigned int maxDataLen,
+ const unsigned char *sig, unsigned int sigLen)
+{
+ PORT_Assert(key->keyType == NSSLOWKEYRSAKey);
+ if (key->keyType != NSSLOWKEYRSAKey) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+
+ return RSA_CheckSignRecoverRaw(&key->u.rsa, data, dataLen, maxDataLen,
+ sig, sigLen);
+}
+
+/* NSC_VerifyRecoverInit initializes a signature verification operation,
+ * where the data is recovered from the signature.
+ * E.g. Decryption with the user's public key */
+CK_RV
+NSC_VerifyRecoverInit(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
+{
+ SFTKSession *session;
+ SFTKObject *key;
+ SFTKSessionContext *context;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+ NSSLOWKEYPublicKey *pubKey;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ crv = sftk_InitGeneric(session, pMechanism, &context, SFTK_VERIFY_RECOVER,
+ &key, hKey, &key_type, CKO_PUBLIC_KEY, CKA_VERIFY_RECOVER);
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ context->multi = PR_TRUE;
+
+ switch (pMechanism->mechanism) {
+ case CKM_RSA_PKCS:
+ case CKM_RSA_X_509:
+ if (key_type != CKK_RSA) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ context->multi = PR_FALSE;
+ context->rsa = PR_TRUE;
+ pubKey = sftk_GetPubKey(key, CKK_RSA, &crv);
+ if (pubKey == NULL) {
+ break;
+ }
+ context->cipherInfo = pubKey;
+ context->update = (SFTKCipher)(pMechanism->mechanism == CKM_RSA_X_509
+ ? sftk_RSACheckSignRecoverRaw
+ : sftk_RSACheckSignRecover);
+ context->destroy = sftk_Null;
+ break;
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ PORT_Free(context);
+ sftk_FreeSession(session);
+ return crv;
+ }
+ sftk_SetContextByType(session, SFTK_VERIFY_RECOVER, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* NSC_VerifyRecover verifies a signature in a single-part operation,
+ * where the data is recovered from the signature.
+ * E.g. Decryption with the user's public key */
+CK_RV
+NSC_VerifyRecover(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen,
+ CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ unsigned int outlen;
+ unsigned int maxoutlen = *pulDataLen;
+ CK_RV crv;
+ SECStatus rv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_VERIFY_RECOVER,
+ PR_FALSE, &session);
+ if (crv != CKR_OK)
+ return crv;
+ if (pData == NULL) {
+ /* to return the actual size, we need to do the decrypt, just return
+ * the max size, which is the size of the input signature. */
+ *pulDataLen = ulSignatureLen;
+ rv = SECSuccess;
+ goto finish;
+ }
+
+ rv = (*context->update)(context->cipherInfo, pData, &outlen, maxoutlen,
+ pSignature, ulSignatureLen);
+ *pulDataLen = (CK_ULONG)outlen;
+
+ sftk_TerminateOp(session, SFTK_VERIFY_RECOVER, context);
+finish:
+ sftk_FreeSession(session);
+ return (rv == SECSuccess) ? CKR_OK : sftk_MapVerifyError(PORT_GetError());
+}
+
+/*
+ **************************** Random Functions: ************************
+ */
+
+/* NSC_SeedRandom mixes additional seed material into the token's random number
+ * generator. */
+CK_RV
+NSC_SeedRandom(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed,
+ CK_ULONG ulSeedLen)
+{
+ SECStatus rv;
+
+ CHECK_FORK();
+
+ rv = RNG_RandomUpdate(pSeed, ulSeedLen);
+ return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError());
+}
+
+/* NSC_GenerateRandom generates random data. */
+CK_RV
+NSC_GenerateRandom(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen)
+{
+ SECStatus rv;
+
+ CHECK_FORK();
+
+ rv = RNG_GenerateGlobalRandomBytes(pRandomData, ulRandomLen);
+ /*
+ * This may fail with SEC_ERROR_NEED_RANDOM, which means the RNG isn't
+ * seeded with enough entropy.
+ */
+ return (rv == SECSuccess) ? CKR_OK : sftk_MapCryptError(PORT_GetError());
+}
+
+/*
+ **************************** Key Functions: ************************
+ */
+
+/*
+ * generate a password based encryption key. This code uses
+ * PKCS5 to do the work.
+ */
+static CK_RV
+nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
+ void *buf, CK_ULONG *key_length, PRBool faulty3DES)
+{
+ SECItem *pbe_key = NULL, iv, pwitem;
+ CK_PBE_PARAMS *pbe_params = NULL;
+ CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
+
+ *key_length = 0;
+ iv.data = NULL;
+ iv.len = 0;
+
+ if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
+ pwitem.data = (unsigned char *)pbkd2_params->pPassword;
+ /* was this a typo in the PKCS #11 spec? */
+ pwitem.len = *pbkd2_params->ulPasswordLen;
+ } else {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PBE_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+ pwitem.data = (unsigned char *)pbe_params->pPassword;
+ pwitem.len = pbe_params->ulPasswordLen;
+ }
+ pbe_key = nsspkcs5_ComputeKeyAndIV(pkcs5_pbe, &pwitem, &iv, faulty3DES);
+ if (pbe_key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ PORT_Memcpy(buf, pbe_key->data, pbe_key->len);
+ *key_length = pbe_key->len;
+ SECITEM_ZfreeItem(pbe_key, PR_TRUE);
+ pbe_key = NULL;
+
+ if (iv.data) {
+ if (pbe_params && pbe_params->pInitVector != NULL) {
+ PORT_Memcpy(pbe_params->pInitVector, iv.data, iv.len);
+ }
+ PORT_Free(iv.data);
+ }
+
+ return CKR_OK;
+}
+
+/*
+ * this is coded for "full" support. These selections will be limitted to
+ * the official subset by freebl.
+ */
+static unsigned int
+sftk_GetSubPrimeFromPrime(unsigned int primeBits)
+{
+ if (primeBits <= 1024) {
+ return 160;
+ } else if (primeBits <= 2048) {
+ return 224;
+ } else if (primeBits <= 3072) {
+ return 256;
+ } else if (primeBits <= 7680) {
+ return 384;
+ } else {
+ return 512;
+ }
+}
+
+static CK_RV
+nsc_parameter_gen(CK_KEY_TYPE key_type, SFTKObject *key)
+{
+ SFTKAttribute *attribute;
+ CK_ULONG counter;
+ unsigned int seedBits = 0;
+ unsigned int subprimeBits = 0;
+ unsigned int primeBits;
+ unsigned int j = 8; /* default to 1024 bits */
+ CK_RV crv = CKR_OK;
+ PQGParams *params = NULL;
+ PQGVerify *vfy = NULL;
+ SECStatus rv;
+
+ attribute = sftk_FindAttribute(key, CKA_PRIME_BITS);
+ if (attribute == NULL) {
+ attribute = sftk_FindAttribute(key, CKA_PRIME);
+ if (attribute == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ } else {
+ primeBits = attribute->attrib.ulValueLen;
+ sftk_FreeAttribute(attribute);
+ }
+ } else {
+ primeBits = (unsigned int)*(CK_ULONG *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+ }
+ if (primeBits < 1024) {
+ j = PQG_PBITS_TO_INDEX(primeBits);
+ if (j == (unsigned int)-1) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ }
+
+ attribute = sftk_FindAttribute(key, CKA_NSS_PQG_SEED_BITS);
+ if (attribute != NULL) {
+ seedBits = (unsigned int)*(CK_ULONG *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+ }
+
+ attribute = sftk_FindAttribute(key, CKA_SUBPRIME_BITS);
+ if (attribute != NULL) {
+ subprimeBits = (unsigned int)*(CK_ULONG *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+ }
+
+ /* if P and Q are supplied, we want to generate a new G */
+ attribute = sftk_FindAttribute(key, CKA_PRIME);
+ if (attribute != NULL) {
+ PLArenaPool *arena;
+
+ sftk_FreeAttribute(attribute);
+ arena = PORT_NewArena(1024);
+ if (arena == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ params = PORT_ArenaAlloc(arena, sizeof(*params));
+ if (params == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ params->arena = arena;
+ crv = sftk_Attribute2SSecItem(arena, &params->prime, key, CKA_PRIME);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_Attribute2SSecItem(arena, &params->subPrime,
+ key, CKA_SUBPRIME);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ arena = PORT_NewArena(1024);
+ if (arena == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ vfy = PORT_ArenaAlloc(arena, sizeof(*vfy));
+ if (vfy == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ vfy->arena = arena;
+ crv = sftk_Attribute2SSecItem(arena, &vfy->seed, key, CKA_NSS_PQG_SEED);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_Attribute2SSecItem(arena, &vfy->h, key, CKA_NSS_PQG_H);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ sftk_DeleteAttributeType(key, CKA_PRIME);
+ sftk_DeleteAttributeType(key, CKA_SUBPRIME);
+ sftk_DeleteAttributeType(key, CKA_NSS_PQG_SEED);
+ sftk_DeleteAttributeType(key, CKA_NSS_PQG_H);
+ }
+
+ sftk_DeleteAttributeType(key, CKA_PRIME_BITS);
+ sftk_DeleteAttributeType(key, CKA_SUBPRIME_BITS);
+ sftk_DeleteAttributeType(key, CKA_NSS_PQG_SEED_BITS);
+
+ /* use the old PQG interface if we have old input data */
+ if ((primeBits < 1024) || ((primeBits == 1024) && (subprimeBits == 0))) {
+ if (seedBits == 0) {
+ rv = PQG_ParamGen(j, &params, &vfy);
+ } else {
+ rv = PQG_ParamGenSeedLen(j, seedBits / 8, &params, &vfy);
+ }
+ } else {
+ if (subprimeBits == 0) {
+ subprimeBits = sftk_GetSubPrimeFromPrime(primeBits);
+ }
+ if (seedBits == 0) {
+ seedBits = primeBits;
+ }
+ rv = PQG_ParamGenV2(primeBits, subprimeBits, seedBits / 8, &params, &vfy);
+ }
+
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ crv = sftk_AddAttributeType(key, CKA_PRIME,
+ params->prime.data, params->prime.len);
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_AddAttributeType(key, CKA_SUBPRIME,
+ params->subPrime.data, params->subPrime.len);
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_AddAttributeType(key, CKA_BASE,
+ params->base.data, params->base.len);
+ if (crv != CKR_OK)
+ goto loser;
+ counter = vfy->counter;
+ crv = sftk_AddAttributeType(key, CKA_NSS_PQG_COUNTER,
+ &counter, sizeof(counter));
+ crv = sftk_AddAttributeType(key, CKA_NSS_PQG_SEED,
+ vfy->seed.data, vfy->seed.len);
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_AddAttributeType(key, CKA_NSS_PQG_H,
+ vfy->h.data, vfy->h.len);
+ if (crv != CKR_OK)
+ goto loser;
+
+loser:
+ if (params) {
+ PQG_DestroyParams(params);
+ }
+
+ if (vfy) {
+ PQG_DestroyVerify(vfy);
+ }
+ return crv;
+}
+
+static CK_RV
+nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
+ CK_ULONG *key_length)
+{
+ CK_RV crv = CKR_OK;
+
+ switch (mechanism) {
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case CKM_RC2_KEY_GEN:
+ *key_type = CKK_RC2;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
+#if NSS_SOFTOKEN_DOES_RC5
+ case CKM_RC5_KEY_GEN:
+ *key_type = CKK_RC5;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+#endif
+ case CKM_RC4_KEY_GEN:
+ *key_type = CKK_RC4;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ case CKM_GENERIC_SECRET_KEY_GEN:
+ *key_type = CKK_GENERIC_SECRET;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ case CKM_CDMF_KEY_GEN:
+ *key_type = CKK_CDMF;
+ *key_length = 8;
+ break;
+ case CKM_DES_KEY_GEN:
+ *key_type = CKK_DES;
+ *key_length = 8;
+ break;
+ case CKM_DES2_KEY_GEN:
+ *key_type = CKK_DES2;
+ *key_length = 16;
+ break;
+ case CKM_DES3_KEY_GEN:
+ *key_type = CKK_DES3;
+ *key_length = 24;
+ break;
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ case CKM_SEED_KEY_GEN:
+ *key_type = CKK_SEED;
+ *key_length = 16;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_SEED */
+ case CKM_CAMELLIA_KEY_GEN:
+ *key_type = CKK_CAMELLIA;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ case CKM_AES_KEY_GEN:
+ *key_type = CKK_AES;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ case CKM_NSS_CHACHA20_KEY_GEN:
+ *key_type = CKK_NSS_CHACHA20;
+ *key_length = 32;
+ break;
+ case CKM_CHACHA20_KEY_GEN:
+ *key_type = CKK_CHACHA20;
+ *key_length = 32;
+ break;
+ case CKM_HKDF_KEY_GEN:
+ *key_type = CKK_HKDF;
+ if (*key_length == 0)
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ default:
+ PORT_Assert(0);
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ return crv;
+}
+
+CK_RV
+nsc_SetupHMACKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe)
+{
+ SECItem salt;
+ CK_PBE_PARAMS *pbe_params = NULL;
+ NSSPKCS5PBEParameter *params;
+ PLArenaPool *arena = NULL;
+ SECStatus rv;
+
+ *pbe = NULL;
+
+ arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
+ if (arena == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ params = (NSSPKCS5PBEParameter *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSPKCS5PBEParameter));
+ if (params == NULL) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_HOST_MEMORY;
+ }
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PBE_PARAMS))) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ params->poolp = arena;
+ params->ivLen = 0;
+ params->pbeType = NSSPKCS5_PKCS12_V2;
+ params->hashType = HASH_AlgSHA1;
+ params->encAlg = SEC_OID_SHA1; /* any invalid value */
+ params->is2KeyDES = PR_FALSE;
+ params->keyID = pbeBitGenIntegrityKey;
+ pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+ params->iter = pbe_params->ulIteration;
+
+ salt.data = (unsigned char *)pbe_params->pSalt;
+ salt.len = (unsigned int)pbe_params->ulSaltLen;
+ salt.type = siBuffer;
+ rv = SECITEM_CopyItem(arena, &params->salt, &salt);
+ if (rv != SECSuccess) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_HOST_MEMORY;
+ }
+ switch (pMechanism->mechanism) {
+ case CKM_NSS_PBE_SHA1_HMAC_KEY_GEN:
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+ params->hashType = HASH_AlgSHA1;
+ params->keyLen = 20;
+ break;
+ case CKM_NSS_PBE_MD5_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgMD5;
+ params->keyLen = 16;
+ break;
+ case CKM_NSS_PBE_MD2_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgMD2;
+ params->keyLen = 16;
+ break;
+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgSHA224;
+ params->keyLen = 28;
+ break;
+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgSHA256;
+ params->keyLen = 32;
+ break;
+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgSHA384;
+ params->keyLen = 48;
+ break;
+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+ params->hashType = HASH_AlgSHA512;
+ params->keyLen = 64;
+ break;
+ default:
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_MECHANISM_INVALID;
+ }
+ *pbe = params;
+ return CKR_OK;
+}
+
+/* maybe this should be table driven? */
+static CK_RV
+nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe,
+ CK_KEY_TYPE *key_type, CK_ULONG *key_length)
+{
+ CK_RV crv = CKR_OK;
+ SECOidData *oid;
+ CK_PBE_PARAMS *pbe_params = NULL;
+ NSSPKCS5PBEParameter *params = NULL;
+ HASH_HashType hashType = HASH_AlgSHA1;
+ CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
+ SECItem salt;
+ CK_ULONG iteration = 0;
+
+ *pbe = NULL;
+
+ oid = SECOID_FindOIDByMechanism(pMechanism->mechanism);
+ if (oid == NULL) {
+ return CKR_MECHANISM_INVALID;
+ }
+
+ if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
+ switch (pbkd2_params->prf) {
+ case CKP_PKCS5_PBKD2_HMAC_SHA1:
+ hashType = HASH_AlgSHA1;
+ break;
+ case CKP_PKCS5_PBKD2_HMAC_SHA224:
+ hashType = HASH_AlgSHA224;
+ break;
+ case CKP_PKCS5_PBKD2_HMAC_SHA256:
+ hashType = HASH_AlgSHA256;
+ break;
+ case CKP_PKCS5_PBKD2_HMAC_SHA384:
+ hashType = HASH_AlgSHA384;
+ break;
+ case CKP_PKCS5_PBKD2_HMAC_SHA512:
+ hashType = HASH_AlgSHA512;
+ break;
+ default:
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (pbkd2_params->saltSource != CKZ_SALT_SPECIFIED) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ salt.data = (unsigned char *)pbkd2_params->pSaltSourceData;
+ salt.len = (unsigned int)pbkd2_params->ulSaltSourceDataLen;
+ iteration = pbkd2_params->iterations;
+ } else {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PBE_PARAMS))) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ pbe_params = (CK_PBE_PARAMS *)pMechanism->pParameter;
+ salt.data = (unsigned char *)pbe_params->pSalt;
+ salt.len = (unsigned int)pbe_params->ulSaltLen;
+ iteration = pbe_params->ulIteration;
+ }
+ params = nsspkcs5_NewParam(oid->offset, hashType, &salt, iteration);
+ if (params == NULL) {
+ return CKR_MECHANISM_INVALID;
+ }
+
+ switch (params->encAlg) {
+ case SEC_OID_DES_CBC:
+ *key_type = CKK_DES;
+ *key_length = params->keyLen;
+ break;
+ case SEC_OID_DES_EDE3_CBC:
+ *key_type = params->is2KeyDES ? CKK_DES2 : CKK_DES3;
+ *key_length = params->keyLen;
+ break;
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case SEC_OID_RC2_CBC:
+ *key_type = CKK_RC2;
+ *key_length = params->keyLen;
+ break;
+#endif /* NSS_DISABLE_DEPRECATED_RC2 */
+ case SEC_OID_RC4:
+ *key_type = CKK_RC4;
+ *key_length = params->keyLen;
+ break;
+ case SEC_OID_PKCS5_PBKDF2:
+ /* key type must already be set */
+ if (*key_type == CKK_INVALID_KEY_TYPE) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ }
+ /* PBKDF2 needs to calculate the key length from the other parameters
+ */
+ if (*key_length == 0) {
+ *key_length = sftk_MapKeySize(*key_type);
+ }
+ if (*key_length == 0) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ }
+ params->keyLen = *key_length;
+ break;
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+ if (crv == CKR_OK) {
+ *pbe = params;
+ } else {
+ nsspkcs5_DestroyPBEParameter(params);
+ }
+ return crv;
+}
+
+/* NSC_GenerateKey generates a secret key, creating a new key object. */
+CK_RV
+NSC_GenerateKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ SFTKObject *key;
+ SFTKSession *session;
+ PRBool checkWeak = PR_FALSE;
+ CK_ULONG key_length = 0;
+ CK_KEY_TYPE key_type = CKK_INVALID_KEY_TYPE;
+ CK_OBJECT_CLASS objclass = CKO_SECRET_KEY;
+ CK_RV crv = CKR_OK;
+ CK_BBOOL cktrue = CK_TRUE;
+ NSSPKCS5PBEParameter *pbe_param = NULL;
+ int i;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ unsigned char buf[MAX_KEY_LEN];
+ enum { nsc_pbe,
+ nsc_ssl,
+ nsc_bulk,
+ nsc_param,
+ nsc_jpake } key_gen_type;
+ SSL3RSAPreMasterSecret *rsa_pms;
+ CK_VERSION *version;
+ /* in very old versions of NSS, there were implementation errors with key
+ * generation methods. We want to beable to read these, but not
+ * produce them any more. The affected algorithm was 3DES.
+ */
+ PRBool faultyPBE3DES = PR_FALSE;
+ HASH_HashType hashType = HASH_AlgNULL;
+
+ CHECK_FORK();
+
+ if (!slot) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ key = sftk_NewObject(slot); /* fill in the handle later */
+ if (key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /*
+ * load the template values into the object
+ */
+ for (i = 0; i < (int)ulCount; i++) {
+ if (pTemplate[i].type == CKA_VALUE_LEN) {
+ key_length = *(CK_ULONG *)pTemplate[i].pValue;
+ continue;
+ }
+ /* some algorithms need keytype specified */
+ if (pTemplate[i].type == CKA_KEY_TYPE) {
+ key_type = *(CK_ULONG *)pTemplate[i].pValue;
+ continue;
+ }
+
+ crv = sftk_AddAttributeType(key, sftk_attr_expand(&pTemplate[i]));
+ if (crv != CKR_OK) {
+ break;
+ }
+ }
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* make sure we don't have any class, key_type, or value fields */
+ sftk_DeleteAttributeType(key, CKA_CLASS);
+ sftk_DeleteAttributeType(key, CKA_KEY_TYPE);
+ sftk_DeleteAttributeType(key, CKA_VALUE);
+
+ /* Now Set up the parameters to generate the key (based on mechanism) */
+ key_gen_type = nsc_bulk; /* bulk key by default */
+ switch (pMechanism->mechanism) {
+ case CKM_CDMF_KEY_GEN:
+ case CKM_DES_KEY_GEN:
+ case CKM_DES2_KEY_GEN:
+ case CKM_DES3_KEY_GEN:
+ checkWeak = PR_TRUE;
+/* fall through */
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case CKM_RC2_KEY_GEN:
+#endif
+ case CKM_RC4_KEY_GEN:
+ case CKM_GENERIC_SECRET_KEY_GEN:
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ case CKM_SEED_KEY_GEN:
+#endif
+ case CKM_CAMELLIA_KEY_GEN:
+ case CKM_AES_KEY_GEN:
+ case CKM_NSS_CHACHA20_KEY_GEN:
+ case CKM_CHACHA20_KEY_GEN:
+#if NSS_SOFTOKEN_DOES_RC5
+ case CKM_RC5_KEY_GEN:
+#endif
+ crv = nsc_SetupBulkKeyGen(pMechanism->mechanism, &key_type, &key_length);
+ break;
+ case CKM_SSL3_PRE_MASTER_KEY_GEN:
+ key_type = CKK_GENERIC_SECRET;
+ key_length = 48;
+ key_gen_type = nsc_ssl;
+ break;
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+ case CKM_NSS_PBE_SHA1_HMAC_KEY_GEN:
+ case CKM_NSS_PBE_MD5_HMAC_KEY_GEN:
+ case CKM_NSS_PBE_MD2_HMAC_KEY_GEN:
+ case CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN:
+ case CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN:
+ case CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN:
+ case CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN:
+ key_gen_type = nsc_pbe;
+ key_type = CKK_GENERIC_SECRET;
+ crv = nsc_SetupHMACKeyGen(pMechanism, &pbe_param);
+ break;
+ case CKM_NSS_PBE_SHA1_FAULTY_3DES_CBC:
+ faultyPBE3DES = PR_TRUE;
+ /* fall through */
+ case CKM_NSS_PBE_SHA1_TRIPLE_DES_CBC:
+#ifndef NSS_DISABLE_DEPRECATED_RC2
+ case CKM_NSS_PBE_SHA1_40_BIT_RC2_CBC:
+ case CKM_NSS_PBE_SHA1_128_BIT_RC2_CBC:
+ case CKM_PBE_SHA1_RC2_128_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+#endif
+ case CKM_NSS_PBE_SHA1_DES_CBC:
+ case CKM_NSS_PBE_SHA1_40_BIT_RC4:
+ case CKM_NSS_PBE_SHA1_128_BIT_RC4:
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ case CKM_PBE_SHA1_RC4_128:
+ case CKM_PBE_SHA1_RC4_40:
+ case CKM_PBE_MD5_DES_CBC:
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PKCS5_PBKD2:
+ key_gen_type = nsc_pbe;
+ crv = nsc_SetupPBEKeyGen(pMechanism, &pbe_param, &key_type, &key_length);
+ break;
+ case CKM_DSA_PARAMETER_GEN:
+ key_gen_type = nsc_param;
+ key_type = CKK_DSA;
+ objclass = CKO_DOMAIN_PARAMETERS;
+ crv = CKR_OK;
+ break;
+ case CKM_NSS_JPAKE_ROUND1_SHA1:
+ hashType = HASH_AlgSHA1;
+ goto jpake1;
+ case CKM_NSS_JPAKE_ROUND1_SHA256:
+ hashType = HASH_AlgSHA256;
+ goto jpake1;
+ case CKM_NSS_JPAKE_ROUND1_SHA384:
+ hashType = HASH_AlgSHA384;
+ goto jpake1;
+ case CKM_NSS_JPAKE_ROUND1_SHA512:
+ hashType = HASH_AlgSHA512;
+ goto jpake1;
+ jpake1:
+ key_gen_type = nsc_jpake;
+ key_type = CKK_NSS_JPAKE_ROUND1;
+ objclass = CKO_PRIVATE_KEY;
+ if (pMechanism->pParameter == NULL ||
+ pMechanism->ulParameterLen != sizeof(CK_NSS_JPAKERound1Params)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ if (sftk_isTrue(key, CKA_TOKEN)) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+ crv = CKR_OK;
+ break;
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ /* make sure we aren't going to overflow the buffer */
+ if (sizeof(buf) < key_length) {
+ /* someone is getting pretty optimistic about how big their key can
+ * be... */
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ }
+
+ if (crv != CKR_OK) {
+ if (pbe_param) {
+ nsspkcs5_DestroyPBEParameter(pbe_param);
+ }
+ goto loser;
+ }
+
+ /* if there was no error,
+ * key_type *MUST* be set in the switch statement above */
+ PORT_Assert(key_type != CKK_INVALID_KEY_TYPE);
+
+ /*
+ * now to the actual key gen.
+ */
+ switch (key_gen_type) {
+ case nsc_pbe:
+ crv = nsc_pbe_key_gen(pbe_param, pMechanism, buf, &key_length,
+ faultyPBE3DES);
+ nsspkcs5_DestroyPBEParameter(pbe_param);
+ break;
+ case nsc_ssl:
+ rsa_pms = (SSL3RSAPreMasterSecret *)buf;
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_VERSION))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ goto loser;
+ }
+ version = (CK_VERSION *)pMechanism->pParameter;
+ rsa_pms->client_version[0] = version->major;
+ rsa_pms->client_version[1] = version->minor;
+ crv =
+ NSC_GenerateRandom(0, &rsa_pms->random[0], sizeof(rsa_pms->random));
+ break;
+ case nsc_bulk:
+ /* get the key, check for weak keys and repeat if found */
+ do {
+ crv = NSC_GenerateRandom(0, buf, key_length);
+ } while (crv == CKR_OK && checkWeak && sftk_IsWeakKey(buf, key_type));
+ break;
+ case nsc_param:
+ /* generate parameters */
+ *buf = 0;
+ crv = nsc_parameter_gen(key_type, key);
+ break;
+ case nsc_jpake:
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_NSS_JPAKERound1Params))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ goto loser;
+ }
+ crv = jpake_Round1(hashType,
+ (CK_NSS_JPAKERound1Params *)pMechanism->pParameter,
+ key);
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* Add the class, key_type, and value */
+ crv = sftk_AddAttributeType(key, CKA_CLASS, &objclass, sizeof(CK_OBJECT_CLASS));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &key_type, sizeof(CK_KEY_TYPE));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ if (key_length != 0) {
+ crv = sftk_AddAttributeType(key, CKA_VALUE, buf, key_length);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
+
+ /* get the session */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ crv = CKR_SESSION_HANDLE_INVALID;
+ goto loser;
+ }
+
+ /*
+ * handle the base object stuff
+ */
+ crv = sftk_handleObject(key, session);
+ sftk_FreeSession(session);
+ if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
+ crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
+ }
+ if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
+ crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
+ }
+ if (crv == CKR_OK) {
+ *phKey = key->handle;
+ }
+loser:
+ PORT_Memset(buf, 0, sizeof buf);
+ sftk_FreeObject(key);
+ return crv;
+}
+
+#define PAIRWISE_DIGEST_LENGTH SHA1_LENGTH /* 160-bits */
+#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
+
+/*
+ * FIPS 140-2 pairwise consistency check utilized to validate key pair.
+ *
+ * This function returns
+ * CKR_OK if pairwise consistency check passed
+ * CKR_GENERAL_ERROR if pairwise consistency check failed
+ * other error codes if paiswise consistency check could not be
+ * performed, for example, CKR_HOST_MEMORY.
+ */
+static CK_RV
+sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession, SFTKSlot *slot,
+ SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType)
+{
+ /*
+ * Key type Mechanism type
+ * --------------------------------
+ * For encrypt/decrypt: CKK_RSA => CKM_RSA_PKCS
+ * others => CKM_INVALID_MECHANISM
+ *
+ * For sign/verify: CKK_RSA => CKM_RSA_PKCS
+ * CKK_DSA => CKM_DSA
+ * CKK_EC => CKM_ECDSA
+ * others => CKM_INVALID_MECHANISM
+ *
+ * None of these mechanisms has a parameter.
+ *
+ * For derive CKK_DH => CKM_DH_PKCS_DERIVE
+ * CKK_EC => CKM_ECDH1_DERIVE
+ * others => CKM_INVALID_MECHANISM
+ *
+ * The parameters for these mechanisms is the public key.
+ */
+ CK_MECHANISM mech = { 0, NULL, 0 };
+
+ CK_ULONG modulusLen = 0;
+ CK_ULONG subPrimeLen = 0;
+ PRBool isEncryptable = PR_FALSE;
+ PRBool canSignVerify = PR_FALSE;
+ PRBool isDerivable = PR_FALSE;
+ CK_RV crv;
+
+ /* Variables used for Encrypt/Decrypt functions. */
+ unsigned char *known_message = (unsigned char *)"Known Crypto Message";
+ unsigned char plaintext[PAIRWISE_MESSAGE_LENGTH];
+ CK_ULONG bytes_decrypted;
+ unsigned char *ciphertext;
+ unsigned char *text_compared;
+ CK_ULONG bytes_encrypted;
+ CK_ULONG bytes_compared;
+ CK_ULONG pairwise_digest_length = PAIRWISE_DIGEST_LENGTH;
+
+ /* Variables used for Signature/Verification functions. */
+ /* Must be at least 256 bits for DSA2 digest */
+ unsigned char *known_digest = (unsigned char *)"Mozilla Rules the World through NSS!";
+ unsigned char *signature;
+ CK_ULONG signature_length;
+
+ if (keyType == CKK_RSA) {
+ SFTKAttribute *attribute;
+
+ /* Get modulus length of private key. */
+ attribute = sftk_FindAttribute(privateKey, CKA_MODULUS);
+ if (attribute == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+ modulusLen = attribute->attrib.ulValueLen;
+ if (*(unsigned char *)attribute->attrib.pValue == 0) {
+ modulusLen--;
+ }
+ sftk_FreeAttribute(attribute);
+ } else if (keyType == CKK_DSA) {
+ SFTKAttribute *attribute;
+
+ /* Get subprime length of private key. */
+ attribute = sftk_FindAttribute(privateKey, CKA_SUBPRIME);
+ if (attribute == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+ subPrimeLen = attribute->attrib.ulValueLen;
+ if (subPrimeLen > 1 && *(unsigned char *)attribute->attrib.pValue == 0) {
+ subPrimeLen--;
+ }
+ sftk_FreeAttribute(attribute);
+ }
+
+ /**************************************************/
+ /* Pairwise Consistency Check of Encrypt/Decrypt. */
+ /**************************************************/
+
+ isEncryptable = sftk_isTrue(privateKey, CKA_DECRYPT);
+
+ /*
+ * If the decryption attribute is set, attempt to encrypt
+ * with the public key and decrypt with the private key.
+ */
+ if (isEncryptable) {
+ if (keyType != CKK_RSA) {
+ return CKR_DEVICE_ERROR;
+ }
+ bytes_encrypted = modulusLen;
+ mech.mechanism = CKM_RSA_PKCS;
+
+ /* Allocate space for ciphertext. */
+ ciphertext = (unsigned char *)PORT_ZAlloc(bytes_encrypted);
+ if (ciphertext == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Prepare for encryption using the public key. */
+ crv = NSC_EncryptInit(hSession, &mech, publicKey->handle);
+ if (crv != CKR_OK) {
+ PORT_Free(ciphertext);
+ return crv;
+ }
+
+ /* Encrypt using the public key. */
+ crv = NSC_Encrypt(hSession,
+ known_message,
+ PAIRWISE_MESSAGE_LENGTH,
+ ciphertext,
+ &bytes_encrypted);
+ if (crv != CKR_OK) {
+ PORT_Free(ciphertext);
+ return crv;
+ }
+
+ /* Always use the smaller of these two values . . . */
+ bytes_compared = PR_MIN(bytes_encrypted, PAIRWISE_MESSAGE_LENGTH);
+
+ /*
+ * If there was a failure, the plaintext
+ * goes at the end, therefore . . .
+ */
+ text_compared = ciphertext + bytes_encrypted - bytes_compared;
+
+ /*
+ * Check to ensure that ciphertext does
+ * NOT EQUAL known input message text
+ * per FIPS PUB 140-2 directive.
+ */
+ if (PORT_Memcmp(text_compared, known_message,
+ bytes_compared) == 0) {
+ /* Set error to Invalid PRIVATE Key. */
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ PORT_Free(ciphertext);
+ return CKR_GENERAL_ERROR;
+ }
+
+ /* Prepare for decryption using the private key. */
+ crv = NSC_DecryptInit(hSession, &mech, privateKey->handle);
+ if (crv != CKR_OK) {
+ PORT_Free(ciphertext);
+ return crv;
+ }
+
+ memset(plaintext, 0, PAIRWISE_MESSAGE_LENGTH);
+
+ /*
+ * Initialize bytes decrypted to be the
+ * expected PAIRWISE_MESSAGE_LENGTH.
+ */
+ bytes_decrypted = PAIRWISE_MESSAGE_LENGTH;
+
+ /*
+ * Decrypt using the private key.
+ * NOTE: No need to reset the
+ * value of bytes_encrypted.
+ */
+ crv = NSC_Decrypt(hSession,
+ ciphertext,
+ bytes_encrypted,
+ plaintext,
+ &bytes_decrypted);
+
+ /* Finished with ciphertext; free it. */
+ PORT_Free(ciphertext);
+
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ /*
+ * Check to ensure that the output plaintext
+ * does EQUAL known input message text.
+ */
+ if ((bytes_decrypted != PAIRWISE_MESSAGE_LENGTH) ||
+ (PORT_Memcmp(plaintext, known_message,
+ PAIRWISE_MESSAGE_LENGTH) != 0)) {
+ /* Set error to Bad PUBLIC Key. */
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return CKR_GENERAL_ERROR;
+ }
+ }
+
+ /**********************************************/
+ /* Pairwise Consistency Check of Sign/Verify. */
+ /**********************************************/
+
+ canSignVerify = sftk_isTrue(privateKey, CKA_SIGN);
+ /* Unfortunately CKA_SIGN is always true in lg dbs. We have to check the
+ * actual curve to determine if we can do sign/verify. */
+ if (canSignVerify && keyType == CKK_EC) {
+ NSSLOWKEYPrivateKey *privKey = sftk_GetPrivKey(privateKey, CKK_EC, &crv);
+ if (privKey && privKey->u.ec.ecParams.name == ECCurve25519) {
+ canSignVerify = PR_FALSE;
+ }
+ }
+
+ if (canSignVerify) {
+ /* Determine length of signature. */
+ switch (keyType) {
+ case CKK_RSA:
+ signature_length = modulusLen;
+ mech.mechanism = CKM_RSA_PKCS;
+ break;
+ case CKK_DSA:
+ signature_length = DSA_MAX_SIGNATURE_LEN;
+ pairwise_digest_length = subPrimeLen;
+ mech.mechanism = CKM_DSA;
+ break;
+ case CKK_EC:
+ signature_length = MAX_ECKEY_LEN * 2;
+ mech.mechanism = CKM_ECDSA;
+ break;
+ default:
+ return CKR_DEVICE_ERROR;
+ }
+
+ /* Allocate space for signature data. */
+ signature = (unsigned char *)PORT_ZAlloc(signature_length);
+ if (signature == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Sign the known hash using the private key. */
+ crv = NSC_SignInit(hSession, &mech, privateKey->handle);
+ if (crv != CKR_OK) {
+ PORT_Free(signature);
+ return crv;
+ }
+
+ crv = NSC_Sign(hSession,
+ known_digest,
+ pairwise_digest_length,
+ signature,
+ &signature_length);
+ if (crv != CKR_OK) {
+ PORT_Free(signature);
+ return crv;
+ }
+
+ /* detect trivial signing transforms */
+ if ((signature_length >= pairwise_digest_length) &&
+ (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
+ PORT_Free(signature);
+ return CKR_DEVICE_ERROR;
+ }
+
+ /* Verify the known hash using the public key. */
+ crv = NSC_VerifyInit(hSession, &mech, publicKey->handle);
+ if (crv != CKR_OK) {
+ PORT_Free(signature);
+ return crv;
+ }
+
+ crv = NSC_Verify(hSession,
+ known_digest,
+ pairwise_digest_length,
+ signature,
+ signature_length);
+
+ /* Free signature data. */
+ PORT_Free(signature);
+
+ if ((crv == CKR_SIGNATURE_LEN_RANGE) ||
+ (crv == CKR_SIGNATURE_INVALID)) {
+ return CKR_GENERAL_ERROR;
+ }
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+
+ /**********************************************/
+ /* Pairwise Consistency Check for Derivation */
+ /**********************************************/
+
+ isDerivable = sftk_isTrue(privateKey, CKA_DERIVE);
+
+ if (isDerivable) {
+ SFTKAttribute *pubAttribute = NULL;
+ CK_OBJECT_HANDLE newKey;
+ PRBool isFIPS = sftk_isFIPS(slot->slotID);
+ CK_RV crv2;
+ CK_OBJECT_CLASS secret = CKO_SECRET_KEY;
+ CK_KEY_TYPE generic = CKK_GENERIC_SECRET;
+ CK_ULONG keyLen = 128;
+ CK_BBOOL ckTrue = CK_TRUE;
+ CK_ATTRIBUTE template[] = {
+ { CKA_CLASS, &secret, sizeof(secret) },
+ { CKA_KEY_TYPE, &generic, sizeof(generic) },
+ { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) },
+ { CKA_DERIVE, &ckTrue, sizeof(ckTrue) }
+ };
+ CK_ULONG templateCount = PR_ARRAY_SIZE(template);
+ CK_ECDH1_DERIVE_PARAMS ecParams;
+
+ crv = CKR_OK; /*paranoia, already get's set before we drop to the end */
+ /* FIPS 140-2 requires we verify that the resulting key is a valid key.
+ * The easiest way to do this is to do a derive operation, which checks
+ * the validity of the key */
+
+ switch (keyType) {
+ case CKK_DH:
+ mech.mechanism = CKM_DH_PKCS_DERIVE;
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
+ if (pubAttribute == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+ mech.pParameter = pubAttribute->attrib.pValue;
+ mech.ulParameterLen = pubAttribute->attrib.ulValueLen;
+ break;
+ case CKK_EC:
+ mech.mechanism = CKM_ECDH1_DERIVE;
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
+ if (pubAttribute == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+ ecParams.kdf = CKD_NULL;
+ ecParams.ulSharedDataLen = 0;
+ ecParams.pSharedData = NULL;
+ ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen;
+ ecParams.pPublicData = pubAttribute->attrib.pValue;
+ mech.pParameter = &ecParams;
+ mech.ulParameterLen = sizeof(ecParams);
+ break;
+ default:
+ return CKR_DEVICE_ERROR;
+ }
+
+ crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
+ if (crv != CKR_OK) {
+ sftk_FreeAttribute(pubAttribute);
+ return crv;
+ }
+ /* FIPS requires full validation, but in fipx mode NSC_Derive
+ * only does partial validation with approved primes, now handle
+ * full validation */
+ if (isFIPS && keyType == CKK_DH) {
+ SECItem pubKey;
+ SECItem prime;
+ SECItem subPrime;
+ const SECItem *subPrimePtr = &subPrime;
+
+ pubKey.data = pubAttribute->attrib.pValue;
+ pubKey.len = pubAttribute->attrib.ulValueLen;
+ prime.data = subPrime.data = NULL;
+ prime.len = subPrime.len = 0;
+ crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
+ if (crv != CKR_OK) {
+ goto done;
+ }
+ crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
+ /* we ignore the return code an only look at the length */
+ if (subPrime.len == 0) {
+ /* subprime not supplied, In this case look it up.
+ * This only works with approved primes, but in FIPS mode
+ * that's the only kine of prime that will get here */
+ subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS);
+ if (subPrimePtr == NULL) {
+ crv = CKR_GENERAL_ERROR;
+ goto done;
+ }
+ }
+ if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) {
+ crv = CKR_GENERAL_ERROR;
+ }
+ done:
+ SECITEM_ZfreeItem(&subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&prime, PR_FALSE);
+ }
+ /* clean up before we return */
+ sftk_FreeAttribute(pubAttribute);
+ crv2 = NSC_DestroyObject(hSession, newKey);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ if (crv2 != CKR_OK) {
+ return crv2;
+ }
+ }
+
+ return CKR_OK;
+}
+
+/* NSC_GenerateKeyPair generates a public-key/private-key pair,
+ * creating new key objects. */
+CK_RV
+NSC_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG ulPublicKeyAttributeCount, CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG ulPrivateKeyAttributeCount, CK_OBJECT_HANDLE_PTR phPublicKey,
+ CK_OBJECT_HANDLE_PTR phPrivateKey)
+{
+ SFTKObject *publicKey, *privateKey;
+ SFTKSession *session;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+ CK_BBOOL cktrue = CK_TRUE;
+ SECStatus rv;
+ CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+ CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
+ int i;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ unsigned int bitSize;
+
+ /* RSA */
+ int public_modulus_bits = 0;
+ SECItem pubExp;
+ RSAPrivateKey *rsaPriv;
+
+ /* DSA */
+ PQGParams pqgParam;
+ DHParams dhParam;
+ DSAPrivateKey *dsaPriv;
+
+ /* Diffie Hellman */
+ DHPrivateKey *dhPriv;
+
+ /* Elliptic Curve Cryptography */
+ SECItem ecEncodedParams; /* DER Encoded parameters */
+ ECPrivateKey *ecPriv;
+ ECParams *ecParams;
+
+ CHECK_FORK();
+
+ if (!slot) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ publicKey = sftk_NewObject(slot); /* fill in the handle later */
+ if (publicKey == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /*
+ * load the template values into the publicKey
+ */
+ for (i = 0; i < (int)ulPublicKeyAttributeCount; i++) {
+ if (pPublicKeyTemplate[i].type == CKA_MODULUS_BITS) {
+ public_modulus_bits = *(CK_ULONG *)pPublicKeyTemplate[i].pValue;
+ continue;
+ }
+
+ crv = sftk_AddAttributeType(publicKey,
+ sftk_attr_expand(&pPublicKeyTemplate[i]));
+ if (crv != CKR_OK)
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ sftk_FreeObject(publicKey);
+ return CKR_HOST_MEMORY;
+ }
+
+ privateKey = sftk_NewObject(slot); /* fill in the handle later */
+ if (privateKey == NULL) {
+ sftk_FreeObject(publicKey);
+ return CKR_HOST_MEMORY;
+ }
+ /*
+ * now load the private key template
+ */
+ for (i = 0; i < (int)ulPrivateKeyAttributeCount; i++) {
+ if (pPrivateKeyTemplate[i].type == CKA_VALUE_BITS) {
+ continue;
+ }
+
+ crv = sftk_AddAttributeType(privateKey,
+ sftk_attr_expand(&pPrivateKeyTemplate[i]));
+ if (crv != CKR_OK)
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ sftk_FreeObject(publicKey);
+ sftk_FreeObject(privateKey);
+ return CKR_HOST_MEMORY;
+ }
+ sftk_DeleteAttributeType(privateKey, CKA_CLASS);
+ sftk_DeleteAttributeType(privateKey, CKA_KEY_TYPE);
+ sftk_DeleteAttributeType(privateKey, CKA_VALUE);
+ sftk_DeleteAttributeType(publicKey, CKA_CLASS);
+ sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE);
+ sftk_DeleteAttributeType(publicKey, CKA_VALUE);
+
+ /* Now Set up the parameters to generate the key (based on mechanism) */
+ switch (pMechanism->mechanism) {
+ case CKM_RSA_PKCS_KEY_PAIR_GEN:
+ /* format the keys */
+ sftk_DeleteAttributeType(publicKey, CKA_MODULUS);
+ sftk_DeleteAttributeType(privateKey, CKA_NSS_DB);
+ sftk_DeleteAttributeType(privateKey, CKA_MODULUS);
+ sftk_DeleteAttributeType(privateKey, CKA_PRIVATE_EXPONENT);
+ sftk_DeleteAttributeType(privateKey, CKA_PUBLIC_EXPONENT);
+ sftk_DeleteAttributeType(privateKey, CKA_PRIME_1);
+ sftk_DeleteAttributeType(privateKey, CKA_PRIME_2);
+ sftk_DeleteAttributeType(privateKey, CKA_EXPONENT_1);
+ sftk_DeleteAttributeType(privateKey, CKA_EXPONENT_2);
+ sftk_DeleteAttributeType(privateKey, CKA_COEFFICIENT);
+ key_type = CKK_RSA;
+ if (public_modulus_bits == 0) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ }
+ if (public_modulus_bits < RSA_MIN_MODULUS_BITS) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ break;
+ }
+ if (public_modulus_bits % 2 != 0) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ break;
+ }
+
+ /* extract the exponent */
+ crv = sftk_Attribute2SSecItem(NULL, &pubExp, publicKey, CKA_PUBLIC_EXPONENT);
+ if (crv != CKR_OK)
+ break;
+ bitSize = sftk_GetLengthInBits(pubExp.data, pubExp.len);
+ if (bitSize < 2) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ SECITEM_ZfreeItem(&pubExp, PR_FALSE);
+ break;
+ }
+ crv = sftk_AddAttributeType(privateKey, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&pubExp));
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&pubExp, PR_FALSE);
+ break;
+ }
+
+ rsaPriv = RSA_NewKey(public_modulus_bits, &pubExp);
+ SECITEM_ZfreeItem(&pubExp, PR_FALSE);
+ if (rsaPriv == NULL) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+ /* now fill in the RSA dependent paramenters in the public key */
+ crv = sftk_AddAttributeType(publicKey, CKA_MODULUS,
+ sftk_item_expand(&rsaPriv->modulus));
+ if (crv != CKR_OK)
+ goto kpg_done;
+ /* now fill in the RSA dependent paramenters in the private key */
+ crv = sftk_AddAttributeType(privateKey, CKA_NSS_DB,
+ sftk_item_expand(&rsaPriv->modulus));
+ if (crv != CKR_OK)
+ goto kpg_done;
+ crv = sftk_AddAttributeType(privateKey, CKA_MODULUS,
+ sftk_item_expand(&rsaPriv->modulus));
+ if (crv != CKR_OK)
+ goto kpg_done;
+ crv = sftk_AddAttributeType(privateKey, CKA_PRIVATE_EXPONENT,
+ sftk_item_expand(&rsaPriv->privateExponent));
+ if (crv != CKR_OK)
+ goto kpg_done;
+ crv = sftk_AddAttributeType(privateKey, CKA_PRIME_1,
+ sftk_item_expand(&rsaPriv->prime1));
+ if (crv != CKR_OK)
+ goto kpg_done;
+ crv = sftk_AddAttributeType(privateKey, CKA_PRIME_2,
+ sftk_item_expand(&rsaPriv->prime2));
+ if (crv != CKR_OK)
+ goto kpg_done;
+ crv = sftk_AddAttributeType(privateKey, CKA_EXPONENT_1,
+ sftk_item_expand(&rsaPriv->exponent1));
+ if (crv != CKR_OK)
+ goto kpg_done;
+ crv = sftk_AddAttributeType(privateKey, CKA_EXPONENT_2,
+ sftk_item_expand(&rsaPriv->exponent2));
+ if (crv != CKR_OK)
+ goto kpg_done;
+ crv = sftk_AddAttributeType(privateKey, CKA_COEFFICIENT,
+ sftk_item_expand(&rsaPriv->coefficient));
+ kpg_done:
+ /* Should zeroize the contents first, since this func doesn't. */
+ PORT_FreeArena(rsaPriv->arena, PR_TRUE);
+ break;
+ case CKM_DSA_KEY_PAIR_GEN:
+ sftk_DeleteAttributeType(publicKey, CKA_VALUE);
+ sftk_DeleteAttributeType(privateKey, CKA_NSS_DB);
+ sftk_DeleteAttributeType(privateKey, CKA_PRIME);
+ sftk_DeleteAttributeType(privateKey, CKA_SUBPRIME);
+ sftk_DeleteAttributeType(privateKey, CKA_BASE);
+ key_type = CKK_DSA;
+
+ /* extract the necessary parameters and copy them to the private key */
+ crv = sftk_Attribute2SSecItem(NULL, &pqgParam.prime, publicKey, CKA_PRIME);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_Attribute2SSecItem(NULL, &pqgParam.subPrime, publicKey,
+ CKA_SUBPRIME);
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE);
+ break;
+ }
+ crv = sftk_Attribute2SSecItem(NULL, &pqgParam.base, publicKey, CKA_BASE);
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE);
+ break;
+ }
+ crv = sftk_AddAttributeType(privateKey, CKA_PRIME,
+ sftk_item_expand(&pqgParam.prime));
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE);
+ break;
+ }
+ crv = sftk_AddAttributeType(privateKey, CKA_SUBPRIME,
+ sftk_item_expand(&pqgParam.subPrime));
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE);
+ break;
+ }
+ crv = sftk_AddAttributeType(privateKey, CKA_BASE,
+ sftk_item_expand(&pqgParam.base));
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE);
+ break;
+ }
+
+ /*
+ * these are checked by DSA_NewKey
+ */
+ bitSize = sftk_GetLengthInBits(pqgParam.subPrime.data,
+ pqgParam.subPrime.len);
+ if ((bitSize < DSA_MIN_Q_BITS) || (bitSize > DSA_MAX_Q_BITS)) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE);
+ break;
+ }
+ bitSize = sftk_GetLengthInBits(pqgParam.prime.data, pqgParam.prime.len);
+ if ((bitSize < DSA_MIN_P_BITS) || (bitSize > DSA_MAX_P_BITS)) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE);
+ break;
+ }
+ bitSize = sftk_GetLengthInBits(pqgParam.base.data, pqgParam.base.len);
+ if ((bitSize < 2) || (bitSize > DSA_MAX_P_BITS)) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE);
+ break;
+ }
+
+ /* Generate the key */
+ rv = DSA_NewKey(&pqgParam, &dsaPriv);
+
+ SECITEM_ZfreeItem(&pqgParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.subPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&pqgParam.base, PR_FALSE);
+
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+
+ /* store the generated key into the attributes */
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&dsaPriv->publicValue));
+ if (crv != CKR_OK)
+ goto dsagn_done;
+
+ /* now fill in the RSA dependent paramenters in the private key */
+ crv = sftk_AddAttributeType(privateKey, CKA_NSS_DB,
+ sftk_item_expand(&dsaPriv->publicValue));
+ if (crv != CKR_OK)
+ goto dsagn_done;
+ crv = sftk_AddAttributeType(privateKey, CKA_VALUE,
+ sftk_item_expand(&dsaPriv->privateValue));
+
+ dsagn_done:
+ /* should zeroize, since this function doesn't. */
+ PORT_FreeArena(dsaPriv->params.arena, PR_TRUE);
+ break;
+
+ case CKM_DH_PKCS_KEY_PAIR_GEN:
+ sftk_DeleteAttributeType(privateKey, CKA_PRIME);
+ sftk_DeleteAttributeType(privateKey, CKA_BASE);
+ sftk_DeleteAttributeType(privateKey, CKA_VALUE);
+ sftk_DeleteAttributeType(privateKey, CKA_NSS_DB);
+ key_type = CKK_DH;
+
+ /* extract the necessary parameters and copy them to private keys */
+ crv = sftk_Attribute2SSecItem(NULL, &dhParam.prime, publicKey,
+ CKA_PRIME);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_Attribute2SSecItem(NULL, &dhParam.base, publicKey, CKA_BASE);
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE);
+ break;
+ }
+ crv = sftk_AddAttributeType(privateKey, CKA_PRIME,
+ sftk_item_expand(&dhParam.prime));
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhParam.base, PR_FALSE);
+ break;
+ }
+ crv = sftk_AddAttributeType(privateKey, CKA_BASE,
+ sftk_item_expand(&dhParam.base));
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhParam.base, PR_FALSE);
+ break;
+ }
+ bitSize = sftk_GetLengthInBits(dhParam.prime.data, dhParam.prime.len);
+ if ((bitSize < DH_MIN_P_BITS) || (bitSize > DH_MAX_P_BITS)) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhParam.base, PR_FALSE);
+ break;
+ }
+ bitSize = sftk_GetLengthInBits(dhParam.base.data, dhParam.base.len);
+ if ((bitSize < 1) || (bitSize > DH_MAX_P_BITS)) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhParam.base, PR_FALSE);
+ break;
+ }
+
+ rv = DH_NewKey(&dhParam, &dhPriv);
+ SECITEM_ZfreeItem(&dhParam.prime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhParam.base, PR_FALSE);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&dhPriv->publicValue));
+ if (crv != CKR_OK)
+ goto dhgn_done;
+
+ crv = sftk_AddAttributeType(privateKey, CKA_NSS_DB,
+ sftk_item_expand(&dhPriv->publicValue));
+ if (crv != CKR_OK)
+ goto dhgn_done;
+
+ crv = sftk_AddAttributeType(privateKey, CKA_VALUE,
+ sftk_item_expand(&dhPriv->privateValue));
+
+ dhgn_done:
+ /* should zeroize, since this function doesn't. */
+ PORT_FreeArena(dhPriv->arena, PR_TRUE);
+ break;
+
+ case CKM_EC_KEY_PAIR_GEN:
+ sftk_DeleteAttributeType(privateKey, CKA_EC_PARAMS);
+ sftk_DeleteAttributeType(privateKey, CKA_VALUE);
+ sftk_DeleteAttributeType(privateKey, CKA_NSS_DB);
+ key_type = CKK_EC;
+
+ /* extract the necessary parameters and copy them to private keys */
+ crv = sftk_Attribute2SSecItem(NULL, &ecEncodedParams, publicKey,
+ CKA_EC_PARAMS);
+ if (crv != CKR_OK)
+ break;
+
+ crv = sftk_AddAttributeType(privateKey, CKA_EC_PARAMS,
+ sftk_item_expand(&ecEncodedParams));
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&ecEncodedParams, PR_FALSE);
+ break;
+ }
+
+ /* Decode ec params before calling EC_NewKey */
+ rv = EC_DecodeParams(&ecEncodedParams, &ecParams);
+ SECITEM_ZfreeItem(&ecEncodedParams, PR_FALSE);
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+ rv = EC_NewKey(ecParams, &ecPriv);
+ if (rv != SECSuccess) {
+ if (PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
+ sftk_fatalError = PR_TRUE;
+ }
+ PORT_FreeArena(ecParams->arena, PR_TRUE);
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
+ ecParams->fieldID.type == ec_field_plain) {
+ PORT_FreeArena(ecParams->arena, PR_TRUE);
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+ sftk_item_expand(&ecPriv->publicValue));
+ } else {
+ PORT_FreeArena(ecParams->arena, PR_TRUE);
+ SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
+ &ecPriv->publicValue,
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
+ if (!pubValue) {
+ crv = CKR_ARGUMENTS_BAD;
+ goto ecgn_done;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+ sftk_item_expand(pubValue));
+ SECITEM_ZfreeItem(pubValue, PR_TRUE);
+ }
+ if (crv != CKR_OK)
+ goto ecgn_done;
+
+ crv = sftk_AddAttributeType(privateKey, CKA_VALUE,
+ sftk_item_expand(&ecPriv->privateValue));
+ if (crv != CKR_OK)
+ goto ecgn_done;
+
+ crv = sftk_AddAttributeType(privateKey, CKA_NSS_DB,
+ sftk_item_expand(&ecPriv->publicValue));
+ ecgn_done:
+ /* should zeroize, since this function doesn't. */
+ PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
+ break;
+
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ }
+
+ if (crv != CKR_OK) {
+ sftk_FreeObject(privateKey);
+ sftk_FreeObject(publicKey);
+ return crv;
+ }
+
+ /* Add the class, key_type The loop lets us check errors blow out
+ * on errors and clean up at the bottom */
+ session = NULL; /* make pedtantic happy... session cannot leave the*/
+ /* loop below NULL unless an error is set... */
+ do {
+ crv = sftk_AddAttributeType(privateKey, CKA_CLASS, &privClass,
+ sizeof(CK_OBJECT_CLASS));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(publicKey, CKA_CLASS, &pubClass,
+ sizeof(CK_OBJECT_CLASS));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(privateKey, CKA_KEY_TYPE, &key_type,
+ sizeof(CK_KEY_TYPE));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE, &key_type,
+ sizeof(CK_KEY_TYPE));
+ if (crv != CKR_OK)
+ break;
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ crv = CKR_SESSION_HANDLE_INVALID;
+ } while (0);
+
+ if (crv != CKR_OK) {
+ sftk_FreeObject(privateKey);
+ sftk_FreeObject(publicKey);
+ return crv;
+ }
+
+ /*
+ * handle the base object cleanup for the public Key
+ */
+ crv = sftk_handleObject(privateKey, session);
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ sftk_FreeObject(privateKey);
+ sftk_FreeObject(publicKey);
+ return crv;
+ }
+
+ /*
+ * handle the base object cleanup for the private Key
+ * If we have any problems, we destroy the public Key we've
+ * created and linked.
+ */
+ crv = sftk_handleObject(publicKey, session);
+ sftk_FreeSession(session);
+ if (crv != CKR_OK) {
+ sftk_FreeObject(publicKey);
+ NSC_DestroyObject(hSession, privateKey->handle);
+ sftk_FreeObject(privateKey);
+ return crv;
+ }
+ if (sftk_isTrue(privateKey, CKA_SENSITIVE)) {
+ crv = sftk_forceAttribute(privateKey, CKA_ALWAYS_SENSITIVE,
+ &cktrue, sizeof(CK_BBOOL));
+ }
+ if (crv == CKR_OK && sftk_isTrue(publicKey, CKA_SENSITIVE)) {
+ crv = sftk_forceAttribute(publicKey, CKA_ALWAYS_SENSITIVE,
+ &cktrue, sizeof(CK_BBOOL));
+ }
+ if (crv == CKR_OK && !sftk_isTrue(privateKey, CKA_EXTRACTABLE)) {
+ crv = sftk_forceAttribute(privateKey, CKA_NEVER_EXTRACTABLE,
+ &cktrue, sizeof(CK_BBOOL));
+ }
+ if (crv == CKR_OK && !sftk_isTrue(publicKey, CKA_EXTRACTABLE)) {
+ crv = sftk_forceAttribute(publicKey, CKA_NEVER_EXTRACTABLE,
+ &cktrue, sizeof(CK_BBOOL));
+ }
+
+ if (crv == CKR_OK) {
+ /* Perform FIPS 140-2 pairwise consistency check. */
+ crv = sftk_PairwiseConsistencyCheck(hSession, slot,
+ publicKey, privateKey, key_type);
+ if (crv != CKR_OK) {
+ if (sftk_audit_enabled) {
+ char msg[128];
+ PR_snprintf(msg, sizeof msg,
+ "C_GenerateKeyPair(hSession=0x%08lX, "
+ "pMechanism->mechanism=0x%08lX)=0x%08lX "
+ "self-test: pair-wise consistency test failed",
+ (PRUint32)hSession, (PRUint32)pMechanism->mechanism,
+ (PRUint32)crv);
+ sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
+ }
+ }
+ }
+
+ if (crv != CKR_OK) {
+ NSC_DestroyObject(hSession, publicKey->handle);
+ sftk_FreeObject(publicKey);
+ NSC_DestroyObject(hSession, privateKey->handle);
+ sftk_FreeObject(privateKey);
+ return crv;
+ }
+
+ *phPrivateKey = privateKey->handle;
+ *phPublicKey = publicKey->handle;
+ sftk_FreeObject(publicKey);
+ sftk_FreeObject(privateKey);
+
+ return CKR_OK;
+}
+
+static SECItem *
+sftk_PackagePrivateKey(SFTKObject *key, CK_RV *crvp)
+{
+ NSSLOWKEYPrivateKey *lk = NULL;
+ NSSLOWKEYPrivateKeyInfo *pki = NULL;
+ SFTKAttribute *attribute = NULL;
+ PLArenaPool *arena = NULL;
+ SECOidTag algorithm = SEC_OID_UNKNOWN;
+ void *dummy, *param = NULL;
+ SECStatus rv = SECSuccess;
+ SECItem *encodedKey = NULL;
+#ifdef EC_DEBUG
+ SECItem *fordebug;
+#endif
+ int savelen;
+
+ if (!key) {
+ *crvp = CKR_KEY_HANDLE_INVALID; /* really can't happen */
+ return NULL;
+ }
+
+ attribute = sftk_FindAttribute(key, CKA_KEY_TYPE);
+ if (!attribute) {
+ *crvp = CKR_KEY_TYPE_INCONSISTENT;
+ return NULL;
+ }
+
+ lk = sftk_GetPrivKey(key, *(CK_KEY_TYPE *)attribute->attrib.pValue, crvp);
+ sftk_FreeAttribute(attribute);
+ if (!lk) {
+ return NULL;
+ }
+
+ arena = PORT_NewArena(2048); /* XXX different size? */
+ if (!arena) {
+ *crvp = CKR_HOST_MEMORY;
+ rv = SECFailure;
+ goto loser;
+ }
+
+ pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPrivateKeyInfo));
+ if (!pki) {
+ *crvp = CKR_HOST_MEMORY;
+ rv = SECFailure;
+ goto loser;
+ }
+ pki->arena = arena;
+
+ param = NULL;
+ switch (lk->keyType) {
+ case NSSLOWKEYRSAKey:
+ prepare_low_rsa_priv_key_for_asn1(lk);
+ dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
+ nsslowkey_RSAPrivateKeyTemplate);
+
+ /* determine RSA key type from the CKA_PUBLIC_KEY_INFO if present */
+ attribute = sftk_FindAttribute(key, CKA_PUBLIC_KEY_INFO);
+ if (attribute) {
+ NSSLOWKEYSubjectPublicKeyInfo *publicKeyInfo;
+ SECItem spki;
+
+ spki.data = attribute->attrib.pValue;
+ spki.len = attribute->attrib.ulValueLen;
+
+ publicKeyInfo = PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYSubjectPublicKeyInfo));
+ if (!publicKeyInfo) {
+ sftk_FreeAttribute(attribute);
+ *crvp = CKR_HOST_MEMORY;
+ rv = SECFailure;
+ goto loser;
+ }
+ rv = SEC_QuickDERDecodeItem(arena, publicKeyInfo,
+ nsslowkey_SubjectPublicKeyInfoTemplate,
+ &spki);
+ if (rv != SECSuccess) {
+ sftk_FreeAttribute(attribute);
+ *crvp = CKR_KEY_TYPE_INCONSISTENT;
+ goto loser;
+ }
+ algorithm = SECOID_GetAlgorithmTag(&publicKeyInfo->algorithm);
+ if (algorithm != SEC_OID_PKCS1_RSA_ENCRYPTION &&
+ algorithm != SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ sftk_FreeAttribute(attribute);
+ rv = SECFailure;
+ *crvp = CKR_KEY_TYPE_INCONSISTENT;
+ goto loser;
+ }
+ param = SECITEM_DupItem(&publicKeyInfo->algorithm.parameters);
+ if (!param) {
+ sftk_FreeAttribute(attribute);
+ rv = SECFailure;
+ *crvp = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sftk_FreeAttribute(attribute);
+ } else {
+ /* default to PKCS #1 */
+ algorithm = SEC_OID_PKCS1_RSA_ENCRYPTION;
+ }
+ break;
+ case NSSLOWKEYDSAKey:
+ prepare_low_dsa_priv_key_export_for_asn1(lk);
+ dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
+ nsslowkey_DSAPrivateKeyExportTemplate);
+ prepare_low_pqg_params_for_asn1(&lk->u.dsa.params);
+ param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
+ nsslowkey_PQGParamsTemplate);
+ algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
+ break;
+ case NSSLOWKEYECKey:
+ prepare_low_ec_priv_key_for_asn1(lk);
+ /* Public value is encoded as a bit string so adjust length
+ * to be in bits before ASN encoding and readjust
+ * immediately after.
+ *
+ * Since the SECG specification recommends not including the
+ * parameters as part of ECPrivateKey, we zero out the curveOID
+ * length before encoding and restore it later.
+ */
+ lk->u.ec.publicValue.len <<= 3;
+ savelen = lk->u.ec.ecParams.curveOID.len;
+ lk->u.ec.ecParams.curveOID.len = 0;
+ dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
+ nsslowkey_ECPrivateKeyTemplate);
+ lk->u.ec.ecParams.curveOID.len = savelen;
+ lk->u.ec.publicValue.len >>= 3;
+
+#ifdef EC_DEBUG
+ fordebug = &pki->privateKey;
+ SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType,
+ fordebug);
+#endif
+
+ param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding);
+
+ algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
+ break;
+ case NSSLOWKEYDHKey:
+ default:
+ dummy = NULL;
+ break;
+ }
+
+ if (!dummy || ((lk->keyType == NSSLOWKEYDSAKey) && !param)) {
+ *crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
+ rv = SECFailure;
+ goto loser;
+ }
+
+ rv = SECOID_SetAlgorithmID(arena, &pki->algorithm, algorithm,
+ (SECItem *)param);
+ if (rv != SECSuccess) {
+ *crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
+ rv = SECFailure;
+ goto loser;
+ }
+
+ dummy = SEC_ASN1EncodeInteger(arena, &pki->version,
+ NSSLOWKEY_PRIVATE_KEY_INFO_VERSION);
+ if (!dummy) {
+ *crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
+ rv = SECFailure;
+ goto loser;
+ }
+
+ encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki,
+ nsslowkey_PrivateKeyInfoTemplate);
+ *crvp = encodedKey ? CKR_OK : CKR_DEVICE_ERROR;
+
+#ifdef EC_DEBUG
+ fordebug = encodedKey;
+ SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKeyInfo", lk->keyType,
+ fordebug);
+#endif
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+
+ if (lk && (lk != key->objectInfo)) {
+ nsslowkey_DestroyPrivateKey(lk);
+ }
+
+ if (param) {
+ SECITEM_ZfreeItem((SECItem *)param, PR_TRUE);
+ }
+
+ if (rv != SECSuccess) {
+ return NULL;
+ }
+
+ return encodedKey;
+}
+
+/* it doesn't matter yet, since we colapse error conditions in the
+ * level above, but we really should map those few key error differences */
+static CK_RV
+sftk_mapWrap(CK_RV crv)
+{
+ switch (crv) {
+ case CKR_ENCRYPTED_DATA_INVALID:
+ crv = CKR_WRAPPED_KEY_INVALID;
+ break;
+ }
+ return crv;
+}
+
+/* NSC_WrapKey wraps (i.e., encrypts) a key. */
+CK_RV
+NSC_WrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hWrappingKey,
+ CK_OBJECT_HANDLE hKey, CK_BYTE_PTR pWrappedKey,
+ CK_ULONG_PTR pulWrappedKeyLen)
+{
+ SFTKSession *session;
+ SFTKAttribute *attribute;
+ SFTKObject *key;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ key = sftk_ObjectFromHandle(hKey, session);
+ if (key == NULL) {
+ sftk_FreeSession(session);
+ return CKR_KEY_HANDLE_INVALID;
+ }
+
+ switch (key->objclass) {
+ case CKO_SECRET_KEY: {
+ SFTKSessionContext *context = NULL;
+ SECItem pText;
+
+ attribute = sftk_FindAttribute(key, CKA_VALUE);
+
+ if (attribute == NULL) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey,
+ CKA_WRAP, CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
+ if (crv != CKR_OK) {
+ sftk_FreeAttribute(attribute);
+ break;
+ }
+
+ pText.type = siBuffer;
+ pText.data = (unsigned char *)attribute->attrib.pValue;
+ pText.len = attribute->attrib.ulValueLen;
+
+ /* Find out if this is a block cipher. */
+ crv = sftk_GetContext(hSession, &context, SFTK_ENCRYPT, PR_FALSE, NULL);
+ if (crv != CKR_OK || !context)
+ break;
+ if (context->blockSize > 1) {
+ unsigned int remainder = pText.len % context->blockSize;
+ if (!context->doPad && remainder) {
+ /* When wrapping secret keys with unpadded block ciphers,
+ ** the keys are zero padded, if necessary, to fill out
+ ** a full block.
+ */
+ pText.len += context->blockSize - remainder;
+ pText.data = PORT_ZAlloc(pText.len);
+ if (pText.data)
+ memcpy(pText.data, attribute->attrib.pValue,
+ attribute->attrib.ulValueLen);
+ else {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ }
+ }
+
+ crv = NSC_Encrypt(hSession, (CK_BYTE_PTR)pText.data,
+ pText.len, pWrappedKey, pulWrappedKeyLen);
+ /* always force a finalize, both on errors and when
+ * we are just getting the size */
+ if (crv != CKR_OK || pWrappedKey == NULL) {
+ CK_RV lcrv;
+ lcrv = sftk_GetContext(hSession, &context,
+ SFTK_ENCRYPT, PR_FALSE, NULL);
+ sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
+ if (lcrv == CKR_OK && context) {
+ sftk_FreeContext(context);
+ }
+ }
+
+ if (pText.data != (unsigned char *)attribute->attrib.pValue)
+ PORT_ZFree(pText.data, pText.len);
+ sftk_FreeAttribute(attribute);
+ break;
+ }
+
+ case CKO_PRIVATE_KEY: {
+ SECItem *bpki = sftk_PackagePrivateKey(key, &crv);
+ SFTKSessionContext *context = NULL;
+
+ if (!bpki) {
+ break;
+ }
+
+ crv = sftk_CryptInit(hSession, pMechanism, hWrappingKey,
+ CKA_WRAP, CKA_WRAP, SFTK_ENCRYPT, PR_TRUE);
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(bpki, PR_TRUE);
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+
+ crv = NSC_Encrypt(hSession, bpki->data, bpki->len,
+ pWrappedKey, pulWrappedKeyLen);
+ /* always force a finalize */
+ if (crv != CKR_OK || pWrappedKey == NULL) {
+ CK_RV lcrv;
+ lcrv = sftk_GetContext(hSession, &context,
+ SFTK_ENCRYPT, PR_FALSE, NULL);
+ sftk_SetContextByType(session, SFTK_ENCRYPT, NULL);
+ if (lcrv == CKR_OK && context) {
+ sftk_FreeContext(context);
+ }
+ }
+ SECITEM_ZfreeItem(bpki, PR_TRUE);
+ break;
+ }
+
+ default:
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ sftk_FreeObject(key);
+ sftk_FreeSession(session);
+ return sftk_mapWrap(crv);
+}
+
+/*
+ * import a pprivate key info into the desired slot
+ */
+static SECStatus
+sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki)
+{
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_KEY_TYPE keyType = CKK_RSA;
+ SECStatus rv = SECFailure;
+ const SEC_ASN1Template *keyTemplate, *paramTemplate;
+ void *paramDest = NULL;
+ PLArenaPool *arena;
+ NSSLOWKEYPrivateKey *lpk = NULL;
+ NSSLOWKEYPrivateKeyInfo *pki = NULL;
+ CK_RV crv = CKR_KEY_TYPE_INCONSISTENT;
+
+ arena = PORT_NewArena(2048);
+ if (!arena) {
+ return SECFailure;
+ }
+
+ pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPrivateKeyInfo));
+ if (!pki) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return SECFailure;
+ }
+
+ if (SEC_ASN1DecodeItem(arena, pki, nsslowkey_PrivateKeyInfoTemplate, bpki) != SECSuccess) {
+ PORT_FreeArena(arena, PR_TRUE);
+ return SECFailure;
+ }
+
+ lpk = (NSSLOWKEYPrivateKey *)PORT_ArenaZAlloc(arena,
+ sizeof(NSSLOWKEYPrivateKey));
+ if (lpk == NULL) {
+ goto loser;
+ }
+ lpk->arena = arena;
+
+ switch (SECOID_GetAlgorithmTag(&pki->algorithm)) {
+ case SEC_OID_PKCS1_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+ keyTemplate = nsslowkey_RSAPrivateKeyTemplate;
+ paramTemplate = NULL;
+ paramDest = NULL;
+ lpk->keyType = NSSLOWKEYRSAKey;
+ prepare_low_rsa_priv_key_for_asn1(lpk);
+ break;
+ case SEC_OID_ANSIX9_DSA_SIGNATURE:
+ keyTemplate = nsslowkey_DSAPrivateKeyExportTemplate;
+ paramTemplate = nsslowkey_PQGParamsTemplate;
+ paramDest = &(lpk->u.dsa.params);
+ lpk->keyType = NSSLOWKEYDSAKey;
+ prepare_low_dsa_priv_key_export_for_asn1(lpk);
+ prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params);
+ break;
+ /* case NSSLOWKEYDHKey: */
+ case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+ keyTemplate = nsslowkey_ECPrivateKeyTemplate;
+ paramTemplate = NULL;
+ paramDest = &(lpk->u.ec.ecParams.DEREncoding);
+ lpk->keyType = NSSLOWKEYECKey;
+ prepare_low_ec_priv_key_for_asn1(lpk);
+ prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
+ break;
+ default:
+ keyTemplate = NULL;
+ paramTemplate = NULL;
+ paramDest = NULL;
+ break;
+ }
+
+ if (!keyTemplate) {
+ goto loser;
+ }
+
+ /* decode the private key and any algorithm parameters */
+ rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
+
+ if (lpk->keyType == NSSLOWKEYECKey) {
+ /* convert length in bits to length in bytes */
+ lpk->u.ec.publicValue.len >>= 3;
+ rv = SECITEM_CopyItem(arena,
+ &(lpk->u.ec.ecParams.DEREncoding),
+ &(pki->algorithm.parameters));
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ if (paramDest && paramTemplate) {
+ rv = SEC_QuickDERDecodeItem(arena, paramDest, paramTemplate,
+ &(pki->algorithm.parameters));
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+ rv = SECFailure;
+
+ switch (lpk->keyType) {
+ case NSSLOWKEYRSAKey:
+ keyType = CKK_RSA;
+ if (sftk_hasAttribute(key, CKA_NSS_DB)) {
+ sftk_DeleteAttributeType(key, CKA_NSS_DB);
+ }
+ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
+ sizeof(keyType));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_UNWRAP, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_DECRYPT, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_MODULUS,
+ sftk_item_expand(&lpk->u.rsa.modulus));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&lpk->u.rsa.publicExponent));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PRIVATE_EXPONENT,
+ sftk_item_expand(&lpk->u.rsa.privateExponent));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PRIME_1,
+ sftk_item_expand(&lpk->u.rsa.prime1));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PRIME_2,
+ sftk_item_expand(&lpk->u.rsa.prime2));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_EXPONENT_1,
+ sftk_item_expand(&lpk->u.rsa.exponent1));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_EXPONENT_2,
+ sftk_item_expand(&lpk->u.rsa.exponent2));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_COEFFICIENT,
+ sftk_item_expand(&lpk->u.rsa.coefficient));
+ break;
+ case NSSLOWKEYDSAKey:
+ keyType = CKK_DSA;
+ crv = (sftk_hasAttribute(key, CKA_NSS_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT;
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
+ sizeof(keyType));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_PRIME,
+ sftk_item_expand(&lpk->u.dsa.params.prime));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SUBPRIME,
+ sftk_item_expand(&lpk->u.dsa.params.subPrime));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_BASE,
+ sftk_item_expand(&lpk->u.dsa.params.base));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_VALUE,
+ sftk_item_expand(&lpk->u.dsa.privateValue));
+ if (crv != CKR_OK)
+ break;
+ break;
+#ifdef notdef
+ case NSSLOWKEYDHKey:
+ template = dhTemplate;
+ templateCount = sizeof(dhTemplate) / sizeof(CK_ATTRIBUTE);
+ keyType = CKK_DH;
+ break;
+#endif
+ /* what about fortezza??? */
+ case NSSLOWKEYECKey:
+ keyType = CKK_EC;
+ crv = (sftk_hasAttribute(key, CKA_NSS_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT;
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
+ sizeof(keyType));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_SIGN_RECOVER, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_DERIVE, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_EC_PARAMS,
+ sftk_item_expand(&lpk->u.ec.ecParams.DEREncoding));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(key, CKA_VALUE,
+ sftk_item_expand(&lpk->u.ec.privateValue));
+ if (crv != CKR_OK)
+ break;
+ /* XXX Do we need to decode the EC Params here ?? */
+ break;
+ default:
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* For RSA-PSS, record the original algorithm parameters so
+ * they can be encrypted altoghether when wrapping */
+ if (SECOID_GetAlgorithmTag(&pki->algorithm) == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ NSSLOWKEYSubjectPublicKeyInfo spki;
+ NSSLOWKEYPublicKey pubk;
+ SECItem *publicKeyInfo;
+
+ memset(&spki, 0, sizeof(NSSLOWKEYSubjectPublicKeyInfo));
+ rv = SECOID_CopyAlgorithmID(arena, &spki.algorithm, &pki->algorithm);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ prepare_low_rsa_pub_key_for_asn1(&pubk);
+
+ rv = SECITEM_CopyItem(arena, &pubk.u.rsa.modulus, &lpk->u.rsa.modulus);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ rv = SECITEM_CopyItem(arena, &pubk.u.rsa.publicExponent, &lpk->u.rsa.publicExponent);
+ if (rv != SECSuccess) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ if (SEC_ASN1EncodeItem(arena, &spki.subjectPublicKey,
+ &pubk, nsslowkey_RSAPublicKeyTemplate) == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ publicKeyInfo = SEC_ASN1EncodeItem(arena, NULL,
+ &spki, nsslowkey_SubjectPublicKeyInfoTemplate);
+ if (!publicKeyInfo) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(key, CKA_PUBLIC_KEY_INFO,
+ sftk_item_expand(publicKeyInfo));
+ }
+
+loser:
+ if (lpk) {
+ nsslowkey_DestroyPrivateKey(lpk);
+ }
+
+ if (crv != CKR_OK) {
+ return SECFailure;
+ }
+
+ return SECSuccess;
+}
+
+/* NSC_UnwrapKey unwraps (decrypts) a wrapped key, creating a new key object. */
+CK_RV
+NSC_UnwrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hUnwrappingKey,
+ CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ SFTKObject *key = NULL;
+ SFTKSession *session;
+ CK_ULONG key_length = 0;
+ unsigned char *buf = NULL;
+ CK_RV crv = CKR_OK;
+ int i;
+ CK_ULONG bsize = ulWrappedKeyLen;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SECItem bpki;
+ CK_OBJECT_CLASS target_type = CKO_SECRET_KEY;
+
+ CHECK_FORK();
+
+ if (!slot) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ key = sftk_NewObject(slot); /* fill in the handle later */
+ if (key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /*
+ * load the template values into the object
+ */
+ for (i = 0; i < (int)ulAttributeCount; i++) {
+ if (pTemplate[i].type == CKA_VALUE_LEN) {
+ key_length = *(CK_ULONG *)pTemplate[i].pValue;
+ continue;
+ }
+ if (pTemplate[i].type == CKA_CLASS) {
+ target_type = *(CK_OBJECT_CLASS *)pTemplate[i].pValue;
+ }
+ crv = sftk_AddAttributeType(key, sftk_attr_expand(&pTemplate[i]));
+ if (crv != CKR_OK)
+ break;
+ }
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ crv = sftk_CryptInit(hSession, pMechanism, hUnwrappingKey, CKA_UNWRAP,
+ CKA_UNWRAP, SFTK_DECRYPT, PR_FALSE);
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return sftk_mapWrap(crv);
+ }
+
+ /* allocate the buffer to decrypt into
+ * this assumes the unwrapped key is never larger than the
+ * wrapped key. For all the mechanisms we support this is true */
+ buf = (unsigned char *)PORT_Alloc(ulWrappedKeyLen);
+ bsize = ulWrappedKeyLen;
+
+ crv = NSC_Decrypt(hSession, pWrappedKey, ulWrappedKeyLen, buf, &bsize);
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ PORT_Free(buf);
+ return sftk_mapWrap(crv);
+ }
+
+ switch (target_type) {
+ case CKO_SECRET_KEY:
+ if (!sftk_hasAttribute(key, CKA_KEY_TYPE)) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ }
+
+ if (key_length == 0 || key_length > bsize) {
+ key_length = bsize;
+ }
+ if (key_length > MAX_KEY_LEN) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+
+ /* add the value */
+ crv = sftk_AddAttributeType(key, CKA_VALUE, buf, key_length);
+ break;
+ case CKO_PRIVATE_KEY:
+ bpki.data = (unsigned char *)buf;
+ bpki.len = bsize;
+ crv = CKR_OK;
+ if (sftk_unwrapPrivateKey(key, &bpki) != SECSuccess) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ }
+ break;
+ default:
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+
+ PORT_ZFree(buf, bsize);
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ /* get the session */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ sftk_FreeObject(key);
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ /* mark the key as FIPS if the previous operation was all FIPS */
+ key->isFIPS = session->lastOpWasFIPS;
+
+ /*
+ * handle the base object stuff
+ */
+ crv = sftk_handleObject(key, session);
+ *phKey = key->handle;
+ sftk_FreeSession(session);
+ sftk_FreeObject(key);
+
+ return crv;
+}
+
+/*
+ * The SSL key gen mechanism create's lots of keys. This function handles the
+ * details of each of these key creation.
+ */
+static CK_RV
+sftk_buildSSLKey(CK_SESSION_HANDLE hSession, SFTKObject *baseKey,
+ PRBool isMacKey, unsigned char *keyBlock, unsigned int keySize,
+ CK_OBJECT_HANDLE *keyHandle)
+{
+ SFTKObject *key;
+ SFTKSession *session;
+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_BBOOL ckfalse = CK_FALSE;
+ CK_RV crv = CKR_HOST_MEMORY;
+
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ *keyHandle = CK_INVALID_HANDLE;
+ key = sftk_NewObject(baseKey->slot);
+ if (key == NULL)
+ return CKR_HOST_MEMORY;
+ sftk_narrowToSessionObject(key)->wasDerived = PR_TRUE;
+
+ crv = sftk_CopyObject(key, baseKey);
+ if (crv != CKR_OK)
+ goto loser;
+ if (isMacKey) {
+ crv = sftk_forceAttribute(key, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_ENCRYPT, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_DECRYPT, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_SIGN, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_WRAP, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ crv = sftk_forceAttribute(key, CKA_UNWRAP, &ckfalse, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ goto loser;
+ }
+ crv = sftk_forceAttribute(key, CKA_VALUE, keyBlock, keySize);
+ if (crv != CKR_OK)
+ goto loser;
+
+ /* get the session */
+ crv = CKR_HOST_MEMORY;
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ goto loser;
+ }
+
+ crv = sftk_handleObject(key, session);
+ sftk_FreeSession(session);
+ *keyHandle = key->handle;
+loser:
+ if (key)
+ sftk_FreeObject(key);
+ return crv;
+}
+
+/*
+ * if there is an error, we need to free the keys we already created in SSL
+ * This is the routine that will do it..
+ */
+static void
+sftk_freeSSLKeys(CK_SESSION_HANDLE session,
+ CK_SSL3_KEY_MAT_OUT *returnedMaterial)
+{
+ if (returnedMaterial->hClientMacSecret != CK_INVALID_HANDLE) {
+ NSC_DestroyObject(session, returnedMaterial->hClientMacSecret);
+ }
+ if (returnedMaterial->hServerMacSecret != CK_INVALID_HANDLE) {
+ NSC_DestroyObject(session, returnedMaterial->hServerMacSecret);
+ }
+ if (returnedMaterial->hClientKey != CK_INVALID_HANDLE) {
+ NSC_DestroyObject(session, returnedMaterial->hClientKey);
+ }
+ if (returnedMaterial->hServerKey != CK_INVALID_HANDLE) {
+ NSC_DestroyObject(session, returnedMaterial->hServerKey);
+ }
+}
+
+/*
+ * when deriving from sensitive and extractable keys, we need to preserve some
+ * of the semantics in the derived key. This helper routine maintains these
+ * semantics.
+ */
+static CK_RV
+sftk_DeriveSensitiveCheck(SFTKObject *baseKey, SFTKObject *destKey,
+ PRBool canBeData)
+{
+ PRBool hasSensitive;
+ PRBool sensitive = PR_FALSE;
+ CK_BBOOL bFalse = CK_FALSE;
+ PRBool hasExtractable;
+ PRBool extractable = PR_TRUE;
+ CK_BBOOL bTrue = CK_TRUE;
+ CK_RV crv = CKR_OK;
+ SFTKAttribute *att;
+ PRBool isData = PR_TRUE;
+
+ if (canBeData) {
+ CK_OBJECT_CLASS objClass;
+
+ /* if the target key is actually data, don't set the unexpected
+ * attributes */
+ crv = sftk_GetULongAttribute(destKey, CKA_CLASS, &objClass);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ if (objClass == CKO_DATA) {
+ return CKR_OK;
+ }
+
+ /* if the base key is data, it doesn't have sensitive attributes,
+ * allow the destKey to get it's own */
+ crv = sftk_GetULongAttribute(baseKey, CKA_CLASS, &objClass);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ if (objClass == CKO_DATA) {
+ isData = PR_TRUE;
+ }
+ }
+
+ hasSensitive = PR_FALSE;
+ att = sftk_FindAttribute(destKey, CKA_SENSITIVE);
+ if (att) {
+ hasSensitive = PR_TRUE;
+ sensitive = (PRBool) * (CK_BBOOL *)att->attrib.pValue;
+ sftk_FreeAttribute(att);
+ }
+
+ hasExtractable = PR_FALSE;
+ att = sftk_FindAttribute(destKey, CKA_EXTRACTABLE);
+ if (att) {
+ hasExtractable = PR_TRUE;
+ extractable = (PRBool) * (CK_BBOOL *)att->attrib.pValue;
+ sftk_FreeAttribute(att);
+ }
+
+ /* don't make a key more accessible */
+ if (sftk_isTrue(baseKey, CKA_SENSITIVE) && hasSensitive &&
+ (sensitive == PR_FALSE)) {
+ return CKR_KEY_FUNCTION_NOT_PERMITTED;
+ }
+ if (!sftk_isTrue(baseKey, CKA_EXTRACTABLE) && hasExtractable &&
+ (extractable == PR_TRUE)) {
+ return CKR_KEY_FUNCTION_NOT_PERMITTED;
+ }
+
+ /* inherit parent's sensitivity */
+ if (!hasSensitive) {
+ att = sftk_FindAttribute(baseKey, CKA_SENSITIVE);
+ if (att != NULL) {
+ crv = sftk_defaultAttribute(destKey,
+ sftk_attr_expand(&att->attrib));
+ sftk_FreeAttribute(att);
+ } else if (isData) {
+ crv = sftk_defaultAttribute(destKey, CKA_SENSITIVE,
+ &bFalse, sizeof(bFalse));
+ } else {
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ if (crv != CKR_OK)
+ return crv;
+ }
+ if (!hasExtractable) {
+ att = sftk_FindAttribute(baseKey, CKA_EXTRACTABLE);
+ if (att != NULL) {
+ crv = sftk_defaultAttribute(destKey,
+ sftk_attr_expand(&att->attrib));
+ sftk_FreeAttribute(att);
+ } else if (isData) {
+ crv = sftk_defaultAttribute(destKey, CKA_EXTRACTABLE,
+ &bTrue, sizeof(bTrue));
+ } else {
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ if (crv != CKR_OK)
+ return crv;
+ }
+
+ /* we should inherit the parent's always extractable/ never sensitive info,
+ * but handleObject always forces this attributes, so we would need to do
+ * something special. */
+ return CKR_OK;
+}
+
+/*
+ * make known fixed PKCS #11 key types to their sizes in bytes
+ */
+unsigned long
+sftk_MapKeySize(CK_KEY_TYPE keyType)
+{
+ switch (keyType) {
+ case CKK_CDMF:
+ return 8;
+ case CKK_DES:
+ return 8;
+ case CKK_DES2:
+ return 16;
+ case CKK_DES3:
+ return 24;
+ /* IDEA and CAST need to be added */
+ default:
+ break;
+ }
+ return 0;
+}
+
+/* Inputs:
+ * key_len: Length of derived key to be generated.
+ * SharedSecret: a shared secret that is the output of a key agreement primitive.
+ * SharedInfo: (Optional) some data shared by the entities computing the secret key.
+ * SharedInfoLen: the length in octets of SharedInfo
+ * Hash: The hash function to be used in the KDF
+ * HashLen: the length in octets of the output of Hash
+ * Output:
+ * key: Pointer to a buffer containing derived key, if return value is SECSuccess.
+ */
+static CK_RV
+sftk_compute_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len, SECItem *SharedSecret,
+ CK_BYTE_PTR SharedInfo, CK_ULONG SharedInfoLen,
+ SECStatus Hash(unsigned char *, const unsigned char *, PRUint32),
+ CK_ULONG HashLen)
+{
+ unsigned char *buffer = NULL, *output_buffer = NULL;
+ PRUint32 buffer_len, max_counter, i;
+ SECStatus rv;
+ CK_RV crv;
+
+ /* Check that key_len isn't too long. The maximum key length could be
+ * greatly increased if the code below did not limit the 4-byte counter
+ * to a maximum value of 255. */
+ if (key_len > 254 * HashLen)
+ return CKR_ARGUMENTS_BAD;
+
+ if (SharedInfo == NULL)
+ SharedInfoLen = 0;
+
+ buffer_len = SharedSecret->len + 4 + SharedInfoLen;
+ buffer = (CK_BYTE *)PORT_Alloc(buffer_len);
+ if (buffer == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ max_counter = key_len / HashLen;
+ if (key_len > max_counter * HashLen)
+ max_counter++;
+
+ output_buffer = (CK_BYTE *)PORT_Alloc(max_counter * HashLen);
+ if (output_buffer == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ /* Populate buffer with SharedSecret || Counter || [SharedInfo]
+ * where Counter is 0x00000001 */
+ PORT_Memcpy(buffer, SharedSecret->data, SharedSecret->len);
+ buffer[SharedSecret->len] = 0;
+ buffer[SharedSecret->len + 1] = 0;
+ buffer[SharedSecret->len + 2] = 0;
+ buffer[SharedSecret->len + 3] = 1;
+ if (SharedInfo) {
+ PORT_Memcpy(&buffer[SharedSecret->len + 4], SharedInfo, SharedInfoLen);
+ }
+
+ for (i = 0; i < max_counter; i++) {
+ rv = Hash(&output_buffer[i * HashLen], buffer, buffer_len);
+ if (rv != SECSuccess) {
+ /* 'Hash' should not fail. */
+ crv = CKR_FUNCTION_FAILED;
+ goto loser;
+ }
+
+ /* Increment counter (assumes max_counter < 255) */
+ buffer[SharedSecret->len + 3]++;
+ }
+
+ PORT_ZFree(buffer, buffer_len);
+ if (key_len < max_counter * HashLen) {
+ PORT_Memset(output_buffer + key_len, 0, max_counter * HashLen - key_len);
+ }
+ *key = output_buffer;
+
+ return CKR_OK;
+
+loser:
+ if (buffer) {
+ PORT_ZFree(buffer, buffer_len);
+ }
+ if (output_buffer) {
+ PORT_ZFree(output_buffer, max_counter * HashLen);
+ }
+ return crv;
+}
+
+static CK_RV
+sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len,
+ SECItem *SharedSecret,
+ CK_BYTE_PTR SharedInfo, CK_ULONG SharedInfoLen,
+ CK_EC_KDF_TYPE kdf)
+{
+ if (kdf == CKD_SHA1_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA1_HashBuf, SHA1_LENGTH);
+ else if (kdf == CKD_SHA224_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA224_HashBuf, SHA224_LENGTH);
+ else if (kdf == CKD_SHA256_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA256_HashBuf, SHA256_LENGTH);
+ else if (kdf == CKD_SHA384_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA384_HashBuf, SHA384_LENGTH);
+ else if (kdf == CKD_SHA512_KDF)
+ return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
+ SharedInfoLen, SHA512_HashBuf, SHA512_LENGTH);
+ else
+ return CKR_MECHANISM_INVALID;
+}
+
+/*
+ * Handle the derive from a block encryption cipher
+ */
+CK_RV
+sftk_DeriveEncrypt(SFTKCipher encrypt, void *cipherInfo,
+ int blockSize, SFTKObject *key, CK_ULONG keySize,
+ unsigned char *data, CK_ULONG len)
+{
+ /* large enough for a 512-bit key */
+ unsigned char tmpdata[SFTK_MAX_DERIVE_KEY_SIZE];
+ SECStatus rv;
+ unsigned int outLen;
+ CK_RV crv;
+
+ if ((len % blockSize) != 0) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (len > SFTK_MAX_DERIVE_KEY_SIZE) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (keySize && (len < keySize)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if (keySize == 0) {
+ keySize = len;
+ }
+
+ rv = (*encrypt)(cipherInfo, &tmpdata, &outLen, len, data, len);
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ return crv;
+ }
+
+ crv = sftk_forceAttribute(key, CKA_VALUE, tmpdata, keySize);
+ PORT_Memset(tmpdata, 0, sizeof tmpdata);
+ return crv;
+}
+
+CK_RV
+sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_SESSION_HANDLE hSession,
+ SFTKObject *sourceKey, const unsigned char *sourceKeyBytes,
+ int sourceKeyLen, SFTKObject *key, unsigned char *outKeyBytes,
+ int keySize, PRBool canBeData, PRBool isFIPS)
+{
+ SFTKSession *session;
+ SFTKAttribute *saltKey_att = NULL;
+ const SECHashObject *rawHash;
+ unsigned hashLen;
+ unsigned genLen = 0;
+ unsigned char hashbuf[HASH_LENGTH_MAX];
+ unsigned char keyBlock[9 * SFTK_MAX_MAC_LENGTH];
+ unsigned char *keyBlockAlloc = NULL; /* allocated keyBlock */
+ unsigned char *keyBlockData = keyBlock; /* pointer to current keyBlock */
+ const unsigned char *prk; /* psuedo-random key */
+ CK_ULONG prkLen;
+ const unsigned char *okm; /* output keying material */
+ HASH_HashType hashType = sftk_GetHashTypeFromMechanism(params->prfHashMechanism);
+ SFTKObject *saltKey = NULL;
+ CK_RV crv = CKR_OK;
+
+ /* Spec says it should be the base hash, but also accept the HMAC */
+ if (hashType == HASH_AlgNULL) {
+ hashType = sftk_HMACMechanismToHash(params->prfHashMechanism);
+ }
+ rawHash = HASH_GetRawHashObject(hashType);
+ if (rawHash == NULL || rawHash->length > sizeof(hashbuf)) {
+ return CKR_MECHANISM_INVALID;
+ }
+ hashLen = rawHash->length;
+
+ if ((!params->bExpand && !params->bExtract) ||
+ (params->bExtract && params->ulSaltLen > 0 && !params->pSalt) ||
+ (params->bExpand && params->ulInfoLen > 0 && !params->pInfo)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ if ((params->bExpand && keySize == 0) ||
+ (!params->bExpand && keySize > hashLen) ||
+ (params->bExpand && keySize > 255 * hashLen)) {
+ return CKR_TEMPLATE_INCONSISTENT;
+ }
+
+ /* sourceKey is NULL if we are called from the POST, skip the
+ * sensitiveCheck */
+ if (sourceKey != NULL) {
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, canBeData);
+ if (crv != CKR_OK)
+ return crv;
+ }
+
+ /* HKDF-Extract(salt, base key value) */
+ if (params->bExtract) {
+ CK_BYTE *salt;
+ CK_ULONG saltLen;
+ HMACContext *hmac;
+ unsigned int bufLen;
+
+ switch (params->ulSaltType) {
+ case CKF_HKDF_SALT_NULL:
+ saltLen = hashLen;
+ salt = hashbuf;
+ memset(salt, 0, saltLen);
+ break;
+ case CKF_HKDF_SALT_DATA:
+ salt = params->pSalt;
+ saltLen = params->ulSaltLen;
+ if ((salt == NULL) || (params->ulSaltLen == 0)) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ break;
+ case CKF_HKDF_SALT_KEY:
+ /* lookup key */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ saltKey = sftk_ObjectFromHandle(params->hSaltKey, session);
+ sftk_FreeSession(session);
+ if (saltKey == NULL) {
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ /* if the base key is not fips, but the salt key is, the
+ * resulting key can be fips */
+ if (isFIPS && (key->isFIPS == 0) && (saltKey->isFIPS == 1)) {
+ CK_MECHANISM mech;
+ mech.mechanism = CKM_HKDF_DERIVE;
+ mech.pParameter = params;
+ mech.ulParameterLen = sizeof(*params);
+ key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
+ CKA_DERIVE, saltKey);
+ }
+ saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
+ if (saltKey_att == NULL) {
+ sftk_FreeObject(saltKey);
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ /* save the resulting salt */
+ salt = saltKey_att->attrib.pValue;
+ saltLen = saltKey_att->attrib.ulValueLen;
+ break;
+ default:
+ return CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+
+ hmac = HMAC_Create(rawHash, salt, saltLen, isFIPS);
+ if (saltKey_att) {
+ sftk_FreeAttribute(saltKey_att);
+ }
+ if (saltKey) {
+ sftk_FreeObject(saltKey);
+ }
+ if (!hmac) {
+ return CKR_HOST_MEMORY;
+ }
+ HMAC_Begin(hmac);
+ HMAC_Update(hmac, sourceKeyBytes, sourceKeyLen);
+ HMAC_Finish(hmac, hashbuf, &bufLen, sizeof(hashbuf));
+ HMAC_Destroy(hmac, PR_TRUE);
+ PORT_Assert(bufLen == rawHash->length);
+ prk = hashbuf;
+ prkLen = bufLen;
+ } else {
+ /* PRK = base key value */
+ prk = sourceKeyBytes;
+ prkLen = sourceKeyLen;
+ }
+
+ /* HKDF-Expand */
+ if (!params->bExpand) {
+ okm = prk;
+ keySize = genLen = hashLen;
+ } else {
+ /* T(1) = HMAC-Hash(prk, "" | info | 0x01)
+ * T(n) = HMAC-Hash(prk, T(n-1) | info | n
+ * key material = T(1) | ... | T(n)
+ */
+ HMACContext *hmac;
+ CK_BYTE bi;
+ unsigned iterations;
+
+ genLen = PR_ROUNDUP(keySize, hashLen);
+ iterations = genLen / hashLen;
+
+ if (genLen > sizeof(keyBlock)) {
+ keyBlockAlloc = PORT_Alloc(genLen);
+ if (keyBlockAlloc == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ keyBlockData = keyBlockAlloc;
+ }
+ hmac = HMAC_Create(rawHash, prk, prkLen, isFIPS);
+ if (hmac == NULL) {
+ PORT_Free(keyBlockAlloc);
+ return CKR_HOST_MEMORY;
+ }
+ for (bi = 1; bi <= iterations && bi > 0; ++bi) {
+ unsigned len;
+ HMAC_Begin(hmac);
+ if (bi > 1) {
+ HMAC_Update(hmac, &keyBlockData[(bi - 2) * hashLen], hashLen);
+ }
+ if (params->ulInfoLen != 0) {
+ HMAC_Update(hmac, params->pInfo, params->ulInfoLen);
+ }
+ HMAC_Update(hmac, &bi, 1);
+ HMAC_Finish(hmac, &keyBlockData[(bi - 1) * hashLen], &len,
+ hashLen);
+ PORT_Assert(len == hashLen);
+ }
+ HMAC_Destroy(hmac, PR_TRUE);
+ okm = &keyBlockData[0];
+ }
+ /* key material = okm */
+ crv = CKR_OK;
+ if (key) {
+ crv = sftk_forceAttribute(key, CKA_VALUE, okm, keySize);
+ } else {
+ PORT_Assert(outKeyBytes != NULL);
+ PORT_Memcpy(outKeyBytes, okm, keySize);
+ }
+ PORT_Memset(keyBlockData, 0, genLen);
+ PORT_Memset(hashbuf, 0, sizeof(hashbuf));
+ PORT_Free(keyBlockAlloc);
+ return crv;
+}
+
+/*
+ * SSL Key generation given pre master secret
+ */
+#define NUM_MIXERS 9
+static const char *const mixers[NUM_MIXERS] = {
+ "A",
+ "BB",
+ "CCC",
+ "DDDD",
+ "EEEEE",
+ "FFFFFF",
+ "GGGGGGG",
+ "HHHHHHHH",
+ "IIIIIIIII"
+};
+#define SSL3_PMS_LENGTH 48
+#define SSL3_MASTER_SECRET_LENGTH 48
+#define SSL3_RANDOM_LENGTH 32
+
+/* NSC_DeriveKey derives a key from a base key, creating a new key object. */
+CK_RV
+NSC_DeriveKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hBaseKey,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey)
+{
+ SFTKSession *session;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ SFTKObject *key;
+ SFTKObject *sourceKey;
+ SFTKAttribute *att = NULL;
+ SFTKAttribute *att2 = NULL;
+ unsigned char *buf;
+ SHA1Context *sha;
+ MD5Context *md5;
+ MD2Context *md2;
+ CK_ULONG macSize;
+ CK_ULONG tmpKeySize;
+ CK_ULONG IVSize;
+ CK_ULONG keySize = 0;
+ CK_RV crv = CKR_OK;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
+ CK_OBJECT_CLASS classType = CKO_SECRET_KEY;
+ CK_KEY_DERIVATION_STRING_DATA *stringPtr;
+ PRBool isTLS = PR_FALSE;
+ PRBool isDH = PR_FALSE;
+ HASH_HashType tlsPrfHash = HASH_AlgNULL;
+ SECStatus rv;
+ int i;
+ unsigned int outLen;
+ unsigned char sha_out[SHA1_LENGTH];
+ unsigned char key_block[NUM_MIXERS * SFTK_MAX_MAC_LENGTH];
+ PRBool isFIPS;
+ HASH_HashType hashType;
+ CK_MECHANISM_TYPE hashMech;
+ PRBool extractValue = PR_TRUE;
+ CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS ikeAppB;
+ CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS *pIkeAppB;
+
+ CHECK_FORK();
+
+ if (!slot) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ if (!pMechanism) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+ CK_MECHANISM_TYPE mechanism = pMechanism->mechanism;
+
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ if (phKey)
+ *phKey = CK_INVALID_HANDLE;
+
+ key = sftk_NewObject(slot); /* fill in the handle later */
+ if (key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ isFIPS = sftk_isFIPS(slot->slotID);
+
+ /*
+ * load the template values into the object
+ */
+ for (i = 0; i < (int)ulAttributeCount; i++) {
+ crv = sftk_AddAttributeType(key, sftk_attr_expand(&pTemplate[i]));
+ if (crv != CKR_OK)
+ break;
+
+ if (pTemplate[i].type == CKA_KEY_TYPE) {
+ keyType = *(CK_KEY_TYPE *)pTemplate[i].pValue;
+ }
+ if (pTemplate[i].type == CKA_VALUE_LEN) {
+ keySize = *(CK_ULONG *)pTemplate[i].pValue;
+ }
+ }
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ if (keySize == 0) {
+ keySize = sftk_MapKeySize(keyType);
+ }
+
+ switch (mechanism) {
+ case CKM_NSS_JPAKE_ROUND2_SHA1: /* fall through */
+ case CKM_NSS_JPAKE_ROUND2_SHA256: /* fall through */
+ case CKM_NSS_JPAKE_ROUND2_SHA384: /* fall through */
+ case CKM_NSS_JPAKE_ROUND2_SHA512:
+ extractValue = PR_FALSE;
+ classType = CKO_PRIVATE_KEY;
+ break;
+ case CKM_NSS_PUB_FROM_PRIV:
+ extractValue = PR_FALSE;
+ classType = CKO_PUBLIC_KEY;
+ break;
+ case CKM_HKDF_DATA: /* fall through */
+ case CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA: /* fall through */
+ case CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA: /* fall through */
+ case CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA:
+ classType = CKO_DATA;
+ break;
+ case CKM_NSS_JPAKE_FINAL_SHA1: /* fall through */
+ case CKM_NSS_JPAKE_FINAL_SHA256: /* fall through */
+ case CKM_NSS_JPAKE_FINAL_SHA384: /* fall through */
+ case CKM_NSS_JPAKE_FINAL_SHA512:
+ extractValue = PR_FALSE;
+ /* fall through */
+ default:
+ classType = CKO_SECRET_KEY;
+ }
+
+ crv = sftk_forceAttribute(key, CKA_CLASS, &classType, sizeof(classType));
+ if (crv != CKR_OK) {
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ /* look up the base key we're deriving with */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ sftk_FreeObject(key);
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ sourceKey = sftk_ObjectFromHandle(hBaseKey, session);
+ sftk_FreeSession(session);
+ /* is this eventually succeeds, lastOpWasFIPS will be set the resulting key's
+ * FIPS state below. */
+ session->lastOpWasFIPS = PR_FALSE;
+ if (sourceKey == NULL) {
+ sftk_FreeObject(key);
+ return CKR_KEY_HANDLE_INVALID;
+ }
+
+ if (extractValue) {
+ /* get the value of the base key */
+ att = sftk_FindAttribute(sourceKey, CKA_VALUE);
+ if (att == NULL) {
+ sftk_FreeObject(key);
+ sftk_FreeObject(sourceKey);
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ }
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey);
+
+ switch (mechanism) {
+ /* get a public key from a private key. nsslowkey_ConvertToPublickey()
+ * will generate the public portion if it doesn't already exist. */
+ case CKM_NSS_PUB_FROM_PRIV: {
+ NSSLOWKEYPrivateKey *privKey;
+ NSSLOWKEYPublicKey *pubKey;
+ int error;
+
+ crv = sftk_GetULongAttribute(sourceKey, CKA_KEY_TYPE, &keyType);
+ if (crv != CKR_OK) {
+ break;
+ }
+
+ /* privKey is stored in sourceKey and will be destroyed when
+ * the sourceKey is freed. */
+ privKey = sftk_GetPrivKey(sourceKey, keyType, &crv);
+ if (privKey == NULL) {
+ break;
+ }
+ pubKey = nsslowkey_ConvertToPublicKey(privKey);
+ if (pubKey == NULL) {
+ error = PORT_GetError();
+ crv = sftk_MapCryptError(error);
+ break;
+ }
+ crv = sftk_PutPubKey(key, sourceKey, keyType, pubKey);
+ nsslowkey_DestroyPublicKey(pubKey);
+ break;
+ }
+ case CKM_NSS_IKE_PRF_DERIVE:
+ if (pMechanism->ulParameterLen !=
+ sizeof(CK_NSS_IKE_PRF_DERIVE_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_ike_prf(hSession, att,
+ (CK_NSS_IKE_PRF_DERIVE_PARAMS *)pMechanism->pParameter, key);
+ break;
+ case CKM_NSS_IKE1_PRF_DERIVE:
+ if (pMechanism->ulParameterLen !=
+ sizeof(CK_NSS_IKE1_PRF_DERIVE_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_ike1_prf(hSession, att,
+ (CK_NSS_IKE1_PRF_DERIVE_PARAMS *)pMechanism->pParameter,
+ key, keySize);
+ break;
+ case CKM_NSS_IKE1_APP_B_PRF_DERIVE:
+ pIkeAppB = (CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS *)pMechanism->pParameter;
+ if (pMechanism->ulParameterLen ==
+ sizeof(CK_MECHANISM_TYPE)) {
+ ikeAppB.prfMechanism = *(CK_MECHANISM_TYPE *)pMechanism->pParameter;
+ ikeAppB.bHasKeygxy = PR_FALSE;
+ ikeAppB.hKeygxy = CK_INVALID_HANDLE;
+ ikeAppB.pExtraData = NULL;
+ ikeAppB.ulExtraDataLen = 0;
+ pIkeAppB = &ikeAppB;
+ } else if (pMechanism->ulParameterLen !=
+ sizeof(CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_ike1_appendix_b_prf(hSession, att, pIkeAppB, key,
+ keySize);
+ break;
+ case CKM_NSS_IKE_PRF_PLUS_DERIVE:
+ if (pMechanism->ulParameterLen !=
+ sizeof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_ike_prf_plus(hSession, att,
+ (CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *)pMechanism->pParameter,
+ key, keySize);
+ break;
+ /*
+ * generate the master secret
+ */
+ case CKM_TLS12_MASTER_KEY_DERIVE:
+ case CKM_TLS12_MASTER_KEY_DERIVE_DH:
+ case CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256:
+ case CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256:
+ case CKM_TLS_MASTER_KEY_DERIVE:
+ case CKM_TLS_MASTER_KEY_DERIVE_DH:
+ case CKM_SSL3_MASTER_KEY_DERIVE:
+ case CKM_SSL3_MASTER_KEY_DERIVE_DH: {
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ssl3_master;
+ SSL3RSAPreMasterSecret *rsa_pms;
+ unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2];
+
+ if ((mechanism == CKM_TLS12_MASTER_KEY_DERIVE) ||
+ (mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ CK_TLS12_MASTER_KEY_DERIVE_PARAMS *tls12_master =
+ (CK_TLS12_MASTER_KEY_DERIVE_PARAMS *)pMechanism->pParameter;
+ tlsPrfHash = sftk_GetHashTypeFromMechanism(tls12_master->prfHashMechanism);
+ if (tlsPrfHash == HASH_AlgNULL) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ } else if ((mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256) ||
+ (mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
+ tlsPrfHash = HASH_AlgSHA256;
+ }
+
+ if ((mechanism != CKM_SSL3_MASTER_KEY_DERIVE) &&
+ (mechanism != CKM_SSL3_MASTER_KEY_DERIVE_DH)) {
+ isTLS = PR_TRUE;
+ }
+ if ((mechanism == CKM_SSL3_MASTER_KEY_DERIVE_DH) ||
+ (mechanism == CKM_TLS_MASTER_KEY_DERIVE_DH) ||
+ (mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256) ||
+ (mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) {
+ isDH = PR_TRUE;
+ }
+
+ /* first do the consistency checks */
+ if (!isDH && (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ att2 = sftk_FindAttribute(sourceKey, CKA_KEY_TYPE);
+ if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
+ CKK_GENERIC_SECRET)) {
+ if (att2)
+ sftk_FreeAttribute(att2);
+ crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+ break;
+ }
+ sftk_FreeAttribute(att2);
+ if (keyType != CKK_GENERIC_SECRET) {
+ crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+ break;
+ }
+ if ((keySize != 0) && (keySize != SSL3_MASTER_SECRET_LENGTH)) {
+ crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+ break;
+ }
+
+ /* finally do the key gen */
+ ssl3_master = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)
+ pMechanism->pParameter;
+
+ if (ssl3_master->pVersion) {
+ SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key);
+ rsa_pms = (SSL3RSAPreMasterSecret *)att->attrib.pValue;
+ /* don't leak more key material then necessary for SSL to work */
+ if ((sessKey == NULL) || sessKey->wasDerived) {
+ ssl3_master->pVersion->major = 0xff;
+ ssl3_master->pVersion->minor = 0xff;
+ } else {
+ ssl3_master->pVersion->major = rsa_pms->client_version[0];
+ ssl3_master->pVersion->minor = rsa_pms->client_version[1];
+ }
+ }
+ if (ssl3_master->RandomInfo.ulClientRandomLen != SSL3_RANDOM_LENGTH) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ if (ssl3_master->RandomInfo.ulServerRandomLen != SSL3_RANDOM_LENGTH) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ PORT_Memcpy(crsrdata,
+ ssl3_master->RandomInfo.pClientRandom, SSL3_RANDOM_LENGTH);
+ PORT_Memcpy(crsrdata + SSL3_RANDOM_LENGTH,
+ ssl3_master->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH);
+
+ if (isTLS) {
+ SECStatus status;
+ SECItem crsr = { siBuffer, NULL, 0 };
+ SECItem master = { siBuffer, NULL, 0 };
+ SECItem pms = { siBuffer, NULL, 0 };
+
+ crsr.data = crsrdata;
+ crsr.len = sizeof crsrdata;
+ master.data = key_block;
+ master.len = SSL3_MASTER_SECRET_LENGTH;
+ pms.data = (unsigned char *)att->attrib.pValue;
+ pms.len = att->attrib.ulValueLen;
+
+ if (tlsPrfHash != HASH_AlgNULL) {
+ status = TLS_P_hash(tlsPrfHash, &pms, "master secret",
+ &crsr, &master, isFIPS);
+ } else {
+ status = TLS_PRF(&pms, "master secret", &crsr, &master, isFIPS);
+ }
+ if (status != SECSuccess) {
+ PORT_Memset(crsrdata, 0, sizeof crsrdata);
+ crv = CKR_FUNCTION_FAILED;
+ break;
+ }
+ } else {
+ /* now allocate the hash contexts */
+ md5 = MD5_NewContext();
+ if (md5 == NULL) {
+ PORT_Memset(crsrdata, 0, sizeof crsrdata);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ sha = SHA1_NewContext();
+ if (sha == NULL) {
+ PORT_Memset(crsrdata, 0, sizeof crsrdata);
+ PORT_Free(md5);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ for (i = 0; i < 3; i++) {
+ SHA1_Begin(sha);
+ SHA1_Update(sha, (unsigned char *)mixers[i], strlen(mixers[i]));
+ SHA1_Update(sha, (const unsigned char *)att->attrib.pValue,
+ att->attrib.ulValueLen);
+ SHA1_Update(sha, crsrdata, sizeof crsrdata);
+ SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
+ PORT_Assert(outLen == SHA1_LENGTH);
+
+ MD5_Begin(md5);
+ MD5_Update(md5, (const unsigned char *)att->attrib.pValue,
+ att->attrib.ulValueLen);
+ MD5_Update(md5, sha_out, outLen);
+ MD5_End(md5, &key_block[i * MD5_LENGTH], &outLen, MD5_LENGTH);
+ PORT_Assert(outLen == MD5_LENGTH);
+ }
+ PORT_Free(md5);
+ PORT_Free(sha);
+ PORT_Memset(crsrdata, 0, sizeof crsrdata);
+ PORT_Memset(sha_out, 0, sizeof sha_out);
+ }
+
+ /* store the results */
+ crv = sftk_forceAttribute(key, CKA_VALUE, key_block, SSL3_MASTER_SECRET_LENGTH);
+ PORT_Memset(key_block, 0, sizeof key_block);
+ if (crv != CKR_OK)
+ break;
+ keyType = CKK_GENERIC_SECRET;
+ crv = sftk_forceAttribute(key, CKA_KEY_TYPE, &keyType, sizeof(keyType));
+ if (isTLS) {
+ /* TLS's master secret is used to "sign" finished msgs with PRF. */
+ /* XXX This seems like a hack. But SFTK_Derive only accepts
+ * one "operation" argument. */
+ crv = sftk_forceAttribute(key, CKA_SIGN, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_forceAttribute(key, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ /* While we're here, we might as well force this, too. */
+ crv = sftk_forceAttribute(key, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK)
+ break;
+ }
+ break;
+ }
+
+ /* Extended master key derivation [draft-ietf-tls-session-hash] */
+ case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE:
+ case CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH: {
+ CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *ems_params;
+ SSL3RSAPreMasterSecret *rsa_pms;
+ SECStatus status;
+ SECItem pms = { siBuffer, NULL, 0 };
+ SECItem seed = { siBuffer, NULL, 0 };
+ SECItem master = { siBuffer, NULL, 0 };
+
+ ems_params = (CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS *)
+ pMechanism->pParameter;
+
+ /* First do the consistency checks */
+ if ((mechanism == CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE) &&
+ (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) {
+ crv = CKR_KEY_TYPE_INCONSISTENT;
+ break;
+ }
+ att2 = sftk_FindAttribute(sourceKey, CKA_KEY_TYPE);
+ if ((att2 == NULL) ||
+ (*(CK_KEY_TYPE *)att2->attrib.pValue != CKK_GENERIC_SECRET)) {
+ if (att2)
+ sftk_FreeAttribute(att2);
+ crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+ break;
+ }
+ sftk_FreeAttribute(att2);
+ if (keyType != CKK_GENERIC_SECRET) {
+ crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+ break;
+ }
+ if ((keySize != 0) && (keySize != SSL3_MASTER_SECRET_LENGTH)) {
+ crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+ break;
+ }
+
+ /* Do the key derivation */
+ pms.data = (unsigned char *)att->attrib.pValue;
+ pms.len = att->attrib.ulValueLen;
+ seed.data = ems_params->pSessionHash;
+ seed.len = ems_params->ulSessionHashLen;
+ master.data = key_block;
+ master.len = SSL3_MASTER_SECRET_LENGTH;
+ if (ems_params->prfHashMechanism == CKM_TLS_PRF) {
+ /*
+ * In this case, the session hash is the concatenation of SHA-1
+ * and MD5, so it should be 36 bytes long.
+ */
+ if (seed.len != MD5_LENGTH + SHA1_LENGTH) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+
+ status = TLS_PRF(&pms, "extended master secret",
+ &seed, &master, isFIPS);
+ } else {
+ const SECHashObject *hashObj;
+
+ tlsPrfHash = sftk_GetHashTypeFromMechanism(ems_params->prfHashMechanism);
+ if (tlsPrfHash == HASH_AlgNULL) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+
+ hashObj = HASH_GetRawHashObject(tlsPrfHash);
+ if (seed.len != hashObj->length) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+
+ status = TLS_P_hash(tlsPrfHash, &pms, "extended master secret",
+ &seed, &master, isFIPS);
+ }
+ if (status != SECSuccess) {
+ crv = CKR_FUNCTION_FAILED;
+ break;
+ }
+
+ /* Reflect the version if required */
+ if (ems_params->pVersion) {
+ SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key);
+ rsa_pms = (SSL3RSAPreMasterSecret *)att->attrib.pValue;
+ /* don't leak more key material than necessary for SSL to work */
+ if ((sessKey == NULL) || sessKey->wasDerived) {
+ ems_params->pVersion->major = 0xff;
+ ems_params->pVersion->minor = 0xff;
+ } else {
+ ems_params->pVersion->major = rsa_pms->client_version[0];
+ ems_params->pVersion->minor = rsa_pms->client_version[1];
+ }
+ }
+
+ /* Store the results */
+ crv = sftk_forceAttribute(key, CKA_VALUE, key_block,
+ SSL3_MASTER_SECRET_LENGTH);
+ PORT_Memset(key_block, 0, sizeof key_block);
+ break;
+ }
+
+ case CKM_TLS12_KEY_AND_MAC_DERIVE:
+ case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256:
+ case CKM_TLS_KEY_AND_MAC_DERIVE:
+ case CKM_SSL3_KEY_AND_MAC_DERIVE: {
+ CK_SSL3_KEY_MAT_PARAMS *ssl3_keys;
+ CK_SSL3_KEY_MAT_OUT *ssl3_keys_out;
+ CK_ULONG effKeySize;
+ unsigned int block_needed;
+ unsigned char srcrdata[SSL3_RANDOM_LENGTH * 2];
+
+ if (mechanism == CKM_TLS12_KEY_AND_MAC_DERIVE) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_TLS12_KEY_MAT_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ CK_TLS12_KEY_MAT_PARAMS *tls12_keys =
+ (CK_TLS12_KEY_MAT_PARAMS *)pMechanism->pParameter;
+ tlsPrfHash = sftk_GetHashTypeFromMechanism(tls12_keys->prfHashMechanism);
+ if (tlsPrfHash == HASH_AlgNULL) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ } else if (mechanism == CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) {
+ tlsPrfHash = HASH_AlgSHA256;
+ }
+
+ if (mechanism != CKM_SSL3_KEY_AND_MAC_DERIVE) {
+ isTLS = PR_TRUE;
+ }
+
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv != CKR_OK)
+ break;
+
+ if (att->attrib.ulValueLen != SSL3_MASTER_SECRET_LENGTH) {
+ crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+ break;
+ }
+ att2 = sftk_FindAttribute(sourceKey, CKA_KEY_TYPE);
+ if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue !=
+ CKK_GENERIC_SECRET)) {
+ if (att2)
+ sftk_FreeAttribute(att2);
+ crv = CKR_KEY_FUNCTION_NOT_PERMITTED;
+ break;
+ }
+ sftk_FreeAttribute(att2);
+ md5 = MD5_NewContext();
+ if (md5 == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ sha = SHA1_NewContext();
+ if (sha == NULL) {
+ MD5_DestroyContext(md5, PR_TRUE);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_SSL3_KEY_MAT_PARAMS))) {
+ MD5_DestroyContext(md5, PR_TRUE);
+ SHA1_DestroyContext(sha, PR_TRUE);
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ ssl3_keys = (CK_SSL3_KEY_MAT_PARAMS *)pMechanism->pParameter;
+
+ PORT_Memcpy(srcrdata,
+ ssl3_keys->RandomInfo.pServerRandom, SSL3_RANDOM_LENGTH);
+ PORT_Memcpy(srcrdata + SSL3_RANDOM_LENGTH,
+ ssl3_keys->RandomInfo.pClientRandom, SSL3_RANDOM_LENGTH);
+
+ /*
+ * clear out our returned keys so we can recover on failure
+ */
+ ssl3_keys_out = ssl3_keys->pReturnedKeyMaterial;
+ ssl3_keys_out->hClientMacSecret = CK_INVALID_HANDLE;
+ ssl3_keys_out->hServerMacSecret = CK_INVALID_HANDLE;
+ ssl3_keys_out->hClientKey = CK_INVALID_HANDLE;
+ ssl3_keys_out->hServerKey = CK_INVALID_HANDLE;
+
+ /*
+ * How much key material do we need?
+ */
+ macSize = ssl3_keys->ulMacSizeInBits / 8;
+ effKeySize = ssl3_keys->ulKeySizeInBits / 8;
+ IVSize = ssl3_keys->ulIVSizeInBits / 8;
+ if (keySize == 0) {
+ effKeySize = keySize;
+ }
+
+ /* bIsExport must be false. */
+ if (ssl3_keys->bIsExport) {
+ MD5_DestroyContext(md5, PR_TRUE);
+ SHA1_DestroyContext(sha, PR_TRUE);
+ PORT_Memset(srcrdata, 0, sizeof srcrdata);
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+
+ block_needed = 2 * (macSize + effKeySize + IVSize);
+ PORT_Assert(block_needed <= sizeof key_block);
+ if (block_needed > sizeof key_block)
+ block_needed = sizeof key_block;
+
+ /*
+ * generate the key material: This looks amazingly similar to the
+ * PMS code, and is clearly crying out for a function to provide it.
+ */
+ if (isTLS) {
+ SECStatus status;
+ SECItem srcr = { siBuffer, NULL, 0 };
+ SECItem keyblk = { siBuffer, NULL, 0 };
+ SECItem master = { siBuffer, NULL, 0 };
+
+ srcr.data = srcrdata;
+ srcr.len = sizeof srcrdata;
+ keyblk.data = key_block;
+ keyblk.len = block_needed;
+ master.data = (unsigned char *)att->attrib.pValue;
+ master.len = att->attrib.ulValueLen;
+
+ if (tlsPrfHash != HASH_AlgNULL) {
+ status = TLS_P_hash(tlsPrfHash, &master, "key expansion",
+ &srcr, &keyblk, isFIPS);
+ } else {
+ status = TLS_PRF(&master, "key expansion", &srcr, &keyblk,
+ isFIPS);
+ }
+ if (status != SECSuccess) {
+ goto key_and_mac_derive_fail;
+ }
+ } else {
+ unsigned int block_bytes = 0;
+ /* key_block =
+ * MD5(master_secret + SHA('A' + master_secret +
+ * ServerHello.random + ClientHello.random)) +
+ * MD5(master_secret + SHA('BB' + master_secret +
+ * ServerHello.random + ClientHello.random)) +
+ * MD5(master_secret + SHA('CCC' + master_secret +
+ * ServerHello.random + ClientHello.random)) +
+ * [...];
+ */
+ for (i = 0; i < NUM_MIXERS && block_bytes < block_needed; i++) {
+ SHA1_Begin(sha);
+ SHA1_Update(sha, (unsigned char *)mixers[i], strlen(mixers[i]));
+ SHA1_Update(sha, (const unsigned char *)att->attrib.pValue,
+ att->attrib.ulValueLen);
+ SHA1_Update(sha, srcrdata, sizeof srcrdata);
+ SHA1_End(sha, sha_out, &outLen, SHA1_LENGTH);
+ PORT_Assert(outLen == SHA1_LENGTH);
+ MD5_Begin(md5);
+ MD5_Update(md5, (const unsigned char *)att->attrib.pValue,
+ att->attrib.ulValueLen);
+ MD5_Update(md5, sha_out, outLen);
+ MD5_End(md5, &key_block[i * MD5_LENGTH], &outLen, MD5_LENGTH);
+ PORT_Assert(outLen == MD5_LENGTH);
+ block_bytes += outLen;
+ }
+ PORT_Memset(sha_out, 0, sizeof sha_out);
+ }
+
+ /*
+ * Put the key material where it goes.
+ */
+ i = 0; /* now shows how much consumed */
+
+ /*
+ * The key_block is partitioned as follows:
+ * client_write_MAC_secret[CipherSpec.hash_size]
+ */
+ crv = sftk_buildSSLKey(hSession, key, PR_TRUE, &key_block[i], macSize,
+ &ssl3_keys_out->hClientMacSecret);
+ if (crv != CKR_OK)
+ goto key_and_mac_derive_fail;
+
+ i += macSize;
+
+ /*
+ * server_write_MAC_secret[CipherSpec.hash_size]
+ */
+ crv = sftk_buildSSLKey(hSession, key, PR_TRUE, &key_block[i], macSize,
+ &ssl3_keys_out->hServerMacSecret);
+ if (crv != CKR_OK) {
+ goto key_and_mac_derive_fail;
+ }
+ i += macSize;
+
+ if (keySize) {
+ /*
+ ** Generate Domestic write keys and IVs.
+ ** client_write_key[CipherSpec.key_material]
+ */
+ crv = sftk_buildSSLKey(hSession, key, PR_FALSE, &key_block[i],
+ keySize, &ssl3_keys_out->hClientKey);
+ if (crv != CKR_OK) {
+ goto key_and_mac_derive_fail;
+ }
+ i += keySize;
+
+ /*
+ ** server_write_key[CipherSpec.key_material]
+ */
+ crv = sftk_buildSSLKey(hSession, key, PR_FALSE, &key_block[i],
+ keySize, &ssl3_keys_out->hServerKey);
+ if (crv != CKR_OK) {
+ goto key_and_mac_derive_fail;
+ }
+ i += keySize;
+
+ /*
+ ** client_write_IV[CipherSpec.IV_size]
+ */
+ if (IVSize > 0) {
+ PORT_Memcpy(ssl3_keys_out->pIVClient,
+ &key_block[i], IVSize);
+ i += IVSize;
+ }
+
+ /*
+ ** server_write_IV[CipherSpec.IV_size]
+ */
+ if (IVSize > 0) {
+ PORT_Memcpy(ssl3_keys_out->pIVServer,
+ &key_block[i], IVSize);
+ i += IVSize;
+ }
+ PORT_Assert(i <= sizeof key_block);
+ }
+
+ crv = CKR_OK;
+
+ if (0) {
+ key_and_mac_derive_fail:
+ if (crv == CKR_OK)
+ crv = CKR_FUNCTION_FAILED;
+ sftk_freeSSLKeys(hSession, ssl3_keys_out);
+ }
+ PORT_Memset(srcrdata, 0, sizeof srcrdata);
+ PORT_Memset(key_block, 0, sizeof key_block);
+ MD5_DestroyContext(md5, PR_TRUE);
+ SHA1_DestroyContext(sha, PR_TRUE);
+ sftk_FreeObject(key);
+ key = NULL;
+ break;
+ }
+
+ case CKM_DES3_ECB_ENCRYPT_DATA:
+ case CKM_DES3_CBC_ENCRYPT_DATA: {
+ void *cipherInfo;
+ unsigned char des3key[MAX_DES3_KEY_SIZE];
+ CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr;
+ int mode;
+ unsigned char *iv;
+ unsigned char *data;
+ CK_ULONG len;
+
+ if (mechanism == CKM_DES3_ECB_ENCRYPT_DATA) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
+ pMechanism->pParameter;
+ mode = NSS_DES_EDE3;
+ iv = NULL;
+ data = stringPtr->pData;
+ len = stringPtr->ulLen;
+ } else {
+ mode = NSS_DES_EDE3_CBC;
+ desEncryptPtr =
+ (CK_DES_CBC_ENCRYPT_DATA_PARAMS *)
+ pMechanism->pParameter;
+ iv = desEncryptPtr->iv;
+ data = desEncryptPtr->pData;
+ len = desEncryptPtr->length;
+ }
+ if (att->attrib.ulValueLen == 16) {
+ PORT_Memcpy(des3key, att->attrib.pValue, 16);
+ PORT_Memcpy(des3key + 16, des3key, 8);
+ } else if (att->attrib.ulValueLen == 24) {
+ PORT_Memcpy(des3key, att->attrib.pValue, 24);
+ } else {
+ crv = CKR_KEY_SIZE_RANGE;
+ break;
+ }
+ cipherInfo = DES_CreateContext(des3key, iv, mode, PR_TRUE);
+ PORT_Memset(des3key, 0, 24);
+ if (cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ crv = sftk_DeriveEncrypt((SFTKCipher)DES_Encrypt,
+ cipherInfo, 8, key, keySize,
+ data, len);
+ DES_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+ }
+
+ case CKM_AES_ECB_ENCRYPT_DATA:
+ case CKM_AES_CBC_ENCRYPT_DATA: {
+ void *cipherInfo;
+ CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
+ int mode;
+ unsigned char *iv;
+ unsigned char *data;
+ CK_ULONG len;
+
+ if (mechanism == CKM_AES_ECB_ENCRYPT_DATA) {
+ mode = NSS_AES;
+ iv = NULL;
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
+ data = stringPtr->pData;
+ len = stringPtr->ulLen;
+ } else {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_AES_CBC_ENCRYPT_DATA_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ aesEncryptPtr =
+ (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)pMechanism->pParameter;
+ mode = NSS_AES_CBC;
+ iv = aesEncryptPtr->iv;
+ data = aesEncryptPtr->pData;
+ len = aesEncryptPtr->length;
+ }
+
+ cipherInfo = AES_CreateContext((unsigned char *)att->attrib.pValue,
+ iv, mode, PR_TRUE,
+ att->attrib.ulValueLen, 16);
+ if (cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ crv = sftk_DeriveEncrypt((SFTKCipher)AES_Encrypt,
+ cipherInfo, 16, key, keySize,
+ data, len);
+ AES_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+ }
+
+ case CKM_CAMELLIA_ECB_ENCRYPT_DATA:
+ case CKM_CAMELLIA_CBC_ENCRYPT_DATA: {
+ void *cipherInfo;
+ CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
+ int mode;
+ unsigned char *iv;
+ unsigned char *data;
+ CK_ULONG len;
+
+ if (mechanism == CKM_CAMELLIA_ECB_ENCRYPT_DATA) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
+ pMechanism->pParameter;
+ aesEncryptPtr = NULL;
+ mode = NSS_CAMELLIA;
+ data = stringPtr->pData;
+ len = stringPtr->ulLen;
+ iv = NULL;
+ } else {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_AES_CBC_ENCRYPT_DATA_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ stringPtr = NULL;
+ aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
+ pMechanism->pParameter;
+ mode = NSS_CAMELLIA_CBC;
+ iv = aesEncryptPtr->iv;
+ data = aesEncryptPtr->pData;
+ len = aesEncryptPtr->length;
+ }
+
+ cipherInfo = Camellia_CreateContext((unsigned char *)att->attrib.pValue,
+ iv, mode, PR_TRUE,
+ att->attrib.ulValueLen);
+ if (cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ crv = sftk_DeriveEncrypt((SFTKCipher)Camellia_Encrypt,
+ cipherInfo, 16, key, keySize,
+ data, len);
+ Camellia_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+ }
+
+#ifndef NSS_DISABLE_DEPRECATED_SEED
+ case CKM_SEED_ECB_ENCRYPT_DATA:
+ case CKM_SEED_CBC_ENCRYPT_DATA: {
+ void *cipherInfo;
+ CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
+ int mode;
+ unsigned char *iv;
+ unsigned char *data;
+ CK_ULONG len;
+
+ if (mechanism == CKM_SEED_ECB_ENCRYPT_DATA) {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ mode = NSS_SEED;
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
+ pMechanism->pParameter;
+ aesEncryptPtr = NULL;
+ data = stringPtr->pData;
+ len = stringPtr->ulLen;
+ iv = NULL;
+ } else {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_AES_CBC_ENCRYPT_DATA_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ mode = NSS_SEED_CBC;
+ aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
+ pMechanism->pParameter;
+ iv = aesEncryptPtr->iv;
+ data = aesEncryptPtr->pData;
+ len = aesEncryptPtr->length;
+ }
+
+ cipherInfo = SEED_CreateContext((unsigned char *)att->attrib.pValue,
+ iv, mode, PR_TRUE);
+ if (cipherInfo == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ crv = sftk_DeriveEncrypt((SFTKCipher)SEED_Encrypt,
+ cipherInfo, 16, key, keySize,
+ data, len);
+ SEED_DestroyContext(cipherInfo, PR_TRUE);
+ break;
+ }
+#endif /* NSS_DISABLE_DEPRECATED_SEED */
+
+ case CKM_CONCATENATE_BASE_AND_KEY: {
+ SFTKObject *newKey;
+
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv != CKR_OK)
+ break;
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ crv = CKR_SESSION_HANDLE_INVALID;
+ break;
+ }
+
+ newKey = sftk_ObjectFromHandle(*(CK_OBJECT_HANDLE *)
+ pMechanism->pParameter,
+ session);
+ sftk_FreeSession(session);
+ if (newKey == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+
+ if (sftk_isTrue(newKey, CKA_SENSITIVE)) {
+ crv = sftk_forceAttribute(newKey, CKA_SENSITIVE, &cktrue,
+ sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ sftk_FreeObject(newKey);
+ break;
+ }
+ }
+
+ att2 = sftk_FindAttribute(newKey, CKA_VALUE);
+ if (att2 == NULL) {
+ sftk_FreeObject(newKey);
+ crv = CKR_KEY_HANDLE_INVALID;
+ break;
+ }
+ tmpKeySize = att->attrib.ulValueLen + att2->attrib.ulValueLen;
+ if (keySize == 0)
+ keySize = tmpKeySize;
+ if (keySize > tmpKeySize) {
+ sftk_FreeObject(newKey);
+ sftk_FreeAttribute(att2);
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+ buf = (unsigned char *)PORT_Alloc(tmpKeySize);
+ if (buf == NULL) {
+ sftk_FreeAttribute(att2);
+ sftk_FreeObject(newKey);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+
+ PORT_Memcpy(buf, att->attrib.pValue, att->attrib.ulValueLen);
+ PORT_Memcpy(buf + att->attrib.ulValueLen,
+ att2->attrib.pValue, att2->attrib.ulValueLen);
+
+ crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize);
+ PORT_ZFree(buf, tmpKeySize);
+ sftk_FreeAttribute(att2);
+ sftk_FreeObject(newKey);
+ break;
+ }
+
+ case CKM_CONCATENATE_BASE_AND_DATA:
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv != CKR_OK)
+ break;
+
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
+ tmpKeySize = att->attrib.ulValueLen + stringPtr->ulLen;
+ if (keySize == 0)
+ keySize = tmpKeySize;
+ if (keySize > tmpKeySize) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+ buf = (unsigned char *)PORT_Alloc(tmpKeySize);
+ if (buf == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+
+ PORT_Memcpy(buf, att->attrib.pValue, att->attrib.ulValueLen);
+ PORT_Memcpy(buf + att->attrib.ulValueLen, stringPtr->pData,
+ stringPtr->ulLen);
+
+ crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize);
+ PORT_ZFree(buf, tmpKeySize);
+ break;
+ case CKM_CONCATENATE_DATA_AND_BASE:
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv != CKR_OK)
+ break;
+
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
+ tmpKeySize = att->attrib.ulValueLen + stringPtr->ulLen;
+ if (keySize == 0)
+ keySize = tmpKeySize;
+ if (keySize > tmpKeySize) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+ buf = (unsigned char *)PORT_Alloc(tmpKeySize);
+ if (buf == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+
+ PORT_Memcpy(buf, stringPtr->pData, stringPtr->ulLen);
+ PORT_Memcpy(buf + stringPtr->ulLen, att->attrib.pValue,
+ att->attrib.ulValueLen);
+
+ crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize);
+ PORT_ZFree(buf, tmpKeySize);
+ break;
+ case CKM_XOR_BASE_AND_DATA:
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv != CKR_OK)
+ break;
+
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_KEY_DERIVATION_STRING_DATA))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
+ tmpKeySize = PR_MIN(att->attrib.ulValueLen, stringPtr->ulLen);
+ if (keySize == 0)
+ keySize = tmpKeySize;
+ if (keySize > tmpKeySize) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+ buf = (unsigned char *)PORT_Alloc(keySize);
+ if (buf == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+
+ PORT_Memcpy(buf, att->attrib.pValue, keySize);
+ for (i = 0; i < (int)keySize; i++) {
+ buf[i] ^= stringPtr->pData[i];
+ }
+
+ crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize);
+ PORT_ZFree(buf, keySize);
+ break;
+
+ case CKM_EXTRACT_KEY_FROM_KEY: {
+ if (BAD_PARAM_CAST(pMechanism, sizeof(CK_EXTRACT_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ /* the following assumes 8 bits per byte */
+ CK_ULONG extract = *(CK_EXTRACT_PARAMS *)pMechanism->pParameter;
+ CK_ULONG shift = extract & 0x7; /* extract mod 8 the fast way */
+ CK_ULONG offset = extract >> 3; /* extract div 8 the fast way */
+
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv != CKR_OK)
+ break;
+
+ if (keySize == 0) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ break;
+ }
+ /* make sure we have enough bits in the original key */
+ if (att->attrib.ulValueLen <
+ (offset + keySize + ((shift != 0) ? 1 : 0))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ buf = (unsigned char *)PORT_Alloc(keySize);
+ if (buf == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+
+ /* copy the bits we need into the new key */
+ for (i = 0; i < (int)keySize; i++) {
+ unsigned char *value =
+ ((unsigned char *)att->attrib.pValue) + offset + i;
+ if (shift) {
+ buf[i] = (value[0] << (shift)) | (value[1] >> (8 - shift));
+ } else {
+ buf[i] = value[0];
+ }
+ }
+
+ crv = sftk_forceAttribute(key, CKA_VALUE, buf, keySize);
+ PORT_ZFree(buf, keySize);
+ break;
+ }
+ case CKM_MD2_KEY_DERIVATION:
+ if (keySize == 0)
+ keySize = MD2_LENGTH;
+ if (keySize > MD2_LENGTH) {
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ break;
+ }
+ /* now allocate the hash contexts */
+ md2 = MD2_NewContext();
+ if (md2 == NULL) {
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ MD2_Begin(md2);
+ MD2_Update(md2, (const unsigned char *)att->attrib.pValue,
+ att->attrib.ulValueLen);
+ MD2_End(md2, key_block, &outLen, MD2_LENGTH);
+ MD2_DestroyContext(md2, PR_TRUE);
+
+ crv = sftk_forceAttribute(key, CKA_VALUE, key_block, keySize);
+ PORT_Memset(key_block, 0, MD2_LENGTH);
+ break;
+#define DERIVE_KEY_HASH(hash) \
+ case CKM_##hash##_KEY_DERIVATION: \
+ if (keySize == 0) \
+ keySize = hash##_LENGTH; \
+ if (keySize > hash##_LENGTH) { \
+ crv = CKR_TEMPLATE_INCONSISTENT; \
+ break; \
+ } \
+ hash##_HashBuf(key_block, (const unsigned char *)att->attrib.pValue, \
+ att->attrib.ulValueLen); \
+ crv = sftk_forceAttribute(key, CKA_VALUE, key_block, keySize); \
+ PORT_Memset(key_block, 0, hash##_LENGTH); \
+ break;
+ DERIVE_KEY_HASH(MD5)
+ DERIVE_KEY_HASH(SHA1)
+ DERIVE_KEY_HASH(SHA224)
+ DERIVE_KEY_HASH(SHA256)
+ DERIVE_KEY_HASH(SHA384)
+ DERIVE_KEY_HASH(SHA512)
+
+ case CKM_DH_PKCS_DERIVE: {
+ SECItem derived, dhPublic;
+ SECItem dhPrime, dhValue;
+ const SECItem *subPrime;
+ /* sourceKey - values for the local existing low key */
+ /* get prime and value attributes */
+ crv = sftk_Attribute2SecItem(NULL, &dhPrime, sourceKey, CKA_PRIME);
+ if (crv != CKR_OK)
+ break;
+
+ dhPublic.data = pMechanism->pParameter;
+ dhPublic.len = pMechanism->ulParameterLen;
+
+ /* if the prime is an approved prime, we can skip all the other
+ * checks. */
+ subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS);
+ if (subPrime == NULL) {
+ SECItem dhSubPrime;
+ /* If the caller set the subprime value, it means that
+ * either the caller knows the subprime value and wants us
+ * to validate the key against the subprime, or that the
+ * caller wants us to verify that the prime is a safe prime
+ * by passing in subprime = (prime-1)/2 */
+ dhSubPrime.data = NULL;
+ dhSubPrime.len = 0;
+ crv = sftk_Attribute2SecItem(NULL, &dhSubPrime,
+ sourceKey, CKA_SUBPRIME);
+ /* we ignore the value of crv here, We treat a valid
+ * return of len = 0 and a failure to find a subrime the same
+ * NOTE: we free the subprime in both cases depending on
+ * PORT_Free of NULL to be a noop */
+ if (dhSubPrime.len != 0) {
+ PRBool isSafe = PR_FALSE;
+
+ /* Callers can set dhSubPrime to q=(p-1)/2 to force
+ * checks for safe primes. If so we only need to check
+ * q and p for primality and skip the group test. */
+ rv = sftk_IsSafePrime(&dhPrime, &dhSubPrime, &isSafe);
+ if (rv != SECSuccess) {
+ /* either p or q was even and therefore not prime,
+ * we can stop processing here and fail now */
+ crv = CKR_ARGUMENTS_BAD;
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE);
+ break;
+ }
+
+ /* first make sure the primes are really prime */
+ if (!KEA_PrimeCheck(&dhPrime)) {
+ crv = CKR_ARGUMENTS_BAD;
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE);
+ break;
+ }
+ if (!KEA_PrimeCheck(&dhSubPrime)) {
+ crv = CKR_ARGUMENTS_BAD;
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE);
+ break;
+ }
+ if (isFIPS || !isSafe) {
+ /* With safe primes, there is only one other small
+ * subgroup. As long as y isn't 0, 1, or -1 mod p,
+ * any other y is safe. Only do the full check for
+ * non-safe primes, except in FIPS mode we need
+ * to do this check on all primes in which
+ * we receive the subprime value */
+ if (!KEA_Verify(&dhPublic, &dhPrime, &dhSubPrime)) {
+ crv = CKR_ARGUMENTS_BAD;
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE);
+ break;
+ }
+ }
+ } else if (isFIPS) {
+ /* In FIPS mode we only accept approved primes, or
+ * primes with the full subprime value */
+ crv = CKR_ARGUMENTS_BAD;
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ break;
+ }
+ /* checks are complete, no need for the subPrime any longer */
+ SECITEM_ZfreeItem(&dhSubPrime, PR_FALSE);
+ }
+
+ /* now that the prime is validated, get the private value */
+ crv = sftk_Attribute2SecItem(NULL, &dhValue, sourceKey, CKA_VALUE);
+ if (crv != CKR_OK) {
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ break;
+ }
+
+ /* calculate private value - oct */
+ rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize);
+
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ SECITEM_ZfreeItem(&dhValue, PR_FALSE);
+
+ if (rv == SECSuccess) {
+ sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
+ SECITEM_ZfreeItem(&derived, PR_FALSE);
+ crv = CKR_OK;
+ } else
+ crv = CKR_HOST_MEMORY;
+
+ break;
+ }
+
+ case CKM_ECDH1_DERIVE:
+ case CKM_ECDH1_COFACTOR_DERIVE: {
+ SECItem ecScalar, ecPoint;
+ SECItem tmp;
+ PRBool withCofactor = PR_FALSE;
+ unsigned char *secret;
+ unsigned char *keyData = NULL;
+ unsigned int secretlen, pubKeyLen;
+ CK_ECDH1_DERIVE_PARAMS *mechParams;
+ NSSLOWKEYPrivateKey *privKey;
+ PLArenaPool *arena = NULL;
+
+ /* Check mechanism parameters */
+ mechParams = (CK_ECDH1_DERIVE_PARAMS *)pMechanism->pParameter;
+ if ((pMechanism->ulParameterLen != sizeof(CK_ECDH1_DERIVE_PARAMS)) ||
+ ((mechParams->kdf == CKD_NULL) &&
+ ((mechParams->ulSharedDataLen != 0) ||
+ (mechParams->pSharedData != NULL)))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+
+ privKey = sftk_GetPrivKey(sourceKey, CKK_EC, &crv);
+ if (privKey == NULL) {
+ break;
+ }
+
+ /* Now we are working with a non-NULL private key */
+ SECITEM_CopyItem(NULL, &ecScalar, &privKey->u.ec.privateValue);
+
+ ecPoint.data = mechParams->pPublicData;
+ ecPoint.len = mechParams->ulPublicDataLen;
+
+ pubKeyLen = EC_GetPointSize(&privKey->u.ec.ecParams);
+
+ /* if the len is too large, might be an encoded point */
+ if (ecPoint.len > pubKeyLen) {
+ SECItem newPoint;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ goto ec_loser;
+ }
+
+ rv = SEC_QuickDERDecodeItem(arena, &newPoint,
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
+ &ecPoint);
+ if (rv != SECSuccess) {
+ goto ec_loser;
+ }
+ ecPoint = newPoint;
+ }
+
+ if (mechanism == CKM_ECDH1_COFACTOR_DERIVE) {
+ withCofactor = PR_TRUE;
+ }
+
+ rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar,
+ withCofactor, &tmp);
+ SECITEM_ZfreeItem(&ecScalar, PR_FALSE);
+ ecScalar.data = NULL;
+ if (privKey != sourceKey->objectInfo) {
+ nsslowkey_DestroyPrivateKey(privKey);
+ privKey = NULL;
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ arena = NULL;
+ }
+
+ if (rv != SECSuccess) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ break;
+ }
+
+ /*
+ * apply the kdf function.
+ */
+ if (mechParams->kdf == CKD_NULL) {
+ /*
+ * tmp is the raw data created by ECDH_Derive,
+ * secret and secretlen are the values we will
+ * eventually pass as our generated key.
+ */
+ secret = tmp.data;
+ secretlen = tmp.len;
+ } else {
+ secretlen = keySize;
+ crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
+ &tmp, mechParams->pSharedData,
+ mechParams->ulSharedDataLen, mechParams->kdf);
+ PORT_ZFree(tmp.data, tmp.len);
+ if (crv != CKR_OK) {
+ break;
+ }
+ tmp.data = secret;
+ tmp.len = secretlen;
+ }
+
+ /*
+ * if keySize is supplied, then we are generating a key of a specific
+ * length. This is done by taking the least significant 'keySize'
+ * bytes from the unsigned value calculated by ECDH. Note: this may
+ * mean padding temp with extra leading zeros from what ECDH_Derive
+ * already returned (which itself may contain leading zeros).
+ */
+ if (keySize) {
+ if (secretlen < keySize) {
+ keyData = PORT_ZAlloc(keySize);
+ if (!keyData) {
+ PORT_ZFree(tmp.data, tmp.len);
+ crv = CKR_HOST_MEMORY;
+ break;
+ }
+ PORT_Memcpy(&keyData[keySize - secretlen], secret, secretlen);
+ secret = keyData;
+ } else {
+ secret += (secretlen - keySize);
+ }
+ secretlen = keySize;
+ }
+
+ sftk_forceAttribute(key, CKA_VALUE, secret, secretlen);
+ PORT_ZFree(tmp.data, tmp.len);
+ if (keyData) {
+ PORT_ZFree(keyData, keySize);
+ }
+ break;
+
+ ec_loser:
+ crv = CKR_ARGUMENTS_BAD;
+ SECITEM_ZfreeItem(&ecScalar, PR_FALSE);
+ if (privKey != sourceKey->objectInfo)
+ nsslowkey_DestroyPrivateKey(privKey);
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+ break;
+ }
+ /* See RFC 5869 and CK_NSS_HKDFParams for documentation. */
+ case CKM_NSS_HKDF_SHA1:
+ hashMech = CKM_SHA_1;
+ goto hkdf;
+ case CKM_NSS_HKDF_SHA256:
+ hashMech = CKM_SHA256;
+ goto hkdf;
+ case CKM_NSS_HKDF_SHA384:
+ hashMech = CKM_SHA384;
+ goto hkdf;
+ case CKM_NSS_HKDF_SHA512:
+ hashMech = CKM_SHA512;
+ goto hkdf;
+ hkdf : {
+ const CK_NSS_HKDFParams *params =
+ (const CK_NSS_HKDFParams *)pMechanism->pParameter;
+ CK_HKDF_PARAMS hkdfParams;
+
+ if (pMechanism->ulParameterLen != sizeof(CK_NSS_HKDFParams)) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ hkdfParams.bExtract = params->bExtract;
+ hkdfParams.bExpand = params->bExpand;
+ if (params->pSalt) {
+ hkdfParams.ulSaltType = CKF_HKDF_SALT_DATA;
+ } else {
+ hkdfParams.ulSaltType = CKF_HKDF_SALT_NULL;
+ }
+ hkdfParams.pSalt = params->pSalt;
+ hkdfParams.ulSaltLen = params->ulSaltLen;
+ hkdfParams.hSaltKey = CK_INVALID_HANDLE;
+ hkdfParams.pInfo = params->pInfo;
+ hkdfParams.ulInfoLen = params->ulInfoLen;
+ hkdfParams.prfHashMechanism = hashMech;
+
+ crv = sftk_HKDF(&hkdfParams, hSession, sourceKey,
+ att->attrib.pValue, att->attrib.ulValueLen,
+ key, NULL, keySize, PR_FALSE, isFIPS);
+ } break;
+ case CKM_HKDF_DERIVE:
+ case CKM_HKDF_DATA: /* only difference is the class of key */
+ if ((pMechanism->pParameter == NULL) ||
+ (pMechanism->ulParameterLen != sizeof(CK_HKDF_PARAMS))) {
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ break;
+ }
+ crv = sftk_HKDF((CK_HKDF_PARAMS_PTR)pMechanism->pParameter,
+ hSession, sourceKey, att->attrib.pValue,
+ att->attrib.ulValueLen, key, NULL, keySize, PR_TRUE,
+ isFIPS);
+ break;
+ case CKM_NSS_JPAKE_ROUND2_SHA1:
+ hashType = HASH_AlgSHA1;
+ goto jpake2;
+ case CKM_NSS_JPAKE_ROUND2_SHA256:
+ hashType = HASH_AlgSHA256;
+ goto jpake2;
+ case CKM_NSS_JPAKE_ROUND2_SHA384:
+ hashType = HASH_AlgSHA384;
+ goto jpake2;
+ case CKM_NSS_JPAKE_ROUND2_SHA512:
+ hashType = HASH_AlgSHA512;
+ goto jpake2;
+ jpake2:
+ if (pMechanism->pParameter == NULL ||
+ pMechanism->ulParameterLen != sizeof(CK_NSS_JPAKERound2Params))
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ if (crv == CKR_OK && sftk_isTrue(key, CKA_TOKEN))
+ crv = CKR_TEMPLATE_INCONSISTENT;
+ if (crv == CKR_OK)
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv == CKR_OK)
+ crv = jpake_Round2(hashType,
+ (CK_NSS_JPAKERound2Params *)pMechanism->pParameter,
+ sourceKey, key);
+ break;
+
+ case CKM_NSS_JPAKE_FINAL_SHA1:
+ hashType = HASH_AlgSHA1;
+ goto jpakeFinal;
+ case CKM_NSS_JPAKE_FINAL_SHA256:
+ hashType = HASH_AlgSHA256;
+ goto jpakeFinal;
+ case CKM_NSS_JPAKE_FINAL_SHA384:
+ hashType = HASH_AlgSHA384;
+ goto jpakeFinal;
+ case CKM_NSS_JPAKE_FINAL_SHA512:
+ hashType = HASH_AlgSHA512;
+ goto jpakeFinal;
+ jpakeFinal:
+ if (pMechanism->pParameter == NULL ||
+ pMechanism->ulParameterLen != sizeof(CK_NSS_JPAKEFinalParams))
+ crv = CKR_MECHANISM_PARAM_INVALID;
+ /* We purposely do not do the derive sensitivity check; we want to be
+ able to derive non-sensitive keys while allowing the ROUND1 and
+ ROUND2 keys to be sensitive (which they always are, since they are
+ in the CKO_PRIVATE_KEY class). The caller must include CKA_SENSITIVE
+ in the template in order for the resultant keyblock key to be
+ sensitive.
+ */
+ if (crv == CKR_OK)
+ crv = jpake_Final(hashType,
+ (CK_NSS_JPAKEFinalParams *)pMechanism->pParameter,
+ sourceKey, key);
+ break;
+
+ case CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA: /* fall through */
+ case CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA: /* fall through */
+ case CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA: /* fall through */
+ case CKM_SP800_108_COUNTER_KDF: /* fall through */
+ case CKM_SP800_108_FEEDBACK_KDF: /* fall through */
+ case CKM_SP800_108_DOUBLE_PIPELINE_KDF:
+ crv = sftk_DeriveSensitiveCheck(sourceKey, key, PR_FALSE);
+ if (crv != CKR_OK) {
+ break;
+ }
+
+ crv = kbkdf_Dispatch(mechanism, hSession, pMechanism, sourceKey, key, keySize);
+ break;
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ }
+ if (att) {
+ sftk_FreeAttribute(att);
+ }
+ sftk_FreeObject(sourceKey);
+ if (crv != CKR_OK) {
+ if (key)
+ sftk_FreeObject(key);
+ return crv;
+ }
+
+ /* link the key object into the list */
+ if (key) {
+ SFTKSessionObject *sessKey = sftk_narrowToSessionObject(key);
+ PORT_Assert(sessKey);
+ /* get the session */
+ sessKey->wasDerived = PR_TRUE;
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ sftk_FreeObject(key);
+ return CKR_HOST_MEMORY;
+ }
+
+ crv = sftk_handleObject(key, session);
+ session->lastOpWasFIPS = key->isFIPS;
+ sftk_FreeSession(session);
+ *phKey = key->handle;
+ sftk_FreeObject(key);
+ }
+ return crv;
+}
+
+/* NSC_GetFunctionStatus obtains an updated status of a function running
+ * in parallel with an application. */
+CK_RV
+NSC_GetFunctionStatus(CK_SESSION_HANDLE hSession)
+{
+ CHECK_FORK();
+
+ return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/* NSC_CancelFunction cancels a function running in parallel */
+CK_RV
+NSC_CancelFunction(CK_SESSION_HANDLE hSession)
+{
+ CHECK_FORK();
+
+ return CKR_FUNCTION_NOT_PARALLEL;
+}
+
+/* NSC_GetOperationState saves the state of the cryptographic
+ * operation in a session.
+ * NOTE: This code only works for digest functions for now. eventually need
+ * to add full flatten/resurect to our state stuff so that all types of state
+ * can be saved */
+CK_RV
+NSC_GetOperationState(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen)
+{
+ SFTKSessionContext *context;
+ SFTKSession *session;
+ CK_RV crv;
+ CK_ULONG pOSLen = *pulOperationStateLen;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+
+ *pulOperationStateLen = context->cipherInfoLen + sizeof(CK_MECHANISM_TYPE) + sizeof(SFTKContextType);
+ if (pOperationState == NULL) {
+ sftk_FreeSession(session);
+ return CKR_OK;
+ } else {
+ if (pOSLen < *pulOperationStateLen) {
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ }
+ PORT_Memcpy(pOperationState, &context->type, sizeof(SFTKContextType));
+ pOperationState += sizeof(SFTKContextType);
+ PORT_Memcpy(pOperationState, &context->currentMech,
+ sizeof(CK_MECHANISM_TYPE));
+ pOperationState += sizeof(CK_MECHANISM_TYPE);
+ PORT_Memcpy(pOperationState, context->cipherInfo, context->cipherInfoLen);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+#define sftk_Decrement(stateSize, len) \
+ stateSize = ((stateSize) > (CK_ULONG)(len)) ? ((stateSize) - (CK_ULONG)(len)) : 0;
+
+/* NSC_SetOperationState restores the state of the cryptographic
+ * operation in a session. This is coded like it can restore lots of
+ * states, but it only works for truly flat cipher structures. */
+CK_RV
+NSC_SetOperationState(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pOperationState, CK_ULONG ulOperationStateLen,
+ CK_OBJECT_HANDLE hEncryptionKey, CK_OBJECT_HANDLE hAuthenticationKey)
+{
+ SFTKSessionContext *context;
+ SFTKSession *session;
+ SFTKContextType type;
+ CK_MECHANISM mech;
+ CK_RV crv = CKR_OK;
+
+ CHECK_FORK();
+
+ while (ulOperationStateLen != 0) {
+ /* get what type of state we're dealing with... */
+ PORT_Memcpy(&type, pOperationState, sizeof(SFTKContextType));
+
+ /* fix up session contexts based on type */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+ context = sftk_ReturnContextByType(session, type);
+ sftk_SetContextByType(session, type, NULL);
+ if (context) {
+ sftk_FreeContext(context);
+ }
+ pOperationState += sizeof(SFTKContextType);
+ sftk_Decrement(ulOperationStateLen, sizeof(SFTKContextType));
+
+ /* get the mechanism structure */
+ PORT_Memcpy(&mech.mechanism, pOperationState, sizeof(CK_MECHANISM_TYPE));
+ pOperationState += sizeof(CK_MECHANISM_TYPE);
+ sftk_Decrement(ulOperationStateLen, sizeof(CK_MECHANISM_TYPE));
+ /* should be filled in... but not necessary for hash */
+ mech.pParameter = NULL;
+ mech.ulParameterLen = 0;
+ switch (type) {
+ case SFTK_HASH:
+ crv = NSC_DigestInit(hSession, &mech);
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE,
+ NULL);
+ if (crv != CKR_OK)
+ break;
+ PORT_Memcpy(context->cipherInfo, pOperationState,
+ context->cipherInfoLen);
+ pOperationState += context->cipherInfoLen;
+ sftk_Decrement(ulOperationStateLen, context->cipherInfoLen);
+ break;
+ default:
+ /* do sign/encrypt/decrypt later */
+ crv = CKR_SAVED_STATE_INVALID;
+ }
+ sftk_FreeSession(session);
+ if (crv != CKR_OK)
+ break;
+ }
+ return crv;
+}
+
+/* Dual-function cryptographic operations */
+
+/* NSC_DigestEncryptUpdate continues a multiple-part digesting and encryption
+ * operation. */
+CK_RV
+NSC_DigestEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
+ CK_ULONG_PTR pulEncryptedPartLen)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_EncryptUpdate(hSession, pPart, ulPartLen, pEncryptedPart,
+ pulEncryptedPartLen);
+ if (crv != CKR_OK)
+ return crv;
+ crv = NSC_DigestUpdate(hSession, pPart, ulPartLen);
+
+ return crv;
+}
+
+/* NSC_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_RV
+NSC_DecryptDigestUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedPart, CK_ULONG ulEncryptedPartLen,
+ CK_BYTE_PTR pPart, CK_ULONG_PTR pulPartLen)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_DecryptUpdate(hSession, pEncryptedPart, ulEncryptedPartLen,
+ pPart, pulPartLen);
+ if (crv != CKR_OK)
+ return crv;
+ crv = NSC_DigestUpdate(hSession, pPart, *pulPartLen);
+
+ return crv;
+}
+
+/* NSC_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_RV
+NSC_SignEncryptUpdate(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
+ CK_ULONG ulPartLen, CK_BYTE_PTR pEncryptedPart,
+ CK_ULONG_PTR pulEncryptedPartLen)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_EncryptUpdate(hSession, pPart, ulPartLen, pEncryptedPart,
+ pulEncryptedPartLen);
+ if (crv != CKR_OK)
+ return crv;
+ crv = NSC_SignUpdate(hSession, pPart, ulPartLen);
+
+ return crv;
+}
+
+/* NSC_DecryptVerifyUpdate continues a multiple-part decryption
+ * and verify operation. */
+CK_RV
+NSC_DecryptVerifyUpdate(CK_SESSION_HANDLE hSession,
+ CK_BYTE_PTR pEncryptedData, CK_ULONG ulEncryptedDataLen,
+ CK_BYTE_PTR pData, CK_ULONG_PTR pulDataLen)
+{
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ crv = NSC_DecryptUpdate(hSession, pEncryptedData, ulEncryptedDataLen,
+ pData, pulDataLen);
+ if (crv != CKR_OK)
+ return crv;
+ crv = NSC_VerifyUpdate(hSession, pData, *pulDataLen);
+
+ return crv;
+}
+
+/* NSC_DigestKey continues a multi-part message-digesting operation,
+ * by digesting the value of a secret key as part of the data already digested.
+ */
+CK_RV
+NSC_DigestKey(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
+{
+ SFTKSession *session = NULL;
+ SFTKObject *key = NULL;
+ SFTKAttribute *att;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+
+ key = sftk_ObjectFromHandle(hKey, session);
+ sftk_FreeSession(session);
+ if (key == NULL)
+ return CKR_KEY_HANDLE_INVALID;
+
+ /* PUT ANY DIGEST KEY RESTRICTION CHECKS HERE */
+
+ /* make sure it's a valid key for this operation */
+ if (key->objclass != CKO_SECRET_KEY) {
+ sftk_FreeObject(key);
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ /* get the key value */
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ sftk_FreeObject(key);
+ if (!att) {
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ crv = NSC_DigestUpdate(hSession, (CK_BYTE_PTR)att->attrib.pValue,
+ att->attrib.ulValueLen);
+ sftk_FreeAttribute(att);
+ return crv;
+}
diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h
new file mode 100644
index 0000000000..b0408dc430
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11i.h
@@ -0,0 +1,977 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * Internal data structures and functions used by pkcs11.c
+ */
+#ifndef _PKCS11I_H_
+#define _PKCS11I_H_ 1
+
+#include "nssilock.h"
+#include "seccomon.h"
+#include "secoidt.h"
+#include "lowkeyti.h"
+#include "pkcs11t.h"
+
+#include "sftkdbt.h"
+#include "chacha20poly1305.h"
+#include "hasht.h"
+
+#include "alghmac.h"
+#include "cmac.h"
+
+/*
+ * Configuration Defines
+ *
+ * The following defines affect the space verse speed trade offs of
+ * the PKCS #11 module. For the most part the current settings are optimized
+ * for web servers, where we want faster speed and lower lock contention at
+ * the expense of space.
+ */
+
+/*
+ * The attribute allocation strategy is static allocation:
+ * Attributes are pre-allocated as part of the session object and used from
+ * the object array.
+ */
+#define MAX_OBJS_ATTRS 45 /* number of attributes to preallocate in \
+ * the object (must me the absolute max) */
+#define ATTR_SPACE 50 /* Maximum size of attribute data before extra \
+ * data needs to be allocated. This is set to \
+ * enough space to hold an SSL MASTER secret */
+
+#define NSC_STRICT PR_FALSE /* forces the code to do strict template \
+ * matching when doing C_FindObject on token \
+ * objects. This will slow down search in \
+ * NSS. */
+/* default search block allocations and increments */
+#define NSC_CERT_BLOCK_SIZE 50
+#define NSC_SEARCH_BLOCK_SIZE 5
+#define NSC_SLOT_LIST_BLOCK_SIZE 10
+
+#define NSC_MIN_SESSION_OBJECT_HANDLE 1U
+
+#define NSC_FIPS_MODULE 1
+#define NSC_NON_FIPS_MODULE 0
+
+/* these are data base storage hashes, not cryptographic hashes.. The define
+ * the effective size of the various object hash tables */
+/* clients care more about memory usage than lookup performance on
+ * cyrptographic objects. Clients also have less objects around to play with
+ *
+ * we eventually should make this configurable at runtime! Especially now that
+ * NSS is a shared library.
+ */
+#define SPACE_ATTRIBUTE_HASH_SIZE 32
+#define SPACE_SESSION_OBJECT_HASH_SIZE 32
+#define SPACE_SESSION_HASH_SIZE 32
+#define TIME_ATTRIBUTE_HASH_SIZE 32
+#define TIME_SESSION_OBJECT_HASH_SIZE 1024
+#define TIME_SESSION_HASH_SIZE 1024
+#define MAX_OBJECT_LIST_SIZE 800
+/* how many objects to keep on the free list
+ * before we start freeing them */
+#define MAX_KEY_LEN 256 /* maximum symmetric key length in bytes */
+
+/*
+ * LOG2_BUCKETS_PER_SESSION_LOCK must be a prime number.
+ * With SESSION_HASH_SIZE=1024, LOG2 can be 9, 5, 1, or 0.
+ * With SESSION_HASH_SIZE=4096, LOG2 can be 11, 9, 5, 1, or 0.
+ *
+ * HASH_SIZE LOG2_BUCKETS_PER BUCKETS_PER_LOCK NUMBER_OF_BUCKETS
+ * 1024 9 512 2
+ * 1024 5 32 32
+ * 1024 1 2 512
+ * 1024 0 1 1024
+ * 4096 11 2048 2
+ * 4096 9 512 8
+ * 4096 5 32 128
+ * 4096 1 2 2048
+ * 4096 0 1 4096
+ */
+#define LOG2_BUCKETS_PER_SESSION_LOCK 1
+#define BUCKETS_PER_SESSION_LOCK (1 << (LOG2_BUCKETS_PER_SESSION_LOCK))
+/* NOSPREAD sessionID to hash table index macro has been slower. */
+
+/* define typedefs, double as forward declarations as well */
+typedef struct SFTKAttributeStr SFTKAttribute;
+typedef struct SFTKObjectListStr SFTKObjectList;
+typedef struct SFTKObjectFreeListStr SFTKObjectFreeList;
+typedef struct SFTKObjectListElementStr SFTKObjectListElement;
+typedef struct SFTKObjectStr SFTKObject;
+typedef struct SFTKSessionObjectStr SFTKSessionObject;
+typedef struct SFTKTokenObjectStr SFTKTokenObject;
+typedef struct SFTKSessionStr SFTKSession;
+typedef struct SFTKSlotStr SFTKSlot;
+typedef struct SFTKSessionContextStr SFTKSessionContext;
+typedef struct SFTKSearchResultsStr SFTKSearchResults;
+typedef struct SFTKHashVerifyInfoStr SFTKHashVerifyInfo;
+typedef struct SFTKHashSignInfoStr SFTKHashSignInfo;
+typedef struct SFTKOAEPInfoStr SFTKOAEPInfo;
+typedef struct SFTKPSSSignInfoStr SFTKPSSSignInfo;
+typedef struct SFTKPSSVerifyInfoStr SFTKPSSVerifyInfo;
+typedef struct SFTKSSLMACInfoStr SFTKSSLMACInfo;
+typedef struct SFTKChaCha20Poly1305InfoStr SFTKChaCha20Poly1305Info;
+typedef struct SFTKChaCha20CtrInfoStr SFTKChaCha20CtrInfo;
+typedef struct SFTKItemTemplateStr SFTKItemTemplate;
+
+/* define function pointer typdefs for pointer tables */
+typedef void (*SFTKDestroy)(void *, PRBool);
+typedef void (*SFTKBegin)(void *);
+typedef SECStatus (*SFTKCipher)(void *, void *, unsigned int *, unsigned int,
+ void *, unsigned int);
+typedef SECStatus (*SFTKAEADCipher)(void *, void *, unsigned int *,
+ unsigned int, void *, unsigned int,
+ void *, unsigned int, void *, unsigned int);
+typedef SECStatus (*SFTKVerify)(void *, void *, unsigned int, void *, unsigned int);
+typedef void (*SFTKHash)(void *, const void *, unsigned int);
+typedef void (*SFTKEnd)(void *, void *, unsigned int *, unsigned int);
+typedef void (*SFTKFree)(void *);
+
+/* Value to tell if an attribute is modifiable or not.
+ * NEVER: attribute is only set on creation.
+ * ONCOPY: attribute is set on creation and can only be changed on copy.
+ * SENSITIVE: attribute can only be changed to TRUE.
+ * ALWAYS: attribute can always be changed.
+ */
+typedef enum {
+ SFTK_NEVER = 0,
+ SFTK_ONCOPY = 1,
+ SFTK_SENSITIVE = 2,
+ SFTK_ALWAYS = 3
+} SFTKModifyType;
+
+/*
+ * Free Status Enum... tell us more information when we think we're
+ * deleting an object.
+ */
+typedef enum {
+ SFTK_DestroyFailure,
+ SFTK_Destroyed,
+ SFTK_Busy
+} SFTKFreeStatus;
+
+/*
+ * attribute values of an object.
+ */
+struct SFTKAttributeStr {
+ SFTKAttribute *next;
+ SFTKAttribute *prev;
+ PRBool freeAttr;
+ PRBool freeData;
+ /*must be called handle to make sftkqueue_find work */
+ CK_ATTRIBUTE_TYPE handle;
+ CK_ATTRIBUTE attrib;
+ unsigned char space[ATTR_SPACE];
+};
+
+/*
+ * doubly link list of objects
+ */
+struct SFTKObjectListStr {
+ SFTKObjectList *next;
+ SFTKObjectList *prev;
+ SFTKObject *parent;
+};
+
+struct SFTKObjectFreeListStr {
+ SFTKObject *head;
+ PZLock *lock;
+ int count;
+};
+
+/*
+ * PKCS 11 crypto object structure
+ */
+struct SFTKObjectStr {
+ SFTKObject *next;
+ SFTKObject *prev;
+ CK_OBJECT_CLASS objclass;
+ CK_OBJECT_HANDLE handle;
+ int refCount;
+ PZLock *refLock;
+ SFTKSlot *slot;
+ void *objectInfo;
+ SFTKFree infoFree;
+ PRBool isFIPS;
+};
+
+struct SFTKTokenObjectStr {
+ SFTKObject obj;
+ SECItem dbKey;
+};
+
+struct SFTKSessionObjectStr {
+ SFTKObject obj;
+ SFTKObjectList sessionList;
+ PZLock *attributeLock;
+ SFTKSession *session;
+ PRBool wasDerived;
+ int nextAttr;
+ SFTKAttribute attrList[MAX_OBJS_ATTRS];
+ PRBool optimizeSpace;
+ unsigned int hashSize;
+ SFTKAttribute *head[1];
+};
+
+/*
+ * struct to deal with a temparary list of objects
+ */
+struct SFTKObjectListElementStr {
+ SFTKObjectListElement *next;
+ SFTKObject *object;
+};
+
+/*
+ * Area to hold Search results
+ */
+struct SFTKSearchResultsStr {
+ CK_OBJECT_HANDLE *handles;
+ int size;
+ int index;
+ int array_size;
+};
+
+/*
+ * the universal crypto/hash/sign/verify context structure
+ */
+typedef enum {
+ SFTK_ENCRYPT,
+ SFTK_DECRYPT,
+ SFTK_HASH,
+ SFTK_SIGN,
+ SFTK_SIGN_RECOVER,
+ SFTK_VERIFY,
+ SFTK_VERIFY_RECOVER,
+ SFTK_MESSAGE_ENCRYPT,
+ SFTK_MESSAGE_DECRYPT,
+ SFTK_MESSAGE_SIGN,
+ SFTK_MESSAGE_VERIFY
+} SFTKContextType;
+
+/** max block size of supported block ciphers */
+#define SFTK_MAX_BLOCK_SIZE 16
+/** currently SHA512 is the biggest hash length */
+#define SFTK_MAX_MAC_LENGTH 64
+#define SFTK_INVALID_MAC_SIZE 0xffffffff
+
+/** Particular ongoing operation in session (sign/verify/digest/encrypt/...)
+ *
+ * Understanding sign/verify context:
+ * multi=1 hashInfo=0 block (symmetric) cipher MACing
+ * multi=1 hashInfo=X PKC S/V with prior hashing
+ * multi=0 hashInfo=0 PKC S/V one shot (w/o hashing)
+ * multi=0 hashInfo=X *** shouldn't happen ***
+ */
+struct SFTKSessionContextStr {
+ SFTKContextType type;
+ PRBool multi; /* is multipart */
+ PRBool rsa; /* is rsa */
+ PRBool doPad; /* use PKCS padding for block ciphers */
+ PRBool isXCBC; /* xcbc, use special handling in final */
+ PRBool isFIPS; /* current operation is in FIPS mode */
+ unsigned int blockSize; /* blocksize for padding */
+ unsigned int padDataLength; /* length of the valid data in padbuf */
+ /** latest incomplete block of data for block cipher */
+ unsigned char padBuf[SFTK_MAX_BLOCK_SIZE];
+ /** result of MAC'ing of latest full block of data with block cipher */
+ unsigned char macBuf[SFTK_MAX_BLOCK_SIZE];
+ unsigned char k2[SFTK_MAX_BLOCK_SIZE];
+ unsigned char k3[SFTK_MAX_BLOCK_SIZE];
+ CK_ULONG macSize; /* size of a general block cipher mac*/
+ void *cipherInfo;
+ void *hashInfo;
+ unsigned int cipherInfoLen;
+ CK_MECHANISM_TYPE currentMech;
+ SFTKCipher update;
+ SFTKAEADCipher aeadUpdate;
+ SFTKHash hashUpdate;
+ SFTKEnd end;
+ SFTKDestroy destroy;
+ SFTKDestroy hashdestroy;
+ SFTKVerify verify;
+ unsigned int maxLen;
+ SFTKObject *key;
+};
+
+/*
+ * Sessions (have objects)
+ */
+struct SFTKSessionStr {
+ SFTKSession *next;
+ SFTKSession *prev;
+ CK_SESSION_HANDLE handle;
+ PZLock *objectLock;
+ int objectIDCount;
+ CK_SESSION_INFO info;
+ CK_NOTIFY notify;
+ CK_VOID_PTR appData;
+ SFTKSlot *slot;
+ SFTKSearchResults *search;
+ SFTKSessionContext *enc_context;
+ SFTKSessionContext *hash_context;
+ SFTKSessionContext *sign_context;
+ PRBool lastOpWasFIPS;
+ SFTKObjectList *objects[1];
+};
+
+/*
+ * slots (have sessions and objects)
+ *
+ * The array of sessionLock's protect the session hash table (head[])
+ * as well as the reference count of session objects in that bucket
+ * (head[]->refCount), objectLock protects all elements of the slot's
+ * object hash tables (sessObjHashTable[] and tokObjHashTable), and
+ * sessionObjectHandleCount.
+ * slotLock protects the remaining protected elements:
+ * password, needLogin, isLoggedIn, ssoLoggedIn, and sessionCount,
+ * and pwCheckLock serializes the key database password checks in
+ * NSC_SetPIN and NSC_Login.
+ *
+ * Each of the fields below has the following lifetime as commented
+ * next to the fields:
+ * invariant - This value is set when the slot is first created and
+ * never changed until it is destroyed.
+ * per load - This value is set when the slot is first created, or
+ * when the slot is used to open another directory. Between open and close
+ * this field does not change.
+ * variable - This value changes through the normal process of slot operation.
+ * - reset. The value of this variable is cleared during an open/close
+ * cycles.
+ * - preserved. The value of this variable is preserved over open/close
+ * cycles.
+ */
+struct SFTKSlotStr {
+ CK_SLOT_ID slotID; /* invariant */
+ PZLock *slotLock; /* invariant */
+ PZLock **sessionLock; /* invariant */
+ unsigned int numSessionLocks; /* invariant */
+ unsigned long sessionLockMask; /* invariant */
+ PZLock *objectLock; /* invariant */
+ PRLock *pwCheckLock; /* invariant */
+ PRBool present; /* variable -set */
+ PRBool hasTokens; /* per load */
+ PRBool isLoggedIn; /* variable - reset */
+ PRBool ssoLoggedIn; /* variable - reset */
+ PRBool needLogin; /* per load */
+ PRBool DB_loaded; /* per load */
+ PRBool readOnly; /* per load */
+ PRBool optimizeSpace; /* invariant */
+ SFTKDBHandle *certDB; /* per load */
+ SFTKDBHandle *keyDB; /* per load */
+ int minimumPinLen; /* per load */
+ PRInt32 sessionIDCount; /* atomically incremented */
+ /* (preserved) */
+ int sessionIDConflict; /* not protected by a lock */
+ /* (preserved) */
+ int sessionCount; /* variable - reset */
+ PRInt32 rwSessionCount; /* set by atomic operations */
+ /* (reset) */
+ int sessionObjectHandleCount; /* variable - perserved */
+ CK_ULONG index; /* invariant */
+ PLHashTable *tokObjHashTable; /* invariant */
+ SFTKObject **sessObjHashTable; /* variable - reset */
+ unsigned int sessObjHashSize; /* invariant */
+ SFTKSession **head; /* variable -reset */
+ unsigned int sessHashSize; /* invariant */
+ char tokDescription[33]; /* per load */
+ char updateTokDescription[33]; /* per load */
+ char slotDescription[65]; /* invariant */
+ SFTKSession moduleObjects; /* global session to hang module specific
+ * objects like profile objects or
+ * validation objects */
+};
+
+/*
+ * special joint operations Contexts
+ */
+struct SFTKHashVerifyInfoStr {
+ SECOidTag hashOid;
+ void *params;
+ NSSLOWKEYPublicKey *key;
+};
+
+struct SFTKHashSignInfoStr {
+ SECOidTag hashOid;
+ void *params;
+ NSSLOWKEYPrivateKey *key;
+};
+
+struct SFTKPSSVerifyInfoStr {
+ size_t size; /* must be first */
+ CK_RSA_PKCS_PSS_PARAMS params;
+ NSSLOWKEYPublicKey *key;
+};
+
+struct SFTKPSSSignInfoStr {
+ size_t size; /* must be first */
+ CK_RSA_PKCS_PSS_PARAMS params;
+ NSSLOWKEYPrivateKey *key;
+};
+
+/**
+ * Contexts for RSA-OAEP
+ */
+struct SFTKOAEPInfoStr {
+ CK_RSA_PKCS_OAEP_PARAMS params;
+ PRBool isEncrypt;
+ union {
+ NSSLOWKEYPublicKey *pub;
+ NSSLOWKEYPrivateKey *priv;
+ } key;
+};
+
+/* context for the Final SSLMAC message */
+struct SFTKSSLMACInfoStr {
+ size_t size; /* must be first */
+ void *hashContext;
+ SFTKBegin begin;
+ SFTKHash update;
+ SFTKEnd end;
+ CK_ULONG macSize;
+ int padSize;
+ unsigned char key[MAX_KEY_LEN];
+ unsigned int keySize;
+};
+
+/* SFTKChaCha20Poly1305Info saves the key, tag length, nonce,
+ * and additional data for a ChaCha20+Poly1305 AEAD operation. */
+struct SFTKChaCha20Poly1305InfoStr {
+ ChaCha20Poly1305Context freeblCtx;
+ unsigned char nonce[12];
+ unsigned char ad[16];
+ unsigned char *adOverflow;
+ unsigned int adLen;
+};
+
+/* SFTKChaCha20BlockInfoStr the key, nonce and counter for a
+ * ChaCha20 block operation. */
+struct SFTKChaCha20CtrInfoStr {
+ PRUint8 key[32];
+ PRUint8 nonce[12];
+ PRUint32 counter;
+};
+
+/*
+ * Template based on SECItems, suitable for passing as arrays
+ */
+struct SFTKItemTemplateStr {
+ CK_ATTRIBUTE_TYPE type;
+ SECItem *item;
+};
+
+/* macro for setting SFTKTemplates. */
+#define SFTK_SET_ITEM_TEMPLATE(templ, count, itemPtr, attr) \
+ templ[count].type = attr; \
+ templ[count].item = itemPtr
+
+#define SFTK_MAX_ITEM_TEMPLATE 10
+
+/*
+ * session handle modifiers
+ */
+#define SFTK_SESSION_SLOT_MASK 0xff000000L
+
+/*
+ * object handle modifiers
+ */
+#define SFTK_TOKEN_MASK 0x80000000L
+#define SFTK_TOKEN_MAGIC 0x80000000L
+#define SFTK_TOKEN_TYPE_MASK 0x70000000L
+/* keydb (high bit == 0) */
+#define SFTK_TOKEN_TYPE_PRIV 0x10000000L
+#define SFTK_TOKEN_TYPE_PUB 0x20000000L
+#define SFTK_TOKEN_TYPE_KEY 0x30000000L
+/* certdb (high bit == 1) */
+#define SFTK_TOKEN_TYPE_TRUST 0x40000000L
+#define SFTK_TOKEN_TYPE_CRL 0x50000000L
+#define SFTK_TOKEN_TYPE_SMIME 0x60000000L
+#define SFTK_TOKEN_TYPE_CERT 0x70000000L
+
+#define SFTK_TOKEN_KRL_HANDLE (SFTK_TOKEN_MAGIC | SFTK_TOKEN_TYPE_CRL | 1)
+/* how big (in bytes) a password/pin we can deal with */
+#define SFTK_MAX_PIN 500
+/* minimum password/pin length (in Unicode characters) in FIPS mode */
+#define FIPS_MIN_PIN 7
+
+/* slot ID's */
+#define NETSCAPE_SLOT_ID 1
+#define PRIVATE_KEY_SLOT_ID 2
+#define FIPS_SLOT_ID 3
+
+/* slot helper macros */
+#define sftk_SlotFromSession(sp) ((sp)->slot)
+#define sftk_isToken(id) (((id)&SFTK_TOKEN_MASK) == SFTK_TOKEN_MAGIC)
+#define sftk_isFIPS(id) \
+ (((id) == FIPS_SLOT_ID) || ((id) >= SFTK_MIN_FIPS_USER_SLOT_ID))
+
+/* the session hash multiplier (see bug 201081) */
+#define SHMULTIPLIER 1791398085
+
+/* queueing helper macros */
+#define sftk_hash(value, size) \
+ ((PRUint32)((value)*SHMULTIPLIER) & (size - 1))
+#define sftkqueue_add(element, id, head, hash_size) \
+ { \
+ int tmp = sftk_hash(id, hash_size); \
+ (element)->next = (head)[tmp]; \
+ (element)->prev = NULL; \
+ if ((head)[tmp]) \
+ (head)[tmp]->prev = (element); \
+ (head)[tmp] = (element); \
+ }
+#define sftkqueue_find(element, id, head, hash_size) \
+ for ((element) = (head)[sftk_hash(id, hash_size)]; (element) != NULL; \
+ (element) = (element)->next) { \
+ if ((element)->handle == (id)) { \
+ break; \
+ } \
+ }
+#define sftkqueue_is_queued(element, id, head, hash_size) \
+ (((element)->next) || ((element)->prev) || \
+ ((head)[sftk_hash(id, hash_size)] == (element)))
+#define sftkqueue_delete(element, id, head, hash_size) \
+ if ((element)->next) \
+ (element)->next->prev = (element)->prev; \
+ if ((element)->prev) \
+ (element)->prev->next = (element)->next; \
+ else \
+ (head)[sftk_hash(id, hash_size)] = ((element)->next); \
+ (element)->next = NULL; \
+ (element)->prev = NULL;
+
+#define sftkqueue_init_element(element) \
+ (element)->prev = NULL;
+
+#define sftkqueue_add2(element, id, index, head) \
+ { \
+ (element)->next = (head)[index]; \
+ if ((head)[index]) \
+ (head)[index]->prev = (element); \
+ (head)[index] = (element); \
+ }
+
+#define sftkqueue_find2(element, id, index, head) \
+ for ((element) = (head)[index]; \
+ (element) != NULL; \
+ (element) = (element)->next) { \
+ if ((element)->handle == (id)) { \
+ break; \
+ } \
+ }
+
+#define sftkqueue_delete2(element, id, index, head) \
+ if ((element)->next) \
+ (element)->next->prev = (element)->prev; \
+ if ((element)->prev) \
+ (element)->prev->next = (element)->next; \
+ else \
+ (head)[index] = ((element)->next);
+
+#define sftkqueue_clear_deleted_element(element) \
+ (element)->next = NULL; \
+ (element)->prev = NULL;
+
+/* sessionID (handle) is used to determine session lock bucket */
+#ifdef NOSPREAD
+/* NOSPREAD: (ID>>L2LPB) & (perbucket-1) */
+#define SFTK_SESSION_LOCK(slot, handle) \
+ ((slot)->sessionLock[((handle) >> LOG2_BUCKETS_PER_SESSION_LOCK) & (slot)->sessionLockMask])
+#else
+/* SPREAD: ID & (perbucket-1) */
+#define SFTK_SESSION_LOCK(slot, handle) \
+ ((slot)->sessionLock[(handle) & (slot)->sessionLockMask])
+#endif
+
+/* expand an attribute & secitem structures out */
+#define sftk_attr_expand(ap) (ap)->type, (ap)->pValue, (ap)->ulValueLen
+#define sftk_item_expand(ip) (ip)->data, (ip)->len
+
+typedef struct sftk_token_parametersStr {
+ CK_SLOT_ID slotID;
+ char *configdir;
+ char *certPrefix;
+ char *keyPrefix;
+ char *updatedir;
+ char *updCertPrefix;
+ char *updKeyPrefix;
+ char *updateID;
+ char *tokdes;
+ char *slotdes;
+ char *updtokdes;
+ int minPW;
+ PRBool readOnly;
+ PRBool noCertDB;
+ PRBool noKeyDB;
+ PRBool forceOpen;
+ PRBool pwRequired;
+ PRBool optimizeSpace;
+} sftk_token_parameters;
+
+typedef struct sftk_parametersStr {
+ char *configdir;
+ char *updatedir;
+ char *updateID;
+ char *secmodName;
+ char *man;
+ char *libdes;
+ PRBool readOnly;
+ PRBool noModDB;
+ PRBool noCertDB;
+ PRBool forceOpen;
+ PRBool pwRequired;
+ PRBool optimizeSpace;
+ sftk_token_parameters *tokens;
+ int token_count;
+} sftk_parameters;
+
+/* path stuff (was machine dependent) used by dbinit.c and pk11db.c */
+#define CERT_DB_FMT "%scert%s.db"
+#define KEY_DB_FMT "%skey%s.db"
+
+struct sftk_MACConstantTimeCtxStr {
+ const SECHashObject *hash;
+ unsigned char mac[64];
+ unsigned char secret[64];
+ unsigned int headerLength;
+ unsigned int secretLength;
+ unsigned int totalLength;
+ unsigned char header[75];
+};
+typedef struct sftk_MACConstantTimeCtxStr sftk_MACConstantTimeCtx;
+
+struct sftk_MACCtxStr {
+ /* This is a common MAC context that supports both HMAC and CMAC
+ * operations. This also presents a unified set of semantics:
+ *
+ * - Everything except Destroy returns a CK_RV, indicating success
+ * or failure. (This handles the difference between HMAC's and CMAC's
+ * interfaces, since the underlying AES _might_ fail with CMAC).
+ *
+ * - The underlying MAC is started on Init(...), so Update(...) can
+ * called right away. (This handles the difference between HMAC and
+ * CMAC in their *_Init(...) functions).
+ *
+ * - Calling semantics:
+ *
+ * - One of sftk_MAC_{Create,Init,InitRaw}(...) to set up the MAC
+ * context, checking the return code.
+ * - sftk_MAC_Update(...) as many times as necessary to process
+ * input data, checking the return code.
+ * - sftk_MAC_Finish(...) to get the output of the MAC; result_len
+ * may be NULL if the caller knows the expected output length,
+ * checking the return code. If result_len is NULL, this will
+ * PR_ASSERT(...) that the actual returned length was equal to
+ * max_result_len.
+ *
+ * Note: unlike HMAC_Finish(...), this allows the caller to specify
+ * a return value less than return length, to align with
+ * CMAC_Finish(...)'s semantics. This will force an additional
+ * stack allocation of size SFTK_MAX_MAC_LENGTH.
+ * - sftk_MAC_Reset(...) if the caller wishes to compute a new MAC
+ * with the same key, checking the return code.
+ * - sftk_MAC_Destroy(...) when the caller frees its associated
+ * memory, passing PR_TRUE if sftk_MAC_Create(...) was called,
+ * and PR_FALSE otherwise.
+ */
+
+ CK_MECHANISM_TYPE mech;
+ unsigned int mac_size;
+
+ union {
+ HMACContext *hmac;
+ CMACContext *cmac;
+
+ /* Functions to update when adding a new MAC or a new hash:
+ *
+ * - sftk_MAC_Init
+ * - sftk_MAC_Update
+ * - sftk_MAC_Finish
+ * - sftk_MAC_Reset
+ */
+ void *raw;
+ } mac;
+
+ void (*destroy_func)(void *ctx, PRBool free_it);
+};
+typedef struct sftk_MACCtxStr sftk_MACCtx;
+
+extern CK_NSS_MODULE_FUNCTIONS sftk_module_funcList;
+extern CK_NSS_FIPS_FUNCTIONS sftk_fips_funcList;
+
+SEC_BEGIN_PROTOS
+
+/* shared functions between pkcs11.c and fipstokn.c */
+extern PRBool nsf_init;
+extern CK_RV nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS);
+extern CK_RV nsc_CommonFinalize(CK_VOID_PTR pReserved, PRBool isFIPS);
+extern PRBool sftk_ForkReset(CK_VOID_PTR pReserved, CK_RV *crv);
+extern CK_RV nsc_CommonGetSlotList(CK_BBOOL tokPresent,
+ CK_SLOT_ID_PTR pSlotList,
+ CK_ULONG_PTR pulCount,
+ unsigned int moduleIndex);
+
+/* slot initialization, reinit, shutdown and destruction */
+extern CK_RV SFTK_SlotInit(char *configdir, char *updatedir, char *updateID,
+ sftk_token_parameters *params,
+ unsigned int moduleIndex);
+extern CK_RV SFTK_SlotReInit(SFTKSlot *slot, char *configdir,
+ char *updatedir, char *updateID,
+ sftk_token_parameters *params,
+ unsigned int moduleIndex);
+extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot);
+extern CK_RV SFTK_ShutdownSlot(SFTKSlot *slot);
+extern CK_RV sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout);
+
+/* internal utility functions used by pkcs11.c */
+extern CK_RV sftk_MapCryptError(int error);
+extern CK_RV sftk_MapDecryptError(int error);
+extern CK_RV sftk_MapVerifyError(int error);
+extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type);
+extern void sftk_FreeAttribute(SFTKAttribute *attribute);
+extern CK_RV sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ const void *valPtr, CK_ULONG length);
+extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+ SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_MultipleAttribute2SecItem(PLArenaPool *arena,
+ SFTKObject *object,
+ SFTKItemTemplate *templ, int count);
+extern unsigned int sftk_GetLengthInBits(unsigned char *buf,
+ unsigned int bufLen);
+extern CK_RV sftk_ConstrainAttribute(SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type, int minLength,
+ int maxLength, int minMultiple);
+extern PRBool sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern PRBool sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern void sftk_DeleteAttributeType(SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item,
+ SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item,
+ SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type);
+extern SFTKModifyType sftk_modifyType(CK_ATTRIBUTE_TYPE type,
+ CK_OBJECT_CLASS inClass);
+extern PRBool sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass);
+extern char *sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern void sftk_nullAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type);
+extern CK_RV sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ CK_ULONG *longData);
+extern CK_RV sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len);
+extern CK_RV sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len);
+extern unsigned int sftk_MapTrust(CK_TRUST trust, PRBool clientAuth);
+
+extern SFTKObject *sftk_NewObject(SFTKSlot *slot);
+extern CK_RV sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject);
+extern SFTKFreeStatus sftk_FreeObject(SFTKObject *object);
+extern CK_RV sftk_DeleteObject(SFTKSession *session, SFTKObject *object);
+extern void sftk_ReferenceObject(SFTKObject *object);
+extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle,
+ SFTKSession *session);
+extern CK_OBJECT_HANDLE sftk_getNextHandle(SFTKSlot *slot);
+extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object);
+extern void sftk_AddObject(SFTKSession *session, SFTKObject *object);
+/* clear out all the existing object ID to database key mappings.
+ * used to reinit a token */
+extern CK_RV SFTK_ClearTokenKeyHashTable(SFTKSlot *slot);
+
+extern CK_RV sftk_searchObjectList(SFTKSearchResults *search,
+ SFTKObject **head, unsigned int size,
+ PZLock *lock, CK_ATTRIBUTE_PTR inTemplate,
+ int count, PRBool isLoggedIn);
+extern SFTKObjectListElement *sftk_FreeObjectListElement(
+ SFTKObjectListElement *objectList);
+extern void sftk_FreeObjectList(SFTKObjectListElement *objectList);
+extern void sftk_FreeSearch(SFTKSearchResults *search);
+extern CK_RV sftk_handleObject(SFTKObject *object, SFTKSession *session);
+
+extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all);
+extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle);
+extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
+extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
+extern void sftk_FreeSession(SFTKSession *session);
+extern void sftk_ClearSession(SFTKSession *session);
+extern void sftk_DestroySession(SFTKSession *session);
+extern CK_RV sftk_InitSession(SFTKSession *session, SFTKSlot *slot,
+ CK_SLOT_ID slotID, CK_NOTIFY notify,
+ CK_VOID_PTR pApplication, CK_FLAGS flags);
+extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
+ CK_VOID_PTR pApplication, CK_FLAGS flags);
+extern void sftk_update_state(SFTKSlot *slot, SFTKSession *session);
+extern void sftk_update_all_states(SFTKSlot *slot);
+extern void sftk_InitFreeLists(void);
+extern void sftk_CleanupFreeLists(void);
+
+/*
+ * Helper functions to handle the session crypto contexts
+ */
+extern CK_RV sftk_InitGeneric(SFTKSession *session,
+ CK_MECHANISM *pMechanism,
+ SFTKSessionContext **contextPtr,
+ SFTKContextType ctype, SFTKObject **keyPtr,
+ CK_OBJECT_HANDLE hKey, CK_KEY_TYPE *keyTypePtr,
+ CK_OBJECT_CLASS pubKeyType,
+ CK_ATTRIBUTE_TYPE operation);
+void sftk_SetContextByType(SFTKSession *session, SFTKContextType type,
+ SFTKSessionContext *context);
+extern CK_RV sftk_GetContext(CK_SESSION_HANDLE handle,
+ SFTKSessionContext **contextPtr,
+ SFTKContextType type, PRBool needMulti,
+ SFTKSession **sessionPtr);
+extern void sftk_TerminateOp(SFTKSession *session, SFTKContextType ctype,
+ SFTKSessionContext *context);
+extern void sftk_FreeContext(SFTKSessionContext *context);
+
+extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object,
+ CK_KEY_TYPE key_type, CK_RV *crvp);
+extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object,
+ CK_KEY_TYPE key_type, CK_RV *crvp);
+extern CK_RV sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privKey, CK_KEY_TYPE keyType,
+ NSSLOWKEYPublicKey *pubKey);
+extern void sftk_FormatDESKey(unsigned char *key, int length);
+extern PRBool sftk_CheckDESKey(unsigned char *key);
+extern PRBool sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type);
+extern void sftk_EncodeInteger(PRUint64 integer, CK_ULONG num_bits, CK_BBOOL littleEndian,
+ CK_BYTE_PTR output, CK_ULONG_PTR output_len);
+
+/* ike and xcbc helpers */
+extern CK_RV sftk_ike_prf(CK_SESSION_HANDLE hSession,
+ const SFTKAttribute *inKey,
+ const CK_NSS_IKE_PRF_DERIVE_PARAMS *params, SFTKObject *outKey);
+extern CK_RV sftk_ike1_prf(CK_SESSION_HANDLE hSession,
+ const SFTKAttribute *inKey,
+ const CK_NSS_IKE1_PRF_DERIVE_PARAMS *params, SFTKObject *outKey,
+ unsigned int keySize);
+extern CK_RV sftk_ike1_appendix_b_prf(CK_SESSION_HANDLE hSession,
+ const SFTKAttribute *inKey,
+ const CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS *params,
+ SFTKObject *outKey,
+ unsigned int keySize);
+extern CK_RV sftk_ike_prf_plus(CK_SESSION_HANDLE hSession,
+ const SFTKAttribute *inKey,
+ const CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *params, SFTKObject *outKey,
+ unsigned int keySize);
+extern CK_RV sftk_aes_xcbc_new_keys(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hKey, CK_OBJECT_HANDLE_PTR phKey,
+ unsigned char *k2, unsigned char *k3);
+extern CK_RV sftk_xcbc_mac_pad(unsigned char *padBuf, unsigned int bufLen,
+ unsigned int blockSize, const unsigned char *k2,
+ const unsigned char *k3);
+extern SECStatus sftk_fips_IKE_PowerUpSelfTests(void);
+
+/* mechanism allows this operation */
+extern CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op);
+
+/* helper function which calls nsslowkey_FindKeyByPublicKey after safely
+ * acquiring a reference to the keydb from the slot */
+NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
+
+/*
+ * parameter parsing functions
+ */
+CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
+void sftk_freeParams(sftk_parameters *params);
+PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved);
+
+/*
+ * narrow objects
+ */
+SFTKSessionObject *sftk_narrowToSessionObject(SFTKObject *);
+SFTKTokenObject *sftk_narrowToTokenObject(SFTKObject *);
+
+/*
+ * token object utilities
+ */
+void sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle);
+PRBool sftk_poisonHandle(SFTKSlot *slot, SECItem *dbkey,
+ CK_OBJECT_HANDLE handle);
+SFTKObject *sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey,
+ CK_OBJECT_HANDLE handle);
+SFTKTokenObject *sftk_convertSessionToToken(SFTKObject *so);
+
+/* J-PAKE (jpakesftk.c) */
+extern CK_RV jpake_Round1(HASH_HashType hashType,
+ CK_NSS_JPAKERound1Params *params,
+ SFTKObject *key);
+extern CK_RV jpake_Round2(HASH_HashType hashType,
+ CK_NSS_JPAKERound2Params *params,
+ SFTKObject *sourceKey, SFTKObject *key);
+extern CK_RV jpake_Final(HASH_HashType hashType,
+ const CK_NSS_JPAKEFinalParams *params,
+ SFTKObject *sourceKey, SFTKObject *key);
+
+/* Constant time MAC functions (hmacct.c) */
+sftk_MACConstantTimeCtx *sftk_HMACConstantTime_New(
+ CK_MECHANISM_PTR mech, SFTKObject *key);
+sftk_MACConstantTimeCtx *sftk_SSLv3MACConstantTime_New(
+ CK_MECHANISM_PTR mech, SFTKObject *key);
+void sftk_HMACConstantTime_Update(void *pctx, const void *data, unsigned int len);
+void sftk_SSLv3MACConstantTime_Update(void *pctx, const void *data, unsigned int len);
+void sftk_MACConstantTime_EndHash(
+ void *pctx, void *out, unsigned int *outLength, unsigned int maxLength);
+void sftk_MACConstantTime_DestroyContext(void *pctx, PRBool);
+
+/* Crypto Utilities */
+HASH_HashType sftk_GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech);
+
+/****************************************
+ * implement TLS Pseudo Random Function (PRF)
+ */
+
+extern CK_RV
+sftk_TLSPRFInit(SFTKSessionContext *context,
+ SFTKObject *key,
+ CK_KEY_TYPE key_type,
+ HASH_HashType hash_alg,
+ unsigned int out_len);
+
+/* PKCS#11 MAC implementation. See sftk_MACCtxStr declaration above for
+ * calling semantics for these functions. */
+HASH_HashType sftk_HMACMechanismToHash(CK_MECHANISM_TYPE mech);
+CK_RV sftk_MAC_Create(CK_MECHANISM_TYPE mech, SFTKObject *key, sftk_MACCtx **ret_ctx);
+CK_RV sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, SFTKObject *key);
+CK_RV sftk_MAC_InitRaw(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, const unsigned char *key, unsigned int key_len, PRBool isFIPS);
+CK_RV sftk_MAC_Update(sftk_MACCtx *ctx, const CK_BYTE *data, unsigned int data_len);
+CK_RV sftk_MAC_Finish(sftk_MACCtx *ctx, CK_BYTE_PTR result, unsigned int *result_len, unsigned int max_result_len);
+CK_RV sftk_MAC_Reset(sftk_MACCtx *ctx);
+void sftk_MAC_Destroy(sftk_MACCtx *ctx, PRBool free_it);
+
+/* constant time helpers */
+unsigned int sftk_CKRVToMask(CK_RV rv);
+CK_RV sftk_CheckCBCPadding(CK_BYTE_PTR pBuf, unsigned int bufLen,
+ unsigned int blockSize, unsigned int *outPadSize);
+
+/* NIST 800-108 (kbkdf.c) implementations */
+extern CK_RV kbkdf_Dispatch(CK_MECHANISM_TYPE mech, CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, SFTKObject *base_key, SFTKObject *ret_key, CK_ULONG keySize);
+extern SECStatus sftk_fips_SP800_108_PowerUpSelfTests(void);
+
+/* export the HKDF function for use in PowerupSelfTests */
+CK_RV sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_SESSION_HANDLE hSession,
+ SFTKObject *sourceKey, const unsigned char *sourceKeyBytes,
+ int sourceKeyLen, SFTKObject *key,
+ unsigned char *outKeyBytes, int keySize,
+ PRBool canBeData, PRBool isFIPS);
+
+char **NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args);
+
+/* dh verify functions */
+/* verify that dhPrime matches one of our known primes, and if so return
+ * it's subprime value */
+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
+/* check if dhSubPrime claims dhPrime is a safe prime. */
+SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
+/* map an operation Attribute to a Mechanism flag */
+CK_FLAGS sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE op);
+/* check the FIPS table to determine if this current operation is allowed by
+ * FIPS security policy */
+PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
+ CK_ATTRIBUTE_TYPE op, SFTKObject *source);
+/* add validation objects to the slot */
+CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
+
+SEC_END_PROTOS
+
+#endif /* _PKCS11I_H_ */
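Review bot: The multi-statement queue macros `sftkqueue_delete`, `sftkqueue_init_element`, `sftkqueue_delete2` and `sftkqueue_clear_deleted_element` expand to a bare sequence of statements rather than one statement, so an invocation such as `if (cond) sftkqueue_delete(e, id, head, size);` would guard only the leading `if` and run the remaining unlink and NULL assignments unconditionally; wrapping each body in `do { ... } while (0)` makes them safe in any statement position, as shown below for `sftkqueue_delete` (call sites that already end the invocation with a semicolon need no change), and `sftkqueue_add`/`sftkqueue_add2`, which use a bare brace block, have the same issue with a `;` before `else`. Separately, `sftk_Attribute2SecItem` is declared twice in the prototype list (once near `sftk_AddAttributeType` and again next to `sftk_Attribute2SSecItem`); one copy can be dropped. `sftk_isFIPS` references `SFTK_MIN_FIPS_USER_SLOT_ID`, which this header neither defines nor visibly includes (it is defined in pkcs11ni.h in this same commit), so it presumably depends on the including file's include order unless one of the listed headers pulls it in — an explicit `#include "pkcs11ni.h"` or a comment naming that dependency would make it robust. `sftk_hash` also silently assumes `size` is a power of two; a comment such as `/* size must be a power of two: masks with (size - 1) */` above it would document that precondition.
```c
#define sftkqueue_delete(element, id, head, hash_size)            \
    do {                                                          \
        if ((element)->next)                                      \
            (element)->next->prev = (element)->prev;              \
        if ((element)->prev)                                      \
            (element)->prev->next = (element)->next;              \
        else                                                      \
            (head)[sftk_hash(id, hash_size)] = ((element)->next); \
        (element)->next = NULL;                                   \
        (element)->prev = NULL;                                   \
    } while (0)
/* … unchanged: remaining queue macros … */
```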
diff --git a/security/nss/lib/softoken/pkcs11ni.h b/security/nss/lib/softoken/pkcs11ni.h
new file mode 100644
index 0000000000..612842c938
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11ni.h
@@ -0,0 +1,20 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _PKCS11NI_H_
+#define _PKCS11NI_H_
+
+/*
+ * pkcs11ni.h
+ *
+ * This file contains softoken private exports for NSS
+ */
+
+/* softoken slot ID's */
+#define SFTK_MIN_USER_SLOT_ID 4
+#define SFTK_MAX_USER_SLOT_ID 100
+#define SFTK_MIN_FIPS_USER_SLOT_ID 101
+#define SFTK_MAX_FIPS_USER_SLOT_ID 127
+
+#endif /* _PKCS11NI_H_ */
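Review bot: The four slot ID limits at the end of the header do not say whether the bounds are inclusive or that the user range (4–100) and the FIPS user range (101–127) are meant to be disjoint, which is presumably the property any slot-ID-to-FIPS classification elsewhere relies on. A short comment would keep a later edit from silently overlapping the two ranges, e.g. `/* inclusive bounds; the user and FIPS user ranges must stay disjoint */` above SFTK_MIN_USER_SLOT_ID. If the project's build already accepts C11, a `_Static_assert(SFTK_MAX_USER_SLOT_ID < SFTK_MIN_FIPS_USER_SLOT_ID, "slot ID ranges overlap");` placed after the defines would enforce it at compile time.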
diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c
new file mode 100644
index 0000000000..f483060986
--- /dev/null
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -0,0 +1,2563 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * Internal PKCS #11 functions. Should only be called by pkcs11.c
+ */
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "lowkeyi.h"
+#include "secasn1.h"
+#include "blapi.h"
+#include "secerr.h"
+#include "prnetdb.h" /* for PR_ntohl */
+#include "sftkdb.h"
+#include "softoken.h"
+#include "secoid.h"
+#include "softkver.h"
+
+#if !defined(NSS_FIPS_DISABLED) && defined(NSS_ENABLE_FIPS_INDICATORS)
+/* this file should be supplied by the vendor and include all the
+ * algorithms which have Algorithm certs and have been reviewed by
+ * the lab. A blank file is included for the base so that FIPS mode
+ * will still be compiled and run, but FIPS indicators will always
+ * return PR_FALSE
+ */
+#include "fips_algorithms.h"
+#define NSS_HAS_FIPS_INDICATORS 1
+#endif
+
+/*
+ * ******************** Error mapping *******************************
+ */
+/*
+ * map all the SEC_ERROR_xxx error codes that may be returned by freebl
+ * functions to CKR_xxx. return CKR_DEVICE_ERROR by default for backward
+ * compatibility.
+ */
+CK_RV
+sftk_MapCryptError(int error)
+{
+ switch (error) {
+ case SEC_ERROR_INVALID_ARGS:
+ case SEC_ERROR_BAD_DATA: /* MP_RANGE gets mapped to this */
+ return CKR_ARGUMENTS_BAD;
+ case SEC_ERROR_INPUT_LEN:
+ return CKR_DATA_LEN_RANGE;
+ case SEC_ERROR_OUTPUT_LEN:
+ return CKR_BUFFER_TOO_SMALL;
+ case SEC_ERROR_LIBRARY_FAILURE:
+ return CKR_GENERAL_ERROR;
+ case SEC_ERROR_NO_MEMORY:
+ return CKR_HOST_MEMORY;
+ case SEC_ERROR_BAD_SIGNATURE:
+ return CKR_SIGNATURE_INVALID;
+ case SEC_ERROR_INVALID_KEY:
+ return CKR_KEY_SIZE_RANGE;
+ case SEC_ERROR_BAD_KEY: /* an EC public key that fails validation */
+ return CKR_KEY_SIZE_RANGE; /* the closest error code */
+ case SEC_ERROR_UNSUPPORTED_EC_POINT_FORM:
+ return CKR_TEMPLATE_INCONSISTENT;
+ case SEC_ERROR_UNSUPPORTED_KEYALG:
+ return CKR_MECHANISM_INVALID;
+ case SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE:
+ return CKR_DOMAIN_PARAMS_INVALID;
+ /* key pair generation failed after max number of attempts */
+ case SEC_ERROR_NEED_RANDOM:
+ return CKR_FUNCTION_FAILED;
+ }
+ return CKR_DEVICE_ERROR;
+}
+
+/*
+ * functions which adjust the mapping based on different contexts
+ * (Decrypt or Verify).
+ */
+
+/* used by Decrypt and UnwrapKey (indirectly) and Decrypt message */
+CK_RV
+sftk_MapDecryptError(int error)
+{
+ switch (error) {
+ /* usually a padding error, or aead tag mismatch */
+ case SEC_ERROR_BAD_DATA:
+ return CKR_ENCRYPTED_DATA_INVALID;
+ default:
+ return sftk_MapCryptError(error);
+ }
+}
+
+/*
+ * return CKR_SIGNATURE_INVALID instead of CKR_DEVICE_ERROR by default for
+ * backward compatibilty.
+ */
+CK_RV
+sftk_MapVerifyError(int error)
+{
+ CK_RV crv = sftk_MapCryptError(error);
+ if (crv == CKR_DEVICE_ERROR)
+ crv = CKR_SIGNATURE_INVALID;
+ return crv;
+}
+
+/*
+ * ******************** Attribute Utilities *******************************
+ */
+
+/*
+ * create a new attribute with type, value, and length. Space is allocated
+ * to hold value.
+ */
+static SFTKAttribute *
+sftk_NewAttribute(SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type, const void *value, CK_ULONG len)
+{
+ SFTKAttribute *attribute;
+
+ SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+ int index;
+
+ if (so == NULL) {
+ /* allocate new attribute in a buffer */
+ PORT_Assert(0);
+ return NULL;
+ }
+ /*
+ * We attempt to keep down contention on Malloc and Arena locks by
+ * limiting the number of these calls on high traversed paths. This
+ * is done for attributes by 'allocating' them from a pool already
+ * allocated by the parent object.
+ */
+ PZ_Lock(so->attributeLock);
+ index = so->nextAttr++;
+ PZ_Unlock(so->attributeLock);
+ PORT_Assert(index < MAX_OBJS_ATTRS);
+ if (index >= MAX_OBJS_ATTRS)
+ return NULL;
+
+ attribute = &so->attrList[index];
+ attribute->attrib.type = type;
+ attribute->freeAttr = PR_FALSE;
+ attribute->freeData = PR_FALSE;
+ if (value) {
+ if (len <= ATTR_SPACE) {
+ attribute->attrib.pValue = attribute->space;
+ } else {
+ attribute->attrib.pValue = PORT_Alloc(len);
+ attribute->freeData = PR_TRUE;
+ }
+ if (attribute->attrib.pValue == NULL) {
+ return NULL;
+ }
+ PORT_Memcpy(attribute->attrib.pValue, value, len);
+ attribute->attrib.ulValueLen = len;
+ } else {
+ attribute->attrib.pValue = NULL;
+ attribute->attrib.ulValueLen = 0;
+ }
+ attribute->attrib.type = type;
+ attribute->handle = type;
+ attribute->next = attribute->prev = NULL;
+ return attribute;
+}
+
+/*
+ * Free up all the memory associated with an attribute. Reference count
+ * must be zero to call this.
+ */
+static void
+sftk_DestroyAttribute(SFTKAttribute *attribute)
+{
+ if (attribute->attrib.pValue) {
+ /* clear out the data in the attribute value... it may have been
+ * sensitive data */
+ PORT_Memset(attribute->attrib.pValue, 0, attribute->attrib.ulValueLen);
+ if (attribute->freeData) {
+ PORT_Free(attribute->attrib.pValue);
+ attribute->attrib.pValue = NULL;
+ attribute->freeData = PR_FALSE;
+ }
+ }
+ if (attribute->freeAttr) {
+ PORT_Free(attribute);
+ }
+}
+
+/*
+ * release a reference to an attribute structure
+ */
+void
+sftk_FreeAttribute(SFTKAttribute *attribute)
+{
+ if (attribute && attribute->freeAttr) {
+ sftk_DestroyAttribute(attribute);
+ return;
+ }
+}
+
+static SFTKAttribute *
+sftk_FindTokenAttribute(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+ SFTKAttribute *myattribute = NULL;
+ SFTKDBHandle *dbHandle = NULL;
+ CK_RV crv = CKR_HOST_MEMORY;
+
+ myattribute = (SFTKAttribute *)PORT_Alloc(sizeof(SFTKAttribute));
+ if (myattribute == NULL) {
+ goto loser;
+ }
+
+ dbHandle = sftk_getDBForTokenObject(object->obj.slot, object->obj.handle);
+
+ myattribute->handle = type;
+ myattribute->attrib.type = type;
+ myattribute->attrib.pValue = myattribute->space;
+ myattribute->attrib.ulValueLen = ATTR_SPACE;
+ myattribute->next = myattribute->prev = NULL;
+ myattribute->freeAttr = PR_TRUE;
+ myattribute->freeData = PR_FALSE;
+
+ crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle,
+ &myattribute->attrib, 1);
+
+ /* attribute is bigger than our attribute space buffer, malloc it */
+ if (crv == CKR_BUFFER_TOO_SMALL) {
+ myattribute->attrib.pValue = NULL;
+ crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle,
+ &myattribute->attrib, 1);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ myattribute->attrib.pValue = PORT_Alloc(myattribute->attrib.ulValueLen);
+ if (myattribute->attrib.pValue == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ myattribute->freeData = PR_TRUE;
+ crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle,
+ &myattribute->attrib, 1);
+ }
+loser:
+ if (dbHandle) {
+ sftk_freeDB(dbHandle);
+ }
+ if (crv != CKR_OK) {
+ if (myattribute) {
+ myattribute->attrib.ulValueLen = 0;
+ sftk_FreeAttribute(myattribute);
+ myattribute = NULL;
+ }
+ }
+ return myattribute;
+}
+
+/*
+ * look up and attribute structure from a type and Object structure.
+ * The returned attribute is referenced and needs to be freed when
+ * it is no longer needed.
+ */
+SFTKAttribute *
+sftk_FindAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type)
+{
+ SFTKAttribute *attribute;
+ SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+
+ if (sessObject == NULL) {
+ return sftk_FindTokenAttribute(sftk_narrowToTokenObject(object), type);
+ }
+
+ PZ_Lock(sessObject->attributeLock);
+ sftkqueue_find(attribute, type, sessObject->head, sessObject->hashSize);
+ PZ_Unlock(sessObject->attributeLock);
+
+ return (attribute);
+}
+
+/*
+ * Take a buffer and it's length and return it's true size in bits;
+ */
+unsigned int
+sftk_GetLengthInBits(unsigned char *buf, unsigned int bufLen)
+{
+ unsigned int size = bufLen * 8;
+ unsigned int i;
+
+ /* Get the real length in bytes */
+ for (i = 0; i < bufLen; i++) {
+ unsigned char c = *buf++;
+ if (c != 0) {
+ unsigned char m;
+ for (m = 0x80; m > 0; m = m >> 1) {
+ if ((c & m) != 0) {
+ break;
+ }
+ size--;
+ }
+ break;
+ }
+ size -= 8;
+ }
+ return size;
+}
+
+/*
+ * Constrain a big num attribute. to size and padding
+ * minLength means length of the object must be greater than equal to minLength
+ * maxLength means length of the object must be less than equal to maxLength
+ * minMultiple means that object length mod minMultiple must equal 0.
+ * all input sizes are in bits.
+ * if any constraint is '0' that constraint is not checked.
+ */
+CK_RV
+sftk_ConstrainAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ int minLength, int maxLength, int minMultiple)
+{
+ SFTKAttribute *attribute;
+ int size;
+ unsigned char *ptr;
+
+ attribute = sftk_FindAttribute(object, type);
+ if (!attribute) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ ptr = (unsigned char *)attribute->attrib.pValue;
+ if (ptr == NULL) {
+ sftk_FreeAttribute(attribute);
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ size = sftk_GetLengthInBits(ptr, attribute->attrib.ulValueLen);
+ sftk_FreeAttribute(attribute);
+
+ if ((minLength != 0) && (size < minLength)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ if ((maxLength != 0) && (size > maxLength)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ if ((minMultiple != 0) && ((size % minMultiple) != 0)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ return CKR_OK;
+}
+
+PRBool
+sftk_hasAttributeToken(SFTKTokenObject *object, CK_ATTRIBUTE_TYPE type)
+{
+ CK_ATTRIBUTE template;
+ CK_RV crv;
+ SFTKDBHandle *dbHandle;
+
+ dbHandle = sftk_getDBForTokenObject(object->obj.slot, object->obj.handle);
+ template.type = type;
+ template.pValue = NULL;
+ template.ulValueLen = 0;
+
+ crv = sftkdb_GetAttributeValue(dbHandle, object->obj.handle, &template, 1);
+ sftk_freeDB(dbHandle);
+
+ /* attribute is bigger than our attribute space buffer, malloc it */
+ return (crv == CKR_OK) ? PR_TRUE : PR_FALSE;
+}
+
+/*
+ * return true if object has attribute
+ */
+PRBool
+sftk_hasAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type)
+{
+ SFTKAttribute *attribute;
+ SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+
+ if (sessObject == NULL) {
+ return sftk_hasAttributeToken(sftk_narrowToTokenObject(object), type);
+ }
+
+ PZ_Lock(sessObject->attributeLock);
+ sftkqueue_find(attribute, type, sessObject->head, sessObject->hashSize);
+ PZ_Unlock(sessObject->attributeLock);
+
+ return (PRBool)(attribute != NULL);
+}
+
+/*
+ * add an attribute to an object
+ */
+static void
+sftk_AddAttribute(SFTKObject *object, SFTKAttribute *attribute)
+{
+ SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+
+ if (sessObject == NULL)
+ return;
+ PZ_Lock(sessObject->attributeLock);
+ sftkqueue_add(attribute, attribute->handle,
+ sessObject->head, sessObject->hashSize);
+ PZ_Unlock(sessObject->attributeLock);
+}
+
+/*
+ * copy an unsigned attribute into a SECItem. Secitem is allocated in
+ * the specified arena.
+ */
+CK_RV
+sftk_Attribute2SSecItem(PLArenaPool *arena, SECItem *item, SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type)
+{
+ SFTKAttribute *attribute;
+
+ item->data = NULL;
+
+ attribute = sftk_FindAttribute(object, type);
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+
+ (void)SECITEM_AllocItem(arena, item, attribute->attrib.ulValueLen);
+ if (item->data == NULL) {
+ sftk_FreeAttribute(attribute);
+ return CKR_HOST_MEMORY;
+ }
+ PORT_Memcpy(item->data, attribute->attrib.pValue, item->len);
+ sftk_FreeAttribute(attribute);
+ return CKR_OK;
+}
+
+/*
+ * fetch multiple attributes into SECItems. Secitem data is allocated in
+ * the specified arena.
+ */
+CK_RV
+sftk_MultipleAttribute2SecItem(PLArenaPool *arena, SFTKObject *object,
+ SFTKItemTemplate *itemTemplate, int itemTemplateCount)
+{
+
+ CK_RV crv = CKR_OK;
+ CK_ATTRIBUTE templateSpace[SFTK_MAX_ITEM_TEMPLATE];
+ CK_ATTRIBUTE *template;
+ SFTKTokenObject *tokObject;
+ SFTKDBHandle *dbHandle = NULL;
+ int i;
+
+ tokObject = sftk_narrowToTokenObject(object);
+
+ /* session objects, just loop through the list */
+ if (tokObject == NULL) {
+ for (i = 0; i < itemTemplateCount; i++) {
+ crv = sftk_Attribute2SecItem(arena, itemTemplate[i].item, object,
+ itemTemplate[i].type);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ return CKR_OK;
+ }
+
+ /* don't do any work if none is required */
+ if (itemTemplateCount == 0) {
+ return CKR_OK;
+ }
+
+ /* don't allocate the template unless we need it */
+ if (itemTemplateCount > SFTK_MAX_ITEM_TEMPLATE) {
+ template = PORT_NewArray(CK_ATTRIBUTE, itemTemplateCount);
+ } else {
+ template = templateSpace;
+ }
+
+ if (template == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ dbHandle = sftk_getDBForTokenObject(object->slot, object->handle);
+ if (dbHandle == NULL) {
+ crv = CKR_OBJECT_HANDLE_INVALID;
+ goto loser;
+ }
+
+ /* set up the PKCS #11 template */
+ for (i = 0; i < itemTemplateCount; i++) {
+ template[i].type = itemTemplate[i].type;
+ template[i].pValue = NULL;
+ template[i].ulValueLen = 0;
+ }
+
+ /* fetch the attribute lengths */
+ crv = sftkdb_GetAttributeValue(dbHandle, object->handle,
+ template, itemTemplateCount);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* allocate space for the attributes */
+ for (i = 0; i < itemTemplateCount; i++) {
+ template[i].pValue = PORT_ArenaAlloc(arena, template[i].ulValueLen);
+ if (template[i].pValue == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ }
+
+ /* fetch the attributes */
+ crv = sftkdb_GetAttributeValue(dbHandle, object->handle,
+ template, itemTemplateCount);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* Fill in the items */
+ for (i = 0; i < itemTemplateCount; i++) {
+ itemTemplate[i].item->data = template[i].pValue;
+ itemTemplate[i].item->len = template[i].ulValueLen;
+ }
+
+loser:
+ if (template != templateSpace) {
+ PORT_Free(template);
+ }
+ if (dbHandle) {
+ sftk_freeDB(dbHandle);
+ }
+
+ return crv;
+}
+
+/*
+ * delete an attribute from an object
+ */
+static void
+sftk_DeleteAttribute(SFTKObject *object, SFTKAttribute *attribute)
+{
+ SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+
+ if (sessObject == NULL) {
+ return;
+ }
+ PZ_Lock(sessObject->attributeLock);
+ if (sftkqueue_is_queued(attribute, attribute->handle,
+ sessObject->head, sessObject->hashSize)) {
+ sftkqueue_delete(attribute, attribute->handle,
+ sessObject->head, sessObject->hashSize);
+ }
+ PZ_Unlock(sessObject->attributeLock);
+}
+
+/*
+ * this is only valid for CK_BBOOL type attributes. Return the state
+ * of that attribute.
+ */
+PRBool
+sftk_isTrue(SFTKObject *object, CK_ATTRIBUTE_TYPE type)
+{
+ SFTKAttribute *attribute;
+ PRBool tok = PR_FALSE;
+
+ attribute = sftk_FindAttribute(object, type);
+ if (attribute == NULL) {
+ return PR_FALSE;
+ }
+ tok = (PRBool)(*(CK_BBOOL *)attribute->attrib.pValue);
+ sftk_FreeAttribute(attribute);
+
+ return tok;
+}
+
+/*
+ * force an attribute to null.
+ * this is for sensitive keys which are stored in the database, we don't
+ * want to keep this info around in memory in the clear.
+ */
+void
+sftk_nullAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type)
+{
+ SFTKAttribute *attribute;
+
+ attribute = sftk_FindAttribute(object, type);
+ if (attribute == NULL)
+ return;
+
+ if (attribute->attrib.pValue != NULL) {
+ PORT_Memset(attribute->attrib.pValue, 0, attribute->attrib.ulValueLen);
+ if (attribute->freeData) {
+ PORT_Free(attribute->attrib.pValue);
+ }
+ attribute->freeData = PR_FALSE;
+ attribute->attrib.pValue = NULL;
+ attribute->attrib.ulValueLen = 0;
+ }
+ sftk_FreeAttribute(attribute);
+}
+
+static CK_RV
+sftk_forceTokenAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len)
+{
+ CK_ATTRIBUTE attribute;
+ SFTKDBHandle *dbHandle = NULL;
+ SFTKTokenObject *to = sftk_narrowToTokenObject(object);
+ CK_RV crv;
+
+ PORT_Assert(to);
+ if (to == NULL) {
+ return CKR_DEVICE_ERROR;
+ }
+
+ dbHandle = sftk_getDBForTokenObject(object->slot, object->handle);
+
+ attribute.type = type;
+ attribute.pValue = (void *)value;
+ attribute.ulValueLen = len;
+
+ crv = sftkdb_SetAttributeValue(dbHandle, object, &attribute, 1);
+ sftk_freeDB(dbHandle);
+ return crv;
+}
+
+/*
+ * force an attribute to a specifc value.
+ */
+CK_RV
+sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ const void *value, unsigned int len)
+{
+ SFTKAttribute *attribute;
+ void *att_val = NULL;
+ PRBool freeData = PR_FALSE;
+
+ PORT_Assert(object);
+ PORT_Assert(object->refCount);
+ PORT_Assert(object->slot);
+ if (!object ||
+ !object->refCount ||
+ !object->slot) {
+ return CKR_DEVICE_ERROR;
+ }
+ if (sftk_isToken(object->handle)) {
+ return sftk_forceTokenAttribute(object, type, value, len);
+ }
+ attribute = sftk_FindAttribute(object, type);
+ if (attribute == NULL)
+ return sftk_AddAttributeType(object, type, value, len);
+
+ if (value) {
+ if (len <= ATTR_SPACE) {
+ att_val = attribute->space;
+ } else {
+ att_val = PORT_Alloc(len);
+ freeData = PR_TRUE;
+ }
+ if (att_val == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ if (attribute->attrib.pValue == att_val) {
+ PORT_Memset(attribute->attrib.pValue, 0,
+ attribute->attrib.ulValueLen);
+ }
+ PORT_Memcpy(att_val, value, len);
+ }
+ if (attribute->attrib.pValue != NULL) {
+ if (attribute->attrib.pValue != att_val) {
+ PORT_Memset(attribute->attrib.pValue, 0,
+ attribute->attrib.ulValueLen);
+ }
+ if (attribute->freeData) {
+ PORT_Free(attribute->attrib.pValue);
+ }
+ attribute->freeData = PR_FALSE;
+ attribute->attrib.pValue = NULL;
+ attribute->attrib.ulValueLen = 0;
+ }
+ if (att_val) {
+ attribute->attrib.pValue = att_val;
+ attribute->attrib.ulValueLen = len;
+ attribute->freeData = freeData;
+ }
+ sftk_FreeAttribute(attribute);
+ return CKR_OK;
+}
+
+/*
+ * return a null terminated string from attribute 'type'. This string
+ * is allocated and needs to be freed with PORT_Free() When complete.
+ */
+char *
+sftk_getString(SFTKObject *object, CK_ATTRIBUTE_TYPE type)
+{
+ SFTKAttribute *attribute;
+ char *label = NULL;
+
+ attribute = sftk_FindAttribute(object, type);
+ if (attribute == NULL)
+ return NULL;
+
+ if (attribute->attrib.pValue != NULL) {
+ label = (char *)PORT_Alloc(attribute->attrib.ulValueLen + 1);
+ if (label == NULL) {
+ sftk_FreeAttribute(attribute);
+ return NULL;
+ }
+
+ PORT_Memcpy(label, attribute->attrib.pValue,
+ attribute->attrib.ulValueLen);
+ label[attribute->attrib.ulValueLen] = 0;
+ }
+ sftk_FreeAttribute(attribute);
+ return label;
+}
+
+/*
+ * decode when a particular attribute may be modified
+ * SFTK_NEVER: This attribute must be set at object creation time and
+ * can never be modified.
+ * SFTK_ONCOPY: This attribute may be modified only when you copy the
+ * object.
+ * SFTK_SENSITIVE: The CKA_SENSITIVE attribute can only be changed from
+ * CK_FALSE to CK_TRUE.
+ * SFTK_ALWAYS: This attribute can always be modified.
+ * Some attributes vary their modification type based on the class of the
+ * object.
+ */
+SFTKModifyType
+sftk_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
+{
+ /* if we don't know about it, user user defined, always allow modify */
+ SFTKModifyType mtype = SFTK_ALWAYS;
+
+ switch (type) {
+ /* NEVER */
+ case CKA_CLASS:
+ case CKA_CERTIFICATE_TYPE:
+ case CKA_KEY_TYPE:
+ case CKA_MODULUS:
+ case CKA_MODULUS_BITS:
+ case CKA_PUBLIC_EXPONENT:
+ case CKA_PRIVATE_EXPONENT:
+ case CKA_PRIME:
+ case CKA_BASE:
+ case CKA_PRIME_1:
+ case CKA_PRIME_2:
+ case CKA_EXPONENT_1:
+ case CKA_EXPONENT_2:
+ case CKA_COEFFICIENT:
+ case CKA_VALUE_LEN:
+ case CKA_ALWAYS_SENSITIVE:
+ case CKA_NEVER_EXTRACTABLE:
+ case CKA_NSS_DB:
+ mtype = SFTK_NEVER;
+ break;
+
+ /* ONCOPY */
+ case CKA_TOKEN:
+ case CKA_PRIVATE:
+ case CKA_MODIFIABLE:
+ mtype = SFTK_ONCOPY;
+ break;
+
+ /* SENSITIVE */
+ case CKA_SENSITIVE:
+ case CKA_EXTRACTABLE:
+ mtype = SFTK_SENSITIVE;
+ break;
+
+ /* ALWAYS */
+ case CKA_LABEL:
+ case CKA_APPLICATION:
+ case CKA_ID:
+ case CKA_SERIAL_NUMBER:
+ case CKA_START_DATE:
+ case CKA_END_DATE:
+ case CKA_DERIVE:
+ case CKA_ENCRYPT:
+ case CKA_DECRYPT:
+ case CKA_SIGN:
+ case CKA_VERIFY:
+ case CKA_SIGN_RECOVER:
+ case CKA_VERIFY_RECOVER:
+ case CKA_WRAP:
+ case CKA_UNWRAP:
+ mtype = SFTK_ALWAYS;
+ break;
+
+ /* DEPENDS ON CLASS */
+ case CKA_VALUE:
+ mtype = (inClass == CKO_DATA) ? SFTK_ALWAYS : SFTK_NEVER;
+ break;
+
+ case CKA_SUBPRIME:
+ /* allow the CKA_SUBPRIME to be added to dh private keys */
+ mtype = (inClass == CKO_PRIVATE_KEY) ? SFTK_ALWAYS : SFTK_NEVER;
+ break;
+
+ case CKA_SUBJECT:
+ mtype = (inClass == CKO_CERTIFICATE) ? SFTK_NEVER : SFTK_ALWAYS;
+ break;
+ default:
+ break;
+ }
+ return mtype;
+}
+
+/* decode if a particular attribute is sensitive (cannot be read
+ * back to the user of if the object is set to SENSITIVE) */
+PRBool
+sftk_isSensitive(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
+{
+ switch (type) {
+ /* ALWAYS */
+ case CKA_PRIVATE_EXPONENT:
+ case CKA_PRIME_1:
+ case CKA_PRIME_2:
+ case CKA_EXPONENT_1:
+ case CKA_EXPONENT_2:
+ case CKA_COEFFICIENT:
+ return PR_TRUE;
+
+ /* DEPENDS ON CLASS */
+ case CKA_VALUE:
+ /* PRIVATE and SECRET KEYS have SENSITIVE values */
+ return (PRBool)((inClass == CKO_PRIVATE_KEY) || (inClass == CKO_SECRET_KEY));
+
+ default:
+ break;
+ }
+ return PR_FALSE;
+}
+
+/*
+ * copy an attribute into a SECItem. Secitem is allocated in the specified
+ * arena.
+ */
+CK_RV
+sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item, SFTKObject *object,
+ CK_ATTRIBUTE_TYPE type)
+{
+ int len;
+ SFTKAttribute *attribute;
+
+ attribute = sftk_FindAttribute(object, type);
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+ len = attribute->attrib.ulValueLen;
+
+ if (arena) {
+ item->data = (unsigned char *)PORT_ArenaAlloc(arena, len);
+ } else {
+ item->data = (unsigned char *)PORT_Alloc(len);
+ }
+ if (item->data == NULL) {
+ sftk_FreeAttribute(attribute);
+ return CKR_HOST_MEMORY;
+ }
+ item->len = len;
+ PORT_Memcpy(item->data, attribute->attrib.pValue, len);
+ sftk_FreeAttribute(attribute);
+ return CKR_OK;
+}
+
+CK_RV
+sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ CK_ULONG *longData)
+{
+ SFTKAttribute *attribute;
+
+ attribute = sftk_FindAttribute(object, type);
+ if (attribute == NULL)
+ return CKR_TEMPLATE_INCOMPLETE;
+
+ if (attribute->attrib.ulValueLen != sizeof(CK_ULONG)) {
+ return CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+
+ *longData = *(CK_ULONG *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+ return CKR_OK;
+}
+
+void
+sftk_DeleteAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type)
+{
+ SFTKAttribute *attribute;
+ attribute = sftk_FindAttribute(object, type);
+ if (attribute == NULL)
+ return;
+ sftk_DeleteAttribute(object, attribute);
+ sftk_DestroyAttribute(attribute);
+}
+
+CK_RV
+sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type,
+ const void *valPtr, CK_ULONG length)
+{
+ SFTKAttribute *attribute;
+ attribute = sftk_NewAttribute(object, type, valPtr, length);
+ if (attribute == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ sftk_AddAttribute(object, attribute);
+ return CKR_OK;
+}
+
+/*
+ * ******************** Object Utilities *******************************
+ */
+
+/* must be called holding sftk_tokenKeyLock(slot) */
+static SECItem *
+sftk_lookupTokenKeyByHandle(SFTKSlot *slot, CK_OBJECT_HANDLE handle)
+{
+ return (SECItem *)PL_HashTableLookup(slot->tokObjHashTable, (void *)(uintptr_t)handle);
+}
+
+/*
+ * use the refLock. This operations should be very rare, so the added
+ * contention on the ref lock should be lower than the overhead of adding
+ * a new lock. We use separate functions for this just in case I'm wrong.
+ */
+static void
+sftk_tokenKeyLock(SFTKSlot *slot)
+{
+ SKIP_AFTER_FORK(PZ_Lock(slot->objectLock));
+}
+
+static void
+sftk_tokenKeyUnlock(SFTKSlot *slot)
+{
+ SKIP_AFTER_FORK(PZ_Unlock(slot->objectLock));
+}
+
+static PRIntn
+sftk_freeHashItem(PLHashEntry *entry, PRIntn index, void *arg)
+{
+ SECItem *item = (SECItem *)entry->value;
+
+ SECITEM_FreeItem(item, PR_TRUE);
+ return HT_ENUMERATE_NEXT;
+}
+
+CK_RV
+SFTK_ClearTokenKeyHashTable(SFTKSlot *slot)
+{
+ sftk_tokenKeyLock(slot);
+ PORT_Assert(!slot->present);
+ PL_HashTableEnumerateEntries(slot->tokObjHashTable, sftk_freeHashItem, NULL);
+ sftk_tokenKeyUnlock(slot);
+ return CKR_OK;
+}
+
+/* allocation hooks that allow us to recycle old object structures */
+static SFTKObjectFreeList sessionObjectList = { NULL, NULL, 0 };
+static SFTKObjectFreeList tokenObjectList = { NULL, NULL, 0 };
+
+SFTKObject *
+sftk_GetObjectFromList(PRBool *hasLocks, PRBool optimizeSpace,
+ SFTKObjectFreeList *list, unsigned int hashSize, PRBool isSessionObject)
+{
+ SFTKObject *object;
+ int size = 0;
+
+ if (!optimizeSpace) {
+ PZ_Lock(list->lock);
+ object = list->head;
+ if (object) {
+ list->head = object->next;
+ list->count--;
+ }
+ PZ_Unlock(list->lock);
+ if (object) {
+ object->next = object->prev = NULL;
+ *hasLocks = PR_TRUE;
+ return object;
+ }
+ }
+ size = isSessionObject ? sizeof(SFTKSessionObject) + hashSize * sizeof(SFTKAttribute *) : sizeof(SFTKTokenObject);
+
+ object = (SFTKObject *)PORT_ZAlloc(size);
+ if (isSessionObject && object) {
+ ((SFTKSessionObject *)object)->hashSize = hashSize;
+ }
+ *hasLocks = PR_FALSE;
+ return object;
+}
+
+static void
+sftk_PutObjectToList(SFTKObject *object, SFTKObjectFreeList *list,
+ PRBool isSessionObject)
+{
+
+ /* the code below is equivalent to :
+ * optimizeSpace = isSessionObject ? object->optimizeSpace : PR_FALSE;
+ * just faster.
+ */
+ PRBool optimizeSpace = isSessionObject &&
+ ((SFTKSessionObject *)object)->optimizeSpace;
+ if (object->refLock && !optimizeSpace && (list->count < MAX_OBJECT_LIST_SIZE)) {
+ PZ_Lock(list->lock);
+ object->next = list->head;
+ list->head = object;
+ list->count++;
+ PZ_Unlock(list->lock);
+ return;
+ }
+ if (isSessionObject) {
+ SFTKSessionObject *so = (SFTKSessionObject *)object;
+ PZ_DestroyLock(so->attributeLock);
+ so->attributeLock = NULL;
+ }
+ if (object->refLock) {
+ PZ_DestroyLock(object->refLock);
+ object->refLock = NULL;
+ }
+ PORT_Free(object);
+}
+
+static SFTKObject *
+sftk_freeObjectData(SFTKObject *object)
+{
+ SFTKObject *next = object->next;
+
+ PORT_Free(object);
+ return next;
+}
+
+static void
+sftk_InitFreeList(SFTKObjectFreeList *list)
+{
+ if (!list->lock) {
+ list->lock = PZ_NewLock(nssILockObject);
+ }
+}
+
+void
+sftk_InitFreeLists(void)
+{
+ sftk_InitFreeList(&sessionObjectList);
+ sftk_InitFreeList(&tokenObjectList);
+}
+
+static void
+sftk_CleanupFreeList(SFTKObjectFreeList *list, PRBool isSessionList)
+{
+ SFTKObject *object;
+
+ if (!list->lock) {
+ return;
+ }
+ SKIP_AFTER_FORK(PZ_Lock(list->lock));
+ for (object = list->head; object != NULL;
+ object = sftk_freeObjectData(object)) {
+ PZ_DestroyLock(object->refLock);
+ if (isSessionList) {
+ PZ_DestroyLock(((SFTKSessionObject *)object)->attributeLock);
+ }
+ }
+ list->count = 0;
+ list->head = NULL;
+ SKIP_AFTER_FORK(PZ_Unlock(list->lock));
+ SKIP_AFTER_FORK(PZ_DestroyLock(list->lock));
+ list->lock = NULL;
+}
+
+void
+sftk_CleanupFreeLists(void)
+{
+ sftk_CleanupFreeList(&sessionObjectList, PR_TRUE);
+ sftk_CleanupFreeList(&tokenObjectList, PR_FALSE);
+}
+
+/*
+ * Create a new object
+ */
+SFTKObject *
+sftk_NewObject(SFTKSlot *slot)
+{
+ SFTKObject *object;
+ SFTKSessionObject *sessObject;
+ PRBool hasLocks = PR_FALSE;
+ unsigned int i;
+ unsigned int hashSize = 0;
+
+ hashSize = (slot->optimizeSpace) ? SPACE_ATTRIBUTE_HASH_SIZE : TIME_ATTRIBUTE_HASH_SIZE;
+
+ object = sftk_GetObjectFromList(&hasLocks, slot->optimizeSpace,
+ &sessionObjectList, hashSize, PR_TRUE);
+ if (object == NULL) {
+ return NULL;
+ }
+ sessObject = (SFTKSessionObject *)object;
+ sessObject->nextAttr = 0;
+
+ for (i = 0; i < MAX_OBJS_ATTRS; i++) {
+ sessObject->attrList[i].attrib.pValue = NULL;
+ sessObject->attrList[i].freeData = PR_FALSE;
+ }
+ sessObject->optimizeSpace = slot->optimizeSpace;
+
+ object->handle = 0;
+ object->next = object->prev = NULL;
+ object->slot = slot;
+ object->isFIPS = sftk_isFIPS(slot->slotID);
+
+ object->refCount = 1;
+ sessObject->sessionList.next = NULL;
+ sessObject->sessionList.prev = NULL;
+ sessObject->sessionList.parent = object;
+ sessObject->session = NULL;
+ sessObject->wasDerived = PR_FALSE;
+ if (!hasLocks)
+ object->refLock = PZ_NewLock(nssILockRefLock);
+ if (object->refLock == NULL) {
+ PORT_Free(object);
+ return NULL;
+ }
+ if (!hasLocks)
+ sessObject->attributeLock = PZ_NewLock(nssILockAttribute);
+ if (sessObject->attributeLock == NULL) {
+ PZ_DestroyLock(object->refLock);
+ PORT_Free(object);
+ return NULL;
+ }
+ for (i = 0; i < sessObject->hashSize; i++) {
+ sessObject->head[i] = NULL;
+ }
+ object->objectInfo = NULL;
+ object->infoFree = NULL;
+ return object;
+}
+
+static CK_RV
+sftk_DestroySessionObjectData(SFTKSessionObject *so)
+{
+ int i;
+
+ for (i = 0; i < MAX_OBJS_ATTRS; i++) {
+ unsigned char *value = so->attrList[i].attrib.pValue;
+ if (value) {
+ PORT_Memset(value, 0, so->attrList[i].attrib.ulValueLen);
+ if (so->attrList[i].freeData) {
+ PORT_Free(value);
+ }
+ so->attrList[i].attrib.pValue = NULL;
+ so->attrList[i].freeData = PR_FALSE;
+ }
+ }
+ /* PZ_DestroyLock(so->attributeLock);*/
+ return CKR_OK;
+}
+
+/*
+ * free all the data associated with an object. Object reference count must
+ * be 'zero'.
+ */
+static CK_RV
+sftk_DestroyObject(SFTKObject *object)
+{
+ CK_RV crv = CKR_OK;
+ SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+ SFTKTokenObject *to = sftk_narrowToTokenObject(object);
+
+ PORT_Assert(object->refCount == 0);
+
+ /* delete the database value */
+ if (to) {
+ if (to->dbKey.data) {
+ PORT_Free(to->dbKey.data);
+ to->dbKey.data = NULL;
+ }
+ }
+ if (so) {
+ sftk_DestroySessionObjectData(so);
+ }
+ if (object->objectInfo) {
+ (*object->infoFree)(object->objectInfo);
+ object->objectInfo = NULL;
+ object->infoFree = NULL;
+ }
+ if (so) {
+ sftk_PutObjectToList(object, &sessionObjectList, PR_TRUE);
+ } else {
+ sftk_PutObjectToList(object, &tokenObjectList, PR_FALSE);
+ }
+ return crv;
+}
+
+void
+sftk_ReferenceObject(SFTKObject *object)
+{
+ PZ_Lock(object->refLock);
+ object->refCount++;
+ PZ_Unlock(object->refLock);
+}
+
+static SFTKObject *
+sftk_ObjectFromHandleOnSlot(CK_OBJECT_HANDLE handle, SFTKSlot *slot)
+{
+ SFTKObject *object;
+ PRUint32 index = sftk_hash(handle, slot->sessObjHashSize);
+
+ if (sftk_isToken(handle)) {
+ return sftk_NewTokenObject(slot, NULL, handle);
+ }
+
+ PZ_Lock(slot->objectLock);
+ sftkqueue_find2(object, handle, index, slot->sessObjHashTable);
+ if (object) {
+ sftk_ReferenceObject(object);
+ }
+ PZ_Unlock(slot->objectLock);
+
+ return (object);
+}
+/*
+ * look up and object structure from a handle. OBJECT_Handles only make
+ * sense in terms of a given session. make a reference to that object
+ * structure returned.
+ */
+SFTKObject *
+sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle, SFTKSession *session)
+{
+ SFTKSlot *slot = sftk_SlotFromSession(session);
+
+ return sftk_ObjectFromHandleOnSlot(handle, slot);
+}
+
+/*
+ * release a reference to an object handle
+ */
+SFTKFreeStatus
+sftk_FreeObject(SFTKObject *object)
+{
+ PRBool destroy = PR_FALSE;
+ CK_RV crv;
+
+ PZ_Lock(object->refLock);
+ if (object->refCount == 1)
+ destroy = PR_TRUE;
+ object->refCount--;
+ PZ_Unlock(object->refLock);
+
+ if (destroy) {
+ crv = sftk_DestroyObject(object);
+ if (crv != CKR_OK) {
+ return SFTK_DestroyFailure;
+ }
+ return SFTK_Destroyed;
+ }
+ return SFTK_Busy;
+}
+
+/* find the next available object handle that isn't currently in use */
+/* NOTE: This function could loop forever if we've exhausted all
+ * 3^31-1 handles. This is highly unlikely (NSS has been running for
+ * decades with this code) uless we start increasing the size of the
+ * SFTK_TOKEN_MASK (which is just the high bit currently). */
+CK_OBJECT_HANDLE
+sftk_getNextHandle(SFTKSlot *slot)
+{
+ CK_OBJECT_HANDLE handle;
+ SFTKObject *duplicateObject = NULL;
+ do {
+ PRUint32 wrappedAround;
+
+ duplicateObject = NULL;
+ PZ_Lock(slot->objectLock);
+ wrappedAround = slot->sessionObjectHandleCount & SFTK_TOKEN_MASK;
+ handle = slot->sessionObjectHandleCount & ~SFTK_TOKEN_MASK;
+ if (!handle) /* don't allow zero handle */
+ handle = NSC_MIN_SESSION_OBJECT_HANDLE;
+ slot->sessionObjectHandleCount = (handle + 1U) | wrappedAround;
+ /* Is there already a session object with this handle? */
+ if (wrappedAround) {
+ sftkqueue_find(duplicateObject, handle, slot->sessObjHashTable,
+ slot->sessObjHashSize);
+ }
+ PZ_Unlock(slot->objectLock);
+ } while (duplicateObject != NULL);
+ return handle;
+}
+
+/*
+ * add an object to a slot and session queue. These two functions
+ * adopt the object.
+ */
+void
+sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object)
+{
+ PRUint32 index = sftk_hash(object->handle, slot->sessObjHashSize);
+ sftkqueue_init_element(object);
+ PZ_Lock(slot->objectLock);
+ sftkqueue_add2(object, object->handle, index, slot->sessObjHashTable);
+ PZ_Unlock(slot->objectLock);
+}
+
+void
+sftk_AddObject(SFTKSession *session, SFTKObject *object)
+{
+ SFTKSlot *slot = sftk_SlotFromSession(session);
+ SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+
+ if (so) {
+ PZ_Lock(session->objectLock);
+ sftkqueue_add(&so->sessionList, 0, session->objects, 0);
+ so->session = session;
+ PZ_Unlock(session->objectLock);
+ }
+ sftk_AddSlotObject(slot, object);
+ sftk_ReferenceObject(object);
+}
+
+/*
+ * delete an object from a slot and session queue
+ */
+CK_RV
+sftk_DeleteObject(SFTKSession *session, SFTKObject *object)
+{
+ SFTKSlot *slot = sftk_SlotFromSession(session);
+ SFTKSessionObject *so = sftk_narrowToSessionObject(object);
+ CK_RV crv = CKR_OK;
+ PRUint32 index = sftk_hash(object->handle, slot->sessObjHashSize);
+
+ /* Handle Token case */
+ if (so && so->session) {
+ session = so->session;
+ PZ_Lock(session->objectLock);
+ sftkqueue_delete(&so->sessionList, 0, session->objects, 0);
+ PZ_Unlock(session->objectLock);
+ PZ_Lock(slot->objectLock);
+ sftkqueue_delete2(object, object->handle, index, slot->sessObjHashTable);
+ PZ_Unlock(slot->objectLock);
+ sftkqueue_clear_deleted_element(object);
+ sftk_FreeObject(object); /* free the reference owned by the queue */
+ } else {
+ SFTKDBHandle *handle = sftk_getDBForTokenObject(slot, object->handle);
+#ifdef DEBUG
+ SFTKTokenObject *to = sftk_narrowToTokenObject(object);
+ PORT_Assert(to);
+#endif
+ crv = sftkdb_DestroyObject(handle, object->handle, object->objclass);
+ sftk_freeDB(handle);
+ }
+ return crv;
+}
+
+/*
+ * Token objects don't explicitly store their attributes, so we need to know
+ * what attributes make up a particular token object before we can copy it.
+ * below are the tables by object type.
+ */
+static const CK_ATTRIBUTE_TYPE commonAttrs[] = {
+ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_MODIFIABLE
+};
+static const CK_ULONG commonAttrsCount =
+ sizeof(commonAttrs) / sizeof(commonAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE commonKeyAttrs[] = {
+ CKA_ID, CKA_START_DATE, CKA_END_DATE, CKA_DERIVE, CKA_LOCAL, CKA_KEY_TYPE
+};
+static const CK_ULONG commonKeyAttrsCount =
+ sizeof(commonKeyAttrs) / sizeof(commonKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE secretKeyAttrs[] = {
+ CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN,
+ CKA_VERIFY, CKA_WRAP, CKA_UNWRAP, CKA_VALUE
+};
+static const CK_ULONG secretKeyAttrsCount =
+ sizeof(secretKeyAttrs) / sizeof(secretKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE commonPubKeyAttrs[] = {
+ CKA_ENCRYPT, CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_WRAP, CKA_SUBJECT
+};
+static const CK_ULONG commonPubKeyAttrsCount =
+ sizeof(commonPubKeyAttrs) / sizeof(commonPubKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE rsaPubKeyAttrs[] = {
+ CKA_MODULUS, CKA_PUBLIC_EXPONENT
+};
+static const CK_ULONG rsaPubKeyAttrsCount =
+ sizeof(rsaPubKeyAttrs) / sizeof(rsaPubKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE dsaPubKeyAttrs[] = {
+ CKA_SUBPRIME, CKA_PRIME, CKA_BASE, CKA_VALUE
+};
+static const CK_ULONG dsaPubKeyAttrsCount =
+ sizeof(dsaPubKeyAttrs) / sizeof(dsaPubKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE dhPubKeyAttrs[] = {
+ CKA_PRIME, CKA_BASE, CKA_VALUE
+};
+static const CK_ULONG dhPubKeyAttrsCount =
+ sizeof(dhPubKeyAttrs) / sizeof(dhPubKeyAttrs[0]);
+static const CK_ATTRIBUTE_TYPE ecPubKeyAttrs[] = {
+ CKA_EC_PARAMS, CKA_EC_POINT
+};
+static const CK_ULONG ecPubKeyAttrsCount =
+ sizeof(ecPubKeyAttrs) / sizeof(ecPubKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE commonPrivKeyAttrs[] = {
+ CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_SUBJECT,
+ CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NSS_DB, CKA_PUBLIC_KEY_INFO
+};
+static const CK_ULONG commonPrivKeyAttrsCount =
+ sizeof(commonPrivKeyAttrs) / sizeof(commonPrivKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE rsaPrivKeyAttrs[] = {
+ CKA_MODULUS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT,
+ CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT
+};
+static const CK_ULONG rsaPrivKeyAttrsCount =
+ sizeof(rsaPrivKeyAttrs) / sizeof(rsaPrivKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE dsaPrivKeyAttrs[] = {
+ CKA_SUBPRIME, CKA_PRIME, CKA_BASE, CKA_VALUE
+};
+static const CK_ULONG dsaPrivKeyAttrsCount =
+ sizeof(dsaPrivKeyAttrs) / sizeof(dsaPrivKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE dhPrivKeyAttrs[] = {
+ CKA_PRIME, CKA_BASE, CKA_VALUE
+};
+static const CK_ULONG dhPrivKeyAttrsCount =
+ sizeof(dhPrivKeyAttrs) / sizeof(dhPrivKeyAttrs[0]);
+static const CK_ATTRIBUTE_TYPE ecPrivKeyAttrs[] = {
+ CKA_EC_PARAMS, CKA_VALUE
+};
+static const CK_ULONG ecPrivKeyAttrsCount =
+ sizeof(ecPrivKeyAttrs) / sizeof(ecPrivKeyAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE certAttrs[] = {
+ CKA_CERTIFICATE_TYPE, CKA_VALUE, CKA_SUBJECT, CKA_ISSUER, CKA_SERIAL_NUMBER
+};
+static const CK_ULONG certAttrsCount =
+ sizeof(certAttrs) / sizeof(certAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE trustAttrs[] = {
+ CKA_ISSUER, CKA_SERIAL_NUMBER, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
+ CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_EMAIL_PROTECTION,
+ CKA_TRUST_CODE_SIGNING, CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ULONG trustAttrsCount =
+ sizeof(trustAttrs) / sizeof(trustAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE smimeAttrs[] = {
+ CKA_SUBJECT, CKA_NSS_EMAIL, CKA_NSS_SMIME_TIMESTAMP, CKA_VALUE
+};
+static const CK_ULONG smimeAttrsCount =
+ sizeof(smimeAttrs) / sizeof(smimeAttrs[0]);
+
+static const CK_ATTRIBUTE_TYPE crlAttrs[] = {
+ CKA_SUBJECT, CKA_VALUE, CKA_NSS_URL, CKA_NSS_KRL
+};
+static const CK_ULONG crlAttrsCount =
+ sizeof(crlAttrs) / sizeof(crlAttrs[0]);
+
+/* copy an object based on it's table */
+CK_RV
+stfk_CopyTokenAttributes(SFTKObject *destObject, SFTKTokenObject *src_to,
+ const CK_ATTRIBUTE_TYPE *attrArray, CK_ULONG attrCount)
+{
+ SFTKAttribute *attribute;
+ SFTKAttribute *newAttribute;
+ CK_RV crv = CKR_OK;
+ unsigned int i;
+
+ for (i = 0; i < attrCount; i++) {
+ if (!sftk_hasAttribute(destObject, attrArray[i])) {
+ attribute = sftk_FindAttribute(&src_to->obj, attrArray[i]);
+ if (!attribute) {
+ continue; /* return CKR_ATTRIBUTE_VALUE_INVALID; */
+ }
+ /* we need to copy the attribute since each attribute
+ * only has one set of link list pointers */
+ newAttribute = sftk_NewAttribute(destObject,
+ sftk_attr_expand(&attribute->attrib));
+ sftk_FreeAttribute(attribute); /* free the old attribute */
+ if (!newAttribute) {
+ return CKR_HOST_MEMORY;
+ }
+ sftk_AddAttribute(destObject, newAttribute);
+ }
+ }
+ return crv;
+}
+
+CK_RV
+stfk_CopyTokenPrivateKey(SFTKObject *destObject, SFTKTokenObject *src_to)
+{
+ CK_RV crv;
+ CK_KEY_TYPE key_type;
+ SFTKAttribute *attribute;
+
+ /* copy the common attributes for all keys first */
+ crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs,
+ commonKeyAttrsCount);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ /* copy the common attributes for all private keys next */
+ crv = stfk_CopyTokenAttributes(destObject, src_to, commonPrivKeyAttrs,
+ commonPrivKeyAttrsCount);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ attribute = sftk_FindAttribute(&src_to->obj, CKA_KEY_TYPE);
+ PORT_Assert(attribute); /* if it wasn't here, ww should have failed
+ * copying the common attributes */
+ if (!attribute) {
+ /* OK, so CKR_ATTRIBUTE_VALUE_INVALID is the immediate error, but
+ * the fact is, the only reason we couldn't get the attribute would
+ * be a memory error or database error (an error in the 'device').
+ * if we have a database error code, we could return it here */
+ crv = CKR_DEVICE_ERROR;
+ goto fail;
+ }
+ key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+
+ /* finally copy the attributes for various private key types */
+ switch (key_type) {
+ case CKK_RSA:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, rsaPrivKeyAttrs,
+ rsaPrivKeyAttrsCount);
+ break;
+ case CKK_DSA:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPrivKeyAttrs,
+ dsaPrivKeyAttrsCount);
+ break;
+ case CKK_DH:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs,
+ dhPrivKeyAttrsCount);
+ break;
+ case CKK_EC:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs,
+ ecPrivKeyAttrsCount);
+ break;
+ default:
+ crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
+ * of token keys into our database. */
+ }
+fail:
+ return crv;
+}
+
+CK_RV
+stfk_CopyTokenPublicKey(SFTKObject *destObject, SFTKTokenObject *src_to)
+{
+ CK_RV crv;
+ CK_KEY_TYPE key_type;
+ SFTKAttribute *attribute;
+
+ /* copy the common attributes for all keys first */
+ crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs,
+ commonKeyAttrsCount);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+
+ /* copy the common attributes for all public keys next */
+ crv = stfk_CopyTokenAttributes(destObject, src_to, commonPubKeyAttrs,
+ commonPubKeyAttrsCount);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ attribute = sftk_FindAttribute(&src_to->obj, CKA_KEY_TYPE);
+ PORT_Assert(attribute); /* if it wasn't here, ww should have failed
+ * copying the common attributes */
+ if (!attribute) {
+ /* OK, so CKR_ATTRIBUTE_VALUE_INVALID is the immediate error, but
+ * the fact is, the only reason we couldn't get the attribute would
+ * be a memory error or database error (an error in the 'device').
+ * if we have a database error code, we could return it here */
+ crv = CKR_DEVICE_ERROR;
+ goto fail;
+ }
+ key_type = *(CK_KEY_TYPE *)attribute->attrib.pValue;
+ sftk_FreeAttribute(attribute);
+
+ /* finally copy the attributes for various public key types */
+ switch (key_type) {
+ case CKK_RSA:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, rsaPubKeyAttrs,
+ rsaPubKeyAttrsCount);
+ break;
+ case CKK_DSA:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPubKeyAttrs,
+ dsaPubKeyAttrsCount);
+ break;
+ case CKK_DH:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs,
+ dhPubKeyAttrsCount);
+ break;
+ case CKK_EC:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs,
+ ecPubKeyAttrsCount);
+ break;
+ default:
+ crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
+ * of token keys into our database. */
+ }
+fail:
+ return crv;
+}
+CK_RV
+stfk_CopyTokenSecretKey(SFTKObject *destObject, SFTKTokenObject *src_to)
+{
+ CK_RV crv;
+ crv = stfk_CopyTokenAttributes(destObject, src_to, commonKeyAttrs,
+ commonKeyAttrsCount);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = stfk_CopyTokenAttributes(destObject, src_to, secretKeyAttrs,
+ secretKeyAttrsCount);
+fail:
+ return crv;
+}
+
+/*
+ * Copy a token object. We need to explicitly copy the relevant
+ * attributes since token objects don't store those attributes in
+ * the token itself.
+ */
+CK_RV
+sftk_CopyTokenObject(SFTKObject *destObject, SFTKObject *srcObject)
+{
+ SFTKTokenObject *src_to = sftk_narrowToTokenObject(srcObject);
+ CK_RV crv;
+
+ PORT_Assert(src_to);
+ if (src_to == NULL) {
+ return CKR_DEVICE_ERROR; /* internal state inconsistant */
+ }
+
+ crv = stfk_CopyTokenAttributes(destObject, src_to, commonAttrs,
+ commonAttrsCount);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ switch (src_to->obj.objclass) {
+ case CKO_CERTIFICATE:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, certAttrs,
+ certAttrsCount);
+ break;
+ case CKO_NSS_TRUST:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, trustAttrs,
+ trustAttrsCount);
+ break;
+ case CKO_NSS_SMIME:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, smimeAttrs,
+ smimeAttrsCount);
+ break;
+ case CKO_NSS_CRL:
+ crv = stfk_CopyTokenAttributes(destObject, src_to, crlAttrs,
+ crlAttrsCount);
+ break;
+ case CKO_PRIVATE_KEY:
+ crv = stfk_CopyTokenPrivateKey(destObject, src_to);
+ break;
+ case CKO_PUBLIC_KEY:
+ crv = stfk_CopyTokenPublicKey(destObject, src_to);
+ break;
+ case CKO_SECRET_KEY:
+ crv = stfk_CopyTokenSecretKey(destObject, src_to);
+ break;
+ default:
+ crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
+ * of token keys into our database. */
+ }
+fail:
+ return crv;
+}
+
+/*
+ * copy the attributes from one object to another. Don't overwrite existing
+ * attributes. NOTE: This is a pretty expensive operation since it
+ * grabs the attribute locks for the src object for a *long* time.
+ */
+CK_RV
+sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject)
+{
+ SFTKAttribute *attribute;
+ SFTKSessionObject *src_so = sftk_narrowToSessionObject(srcObject);
+ unsigned int i;
+
+ destObject->isFIPS = srcObject->isFIPS;
+ if (src_so == NULL) {
+ return sftk_CopyTokenObject(destObject, srcObject);
+ }
+
+ PZ_Lock(src_so->attributeLock);
+ for (i = 0; i < src_so->hashSize; i++) {
+ attribute = src_so->head[i];
+ do {
+ if (attribute) {
+ if (!sftk_hasAttribute(destObject, attribute->handle)) {
+ /* we need to copy the attribute since each attribute
+ * only has one set of link list pointers */
+ SFTKAttribute *newAttribute = sftk_NewAttribute(
+ destObject, sftk_attr_expand(&attribute->attrib));
+ if (newAttribute == NULL) {
+ PZ_Unlock(src_so->attributeLock);
+ return CKR_HOST_MEMORY;
+ }
+ sftk_AddAttribute(destObject, newAttribute);
+ }
+ attribute = attribute->next;
+ }
+ } while (attribute != NULL);
+ }
+ PZ_Unlock(src_so->attributeLock);
+
+ return CKR_OK;
+}
+
+/*
+ * ******************** Search Utilities *******************************
+ */
+
+/* add an object to a search list */
+CK_RV
+AddToList(SFTKObjectListElement **list, SFTKObject *object)
+{
+ SFTKObjectListElement *newElem =
+ (SFTKObjectListElement *)PORT_Alloc(sizeof(SFTKObjectListElement));
+
+ if (newElem == NULL)
+ return CKR_HOST_MEMORY;
+
+ newElem->next = *list;
+ newElem->object = object;
+ sftk_ReferenceObject(object);
+
+ *list = newElem;
+ return CKR_OK;
+}
+
+/* return true if the object matches the template */
+PRBool
+sftk_objectMatch(SFTKObject *object, CK_ATTRIBUTE_PTR theTemplate, int count)
+{
+ int i;
+
+ for (i = 0; i < count; i++) {
+ SFTKAttribute *attribute = sftk_FindAttribute(object, theTemplate[i].type);
+ if (attribute == NULL) {
+ return PR_FALSE;
+ }
+ if (attribute->attrib.ulValueLen == theTemplate[i].ulValueLen) {
+ if (PORT_Memcmp(attribute->attrib.pValue, theTemplate[i].pValue,
+ theTemplate[i].ulValueLen) == 0) {
+ sftk_FreeAttribute(attribute);
+ continue;
+ }
+ }
+ sftk_FreeAttribute(attribute);
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+}
+
+/* search through all the objects in the queue and return the template matches
+ * in the object list.
+ */
+CK_RV
+sftk_searchObjectList(SFTKSearchResults *search, SFTKObject **head,
+ unsigned int size, PZLock *lock, CK_ATTRIBUTE_PTR theTemplate,
+ int count, PRBool isLoggedIn)
+{
+ unsigned int i;
+ SFTKObject *object;
+ CK_RV crv = CKR_OK;
+
+ PZ_Lock(lock);
+ for (i = 0; i < size; i++) {
+ for (object = head[i]; object != NULL; object = object->next) {
+ if (sftk_objectMatch(object, theTemplate, count)) {
+ /* don't return objects that aren't yet visible */
+ if ((!isLoggedIn) && sftk_isTrue(object, CKA_PRIVATE))
+ continue;
+ sftk_addHandle(search, object->handle);
+ }
+ }
+ }
+ PZ_Unlock(lock);
+ return crv;
+}
+
+/*
+ * free a single list element. Return the Next object in the list.
+ */
+SFTKObjectListElement *
+sftk_FreeObjectListElement(SFTKObjectListElement *objectList)
+{
+ SFTKObjectListElement *ol = objectList->next;
+
+ sftk_FreeObject(objectList->object);
+ PORT_Free(objectList);
+ return ol;
+}
+
+/* free an entire object list */
+void
+sftk_FreeObjectList(SFTKObjectListElement *objectList)
+{
+ SFTKObjectListElement *ol;
+
+ for (ol = objectList; ol != NULL; ol = sftk_FreeObjectListElement(ol)) {
+ }
+}
+
+/*
+ * free a search structure
+ */
+void
+sftk_FreeSearch(SFTKSearchResults *search)
+{
+ if (search->handles) {
+ PORT_Free(search->handles);
+ }
+ PORT_Free(search);
+}
+
+/*
+ * ******************** Session Utilities *******************************
+ */
+
+/* update the sessions state based in it's flags and wether or not it's
+ * logged in */
+void
+sftk_update_state(SFTKSlot *slot, SFTKSession *session)
+{
+ if (slot->isLoggedIn) {
+ if (slot->ssoLoggedIn) {
+ session->info.state = CKS_RW_SO_FUNCTIONS;
+ } else if (session->info.flags & CKF_RW_SESSION) {
+ session->info.state = CKS_RW_USER_FUNCTIONS;
+ } else {
+ session->info.state = CKS_RO_USER_FUNCTIONS;
+ }
+ } else {
+ if (session->info.flags & CKF_RW_SESSION) {
+ session->info.state = CKS_RW_PUBLIC_SESSION;
+ } else {
+ session->info.state = CKS_RO_PUBLIC_SESSION;
+ }
+ }
+}
+
+/* update the state of all the sessions on a slot */
+void
+sftk_update_all_states(SFTKSlot *slot)
+{
+ unsigned int i;
+ SFTKSession *session;
+
+ for (i = 0; i < slot->sessHashSize; i++) {
+ PZLock *lock = SFTK_SESSION_LOCK(slot, i);
+ PZ_Lock(lock);
+ for (session = slot->head[i]; session; session = session->next) {
+ sftk_update_state(slot, session);
+ }
+ PZ_Unlock(lock);
+ }
+}
+
+/*
+ * context are cipher and digest contexts that are associated with a session
+ */
+void
+sftk_FreeContext(SFTKSessionContext *context)
+{
+ if (context->cipherInfo) {
+ (*context->destroy)(context->cipherInfo, PR_TRUE);
+ }
+ if (context->hashInfo) {
+ (*context->hashdestroy)(context->hashInfo, PR_TRUE);
+ }
+ if (context->key) {
+ sftk_FreeObject(context->key);
+ context->key = NULL;
+ }
+ PORT_Free(context);
+}
+
+/*
+ * Init a new session. NOTE: The session handle is not set, and the
+ * session is not added to the slot's session queue.
+ */
+CK_RV
+sftk_InitSession(SFTKSession *session, SFTKSlot *slot, CK_SLOT_ID slotID,
+ CK_NOTIFY notify, CK_VOID_PTR pApplication, CK_FLAGS flags)
+{
+ session->next = session->prev = NULL;
+ session->enc_context = NULL;
+ session->hash_context = NULL;
+ session->sign_context = NULL;
+ session->search = NULL;
+ session->objectIDCount = 1;
+ session->objectLock = PZ_NewLock(nssILockObject);
+ if (session->objectLock == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ session->objects[0] = NULL;
+
+ session->slot = slot;
+ session->notify = notify;
+ session->appData = pApplication;
+ session->info.flags = flags;
+ session->info.slotID = slotID;
+ session->info.ulDeviceError = 0;
+ sftk_update_state(slot, session);
+ /* no ops completed yet, so the last one couldn't be a FIPS op */
+ session->lastOpWasFIPS = PR_FALSE;
+ return CKR_OK;
+}
+
+/*
+ * Create a new session and init it.
+ */
+SFTKSession *
+sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
+ CK_FLAGS flags)
+{
+ SFTKSession *session;
+ SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
+ CK_RV crv;
+
+ if (slot == NULL)
+ return NULL;
+
+ session = (SFTKSession *)PORT_Alloc(sizeof(SFTKSession));
+ if (session == NULL)
+ return NULL;
+
+ crv = sftk_InitSession(session, slot, slotID, notify, pApplication, flags);
+ if (crv != CKR_OK) {
+ PORT_Free(session);
+ return NULL;
+ }
+ return session;
+}
+
+/* free all the data associated with a session. */
+void
+sftk_ClearSession(SFTKSession *session)
+{
+ SFTKObjectList *op, *next;
+
+ /* clean out the attributes */
+ /* since no one is referencing us, it's safe to walk the chain
+ * without a lock */
+ for (op = session->objects[0]; op != NULL; op = next) {
+ next = op->next;
+ /* paranoia */
+ op->next = op->prev = NULL;
+ sftk_DeleteObject(session, op->parent);
+ }
+ PZ_DestroyLock(session->objectLock);
+ if (session->enc_context) {
+ sftk_FreeContext(session->enc_context);
+ }
+ if (session->hash_context) {
+ sftk_FreeContext(session->hash_context);
+ }
+ if (session->sign_context) {
+ sftk_FreeContext(session->sign_context);
+ }
+ if (session->search) {
+ sftk_FreeSearch(session->search);
+ }
+}
+
+/* free the data associated with the session, and the session */
+void
+sftk_DestroySession(SFTKSession *session)
+{
+ sftk_ClearSession(session);
+ PORT_Free(session);
+}
+
+/*
+ * look up a session structure from a session handle
+ * generate a reference to it.
+ */
+SFTKSession *
+sftk_SessionFromHandle(CK_SESSION_HANDLE handle)
+{
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(handle);
+ SFTKSession *session;
+ PZLock *lock;
+
+ if (!slot)
+ return NULL;
+ lock = SFTK_SESSION_LOCK(slot, handle);
+
+ PZ_Lock(lock);
+ sftkqueue_find(session, handle, slot->head, slot->sessHashSize);
+ PZ_Unlock(lock);
+
+ return (session);
+}
+
+/*
+ * release a reference to a session handle. This method of using SFTKSessions
+ * is deprecated, but the pattern should be retained until a future effort
+ * to refactor all SFTKSession users at once is completed.
+ */
+void
+sftk_FreeSession(SFTKSession *session)
+{
+ return;
+}
+
+void
+sftk_addHandle(SFTKSearchResults *search, CK_OBJECT_HANDLE handle)
+{
+ if (search->handles == NULL) {
+ return;
+ }
+ if (search->size >= search->array_size) {
+ search->array_size += NSC_SEARCH_BLOCK_SIZE;
+ search->handles = (CK_OBJECT_HANDLE *)PORT_Realloc(search->handles,
+ sizeof(CK_OBJECT_HANDLE) * search->array_size);
+ if (search->handles == NULL) {
+ return;
+ }
+ }
+ search->handles[search->size] = handle;
+ search->size++;
+}
+
+static CK_RV
+handleToClass(SFTKSlot *slot, CK_OBJECT_HANDLE handle,
+ CK_OBJECT_CLASS *objClass)
+{
+ SFTKDBHandle *dbHandle = sftk_getDBForTokenObject(slot, handle);
+ CK_ATTRIBUTE objClassTemplate;
+ CK_RV crv;
+
+ *objClass = CKO_DATA;
+ objClassTemplate.type = CKA_CLASS;
+ objClassTemplate.pValue = objClass;
+ objClassTemplate.ulValueLen = sizeof(*objClass);
+ crv = sftkdb_GetAttributeValue(dbHandle, handle, &objClassTemplate, 1);
+ sftk_freeDB(dbHandle);
+ return crv;
+}
+
+SFTKObject *
+sftk_NewTokenObject(SFTKSlot *slot, SECItem *dbKey, CK_OBJECT_HANDLE handle)
+{
+ SFTKObject *object = NULL;
+ PRBool hasLocks = PR_FALSE;
+ CK_RV crv;
+
+ object = sftk_GetObjectFromList(&hasLocks, PR_FALSE, &tokenObjectList, 0,
+ PR_FALSE);
+ if (object == NULL) {
+ return NULL;
+ }
+
+ object->handle = handle;
+ /* every object must have a class, if we can't get it, the object
+ * doesn't exist */
+ crv = handleToClass(slot, handle, &object->objclass);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ object->slot = slot;
+ object->isFIPS = sftk_isFIPS(slot->slotID);
+ object->objectInfo = NULL;
+ object->infoFree = NULL;
+ if (!hasLocks) {
+ object->refLock = PZ_NewLock(nssILockRefLock);
+ }
+ if (object->refLock == NULL) {
+ goto loser;
+ }
+ object->refCount = 1;
+
+ return object;
+loser:
+ (void)sftk_DestroyObject(object);
+ return NULL;
+}
+
+SFTKTokenObject *
+sftk_convertSessionToToken(SFTKObject *obj)
+{
+ SECItem *key;
+ SFTKSessionObject *so = (SFTKSessionObject *)obj;
+ SFTKTokenObject *to = sftk_narrowToTokenObject(obj);
+ SECStatus rv;
+
+ sftk_DestroySessionObjectData(so);
+ PZ_DestroyLock(so->attributeLock);
+ if (to == NULL) {
+ return NULL;
+ }
+ sftk_tokenKeyLock(so->obj.slot);
+ key = sftk_lookupTokenKeyByHandle(so->obj.slot, so->obj.handle);
+ if (key == NULL) {
+ sftk_tokenKeyUnlock(so->obj.slot);
+ return NULL;
+ }
+ rv = SECITEM_CopyItem(NULL, &to->dbKey, key);
+ sftk_tokenKeyUnlock(so->obj.slot);
+ if (rv == SECFailure) {
+ return NULL;
+ }
+
+ return to;
+}
+
+SFTKSessionObject *
+sftk_narrowToSessionObject(SFTKObject *obj)
+{
+ return !sftk_isToken(obj->handle) ? (SFTKSessionObject *)obj : NULL;
+}
+
+SFTKTokenObject *
+sftk_narrowToTokenObject(SFTKObject *obj)
+{
+ return sftk_isToken(obj->handle) ? (SFTKTokenObject *)obj : NULL;
+}
+
+/* Constant time helper functions */
+
+/* sftk_CKRVToMask returns, in constant time, a mask value of
+ * all ones if rv == CKR_OK. Otherwise it returns zero. */
+unsigned int
+sftk_CKRVToMask(CK_RV rv)
+{
+ PR_STATIC_ASSERT(CKR_OK == 0);
+ return ~PORT_CT_NOT_ZERO(rv);
+}
+
+/* sftk_CheckCBCPadding checks, in constant time, the padding validity and
+ * accordingly sets the pad length. */
+CK_RV
+sftk_CheckCBCPadding(CK_BYTE_PTR pBuf, unsigned int bufLen,
+ unsigned int blockSize, unsigned int *outPadSize)
+{
+ PORT_Assert(outPadSize);
+
+ unsigned int padSize = (unsigned int)pBuf[bufLen - 1];
+
+ /* If padSize <= blockSize, set goodPad to all-1s and all-0s otherwise.*/
+ unsigned int goodPad = PORT_CT_DUPLICATE_MSB_TO_ALL(~(blockSize - padSize));
+ /* padSize should not be 0 */
+ goodPad &= PORT_CT_NOT_ZERO(padSize);
+
+ unsigned int i;
+ for (i = 0; i < blockSize; i++) {
+ /* If i < padSize, set loopMask to all-1s and all-0s otherwise.*/
+ unsigned int loopMask = PORT_CT_DUPLICATE_MSB_TO_ALL(~(padSize - 1 - i));
+ /* Get the padding value (should be padSize) from buffer */
+ unsigned int padVal = pBuf[bufLen - 1 - i];
+ /* Update goodPad only if i < padSize */
+ goodPad &= PORT_CT_SEL(loopMask, ~(padVal ^ padSize), goodPad);
+ }
+
+ /* If any of the final padding bytes had the wrong value, one or more
+ * of the lower eight bits of |goodPad| will be cleared. We AND the
+ * bottom 8 bits together and duplicate the result to all the bits. */
+ goodPad &= goodPad >> 4;
+ goodPad &= goodPad >> 2;
+ goodPad &= goodPad >> 1;
+ goodPad <<= sizeof(goodPad) * 8 - 1;
+ goodPad = PORT_CT_DUPLICATE_MSB_TO_ALL(goodPad);
+
+ /* Set outPadSize to padSize or 0 */
+ *outPadSize = PORT_CT_SEL(goodPad, padSize, 0);
+ /* Return OK if the pad is valid */
+ return PORT_CT_SEL(goodPad, CKR_OK, CKR_ENCRYPTED_DATA_INVALID);
+}
+
+void
+sftk_EncodeInteger(PRUint64 integer, CK_ULONG num_bits, CK_BBOOL littleEndian,
+ CK_BYTE_PTR output, CK_ULONG_PTR output_len)
+{
+ if (output_len) {
+ *output_len = (num_bits / 8);
+ }
+
+ PR_ASSERT(num_bits > 0 && num_bits <= 64 && (num_bits % 8) == 0);
+
+ if (littleEndian == CK_TRUE) {
+ for (size_t offset = 0; offset < num_bits / 8; offset++) {
+ output[offset] = (unsigned char)((integer >> (offset * 8)) & 0xFF);
+ }
+ } else {
+ for (size_t offset = 0; offset < num_bits / 8; offset++) {
+ PRUint64 shift = num_bits - (offset + 1) * 8;
+ output[offset] = (unsigned char)((integer >> shift) & 0xFF);
+ }
+ }
+}
+
+CK_FLAGS
+sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE op)
+{
+ CK_FLAGS flags = 0;
+
+ switch (op) {
+ case CKA_ENCRYPT:
+ flags = CKF_ENCRYPT;
+ break;
+ case CKA_DECRYPT:
+ flags = CKF_DECRYPT;
+ break;
+ case CKA_WRAP:
+ flags = CKF_WRAP;
+ break;
+ case CKA_UNWRAP:
+ flags = CKF_UNWRAP;
+ break;
+ case CKA_SIGN:
+ flags = CKF_SIGN;
+ break;
+ case CKA_SIGN_RECOVER:
+ flags = CKF_SIGN_RECOVER;
+ break;
+ case CKA_VERIFY:
+ flags = CKF_VERIFY;
+ break;
+ case CKA_VERIFY_RECOVER:
+ flags = CKF_VERIFY_RECOVER;
+ break;
+ case CKA_DERIVE:
+ flags = CKF_DERIVE;
+ break;
+ /* fake attribute to select digesting */
+ case CKA_DIGEST:
+ flags = CKF_DIGEST;
+ break;
+ case CKA_NSS_MESSAGE | CKA_ENCRYPT:
+ flags = CKF_MESSAGE_ENCRYPT;
+ break;
+ case CKA_NSS_MESSAGE | CKA_DECRYPT:
+ flags = CKF_MESSAGE_DECRYPT;
+ break;
+ case CKA_NSS_MESSAGE | CKA_SIGN:
+ flags = CKF_MESSAGE_SIGN;
+ break;
+ case CKA_NSS_MESSAGE | CKA_VERIFY:
+ flags = CKF_MESSAGE_VERIFY;
+ break;
+ default:
+ break;
+ }
+ return flags;
+}
+
+/*
+ * ******************** Hash Utilities **************************
+ */
+/*
+ * Utility function for converting PSS/OAEP parameter types into
+ * HASH_HashTypes. Note: Only SHA family functions are defined in RFC 3447.
+ */
+HASH_HashType
+sftk_GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
+{
+ switch (mech) {
+ case CKM_SHA_1:
+ case CKG_MGF1_SHA1:
+ return HASH_AlgSHA1;
+ case CKM_SHA224:
+ case CKG_MGF1_SHA224:
+ return HASH_AlgSHA224;
+ case CKM_SHA256:
+ case CKG_MGF1_SHA256:
+ return HASH_AlgSHA256;
+ case CKM_SHA384:
+ case CKG_MGF1_SHA384:
+ return HASH_AlgSHA384;
+ case CKM_SHA512:
+ case CKG_MGF1_SHA512:
+ return HASH_AlgSHA512;
+ default:
+ return HASH_AlgNULL;
+ }
+}
+
+#ifdef NSS_HAS_FIPS_INDICATORS
+/**************** FIPS Indicator Utilities *************************/
+/* sigh, we probably need a version of this in secutil so that both
+ * softoken and NSS can use it */
+static SECOidTag
+sftk_quickGetECCCurveOid(SFTKObject *source)
+{
+ SFTKAttribute *attribute = sftk_FindAttribute(source, CKA_EC_PARAMS);
+ unsigned char *encoded;
+ int len;
+ SECItem oid;
+ SECOidTag tag;
+
+ if (attribute == NULL) {
+ return SEC_OID_UNKNOWN;
+ }
+ encoded = attribute->attrib.pValue;
+ len = attribute->attrib.ulValueLen;
+ if ((len < 2) || (encoded[0] != SEC_ASN1_OBJECT_ID) ||
+ (len != encoded[1] + 2)) {
+ sftk_FreeAttribute(attribute);
+ return SEC_OID_UNKNOWN;
+ }
+ oid.data = encoded + 2;
+ oid.len = len - 2;
+ tag = SECOID_FindOIDTag(&oid);
+ sftk_FreeAttribute(attribute);
+ return tag;
+}
+
+/* This function currently only returns valid lengths for
+ * FIPS approved ECC curves. If we want to make this generic
+ * in the future, that Curve determination can be done in
+ * the sftk_handleSpecial. Since it's currently only used
+ * in FIPS indicators, it's currently only compiled with
+ * the FIPS indicator code */
+static int
+sftk_getKeyLength(SFTKObject *source)
+{
+ CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
+ CK_ATTRIBUTE_TYPE keyAttribute;
+ CK_ULONG keyLength = 0;
+ SFTKAttribute *attribute;
+ CK_RV crv;
+
+ /* If we don't have a key, then it doesn't have a length.
+ * this may be OK (say we are hashing). The mech info will
+ * sort this out because algorithms which expect no keys
+ * will accept zero length for the keys */
+ if (source == NULL) {
+ return 0;
+ }
+
+ crv = sftk_GetULongAttribute(source, CKA_KEY_TYPE, &keyType);
+ if (crv != CKR_OK) {
+ /* sometimes we're passed a data object, in that case the
+ * key length is CKA_VALUE, which is the default */
+ keyType = CKK_INVALID_KEY_TYPE;
+ }
+ if (keyType == CKK_EC) {
+ SECOidTag curve = sftk_quickGetECCCurveOid(source);
+ switch (curve) {
+ case SEC_OID_CURVE25519:
+ /* change when we start algorithm testing on curve25519 */
+ return 0;
+ case SEC_OID_SECG_EC_SECP256R1:
+ return 256;
+ case SEC_OID_SECG_EC_SECP384R1:
+ return 384;
+ case SEC_OID_SECG_EC_SECP521R1:
+ /* this is a lie, but it makes the table easier. We don't
+ * have to have a double entry for every ECC mechanism */
+ return 512;
+ default:
+ break;
+ }
+ /* other curves aren't NIST approved, returning 0 will cause these
+ * curves to fail FIPS length criteria */
+ return 0;
+ }
+
+ switch (keyType) {
+ case CKK_RSA:
+ keyAttribute = CKA_MODULUS;
+ break;
+ case CKK_DSA:
+ case CKK_DH:
+ keyAttribute = CKA_PRIME;
+ break;
+ default:
+ keyAttribute = CKA_VALUE;
+ break;
+ }
+ attribute = sftk_FindAttribute(source, keyAttribute);
+ if (attribute) {
+ keyLength = attribute->attrib.ulValueLen * 8;
+ sftk_FreeAttribute(attribute);
+ }
+ return keyLength;
+}
+
+/*
+ * handle specialized FIPS semantics that are too complicated to
+ * handle with just a table. NOTE: this means any additional semantics
+ * would have to be coded here before they can be added to the table */
+static PRBool
+sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech,
+ SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source)
+{
+ switch (mechInfo->special) {
+ case SFTKFIPSDH: {
+ SECItem dhPrime;
+ const SECItem *dhSubPrime;
+ CK_RV crv = sftk_Attribute2SecItem(NULL, &dhPrime,
+ source, CKA_PRIME);
+ if (crv != CKR_OK) {
+ return PR_FALSE;
+ }
+ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE);
+ SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
+ return (dhSubPrime) ? PR_TRUE : PR_FALSE;
+ }
+ case SFTKFIPSNone:
+ return PR_FALSE;
+ case SFTKFIPSECC:
+ /* we've already handled the curve selection in the 'getlength'
+ * function */
+ return PR_TRUE;
+ case SFTKFIPSAEAD: {
+ if (mech->ulParameterLen == 0) {
+ /* AEAD ciphers are only in FIPS mode if we are using the
+ * MESSAGE interface. This takes an empty parameter
+ * in the init function */
+ return PR_TRUE;
+ }
+ return PR_FALSE;
+ }
+ case SFTKFIPSRSAPSS: {
+ /* PSS salt must not be longer than the underlying hash.
+ * We verify that the underlying hash of the
+ * parameters matches Hash of the combined hash mechanisms, so
+ * we don't need to look at the specific PSS mechanism */
+ CK_RSA_PKCS_PSS_PARAMS *pss = (CK_RSA_PKCS_PSS_PARAMS *)
+ mech->pParameter;
+ const SECHashObject *hashObj = NULL;
+ if (mech->ulParameterLen != sizeof(*pss)) {
+ return PR_FALSE;
+ }
+ /* we use the existing hash utilities to find the length of
+ * the hash */
+ hashObj = HASH_GetRawHashObject(sftk_GetHashTypeFromMechanism(
+ pss->hashAlg));
+ if (hashObj == NULL) {
+ return PR_FALSE;
+ }
+ if (pss->sLen > hashObj->length) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+ }
+ default:
+ break;
+ }
+ /* if we didn't understand the special processing, mark it non-fips */
+ return PR_FALSE;
+}
+#endif
+
+PRBool
+sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
+ SFTKObject *source)
+{
+#ifndef NSS_HAS_FIPS_INDICATORS
+ return PR_FALSE;
+#else
+ int i;
+ CK_FLAGS opFlags;
+ CK_ULONG keyLength;
+
+ /* handle all the quick stuff first */
+ if (!sftk_isFIPS(slot->slotID)) {
+ return PR_FALSE;
+ }
+ if (source && !source->isFIPS) {
+ return PR_FALSE;
+ }
+ if (mech == NULL) {
+ return PR_FALSE;
+ }
+
+ /* now get the calculated values */
+ opFlags = sftk_AttributeToFlags(op);
+ if (opFlags == 0) {
+ return PR_FALSE;
+ }
+ keyLength = sftk_getKeyLength(source);
+
+ /* check against our algorithm array */
+ for (i = 0; i < SFTK_NUMBER_FIPS_ALGORITHMS; i++) {
+ SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
+ /* if we match the number of records exactly, then we are an
+ * approved algorithm in the approved mode with an approved key */
+ if (((mech->mechanism == mechs->type) &&
+ (opFlags == (mechs->info.flags & opFlags)) &&
+ (keyLength <= mechs->info.ulMaxKeySize) &&
+ (keyLength >= mechs->info.ulMinKeySize) &&
+ ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
+ ((mechs->special == SFTKFIPSNone) ||
+ sftk_handleSpecial(slot, mech, mechs, source))) {
+ return PR_TRUE;
+ }
+ }
+ return PR_FALSE;
+#endif
+}
+
+/*
+ * create the FIPS Validation objects. If the vendor
+ * doesn't supply an NSS_FIPS_MODULE_ID, at compile time,
+ * then we assumethis is an unvalidated module.
+ */
+CK_RV
+sftk_CreateValidationObjects(SFTKSlot *slot)
+{
+ const char *module_id;
+ int module_id_len;
+ CK_RV crv = CKR_OK;
+ /* we currently use vendor specific values until the validation
+ * objects are approved for PKCS #11 v3.2. */
+ CK_OBJECT_CLASS cko_validation = CKO_NSS_VALIDATION;
+ CK_NSS_VALIDATION_TYPE ckv_fips = CKV_NSS_FIPS_140;
+ CK_VERSION fips_version = { 3, 0 }; /* FIPS-140-3 */
+ CK_ULONG fips_level = 1; /* or 2 if you validated at level 2 */
+
+#ifndef NSS_FIPS_MODULE_ID
+#define NSS_FIPS_MODULE_ID "Generic NSS " SOFTOKEN_VERSION " Unvalidated"
+#endif
+ module_id = NSS_FIPS_MODULE_ID;
+ module_id_len = sizeof(NSS_FIPS_MODULE_ID) - 1;
+ SFTKObject *object;
+
+ object = sftk_NewObject(slot); /* fill in the handle later */
+ if (object == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ object->isFIPS = PR_FALSE;
+
+ crv = sftk_AddAttributeType(object, CKA_CLASS,
+ &cko_validation, sizeof(cko_validation));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_TYPE,
+ &ckv_fips, sizeof(ckv_fips));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_VERSION,
+ &fips_version, sizeof(fips_version));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_LEVEL,
+ &fips_level, sizeof(fips_level));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_MODULE_ID,
+ module_id, module_id_len);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* future, fill in validation certificate information from a supplied
+ * pointer to a config file */
+ object->handle = sftk_getNextHandle(slot);
+ object->slot = slot;
+ sftk_AddObject(&slot->moduleObjects, object);
+loser:
+ sftk_FreeObject(object);
+ return crv;
+}
diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c
new file mode 100644
index 0000000000..548cf42537
--- /dev/null
+++ b/security/nss/lib/softoken/sdb.c
@@ -0,0 +1,2469 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+
+#include "sdb.h"
+#include "pkcs11t.h"
+#include "seccomon.h"
+#include <sqlite3.h>
+#include "prthread.h"
+#include "prio.h"
+#include <stdio.h>
+#include "secport.h"
+#include "prmon.h"
+#include "prenv.h"
+#include "prprf.h"
+#include "prsystem.h" /* for PR_GetDirectorySeparator() */
+#include <sys/stat.h>
+#if defined(_WIN32)
+#include <io.h>
+#include <windows.h>
+#elif defined(XP_UNIX)
+#include <unistd.h>
+#endif
+#if defined(LINUX) && !defined(ANDROID)
+#include <linux/magic.h>
+#include <sys/vfs.h>
+#endif
+#include "utilpars.h"
+
+#ifdef SQLITE_UNSAFE_THREADS
+#include "prlock.h"
+/*
+ * SQLite can be compiled to be thread safe or not.
+ * turn on SQLITE_UNSAFE_THREADS if the OS does not support
+ * a thread safe version of sqlite.
+ */
+static PRLock *sqlite_lock = NULL;
+
+#define LOCK_SQLITE() PR_Lock(sqlite_lock);
+#define UNLOCK_SQLITE() PR_Unlock(sqlite_lock);
+#else
+#define LOCK_SQLITE()
+#define UNLOCK_SQLITE()
+#endif
+
+typedef enum {
+ SDB_CERT = 1,
+ SDB_KEY = 2
+} sdbDataType;
+
+/*
+ * defines controlling how long we wait to acquire locks.
+ *
+ * SDB_SQLITE_BUSY_TIMEOUT specifies how long (in milliseconds)
+ * sqlite will wait on lock. If that timeout expires, sqlite will
+ * return SQLITE_BUSY.
+ * SDB_BUSY_RETRY_TIME specifies how many seconds the sdb_ code waits
+ * after receiving a busy before retrying.
+ * SDB_MAX_BUSY_RETRIES specifies how many times the sdb_ will retry on
+ * a busy condition.
+ *
+ * SDB_SQLITE_BUSY_TIMEOUT affects all opertions, both manual
+ * (prepare/step/reset/finalize) and automatic (sqlite3_exec()).
+ * SDB_BUSY_RETRY_TIME and SDB_MAX_BUSY_RETRIES only affect manual operations
+ *
+ * total wait time for automatic operations:
+ * 1 second (SDB_SQLITE_BUSY_TIMEOUT/1000).
+ * total wait time for manual operations:
+ * (1 second + SDB_BUSY_RETRY_TIME) * 30 = 30 seconds.
+ * (SDB_SQLITE_BUSY_TIMEOUT/1000 + SDB_BUSY_RETRY_TIME)*SDB_MAX_BUSY_RETRIES
+ */
+#define SDB_SQLITE_BUSY_TIMEOUT 1000 /* milliseconds */
+#define SDB_BUSY_RETRY_TIME 5 /* 'ticks', varies by platforms */
+#define SDB_MAX_BUSY_RETRIES 30
+
+/*
+ * known attributes
+ */
+static const CK_ATTRIBUTE_TYPE known_attributes[] = {
+ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION,
+ CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER,
+ CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED,
+ CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL,
+ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY,
+ CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE,
+ CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER,
+ CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE,
+ CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT,
+ CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT,
+ CKA_PUBLIC_KEY_INFO, CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS,
+ CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE,
+ CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE,
+ CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS,
+ CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_HW_FEATURE_TYPE,
+ CKA_RESET_ON_INIT, CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y,
+ CKA_RESOLUTION, CKA_CHAR_ROWS, CKA_CHAR_COLUMNS, CKA_COLOR,
+ CKA_BITS_PER_PIXEL, CKA_CHAR_SETS, CKA_ENCODING_METHODS, CKA_MIME_TYPES,
+ CKA_MECHANISM_TYPE, CKA_REQUIRED_CMS_ATTRIBUTES,
+ CKA_DEFAULT_CMS_ATTRIBUTES, CKA_SUPPORTED_CMS_ATTRIBUTES,
+ CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, CKA_NSS_TRUST, CKA_NSS_URL,
+ CKA_NSS_EMAIL, CKA_NSS_SMIME_INFO, CKA_NSS_SMIME_TIMESTAMP,
+ CKA_NSS_PKCS8_SALT, CKA_NSS_PASSWORD_CHECK, CKA_NSS_EXPIRES,
+ CKA_NSS_KRL, CKA_NSS_PQG_COUNTER, CKA_NSS_PQG_SEED,
+ CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS, CKA_NSS_MODULE_SPEC,
+ CKA_NSS_OVERRIDE_EXTENSIONS, CKA_NSS_SERVER_DISTRUST_AFTER,
+ CKA_NSS_EMAIL_DISTRUST_AFTER, CKA_TRUST_DIGITAL_SIGNATURE,
+ CKA_TRUST_NON_REPUDIATION, CKA_TRUST_KEY_ENCIPHERMENT,
+ CKA_TRUST_DATA_ENCIPHERMENT, CKA_TRUST_KEY_AGREEMENT,
+ CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN, CKA_TRUST_SERVER_AUTH,
+ CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION,
+ CKA_TRUST_IPSEC_END_SYSTEM, CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER,
+ CKA_TRUST_TIME_STAMPING, CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH,
+ CKA_CERT_MD5_HASH, CKA_NSS_DB
+};
+
+static const int known_attributes_size = PR_ARRAY_SIZE(known_attributes);
+
+/*
+ * Note on use of sqlReadDB: Only one thread at a time may have an actual
+ * operation going on given sqlite3 * database. An operation is defined as
+ * the time from a sqlite3_prepare() until the sqlite3_finalize().
+ * Multiple sqlite3 * databases can be open and have simultaneous operations
+ * going. We use the sqlXactDB for all write operations. This database
+ * is only opened when we first create a transaction and closed when the
+ * transaction is complete. sqlReadDB is open when we first opened the database
+ * and is used for all read operation. It's use is protected by a monitor. This
+ * is because an operation can span the use of FindObjectsInit() through the
+ * call to FindObjectsFinal(). In the intermediate time it is possible to call
+ * other operations like NSC_GetAttributeValue */
+
+struct SDBPrivateStr {
+ char *sqlDBName; /* invariant, path to this database */
+ sqlite3 *sqlXactDB; /* access protected by dbMon, use protected
+ * by the transaction. Current transaction db*/
+ PRThread *sqlXactThread; /* protected by dbMon,
+ * current transaction thread */
+ sqlite3 *sqlReadDB; /* use protected by dbMon, value invariant */
+ PRIntervalTime lastUpdateTime; /* last time the cache was updated */
+ PRIntervalTime updateInterval; /* how long the cache can go before it
+ * must be updated again */
+ sdbDataType type; /* invariant, database type */
+ char *table; /* invariant, SQL table which contains the db */
+ char *cacheTable; /* invariant, SQL table cache of db */
+ PRMonitor *dbMon; /* invariant, monitor to protect
+ * sqlXact* fields, and use of the sqlReadDB */
+ CK_ATTRIBUTE_TYPE *schemaAttrs; /* Attribute columns that exist in the table. */
+ unsigned int numSchemaAttrs;
+};
+
+typedef struct SDBPrivateStr SDBPrivate;
+
+/* Magic for an explicit NULL. NOTE: ideally this should be
+ * out of band data. Since it's not completely out of band, pick
+ * a value that has no meaning to any existing PKCS #11 attributes.
+ * This value is 1) not a valid string (imbedded '\0'). 2) not a U_LONG
+ * or a normal key (too short). 3) not a bool (too long). 4) not an RSA
+ * public exponent (too many bits).
+ */
+const unsigned char SQLITE_EXPLICIT_NULL[] = { 0xa5, 0x0, 0x5a };
+#define SQLITE_EXPLICIT_NULL_LEN 3
+
+/*
+ * determine when we've completed our tasks
+ */
+static int
+sdb_done(int err, int *count)
+{
+ /* allow as many rows as the database wants to give */
+ if (err == SQLITE_ROW) {
+ *count = 0;
+ return 0;
+ }
+ if (err != SQLITE_BUSY) {
+ return 1;
+ }
+ /* err == SQLITE_BUSY, Dont' retry forever in this case */
+ if (++(*count) >= SDB_MAX_BUSY_RETRIES) {
+ return 1;
+ }
+ return 0;
+}
+
+#if defined(_WIN32)
+/*
+ * NSPR functions and narrow CRT functions do not handle UTF-8 file paths that
+ * sqlite3 expects.
+ */
+
+static int
+sdb_chmod(const char *filename, int pmode)
+{
+ int result;
+
+ if (!filename) {
+ return -1;
+ }
+
+ wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename);
+ if (!filenameWide) {
+ return -1;
+ }
+ result = _wchmod(filenameWide, pmode);
+ PORT_Free(filenameWide);
+
+ return result;
+}
+#else
+#define sdb_chmod(filename, pmode) chmod((filename), (pmode))
+#endif
+
+/*
+ * find out where sqlite stores the temp tables. We do this by replicating
+ * the logic from sqlite.
+ */
+#if defined(_WIN32)
+static char *
+sdb_getFallbackTempDir(void)
+{
+ /* sqlite uses sqlite3_temp_directory if it is not NULL. We don't have
+ * access to sqlite3_temp_directory because it is not exported from
+ * sqlite3.dll. Assume sqlite3_win32_set_directory isn't called and
+ * sqlite3_temp_directory is NULL.
+ */
+ char path[MAX_PATH];
+ DWORD rv;
+ size_t len;
+
+ rv = GetTempPathA(MAX_PATH, path);
+ if (rv > MAX_PATH || rv == 0)
+ return NULL;
+ len = strlen(path);
+ if (len == 0)
+ return NULL;
+ /* The returned string ends with a backslash, for example, "C:\TEMP\". */
+ if (path[len - 1] == '\\')
+ path[len - 1] = '\0';
+ return PORT_Strdup(path);
+}
+#elif defined(XP_UNIX)
+static char *
+sdb_getFallbackTempDir(void)
+{
+ const char *azDirs[] = {
+ NULL,
+ NULL,
+ "/var/tmp",
+ "/usr/tmp",
+ "/tmp",
+ NULL /* List terminator */
+ };
+ unsigned int i;
+ struct stat buf;
+ const char *zDir = NULL;
+
+ azDirs[0] = sqlite3_temp_directory;
+ azDirs[1] = PR_GetEnvSecure("TMPDIR");
+
+ for (i = 0; i < PR_ARRAY_SIZE(azDirs); i++) {
+ zDir = azDirs[i];
+ if (zDir == NULL)
+ continue;
+ if (stat(zDir, &buf))
+ continue;
+ if (!S_ISDIR(buf.st_mode))
+ continue;
+ if (access(zDir, 07))
+ continue;
+ break;
+ }
+
+ if (zDir == NULL)
+ return NULL;
+ return PORT_Strdup(zDir);
+}
+#else
+#error "sdb_getFallbackTempDir not implemented"
+#endif
+
+#ifndef SQLITE_FCNTL_TEMPFILENAME
+/* SQLITE_FCNTL_TEMPFILENAME was added in SQLite 3.7.15 */
+#define SQLITE_FCNTL_TEMPFILENAME 16
+#endif
+
+static char *
+sdb_getTempDir(sqlite3 *sqlDB)
+{
+ int sqlrv;
+ char *result = NULL;
+ char *tempName = NULL;
+ char *foundSeparator = NULL;
+
+ /* Obtain temporary filename in sqlite's directory for temporary tables */
+ sqlrv = sqlite3_file_control(sqlDB, 0, SQLITE_FCNTL_TEMPFILENAME,
+ (void *)&tempName);
+ if (sqlrv == SQLITE_NOTFOUND) {
+ /* SQLITE_FCNTL_TEMPFILENAME not implemented because we are using
+ * an older SQLite. */
+ return sdb_getFallbackTempDir();
+ }
+ if (sqlrv != SQLITE_OK) {
+ return NULL;
+ }
+
+ /* We'll extract the temporary directory from tempName */
+ foundSeparator = PORT_Strrchr(tempName, PR_GetDirectorySeparator());
+ if (foundSeparator) {
+ /* We shorten the temp filename string to contain only
+ * the directory name (including the trailing separator).
+ * We know the byte after the foundSeparator position is
+ * safe to use, in the shortest scenario it contains the
+ * end-of-string byte.
+ * By keeping the separator at the found position, it will
+ * even work if tempDir consists of the separator, only.
+ * (In this case the toplevel directory will be used for
+ * access speed testing). */
+ ++foundSeparator;
+ *foundSeparator = 0;
+
+ /* Now we copy the directory name for our caller */
+ result = PORT_Strdup(tempName);
+ }
+
+ sqlite3_free(tempName);
+ return result;
+}
+
+/*
+ * Map SQL_LITE errors to PKCS #11 errors as best we can.
+ */
+static CK_RV
+sdb_mapSQLError(sdbDataType type, int sqlerr)
+{
+ switch (sqlerr) {
+ /* good matches */
+ case SQLITE_OK:
+ case SQLITE_DONE:
+ return CKR_OK;
+ case SQLITE_NOMEM:
+ return CKR_HOST_MEMORY;
+ case SQLITE_READONLY:
+ return CKR_TOKEN_WRITE_PROTECTED;
+ /* close matches */
+ case SQLITE_AUTH:
+ case SQLITE_PERM:
+ /*return CKR_USER_NOT_LOGGED_IN; */
+ case SQLITE_CANTOPEN:
+ case SQLITE_NOTFOUND:
+ /* NSS distiguishes between failure to open the cert and the key db */
+ return type == SDB_CERT ? CKR_NSS_CERTDB_FAILED : CKR_NSS_KEYDB_FAILED;
+ case SQLITE_IOERR:
+ return CKR_DEVICE_ERROR;
+ default:
+ break;
+ }
+ return CKR_GENERAL_ERROR;
+}
+
+/*
+ * build up database name from a directory, prefix, name, version and flags.
+ */
+static char *
+sdb_BuildFileName(const char *directory,
+ const char *prefix, const char *type,
+ int version)
+{
+ char *dbname = NULL;
+ /* build the full dbname */
+ dbname = sqlite3_mprintf("%s%c%s%s%d.db", directory,
+ (int)(unsigned char)PR_GetDirectorySeparator(),
+ prefix, type, version);
+ return dbname;
+}
+
+/*
+ * find out how expensive the access system call is for non-existant files
+ * in the given directory. Return the number of operations done in 33 ms.
+ */
+static PRUint32
+sdb_measureAccess(const char *directory)
+{
+ PRUint32 i;
+ PRIntervalTime time;
+ PRIntervalTime delta;
+ PRIntervalTime duration = PR_MillisecondsToInterval(33);
+ const char *doesntExistName = "_dOeSnotExist_.db";
+ char *temp, *tempStartOfFilename;
+ size_t maxTempLen, maxFileNameLen, directoryLength, tmpdirLength = 0;
+#ifdef SDB_MEASURE_USE_TEMP_DIR
+ /*
+ * on some OS's and Filesystems, creating a bunch of files and deleting
+ * them messes up the systems's caching, but if we create the files in
+ * a temp directory which we later delete, then the cache gets cleared
+ * up. This code uses several OS dependent calls, and it's not clear
+ * that temp directory use won't mess up other filesystems and OS caching,
+ * so if you need this for your OS, you can turn on the
+ * 'SDB_MEASURE_USE_TEMP_DIR' define in coreconf
+ */
+ const char template[] = "dbTemp.XXXXXX";
+ tmpdirLength = sizeof(template);
+#endif
+ /* no directory, just return one */
+ if (directory == NULL) {
+ return 1;
+ }
+
+ /* our calculation assumes time is a 4 bytes == 32 bit integer */
+ PORT_Assert(sizeof(time) == 4);
+
+ directoryLength = strlen(directory);
+
+ maxTempLen = directoryLength + 1 /* dirname + / */
+ + tmpdirLength /* tmpdirname includes / */
+ + strlen(doesntExistName) /* filename base */
+ + 11 /* max chars for 32 bit int plus potential sign */
+ + 1; /* zero terminator */
+
+ temp = PORT_ZAlloc(maxTempLen);
+ if (!temp) {
+ return 1;
+ }
+
+ /* We'll copy directory into temp just once, then ensure it ends
+ * with the directory separator. */
+
+ strcpy(temp, directory);
+ if (directory[directoryLength - 1] != PR_GetDirectorySeparator()) {
+ temp[directoryLength++] = PR_GetDirectorySeparator();
+ }
+
+#ifdef SDB_MEASURE_USE_TEMP_DIR
+ /* add the template for a temporary subdir, and create it */
+ strcat(temp, template);
+ if (!mkdtemp(temp)) {
+ PORT_Free(temp);
+ return 1;
+ }
+ /* and terminate that tmp subdir with a / */
+ strcat(temp, "/");
+#endif
+
+ /* Remember the position after the last separator, and calculate the
+ * number of remaining bytes. */
+ tempStartOfFilename = temp + directoryLength + tmpdirLength;
+ maxFileNameLen = maxTempLen - directoryLength;
+
+ /* measure number of Access operations that can be done in 33 milliseconds
+ * (1/30'th of a second), or 10000 operations, which ever comes first.
+ */
+ time = PR_IntervalNow();
+ for (i = 0; i < 10000u; i++) {
+ PRIntervalTime next;
+
+ /* We'll use the variable part first in the filename string, just in
+ * case it's longer than assumed, so if anything gets cut off, it
+ * will be cut off from the constant part.
+ * This code assumes the directory name at the beginning of
+ * temp remains unchanged during our loop. */
+ PR_snprintf(tempStartOfFilename, maxFileNameLen,
+ ".%lu%s", (PRUint32)(time + i), doesntExistName);
+ PR_Access(temp, PR_ACCESS_EXISTS);
+ next = PR_IntervalNow();
+ delta = next - time;
+ if (delta >= duration)
+ break;
+ }
+
+#ifdef SDB_MEASURE_USE_TEMP_DIR
+ /* turn temp back into our tmpdir path by removing doesntExistName, and
+ * remove the tmp dir */
+ *tempStartOfFilename = '\0';
+ (void)rmdir(temp);
+#endif
+ PORT_Free(temp);
+
+ /* always return 1 or greater */
+ return i ? i : 1u;
+}
+
+/*
+ * some file sytems are very slow to run sqlite3 on, particularly if the
+ * access count is pretty high. On these filesystems is faster to create
+ * a temporary database on the local filesystem and access that. This
+ * code uses a temporary table to create that cache. Temp tables are
+ * automatically cleared when the database handle it was created on
+ * Is freed.
+ */
+static const char DROP_CACHE_CMD[] = "DROP TABLE %s";
+static const char CREATE_CACHE_CMD[] =
+ "CREATE TEMPORARY TABLE %s AS SELECT * FROM %s";
+static const char CREATE_ISSUER_INDEX_CMD[] =
+ "CREATE INDEX issuer ON %s (a81)";
+static const char CREATE_SUBJECT_INDEX_CMD[] =
+ "CREATE INDEX subject ON %s (a101)";
+static const char CREATE_LABEL_INDEX_CMD[] = "CREATE INDEX label ON %s (a3)";
+static const char CREATE_ID_INDEX_CMD[] = "CREATE INDEX ckaid ON %s (a102)";
+
+static CK_RV
+sdb_buildCache(sqlite3 *sqlDB, sdbDataType type,
+ const char *cacheTable, const char *table)
+{
+ char *newStr;
+ int sqlerr = SQLITE_OK;
+
+ newStr = sqlite3_mprintf(CREATE_CACHE_CMD, cacheTable, table);
+ if (newStr == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ if (sqlerr != SQLITE_OK) {
+ return sdb_mapSQLError(type, sqlerr);
+ }
+ /* failure to create the indexes is not an issue */
+ newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, cacheTable);
+ if (newStr == NULL) {
+ return CKR_OK;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, cacheTable);
+ if (newStr == NULL) {
+ return CKR_OK;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, cacheTable);
+ if (newStr == NULL) {
+ return CKR_OK;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ newStr = sqlite3_mprintf(CREATE_ID_INDEX_CMD, cacheTable);
+ if (newStr == NULL) {
+ return CKR_OK;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ return CKR_OK;
+}
+
+/*
+ * update the cache and the data records describing it.
+ * The cache is updated by dropping the temp database and recreating it.
+ */
+static CK_RV
+sdb_updateCache(SDBPrivate *sdb_p)
+{
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ char *newStr;
+
+ /* drop the old table */
+ newStr = sqlite3_mprintf(DROP_CACHE_CMD, sdb_p->cacheTable);
+ if (newStr == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ sqlerr = sqlite3_exec(sdb_p->sqlReadDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ if ((sqlerr != SQLITE_OK) && (sqlerr != SQLITE_ERROR)) {
+ /* something went wrong with the drop, don't try to refresh...
+ * NOTE: SQLITE_ERROR is returned if the table doesn't exist. In
+ * that case, we just continue on and try to reload it */
+ return sdb_mapSQLError(sdb_p->type, sqlerr);
+ }
+
+ /* set up the new table */
+ error = sdb_buildCache(sdb_p->sqlReadDB, sdb_p->type,
+ sdb_p->cacheTable, sdb_p->table);
+ if (error == CKR_OK) {
+ /* we have a new cache! */
+ sdb_p->lastUpdateTime = PR_IntervalNow();
+ }
+ return error;
+}
+
+/*
+ * The sharing of sqlite3 handles across threads is tricky. Older versions
+ * couldn't at all, but newer ones can under strict conditions. Basically
+ * no 2 threads can use the same handle while another thread has an open
+ * stmt running. Once the sqlite3_stmt is finalized, another thread can then
+ * use the database handle.
+ *
+ * We use monitors to protect against trying to use a database before
+ * it's sqlite3_stmt is finalized. This is preferable to the opening and
+ * closing the database each operation because there is significant overhead
+ * in the open and close. Also continually opening and closing the database
+ * defeats the cache code as the cache table is lost on close (thus
+ * requiring us to have to reinitialize the cache every operation).
+ *
+ * An execption to the shared handle is transations. All writes happen
+ * through a transaction. When we are in a transaction, we must use the
+ * same database pointer for that entire transation. In this case we save
+ * the transaction database and use it for all accesses on the transaction
+ * thread. Other threads use the common database.
+ *
+ * There can only be once active transaction on the database at a time.
+ *
+ * sdb_openDBLocal() provides us with a valid database handle for whatever
+ * state we are in (reading or in a transaction), and acquires any locks
+ * appropriate to that state. It also decides when it's time to refresh
+ * the cache before we start an operation. Any database handle returned
+ * just eventually be closed with sdb_closeDBLocal().
+ *
+ * The table returned either points to the database's physical table, or
+ * to the cached shadow. Tranactions always return the physical table
+ * and read operations return either the physical table or the cache
+ * depending on whether or not the cache exists.
+ */
+static CK_RV
+sdb_openDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB, const char **table)
+{
+ *sqlDB = NULL;
+
+ PR_EnterMonitor(sdb_p->dbMon);
+
+ if (table) {
+ *table = sdb_p->table;
+ }
+
+ /* We're in a transaction, use the transaction DB */
+ if ((sdb_p->sqlXactDB) && (sdb_p->sqlXactThread == PR_GetCurrentThread())) {
+ *sqlDB = sdb_p->sqlXactDB;
+ /* only one thread can get here, safe to unlock */
+ PR_ExitMonitor(sdb_p->dbMon);
+ return CKR_OK;
+ }
+
+ /*
+ * if we are just reading from the table, we may have the table
+ * cached in a temporary table (especially if it's on a shared FS).
+ * In that case we want to see updates to the table, the the granularity
+ * is on order of human scale, not computer scale.
+ */
+ if (table && sdb_p->cacheTable) {
+ PRIntervalTime now = PR_IntervalNow();
+ if ((now - sdb_p->lastUpdateTime) > sdb_p->updateInterval) {
+ sdb_updateCache(sdb_p);
+ }
+ *table = sdb_p->cacheTable;
+ }
+
+ *sqlDB = sdb_p->sqlReadDB;
+
+ /* leave holding the lock. only one thread can actually use a given
+ * database connection at once */
+
+ return CKR_OK;
+}
+
+/* closing the local database currenly means unlocking the monitor */
+static CK_RV
+sdb_closeDBLocal(SDBPrivate *sdb_p, sqlite3 *sqlDB)
+{
+ if (sdb_p->sqlXactDB != sqlDB) {
+ /* if we weren't in a transaction, we got a lock */
+ PR_ExitMonitor(sdb_p->dbMon);
+ }
+ return CKR_OK;
+}
+
+/*
+ * wrapper to sqlite3_open which also sets the busy_timeout
+ */
+static int
+sdb_openDB(const char *name, sqlite3 **sqlDB, int flags)
+{
+ int sqlerr;
+ int openFlags;
+
+ *sqlDB = NULL;
+
+ if (flags & SDB_RDONLY) {
+ openFlags = SQLITE_OPEN_READONLY;
+ } else {
+ openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
+ /* sqlite 3.34 seem to incorrectly open readwrite.
+ * when the file is readonly. Explicitly reject that issue here */
+ if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
+ return SQLITE_READONLY;
+ }
+ }
+
+ /* Requires SQLite 3.5.0 or newer. */
+ sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
+ if (sqlerr != SQLITE_OK) {
+ return sqlerr;
+ }
+
+ sqlerr = sqlite3_busy_timeout(*sqlDB, SDB_SQLITE_BUSY_TIMEOUT);
+ if (sqlerr != SQLITE_OK) {
+ sqlite3_close(*sqlDB);
+ *sqlDB = NULL;
+ return sqlerr;
+ }
+ return SQLITE_OK;
+}
+
+/* Sigh, if we created a new table since we opened the database,
+ * the database handle will not see the new table, we need to close this
+ * database and reopen it. Caller must be in a transaction or holding
+ * the dbMon. sqlDB is changed on success. */
+static int
+sdb_reopenDBLocal(SDBPrivate *sdb_p, sqlite3 **sqlDB)
+{
+ sqlite3 *newDB;
+ int sqlerr;
+
+ /* open a new database */
+ sqlerr = sdb_openDB(sdb_p->sqlDBName, &newDB, SDB_RDONLY);
+ if (sqlerr != SQLITE_OK) {
+ return sqlerr;
+ }
+
+ /* if we are in a transaction, we may not be holding the monitor.
+ * grab it before we update the transaction database. This is
+ * safe since are using monitors. */
+ PR_EnterMonitor(sdb_p->dbMon);
+ /* update our view of the database */
+ if (sdb_p->sqlReadDB == *sqlDB) {
+ sdb_p->sqlReadDB = newDB;
+ } else if (sdb_p->sqlXactDB == *sqlDB) {
+ sdb_p->sqlXactDB = newDB;
+ }
+ PR_ExitMonitor(sdb_p->dbMon);
+
+ /* close the old one */
+ sqlite3_close(*sqlDB);
+
+ *sqlDB = newDB;
+ return SQLITE_OK;
+}
+
+struct SDBFindStr {
+ sqlite3 *sqlDB;
+ sqlite3_stmt *findstmt;
+};
+
+static const char FIND_OBJECTS_CMD[] = "SELECT ALL id FROM %s WHERE %s;";
+static const char FIND_OBJECTS_ALL_CMD[] = "SELECT ALL id FROM %s;";
+CK_RV
+sdb_FindObjectsInit(SDB *sdb, const CK_ATTRIBUTE *template, CK_ULONG count,
+ SDBFind **find)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = NULL;
+ const char *table;
+ char *newStr, *findStr = NULL;
+ sqlite3_stmt *findstmt = NULL;
+ char *join = "";
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ unsigned int i;
+
+ LOCK_SQLITE()
+ *find = NULL;
+ error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+
+ findStr = sqlite3_mprintf("");
+ for (i = 0; findStr && i < count; i++) {
+ newStr = sqlite3_mprintf("%s%sa%x=$DATA%d", findStr, join,
+ template[i].type, i);
+ join = " AND ";
+ sqlite3_free(findStr);
+ findStr = newStr;
+ }
+
+ if (findStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ if (count == 0) {
+ newStr = sqlite3_mprintf(FIND_OBJECTS_ALL_CMD, table);
+ } else {
+ newStr = sqlite3_mprintf(FIND_OBJECTS_CMD, table, findStr);
+ }
+ sqlite3_free(findStr);
+ if (newStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &findstmt, NULL);
+ sqlite3_free(newStr);
+ for (i = 0; sqlerr == SQLITE_OK && i < count; i++) {
+ const void *blobData = template[i].pValue;
+ unsigned int blobSize = template[i].ulValueLen;
+ if (blobSize == 0) {
+ blobSize = SQLITE_EXPLICIT_NULL_LEN;
+ blobData = SQLITE_EXPLICIT_NULL;
+ }
+ sqlerr = sqlite3_bind_blob(findstmt, i + 1, blobData, blobSize,
+ SQLITE_TRANSIENT);
+ }
+ if (sqlerr == SQLITE_OK) {
+ *find = PORT_New(SDBFind);
+ if (*find == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ (*find)->findstmt = findstmt;
+ (*find)->sqlDB = sqlDB;
+ UNLOCK_SQLITE()
+ return CKR_OK;
+ }
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+
+loser:
+ if (findstmt) {
+ sqlite3_reset(findstmt);
+ sqlite3_finalize(findstmt);
+ }
+ if (sqlDB) {
+ sdb_closeDBLocal(sdb_p, sqlDB);
+ }
+ UNLOCK_SQLITE()
+ return error;
+}
+
+CK_RV
+sdb_FindObjects(SDB *sdb, SDBFind *sdbFind, CK_OBJECT_HANDLE *object,
+ CK_ULONG arraySize, CK_ULONG *count)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3_stmt *stmt = sdbFind->findstmt;
+ int sqlerr = SQLITE_OK;
+ int retry = 0;
+
+ *count = 0;
+
+ if (arraySize == 0) {
+ return CKR_OK;
+ }
+ LOCK_SQLITE()
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ if (sqlerr == SQLITE_ROW) {
+ /* only care about the id */
+ *object++ = sqlite3_column_int(stmt, 0);
+ arraySize--;
+ (*count)++;
+ }
+ } while (!sdb_done(sqlerr, &retry) && (arraySize > 0));
+
+ /* we only have some of the objects, there is probably more,
+ * set the sqlerr to an OK value so we return CKR_OK */
+ if (sqlerr == SQLITE_ROW && arraySize == 0) {
+ sqlerr = SQLITE_DONE;
+ }
+ UNLOCK_SQLITE()
+
+ return sdb_mapSQLError(sdb_p->type, sqlerr);
+}
+
+CK_RV
+sdb_FindObjectsFinal(SDB *sdb, SDBFind *sdbFind)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3_stmt *stmt = sdbFind->findstmt;
+ sqlite3 *sqlDB = sdbFind->sqlDB;
+ int sqlerr = SQLITE_OK;
+
+ LOCK_SQLITE()
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlerr = sqlite3_finalize(stmt);
+ }
+ if (sqlDB) {
+ sdb_closeDBLocal(sdb_p, sqlDB);
+ }
+ PORT_Free(sdbFind);
+
+ UNLOCK_SQLITE()
+ return sdb_mapSQLError(sdb_p->type, sqlerr);
+}
+
+static CK_RV
+sdb_GetValidAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id,
+ CK_ATTRIBUTE *template, CK_ULONG count)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = NULL;
+ sqlite3_stmt *stmt = NULL;
+ const char *table = NULL;
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ int found = 0;
+ int retry = 0;
+ unsigned int i;
+
+ if (count == 0) {
+ error = CKR_OBJECT_HANDLE_INVALID;
+ goto loser;
+ }
+
+ /* open a new db if necessary */
+ error = sdb_openDBLocal(sdb_p, &sqlDB, &table);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+
+ char *columns = NULL;
+ for (i = 0; i < count; i++) {
+ char *newColumns;
+ if (columns) {
+ newColumns = sqlite3_mprintf("%s, a%x", columns, template[i].type);
+ sqlite3_free(columns);
+ columns = NULL;
+ } else {
+ newColumns = sqlite3_mprintf("a%x", template[i].type);
+ }
+ if (!newColumns) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ columns = newColumns;
+ }
+
+ PORT_Assert(columns);
+
+ char *statement = sqlite3_mprintf("SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;",
+ columns, table);
+ sqlite3_free(columns);
+ columns = NULL;
+ if (!statement) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ sqlerr = sqlite3_prepare_v2(sqlDB, statement, -1, &stmt, NULL);
+ sqlite3_free(statement);
+ statement = NULL;
+ if (sqlerr != SQLITE_OK) {
+ goto loser;
+ }
+
+ // NB: indices in sqlite3_bind_int are 1-indexed
+ sqlerr = sqlite3_bind_int(stmt, 1, object_id);
+ if (sqlerr != SQLITE_OK) {
+ goto loser;
+ }
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ if (sqlerr == SQLITE_ROW) {
+ PORT_Assert(!found);
+ for (i = 0; i < count; i++) {
+ unsigned int blobSize;
+ const char *blobData;
+
+ // NB: indices in sqlite_column_{bytes,blob} are 0-indexed
+ blobSize = sqlite3_column_bytes(stmt, i);
+ blobData = sqlite3_column_blob(stmt, i);
+ if (blobData == NULL) {
+ /* PKCS 11 requires that get attributes process all the
+ * attributes in the template, marking the attributes with
+ * issues with -1. Mark the error but continue */
+ template[i].ulValueLen = -1;
+ error = CKR_ATTRIBUTE_TYPE_INVALID;
+ continue;
+ }
+ /* If the blob equals our explicit NULL value, then the
+ * attribute is a NULL. */
+ if ((blobSize == SQLITE_EXPLICIT_NULL_LEN) &&
+ (PORT_Memcmp(blobData, SQLITE_EXPLICIT_NULL,
+ SQLITE_EXPLICIT_NULL_LEN) == 0)) {
+ blobSize = 0;
+ }
+ if (template[i].pValue) {
+ if (template[i].ulValueLen < blobSize) {
+ /* like CKR_ATTRIBUTE_TYPE_INVALID, continue processing */
+ template[i].ulValueLen = -1;
+ error = CKR_BUFFER_TOO_SMALL;
+ continue;
+ }
+ PORT_Memcpy(template[i].pValue, blobData, blobSize);
+ }
+ template[i].ulValueLen = blobSize;
+ }
+ found = 1;
+ }
+ } while (!sdb_done(sqlerr, &retry));
+
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ stmt = NULL;
+
+loser:
+ /* fix up the error if necessary */
+ if (error == CKR_OK) {
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+ if (!found && error == CKR_OK) {
+ error = CKR_OBJECT_HANDLE_INVALID;
+ }
+ }
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+ /* if we had to open a new database, free it now */
+ if (sqlDB) {
+ sdb_closeDBLocal(sdb_p, sqlDB);
+ }
+ return error;
+}
+
+/* NOTE: requires sdb_p->schemaAttrs to be sorted asc. */
+inline static PRBool
+sdb_attributeExists(SDB *sdb, CK_ATTRIBUTE_TYPE attr)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ int first = 0;
+ int last = (int)sdb_p->numSchemaAttrs - 1;
+ while (last >= first) {
+ int mid = first + (last - first) / 2;
+ if (sdb_p->schemaAttrs[mid] == attr) {
+ return PR_TRUE;
+ }
+ if (attr > sdb_p->schemaAttrs[mid]) {
+ first = mid + 1;
+ } else {
+ last = mid - 1;
+ }
+ }
+
+ return PR_FALSE;
+}
+
+CK_RV
+sdb_GetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
+ CK_ATTRIBUTE *template, CK_ULONG count)
+{
+ CK_RV crv = CKR_OK;
+ unsigned int tmplIdx;
+ unsigned int resIdx = 0;
+ unsigned int validCount = 0;
+ unsigned int i;
+
+ if (count == 0) {
+ return crv;
+ }
+
+ CK_ATTRIBUTE *validTemplate;
+ PRBool invalidExists = PR_FALSE;
+ for (tmplIdx = 0; tmplIdx < count; tmplIdx++) {
+ if (!sdb_attributeExists(sdb, template[tmplIdx].type)) {
+ template[tmplIdx].ulValueLen = -1;
+ crv = CKR_ATTRIBUTE_TYPE_INVALID;
+ invalidExists = PR_TRUE;
+ break;
+ }
+ }
+
+ if (!invalidExists) {
+ validTemplate = template;
+ validCount = count;
+ } else {
+ /* Create a new template containing only the valid subset of
+ * input |template|, and query with that. */
+ validCount = tmplIdx;
+ validTemplate = malloc(sizeof(CK_ATTRIBUTE) * count);
+ if (!validTemplate) {
+ return CKR_HOST_MEMORY;
+ }
+ /* Copy in what we already know is valid. */
+ for (i = 0; i < validCount; i++) {
+ validTemplate[i] = template[i];
+ }
+
+ /* tmplIdx was left at the index of the first invalid
+ * attribute, which has been handled. We only need to
+ * deal with the remainder. */
+ tmplIdx++;
+ for (; tmplIdx < count; tmplIdx++) {
+ if (sdb_attributeExists(sdb, template[tmplIdx].type)) {
+ validTemplate[validCount++] = template[tmplIdx];
+ } else {
+ template[tmplIdx].ulValueLen = -1;
+ }
+ }
+ }
+
+ if (validCount) {
+ LOCK_SQLITE()
+ CK_RV crv2 = sdb_GetValidAttributeValueNoLock(sdb, object_id, validTemplate, validCount);
+ UNLOCK_SQLITE()
+
+ /* If an invalid attribute was removed above, let
+ * the caller know. Any other error from the actual
+ * query should propogate. */
+ crv = (crv2 == CKR_OK) ? crv : crv2;
+ }
+
+ if (invalidExists) {
+ /* Copy out valid lengths. */
+ tmplIdx = 0;
+ for (resIdx = 0; resIdx < validCount; resIdx++) {
+ for (; tmplIdx < count; tmplIdx++) {
+ if (template[tmplIdx].type != validTemplate[resIdx].type) {
+ continue;
+ }
+ template[tmplIdx].ulValueLen = validTemplate[resIdx].ulValueLen;
+ tmplIdx++;
+ break;
+ }
+ }
+ free(validTemplate);
+ }
+
+ return crv;
+}
+
+static const char SET_ATTRIBUTE_CMD[] = "UPDATE %s SET %s WHERE id=$ID;";
+CK_RV
+sdb_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE object_id,
+ const CK_ATTRIBUTE *template, CK_ULONG count)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = NULL;
+ sqlite3_stmt *stmt = NULL;
+ char *setStr = NULL;
+ char *newStr = NULL;
+ int sqlerr = SQLITE_OK;
+ int retry = 0;
+ CK_RV error = CKR_OK;
+ unsigned int i;
+
+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ if (count == 0) {
+ return CKR_OK;
+ }
+
+ LOCK_SQLITE()
+ setStr = sqlite3_mprintf("");
+ for (i = 0; setStr && i < count; i++) {
+ if (i == 0) {
+ sqlite3_free(setStr);
+ setStr = sqlite3_mprintf("a%x=$VALUE%d",
+ template[i].type, i);
+ continue;
+ }
+ newStr = sqlite3_mprintf("%s,a%x=$VALUE%d", setStr,
+ template[i].type, i);
+ sqlite3_free(setStr);
+ setStr = newStr;
+ }
+ newStr = NULL;
+
+ if (setStr == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ newStr = sqlite3_mprintf(SET_ATTRIBUTE_CMD, sdb_p->table, setStr);
+ sqlite3_free(setStr);
+ if (newStr == NULL) {
+ UNLOCK_SQLITE()
+ return CKR_HOST_MEMORY;
+ }
+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ for (i = 0; i < count; i++) {
+ if (template[i].ulValueLen != 0) {
+ sqlerr = sqlite3_bind_blob(stmt, i + 1, template[i].pValue,
+ template[i].ulValueLen, SQLITE_STATIC);
+ } else {
+ sqlerr = sqlite3_bind_blob(stmt, i + 1, SQLITE_EXPLICIT_NULL,
+ SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC);
+ }
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ }
+ sqlerr = sqlite3_bind_int(stmt, i + 1, object_id);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ } while (!sdb_done(sqlerr, &retry));
+
+loser:
+ if (newStr) {
+ sqlite3_free(newStr);
+ }
+ if (error == CKR_OK) {
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+ }
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+ if (sqlDB) {
+ sdb_closeDBLocal(sdb_p, sqlDB);
+ }
+
+ UNLOCK_SQLITE()
+ return error;
+}
+
+/*
+ * check to see if a candidate object handle already exists.
+ */
+static PRBool
+sdb_objectExists(SDB *sdb, CK_OBJECT_HANDLE candidate)
+{
+ CK_RV crv;
+ CK_ATTRIBUTE template = { CKA_LABEL, NULL, 0 };
+
+ crv = sdb_GetValidAttributeValueNoLock(sdb, candidate, &template, 1);
+ if (crv == CKR_OBJECT_HANDLE_INVALID) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+}
+
+/*
+ * if we're here, we are in a transaction, so it's safe
+ * to examine the current state of the database
+ */
+static CK_OBJECT_HANDLE
+sdb_getObjectId(SDB *sdb)
+{
+ CK_OBJECT_HANDLE candidate;
+ static CK_OBJECT_HANDLE next_obj = CK_INVALID_HANDLE;
+ int count;
+ /*
+ * get an initial object handle to use
+ */
+ if (next_obj == CK_INVALID_HANDLE) {
+ PRTime time;
+ time = PR_Now();
+
+ next_obj = (CK_OBJECT_HANDLE)(time & 0x3fffffffL);
+ }
+ candidate = next_obj++;
+ /* detect that we've looped through all the handles... */
+ for (count = 0; count < 0x40000000; count++, candidate = next_obj++) {
+ /* mask off excess bits */
+ candidate &= 0x3fffffff;
+ /* if we hit zero, go to the next entry */
+ if (candidate == CK_INVALID_HANDLE) {
+ continue;
+ }
+ /* make sure we aren't already using */
+ if (!sdb_objectExists(sdb, candidate)) {
+ /* this one is free */
+ return candidate;
+ }
+ }
+
+ /* no handle is free, fail */
+ return CK_INVALID_HANDLE;
+}
+
+CK_RV
+sdb_GetNewObjectID(SDB *sdb, CK_OBJECT_HANDLE *object)
+{
+ CK_OBJECT_HANDLE id;
+
+ id = sdb_getObjectId(sdb);
+ if (id == CK_INVALID_HANDLE) {
+ return CKR_DEVICE_MEMORY; /* basically we ran out of resources */
+ }
+ *object = id;
+ return CKR_OK;
+}
+
+static const char CREATE_CMD[] = "INSERT INTO %s (id%s) VALUES($ID%s);";
+CK_RV
+sdb_CreateObject(SDB *sdb, CK_OBJECT_HANDLE *object_id,
+ const CK_ATTRIBUTE *template, CK_ULONG count)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = NULL;
+ sqlite3_stmt *stmt = NULL;
+ char *columnStr = NULL;
+ char *valueStr = NULL;
+ char *newStr = NULL;
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ CK_OBJECT_HANDLE this_object = CK_INVALID_HANDLE;
+ int retry = 0;
+ unsigned int i;
+
+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ LOCK_SQLITE()
+ if ((*object_id != CK_INVALID_HANDLE) &&
+ !sdb_objectExists(sdb, *object_id)) {
+ this_object = *object_id;
+ } else {
+ this_object = sdb_getObjectId(sdb);
+ }
+ if (this_object == CK_INVALID_HANDLE) {
+ UNLOCK_SQLITE();
+ return CKR_HOST_MEMORY;
+ }
+ columnStr = sqlite3_mprintf("");
+ valueStr = sqlite3_mprintf("");
+ *object_id = this_object;
+ for (i = 0; columnStr && valueStr && i < count; i++) {
+ newStr = sqlite3_mprintf("%s,a%x", columnStr, template[i].type);
+ sqlite3_free(columnStr);
+ columnStr = newStr;
+ newStr = sqlite3_mprintf("%s,$VALUE%d", valueStr, i);
+ sqlite3_free(valueStr);
+ valueStr = newStr;
+ }
+ newStr = NULL;
+ if ((columnStr == NULL) || (valueStr == NULL)) {
+ if (columnStr) {
+ sqlite3_free(columnStr);
+ }
+ if (valueStr) {
+ sqlite3_free(valueStr);
+ }
+ UNLOCK_SQLITE()
+ return CKR_HOST_MEMORY;
+ }
+ newStr = sqlite3_mprintf(CREATE_CMD, sdb_p->table, columnStr, valueStr);
+ sqlite3_free(columnStr);
+ sqlite3_free(valueStr);
+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ sqlerr = sqlite3_bind_int(stmt, 1, *object_id);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ for (i = 0; i < count; i++) {
+ if (template[i].ulValueLen) {
+ sqlerr = sqlite3_bind_blob(stmt, i + 2, template[i].pValue,
+ template[i].ulValueLen, SQLITE_STATIC);
+ } else {
+ sqlerr = sqlite3_bind_blob(stmt, i + 2, SQLITE_EXPLICIT_NULL,
+ SQLITE_EXPLICIT_NULL_LEN, SQLITE_STATIC);
+ }
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ }
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ } while (!sdb_done(sqlerr, &retry));
+
+loser:
+ if (newStr) {
+ sqlite3_free(newStr);
+ }
+ if (error == CKR_OK) {
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+ }
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+ if (sqlDB) {
+ sdb_closeDBLocal(sdb_p, sqlDB);
+ }
+ UNLOCK_SQLITE()
+
+ return error;
+}
+
+/*
+ * Generic destroy that can destroy metadata or objects
+ */
+static const char DESTROY_CMD[] = "DELETE FROM %s WHERE (id=$ID);";
+CK_RV
+sdb_destroyAnyObject(SDB *sdb, const char *table,
+ CK_OBJECT_HANDLE object_id, const char *string_id)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = NULL;
+ sqlite3_stmt *stmt = NULL;
+ char *newStr = NULL;
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ int retry = 0;
+
+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ LOCK_SQLITE()
+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+ newStr = sqlite3_mprintf(DESTROY_CMD, table);
+ if (newStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sqlerr = sqlite3_prepare_v2(sqlDB, newStr, -1, &stmt, NULL);
+ sqlite3_free(newStr);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ if (string_id == NULL) {
+ sqlerr = sqlite3_bind_int(stmt, 1, object_id);
+ } else {
+ sqlerr = sqlite3_bind_text(stmt, 1, string_id,
+ PORT_Strlen(string_id), SQLITE_STATIC);
+ }
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ } while (!sdb_done(sqlerr, &retry));
+
+loser:
+ if (error == CKR_OK) {
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+ }
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+ if (sqlDB) {
+ sdb_closeDBLocal(sdb_p, sqlDB);
+ }
+
+ UNLOCK_SQLITE()
+ return error;
+}
+
+CK_RV
+sdb_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ return sdb_destroyAnyObject(sdb, sdb_p->table, object_id, NULL);
+}
+
+CK_RV
+sdb_DestroyMetaData(SDB *sdb, const char *id)
+{
+ return sdb_destroyAnyObject(sdb, "metaData", 0, id);
+}
+
+static const char BEGIN_CMD[] = "BEGIN IMMEDIATE TRANSACTION;";
+
+/*
+ * start a transaction.
+ *
+ * We need to open a new database, then store that new database into
+ * the private data structure. We open the database first, then use locks
+ * to protect storing the data to prevent deadlocks.
+ */
+CK_RV
+sdb_Begin(SDB *sdb)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = NULL;
+ sqlite3_stmt *stmt = NULL;
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ int retry = 0;
+
+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ LOCK_SQLITE()
+
+ /* get a new version that we will use for the entire transaction */
+ sqlerr = sdb_openDB(sdb_p->sqlDBName, &sqlDB, SDB_RDWR);
+ if (sqlerr != SQLITE_OK) {
+ goto loser;
+ }
+
+ sqlerr = sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL);
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ /* don't retry BEGIN transaction*/
+ retry = 0;
+ } while (!sdb_done(sqlerr, &retry));
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+loser:
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+
+ /* we are starting a new transaction,
+ * and if we succeeded, then save this database for the rest of
+ * our transaction */
+ if (error == CKR_OK) {
+ /* we hold a 'BEGIN TRANSACTION' and a sdb_p->lock. At this point
+ * sdb_p->sqlXactDB MUST be null */
+ PR_EnterMonitor(sdb_p->dbMon);
+ PORT_Assert(sdb_p->sqlXactDB == NULL);
+ sdb_p->sqlXactDB = sqlDB;
+ sdb_p->sqlXactThread = PR_GetCurrentThread();
+ PR_ExitMonitor(sdb_p->dbMon);
+ } else {
+ /* we failed to start our transaction,
+ * free any databases we opened. */
+ if (sqlDB) {
+ sqlite3_close(sqlDB);
+ }
+ }
+
+ UNLOCK_SQLITE()
+ return error;
+}
+
+/*
+ * Complete a transaction. Basically undo everything we did in begin.
+ * There are 2 flavors Abort and Commit. Basically the only differerence between
+ * these 2 are what the database will show. (no change in to former, change in
+ * the latter).
+ */
+static CK_RV
+sdb_complete(SDB *sdb, const char *cmd)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = NULL;
+ sqlite3_stmt *stmt = NULL;
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ int retry = 0;
+
+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ /* We must have a transation database, or we shouldn't have arrived here */
+ PR_EnterMonitor(sdb_p->dbMon);
+ PORT_Assert(sdb_p->sqlXactDB);
+ if (sdb_p->sqlXactDB == NULL) {
+ PR_ExitMonitor(sdb_p->dbMon);
+ return CKR_GENERAL_ERROR; /* shouldn't happen */
+ }
+ PORT_Assert(sdb_p->sqlXactThread == PR_GetCurrentThread());
+ if (sdb_p->sqlXactThread != PR_GetCurrentThread()) {
+ PR_ExitMonitor(sdb_p->dbMon);
+ return CKR_GENERAL_ERROR; /* shouldn't happen */
+ }
+ sqlDB = sdb_p->sqlXactDB;
+ sdb_p->sqlXactDB = NULL; /* no one else can get to this DB,
+ * safe to unlock */
+ sdb_p->sqlXactThread = NULL;
+ PR_ExitMonitor(sdb_p->dbMon);
+
+ sqlerr = sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL);
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ } while (!sdb_done(sqlerr, &retry));
+
+ /* Pending BEGIN TRANSACTIONS Can move forward at this point. */
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+ /* we we have a cached DB image, update it as well */
+ if (sdb_p->cacheTable) {
+ PR_EnterMonitor(sdb_p->dbMon);
+ sdb_updateCache(sdb_p);
+ PR_ExitMonitor(sdb_p->dbMon);
+ }
+
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+
+ /* We just finished a transaction.
+ * Free the database, and remove it from the list */
+ sqlite3_close(sqlDB);
+
+ return error;
+}
+
+static const char COMMIT_CMD[] = "COMMIT TRANSACTION;";
+CK_RV
+sdb_Commit(SDB *sdb)
+{
+ CK_RV crv;
+ LOCK_SQLITE()
+ crv = sdb_complete(sdb, COMMIT_CMD);
+ UNLOCK_SQLITE()
+ return crv;
+}
+
+static const char ROLLBACK_CMD[] = "ROLLBACK TRANSACTION;";
+CK_RV
+sdb_Abort(SDB *sdb)
+{
+ CK_RV crv;
+ LOCK_SQLITE()
+ crv = sdb_complete(sdb, ROLLBACK_CMD);
+ UNLOCK_SQLITE()
+ return crv;
+}
+
+static int tableExists(sqlite3 *sqlDB, const char *tableName);
+
+static const char GET_PW_CMD[] = "SELECT ALL * FROM metaData WHERE id=$ID;";
+CK_RV
+sdb_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = sdb_p->sqlXactDB;
+ sqlite3_stmt *stmt = NULL;
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ int found = 0;
+ int retry = 0;
+
+ LOCK_SQLITE()
+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+
+ /* handle 'test' versions of the sqlite db */
+ sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL);
+ /* Sigh, if we created a new table since we opened the database,
+ * the database handle will not see the new table, we need to close this
+ * database and reopen it. This is safe because we are holding the lock
+ * still. */
+ if (sqlerr == SQLITE_SCHEMA) {
+ sqlerr = sdb_reopenDBLocal(sdb_p, &sqlDB);
+ if (sqlerr != SQLITE_OK) {
+ goto loser;
+ }
+ sqlerr = sqlite3_prepare_v2(sqlDB, GET_PW_CMD, -1, &stmt, NULL);
+ }
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC);
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ if (sqlerr == SQLITE_ROW) {
+ const char *blobData;
+ unsigned int len = item1->len;
+ item1->len = sqlite3_column_bytes(stmt, 1);
+ if (item1->len > len) {
+ error = CKR_BUFFER_TOO_SMALL;
+ continue;
+ }
+ blobData = sqlite3_column_blob(stmt, 1);
+ PORT_Memcpy(item1->data, blobData, item1->len);
+ if (item2) {
+ len = item2->len;
+ item2->len = sqlite3_column_bytes(stmt, 2);
+ if (item2->len > len) {
+ error = CKR_BUFFER_TOO_SMALL;
+ continue;
+ }
+ blobData = sqlite3_column_blob(stmt, 2);
+ PORT_Memcpy(item2->data, blobData, item2->len);
+ }
+ found = 1;
+ }
+ } while (!sdb_done(sqlerr, &retry));
+
+loser:
+ /* fix up the error if necessary */
+ if (error == CKR_OK) {
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+ if (!found && error == CKR_OK) {
+ error = CKR_OBJECT_HANDLE_INVALID;
+ }
+ }
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+ if (sqlDB) {
+ sdb_closeDBLocal(sdb_p, sqlDB);
+ }
+ UNLOCK_SQLITE()
+
+ return error;
+}
+
+static const char PW_CREATE_TABLE_CMD[] =
+ "CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);";
+static const char PW_CREATE_CMD[] =
+ "INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);";
+static const char MD_CREATE_CMD[] =
+ "INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);";
+
+CK_RV
+sdb_PutMetaData(SDB *sdb, const char *id, const SECItem *item1,
+ const SECItem *item2)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = sdb_p->sqlXactDB;
+ sqlite3_stmt *stmt = NULL;
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ int retry = 0;
+ const char *cmd = PW_CREATE_CMD;
+
+ if ((sdb->sdb_flags & SDB_RDONLY) != 0) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ LOCK_SQLITE()
+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+
+ if (!tableExists(sqlDB, "metaData")) {
+ sqlerr = sqlite3_exec(sqlDB, PW_CREATE_TABLE_CMD, NULL, 0, NULL);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ }
+ if (item2 == NULL) {
+ cmd = MD_CREATE_CMD;
+ }
+ sqlerr = sqlite3_prepare_v2(sqlDB, cmd, -1, &stmt, NULL);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ sqlerr = sqlite3_bind_text(stmt, 1, id, PORT_Strlen(id), SQLITE_STATIC);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ sqlerr = sqlite3_bind_blob(stmt, 2, item1->data, item1->len, SQLITE_STATIC);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ if (item2) {
+ sqlerr = sqlite3_bind_blob(stmt, 3, item2->data,
+ item2->len, SQLITE_STATIC);
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ }
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ } while (!sdb_done(sqlerr, &retry));
+
+loser:
+ /* fix up the error if necessary */
+ if (error == CKR_OK) {
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+ }
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+ if (sqlDB) {
+ sdb_closeDBLocal(sdb_p, sqlDB);
+ }
+ UNLOCK_SQLITE()
+
+ return error;
+}
+
+static const char RESET_CMD[] = "DELETE FROM %s;";
+CK_RV
+sdb_Reset(SDB *sdb)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ sqlite3 *sqlDB = NULL;
+ char *newStr;
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+
+ /* only Key databases can be reset */
+ if (sdb_p->type != SDB_KEY) {
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ LOCK_SQLITE()
+ error = sdb_openDBLocal(sdb_p, &sqlDB, NULL);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+
+ if (tableExists(sqlDB, sdb_p->table)) {
+ /* delete the contents of the key table */
+ newStr = sqlite3_mprintf(RESET_CMD, sdb_p->table);
+ if (newStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+
+ if (sqlerr != SQLITE_OK)
+ goto loser;
+ }
+
+ /* delete the password entry table */
+ sqlerr = sqlite3_exec(sqlDB, "DROP TABLE IF EXISTS metaData;",
+ NULL, 0, NULL);
+
+loser:
+ /* fix up the error if necessary */
+ if (error == CKR_OK) {
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+ }
+
+ if (sqlDB) {
+ sdb_closeDBLocal(sdb_p, sqlDB);
+ }
+
+ UNLOCK_SQLITE()
+ return error;
+}
+
+CK_RV
+sdb_Close(SDB *sdb)
+{
+ SDBPrivate *sdb_p = sdb->private;
+ int sqlerr = SQLITE_OK;
+ sdbDataType type = sdb_p->type;
+
+ sqlerr = sqlite3_close(sdb_p->sqlReadDB);
+ PORT_Free(sdb_p->sqlDBName);
+ if (sdb_p->cacheTable) {
+ sqlite3_free(sdb_p->cacheTable);
+ }
+ if (sdb_p->dbMon) {
+ PR_DestroyMonitor(sdb_p->dbMon);
+ }
+ free(sdb_p->schemaAttrs);
+ free(sdb_p);
+ free(sdb);
+ return sdb_mapSQLError(type, sqlerr);
+}
+
+/*
+ * functions to support open
+ */
+
+static const char CHECK_TABLE_CMD[] = "SELECT ALL * FROM %s LIMIT 0;";
+
+/* return 1 if sqlDB contains table 'tableName */
+static int
+tableExists(sqlite3 *sqlDB, const char *tableName)
+{
+ char *cmd = sqlite3_mprintf(CHECK_TABLE_CMD, tableName);
+ int sqlerr = SQLITE_OK;
+
+ if (cmd == NULL) {
+ return 0;
+ }
+
+ sqlerr = sqlite3_exec(sqlDB, cmd, NULL, 0, 0);
+ sqlite3_free(cmd);
+
+ return (sqlerr == SQLITE_OK) ? 1 : 0;
+}
+
+void
+sdb_SetForkState(PRBool forked)
+{
+ /* XXXright now this is a no-op. The global fork state in the softokn3
+ * shared library is already taken care of at the PKCS#11 level.
+ * If and when we add fork state to the sqlite shared library and extern
+ * interface, we will need to set it and reset it from here */
+}
+
+static int
+sdb_attributeComparator(const void *a, const void *b)
+{
+ if (*(CK_ATTRIBUTE_TYPE *)a < *(CK_ATTRIBUTE_TYPE *)b) {
+ return -1;
+ }
+ if (*(CK_ATTRIBUTE_TYPE *)a > *(CK_ATTRIBUTE_TYPE *)b) {
+ return 1;
+ }
+ return 0;
+}
+
+/*
+ * initialize a single database
+ */
+static const char INIT_CMD[] =
+ "CREATE TABLE %s (id PRIMARY KEY UNIQUE ON CONFLICT ABORT%s)";
+
+CK_RV
+sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate,
+ int *newInit, int inFlags, PRUint32 accessOps, SDB **pSdb)
+{
+ int i;
+ char *initStr = NULL;
+ char *newStr;
+ char *queryStr = NULL;
+ int inTransaction = 0;
+ SDB *sdb = NULL;
+ SDBPrivate *sdb_p = NULL;
+ sqlite3 *sqlDB = NULL;
+ int sqlerr = SQLITE_OK;
+ CK_RV error = CKR_OK;
+ char *cacheTable = NULL;
+ PRIntervalTime now = 0;
+ char *env;
+ PRBool enableCache = PR_FALSE;
+ PRBool checkFSType = PR_FALSE;
+ PRBool measureSpeed = PR_FALSE;
+ PRBool create;
+ int flags = inFlags & 0x7;
+
+ *pSdb = NULL;
+ *inUpdate = 0;
+
+ /* sqlite3 doesn't have a flag to specify that we want to
+ * open the database read only. If the db doesn't exist,
+ * sqlite3 will always create it.
+ */
+ LOCK_SQLITE();
+ create = (_NSSUTIL_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS);
+ if ((flags == SDB_RDONLY) && create) {
+ error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
+ goto loser;
+ }
+ sqlerr = sdb_openDB(dbname, &sqlDB, flags);
+ if (sqlerr != SQLITE_OK) {
+ error = sdb_mapSQLError(type, sqlerr);
+ goto loser;
+ }
+
+ /*
+ * SQL created the file, but it doesn't set appropriate modes for
+ * a database.
+ *
+ * NO NSPR call for chmod? :(
+ */
+ if (create && sdb_chmod(dbname, 0600) != 0) {
+ error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
+ goto loser;
+ }
+
+ if (flags != SDB_RDONLY) {
+ sqlerr = sqlite3_exec(sqlDB, BEGIN_CMD, NULL, 0, NULL);
+ if (sqlerr != SQLITE_OK) {
+ error = sdb_mapSQLError(type, sqlerr);
+ goto loser;
+ }
+ inTransaction = 1;
+ }
+ if (!tableExists(sqlDB, table)) {
+ *newInit = 1;
+ if (flags != SDB_CREATE) {
+ error = sdb_mapSQLError(type, SQLITE_CANTOPEN);
+ goto loser;
+ }
+ initStr = sqlite3_mprintf("");
+ for (i = 0; initStr && i < known_attributes_size; i++) {
+ newStr = sqlite3_mprintf("%s, a%x", initStr, known_attributes[i]);
+ sqlite3_free(initStr);
+ initStr = newStr;
+ }
+ if (initStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ newStr = sqlite3_mprintf(INIT_CMD, table, initStr);
+ sqlite3_free(initStr);
+ if (newStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ if (sqlerr != SQLITE_OK) {
+ error = sdb_mapSQLError(type, sqlerr);
+ goto loser;
+ }
+
+ newStr = sqlite3_mprintf(CREATE_ISSUER_INDEX_CMD, table);
+ if (newStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ if (sqlerr != SQLITE_OK) {
+ error = sdb_mapSQLError(type, sqlerr);
+ goto loser;
+ }
+
+ newStr = sqlite3_mprintf(CREATE_SUBJECT_INDEX_CMD, table);
+ if (newStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ if (sqlerr != SQLITE_OK) {
+ error = sdb_mapSQLError(type, sqlerr);
+ goto loser;
+ }
+
+ newStr = sqlite3_mprintf(CREATE_LABEL_INDEX_CMD, table);
+ if (newStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ if (sqlerr != SQLITE_OK) {
+ error = sdb_mapSQLError(type, sqlerr);
+ goto loser;
+ }
+
+ newStr = sqlite3_mprintf(CREATE_ID_INDEX_CMD, table);
+ if (newStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sqlerr = sqlite3_exec(sqlDB, newStr, NULL, 0, NULL);
+ sqlite3_free(newStr);
+ if (sqlerr != SQLITE_OK) {
+ error = sdb_mapSQLError(type, sqlerr);
+ goto loser;
+ }
+ }
+ /*
+ * detect the case where we have created the database, but have
+ * not yet updated it.
+ *
+ * We only check the Key database because only the key database has
+ * a metaData table. The metaData table is created when a password
+ * is set, or in the case of update, when a password is supplied.
+ * If no key database exists, then the update would have happened immediately
+ * on noticing that the cert database didn't exist (see newInit set above).
+ */
+ if (type == SDB_KEY && !tableExists(sqlDB, "metaData")) {
+ *newInit = 1;
+ }
+
+ /* access to network filesystems are significantly slower than local ones
+ * for database operations. In those cases we need to create a cached copy
+ * of the database in a temporary location on the local disk. SQLITE
+ * already provides a way to create a temporary table and initialize it,
+ * so we use it for the cache (see sdb_buildCache for how it's done).*/
+
+ /*
+ * we decide whether or not to use the cache based on the following input.
+ *
+ * NSS_SDB_USE_CACHE environment variable is set to anything other than
+ * "yes" or "no" (for instance, "auto"): NSS will measure the performance
+ * of access to the temp database versus the access to the user's
+ * passed-in database location. If the temp database location is
+ * "significantly" faster we will use the cache.
+ *
+ * NSS_SDB_USE_CACHE environment variable is nonexistent or set to "no":
+ * cache will not be used.
+ *
+ * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
+ * always be used.
+ *
+ * It is expected that most applications will not need this feature, and
+ * thus it is disabled by default.
+ */
+
+ env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
+
+ /* Variables enableCache, checkFSType, measureSpeed are PR_FALSE by default,
+ * which is the expected behavior for NSS_SDB_USE_CACHE="no".
+ * We don't need to check for "no" here. */
+ if (!env) {
+ /* By default, with no variable set, we avoid expensive measuring for
+ * most FS types. We start with inexpensive FS type checking, and
+ * might perform measuring for some types. */
+ checkFSType = PR_TRUE;
+ } else if (PORT_Strcasecmp(env, "yes") == 0) {
+ enableCache = PR_TRUE;
+ } else if (PORT_Strcasecmp(env, "no") != 0) { /* not "no" => "auto" */
+ measureSpeed = PR_TRUE;
+ }
+
+ if (checkFSType) {
+#if defined(LINUX) && !defined(ANDROID)
+ struct statfs statfs_s;
+ if (statfs(dbname, &statfs_s) == 0) {
+ switch (statfs_s.f_type) {
+ case SMB_SUPER_MAGIC:
+ case 0xff534d42: /* CIFS_MAGIC_NUMBER */
+ case NFS_SUPER_MAGIC:
+ /* We assume these are slow. */
+ enableCache = PR_TRUE;
+ break;
+ case CODA_SUPER_MAGIC:
+ case 0x65735546: /* FUSE_SUPER_MAGIC */
+ case NCP_SUPER_MAGIC:
+ /* It's uncertain if this FS is fast or slow.
+ * It seems reasonable to perform slow measuring for users
+ * with questionable FS speed. */
+ measureSpeed = PR_TRUE;
+ break;
+ case AFS_SUPER_MAGIC: /* Already implements caching. */
+ default:
+ break;
+ }
+ }
+#endif
+ }
+
+ if (measureSpeed) {
+ char *tempDir = NULL;
+ PRUint32 tempOps = 0;
+ /*
+ * Use PR_Access to determine how expensive it
+ * is to check for the existance of a local file compared to the same
+ * check in the temp directory. If the temp directory is faster, cache
+ * the database there. */
+ tempDir = sdb_getTempDir(sqlDB);
+ if (tempDir) {
+ tempOps = sdb_measureAccess(tempDir);
+ PORT_Free(tempDir);
+
+ /* There is a cost to continually copying the database.
+ * Account for that cost with the arbitrary factor of 10 */
+ enableCache = (PRBool)(tempOps > accessOps * 10);
+ }
+ }
+
+ if (enableCache) {
+ /* try to set the temp store to memory.*/
+ sqlite3_exec(sqlDB, "PRAGMA temp_store=MEMORY", NULL, 0, NULL);
+ /* Failure to set the temp store to memory is not fatal,
+ * ignore the error */
+
+ cacheTable = sqlite3_mprintf("%sCache", table);
+ if (cacheTable == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ /* build the cache table */
+ error = sdb_buildCache(sqlDB, type, cacheTable, table);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+ /* initialize the last cache build time */
+ now = PR_IntervalNow();
+ }
+
+ sdb = (SDB *)malloc(sizeof(SDB));
+ if (!sdb) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sdb_p = (SDBPrivate *)malloc(sizeof(SDBPrivate));
+ if (!sdb_p) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ /* Cache the attributes that are held in the table, so we can later check
+ * that queried attributes actually exist. We don't assume the schema
+ * to be exactly |known_attributes|, as it may change over time. */
+ sdb_p->schemaAttrs = NULL;
+ if (!PORT_Strcmp("nssPublic", table) ||
+ !PORT_Strcmp("nssPrivate", table)) {
+ sqlite3_stmt *stmt = NULL;
+ int retry = 0;
+ unsigned int backedAttrs = 0;
+
+ /* Can't bind parameters to a PRAGMA. */
+ queryStr = sqlite3_mprintf("PRAGMA table_info(%s);", table);
+ if (queryStr == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ sqlerr = sqlite3_prepare_v2(sqlDB, queryStr, -1, &stmt, NULL);
+ sqlite3_free(queryStr);
+ queryStr = NULL;
+ if (sqlerr != SQLITE_OK) {
+ goto loser;
+ }
+ unsigned int schemaAttrsCapacity = known_attributes_size;
+ sdb_p->schemaAttrs = malloc(schemaAttrsCapacity * sizeof(CK_ATTRIBUTE_TYPE));
+ if (!sdb_p->schemaAttrs) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
+ if (sqlerr == SQLITE_ROW) {
+ if (backedAttrs == schemaAttrsCapacity) {
+ schemaAttrsCapacity += known_attributes_size;
+ sdb_p->schemaAttrs = realloc(sdb_p->schemaAttrs,
+ schemaAttrsCapacity * sizeof(CK_ATTRIBUTE_TYPE));
+ if (!sdb_p->schemaAttrs) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ }
+ /* Record the ULONG attribute value. */
+ char *val = (char *)sqlite3_column_text(stmt, 1);
+ if (val && val[0] == 'a') {
+ CK_ATTRIBUTE_TYPE attr = strtoul(&val[1], NULL, 16);
+ sdb_p->schemaAttrs[backedAttrs++] = attr;
+ }
+ }
+ } while (!sdb_done(sqlerr, &retry));
+
+ if (sqlerr != SQLITE_DONE) {
+ goto loser;
+ }
+ sqlerr = sqlite3_reset(stmt);
+ if (sqlerr != SQLITE_OK) {
+ goto loser;
+ }
+ sqlerr = sqlite3_finalize(stmt);
+ if (sqlerr != SQLITE_OK) {
+ goto loser;
+ }
+
+ sdb_p->numSchemaAttrs = backedAttrs;
+
+ /* Sort these once so we can shortcut invalid attribute searches. */
+ qsort(sdb_p->schemaAttrs, sdb_p->numSchemaAttrs,
+ sizeof(CK_ATTRIBUTE_TYPE), sdb_attributeComparator);
+ }
+
+ /* invariant fields */
+ sdb_p->sqlDBName = PORT_Strdup(dbname);
+ sdb_p->type = type;
+ sdb_p->table = table;
+ sdb_p->cacheTable = cacheTable;
+ sdb_p->lastUpdateTime = now;
+ /* set the cache delay time. This is how long we will wait before we
+ * decide the existing cache is stale. Currently set to 10 sec */
+ sdb_p->updateInterval = PR_SecondsToInterval(10);
+ sdb_p->dbMon = PR_NewMonitor();
+ /* these fields are protected by the lock */
+ sdb_p->sqlXactDB = NULL;
+ sdb_p->sqlXactThread = NULL;
+ sdb->private = sdb_p;
+ sdb->version = 1;
+ sdb->sdb_flags = inFlags | SDB_HAS_META;
+ sdb->app_private = NULL;
+ sdb->sdb_FindObjectsInit = sdb_FindObjectsInit;
+ sdb->sdb_FindObjects = sdb_FindObjects;
+ sdb->sdb_FindObjectsFinal = sdb_FindObjectsFinal;
+ sdb->sdb_GetAttributeValue = sdb_GetAttributeValue;
+ sdb->sdb_SetAttributeValue = sdb_SetAttributeValue;
+ sdb->sdb_CreateObject = sdb_CreateObject;
+ sdb->sdb_DestroyObject = sdb_DestroyObject;
+ sdb->sdb_GetMetaData = sdb_GetMetaData;
+ sdb->sdb_PutMetaData = sdb_PutMetaData;
+ sdb->sdb_DestroyMetaData = sdb_DestroyMetaData;
+ sdb->sdb_Begin = sdb_Begin;
+ sdb->sdb_Commit = sdb_Commit;
+ sdb->sdb_Abort = sdb_Abort;
+ sdb->sdb_Reset = sdb_Reset;
+ sdb->sdb_Close = sdb_Close;
+ sdb->sdb_SetForkState = sdb_SetForkState;
+ sdb->sdb_GetNewObjectID = sdb_GetNewObjectID;
+
+ if (inTransaction) {
+ sqlerr = sqlite3_exec(sqlDB, COMMIT_CMD, NULL, 0, NULL);
+ if (sqlerr != SQLITE_OK) {
+ error = sdb_mapSQLError(sdb_p->type, sqlerr);
+ goto loser;
+ }
+ inTransaction = 0;
+ }
+
+ sdb_p->sqlReadDB = sqlDB;
+
+ *pSdb = sdb;
+ UNLOCK_SQLITE();
+ return CKR_OK;
+
+loser:
+ /* lots of stuff to do */
+ if (inTransaction) {
+ sqlite3_exec(sqlDB, ROLLBACK_CMD, NULL, 0, NULL);
+ }
+ if (sdb) {
+ free(sdb);
+ }
+ if (sdb_p) {
+ if (sdb_p->schemaAttrs) {
+ free(sdb_p->schemaAttrs);
+ }
+ free(sdb_p);
+ }
+ if (sqlDB) {
+ sqlite3_close(sqlDB);
+ }
+ UNLOCK_SQLITE();
+ return error;
+}
+
+/* sdbopen */
+CK_RV
+s_open(const char *directory, const char *certPrefix, const char *keyPrefix,
+ int cert_version, int key_version, int flags,
+ SDB **certdb, SDB **keydb, int *newInit)
+{
+ char *cert = sdb_BuildFileName(directory, certPrefix,
+ "cert", cert_version);
+ char *key = sdb_BuildFileName(directory, keyPrefix,
+ "key", key_version);
+ CK_RV error = CKR_OK;
+ int inUpdate;
+ PRUint32 accessOps;
+
+ if (certdb)
+ *certdb = NULL;
+ if (keydb)
+ *keydb = NULL;
+ *newInit = 0;
+
+#ifdef SQLITE_UNSAFE_THREADS
+ if (sqlite_lock == NULL) {
+ sqlite_lock = PR_NewLock();
+ if (sqlite_lock == NULL) {
+ error = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ }
+#endif
+
+ /* how long does it take to test for a non-existant file in our working
+ * directory? Allows us to test if we may be on a network file system */
+ accessOps = 1;
+ {
+ char *env;
+ env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
+ /* If the environment variable is undefined or set to yes or no,
+ * sdb_init() will ignore the value of accessOps, and we can skip the
+ * measuring.*/
+ if (env && PORT_Strcasecmp(env, "no") != 0 &&
+ PORT_Strcasecmp(env, "yes") != 0) {
+ accessOps = sdb_measureAccess(directory);
+ }
+ }
+
+ /*
+ * open the cert data base
+ */
+ if (certdb) {
+ /* initialize Certificate database */
+ error = sdb_init(cert, "nssPublic", SDB_CERT, &inUpdate,
+ newInit, flags, accessOps, certdb);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+ }
+
+ /*
+ * open the key data base:
+ * NOTE:if we want to implement a single database, we open
+ * the same database file as the certificate here.
+ *
+ * cert an key db's have different tables, so they will not
+ * conflict.
+ */
+ if (keydb) {
+ /* initialize the Key database */
+ error = sdb_init(key, "nssPrivate", SDB_KEY, &inUpdate,
+ newInit, flags, accessOps, keydb);
+ if (error != CKR_OK) {
+ goto loser;
+ }
+ }
+
+loser:
+ if (cert) {
+ sqlite3_free(cert);
+ }
+ if (key) {
+ sqlite3_free(key);
+ }
+
+ if (error != CKR_OK) {
+ /* currently redundant, but could be necessary if more code is added
+ * just before loser */
+ if (keydb && *keydb) {
+ sdb_Close(*keydb);
+ }
+ if (certdb && *certdb) {
+ sdb_Close(*certdb);
+ }
+ }
+
+ return error;
+}
+
+CK_RV
+s_shutdown()
+{
+#ifdef SQLITE_UNSAFE_THREADS
+ if (sqlite_lock) {
+ PR_DestroyLock(sqlite_lock);
+ sqlite_lock = NULL;
+ }
+#endif
+ return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/sdb.h b/security/nss/lib/softoken/sdb.h
new file mode 100644
index 0000000000..931be826ce
--- /dev/null
+++ b/security/nss/lib/softoken/sdb.h
@@ -0,0 +1,101 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+
+/*
+ * the following data structures should be moved to a 'rdb.h'.
+ */
+
+#ifndef _SDB_H
+#define _SDB_H 1
+#include "pkcs11t.h"
+#include "secitem.h"
+#include "sftkdbt.h"
+
+#define STATIC_CMD_SIZE 2048
+
+typedef struct SDBFindStr SDBFind;
+typedef struct SDBStr SDB;
+
+struct SDBStr {
+ void *private;
+ int version;
+ int reserved;
+ int sdb_flags;
+ void *app_private;
+ CK_RV(*sdb_FindObjectsInit)
+ (SDB *sdb, const CK_ATTRIBUTE *template,
+ CK_ULONG count, SDBFind **find);
+ CK_RV(*sdb_FindObjects)
+ (SDB *sdb, SDBFind *find, CK_OBJECT_HANDLE *ids,
+ CK_ULONG arraySize, CK_ULONG *count);
+ CK_RV(*sdb_FindObjectsFinal)
+ (SDB *sdb, SDBFind *find);
+ CK_RV(*sdb_GetAttributeValue)
+ (SDB *sdb, CK_OBJECT_HANDLE object,
+ CK_ATTRIBUTE *template, CK_ULONG count);
+ CK_RV(*sdb_SetAttributeValue)
+ (SDB *sdb, CK_OBJECT_HANDLE object,
+ const CK_ATTRIBUTE *template, CK_ULONG count);
+ CK_RV(*sdb_CreateObject)
+ (SDB *sdb, CK_OBJECT_HANDLE *object,
+ const CK_ATTRIBUTE *template, CK_ULONG count);
+ CK_RV(*sdb_DestroyObject)
+ (SDB *sdb, CK_OBJECT_HANDLE object);
+ CK_RV(*sdb_GetMetaData)
+ (SDB *sdb, const char *id,
+ SECItem *item1, SECItem *item2);
+ CK_RV(*sdb_PutMetaData)
+ (SDB *sdb, const char *id,
+ const SECItem *item1, const SECItem *item2);
+ CK_RV(*sdb_Begin)
+ (SDB *sdb);
+ CK_RV(*sdb_Commit)
+ (SDB *sdb);
+ CK_RV(*sdb_Abort)
+ (SDB *sdb);
+ CK_RV(*sdb_Reset)
+ (SDB *sdb);
+ CK_RV(*sdb_Close)
+ (SDB *sdb);
+ void (*sdb_SetForkState)(PRBool forked);
+ CK_RV(*sdb_GetNewObjectID)
+ (SDB *db, CK_OBJECT_HANDLE *object);
+ CK_RV(*sdb_DestroyMetaData)
+ (SDB *db, const char *id);
+};
+
+CK_RV s_open(const char *directory, const char *certPrefix,
+ const char *keyPrefix,
+ int cert_version, int key_version,
+ int flags, SDB **certdb, SDB **keydb, int *newInit);
+CK_RV s_shutdown();
+
+#if defined(_WIN32)
+wchar_t *sdb_UTF8ToWide(const char *buf);
+#endif
+
+/* flags */
+#define SDB_RDONLY 1
+#define SDB_RDWR 2
+#define SDB_CREATE 4
+#define SDB_HAS_META 8
+#define SDB_FIPS 0x10
+
+#endif
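Review bot: `CK_RV s_shutdown();` near the end of this header is not a prototype in C11 — the empty parameter list leaves the arguments unchecked at call sites — and the definition in sdb.c is written the same way; both should read `CK_RV s_shutdown(void);`. The file-header comment above `#ifndef _SDB_H` describes a two-slot PKCS #11 token (login requirements, session-object visibility) rather than what this header actually declares, namely the `SDB` low-level database vtable, `s_open`/`s_shutdown` and the `SDB_*` flag bits, so it reads as copied from another file; I would replace it with a short paragraph stating that `SDB` is the per-database handle whose function pointers the softoken calls for object and metadata access, that `s_open` builds the cert/key database pair and `s_shutdown` tears down the module-level sqlite lock when `SQLITE_UNSAFE_THREADS` is defined. The flag constants at the bottom also deserve a one-line comment each, in particular `/* SDB_HAS_META: backend supports the metaData table used for attribute HMACs and encrypted values */`, because the code in sftkdb.c tests `sdb_flags & SDB_HAS_META` to decide whether attribute signatures must be written or checked at all, which makes that bit security-relevant rather than cosmetic. The `private` member name is legal C but will not compile if this header is ever included from C++; worth a note if that is not intended.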
diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c
new file mode 100644
index 0000000000..8827902ca3
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdb.c
@@ -0,0 +1,3047 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * The following code handles the storage of PKCS 11 modules used by the
+ * NSS. For the rest of NSS, only one kind of database handle exists:
+ *
+ * SFTKDBHandle
+ *
+ * There is one SFTKDBHandle for the each key database and one for each cert
+ * database. These databases are opened as associated pairs, one pair per
+ * slot. SFTKDBHandles are reference counted objects.
+ *
+ * Each SFTKDBHandle points to a low level database handle (SDB). This handle
+ * represents the underlying physical database. These objects are not
+ * reference counted, an are 'owned' by their respective SFTKDBHandles.
+ *
+ *
+ */
+#include "sftkdb.h"
+#include "sftkdbti.h"
+#include "pkcs11t.h"
+#include "pkcs11i.h"
+#include "sdb.h"
+#include "prprf.h"
+#include "pratom.h"
+#include "lgglue.h"
+#include "utilpars.h"
+#include "secerr.h"
+#include "softoken.h"
+#if defined(_WIN32)
+#include <windows.h>
+#endif
+
+/*
+ * We want all databases to have the same binary representation independent of
+ * endianness or length of the host architecture. In general PKCS #11 attributes
+ * are endian/length independent except those attributes that pass CK_ULONG.
+ *
+ * The following functions fixes up the CK_ULONG type attributes so that the data
+ * base sees a machine independent view. CK_ULONGs are stored as 4 byte network
+ * byte order values (big endian).
+ */
+#define BBP 8
+
+PRBool
+sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type)
+{
+ switch (type) {
+ case CKA_CERTIFICATE_CATEGORY:
+ case CKA_CERTIFICATE_TYPE:
+ case CKA_CLASS:
+ case CKA_JAVA_MIDP_SECURITY_DOMAIN:
+ case CKA_KEY_GEN_MECHANISM:
+ case CKA_KEY_TYPE:
+ case CKA_MECHANISM_TYPE:
+ case CKA_MODULUS_BITS:
+ case CKA_PRIME_BITS:
+ case CKA_SUBPRIME_BITS:
+ case CKA_VALUE_BITS:
+ case CKA_VALUE_LEN:
+
+ case CKA_TRUST_DIGITAL_SIGNATURE:
+ case CKA_TRUST_NON_REPUDIATION:
+ case CKA_TRUST_KEY_ENCIPHERMENT:
+ case CKA_TRUST_DATA_ENCIPHERMENT:
+ case CKA_TRUST_KEY_AGREEMENT:
+ case CKA_TRUST_KEY_CERT_SIGN:
+ case CKA_TRUST_CRL_SIGN:
+
+ case CKA_TRUST_SERVER_AUTH:
+ case CKA_TRUST_CLIENT_AUTH:
+ case CKA_TRUST_CODE_SIGNING:
+ case CKA_TRUST_EMAIL_PROTECTION:
+ case CKA_TRUST_IPSEC_END_SYSTEM:
+ case CKA_TRUST_IPSEC_TUNNEL:
+ case CKA_TRUST_IPSEC_USER:
+ case CKA_TRUST_TIME_STAMPING:
+ case CKA_TRUST_STEP_UP_APPROVED:
+ return PR_TRUE;
+ default:
+ break;
+ }
+ return PR_FALSE;
+}
+
+/* are the attributes private? */
+static PRBool
+sftkdb_isPrivateAttribute(CK_ATTRIBUTE_TYPE type)
+{
+ switch (type) {
+ case CKA_VALUE:
+ case CKA_PRIVATE_EXPONENT:
+ case CKA_PRIME_1:
+ case CKA_PRIME_2:
+ case CKA_EXPONENT_1:
+ case CKA_EXPONENT_2:
+ case CKA_COEFFICIENT:
+ return PR_TRUE;
+ default:
+ break;
+ }
+ return PR_FALSE;
+}
+
+/* These attributes must be authenticated with an hmac. */
+static PRBool
+sftkdb_isAuthenticatedAttribute(CK_ATTRIBUTE_TYPE type)
+{
+ switch (type) {
+ case CKA_MODULUS:
+ case CKA_PUBLIC_EXPONENT:
+ case CKA_CERT_SHA1_HASH:
+ case CKA_CERT_MD5_HASH:
+ case CKA_TRUST_SERVER_AUTH:
+ case CKA_TRUST_CLIENT_AUTH:
+ case CKA_TRUST_EMAIL_PROTECTION:
+ case CKA_TRUST_CODE_SIGNING:
+ case CKA_TRUST_STEP_UP_APPROVED:
+ case CKA_NSS_OVERRIDE_EXTENSIONS:
+ return PR_TRUE;
+ default:
+ break;
+ }
+ return PR_FALSE;
+}
+/*
+ * convert a native ULONG to a database ulong. Database ulong's
+ * are all 4 byte big endian values.
+ */
+void
+sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value)
+{
+ int i;
+
+ for (i = 0; i < SDB_ULONG_SIZE; i++) {
+ data[i] = (value >> (SDB_ULONG_SIZE - 1 - i) * BBP) & 0xff;
+ }
+}
+
+/*
+ * convert a database ulong back to a native ULONG. (reverse of the above
+ * function).
+ */
+static CK_ULONG
+sftk_SDBULong2ULong(unsigned char *data)
+{
+ int i;
+ CK_ULONG value = 0;
+
+ for (i = 0; i < SDB_ULONG_SIZE; i++) {
+ value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) * BBP);
+ }
+ return value;
+}
+
+/* certain trust records are default values, which are the values
+ * returned if the signature check fails anyway.
+ * In those cases, we can skip the signature check. */
+PRBool
+sftkdb_isNullTrust(const CK_ATTRIBUTE *template)
+{
+ switch (template->type) {
+ case CKA_TRUST_SERVER_AUTH:
+ case CKA_TRUST_CLIENT_AUTH:
+ case CKA_TRUST_EMAIL_PROTECTION:
+ case CKA_TRUST_CODE_SIGNING:
+ if (template->ulValueLen != SDB_ULONG_SIZE) {
+ break;
+ }
+ if (sftk_SDBULong2ULong(template->pValue) ==
+ CKT_NSS_TRUST_UNKNOWN) {
+ return PR_TRUE;
+ }
+ break;
+ case CKA_TRUST_STEP_UP_APPROVED:
+ if (template->ulValueLen != 1) {
+ break;
+ }
+ if (*((unsigned char *)(template->pValue)) == 0) {
+ return PR_TRUE;
+ }
+ break;
+ default:
+ break;
+ }
+ return PR_FALSE;
+}
+
+/*
+ * fix up the input templates. Our fixed up ints are stored in data and must
+ * be freed by the caller. The new template must also be freed. If there are no
+ * CK_ULONG attributes, the orignal template is passed in as is.
+ */
+static CK_ATTRIBUTE *
+sftkdb_fixupTemplateIn(const CK_ATTRIBUTE *template, int count,
+ unsigned char **dataOut, int *dataOutSize)
+{
+ int i;
+ int ulongCount = 0;
+ unsigned char *data;
+ CK_ATTRIBUTE *ntemplate;
+
+ *dataOut = NULL;
+ *dataOutSize = 0;
+
+ /* first count the number of CK_ULONG attributes */
+ for (i = 0; i < count; i++) {
+ /* Don't 'fixup' NULL values */
+ if (!template[i].pValue) {
+ continue;
+ }
+ if (template[i].ulValueLen == sizeof(CK_ULONG)) {
+ if (sftkdb_isULONGAttribute(template[i].type)) {
+ ulongCount++;
+ }
+ }
+ }
+ /* no attributes to fixup, just call on through */
+ if (ulongCount == 0) {
+ return (CK_ATTRIBUTE *)template;
+ }
+
+ /* allocate space for new ULONGS */
+ data = (unsigned char *)PORT_Alloc(SDB_ULONG_SIZE * ulongCount);
+ if (!data) {
+ return NULL;
+ }
+
+ /* allocate new template */
+ ntemplate = PORT_NewArray(CK_ATTRIBUTE, count);
+ if (!ntemplate) {
+ PORT_Free(data);
+ return NULL;
+ }
+ *dataOut = data;
+ *dataOutSize = SDB_ULONG_SIZE * ulongCount;
+ /* copy the old template, fixup the actual ulongs */
+ for (i = 0; i < count; i++) {
+ ntemplate[i] = template[i];
+ /* Don't 'fixup' NULL values */
+ if (!template[i].pValue) {
+ continue;
+ }
+ if (template[i].ulValueLen == sizeof(CK_ULONG)) {
+ if (sftkdb_isULONGAttribute(template[i].type)) {
+ CK_ULONG value = *(CK_ULONG *)template[i].pValue;
+ sftk_ULong2SDBULong(data, value);
+ ntemplate[i].pValue = data;
+ ntemplate[i].ulValueLen = SDB_ULONG_SIZE;
+ data += SDB_ULONG_SIZE;
+ }
+ }
+ }
+ return ntemplate;
+}
+
+static const char SFTKDB_META_SIG_TEMPLATE[] = "sig_%s_%08x_%08x";
+
+/*
+ * return a string describing the database type (key or cert)
+ */
+const char *
+sftkdb_TypeString(SFTKDBHandle *handle)
+{
+ return (handle->type == SFTK_KEYDB_TYPE) ? "key" : "cert";
+}
+
+/*
+ * Some attributes are signed with an Hmac and a pbe key generated from
+ * the password. This signature is stored indexed by object handle and
+ * attribute type in the meta data table in the key database.
+ *
+ * Signature entries are indexed by the string
+ * sig_[cert/key]_{ObjectID}_{Attribute}
+ *
+ * This function fetches that pkcs5 signature. Caller supplies a SECItem
+ * pre-allocated to the appropriate size if the SECItem is too small the
+ * function will fail with CKR_BUFFER_TOO_SMALL.
+ */
+static CK_RV
+sftkdb_getRawAttributeSignature(SFTKDBHandle *handle, SDB *db,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE type,
+ SECItem *signText)
+{
+ char id[30];
+ CK_RV crv;
+
+ snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE,
+ sftkdb_TypeString(handle),
+ (unsigned int)objectID, (unsigned int)type);
+
+ crv = (*db->sdb_GetMetaData)(db, id, signText, NULL);
+ return crv;
+}
+
+CK_RV
+sftkdb_GetAttributeSignature(SFTKDBHandle *handle, SFTKDBHandle *keyHandle,
+ CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE type,
+ SECItem *signText)
+{
+ SDB *db = SFTK_GET_SDB(keyHandle);
+ return sftkdb_getRawAttributeSignature(handle, db, objectID, type, signText);
+}
+
+CK_RV
+sftkdb_DestroyAttributeSignature(SFTKDBHandle *handle, SDB *db,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE type)
+{
+ char id[30];
+ CK_RV crv;
+
+ snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE,
+ sftkdb_TypeString(handle),
+ (unsigned int)objectID, (unsigned int)type);
+
+ crv = (*db->sdb_DestroyMetaData)(db, id);
+ return crv;
+}
+
+/*
+ * Some attributes are signed with an Hmac and a pbe key generated from
+ * the password. This signature is stored indexed by object handle and
+ * attribute type in the meta data table in the key database.
+ *
+ * Signature entries are indexed by the string
+ * sig_[cert/key]_{ObjectID}_{Attribute}
+ *
+ * This function stores that pkcs5 signature.
+ */
+CK_RV
+sftkdb_PutAttributeSignature(SFTKDBHandle *handle, SDB *keyTarget,
+ CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE type,
+ SECItem *signText)
+{
+ char id[30];
+ CK_RV crv;
+
+ snprintf(id, sizeof(id), SFTKDB_META_SIG_TEMPLATE,
+ sftkdb_TypeString(handle),
+ (unsigned int)objectID, (unsigned int)type);
+
+ crv = (*keyTarget->sdb_PutMetaData)(keyTarget, id, signText, NULL);
+ return crv;
+}
+
+/*
+ * fix up returned data. NOTE: sftkdb_fixupTemplateIn has already allocated
+ * separate data sections for the database ULONG values.
+ */
+static CK_RV
+sftkdb_fixupTemplateOut(CK_ATTRIBUTE *template, CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE *ntemplate, int count, SFTKDBHandle *handle)
+{
+ int i;
+ CK_RV crv = CKR_OK;
+ SFTKDBHandle *keyHandle;
+ PRBool checkSig = PR_TRUE;
+ PRBool checkEnc = PR_TRUE;
+
+ PORT_Assert(handle);
+
+ /* find the key handle */
+ keyHandle = handle;
+ if (handle->type != SFTK_KEYDB_TYPE) {
+ checkEnc = PR_FALSE;
+ keyHandle = handle->peerDB;
+ }
+
+ if ((keyHandle == NULL) ||
+ ((SFTK_GET_SDB(keyHandle)->sdb_flags & SDB_HAS_META) == 0) ||
+ (sftkdb_PWCached(keyHandle) != SECSuccess)) {
+ checkSig = PR_FALSE;
+ }
+
+ for (i = 0; i < count; i++) {
+ CK_ULONG length = template[i].ulValueLen;
+ template[i].ulValueLen = ntemplate[i].ulValueLen;
+ /* fixup ulongs */
+ if (ntemplate[i].ulValueLen == SDB_ULONG_SIZE) {
+ if (sftkdb_isULONGAttribute(template[i].type)) {
+ if (template[i].pValue) {
+ CK_ULONG value;
+
+ value = sftk_SDBULong2ULong(ntemplate[i].pValue);
+ if (length < sizeof(CK_ULONG)) {
+ template[i].ulValueLen = -1;
+ crv = CKR_BUFFER_TOO_SMALL;
+ continue;
+ }
+ PORT_Memcpy(template[i].pValue, &value, sizeof(CK_ULONG));
+ }
+ template[i].ulValueLen = sizeof(CK_ULONG);
+ }
+ }
+
+ /* if no data was retrieved, no need to process encrypted or signed
+ * attributes */
+ if ((template[i].pValue == NULL) || (template[i].ulValueLen == -1)) {
+ continue;
+ }
+
+ /* fixup private attributes */
+ if (checkEnc && sftkdb_isPrivateAttribute(ntemplate[i].type)) {
+ /* we have a private attribute */
+ /* This code depends on the fact that the cipherText is bigger
+ * than the plain text */
+ SECItem cipherText;
+ SECItem *plainText;
+ SECStatus rv;
+
+ cipherText.data = ntemplate[i].pValue;
+ cipherText.len = ntemplate[i].ulValueLen;
+ PZ_Lock(handle->passwordLock);
+ if (handle->passwordKey.data == NULL) {
+ PZ_Unlock(handle->passwordLock);
+ template[i].ulValueLen = -1;
+ crv = CKR_USER_NOT_LOGGED_IN;
+ continue;
+ }
+ rv = sftkdb_DecryptAttribute(handle,
+ &handle->passwordKey,
+ objectID,
+ ntemplate[i].type,
+ &cipherText, &plainText);
+ PZ_Unlock(handle->passwordLock);
+ if (rv != SECSuccess) {
+ PORT_Memset(template[i].pValue, 0, template[i].ulValueLen);
+ template[i].ulValueLen = -1;
+ crv = CKR_GENERAL_ERROR;
+ continue;
+ }
+ PORT_Assert(template[i].ulValueLen >= plainText->len);
+ if (template[i].ulValueLen < plainText->len) {
+ SECITEM_ZfreeItem(plainText, PR_TRUE);
+ PORT_Memset(template[i].pValue, 0, template[i].ulValueLen);
+ template[i].ulValueLen = -1;
+ crv = CKR_GENERAL_ERROR;
+ continue;
+ }
+
+ /* copy the plain text back into the template */
+ PORT_Memcpy(template[i].pValue, plainText->data, plainText->len);
+ template[i].ulValueLen = plainText->len;
+ SECITEM_ZfreeItem(plainText, PR_TRUE);
+ }
+ /* make sure signed attributes are valid */
+ if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type) && !sftkdb_isNullTrust(&ntemplate[i])) {
+ SECStatus rv;
+ CK_RV local_crv;
+ SECItem signText;
+ SECItem plainText;
+ unsigned char signData[SDB_MAX_META_DATA_LEN];
+
+ signText.data = signData;
+ signText.len = sizeof(signData);
+
+ /* Use a local variable so that we don't clobber any already
+ * set error. This function returns either CKR_OK or the last
+ * found error in the template */
+ local_crv = sftkdb_GetAttributeSignature(handle, keyHandle,
+ objectID,
+ ntemplate[i].type,
+ &signText);
+ if (local_crv != CKR_OK) {
+ PORT_Memset(template[i].pValue, 0, template[i].ulValueLen);
+ template[i].ulValueLen = -1;
+ crv = local_crv;
+ continue;
+ }
+
+ plainText.data = ntemplate[i].pValue;
+ plainText.len = ntemplate[i].ulValueLen;
+
+ /*
+ * we do a second check holding the lock just in case the user
+ * loggout while we were trying to get the signature.
+ */
+ PZ_Lock(keyHandle->passwordLock);
+ if (keyHandle->passwordKey.data == NULL) {
+ /* if we are no longer logged in, no use checking the other
+ * Signatures either. */
+ checkSig = PR_FALSE;
+ PZ_Unlock(keyHandle->passwordLock);
+ continue;
+ }
+
+ rv = sftkdb_VerifyAttribute(keyHandle,
+ &keyHandle->passwordKey,
+ objectID, ntemplate[i].type,
+ &plainText, &signText);
+ PZ_Unlock(keyHandle->passwordLock);
+ if (rv != SECSuccess) {
+ PORT_Memset(template[i].pValue, 0, template[i].ulValueLen);
+ template[i].ulValueLen = -1;
+ crv = CKR_SIGNATURE_INVALID; /* better error code? */
+ }
+ /* This Attribute is fine */
+ }
+ }
+ return crv;
+}
+
+/*
+ * Some attributes are signed with an HMAC and a pbe key generated from
+ * the password. This signature is stored indexed by object handle and
+ *
+ * Those attributes are:
+ * 1) Trust object hashes and trust values.
+ * 2) public key values.
+ *
+ * Certs themselves are considered properly authenticated by virtue of their
+ * signature, or their matching hash with the trust object.
+ *
+ * These signature is only checked for objects coming from shared databases.
+ * Older dbm style databases have such no signature checks. HMACs are also
+ * only checked when the token is logged in, as it requires a pbe generated
+ * from the password.
+ *
+ * Tokens which have no key database (and therefore no master password) do not
+ * have any stored signature values. Signature values are stored in the key
+ * database, since the signature data is tightly coupled to the key database
+ * password.
+ *
+ * This function takes a template of attributes that were either created or
+ * modified. These attributes are checked to see if the need to be signed.
+ * If they do, then this function signs the attributes and writes them
+ * to the meta data store.
+ *
+ * This function can fail if there are attributes that must be signed, but
+ * the token is not logged in.
+ *
+ * The caller is expected to abort any transaction he was in in the
+ * event of a failure of this function.
+ */
+static CK_RV
+sftk_signTemplate(PLArenaPool *arena, SFTKDBHandle *handle,
+ PRBool mayBeUpdateDB,
+ CK_OBJECT_HANDLE objectID, const CK_ATTRIBUTE *template,
+ CK_ULONG count)
+{
+ unsigned int i;
+ CK_RV crv;
+ SFTKDBHandle *keyHandle = handle;
+ SDB *keyTarget = NULL;
+ PRBool usingPeerDB = PR_FALSE;
+ PRBool inPeerDBTransaction = PR_FALSE;
+
+ PORT_Assert(handle);
+
+ if (handle->type != SFTK_KEYDB_TYPE) {
+ keyHandle = handle->peerDB;
+ usingPeerDB = PR_TRUE;
+ }
+
+ /* no key DB defined? then no need to sign anything */
+ if (keyHandle == NULL) {
+ crv = CKR_OK;
+ goto loser;
+ }
+
+ /* When we are in a middle of an update, we have an update database set,
+ * but we want to write to the real database. The bool mayBeUpdateDB is
+ * set to TRUE if it's possible that we want to write an update database
+ * rather than a primary */
+ keyTarget = (mayBeUpdateDB && keyHandle->update) ? keyHandle->update : keyHandle->db;
+
+ /* skip the the database does not support meta data */
+ if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) {
+ crv = CKR_OK;
+ goto loser;
+ }
+
+ /* If we had to switch databases, we need to initialize a transaction. */
+ if (usingPeerDB) {
+ crv = (*keyTarget->sdb_Begin)(keyTarget);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ inPeerDBTransaction = PR_TRUE;
+ }
+
+ for (i = 0; i < count; i++) {
+ if (sftkdb_isAuthenticatedAttribute(template[i].type)) {
+ SECStatus rv;
+ SECItem *signText;
+ SECItem plainText;
+
+ plainText.data = template[i].pValue;
+ plainText.len = template[i].ulValueLen;
+ PZ_Lock(keyHandle->passwordLock);
+ if (keyHandle->passwordKey.data == NULL) {
+ PZ_Unlock(keyHandle->passwordLock);
+ crv = CKR_USER_NOT_LOGGED_IN;
+ goto loser;
+ }
+ rv = sftkdb_SignAttribute(arena, keyHandle, keyTarget,
+ &keyHandle->passwordKey,
+ keyHandle->defaultIterationCount,
+ objectID, template[i].type,
+ &plainText, &signText);
+ PZ_Unlock(keyHandle->passwordLock);
+ if (rv != SECSuccess) {
+ crv = CKR_GENERAL_ERROR; /* better error code here? */
+ goto loser;
+ }
+ crv = sftkdb_PutAttributeSignature(handle, keyTarget, objectID,
+ template[i].type, signText);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
+ }
+ crv = CKR_OK;
+
+ /* If necessary, commit the transaction */
+ if (inPeerDBTransaction) {
+ crv = (*keyTarget->sdb_Commit)(keyTarget);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ inPeerDBTransaction = PR_FALSE;
+ }
+
+loser:
+ if (inPeerDBTransaction) {
+ /* The transaction must have failed. Abort. */
+ (*keyTarget->sdb_Abort)(keyTarget);
+ PORT_Assert(crv != CKR_OK);
+ if (crv == CKR_OK)
+ crv = CKR_GENERAL_ERROR;
+ }
+ return crv;
+}
+
+static CK_RV
+sftkdb_CreateObject(PLArenaPool *arena, SFTKDBHandle *handle,
+ SDB *db, CK_OBJECT_HANDLE *objectID,
+ CK_ATTRIBUTE *template, CK_ULONG count)
+{
+ CK_RV crv;
+
+ crv = (*db->sdb_CreateObject)(db, objectID, template, count);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_signTemplate(arena, handle, (db == handle->update),
+ *objectID, template, count);
+loser:
+
+ return crv;
+}
+
+static CK_RV
+sftkdb_fixupSignatures(SFTKDBHandle *handle,
+ SDB *db, CK_OBJECT_HANDLE oldID, CK_OBJECT_HANDLE newID,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG max_attributes)
+{
+ unsigned int i;
+ CK_RV crv = CKR_OK;
+
+ /* if we don't have a meta table, we didn't write any signature objects */
+ if ((db->sdb_flags & SDB_HAS_META) == 0) {
+ return CKR_OK;
+ }
+ for (i = 0; i < max_attributes; i++) {
+ CK_ATTRIBUTE *att = &ptemplate[i];
+ CK_ATTRIBUTE_TYPE type = att->type;
+ if (sftkdb_isPrivateAttribute(type)) {
+ /* move the signature from one object handle to another and delete
+ * the old entry */
+ SECItem signature;
+ unsigned char signData[SDB_MAX_META_DATA_LEN];
+
+ signature.data = signData;
+ signature.len = sizeof(signData);
+ crv = sftkdb_getRawAttributeSignature(handle, db, oldID, type,
+ &signature);
+ if (crv != CKR_OK) {
+ /* NOTE: if we ever change our default write from AES_CBC
+ * to AES_KW, We'll need to change this to a continue as
+ * we won't need the integrity record for AES_KW */
+ break;
+ }
+ crv = sftkdb_PutAttributeSignature(handle, db, newID, type,
+ &signature);
+ if (crv != CKR_OK) {
+ break;
+ }
+ /* now get rid of the old one */
+ crv = sftkdb_DestroyAttributeSignature(handle, db, oldID, type);
+ if (crv != CKR_OK) {
+ break;
+ }
+ }
+ }
+ return crv;
+}
+
+CK_ATTRIBUTE *
+sftk_ExtractTemplate(PLArenaPool *arena, SFTKObject *object,
+ SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID,
+ SDB *db, CK_ULONG *pcount, CK_RV *crv)
+{
+ unsigned int count;
+ CK_ATTRIBUTE *template;
+ unsigned int i, templateIndex;
+ SFTKSessionObject *sessObject = sftk_narrowToSessionObject(object);
+ PRBool doEnc = PR_TRUE;
+
+ *crv = CKR_OK;
+
+ if (sessObject == NULL) {
+ *crv = CKR_GENERAL_ERROR; /* internal programming error */
+ return NULL;
+ }
+
+ PORT_Assert(handle);
+ /* find the key handle */
+ if (handle->type != SFTK_KEYDB_TYPE) {
+ doEnc = PR_FALSE;
+ }
+
+ PZ_Lock(sessObject->attributeLock);
+ count = 0;
+ for (i = 0; i < sessObject->hashSize; i++) {
+ SFTKAttribute *attr;
+ for (attr = sessObject->head[i]; attr; attr = attr->next) {
+ count++;
+ }
+ }
+ template = PORT_ArenaNewArray(arena, CK_ATTRIBUTE, count);
+ if (template == NULL) {
+ PZ_Unlock(sessObject->attributeLock);
+ *crv = CKR_HOST_MEMORY;
+ return NULL;
+ }
+ templateIndex = 0;
+ for (i = 0; i < sessObject->hashSize; i++) {
+ SFTKAttribute *attr;
+ for (attr = sessObject->head[i]; attr; attr = attr->next) {
+ CK_ATTRIBUTE *tp = &template[templateIndex++];
+ /* copy the attribute */
+ *tp = attr->attrib;
+
+ /* fixup ULONG s */
+ if ((tp->ulValueLen == sizeof(CK_ULONG)) &&
+ (sftkdb_isULONGAttribute(tp->type))) {
+ CK_ULONG value = *(CK_ULONG *)tp->pValue;
+ unsigned char *data;
+
+ tp->pValue = PORT_ArenaAlloc(arena, SDB_ULONG_SIZE);
+ data = (unsigned char *)tp->pValue;
+ if (data == NULL) {
+ *crv = CKR_HOST_MEMORY;
+ break;
+ }
+ sftk_ULong2SDBULong(data, value);
+ tp->ulValueLen = SDB_ULONG_SIZE;
+ }
+
+ /* encrypt private attributes */
+ if (doEnc && sftkdb_isPrivateAttribute(tp->type)) {
+ /* we have a private attribute */
+ SECItem *cipherText;
+ SECItem plainText;
+ SECStatus rv;
+
+ plainText.data = tp->pValue;
+ plainText.len = tp->ulValueLen;
+ PZ_Lock(handle->passwordLock);
+ if (handle->passwordKey.data == NULL) {
+ PZ_Unlock(handle->passwordLock);
+ *crv = CKR_USER_NOT_LOGGED_IN;
+ break;
+ }
+ rv = sftkdb_EncryptAttribute(arena, handle, db,
+ &handle->passwordKey,
+ handle->defaultIterationCount,
+ objectID,
+ tp->type,
+ &plainText, &cipherText);
+ PZ_Unlock(handle->passwordLock);
+ if (rv == SECSuccess) {
+ tp->pValue = cipherText->data;
+ tp->ulValueLen = cipherText->len;
+ } else {
+ *crv = CKR_GENERAL_ERROR; /* better error code here? */
+ break;
+ }
+ PORT_Memset(plainText.data, 0, plainText.len);
+ }
+ }
+ }
+ PORT_Assert(templateIndex <= count);
+ PZ_Unlock(sessObject->attributeLock);
+
+ if (*crv != CKR_OK) {
+ return NULL;
+ }
+ if (pcount) {
+ *pcount = count;
+ }
+ return template;
+}
+
+/*
+ * return a pointer to the attribute in the give template.
+ * The return value is not const, as the caller may modify
+ * the given attribute value, but such modifications will
+ * modify the actual value in the template.
+ */
+static CK_ATTRIBUTE *
+sftkdb_getAttributeFromTemplate(CK_ATTRIBUTE_TYPE attribute,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG len)
+{
+ CK_ULONG i;
+
+ for (i = 0; i < len; i++) {
+ if (attribute == ptemplate[i].type) {
+ return &ptemplate[i];
+ }
+ }
+ return NULL;
+}
+
+static const CK_ATTRIBUTE *
+sftkdb_getAttributeFromConstTemplate(CK_ATTRIBUTE_TYPE attribute,
+ const CK_ATTRIBUTE *ptemplate, CK_ULONG len)
+{
+ CK_ULONG i;
+
+ for (i = 0; i < len; i++) {
+ if (attribute == ptemplate[i].type) {
+ return &ptemplate[i];
+ }
+ }
+ return NULL;
+}
+
+/*
+ * fetch a template which identifies 'unique' entries based on object type
+ */
+static CK_RV
+sftkdb_getFindTemplate(CK_OBJECT_CLASS objectType, unsigned char *objTypeData,
+ CK_ATTRIBUTE *findTemplate, CK_ULONG *findCount,
+ CK_ATTRIBUTE *ptemplate, int len)
+{
+ CK_ATTRIBUTE *attr;
+ CK_ULONG count = 1;
+
+ sftk_ULong2SDBULong(objTypeData, objectType);
+ findTemplate[0].type = CKA_CLASS;
+ findTemplate[0].pValue = objTypeData;
+ findTemplate[0].ulValueLen = SDB_ULONG_SIZE;
+
+ switch (objectType) {
+ case CKO_CERTIFICATE:
+ case CKO_NSS_TRUST:
+ attr = sftkdb_getAttributeFromTemplate(CKA_ISSUER, ptemplate, len);
+ if (attr == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ findTemplate[1] = *attr;
+ attr = sftkdb_getAttributeFromTemplate(CKA_SERIAL_NUMBER,
+ ptemplate, len);
+ if (attr == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ findTemplate[2] = *attr;
+ count = 3;
+ break;
+
+ case CKO_PRIVATE_KEY:
+ case CKO_PUBLIC_KEY:
+ case CKO_SECRET_KEY:
+ attr = sftkdb_getAttributeFromTemplate(CKA_ID, ptemplate, len);
+ if (attr == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ if (attr->ulValueLen == 0) {
+ /* key is too generic to determine that it's unique, usually
+ * happens in the key gen case */
+ return CKR_OBJECT_HANDLE_INVALID;
+ }
+
+ findTemplate[1] = *attr;
+ count = 2;
+ break;
+
+ case CKO_NSS_CRL:
+ attr = sftkdb_getAttributeFromTemplate(CKA_SUBJECT, ptemplate, len);
+ if (attr == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ findTemplate[1] = *attr;
+ count = 2;
+ break;
+
+ case CKO_NSS_SMIME:
+ attr = sftkdb_getAttributeFromTemplate(CKA_SUBJECT, ptemplate, len);
+ if (attr == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ findTemplate[1] = *attr;
+ attr = sftkdb_getAttributeFromTemplate(CKA_NSS_EMAIL, ptemplate, len);
+ if (attr == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ findTemplate[2] = *attr;
+ count = 3;
+ break;
+ default:
+ attr = sftkdb_getAttributeFromTemplate(CKA_VALUE, ptemplate, len);
+ if (attr == NULL) {
+ return CKR_TEMPLATE_INCOMPLETE;
+ }
+ findTemplate[1] = *attr;
+ count = 2;
+ break;
+ }
+ *findCount = count;
+
+ return CKR_OK;
+}
+
+/*
+ * look to see if this object already exists and return its object ID if
+ * it does.
+ */
+static CK_RV
+sftkdb_lookupObject(SDB *db, CK_OBJECT_CLASS objectType,
+ CK_OBJECT_HANDLE *id, CK_ATTRIBUTE *ptemplate, CK_ULONG len)
+{
+ CK_ATTRIBUTE findTemplate[3];
+ CK_ULONG count = 1;
+ CK_ULONG objCount = 0;
+ SDBFind *find = NULL;
+ unsigned char objTypeData[SDB_ULONG_SIZE];
+ CK_RV crv;
+
+ *id = CK_INVALID_HANDLE;
+ if (objectType == CKO_NSS_CRL) {
+ return CKR_OK;
+ }
+ crv = sftkdb_getFindTemplate(objectType, objTypeData,
+ findTemplate, &count, ptemplate, len);
+
+ if (crv == CKR_OBJECT_HANDLE_INVALID) {
+ /* key is too generic to determine that it's unique, usually
+ * happens in the key gen case, tell the caller to go ahead
+ * and just create it */
+ return CKR_OK;
+ }
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ /* use the raw find, so we get the correct database */
+ crv = (*db->sdb_FindObjectsInit)(db, findTemplate, count, &find);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ (*db->sdb_FindObjects)(db, find, id, 1, &objCount);
+ (*db->sdb_FindObjectsFinal)(db, find);
+
+ if (objCount == 0) {
+ *id = CK_INVALID_HANDLE;
+ }
+ return CKR_OK;
+}
+
+/*
+ * check to see if this template conflicts with others in our current database.
+ */
+static CK_RV
+sftkdb_checkConflicts(SDB *db, CK_OBJECT_CLASS objectType,
+ const CK_ATTRIBUTE *ptemplate, CK_ULONG len,
+ CK_OBJECT_HANDLE sourceID)
+{
+ CK_ATTRIBUTE findTemplate[2];
+ unsigned char objTypeData[SDB_ULONG_SIZE];
+ /* we may need to allocate some temporaries. Keep track of what was
+ * allocated so we can free it in the end */
+ unsigned char *temp1 = NULL;
+ unsigned char *temp2 = NULL;
+ CK_ULONG objCount = 0;
+ SDBFind *find = NULL;
+ CK_OBJECT_HANDLE id;
+ const CK_ATTRIBUTE *attr, *attr2;
+ CK_RV crv;
+ CK_ATTRIBUTE subject;
+
+ /* Currently the only conflict is with nicknames pointing to the same
+ * subject when creating or modifying a certificate. */
+ /* If the object is not a cert, no problem. */
+ if (objectType != CKO_CERTIFICATE) {
+ return CKR_OK;
+ }
+ /* if not setting a nickname then there's still no problem */
+ attr = sftkdb_getAttributeFromConstTemplate(CKA_LABEL, ptemplate, len);
+ if ((attr == NULL) || (attr->ulValueLen == 0)) {
+ return CKR_OK;
+ }
+ /* fetch the subject of the source. For creation and merge, this should
+ * be found in the template */
+ attr2 = sftkdb_getAttributeFromConstTemplate(CKA_SUBJECT, ptemplate, len);
+ if (sourceID == CK_INVALID_HANDLE) {
+ if ((attr2 == NULL) || ((CK_LONG)attr2->ulValueLen < 0)) {
+ crv = CKR_TEMPLATE_INCOMPLETE;
+ goto done;
+ }
+ } else if ((attr2 == NULL) || ((CK_LONG)attr2->ulValueLen <= 0)) {
+ /* sourceID is set if we are trying to modify an existing entry instead
+ * of creating a new one. In this case the subject may not be (probably
+ * isn't) in the template, we have to read it from the database */
+ subject.type = CKA_SUBJECT;
+ subject.pValue = NULL;
+ subject.ulValueLen = 0;
+ crv = (*db->sdb_GetAttributeValue)(db, sourceID, &subject, 1);
+ if (crv != CKR_OK) {
+ goto done;
+ }
+ if ((CK_LONG)subject.ulValueLen < 0) {
+ crv = CKR_DEVICE_ERROR; /* closest pkcs11 error to corrupted DB */
+ goto done;
+ }
+ temp1 = subject.pValue = PORT_Alloc(++subject.ulValueLen);
+ if (temp1 == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ crv = (*db->sdb_GetAttributeValue)(db, sourceID, &subject, 1);
+ if (crv != CKR_OK) {
+ goto done;
+ }
+ attr2 = &subject;
+ }
+
+ /* check for another cert in the database with the same nickname */
+ sftk_ULong2SDBULong(objTypeData, objectType);
+ findTemplate[0].type = CKA_CLASS;
+ findTemplate[0].pValue = objTypeData;
+ findTemplate[0].ulValueLen = SDB_ULONG_SIZE;
+ findTemplate[1] = *attr;
+
+ crv = (*db->sdb_FindObjectsInit)(db, findTemplate, 2, &find);
+ if (crv != CKR_OK) {
+ goto done;
+ }
+ (*db->sdb_FindObjects)(db, find, &id, 1, &objCount);
+ (*db->sdb_FindObjectsFinal)(db, find);
+
+ /* object count == 0 means no conflicting certs found,
+ * go on with the operation */
+ if (objCount == 0) {
+ crv = CKR_OK;
+ goto done;
+ }
+
+ /* There is a least one cert that shares the nickname, make sure it also
+ * matches the subject. */
+ findTemplate[0] = *attr2;
+ /* we know how big the source subject was. Use that length to create the
+ * space for the target. If it's not enough space, then it means the
+ * source subject is too big, and therefore not a match. GetAttributeValue
+ * will return CKR_BUFFER_TOO_SMALL. Otherwise it should be exactly enough
+ * space (or enough space to be able to compare the result. */
+ temp2 = findTemplate[0].pValue = PORT_Alloc(++findTemplate[0].ulValueLen);
+ if (temp2 == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto done;
+ }
+ crv = (*db->sdb_GetAttributeValue)(db, id, findTemplate, 1);
+ if (crv != CKR_OK) {
+ if (crv == CKR_BUFFER_TOO_SMALL) {
+ /* if our buffer is too small, then the Subjects clearly do
+ * not match */
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto loser;
+ }
+ /* otherwise we couldn't get the value, just fail */
+ goto done;
+ }
+
+ /* Ok, we have both subjects, make sure they are the same.
+ * Compare the subjects */
+ if ((findTemplate[0].ulValueLen != attr2->ulValueLen) ||
+ (attr2->ulValueLen > 0 &&
+ PORT_Memcmp(findTemplate[0].pValue, attr2->pValue, attr2->ulValueLen) != 0)) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto loser;
+ }
+ crv = CKR_OK;
+
+done:
+ /* If we've failed for some other reason than a conflict, make sure we
+ * return an error code other than CKR_ATTRIBUTE_VALUE_INVALID.
+ * (NOTE: neither sdb_FindObjectsInit nor sdb_GetAttributeValue should
+ * return CKR_ATTRIBUTE_VALUE_INVALID, so the following is paranoia).
+ */
+ if (crv == CKR_ATTRIBUTE_VALUE_INVALID) {
+ crv = CKR_GENERAL_ERROR; /* clearly a programming error */
+ }
+
+/* exit point if we found a conflict */
+loser:
+ PORT_Free(temp1);
+ PORT_Free(temp2);
+ return crv;
+}
+
+/*
+ * try to update the template to fix any errors. This is only done
+ * during update.
+ *
+ * NOTE: we must update the template or return an error, or the update caller
+ * will loop forever!
+ *
+ * Two copies of the source code for this algorithm exist in NSS.
+ * Changes must be made in both copies.
+ * The other copy is in pk11_IncrementNickname() in pk11wrap/pk11merge.c.
+ *
+ */
+static CK_RV
+sftkdb_resolveConflicts(PLArenaPool *arena, CK_OBJECT_CLASS objectType,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG *plen)
+{
+ CK_ATTRIBUTE *attr;
+ char *nickname, *newNickname;
+ unsigned int end, digit;
+
+ /* sanity checks. We should never get here with these errors */
+ if (objectType != CKO_CERTIFICATE) {
+ return CKR_GENERAL_ERROR; /* shouldn't happen */
+ }
+ attr = sftkdb_getAttributeFromTemplate(CKA_LABEL, ptemplate, *plen);
+ if ((attr == NULL) || (attr->ulValueLen == 0)) {
+ return CKR_GENERAL_ERROR; /* shouldn't happen */
+ }
+
+ /* update the nickname */
+ /* is there a number at the end of the nickname already?
+ * if so just increment that number */
+ nickname = (char *)attr->pValue;
+
+ /* does nickname end with " #n*" ? */
+ for (end = attr->ulValueLen - 1;
+ end >= 2 && (digit = nickname[end]) <= '9' && digit >= '0';
+ end--) /* just scan */
+ ;
+ if (attr->ulValueLen >= 3 &&
+ end < (attr->ulValueLen - 1) /* at least one digit */ &&
+ nickname[end] == '#' &&
+ nickname[end - 1] == ' ') {
+ /* Already has a suitable suffix string */
+ } else {
+ /* ... append " #2" to the name */
+ static const char num2[] = " #2";
+ newNickname = PORT_ArenaAlloc(arena, attr->ulValueLen + sizeof(num2));
+ if (!newNickname) {
+ return CKR_HOST_MEMORY;
+ }
+ PORT_Memcpy(newNickname, nickname, attr->ulValueLen);
+ PORT_Memcpy(&newNickname[attr->ulValueLen], num2, sizeof(num2));
+ attr->pValue = newNickname; /* modifies ptemplate */
+ attr->ulValueLen += 3; /* 3 is strlen(num2) */
+ return CKR_OK;
+ }
+
+ for (end = attr->ulValueLen; end-- > 0;) {
+ digit = nickname[end];
+ if (digit > '9' || digit < '0') {
+ break;
+ }
+ if (digit < '9') {
+ nickname[end]++;
+ return CKR_OK;
+ }
+ nickname[end] = '0';
+ }
+
+ /* we overflowed, insert a new '1' for a carry in front of the number */
+ newNickname = PORT_ArenaAlloc(arena, attr->ulValueLen + 1);
+ if (!newNickname) {
+ return CKR_HOST_MEMORY;
+ }
+ /* PORT_Memcpy should handle len of '0' */
+ PORT_Memcpy(newNickname, nickname, ++end);
+ newNickname[end] = '1';
+ PORT_Memset(&newNickname[end + 1], '0', attr->ulValueLen - end);
+ attr->pValue = newNickname;
+ attr->ulValueLen++;
+ return CKR_OK;
+}
+
+/*
+ * set an attribute and sign it if necessary
+ */
+static CK_RV
+sftkdb_setAttributeValue(PLArenaPool *arena, SFTKDBHandle *handle,
+ SDB *db, CK_OBJECT_HANDLE objectID, const CK_ATTRIBUTE *template,
+ CK_ULONG count)
+{
+ CK_RV crv;
+ crv = (*db->sdb_SetAttributeValue)(db, objectID, template, count);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = sftk_signTemplate(arena, handle, db == handle->update,
+ objectID, template, count);
+ return crv;
+}
+
+/*
+ * write a softoken object out to the database.
+ */
+CK_RV
+sftkdb_write(SFTKDBHandle *handle, SFTKObject *object,
+ CK_OBJECT_HANDLE *objectID)
+{
+ CK_ATTRIBUTE *template;
+ PLArenaPool *arena;
+ CK_ULONG count;
+ CK_RV crv;
+ SDB *db;
+ PRBool inTransaction = PR_FALSE;
+ CK_OBJECT_HANDLE id, candidateID;
+
+ *objectID = CK_INVALID_HANDLE;
+
+ if (handle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ db = SFTK_GET_SDB(handle);
+
+ /*
+ * we have opened a new database, but we have not yet updated it. We are
+ * still running pointing to the old database (so the application can
+ * still read). We don't want to write to the old database at this point,
+ * however, since it leads to user confusion. So at this point we simply
+ * require a user login. Let NSS know this so it can prompt the user.
+ */
+ if (db == handle->update) {
+ return CKR_USER_NOT_LOGGED_IN;
+ }
+
+ arena = PORT_NewArena(256);
+ if (arena == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ crv = (*db->sdb_Begin)(db);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ inTransaction = PR_TRUE;
+
+ crv = (*db->sdb_GetNewObjectID)(db, &candidateID);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ template = sftk_ExtractTemplate(arena, object, handle, candidateID, db, &count, &crv);
+ if (!template) {
+ goto loser;
+ }
+
+ /*
+ * We want to make the base database as free from object specific knowledge
+ * as possible. To maintain compatibility, keep some of the desirable
+ * object specific semantics of the old database.
+ *
+ * These were 2 fold:
+ * 1) there were certain conflicts (like trying to set the same nickname
+ * on two different subjects) that would return an error.
+ * 2) Importing the 'same' object would silently update that object.
+ *
+ * The following 2 functions mimic the desirable effects of these two
+ * semantics without pushing any object knowledge to the underlying database
+ * code.
+ */
+
+ /* make sure we don't have attributes that conflict with the existing DB */
+ crv = sftkdb_checkConflicts(db, object->objclass, template, count,
+ CK_INVALID_HANDLE);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ /* Find any copies that match this particular object */
+ crv = sftkdb_lookupObject(db, object->objclass, &id, template, count);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ if (id == CK_INVALID_HANDLE) {
+ *objectID = candidateID;
+ crv = sftkdb_CreateObject(arena, handle, db, objectID, template, count);
+ } else {
+ /* object already exists, modify it's attributes */
+ *objectID = id;
+ /* The object ID changed from our candidate, we need to move any
+ * signature attribute signatures to the new object ID. */
+ crv = sftkdb_fixupSignatures(handle, db, candidateID, id,
+ template, count);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftkdb_setAttributeValue(arena, handle, db, id, template, count);
+ }
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = (*db->sdb_Commit)(db);
+ inTransaction = PR_FALSE;
+
+loser:
+ if (inTransaction) {
+ (*db->sdb_Abort)(db);
+ /* It is trivial to show the following code cannot
+ * happen unless something is horribly wrong with our compilier or
+ * hardware */
+ PORT_Assert(crv != CKR_OK);
+ if (crv == CKR_OK)
+ crv = CKR_GENERAL_ERROR;
+ }
+
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+ if (crv == CKR_OK) {
+ *objectID |= (handle->type | SFTK_TOKEN_TYPE);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_FindObjectsInit(SFTKDBHandle *handle, const CK_ATTRIBUTE *template,
+ CK_ULONG count, SDBFind **find)
+{
+ unsigned char *data = NULL;
+ CK_ATTRIBUTE *ntemplate = NULL;
+ CK_RV crv;
+ int dataSize;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ db = SFTK_GET_SDB(handle);
+
+ if (count != 0) {
+ ntemplate = sftkdb_fixupTemplateIn(template, count, &data, &dataSize);
+ if (ntemplate == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ }
+
+ crv = (*db->sdb_FindObjectsInit)(db, ntemplate,
+ count, find);
+ if (data) {
+ PORT_Free(ntemplate);
+ PORT_ZFree(data, dataSize);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_FindObjects(SFTKDBHandle *handle, SDBFind *find,
+ CK_OBJECT_HANDLE *ids, int arraySize, CK_ULONG *count)
+{
+ CK_RV crv;
+ SDB *db;
+
+ if (handle == NULL) {
+ *count = 0;
+ return CKR_OK;
+ }
+ db = SFTK_GET_SDB(handle);
+
+ crv = (*db->sdb_FindObjects)(db, find, ids,
+ arraySize, count);
+ if (crv == CKR_OK) {
+ unsigned int i;
+ for (i = 0; i < *count; i++) {
+ ids[i] |= (handle->type | SFTK_TOKEN_TYPE);
+ }
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_FindObjectsFinal(SFTKDBHandle *handle, SDBFind *find)
+{
+ SDB *db;
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ db = SFTK_GET_SDB(handle);
+ return (*db->sdb_FindObjectsFinal)(db, find);
+}
+
+CK_RV
+sftkdb_GetAttributeValue(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE *template, CK_ULONG count)
+{
+ CK_RV crv, crv2;
+ CK_ATTRIBUTE *ntemplate;
+ unsigned char *data = NULL;
+ int dataSize = 0;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_GENERAL_ERROR;
+ }
+
+ /* short circuit common attributes */
+ if (count == 1 &&
+ (template[0].type == CKA_TOKEN ||
+ template[0].type == CKA_PRIVATE ||
+ template[0].type == CKA_SENSITIVE)) {
+ CK_BBOOL boolVal = CK_TRUE;
+
+ if (template[0].pValue == NULL) {
+ template[0].ulValueLen = sizeof(CK_BBOOL);
+ return CKR_OK;
+ }
+ if (template[0].ulValueLen < sizeof(CK_BBOOL)) {
+ template[0].ulValueLen = -1;
+ return CKR_BUFFER_TOO_SMALL;
+ }
+
+ if ((template[0].type == CKA_PRIVATE) &&
+ (handle->type != SFTK_KEYDB_TYPE)) {
+ boolVal = CK_FALSE;
+ }
+ if ((template[0].type == CKA_SENSITIVE) &&
+ (handle->type != SFTK_KEYDB_TYPE)) {
+ boolVal = CK_FALSE;
+ }
+ *(CK_BBOOL *)template[0].pValue = boolVal;
+ template[0].ulValueLen = sizeof(CK_BBOOL);
+ return CKR_OK;
+ }
+
+ db = SFTK_GET_SDB(handle);
+ /* nothing to do */
+ if (count == 0) {
+ return CKR_OK;
+ }
+ ntemplate = sftkdb_fixupTemplateIn(template, count, &data, &dataSize);
+ if (ntemplate == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ objectID &= SFTK_OBJ_ID_MASK;
+ crv = (*db->sdb_GetAttributeValue)(db, objectID,
+ ntemplate, count);
+ crv2 = sftkdb_fixupTemplateOut(template, objectID, ntemplate,
+ count, handle);
+ if (crv == CKR_OK)
+ crv = crv2;
+ if (data) {
+ PORT_Free(ntemplate);
+ PORT_ZFree(data, dataSize);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object,
+ const CK_ATTRIBUTE *template, CK_ULONG count)
+{
+ CK_ATTRIBUTE *ntemplate;
+ unsigned char *data = NULL;
+ PLArenaPool *arena = NULL;
+ SDB *db;
+ CK_RV crv = CKR_OK;
+ CK_OBJECT_HANDLE objectID = (object->handle & SFTK_OBJ_ID_MASK);
+ PRBool inTransaction = PR_FALSE;
+ int dataSize;
+
+ if (handle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+
+ db = SFTK_GET_SDB(handle);
+ /* nothing to do */
+ if (count == 0) {
+ return CKR_OK;
+ }
+ /*
+ * we have opened a new database, but we have not yet updated it. We are
+ * still running pointing to the old database (so the application can
+ * still read). We don't want to write to the old database at this point,
+ * however, since it leads to user confusion. So at this point we simply
+ * require a user login. Let NSS know this so it can prompt the user.
+ */
+ if (db == handle->update) {
+ return CKR_USER_NOT_LOGGED_IN;
+ }
+
+ ntemplate = sftkdb_fixupTemplateIn(template, count, &data, &dataSize);
+ if (ntemplate == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* make sure we don't have attributes that conflict with the existing DB */
+ crv = sftkdb_checkConflicts(db, object->objclass, ntemplate, count,
+ objectID);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ arena = PORT_NewArena(256);
+ if (arena == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+
+ crv = (*db->sdb_Begin)(db);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ inTransaction = PR_TRUE;
+ crv = sftkdb_setAttributeValue(arena, handle, db, objectID, ntemplate,
+ count);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = (*db->sdb_Commit)(db);
+loser:
+ if (crv != CKR_OK && inTransaction) {
+ (*db->sdb_Abort)(db);
+ }
+ if (data) {
+ PORT_Free(ntemplate);
+ PORT_ZFree(data, dataSize);
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID,
+ CK_OBJECT_CLASS objclass)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ db = SFTK_GET_SDB(handle);
+ objectID &= SFTK_OBJ_ID_MASK;
+
+ crv = (*db->sdb_Begin)(db);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ crv = (*db->sdb_DestroyObject)(db, objectID);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ /* if the database supports meta data, delete any old signatures
+ * that we may have added */
+ if ((db->sdb_flags & SDB_HAS_META) == SDB_HAS_META) {
+ SDB *keydb = db;
+ if (handle->type == SFTK_KEYDB_TYPE) {
+ /* delete any private attribute signatures that might exist */
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_VALUE);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_PRIVATE_EXPONENT);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_PRIME_1);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_PRIME_2);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_EXPONENT_1);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_EXPONENT_2);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_COEFFICIENT);
+ } else {
+ keydb = SFTK_GET_SDB(handle->peerDB);
+ }
+ /* now destroy any authenticated attributes that may exist */
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_MODULUS);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_PUBLIC_EXPONENT);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_CERT_SHA1_HASH);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_CERT_MD5_HASH);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_SERVER_AUTH);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_CLIENT_AUTH);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_EMAIL_PROTECTION);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_CODE_SIGNING);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_TRUST_STEP_UP_APPROVED);
+ (void)sftkdb_DestroyAttributeSignature(handle, keydb, objectID,
+ CKA_NSS_OVERRIDE_EXTENSIONS);
+ }
+ crv = (*db->sdb_Commit)(db);
+loser:
+ if (crv != CKR_OK) {
+ (*db->sdb_Abort)(db);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_CloseDB(SFTKDBHandle *handle)
+{
+#ifdef NO_FORK_CHECK
+ PRBool parentForkedAfterC_Initialize = PR_FALSE;
+#endif
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ if (handle->update) {
+ if (handle->db->sdb_SetForkState) {
+ (*handle->db->sdb_SetForkState)(parentForkedAfterC_Initialize);
+ }
+ (*handle->update->sdb_Close)(handle->update);
+ }
+ if (handle->db) {
+ if (handle->db->sdb_SetForkState) {
+ (*handle->db->sdb_SetForkState)(parentForkedAfterC_Initialize);
+ }
+ (*handle->db->sdb_Close)(handle->db);
+ }
+ if (handle->passwordLock) {
+ PZ_Lock(handle->passwordLock);
+ }
+ if (handle->passwordKey.data) {
+ SECITEM_ZfreeItem(&handle->passwordKey, PR_FALSE);
+ }
+ if (handle->passwordLock) {
+ PZ_Unlock(handle->passwordLock);
+ SKIP_AFTER_FORK(PZ_DestroyLock(handle->passwordLock));
+ }
+ if (handle->updatePasswordKey) {
+ SECITEM_ZfreeItem(handle->updatePasswordKey, PR_TRUE);
+ }
+ if (handle->updateID) {
+ PORT_Free(handle->updateID);
+ }
+ PORT_Free(handle);
+ return CKR_OK;
+}
+
+/*
+ * reset a database to it's uninitialized state.
+ */
+static CK_RV
+sftkdb_ResetDB(SFTKDBHandle *handle)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+ if (handle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ db = SFTK_GET_SDB(handle);
+ crv = (*db->sdb_Begin)(db);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = (*db->sdb_Reset)(db);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = (*db->sdb_Commit)(db);
+loser:
+ if (crv != CKR_OK) {
+ (*db->sdb_Abort)(db);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_Begin(SFTKDBHandle *handle)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ db = SFTK_GET_SDB(handle);
+ if (db) {
+ crv = (*db->sdb_Begin)(db);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_Commit(SFTKDBHandle *handle)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ db = SFTK_GET_SDB(handle);
+ if (db) {
+ (*db->sdb_Commit)(db);
+ }
+ return crv;
+}
+
+CK_RV
+sftkdb_Abort(SFTKDBHandle *handle)
+{
+ CK_RV crv = CKR_OK;
+ SDB *db;
+
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ db = SFTK_GET_SDB(handle);
+ if (db) {
+ crv = (db->sdb_Abort)(db);
+ }
+ return crv;
+}
+
+/*
+ * functions to update the database from an old database
+ */
+
+/*
+ * known attributes
+ */
+static const CK_ATTRIBUTE_TYPE known_attributes[] = {
+ CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL, CKA_APPLICATION,
+ CKA_VALUE, CKA_OBJECT_ID, CKA_CERTIFICATE_TYPE, CKA_ISSUER,
+ CKA_SERIAL_NUMBER, CKA_AC_ISSUER, CKA_OWNER, CKA_ATTR_TYPES, CKA_TRUSTED,
+ CKA_CERTIFICATE_CATEGORY, CKA_JAVA_MIDP_SECURITY_DOMAIN, CKA_URL,
+ CKA_HASH_OF_SUBJECT_PUBLIC_KEY, CKA_HASH_OF_ISSUER_PUBLIC_KEY,
+ CKA_CHECK_VALUE, CKA_KEY_TYPE, CKA_SUBJECT, CKA_ID, CKA_SENSITIVE,
+ CKA_ENCRYPT, CKA_DECRYPT, CKA_WRAP, CKA_UNWRAP, CKA_SIGN, CKA_SIGN_RECOVER,
+ CKA_VERIFY, CKA_VERIFY_RECOVER, CKA_DERIVE, CKA_START_DATE, CKA_END_DATE,
+ CKA_MODULUS, CKA_MODULUS_BITS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT,
+ CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT,
+ CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_PRIME_BITS,
+ CKA_SUB_PRIME_BITS, CKA_VALUE_BITS, CKA_VALUE_LEN, CKA_EXTRACTABLE,
+ CKA_LOCAL, CKA_NEVER_EXTRACTABLE, CKA_ALWAYS_SENSITIVE,
+ CKA_KEY_GEN_MECHANISM, CKA_MODIFIABLE, CKA_EC_PARAMS,
+ CKA_EC_POINT, CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ CKA_ALWAYS_AUTHENTICATE, CKA_WRAP_WITH_TRUSTED, CKA_WRAP_TEMPLATE,
+ CKA_UNWRAP_TEMPLATE, CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT,
+ CKA_HAS_RESET, CKA_PIXEL_X, CKA_PIXEL_Y, CKA_RESOLUTION, CKA_CHAR_ROWS,
+ CKA_CHAR_COLUMNS, CKA_COLOR, CKA_BITS_PER_PIXEL, CKA_CHAR_SETS,
+ CKA_ENCODING_METHODS, CKA_MIME_TYPES, CKA_MECHANISM_TYPE,
+ CKA_REQUIRED_CMS_ATTRIBUTES, CKA_DEFAULT_CMS_ATTRIBUTES,
+ CKA_SUPPORTED_CMS_ATTRIBUTES, CKA_NSS_URL, CKA_NSS_EMAIL,
+ CKA_NSS_SMIME_INFO, CKA_NSS_SMIME_TIMESTAMP,
+ CKA_NSS_PKCS8_SALT, CKA_NSS_PASSWORD_CHECK, CKA_NSS_EXPIRES,
+ CKA_NSS_KRL, CKA_NSS_PQG_COUNTER, CKA_NSS_PQG_SEED,
+ CKA_NSS_PQG_H, CKA_NSS_PQG_SEED_BITS, CKA_NSS_MODULE_SPEC,
+ CKA_TRUST_DIGITAL_SIGNATURE, CKA_TRUST_NON_REPUDIATION,
+ CKA_TRUST_KEY_ENCIPHERMENT, CKA_TRUST_DATA_ENCIPHERMENT,
+ CKA_TRUST_KEY_AGREEMENT, CKA_TRUST_KEY_CERT_SIGN, CKA_TRUST_CRL_SIGN,
+ CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH, CKA_TRUST_CODE_SIGNING,
+ CKA_TRUST_EMAIL_PROTECTION, CKA_TRUST_IPSEC_END_SYSTEM,
+ CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER, CKA_TRUST_TIME_STAMPING,
+ CKA_TRUST_STEP_UP_APPROVED, CKA_CERT_SHA1_HASH, CKA_CERT_MD5_HASH,
+ CKA_NSS_DB, CKA_NSS_TRUST, CKA_NSS_OVERRIDE_EXTENSIONS,
+ CKA_PUBLIC_KEY_INFO
+};
+
+static unsigned int known_attributes_size = sizeof(known_attributes) /
+ sizeof(known_attributes[0]);
+
+static CK_RV
+sftkdb_GetObjectTemplate(SDB *source, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG *max)
+{
+ unsigned int i, j;
+ CK_RV crv;
+
+ if (*max < known_attributes_size) {
+ *max = known_attributes_size;
+ return CKR_BUFFER_TOO_SMALL;
+ }
+ for (i = 0; i < known_attributes_size; i++) {
+ ptemplate[i].type = known_attributes[i];
+ ptemplate[i].pValue = NULL;
+ ptemplate[i].ulValueLen = 0;
+ }
+
+ crv = (*source->sdb_GetAttributeValue)(source, id,
+ ptemplate, known_attributes_size);
+
+ if ((crv != CKR_OK) && (crv != CKR_ATTRIBUTE_TYPE_INVALID)) {
+ return crv;
+ }
+
+ for (i = 0, j = 0; i < known_attributes_size; i++, j++) {
+ while (i < known_attributes_size && (ptemplate[i].ulValueLen == -1)) {
+ i++;
+ }
+ if (i >= known_attributes_size) {
+ break;
+ }
+ /* cheap optimization */
+ if (i == j) {
+ continue;
+ }
+ ptemplate[j] = ptemplate[i];
+ }
+ *max = j;
+ return CKR_OK;
+}
+
+static const char SFTKDB_META_UPDATE_TEMPLATE[] = "upd_%s_%s";
+
+/*
+ * check to see if we have already updated this database.
+ * a NULL updateID means we are trying to do an in place
+ * single database update. In that case we have already
+ * determined that an update was necessary.
+ */
+static PRBool
+sftkdb_hasUpdate(const char *typeString, SDB *db, const char *updateID)
+{
+ char *id;
+ CK_RV crv;
+ SECItem dummy = { 0, NULL, 0 };
+ unsigned char dummyData[SDB_MAX_META_DATA_LEN];
+
+ if (!updateID) {
+ return PR_FALSE;
+ }
+ id = PR_smprintf(SFTKDB_META_UPDATE_TEMPLATE, typeString, updateID);
+ if (id == NULL) {
+ return PR_FALSE;
+ }
+ dummy.data = dummyData;
+ dummy.len = sizeof(dummyData);
+
+ crv = (*db->sdb_GetMetaData)(db, id, &dummy, NULL);
+ PR_smprintf_free(id);
+ return crv == CKR_OK ? PR_TRUE : PR_FALSE;
+}
+
+/*
+ * we just completed an update, store the update id
+ * so we don't need to do it again. If non was given,
+ * there is nothing to do.
+ */
+static CK_RV
+sftkdb_putUpdate(const char *typeString, SDB *db, const char *updateID)
+{
+ char *id;
+ CK_RV crv;
+ SECItem dummy = { 0, NULL, 0 };
+
+ /* if no id was given, nothing to do */
+ if (updateID == NULL) {
+ return CKR_OK;
+ }
+
+ dummy.data = (unsigned char *)updateID;
+ dummy.len = PORT_Strlen(updateID);
+
+ id = PR_smprintf(SFTKDB_META_UPDATE_TEMPLATE, typeString, updateID);
+ if (id == NULL) {
+ return PR_FALSE;
+ }
+
+ crv = (*db->sdb_PutMetaData)(db, id, &dummy, NULL);
+ PR_smprintf_free(id);
+ return crv;
+}
+
+/*
+ * get a ULong attribute from a template:
+ * NOTE: this is a raw templated stored in database order!
+ */
+static CK_ULONG
+sftkdb_getULongFromTemplate(CK_ATTRIBUTE_TYPE type,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG len)
+{
+ CK_ATTRIBUTE *attr = sftkdb_getAttributeFromTemplate(type,
+ ptemplate, len);
+
+ if (attr && attr->pValue && attr->ulValueLen == SDB_ULONG_SIZE) {
+ return sftk_SDBULong2ULong(attr->pValue);
+ }
+ return (CK_ULONG)-1;
+}
+
+/*
+ * we need to find a unique CKA_ID.
+ * The basic idea is to just increment the lowest byte.
+ * This code also handles the following corner cases:
+ * 1) the single byte overflows. On overflow we increment the next byte up
+ * and so forth until we have overflowed the entire CKA_ID.
+ * 2) If we overflow the entire CKA_ID we expand it by one byte.
+ * 3) the CKA_ID is non-existant, we create a new one with one byte.
+ * This means no matter what CKA_ID is passed, the result of this function
+ * is always a new CKA_ID, and this function will never return the same
+ * CKA_ID the it has returned in the passed.
+ */
+static CK_RV
+sftkdb_incrementCKAID(PLArenaPool *arena, CK_ATTRIBUTE *ptemplate)
+{
+ unsigned char *buf = ptemplate->pValue;
+ CK_ULONG len = ptemplate->ulValueLen;
+
+ if (buf == NULL || len == (CK_ULONG)-1) {
+ /* we have no valid CKAID, we'll create a basic one byte CKA_ID below */
+ len = 0;
+ } else {
+ CK_ULONG i;
+
+ /* walk from the back to front, incrementing
+ * the CKA_ID until we no longer have a carry,
+ * or have hit the front of the id. */
+ for (i = len; i != 0; i--) {
+ buf[i - 1]++;
+ if (buf[i - 1] != 0) {
+ /* no more carries, the increment is complete */
+ return CKR_OK;
+ }
+ }
+ /* we've now overflowed, fall through and expand the CKA_ID by
+ * one byte */
+ }
+ buf = PORT_ArenaAlloc(arena, len + 1);
+ if (!buf) {
+ return CKR_HOST_MEMORY;
+ }
+ if (len > 0) {
+ PORT_Memcpy(buf, ptemplate->pValue, len);
+ }
+ buf[len] = 0;
+ ptemplate->pValue = buf;
+ ptemplate->ulValueLen = len + 1;
+ return CKR_OK;
+}
+
+/*
+ * drop an attribute from a template.
+ */
+void
+sftkdb_dropAttribute(CK_ATTRIBUTE *attr, CK_ATTRIBUTE *ptemplate,
+ CK_ULONG *plen)
+{
+ CK_ULONG count = *plen;
+ CK_ULONG i;
+
+ for (i = 0; i < count; i++) {
+ if (attr->type == ptemplate[i].type) {
+ break;
+ }
+ }
+
+ if (i == count) {
+ /* attribute not found */
+ return;
+ }
+
+ /* copy the remaining attributes up */
+ for (i++; i < count; i++) {
+ ptemplate[i - 1] = ptemplate[i];
+ }
+
+ /* decrement the template size */
+ *plen = count - 1;
+}
+
+/*
+ * create some defines for the following functions to document the meaning
+ * of true/false. (make's it easier to remember what means what.
+ */
+typedef enum {
+ SFTKDB_DO_NOTHING = 0,
+ SFTKDB_ADD_OBJECT,
+ SFTKDB_MODIFY_OBJECT,
+ SFTKDB_DROP_ATTRIBUTE
+} sftkdbUpdateStatus;
+
+/*
+ * helper function to reconcile a single trust entry.
+ * Identify which trust entry we want to keep.
+ * If we don't need to do anything (the records are already equal).
+ * return SFTKDB_DO_NOTHING.
+ * If we want to use the source version,
+ * return SFTKDB_MODIFY_OBJECT
+ * If we want to use the target version,
+ * return SFTKDB_DROP_ATTRIBUTE
+ *
+ * In the end the caller will remove any attributes in the source
+ * template when SFTKDB_DROP_ATTRIBUTE is specified, then use do a
+ * set attributes with that template on the target if we received
+ * any SFTKDB_MODIFY_OBJECT returns.
+ */
+sftkdbUpdateStatus
+sftkdb_reconcileTrustEntry(PLArenaPool *arena, CK_ATTRIBUTE *target,
+ CK_ATTRIBUTE *source)
+{
+ CK_ULONG targetTrust = sftkdb_getULongFromTemplate(target->type,
+ target, 1);
+ CK_ULONG sourceTrust = sftkdb_getULongFromTemplate(target->type,
+ source, 1);
+
+ /*
+ * try to pick the best solution between the source and the
+ * target. Update the source template if we want the target value
+ * to win out. Prefer cases where we don't actually update the
+ * trust entry.
+ */
+
+ /* they are the same, everything is already kosher */
+ if (targetTrust == sourceTrust) {
+ return SFTKDB_DO_NOTHING;
+ }
+
+ /* handle the case where the source Trust attribute may be a bit
+ * flakey */
+ if (sourceTrust == (CK_ULONG)-1) {
+ /*
+ * The source Trust is invalid. We know that the target Trust
+ * must be valid here, otherwise the above
+ * targetTrust == sourceTrust check would have succeeded.
+ */
+ return SFTKDB_DROP_ATTRIBUTE;
+ }
+
+ /* target is invalid, use the source's idea of the trust value */
+ if (targetTrust == (CK_ULONG)-1) {
+ /* overwriting the target in this case is OK */
+ return SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* at this point we know that both attributes exist and have the
+ * appropriate length (SDB_ULONG_SIZE). We no longer need to check
+ * ulValueLen for either attribute.
+ */
+ if (sourceTrust == CKT_NSS_TRUST_UNKNOWN) {
+ return SFTKDB_DROP_ATTRIBUTE;
+ }
+
+ /* target has no idea, use the source's idea of the trust value */
+ if (targetTrust == CKT_NSS_TRUST_UNKNOWN) {
+ /* overwriting the target in this case is OK */
+ return SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* so both the target and the source have some idea of what this
+ * trust attribute should be, and neither agree exactly.
+ * At this point, we prefer 'hard' attributes over 'soft' ones.
+ * 'hard' ones are CKT_NSS_TRUSTED, CKT_NSS_TRUSTED_DELEGATOR, and
+ * CKT_NSS_NOT_TRUTED. Soft ones are ones which don't change the
+ * actual trust of the cert (CKT_MUST_VERIFY_TRUST,
+ * CKT_NSS_VALID_DELEGATOR).
+ */
+ if ((sourceTrust == CKT_NSS_MUST_VERIFY_TRUST) || (sourceTrust == CKT_NSS_VALID_DELEGATOR)) {
+ return SFTKDB_DROP_ATTRIBUTE;
+ }
+ if ((targetTrust == CKT_NSS_MUST_VERIFY_TRUST) || (targetTrust == CKT_NSS_VALID_DELEGATOR)) {
+ /* again, overwriting the target in this case is OK */
+ return SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* both have hard attributes, we have a conflict, let the target win. */
+ return SFTKDB_DROP_ATTRIBUTE;
+}
+
+const CK_ATTRIBUTE_TYPE sftkdb_trustList[] = { CKA_TRUST_SERVER_AUTH, CKA_TRUST_CLIENT_AUTH,
+ CKA_TRUST_CODE_SIGNING, CKA_TRUST_EMAIL_PROTECTION,
+ CKA_TRUST_IPSEC_TUNNEL, CKA_TRUST_IPSEC_USER,
+ CKA_TRUST_TIME_STAMPING };
+
+#define SFTK_TRUST_TEMPLATE_COUNT \
+ (sizeof(sftkdb_trustList) / sizeof(sftkdb_trustList[0]))
+/*
+ * Run through the list of known trust types, and reconcile each trust
+ * entry one by one. Keep track of we really need to write out the source
+ * trust object (overwriting the existing one).
+ */
+static sftkdbUpdateStatus
+sftkdb_reconcileTrust(PLArenaPool *arena, SDB *db, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG *plen)
+{
+ CK_ATTRIBUTE trustTemplate[SFTK_TRUST_TEMPLATE_COUNT];
+ unsigned char trustData[SFTK_TRUST_TEMPLATE_COUNT * SDB_ULONG_SIZE];
+ sftkdbUpdateStatus update = SFTKDB_DO_NOTHING;
+ CK_ULONG i;
+ CK_RV crv;
+
+ for (i = 0; i < SFTK_TRUST_TEMPLATE_COUNT; i++) {
+ trustTemplate[i].type = sftkdb_trustList[i];
+ trustTemplate[i].pValue = &trustData[i * SDB_ULONG_SIZE];
+ trustTemplate[i].ulValueLen = SDB_ULONG_SIZE;
+ }
+ crv = (*db->sdb_GetAttributeValue)(db, id,
+ trustTemplate, SFTK_TRUST_TEMPLATE_COUNT);
+ if ((crv != CKR_OK) && (crv != CKR_ATTRIBUTE_TYPE_INVALID)) {
+ /* target trust has some problems, update it */
+ update = SFTKDB_MODIFY_OBJECT;
+ goto done;
+ }
+
+ for (i = 0; i < SFTK_TRUST_TEMPLATE_COUNT; i++) {
+ CK_ATTRIBUTE *attr = sftkdb_getAttributeFromTemplate(
+ trustTemplate[i].type, ptemplate, *plen);
+ sftkdbUpdateStatus status;
+
+ /* if target trust value doesn't exist, nothing to merge */
+ if (trustTemplate[i].ulValueLen == (CK_ULONG)-1) {
+ /* if the source exists, then we want the source entry,
+ * go ahead and update */
+ if (attr && attr->ulValueLen != (CK_ULONG)-1) {
+ update = SFTKDB_MODIFY_OBJECT;
+ }
+ continue;
+ }
+
+ /*
+ * the source doesn't have the attribute, go to the next attribute
+ */
+ if (attr == NULL) {
+ continue;
+ }
+ status = sftkdb_reconcileTrustEntry(arena, &trustTemplate[i], attr);
+ if (status == SFTKDB_MODIFY_OBJECT) {
+ update = SFTKDB_MODIFY_OBJECT;
+ } else if (status == SFTKDB_DROP_ATTRIBUTE) {
+ /* drop the source copy of the attribute, we are going with
+ * the target's version */
+ sftkdb_dropAttribute(attr, ptemplate, plen);
+ }
+ }
+
+ /* finally manage stepup */
+ if (update == SFTKDB_MODIFY_OBJECT) {
+ CK_BBOOL stepUpBool = CK_FALSE;
+ /* if we are going to write from the source, make sure we don't
+ * overwrite the stepup bit if it's on*/
+ trustTemplate[0].type = CKA_TRUST_STEP_UP_APPROVED;
+ trustTemplate[0].pValue = &stepUpBool;
+ trustTemplate[0].ulValueLen = sizeof(stepUpBool);
+ crv = (*db->sdb_GetAttributeValue)(db, id, trustTemplate, 1);
+ if ((crv == CKR_OK) && (stepUpBool == CK_TRUE)) {
+ sftkdb_dropAttribute(trustTemplate, ptemplate, plen);
+ }
+ } else {
+ /* we currently aren't going to update. If the source stepup bit is
+ * on however, do an update so the target gets it as well */
+ CK_ATTRIBUTE *attr;
+
+ attr = sftkdb_getAttributeFromTemplate(CKA_TRUST_STEP_UP_APPROVED,
+ ptemplate, *plen);
+ if (attr && (attr->ulValueLen == sizeof(CK_BBOOL)) &&
+ (*(CK_BBOOL *)(attr->pValue) == CK_TRUE)) {
+ update = SFTKDB_MODIFY_OBJECT;
+ }
+ }
+
+done:
+ return update;
+}
+
+static sftkdbUpdateStatus
+sftkdb_handleIDAndName(PLArenaPool *arena, SDB *db, CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG *plen)
+{
+ sftkdbUpdateStatus update = SFTKDB_DO_NOTHING;
+ CK_ATTRIBUTE *attr1, *attr2;
+ CK_ATTRIBUTE ttemplate[2] = {
+ { CKA_ID, NULL, 0 },
+ { CKA_LABEL, NULL, 0 }
+ };
+
+ attr1 = sftkdb_getAttributeFromTemplate(CKA_LABEL, ptemplate, *plen);
+ attr2 = sftkdb_getAttributeFromTemplate(CKA_ID, ptemplate, *plen);
+
+ /* if the source has neither an id nor label, don't bother updating */
+ if ((!attr1 || attr1->ulValueLen == 0) &&
+ (!attr2 || attr2->ulValueLen == 0)) {
+ return SFTKDB_DO_NOTHING;
+ }
+
+ /* the source has either an id or a label, see what the target has */
+ (void)(*db->sdb_GetAttributeValue)(db, id, ttemplate, 2);
+
+ /* if the target has neither, update from the source */
+ if (((ttemplate[0].ulValueLen == 0) ||
+ (ttemplate[0].ulValueLen == (CK_ULONG)-1)) &&
+ ((ttemplate[1].ulValueLen == 0) ||
+ (ttemplate[1].ulValueLen == (CK_ULONG)-1))) {
+ return SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* check the CKA_ID */
+ if ((ttemplate[0].ulValueLen != 0) &&
+ (ttemplate[0].ulValueLen != (CK_ULONG)-1)) {
+ /* we have a CKA_ID in the target, don't overwrite
+ * the target with an empty CKA_ID from the source*/
+ if (attr1 && attr1->ulValueLen == 0) {
+ sftkdb_dropAttribute(attr1, ptemplate, plen);
+ }
+ } else if (attr1 && attr1->ulValueLen != 0) {
+ /* source has a CKA_ID, but the target doesn't, update the target */
+ update = SFTKDB_MODIFY_OBJECT;
+ }
+
+ /* check the nickname */
+ if ((ttemplate[1].ulValueLen != 0) &&
+ (ttemplate[1].ulValueLen != (CK_ULONG)-1)) {
+
+ /* we have a nickname in the target, and we don't have to update
+ * the CKA_ID. We are done. NOTE: if we add addition attributes
+ * in this check, this shortcut can only go on the last of them. */
+ if (update == SFTKDB_DO_NOTHING) {
+ return update;
+ }
+ /* we have a nickname in the target, don't overwrite
+ * the target with an empty nickname from the source */
+ if (attr2 && attr2->ulValueLen == 0) {
+ sftkdb_dropAttribute(attr2, ptemplate, plen);
+ }
+ } else if (attr2 && attr2->ulValueLen != 0) {
+ /* source has a nickname, but the target doesn't, update the target */
+ update = SFTKDB_MODIFY_OBJECT;
+ }
+
+ return update;
+}
+
+/*
+ * This function updates the template before we write the object out.
+ *
+ * If we are going to skip updating this object, return PR_FALSE.
+ * If it should be updated we return PR_TRUE.
+ * To help readability, these have been defined
+ * as SFTK_DONT_UPDATE and SFTK_UPDATE respectively.
+ */
+static PRBool
+sftkdb_updateObjectTemplate(PLArenaPool *arena, SDB *db,
+ CK_OBJECT_CLASS objectType,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG *plen,
+ CK_OBJECT_HANDLE *targetID)
+{
+ PRBool done; /* should we repeat the loop? */
+ CK_OBJECT_HANDLE id;
+ CK_RV crv = CKR_OK;
+
+ do {
+ crv = sftkdb_checkConflicts(db, objectType, ptemplate,
+ *plen, CK_INVALID_HANDLE);
+ if (crv != CKR_ATTRIBUTE_VALUE_INVALID) {
+ break;
+ }
+ crv = sftkdb_resolveConflicts(arena, objectType, ptemplate, plen);
+ } while (crv == CKR_OK);
+
+ if (crv != CKR_OK) {
+ return SFTKDB_DO_NOTHING;
+ }
+
+ do {
+ done = PR_TRUE;
+ crv = sftkdb_lookupObject(db, objectType, &id, ptemplate, *plen);
+ if (crv != CKR_OK) {
+ return SFTKDB_DO_NOTHING;
+ }
+
+ /* This object already exists, merge it, don't update */
+ if (id != CK_INVALID_HANDLE) {
+ CK_ATTRIBUTE *attr = NULL;
+ /* special post processing for attributes */
+ switch (objectType) {
+ case CKO_CERTIFICATE:
+ case CKO_PUBLIC_KEY:
+ case CKO_PRIVATE_KEY:
+ /* update target's CKA_ID and labels if they don't already
+ * exist */
+ *targetID = id;
+ return sftkdb_handleIDAndName(arena, db, id, ptemplate, plen);
+ case CKO_NSS_TRUST:
+ /* if we have conflicting trust object types,
+ * we need to reconcile them */
+ *targetID = id;
+ return sftkdb_reconcileTrust(arena, db, id, ptemplate, plen);
+ case CKO_SECRET_KEY:
+ /* secret keys in the old database are all sdr keys,
+ * unfortunately they all appear to have the same CKA_ID,
+ * even though they are truly different keys, so we always
+ * want to update these keys, but we need to
+ * give them a new CKA_ID */
+ /* NOTE: this changes ptemplate */
+ attr = sftkdb_getAttributeFromTemplate(CKA_ID, ptemplate, *plen);
+ crv = attr ? sftkdb_incrementCKAID(arena, attr)
+ : CKR_HOST_MEMORY;
+ /* in the extremely rare event that we needed memory and
+ * couldn't get it, just drop the key */
+ if (crv != CKR_OK) {
+ return SFTKDB_DO_NOTHING;
+ }
+ done = PR_FALSE; /* repeat this find loop */
+ break;
+ default:
+ /* for all other objects, if we found the equivalent object,
+ * don't update it */
+ return SFTKDB_DO_NOTHING;
+ }
+ }
+ } while (!done);
+
+ /* this object doesn't exist, update it */
+ return SFTKDB_ADD_OBJECT;
+}
+
+static CK_RV
+sftkdb_updateIntegrity(PLArenaPool *arena, SFTKDBHandle *handle,
+ SDB *source, CK_OBJECT_HANDLE sourceID,
+ SDB *target, CK_OBJECT_HANDLE targetID,
+ CK_ATTRIBUTE *ptemplate, CK_ULONG max_attributes)
+{
+ unsigned int i;
+ CK_RV global_crv = CKR_OK;
+
+ /* if the target doesn't have META data, don't need to do anything */
+ if ((target->sdb_flags & SDB_HAS_META) == 0) {
+ return CKR_OK;
+ }
+ /* if the source doesn't have meta data, then the record won't require
+ * integrity */
+ if ((source->sdb_flags & SDB_HAS_META) == 0) {
+ return CKR_OK;
+ }
+ for (i = 0; i < max_attributes; i++) {
+ CK_ATTRIBUTE *att = &ptemplate[i];
+ CK_ATTRIBUTE_TYPE type = att->type;
+ if (sftkdb_isPrivateAttribute(type)) {
+ /* copy integrity signatures associated with this record (if any) */
+ SECItem signature;
+ unsigned char signData[SDB_MAX_META_DATA_LEN];
+ CK_RV crv;
+
+ signature.data = signData;
+ signature.len = sizeof(signData);
+ crv = sftkdb_getRawAttributeSignature(handle, source, sourceID, type,
+ &signature);
+ if (crv != CKR_OK) {
+ /* old databases don't have signature IDs because they are
+ * 3DES encrypted. Since we know not to look for integrity
+ * for 3DES records it's OK not to find one here. A new record
+ * will be created when we reencrypt using AES CBC */
+ continue;
+ }
+ crv = sftkdb_PutAttributeSignature(handle, target, targetID, type,
+ &signature);
+ if (crv != CKR_OK) {
+ /* we had a signature in the source db, but we couldn't store
+ * it in the target, remember the error so we can report it. */
+ global_crv = crv;
+ }
+ }
+ }
+ return global_crv;
+}
+
+#define MAX_ATTRIBUTES 500
+static CK_RV
+sftkdb_mergeObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE id,
+ SECItem *key)
+{
+ CK_ATTRIBUTE template[MAX_ATTRIBUTES];
+ CK_ATTRIBUTE *ptemplate;
+ CK_ULONG max_attributes = MAX_ATTRIBUTES;
+ CK_OBJECT_CLASS objectType;
+ SDB *source = handle->update;
+ SDB *target = handle->db;
+ unsigned int i;
+ CK_OBJECT_HANDLE newID = CK_INVALID_HANDLE;
+ CK_RV crv;
+ PLArenaPool *arena = NULL;
+
+ arena = PORT_NewArena(256);
+ if (arena == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ ptemplate = &template[0];
+ id &= SFTK_OBJ_ID_MASK;
+ crv = sftkdb_GetObjectTemplate(source, id, ptemplate, &max_attributes);
+ if (crv == CKR_BUFFER_TOO_SMALL) {
+ ptemplate = PORT_ArenaNewArray(arena, CK_ATTRIBUTE, max_attributes);
+ if (ptemplate == NULL) {
+ crv = CKR_HOST_MEMORY;
+ } else {
+ crv = sftkdb_GetObjectTemplate(source, id,
+ ptemplate, &max_attributes);
+ }
+ }
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ for (i = 0; i < max_attributes; i++) {
+ ptemplate[i].pValue = PORT_ArenaAlloc(arena, ptemplate[i].ulValueLen);
+ if (ptemplate[i].pValue == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ }
+ crv = (*source->sdb_GetAttributeValue)(source, id,
+ ptemplate, max_attributes);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate,
+ max_attributes);
+ /*
+ * Update Object updates the object template if necessary then returns
+ * whether or not we need to actually write the object out to our target
+ * database.
+ */
+ if (!handle->updateID) {
+ crv = sftkdb_CreateObject(arena, handle, target, &newID,
+ ptemplate, max_attributes);
+ } else {
+ sftkdbUpdateStatus update_status;
+ update_status = sftkdb_updateObjectTemplate(arena, target,
+ objectType, ptemplate, &max_attributes, &newID);
+ switch (update_status) {
+ case SFTKDB_ADD_OBJECT:
+ crv = sftkdb_CreateObject(arena, handle, target, &newID,
+ ptemplate, max_attributes);
+ break;
+ case SFTKDB_MODIFY_OBJECT:
+ crv = sftkdb_setAttributeValue(arena, handle, target,
+ newID, ptemplate, max_attributes);
+ break;
+ case SFTKDB_DO_NOTHING:
+ case SFTKDB_DROP_ATTRIBUTE:
+ break;
+ }
+ }
+
+ /* if keyDB copy any meta data hashes to target, Update for the new
+ * object ID */
+ if (crv == CKR_OK) {
+ crv = sftkdb_updateIntegrity(arena, handle, source, id, target, newID,
+ ptemplate, max_attributes);
+ }
+
+loser:
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
+ return crv;
+}
+
+#define MAX_IDS 10
+/*
+ * update a new database from an old one, now that we have the key
+ */
+CK_RV
+sftkdb_Update(SFTKDBHandle *handle, SECItem *key)
+{
+ SDBFind *find = NULL;
+ CK_ULONG idCount = MAX_IDS;
+ CK_OBJECT_HANDLE ids[MAX_IDS];
+ SECItem *updatePasswordKey = NULL;
+ CK_RV crv, crv2;
+ PRBool inTransaction = PR_FALSE;
+ unsigned int i;
+
+ if (handle == NULL) {
+ return CKR_OK;
+ }
+ if (handle->update == NULL) {
+ return CKR_OK;
+ }
+ /*
+ * put the whole update under a transaction. This allows us to handle
+ * any possible race conditions between with the updateID check.
+ */
+ crv = (*handle->db->sdb_Begin)(handle->db);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ inTransaction = PR_TRUE;
+
+ /* some one else has already updated this db */
+ if (sftkdb_hasUpdate(sftkdb_TypeString(handle),
+ handle->db, handle->updateID)) {
+ crv = CKR_OK;
+ goto done;
+ }
+
+ updatePasswordKey = sftkdb_GetUpdatePasswordKey(handle);
+ if (updatePasswordKey) {
+ /* pass the source DB key to the legacy code,
+ * so it can decrypt things */
+ handle->oldKey = updatePasswordKey;
+ }
+
+ /* find all the objects */
+ crv = sftkdb_FindObjectsInit(handle, NULL, 0, &find);
+
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ while ((crv == CKR_OK) && (idCount == MAX_IDS)) {
+ crv = sftkdb_FindObjects(handle, find, ids, MAX_IDS, &idCount);
+ for (i = 0; (crv == CKR_OK) && (i < idCount); i++) {
+ crv = sftkdb_mergeObject(handle, ids[i], key);
+ }
+ }
+ crv2 = sftkdb_FindObjectsFinal(handle, find);
+ if (crv == CKR_OK)
+ crv = crv2;
+
+loser:
+ /* no longer need the old key value */
+ handle->oldKey = NULL;
+
+ /* update the password - even if we didn't update objects */
+ if (handle->type == SFTK_KEYDB_TYPE) {
+ SECItem item1, item2;
+ unsigned char data1[SDB_MAX_META_DATA_LEN];
+ unsigned char data2[SDB_MAX_META_DATA_LEN];
+
+ item1.data = data1;
+ item1.len = sizeof(data1);
+ item2.data = data2;
+ item2.len = sizeof(data2);
+
+ /* if the target db already has a password, skip this. */
+ crv = (*handle->db->sdb_GetMetaData)(handle->db, "password",
+ &item1, &item2);
+ if (crv == CKR_OK) {
+ goto done;
+ }
+
+ /* nope, update it from the source */
+ crv = (*handle->update->sdb_GetMetaData)(handle->update, "password",
+ &item1, &item2);
+ if (crv != CKR_OK) {
+ /* if we get here, neither the source, nor the target has been initialized
+ * with a password entry. Create a metadata table now so that we don't
+ * mistake this for a partially updated database */
+ item1.data[0] = 0;
+ item2.data[0] = 0;
+ item1.len = item2.len = 1;
+ crv = (*handle->db->sdb_PutMetaData)(handle->db, "empty", &item1, &item2);
+ goto done;
+ }
+ crv = (*handle->db->sdb_PutMetaData)(handle->db, "password", &item1,
+ &item2);
+ if (crv != CKR_OK) {
+ goto done;
+ }
+ }
+
+done:
+ /* finally mark this up to date db up to date */
+ /* some one else has already updated this db */
+ if (crv == CKR_OK) {
+ crv = sftkdb_putUpdate(sftkdb_TypeString(handle),
+ handle->db, handle->updateID);
+ }
+
+ if (inTransaction) {
+ if (crv == CKR_OK) {
+ crv = (*handle->db->sdb_Commit)(handle->db);
+ } else {
+ (*handle->db->sdb_Abort)(handle->db);
+ }
+ }
+ if (handle->update) {
+ (*handle->update->sdb_Close)(handle->update);
+ handle->update = NULL;
+ }
+ if (handle->updateID) {
+ PORT_Free(handle->updateID);
+ handle->updateID = NULL;
+ }
+ sftkdb_FreeUpdatePasswordKey(handle);
+ if (updatePasswordKey) {
+ SECITEM_ZfreeItem(updatePasswordKey, PR_TRUE);
+ }
+ handle->updateDBIsInit = PR_FALSE;
+ return crv;
+}
+
+/******************************************************************
+ * DB handle managing functions.
+ *
+ * These functions are called by softoken to initialize, acquire,
+ * and release database handles.
+ */
+
+const char *
+sftkdb_GetUpdateID(SFTKDBHandle *handle)
+{
+ return handle->updateID;
+}
+
+/* release a database handle */
+void
+sftk_freeDB(SFTKDBHandle *handle)
+{
+ PRInt32 ref;
+
+ if (!handle)
+ return;
+ ref = PR_ATOMIC_DECREMENT(&handle->ref);
+ if (ref == 0) {
+ sftkdb_CloseDB(handle);
+ }
+ return;
+}
+
+/*
+ * acquire a database handle for a certificate db
+ * (database for public objects)
+ */
+SFTKDBHandle *
+sftk_getCertDB(SFTKSlot *slot)
+{
+ SFTKDBHandle *dbHandle;
+
+ PZ_Lock(slot->slotLock);
+ dbHandle = slot->certDB;
+ if (dbHandle) {
+ (void)PR_ATOMIC_INCREMENT(&dbHandle->ref);
+ }
+ PZ_Unlock(slot->slotLock);
+ return dbHandle;
+}
+
+/*
+ * acquire a database handle for a key database
+ * (database for private objects)
+ */
+SFTKDBHandle *
+sftk_getKeyDB(SFTKSlot *slot)
+{
+ SFTKDBHandle *dbHandle;
+
+ SKIP_AFTER_FORK(PZ_Lock(slot->slotLock));
+ dbHandle = slot->keyDB;
+ if (dbHandle) {
+ (void)PR_ATOMIC_INCREMENT(&dbHandle->ref);
+ }
+ SKIP_AFTER_FORK(PZ_Unlock(slot->slotLock));
+ return dbHandle;
+}
+
+/*
+ * acquire the database for a specific object. NOTE: objectID must point
+ * to a Token object!
+ */
+SFTKDBHandle *
+sftk_getDBForTokenObject(SFTKSlot *slot, CK_OBJECT_HANDLE objectID)
+{
+ SFTKDBHandle *dbHandle;
+
+ PZ_Lock(slot->slotLock);
+ dbHandle = objectID & SFTK_KEYDB_TYPE ? slot->keyDB : slot->certDB;
+ if (dbHandle) {
+ (void)PR_ATOMIC_INCREMENT(&dbHandle->ref);
+ }
+ PZ_Unlock(slot->slotLock);
+ return dbHandle;
+}
+
+/*
+ * initialize a new database handle
+ */
+static SFTKDBHandle *
+sftk_NewDBHandle(SDB *sdb, int type, PRBool legacy)
+{
+ SFTKDBHandle *handle = PORT_New(SFTKDBHandle);
+ handle->ref = 1;
+ handle->db = sdb;
+ handle->update = NULL;
+ handle->peerDB = NULL;
+ handle->newKey = NULL;
+ handle->oldKey = NULL;
+ handle->updatePasswordKey = NULL;
+ handle->updateID = NULL;
+ handle->type = type;
+ handle->usesLegacyStorage = legacy;
+ handle->passwordKey.data = NULL;
+ handle->passwordKey.len = 0;
+ handle->passwordLock = NULL;
+ if (type == SFTK_KEYDB_TYPE) {
+ handle->passwordLock = PZ_NewLock(nssILockAttribute);
+ }
+ sdb->app_private = handle;
+ return handle;
+}
+
+/*
+ * reset the key database to it's uninitialized state. This call
+ * will clear all the key entried.
+ */
+SECStatus
+sftkdb_ResetKeyDB(SFTKDBHandle *handle)
+{
+ CK_RV crv;
+
+ /* only rest the key db */
+ if (handle->type != SFTK_KEYDB_TYPE) {
+ return SECFailure;
+ }
+ crv = sftkdb_ResetDB(handle);
+ if (crv != CKR_OK) {
+ /* set error */
+ return SECFailure;
+ }
+ PZ_Lock(handle->passwordLock);
+ if (handle->passwordKey.data) {
+ SECITEM_ZfreeItem(&handle->passwordKey, PR_FALSE);
+ handle->passwordKey.data = NULL;
+ }
+ PZ_Unlock(handle->passwordLock);
+ return SECSuccess;
+}
+
+#ifndef NSS_DISABLE_DBM
+static PRBool
+sftk_oldVersionExists(const char *dir, int version)
+{
+ int i;
+ PRStatus exists = PR_FAILURE;
+ char *file = NULL;
+
+ for (i = version; i > 1; i--) {
+ file = PR_smprintf("%s%d.db", dir, i);
+ if (file == NULL) {
+ continue;
+ }
+ exists = PR_Access(file, PR_ACCESS_EXISTS);
+ PR_smprintf_free(file);
+ if (exists == PR_SUCCESS) {
+ return PR_TRUE;
+ }
+ }
+ return PR_FALSE;
+}
+
+#if defined(_WIN32)
+/*
+ * Convert an sdb path (encoded in UTF-8) to a legacy path (encoded in the
+ * current system codepage). Fails if the path contains a character outside
+ * the current system codepage.
+ */
+static char *
+sftk_legacyPathFromSDBPath(const char *confdir)
+{
+ wchar_t *confdirWide;
+ DWORD size;
+ char *nconfdir;
+ BOOL unmappable;
+
+ if (!confdir) {
+ return NULL;
+ }
+ confdirWide = _NSSUTIL_UTF8ToWide(confdir);
+ if (!confdirWide) {
+ return NULL;
+ }
+
+ size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+ NULL, 0, NULL, &unmappable);
+ if (size == 0 || unmappable) {
+ PORT_Free(confdirWide);
+ return NULL;
+ }
+ nconfdir = PORT_Alloc(sizeof(char) * size);
+ if (!nconfdir) {
+ PORT_Free(confdirWide);
+ return NULL;
+ }
+ size = WideCharToMultiByte(CP_ACP, WC_NO_BEST_FIT_CHARS, confdirWide, -1,
+ nconfdir, size, NULL, &unmappable);
+ PORT_Free(confdirWide);
+ if (size == 0 || unmappable) {
+ PORT_Free(nconfdir);
+ return NULL;
+ }
+
+ return nconfdir;
+}
+#else
+#define sftk_legacyPathFromSDBPath(confdir) PORT_Strdup((confdir))
+#endif
+
+static PRBool
+sftk_hasLegacyDB(const char *confdir, const char *certPrefix,
+ const char *keyPrefix, int certVersion, int keyVersion)
+{
+ char *dir;
+ PRBool exists;
+
+ if (certPrefix == NULL) {
+ certPrefix = "";
+ }
+
+ if (keyPrefix == NULL) {
+ keyPrefix = "";
+ }
+
+ dir = PR_smprintf("%s/%scert", confdir, certPrefix);
+ if (dir == NULL) {
+ return PR_FALSE;
+ }
+
+ exists = sftk_oldVersionExists(dir, certVersion);
+ PR_smprintf_free(dir);
+ if (exists) {
+ return PR_TRUE;
+ }
+
+ dir = PR_smprintf("%s/%skey", confdir, keyPrefix);
+ if (dir == NULL) {
+ return PR_FALSE;
+ }
+
+ exists = sftk_oldVersionExists(dir, keyVersion);
+ PR_smprintf_free(dir);
+ return exists;
+}
+#endif /* NSS_DISABLE_DBM */
+
+/*
+ * initialize certificate and key database handles as a pair.
+ *
+ * This function figures out what type of database we are opening and
+ * calls the appropriate low level function to open the database.
+ * It also figures out whether or not to setup up automatic update.
+ */
+CK_RV
+sftk_DBInit(const char *configdir, const char *certPrefix,
+ const char *keyPrefix, const char *updatedir,
+ const char *updCertPrefix, const char *updKeyPrefix,
+ const char *updateID, PRBool readOnly, PRBool noCertDB,
+ PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS,
+ SFTKDBHandle **certDB, SFTKDBHandle **keyDB)
+{
+ const char *confdir;
+ NSSDBType dbType = NSS_DB_TYPE_NONE;
+ char *appName = NULL;
+ SDB *keySDB, *certSDB;
+ CK_RV crv = CKR_OK;
+ int flags = SDB_RDONLY;
+ PRBool newInit = PR_FALSE;
+#ifndef NSS_DISABLE_DBM
+ PRBool needUpdate = PR_FALSE;
+#endif /* NSS_DISABLE_DBM */
+ char *nconfdir = NULL;
+ PRBool legacy = PR_TRUE;
+
+ if (!readOnly) {
+ flags = SDB_CREATE;
+ }
+ if (isFIPS) {
+ flags |= SDB_FIPS;
+ }
+
+ *certDB = NULL;
+ *keyDB = NULL;
+
+ if (noKeyDB && noCertDB) {
+ return CKR_OK;
+ }
+ confdir = _NSSUTIL_EvaluateConfigDir(configdir, &dbType, &appName);
+
+ /*
+ * now initialize the appropriate database
+ */
+ switch (dbType) {
+#ifndef NSS_DISABLE_DBM
+ case NSS_DB_TYPE_LEGACY:
+ crv = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags,
+ noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
+ break;
+ case NSS_DB_TYPE_MULTIACCESS:
+ crv = sftkdbCall_open(configdir, certPrefix, keyPrefix, 8, 3, flags,
+ noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
+ break;
+#endif /* NSS_DISABLE_DBM */
+ case NSS_DB_TYPE_SQL:
+ case NSS_DB_TYPE_EXTERN: /* SHOULD open a loadable db */
+ crv = s_open(confdir, certPrefix, keyPrefix, 9, 4, flags,
+ noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB, &newInit);
+ legacy = PR_FALSE;
+
+#ifndef NSS_DISABLE_DBM
+ /*
+ * if we failed to open the DB's read only, use the old ones if
+ * the exists.
+ */
+ if (crv != CKR_OK) {
+ legacy = PR_TRUE;
+ if ((flags & SDB_RDONLY) == SDB_RDONLY) {
+ nconfdir = sftk_legacyPathFromSDBPath(confdir);
+ }
+ if (nconfdir &&
+ sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
+ /* we have legacy databases, if we failed to open the new format
+ * DB's read only, just use the legacy ones */
+ crv = sftkdbCall_open(nconfdir, certPrefix,
+ keyPrefix, 8, 3, flags,
+ noCertDB ? NULL : &certSDB, noKeyDB ? NULL : &keySDB);
+ }
+ /* Handle the database merge case.
+ *
+ * For the merge case, we need help from the application. Only
+ * the application knows where the old database is, and what unique
+ * identifier it has associated with it.
+ *
+ * If the client supplies these values, we use them to determine
+ * if we need to update.
+ */
+ } else if (
+ /* both update params have been supplied */
+ updatedir && *updatedir && updateID && *updateID
+ /* old dbs exist? */
+ && sftk_hasLegacyDB(updatedir, updCertPrefix, updKeyPrefix, 8, 3)
+ /* and they have not yet been updated? */
+ && ((noKeyDB || !sftkdb_hasUpdate("key", keySDB, updateID)) || (noCertDB || !sftkdb_hasUpdate("cert", certSDB, updateID)))) {
+ /* we need to update */
+ confdir = updatedir;
+ certPrefix = updCertPrefix;
+ keyPrefix = updKeyPrefix;
+ needUpdate = PR_TRUE;
+ } else if (newInit) {
+ /* if the new format DB was also a newly created DB, and we
+ * succeeded, then need to update that new database with data
+ * from the existing legacy DB */
+ nconfdir = sftk_legacyPathFromSDBPath(confdir);
+ if (nconfdir &&
+ sftk_hasLegacyDB(nconfdir, certPrefix, keyPrefix, 8, 3)) {
+ confdir = nconfdir;
+ needUpdate = PR_TRUE;
+ }
+ }
+#endif /* NSS_DISABLE_DBM */
+ break;
+ default:
+ crv = CKR_GENERAL_ERROR; /* can't happen, EvaluationConfigDir MUST
+ * return one of the types we already
+ * specified. */
+ }
+ if (crv != CKR_OK) {
+ goto done;
+ }
+ if (!noCertDB) {
+ *certDB = sftk_NewDBHandle(certSDB, SFTK_CERTDB_TYPE, legacy);
+ } else {
+ *certDB = NULL;
+ }
+ if (!noKeyDB) {
+ *keyDB = sftk_NewDBHandle(keySDB, SFTK_KEYDB_TYPE, legacy);
+ } else {
+ *keyDB = NULL;
+ }
+
+ /* link them together */
+ if (*certDB) {
+ (*certDB)->peerDB = *keyDB;
+ }
+ if (*keyDB) {
+ (*keyDB)->peerDB = *certDB;
+ }
+
+#ifndef NSS_DISABLE_DBM
+ /*
+ * if we need to update, open the legacy database and
+ * mark the handle as needing update.
+ */
+ if (needUpdate) {
+ SDB *updateCert = NULL;
+ SDB *updateKey = NULL;
+ CK_RV crv2;
+
+ crv2 = sftkdbCall_open(confdir, certPrefix, keyPrefix, 8, 3, flags,
+ noCertDB ? NULL : &updateCert,
+ noKeyDB ? NULL : &updateKey);
+ if (crv2 == CKR_OK) {
+ if (*certDB) {
+ (*certDB)->update = updateCert;
+ (*certDB)->updateID = updateID && *updateID
+ ? PORT_Strdup(updateID)
+ : NULL;
+ updateCert->app_private = (*certDB);
+ }
+ if (*keyDB) {
+ PRBool tokenRemoved = PR_FALSE;
+ (*keyDB)->update = updateKey;
+ (*keyDB)->updateID = updateID && *updateID ? PORT_Strdup(updateID) : NULL;
+ updateKey->app_private = (*keyDB);
+ (*keyDB)->updateDBIsInit = PR_TRUE;
+ (*keyDB)->updateDBIsInit =
+ (sftkdb_HasPasswordSet(*keyDB) == SECSuccess) ? PR_TRUE : PR_FALSE;
+ /* if the password on the key db is NULL, kick off our update
+ * chain of events */
+ sftkdb_CheckPasswordNull((*keyDB), &tokenRemoved);
+ } else {
+ /* we don't have a key DB, update the certificate DB now */
+ sftkdb_Update(*certDB, NULL);
+ }
+ }
+ }
+#endif /* NSS_DISABLE_DBM */
+
+done:
+ if (appName) {
+ PORT_Free(appName);
+ }
+ if (nconfdir) {
+ PORT_Free(nconfdir);
+ }
+ return forceOpen ? CKR_OK : crv;
+}
+
+CK_RV
+sftkdb_Shutdown(void)
+{
+ s_shutdown();
+#ifndef NSS_DISABLE_DBM
+ sftkdbCall_Shutdown();
+#endif /* NSS_DISABLE_DBM */
+ return CKR_OK;
+}
diff --git a/security/nss/lib/softoken/sftkdb.h b/security/nss/lib/softoken/sftkdb.h
new file mode 100644
index 0000000000..a8c289d4d7
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdb.h
@@ -0,0 +1,75 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include "sftkdbt.h"
+#include "sdb.h"
+#include "pkcs11i.h"
+#include "pkcs11t.h"
+
+/* raw database stuff */
+CK_RV sftkdb_write(SFTKDBHandle *handle, SFTKObject *, CK_OBJECT_HANDLE *);
+CK_RV sftkdb_FindObjectsInit(SFTKDBHandle *sdb, const CK_ATTRIBUTE *template,
+ CK_ULONG count, SDBFind **find);
+CK_RV sftkdb_FindObjects(SFTKDBHandle *sdb, SDBFind *find,
+ CK_OBJECT_HANDLE *ids, int arraySize, CK_ULONG *count);
+CK_RV sftkdb_FindObjectsFinal(SFTKDBHandle *sdb, SDBFind *find);
+CK_RV sftkdb_GetAttributeValue(SFTKDBHandle *handle,
+ CK_OBJECT_HANDLE object_id, CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV sftkdb_SetAttributeValue(SFTKDBHandle *handle, SFTKObject *object,
+ const CK_ATTRIBUTE *template, CK_ULONG count);
+CK_RV sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE object_id,
+ CK_OBJECT_CLASS objclass);
+CK_RV sftkdb_closeDB(SFTKDBHandle *handle);
+
+/* keydb functions */
+
+SECStatus sftkdb_PWIsInitialized(SFTKDBHandle *keydb);
+SECStatus sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw,
+ PRBool *tokenRemoved);
+SECStatus sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved);
+SECStatus sftkdb_PWCached(SFTKDBHandle *keydb);
+SECStatus sftkdb_HasPasswordSet(SFTKDBHandle *keydb);
+SECStatus sftkdb_ResetKeyDB(SFTKDBHandle *keydb);
+SECStatus sftkdb_ChangePassword(SFTKDBHandle *keydb,
+ char *oldPin, char *newPin,
+ PRBool *tokenRemoved);
+SECStatus sftkdb_ClearPassword(SFTKDBHandle *keydb);
+PRBool sftkdb_InUpdateMerge(SFTKDBHandle *keydb);
+PRBool sftkdb_NeedUpdateDBPassword(SFTKDBHandle *keydb);
+const char *sftkdb_GetUpdateID(SFTKDBHandle *keydb);
+SECItem *sftkdb_GetUpdatePasswordKey(SFTKDBHandle *keydb);
+void sftkdb_FreeUpdatePasswordKey(SFTKDBHandle *keydb);
+
+/* Utility functions */
+/*
+ * OK there are now lots of options here, lets go through them all:
+ *
+ * configdir - base directory where all the cert, key, and module datbases live.
+ * certPrefix - prefix added to the beginning of the cert database example: "
+ * "https-server1-"
+ * keyPrefix - prefix added to the beginning of the key database example: "
+ * "https-server1-"
+ * secmodName - name of the security module database (usually "secmod.db").
+ * readOnly - Boolean: true if the databases are to be openned read only.
+ * nocertdb - Don't open the cert DB and key DB's, just initialize the
+ * Volatile certdb.
+ * nomoddb - Don't open the security module DB, just initialize the
+ * PKCS #11 module.
+ * forceOpen - Continue to force initializations even if the databases cannot
+ * be opened.
+ */
+CK_RV sftk_DBInit(const char *configdir, const char *certPrefix,
+ const char *keyPrefix, const char *updatedir,
+ const char *updCertPrefix, const char *updKeyPrefix,
+ const char *updateID, PRBool readOnly, PRBool noCertDB,
+ PRBool noKeyDB, PRBool forceOpen, PRBool isFIPS,
+ SFTKDBHandle **certDB, SFTKDBHandle **keyDB);
+CK_RV sftkdb_Shutdown(void);
+
+SFTKDBHandle *sftk_getCertDB(SFTKSlot *slot);
+SFTKDBHandle *sftk_getKeyDB(SFTKSlot *slot);
+SFTKDBHandle *sftk_getDBForTokenObject(SFTKSlot *slot,
+ CK_OBJECT_HANDLE objectID);
+void sftk_freeDB(SFTKDBHandle *certHandle);
+
+PRBool sftk_isLegacyIterationCountAllowed(void);
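Review bot: sftkdb.h has no include guard, while the sibling headers sftkdbt.h and sftkdbti.h added in the same commit both use one; wrapping it in `#ifndef SFTKDB_H` / `#define SFTKDB_H 1` … `#endif` keeps the three consistent and avoids re-parsing the prototypes when a translation unit reaches it twice. The block comment above sftk_DBInit also describes a different parameter list than the prototype under it: it documents secmodName and nomoddb, which are not parameters, and says nothing about updatedir, updCertPrefix, updKeyPrefix, updateID, isFIPS, certDB and keyDB, so it should be rewritten against the real signature, with "datbases" and "openned" corrected while there. The first declaration, sftkdb_write, drops its parameter names; `CK_RV sftkdb_write(SFTKDBHandle *handle, SFTKObject *object, CK_OBJECT_HANDLE *objectID);` would match the rest of the header. A one-line comment on sftk_DBInit's return contract would help too, since the definition returns CKR_OK under forceOpen even when the open failed and callers need to know that *certDB/*keyDB may then be NULL.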
diff --git a/security/nss/lib/softoken/sftkdbt.h b/security/nss/lib/softoken/sftkdbt.h
new file mode 100644
index 0000000000..77beb845e5
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdbt.h
@@ -0,0 +1,12 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SFTKDBT_H
+#define SFTKDBT_H 1
+typedef struct SFTKDBHandleStr SFTKDBHandle;
+
+#define SDB_MAX_META_DATA_LEN 256
+#define SDB_ULONG_SIZE 4
+
+#endif
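Review bot: SDB_ULONG_SIZE and SDB_MAX_META_DATA_LEN carry no comment saying what they bound, and the name SDB_ULONG_SIZE invites reading it as sizeof(CK_ULONG), which is 8 on LP64 hosts. Given the sftk_ULong2SDBULong(unsigned char *, CK_ULONG) helper declared in sftkdbti.h, it looks like 4 is the fixed serialized width of a CK_ULONG attribute in the database, independent of the host, but that is inferred, not visible here — confirm and say so, e.g. `/* serialized width of a CK_ULONG in the db; fixed at 4 regardless of sizeof(CK_ULONG) */`. A similar one-liner on SDB_MAX_META_DATA_LEN naming what it limits would make the header self-explanatory.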
diff --git a/security/nss/lib/softoken/sftkdbti.h b/security/nss/lib/softoken/sftkdbti.h
new file mode 100644
index 0000000000..eea52c81d3
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdbti.h
@@ -0,0 +1,82 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef SFTKDBTI_H
+#define SFTKDBTI_H 1
+
+/*
+ * private defines
+ */
+struct SFTKDBHandleStr {
+ SDB *db;
+ PRInt32 ref;
+ CK_OBJECT_HANDLE type;
+ SECItem passwordKey;
+ int defaultIterationCount;
+ SECItem *newKey;
+ int newDefaultIterationCount;
+ SECItem *oldKey;
+ SECItem *updatePasswordKey;
+ PZLock *passwordLock;
+ SFTKDBHandle *peerDB;
+ SDB *update;
+ char *updateID;
+ PRBool updateDBIsInit;
+ PRBool usesLegacyStorage;
+};
+
+#define SFTK_KEYDB_TYPE 0x40000000
+#define SFTK_CERTDB_TYPE 0x00000000
+#define SFTK_OBJ_TYPE_MASK 0xc0000000
+#define SFTK_OBJ_ID_MASK (~SFTK_OBJ_TYPE_MASK)
+#define SFTK_TOKEN_TYPE 0x80000000
+
+/* the following is the number of id's to handle on the stack at a time,
+ * it's not an upper limit of IDS that can be stored in the database */
+#define SFTK_MAX_IDS 10
+
+#define SFTK_GET_SDB(handle) \
+ ((handle)->update ? (handle)->update : (handle)->db)
+
+SECStatus sftkdb_DecryptAttribute(SFTKDBHandle *handle,
+ SECItem *passKey,
+ CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *cipherText, SECItem **plainText);
+SECStatus sftkdb_EncryptAttribute(PLArenaPool *arena,
+ SFTKDBHandle *handle, SDB *db,
+ SECItem *passKey,
+ int iterationCount,
+ CK_OBJECT_HANDLE id,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem **cipherText);
+SECStatus sftkdb_SignAttribute(PLArenaPool *arena,
+ SFTKDBHandle *handle, SDB *db,
+ SECItem *passKey,
+ int iterationCount, CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem **sigText);
+SECStatus sftkdb_VerifyAttribute(SFTKDBHandle *handle,
+ SECItem *passKey,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem *sigText);
+
+PRBool sftkdb_isULONGAttribute(CK_ATTRIBUTE_TYPE type);
+void sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value);
+CK_RV sftkdb_Update(SFTKDBHandle *handle, SECItem *key);
+CK_RV sftkdb_PutAttributeSignature(SFTKDBHandle *handle,
+ SDB *keyTarget, CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE type, SECItem *signText);
+CK_RV sftkdb_GetAttributeSignature(SFTKDBHandle *handle,
+ SFTKDBHandle *keyHandle,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE type,
+ SECItem *signText);
+CK_RV
+sftkdb_DestroyAttributeSignature(SFTKDBHandle *handle, SDB *db,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE type);
+
+#endif
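Review bot: SFTK_GET_SDB evaluates its argument twice and gives no type checking on handle; since it is private to this header it could be `static inline SDB *sftk_get_sdb(SFTKDBHandle *handle) { return handle->update ? handle->update : handle->db; }`, keeping the macro as an alias if callers already use it. The fields of SFTKDBHandleStr are undocumented: the precedence of update over db that the macro encodes, what updateID and updateDBIsInit mean for the merge (they are assigned in sftk_DBInit when an update database is opened, presumably the legacy store being migrated from — confirm), and what passwordLock protects and whether ref is an atomic refcount would each benefit from a one-line comment. The object-handle layout (SFTK_OBJ_TYPE_MASK selecting the top two bits, SFTK_TOKEN_TYPE and SFTK_KEYDB_TYPE as the individual bits, SFTK_OBJ_ID_MASK for the rest) also deserves a short comment above the defines so the bit assignments are not rediscovered from the constants.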
diff --git a/security/nss/lib/softoken/sftkdhverify.c b/security/nss/lib/softoken/sftkdhverify.c
new file mode 100644
index 0000000000..4310486116
--- /dev/null
+++ b/security/nss/lib/softoken/sftkdhverify.c
@@ -0,0 +1,6845 @@
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file makes sure a prime given to us matches one of the known
+ * approved primes for diffie-helman.
+ *
+ * It also checks if a prime is a safe prime for the case
+ * where we don't match an approved prime.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "secerr.h"
+#include "blapi.h"
+
+/* IKE 1536 prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } */
+static const unsigned char prime_ike_1536[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
+ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
+ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
+ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
+ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
+ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
+ 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
+ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
+ 0xCA, 0x23, 0x73, 0x27, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* IKE 2048 prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 */
+static const unsigned char prime_ike_2048[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
+ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
+ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
+ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
+ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
+ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
+ 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
+ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
+ 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
+ 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
+ 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* TLS 2048 prime is: 2^2048 - 2^1984 + {[2^1918 * e] + 560316 } * 2^64 - 1 */
+static const unsigned char prime_tls_2048[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58,
+ 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41,
+ 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02,
+ 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55,
+ 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA,
+ 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82,
+ 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3,
+ 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1,
+ 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32,
+ 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83,
+ 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* IKE 3072 prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } */
+static const unsigned char prime_ike_3072[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
+ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
+ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
+ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
+ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
+ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
+ 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
+ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
+ 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
+ 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
+ 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D,
+ 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+ 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57,
+ 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+ 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0,
+ 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+ 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73,
+ 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0,
+ 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+ 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20,
+ 0xA9, 0x3A, 0xD2, 0xCA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* TLS 3072 prime is: 2^3072 - 2^3008 + {[2^2942 * e] + 2625351} * 2^64 - 1 */
+static const unsigned char prime_tls_3072[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58,
+ 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41,
+ 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02,
+ 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55,
+ 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA,
+ 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82,
+ 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3,
+ 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1,
+ 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32,
+ 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83,
+ 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, 0xDE, 0x35, 0x5B, 0x3B,
+ 0x65, 0x19, 0x03, 0x5B, 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
+ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, 0x7A, 0xD9, 0x1D, 0x26,
+ 0x91, 0xF7, 0xF7, 0xEE, 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
+ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, 0xB4, 0x13, 0x0C, 0x93,
+ 0xBC, 0x43, 0x79, 0x44, 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
+ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, 0x5C, 0xAE, 0x82, 0xAB,
+ 0x9C, 0x9D, 0xF6, 0x9E, 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
+ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, 0x1D, 0xBF, 0x9A, 0x42,
+ 0xD5, 0xC4, 0x48, 0x4E, 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
+ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, 0x25, 0xE4, 0x1D, 0x2B,
+ 0x66, 0xC6, 0x2E, 0x37, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* IKE 4096 prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } */
+static const unsigned char prime_ike_4096[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
+ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
+ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
+ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
+ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
+ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
+ 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
+ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
+ 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
+ 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
+ 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D,
+ 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+ 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57,
+ 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+ 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0,
+ 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+ 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73,
+ 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0,
+ 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+ 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20,
+ 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,
+ 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18,
+ 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,
+ 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB,
+ 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,
+ 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2, 0x96, 0x4F,
+ 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,
+ 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76,
+ 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,
+ 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC,
+ 0x90, 0xA6, 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* TLS 4096 prime is: 2^4096 - 2^4032 + {[2^3966 * e] + 5736041} * 2^64 - 1 */
+static const unsigned char prime_tls_4096[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58,
+ 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41,
+ 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02,
+ 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55,
+ 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA,
+ 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82,
+ 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3,
+ 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1,
+ 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32,
+ 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83,
+ 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, 0xDE, 0x35, 0x5B, 0x3B,
+ 0x65, 0x19, 0x03, 0x5B, 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
+ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, 0x7A, 0xD9, 0x1D, 0x26,
+ 0x91, 0xF7, 0xF7, 0xEE, 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
+ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, 0xB4, 0x13, 0x0C, 0x93,
+ 0xBC, 0x43, 0x79, 0x44, 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
+ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, 0x5C, 0xAE, 0x82, 0xAB,
+ 0x9C, 0x9D, 0xF6, 0x9E, 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
+ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, 0x1D, 0xBF, 0x9A, 0x42,
+ 0xD5, 0xC4, 0x48, 0x4E, 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
+ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, 0x25, 0xE4, 0x1D, 0x2B,
+ 0x66, 0x9E, 0x1E, 0xF1, 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB,
+ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, 0xAC, 0x7D, 0x5F, 0x42,
+ 0xD6, 0x9F, 0x6D, 0x18, 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04,
+ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, 0x71, 0x35, 0xC8, 0x86,
+ 0xEF, 0xB4, 0x31, 0x8A, 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32,
+ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, 0x6D, 0xC7, 0x78, 0xF9,
+ 0x71, 0xAD, 0x00, 0x38, 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A,
+ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, 0x2A, 0x4E, 0xCE, 0xA9,
+ 0xF9, 0x8D, 0x0A, 0xCC, 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF,
+ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, 0x4D, 0xB5, 0xA8, 0x51,
+ 0xF4, 0x41, 0x82, 0xE1, 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x65, 0x5F, 0x6A,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* IKE 6144 prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } */
+static const unsigned char prime_ike_6144[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
+ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
+ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
+ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
+ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
+ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
+ 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
+ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
+ 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
+ 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
+ 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D,
+ 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+ 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57,
+ 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+ 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0,
+ 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+ 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73,
+ 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0,
+ 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+ 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20,
+ 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,
+ 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18,
+ 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,
+ 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB,
+ 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,
+ 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2, 0x96, 0x4F,
+ 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,
+ 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76,
+ 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,
+ 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC,
+ 0x90, 0xA6, 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92,
+ 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, 0xC1, 0xD4, 0xDC, 0xB2,
+ 0x60, 0x26, 0x46, 0xDE, 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD,
+ 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, 0xE5, 0xDB, 0x38, 0x2F,
+ 0x41, 0x30, 0x01, 0xAE, 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31,
+ 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, 0xDA, 0x3E, 0xDB, 0xEB,
+ 0xCF, 0x9B, 0x14, 0xED, 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B,
+ 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, 0x33, 0x20, 0x51, 0x51,
+ 0x2B, 0xD7, 0xAF, 0x42, 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF,
+ 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, 0xF0, 0x32, 0xEA, 0x15,
+ 0xD1, 0x72, 0x1D, 0x03, 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6,
+ 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, 0xB5, 0xA8, 0x40, 0x31,
+ 0x90, 0x0B, 0x1C, 0x9E, 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3,
+ 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, 0x0F, 0x1D, 0x45, 0xB7,
+ 0xFF, 0x58, 0x5A, 0xC5, 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA,
+ 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, 0x14, 0xCC, 0x5E, 0xD2,
+ 0x0F, 0x80, 0x37, 0xE0, 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28,
+ 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, 0xF5, 0x50, 0xAA, 0x3D,
+ 0x8A, 0x1F, 0xBF, 0xF0, 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C,
+ 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, 0x38, 0x7F, 0xE8, 0xD7,
+ 0x6E, 0x3C, 0x04, 0x68, 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE,
+ 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, 0xE6, 0x94, 0xF9, 0x1E,
+ 0x6D, 0xCC, 0x40, 0x24, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* TLS 6144 prime is: 2^6144 - 2^6080 + {[2^6014 * e] + 15705020} * 2^64 - 1 */
+static const unsigned char prime_tls_6144[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58,
+ 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41,
+ 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02,
+ 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55,
+ 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA,
+ 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82,
+ 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3,
+ 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1,
+ 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32,
+ 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83,
+ 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, 0xDE, 0x35, 0x5B, 0x3B,
+ 0x65, 0x19, 0x03, 0x5B, 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
+ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, 0x7A, 0xD9, 0x1D, 0x26,
+ 0x91, 0xF7, 0xF7, 0xEE, 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
+ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, 0xB4, 0x13, 0x0C, 0x93,
+ 0xBC, 0x43, 0x79, 0x44, 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
+ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, 0x5C, 0xAE, 0x82, 0xAB,
+ 0x9C, 0x9D, 0xF6, 0x9E, 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
+ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, 0x1D, 0xBF, 0x9A, 0x42,
+ 0xD5, 0xC4, 0x48, 0x4E, 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
+ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, 0x25, 0xE4, 0x1D, 0x2B,
+ 0x66, 0x9E, 0x1E, 0xF1, 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB,
+ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, 0xAC, 0x7D, 0x5F, 0x42,
+ 0xD6, 0x9F, 0x6D, 0x18, 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04,
+ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, 0x71, 0x35, 0xC8, 0x86,
+ 0xEF, 0xB4, 0x31, 0x8A, 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32,
+ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, 0x6D, 0xC7, 0x78, 0xF9,
+ 0x71, 0xAD, 0x00, 0x38, 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A,
+ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, 0x2A, 0x4E, 0xCE, 0xA9,
+ 0xF9, 0x8D, 0x0A, 0xCC, 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF,
+ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, 0x4D, 0xB5, 0xA8, 0x51,
+ 0xF4, 0x41, 0x82, 0xE1, 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02,
+ 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, 0x4E, 0x67, 0x7D, 0x2C,
+ 0x38, 0x53, 0x2A, 0x3A, 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6,
+ 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, 0x91, 0x7B, 0xDD, 0x64,
+ 0xB1, 0xC0, 0xFD, 0x4C, 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A,
+ 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, 0x9B, 0x1F, 0x5C, 0x3E,
+ 0x4E, 0x46, 0x04, 0x1F, 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77,
+ 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, 0xB8, 0x55, 0x32, 0x2E,
+ 0xDB, 0x63, 0x40, 0xD8, 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3,
+ 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, 0x7F, 0xB2, 0x9F, 0x8C,
+ 0x18, 0x30, 0x23, 0xC3, 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4,
+ 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, 0x94, 0xC6, 0x65, 0x1E,
+ 0x77, 0xCA, 0xF9, 0x92, 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6,
+ 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, 0x0A, 0xE8, 0xDB, 0x58,
+ 0x47, 0xA6, 0x7C, 0xBE, 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C,
+ 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, 0x62, 0x29, 0x2C, 0x31,
+ 0x15, 0x62, 0xA8, 0x46, 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A,
+ 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, 0x8C, 0xCF, 0x2D, 0xD5,
+ 0xCA, 0xCE, 0xF4, 0x03, 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04,
+ 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, 0x3F, 0xDD, 0x4A, 0x8E,
+ 0x9A, 0xDB, 0x1E, 0x69, 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1,
+ 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, 0xA4, 0x0E, 0x32, 0x9C,
+ 0xD0, 0xE4, 0x0E, 0x65, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* IKE 8192 prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } */
+static const unsigned char prime_ike_8192[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2,
+ 0x21, 0x68, 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+ 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, 0xA6,
+ 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+ 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D,
+ 0xF2, 0x5F, 0x14, 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+ 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
+ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+ 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11,
+ 0x7C, 0x4B, 0x1F, 0xE6, 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+ 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36,
+ 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+ 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56,
+ 0x20, 0x85, 0x52, 0xBB, 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 0xF1, 0x74, 0x6C, 0x08,
+ 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+ 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2,
+ 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+ 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 0x39, 0x95, 0x49, 0x7C,
+ 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+ 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D,
+ 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+ 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, 0xEA, 0x71, 0x57,
+ 0x5D, 0x06, 0x0C, 0x7D, 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+ 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0,
+ 0x4A, 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+ 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, 0x02, 0x73,
+ 0x3E, 0xC8, 0x6A, 0x64, 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, 0x77, 0x09, 0x88, 0xC0,
+ 0xBA, 0xD9, 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+ 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, 0x20,
+ 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,
+ 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, 0x99, 0xC3, 0x27, 0x18,
+ 0x6A, 0xF4, 0xE2, 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,
+ 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB,
+ 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,
+ 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, 0xB2, 0x96, 0x4F,
+ 0xA0, 0x90, 0xC3, 0xA2, 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,
+ 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76,
+ 0x21, 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,
+ 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, 0xB7, 0xDC,
+ 0x90, 0xA6, 0xC0, 0x8F, 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92,
+ 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, 0xC1, 0xD4, 0xDC, 0xB2,
+ 0x60, 0x26, 0x46, 0xDE, 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD,
+ 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, 0xE5, 0xDB, 0x38, 0x2F,
+ 0x41, 0x30, 0x01, 0xAE, 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31,
+ 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, 0xDA, 0x3E, 0xDB, 0xEB,
+ 0xCF, 0x9B, 0x14, 0xED, 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B,
+ 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, 0x33, 0x20, 0x51, 0x51,
+ 0x2B, 0xD7, 0xAF, 0x42, 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF,
+ 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, 0xF0, 0x32, 0xEA, 0x15,
+ 0xD1, 0x72, 0x1D, 0x03, 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6,
+ 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, 0xB5, 0xA8, 0x40, 0x31,
+ 0x90, 0x0B, 0x1C, 0x9E, 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3,
+ 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, 0x0F, 0x1D, 0x45, 0xB7,
+ 0xFF, 0x58, 0x5A, 0xC5, 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA,
+ 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, 0x14, 0xCC, 0x5E, 0xD2,
+ 0x0F, 0x80, 0x37, 0xE0, 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28,
+ 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, 0xF5, 0x50, 0xAA, 0x3D,
+ 0x8A, 0x1F, 0xBF, 0xF0, 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C,
+ 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, 0x38, 0x7F, 0xE8, 0xD7,
+ 0x6E, 0x3C, 0x04, 0x68, 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE,
+ 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, 0xE6, 0x94, 0xF9, 0x1E,
+ 0x6D, 0xBE, 0x11, 0x59, 0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4,
+ 0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C, 0xD8, 0xBE, 0xC4, 0xD0,
+ 0x73, 0xB9, 0x31, 0xBA, 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00,
+ 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED, 0x25, 0x76, 0xF6, 0x93,
+ 0x6B, 0xA4, 0x24, 0x66, 0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68,
+ 0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78, 0x23, 0x8F, 0x16, 0xCB,
+ 0xE3, 0x9D, 0x65, 0x2D, 0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9,
+ 0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, 0x07, 0x13, 0xEB, 0x57, 0xA8,
+ 0x1A, 0x23, 0xF0, 0xC7, 0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B,
+ 0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD, 0xFA, 0x9D, 0x4B, 0x7F,
+ 0xA2, 0xC0, 0x87, 0xE8, 0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A,
+ 0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6, 0x6D, 0x2A, 0x13, 0xF8,
+ 0x3F, 0x44, 0xF8, 0x2D, 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 0x36,
+ 0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1, 0x64, 0xF3, 0x1C, 0xC5,
+ 0x08, 0x46, 0x85, 0x1D, 0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1,
+ 0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73, 0xFA, 0xF3, 0x6B, 0xC3,
+ 0x1E, 0xCF, 0xA2, 0x68, 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92,
+ 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7, 0x88, 0x9A, 0x00, 0x2E,
+ 0xD5, 0xEE, 0x38, 0x2B, 0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47,
+ 0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA, 0x9E, 0x30, 0x50, 0xE2,
+ 0x76, 0x56, 0x94, 0xDF, 0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71,
+ 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* TLS 8192 prime is: 2^8192 - 2^8128 + {[2^8062 * e] + 10965728} * 2^64 - 1 */
+static const unsigned char prime_tls_8192[] = {
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, 0x54, 0x58,
+ 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41,
+ 0x14, 0x64, 0x33, 0xFB, 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02,
+ 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, 0x85, 0x63, 0x65, 0x55,
+ 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA,
+ 0xF3, 0xEF, 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, 0xB1, 0x82,
+ 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3,
+ 0xDE, 0x39, 0x4D, 0xF4, 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1,
+ 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF, 0x8E, 0x4F, 0x12, 0x32,
+ 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83,
+ 0x7D, 0x16, 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x1F, 0xCF, 0xDC, 0xDE, 0x35, 0x5B, 0x3B,
+ 0x65, 0x19, 0x03, 0x5B, 0xBC, 0x34, 0xF4, 0xDE, 0xF9, 0x9C, 0x02, 0x38,
+ 0x61, 0xB4, 0x6F, 0xC9, 0xD6, 0xE6, 0xC9, 0x07, 0x7A, 0xD9, 0x1D, 0x26,
+ 0x91, 0xF7, 0xF7, 0xEE, 0x59, 0x8C, 0xB0, 0xFA, 0xC1, 0x86, 0xD9, 0x1C,
+ 0xAE, 0xFE, 0x13, 0x09, 0x85, 0x13, 0x92, 0x70, 0xB4, 0x13, 0x0C, 0x93,
+ 0xBC, 0x43, 0x79, 0x44, 0xF4, 0xFD, 0x44, 0x52, 0xE2, 0xD7, 0x4D, 0xD3,
+ 0x64, 0xF2, 0xE2, 0x1E, 0x71, 0xF5, 0x4B, 0xFF, 0x5C, 0xAE, 0x82, 0xAB,
+ 0x9C, 0x9D, 0xF6, 0x9E, 0xE8, 0x6D, 0x2B, 0xC5, 0x22, 0x36, 0x3A, 0x0D,
+ 0xAB, 0xC5, 0x21, 0x97, 0x9B, 0x0D, 0xEA, 0xDA, 0x1D, 0xBF, 0x9A, 0x42,
+ 0xD5, 0xC4, 0x48, 0x4E, 0x0A, 0xBC, 0xD0, 0x6B, 0xFA, 0x53, 0xDD, 0xEF,
+ 0x3C, 0x1B, 0x20, 0xEE, 0x3F, 0xD5, 0x9D, 0x7C, 0x25, 0xE4, 0x1D, 0x2B,
+ 0x66, 0x9E, 0x1E, 0xF1, 0x6E, 0x6F, 0x52, 0xC3, 0x16, 0x4D, 0xF4, 0xFB,
+ 0x79, 0x30, 0xE9, 0xE4, 0xE5, 0x88, 0x57, 0xB6, 0xAC, 0x7D, 0x5F, 0x42,
+ 0xD6, 0x9F, 0x6D, 0x18, 0x77, 0x63, 0xCF, 0x1D, 0x55, 0x03, 0x40, 0x04,
+ 0x87, 0xF5, 0x5B, 0xA5, 0x7E, 0x31, 0xCC, 0x7A, 0x71, 0x35, 0xC8, 0x86,
+ 0xEF, 0xB4, 0x31, 0x8A, 0xED, 0x6A, 0x1E, 0x01, 0x2D, 0x9E, 0x68, 0x32,
+ 0xA9, 0x07, 0x60, 0x0A, 0x91, 0x81, 0x30, 0xC4, 0x6D, 0xC7, 0x78, 0xF9,
+ 0x71, 0xAD, 0x00, 0x38, 0x09, 0x29, 0x99, 0xA3, 0x33, 0xCB, 0x8B, 0x7A,
+ 0x1A, 0x1D, 0xB9, 0x3D, 0x71, 0x40, 0x00, 0x3C, 0x2A, 0x4E, 0xCE, 0xA9,
+ 0xF9, 0x8D, 0x0A, 0xCC, 0x0A, 0x82, 0x91, 0xCD, 0xCE, 0xC9, 0x7D, 0xCF,
+ 0x8E, 0xC9, 0xB5, 0x5A, 0x7F, 0x88, 0xA4, 0x6B, 0x4D, 0xB5, 0xA8, 0x51,
+ 0xF4, 0x41, 0x82, 0xE1, 0xC6, 0x8A, 0x00, 0x7E, 0x5E, 0x0D, 0xD9, 0x02,
+ 0x0B, 0xFD, 0x64, 0xB6, 0x45, 0x03, 0x6C, 0x7A, 0x4E, 0x67, 0x7D, 0x2C,
+ 0x38, 0x53, 0x2A, 0x3A, 0x23, 0xBA, 0x44, 0x42, 0xCA, 0xF5, 0x3E, 0xA6,
+ 0x3B, 0xB4, 0x54, 0x32, 0x9B, 0x76, 0x24, 0xC8, 0x91, 0x7B, 0xDD, 0x64,
+ 0xB1, 0xC0, 0xFD, 0x4C, 0xB3, 0x8E, 0x8C, 0x33, 0x4C, 0x70, 0x1C, 0x3A,
+ 0xCD, 0xAD, 0x06, 0x57, 0xFC, 0xCF, 0xEC, 0x71, 0x9B, 0x1F, 0x5C, 0x3E,
+ 0x4E, 0x46, 0x04, 0x1F, 0x38, 0x81, 0x47, 0xFB, 0x4C, 0xFD, 0xB4, 0x77,
+ 0xA5, 0x24, 0x71, 0xF7, 0xA9, 0xA9, 0x69, 0x10, 0xB8, 0x55, 0x32, 0x2E,
+ 0xDB, 0x63, 0x40, 0xD8, 0xA0, 0x0E, 0xF0, 0x92, 0x35, 0x05, 0x11, 0xE3,
+ 0x0A, 0xBE, 0xC1, 0xFF, 0xF9, 0xE3, 0xA2, 0x6E, 0x7F, 0xB2, 0x9F, 0x8C,
+ 0x18, 0x30, 0x23, 0xC3, 0x58, 0x7E, 0x38, 0xDA, 0x00, 0x77, 0xD9, 0xB4,
+ 0x76, 0x3E, 0x4E, 0x4B, 0x94, 0xB2, 0xBB, 0xC1, 0x94, 0xC6, 0x65, 0x1E,
+ 0x77, 0xCA, 0xF9, 0x92, 0xEE, 0xAA, 0xC0, 0x23, 0x2A, 0x28, 0x1B, 0xF6,
+ 0xB3, 0xA7, 0x39, 0xC1, 0x22, 0x61, 0x16, 0x82, 0x0A, 0xE8, 0xDB, 0x58,
+ 0x47, 0xA6, 0x7C, 0xBE, 0xF9, 0xC9, 0x09, 0x1B, 0x46, 0x2D, 0x53, 0x8C,
+ 0xD7, 0x2B, 0x03, 0x74, 0x6A, 0xE7, 0x7F, 0x5E, 0x62, 0x29, 0x2C, 0x31,
+ 0x15, 0x62, 0xA8, 0x46, 0x50, 0x5D, 0xC8, 0x2D, 0xB8, 0x54, 0x33, 0x8A,
+ 0xE4, 0x9F, 0x52, 0x35, 0xC9, 0x5B, 0x91, 0x17, 0x8C, 0xCF, 0x2D, 0xD5,
+ 0xCA, 0xCE, 0xF4, 0x03, 0xEC, 0x9D, 0x18, 0x10, 0xC6, 0x27, 0x2B, 0x04,
+ 0x5B, 0x3B, 0x71, 0xF9, 0xDC, 0x6B, 0x80, 0xD6, 0x3F, 0xDD, 0x4A, 0x8E,
+ 0x9A, 0xDB, 0x1E, 0x69, 0x62, 0xA6, 0x95, 0x26, 0xD4, 0x31, 0x61, 0xC1,
+ 0xA4, 0x1D, 0x57, 0x0D, 0x79, 0x38, 0xDA, 0xD4, 0xA4, 0x0E, 0x32, 0x9C,
+ 0xCF, 0xF4, 0x6A, 0xAA, 0x36, 0xAD, 0x00, 0x4C, 0xF6, 0x00, 0xC8, 0x38,
+ 0x1E, 0x42, 0x5A, 0x31, 0xD9, 0x51, 0xAE, 0x64, 0xFD, 0xB2, 0x3F, 0xCE,
+ 0xC9, 0x50, 0x9D, 0x43, 0x68, 0x7F, 0xEB, 0x69, 0xED, 0xD1, 0xCC, 0x5E,
+ 0x0B, 0x8C, 0xC3, 0xBD, 0xF6, 0x4B, 0x10, 0xEF, 0x86, 0xB6, 0x31, 0x42,
+ 0xA3, 0xAB, 0x88, 0x29, 0x55, 0x5B, 0x2F, 0x74, 0x7C, 0x93, 0x26, 0x65,
+ 0xCB, 0x2C, 0x0F, 0x1C, 0xC0, 0x1B, 0xD7, 0x02, 0x29, 0x38, 0x88, 0x39,
+ 0xD2, 0xAF, 0x05, 0xE4, 0x54, 0x50, 0x4A, 0xC7, 0x8B, 0x75, 0x82, 0x82,
+ 0x28, 0x46, 0xC0, 0xBA, 0x35, 0xC3, 0x5F, 0x5C, 0x59, 0x16, 0x0C, 0xC0,
+ 0x46, 0xFD, 0x82, 0x51, 0x54, 0x1F, 0xC6, 0x8C, 0x9C, 0x86, 0xB0, 0x22,
+ 0xBB, 0x70, 0x99, 0x87, 0x6A, 0x46, 0x0E, 0x74, 0x51, 0xA8, 0xA9, 0x31,
+ 0x09, 0x70, 0x3F, 0xEE, 0x1C, 0x21, 0x7E, 0x6C, 0x38, 0x26, 0xE5, 0x2C,
+ 0x51, 0xAA, 0x69, 0x1E, 0x0E, 0x42, 0x3C, 0xFC, 0x99, 0xE9, 0xE3, 0x16,
+ 0x50, 0xC1, 0x21, 0x7B, 0x62, 0x48, 0x16, 0xCD, 0xAD, 0x9A, 0x95, 0xF9,
+ 0xD5, 0xB8, 0x01, 0x94, 0x88, 0xD9, 0xC0, 0xA0, 0xA1, 0xFE, 0x30, 0x75,
+ 0xA5, 0x77, 0xE2, 0x31, 0x83, 0xF8, 0x1D, 0x4A, 0x3F, 0x2F, 0xA4, 0x57,
+ 0x1E, 0xFC, 0x8C, 0xE0, 0xBA, 0x8A, 0x4F, 0xE8, 0xB6, 0x85, 0x5D, 0xFE,
+ 0x72, 0xB0, 0xA6, 0x6E, 0xDE, 0xD2, 0xFB, 0xAB, 0xFB, 0xE5, 0x8A, 0x30,
+ 0xFA, 0xFA, 0xBE, 0x1C, 0x5D, 0x71, 0xA8, 0x7E, 0x2F, 0x74, 0x1E, 0xF8,
+ 0xC1, 0xFE, 0x86, 0xFE, 0xA6, 0xBB, 0xFD, 0xE5, 0x30, 0x67, 0x7F, 0x0D,
+ 0x97, 0xD1, 0x1D, 0x49, 0xF7, 0xA8, 0x44, 0x3D, 0x08, 0x22, 0xE5, 0x06,
+ 0xA9, 0xF4, 0x61, 0x4E, 0x01, 0x1E, 0x2A, 0x94, 0x83, 0x8F, 0xF8, 0x8C,
+ 0xD6, 0x8C, 0x8B, 0xB7, 0xC5, 0xC6, 0x42, 0x4C, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF
+};
+
+/* q=(p-1)/2 for prime prime_ike_1536 */
+static const unsigned char subprime_ike_1536_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xe4,
+ 0x87,
+ 0xed,
+ 0x51,
+ 0x10,
+ 0xb4,
+ 0x61,
+ 0x1a,
+ 0x62,
+ 0x63,
+ 0x31,
+ 0x45,
+ 0xc0,
+ 0x6e,
+ 0x0e,
+ 0x68,
+ 0x94,
+ 0x81,
+ 0x27,
+ 0x04,
+ 0x45,
+ 0x33,
+ 0xe6,
+ 0x3a,
+ 0x01,
+ 0x05,
+ 0xdf,
+ 0x53,
+ 0x1d,
+ 0x89,
+ 0xcd,
+ 0x91,
+ 0x28,
+ 0xa5,
+ 0x04,
+ 0x3c,
+ 0xc7,
+ 0x1a,
+ 0x02,
+ 0x6e,
+ 0xf7,
+ 0xca,
+ 0x8c,
+ 0xd9,
+ 0xe6,
+ 0x9d,
+ 0x21,
+ 0x8d,
+ 0x98,
+ 0x15,
+ 0x85,
+ 0x36,
+ 0xf9,
+ 0x2f,
+ 0x8a,
+ 0x1b,
+ 0xa7,
+ 0xf0,
+ 0x9a,
+ 0xb6,
+ 0xb6,
+ 0xa8,
+ 0xe1,
+ 0x22,
+ 0xf2,
+ 0x42,
+ 0xda,
+ 0xbb,
+ 0x31,
+ 0x2f,
+ 0x3f,
+ 0x63,
+ 0x7a,
+ 0x26,
+ 0x21,
+ 0x74,
+ 0xd3,
+ 0x1b,
+ 0xf6,
+ 0xb5,
+ 0x85,
+ 0xff,
+ 0xae,
+ 0x5b,
+ 0x7a,
+ 0x03,
+ 0x5b,
+ 0xf6,
+ 0xf7,
+ 0x1c,
+ 0x35,
+ 0xfd,
+ 0xad,
+ 0x44,
+ 0xcf,
+ 0xd2,
+ 0xd7,
+ 0x4f,
+ 0x92,
+ 0x08,
+ 0xbe,
+ 0x25,
+ 0x8f,
+ 0xf3,
+ 0x24,
+ 0x94,
+ 0x33,
+ 0x28,
+ 0xf6,
+ 0x72,
+ 0x2d,
+ 0x9e,
+ 0xe1,
+ 0x00,
+ 0x3e,
+ 0x5c,
+ 0x50,
+ 0xb1,
+ 0xdf,
+ 0x82,
+ 0xcc,
+ 0x6d,
+ 0x24,
+ 0x1b,
+ 0x0e,
+ 0x2a,
+ 0xe9,
+ 0xcd,
+ 0x34,
+ 0x8b,
+ 0x1f,
+ 0xd4,
+ 0x7e,
+ 0x92,
+ 0x67,
+ 0xaf,
+ 0xc1,
+ 0xb2,
+ 0xae,
+ 0x91,
+ 0xee,
+ 0x51,
+ 0xd6,
+ 0xcb,
+ 0x0e,
+ 0x31,
+ 0x79,
+ 0xab,
+ 0x10,
+ 0x42,
+ 0xa9,
+ 0x5d,
+ 0xcf,
+ 0x6a,
+ 0x94,
+ 0x83,
+ 0xb8,
+ 0x4b,
+ 0x4b,
+ 0x36,
+ 0xb3,
+ 0x86,
+ 0x1a,
+ 0xa7,
+ 0x25,
+ 0x5e,
+ 0x4c,
+ 0x02,
+ 0x78,
+ 0xba,
+ 0x36,
+ 0x04,
+ 0x65,
+ 0x11,
+ 0xb9,
+ 0x93,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_ike_2048 */
+static const unsigned char subprime_ike_2048_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xe4,
+ 0x87,
+ 0xed,
+ 0x51,
+ 0x10,
+ 0xb4,
+ 0x61,
+ 0x1a,
+ 0x62,
+ 0x63,
+ 0x31,
+ 0x45,
+ 0xc0,
+ 0x6e,
+ 0x0e,
+ 0x68,
+ 0x94,
+ 0x81,
+ 0x27,
+ 0x04,
+ 0x45,
+ 0x33,
+ 0xe6,
+ 0x3a,
+ 0x01,
+ 0x05,
+ 0xdf,
+ 0x53,
+ 0x1d,
+ 0x89,
+ 0xcd,
+ 0x91,
+ 0x28,
+ 0xa5,
+ 0x04,
+ 0x3c,
+ 0xc7,
+ 0x1a,
+ 0x02,
+ 0x6e,
+ 0xf7,
+ 0xca,
+ 0x8c,
+ 0xd9,
+ 0xe6,
+ 0x9d,
+ 0x21,
+ 0x8d,
+ 0x98,
+ 0x15,
+ 0x85,
+ 0x36,
+ 0xf9,
+ 0x2f,
+ 0x8a,
+ 0x1b,
+ 0xa7,
+ 0xf0,
+ 0x9a,
+ 0xb6,
+ 0xb6,
+ 0xa8,
+ 0xe1,
+ 0x22,
+ 0xf2,
+ 0x42,
+ 0xda,
+ 0xbb,
+ 0x31,
+ 0x2f,
+ 0x3f,
+ 0x63,
+ 0x7a,
+ 0x26,
+ 0x21,
+ 0x74,
+ 0xd3,
+ 0x1b,
+ 0xf6,
+ 0xb5,
+ 0x85,
+ 0xff,
+ 0xae,
+ 0x5b,
+ 0x7a,
+ 0x03,
+ 0x5b,
+ 0xf6,
+ 0xf7,
+ 0x1c,
+ 0x35,
+ 0xfd,
+ 0xad,
+ 0x44,
+ 0xcf,
+ 0xd2,
+ 0xd7,
+ 0x4f,
+ 0x92,
+ 0x08,
+ 0xbe,
+ 0x25,
+ 0x8f,
+ 0xf3,
+ 0x24,
+ 0x94,
+ 0x33,
+ 0x28,
+ 0xf6,
+ 0x72,
+ 0x2d,
+ 0x9e,
+ 0xe1,
+ 0x00,
+ 0x3e,
+ 0x5c,
+ 0x50,
+ 0xb1,
+ 0xdf,
+ 0x82,
+ 0xcc,
+ 0x6d,
+ 0x24,
+ 0x1b,
+ 0x0e,
+ 0x2a,
+ 0xe9,
+ 0xcd,
+ 0x34,
+ 0x8b,
+ 0x1f,
+ 0xd4,
+ 0x7e,
+ 0x92,
+ 0x67,
+ 0xaf,
+ 0xc1,
+ 0xb2,
+ 0xae,
+ 0x91,
+ 0xee,
+ 0x51,
+ 0xd6,
+ 0xcb,
+ 0x0e,
+ 0x31,
+ 0x79,
+ 0xab,
+ 0x10,
+ 0x42,
+ 0xa9,
+ 0x5d,
+ 0xcf,
+ 0x6a,
+ 0x94,
+ 0x83,
+ 0xb8,
+ 0x4b,
+ 0x4b,
+ 0x36,
+ 0xb3,
+ 0x86,
+ 0x1a,
+ 0xa7,
+ 0x25,
+ 0x5e,
+ 0x4c,
+ 0x02,
+ 0x78,
+ 0xba,
+ 0x36,
+ 0x04,
+ 0x65,
+ 0x0c,
+ 0x10,
+ 0xbe,
+ 0x19,
+ 0x48,
+ 0x2f,
+ 0x23,
+ 0x17,
+ 0x1b,
+ 0x67,
+ 0x1d,
+ 0xf1,
+ 0xcf,
+ 0x3b,
+ 0x96,
+ 0x0c,
+ 0x07,
+ 0x43,
+ 0x01,
+ 0xcd,
+ 0x93,
+ 0xc1,
+ 0xd1,
+ 0x76,
+ 0x03,
+ 0xd1,
+ 0x47,
+ 0xda,
+ 0xe2,
+ 0xae,
+ 0xf8,
+ 0x37,
+ 0xa6,
+ 0x29,
+ 0x64,
+ 0xef,
+ 0x15,
+ 0xe5,
+ 0xfb,
+ 0x4a,
+ 0xac,
+ 0x0b,
+ 0x8c,
+ 0x1c,
+ 0xca,
+ 0xa4,
+ 0xbe,
+ 0x75,
+ 0x4a,
+ 0xb5,
+ 0x72,
+ 0x8a,
+ 0xe9,
+ 0x13,
+ 0x0c,
+ 0x4c,
+ 0x7d,
+ 0x02,
+ 0x88,
+ 0x0a,
+ 0xb9,
+ 0x47,
+ 0x2d,
+ 0x45,
+ 0x56,
+ 0x55,
+ 0x34,
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_tls_2048 */
+static const unsigned char subprime_tls_2048_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xd6,
+ 0xfc,
+ 0x2a,
+ 0x2c,
+ 0x51,
+ 0x5d,
+ 0xa5,
+ 0x4d,
+ 0x57,
+ 0xee,
+ 0x2b,
+ 0x10,
+ 0x13,
+ 0x9e,
+ 0x9e,
+ 0x78,
+ 0xec,
+ 0x5c,
+ 0xe2,
+ 0xc1,
+ 0xe7,
+ 0x16,
+ 0x9b,
+ 0x4a,
+ 0xd4,
+ 0xf0,
+ 0x9b,
+ 0x20,
+ 0x8a,
+ 0x32,
+ 0x19,
+ 0xfd,
+ 0xe6,
+ 0x49,
+ 0xce,
+ 0xe7,
+ 0x12,
+ 0x4d,
+ 0x9f,
+ 0x7c,
+ 0xbe,
+ 0x97,
+ 0xf1,
+ 0xb1,
+ 0xb1,
+ 0x86,
+ 0x3a,
+ 0xec,
+ 0x7b,
+ 0x40,
+ 0xd9,
+ 0x01,
+ 0x57,
+ 0x62,
+ 0x30,
+ 0xbd,
+ 0x69,
+ 0xef,
+ 0x8f,
+ 0x6a,
+ 0xea,
+ 0xfe,
+ 0xb2,
+ 0xb0,
+ 0x92,
+ 0x19,
+ 0xfa,
+ 0x8f,
+ 0xaf,
+ 0x83,
+ 0x37,
+ 0x68,
+ 0x42,
+ 0xb1,
+ 0xb2,
+ 0xaa,
+ 0x9e,
+ 0xf6,
+ 0x8d,
+ 0x79,
+ 0xda,
+ 0xab,
+ 0x89,
+ 0xaf,
+ 0x3f,
+ 0xab,
+ 0xe4,
+ 0x9a,
+ 0xcc,
+ 0x27,
+ 0x86,
+ 0x38,
+ 0x70,
+ 0x73,
+ 0x45,
+ 0xbb,
+ 0xf1,
+ 0x53,
+ 0x44,
+ 0xed,
+ 0x79,
+ 0xf7,
+ 0xf4,
+ 0x39,
+ 0x0e,
+ 0xf8,
+ 0xac,
+ 0x50,
+ 0x9b,
+ 0x56,
+ 0xf3,
+ 0x9a,
+ 0x98,
+ 0x56,
+ 0x65,
+ 0x27,
+ 0xa4,
+ 0x1d,
+ 0x3c,
+ 0xbd,
+ 0x5e,
+ 0x05,
+ 0x58,
+ 0xc1,
+ 0x59,
+ 0x92,
+ 0x7d,
+ 0xb0,
+ 0xe8,
+ 0x84,
+ 0x54,
+ 0xa5,
+ 0xd9,
+ 0x64,
+ 0x71,
+ 0xfd,
+ 0xdc,
+ 0xb5,
+ 0x6d,
+ 0x5b,
+ 0xb0,
+ 0x6b,
+ 0xfa,
+ 0x34,
+ 0x0e,
+ 0xa7,
+ 0xa1,
+ 0x51,
+ 0xef,
+ 0x1c,
+ 0xa6,
+ 0xfa,
+ 0x57,
+ 0x2b,
+ 0x76,
+ 0xf3,
+ 0xb1,
+ 0xb9,
+ 0x5d,
+ 0x8c,
+ 0x85,
+ 0x83,
+ 0xd3,
+ 0xe4,
+ 0x77,
+ 0x05,
+ 0x36,
+ 0xb8,
+ 0x4f,
+ 0x01,
+ 0x7e,
+ 0x70,
+ 0xe6,
+ 0xfb,
+ 0xf1,
+ 0x76,
+ 0x60,
+ 0x1a,
+ 0x02,
+ 0x66,
+ 0x94,
+ 0x1a,
+ 0x17,
+ 0xb0,
+ 0xc8,
+ 0xb9,
+ 0x7f,
+ 0x4e,
+ 0x74,
+ 0xc2,
+ 0xc1,
+ 0xff,
+ 0xc7,
+ 0x27,
+ 0x89,
+ 0x19,
+ 0x77,
+ 0x79,
+ 0x40,
+ 0xc1,
+ 0xe1,
+ 0xff,
+ 0x1d,
+ 0x8d,
+ 0xa6,
+ 0x37,
+ 0xd6,
+ 0xb9,
+ 0x9d,
+ 0xda,
+ 0xfe,
+ 0x5e,
+ 0x17,
+ 0x61,
+ 0x10,
+ 0x02,
+ 0xe2,
+ 0xc7,
+ 0x78,
+ 0xc1,
+ 0xbe,
+ 0x8b,
+ 0x41,
+ 0xd9,
+ 0x63,
+ 0x79,
+ 0xa5,
+ 0x13,
+ 0x60,
+ 0xd9,
+ 0x77,
+ 0xfd,
+ 0x44,
+ 0x35,
+ 0xa1,
+ 0x1c,
+ 0x30,
+ 0x94,
+ 0x2e,
+ 0x4b,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_ike_3072 */
+static const unsigned char subprime_ike_3072_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xe4,
+ 0x87,
+ 0xed,
+ 0x51,
+ 0x10,
+ 0xb4,
+ 0x61,
+ 0x1a,
+ 0x62,
+ 0x63,
+ 0x31,
+ 0x45,
+ 0xc0,
+ 0x6e,
+ 0x0e,
+ 0x68,
+ 0x94,
+ 0x81,
+ 0x27,
+ 0x04,
+ 0x45,
+ 0x33,
+ 0xe6,
+ 0x3a,
+ 0x01,
+ 0x05,
+ 0xdf,
+ 0x53,
+ 0x1d,
+ 0x89,
+ 0xcd,
+ 0x91,
+ 0x28,
+ 0xa5,
+ 0x04,
+ 0x3c,
+ 0xc7,
+ 0x1a,
+ 0x02,
+ 0x6e,
+ 0xf7,
+ 0xca,
+ 0x8c,
+ 0xd9,
+ 0xe6,
+ 0x9d,
+ 0x21,
+ 0x8d,
+ 0x98,
+ 0x15,
+ 0x85,
+ 0x36,
+ 0xf9,
+ 0x2f,
+ 0x8a,
+ 0x1b,
+ 0xa7,
+ 0xf0,
+ 0x9a,
+ 0xb6,
+ 0xb6,
+ 0xa8,
+ 0xe1,
+ 0x22,
+ 0xf2,
+ 0x42,
+ 0xda,
+ 0xbb,
+ 0x31,
+ 0x2f,
+ 0x3f,
+ 0x63,
+ 0x7a,
+ 0x26,
+ 0x21,
+ 0x74,
+ 0xd3,
+ 0x1b,
+ 0xf6,
+ 0xb5,
+ 0x85,
+ 0xff,
+ 0xae,
+ 0x5b,
+ 0x7a,
+ 0x03,
+ 0x5b,
+ 0xf6,
+ 0xf7,
+ 0x1c,
+ 0x35,
+ 0xfd,
+ 0xad,
+ 0x44,
+ 0xcf,
+ 0xd2,
+ 0xd7,
+ 0x4f,
+ 0x92,
+ 0x08,
+ 0xbe,
+ 0x25,
+ 0x8f,
+ 0xf3,
+ 0x24,
+ 0x94,
+ 0x33,
+ 0x28,
+ 0xf6,
+ 0x72,
+ 0x2d,
+ 0x9e,
+ 0xe1,
+ 0x00,
+ 0x3e,
+ 0x5c,
+ 0x50,
+ 0xb1,
+ 0xdf,
+ 0x82,
+ 0xcc,
+ 0x6d,
+ 0x24,
+ 0x1b,
+ 0x0e,
+ 0x2a,
+ 0xe9,
+ 0xcd,
+ 0x34,
+ 0x8b,
+ 0x1f,
+ 0xd4,
+ 0x7e,
+ 0x92,
+ 0x67,
+ 0xaf,
+ 0xc1,
+ 0xb2,
+ 0xae,
+ 0x91,
+ 0xee,
+ 0x51,
+ 0xd6,
+ 0xcb,
+ 0x0e,
+ 0x31,
+ 0x79,
+ 0xab,
+ 0x10,
+ 0x42,
+ 0xa9,
+ 0x5d,
+ 0xcf,
+ 0x6a,
+ 0x94,
+ 0x83,
+ 0xb8,
+ 0x4b,
+ 0x4b,
+ 0x36,
+ 0xb3,
+ 0x86,
+ 0x1a,
+ 0xa7,
+ 0x25,
+ 0x5e,
+ 0x4c,
+ 0x02,
+ 0x78,
+ 0xba,
+ 0x36,
+ 0x04,
+ 0x65,
+ 0x0c,
+ 0x10,
+ 0xbe,
+ 0x19,
+ 0x48,
+ 0x2f,
+ 0x23,
+ 0x17,
+ 0x1b,
+ 0x67,
+ 0x1d,
+ 0xf1,
+ 0xcf,
+ 0x3b,
+ 0x96,
+ 0x0c,
+ 0x07,
+ 0x43,
+ 0x01,
+ 0xcd,
+ 0x93,
+ 0xc1,
+ 0xd1,
+ 0x76,
+ 0x03,
+ 0xd1,
+ 0x47,
+ 0xda,
+ 0xe2,
+ 0xae,
+ 0xf8,
+ 0x37,
+ 0xa6,
+ 0x29,
+ 0x64,
+ 0xef,
+ 0x15,
+ 0xe5,
+ 0xfb,
+ 0x4a,
+ 0xac,
+ 0x0b,
+ 0x8c,
+ 0x1c,
+ 0xca,
+ 0xa4,
+ 0xbe,
+ 0x75,
+ 0x4a,
+ 0xb5,
+ 0x72,
+ 0x8a,
+ 0xe9,
+ 0x13,
+ 0x0c,
+ 0x4c,
+ 0x7d,
+ 0x02,
+ 0x88,
+ 0x0a,
+ 0xb9,
+ 0x47,
+ 0x2d,
+ 0x45,
+ 0x55,
+ 0x62,
+ 0x16,
+ 0xd6,
+ 0x99,
+ 0x8b,
+ 0x86,
+ 0x82,
+ 0x28,
+ 0x3d,
+ 0x19,
+ 0xd4,
+ 0x2a,
+ 0x90,
+ 0xd5,
+ 0xef,
+ 0x8e,
+ 0x5d,
+ 0x32,
+ 0x76,
+ 0x7d,
+ 0xc2,
+ 0x82,
+ 0x2c,
+ 0x6d,
+ 0xf7,
+ 0x85,
+ 0x45,
+ 0x75,
+ 0x38,
+ 0xab,
+ 0xae,
+ 0x83,
+ 0x06,
+ 0x3e,
+ 0xd9,
+ 0xcb,
+ 0x87,
+ 0xc2,
+ 0xd3,
+ 0x70,
+ 0xf2,
+ 0x63,
+ 0xd5,
+ 0xfa,
+ 0xd7,
+ 0x46,
+ 0x6d,
+ 0x84,
+ 0x99,
+ 0xeb,
+ 0x8f,
+ 0x46,
+ 0x4a,
+ 0x70,
+ 0x25,
+ 0x12,
+ 0xb0,
+ 0xce,
+ 0xe7,
+ 0x71,
+ 0xe9,
+ 0x13,
+ 0x0d,
+ 0x69,
+ 0x77,
+ 0x35,
+ 0xf8,
+ 0x97,
+ 0xfd,
+ 0x03,
+ 0x6c,
+ 0xc5,
+ 0x04,
+ 0x32,
+ 0x6c,
+ 0x3b,
+ 0x01,
+ 0x39,
+ 0x9f,
+ 0x64,
+ 0x35,
+ 0x32,
+ 0x29,
+ 0x0f,
+ 0x95,
+ 0x8c,
+ 0x0b,
+ 0xbd,
+ 0x90,
+ 0x06,
+ 0x5d,
+ 0xf0,
+ 0x8b,
+ 0xab,
+ 0xbd,
+ 0x30,
+ 0xae,
+ 0xb6,
+ 0x3b,
+ 0x84,
+ 0xc4,
+ 0x60,
+ 0x5d,
+ 0x6c,
+ 0xa3,
+ 0x71,
+ 0x04,
+ 0x71,
+ 0x27,
+ 0xd0,
+ 0x3a,
+ 0x72,
+ 0xd5,
+ 0x98,
+ 0xa1,
+ 0xed,
+ 0xad,
+ 0xfe,
+ 0x70,
+ 0x7e,
+ 0x88,
+ 0x47,
+ 0x25,
+ 0xc1,
+ 0x68,
+ 0x90,
+ 0x54,
+ 0x9d,
+ 0x69,
+ 0x65,
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_tls_3072 */
+static const unsigned char subprime_tls_3072_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xd6,
+ 0xfc,
+ 0x2a,
+ 0x2c,
+ 0x51,
+ 0x5d,
+ 0xa5,
+ 0x4d,
+ 0x57,
+ 0xee,
+ 0x2b,
+ 0x10,
+ 0x13,
+ 0x9e,
+ 0x9e,
+ 0x78,
+ 0xec,
+ 0x5c,
+ 0xe2,
+ 0xc1,
+ 0xe7,
+ 0x16,
+ 0x9b,
+ 0x4a,
+ 0xd4,
+ 0xf0,
+ 0x9b,
+ 0x20,
+ 0x8a,
+ 0x32,
+ 0x19,
+ 0xfd,
+ 0xe6,
+ 0x49,
+ 0xce,
+ 0xe7,
+ 0x12,
+ 0x4d,
+ 0x9f,
+ 0x7c,
+ 0xbe,
+ 0x97,
+ 0xf1,
+ 0xb1,
+ 0xb1,
+ 0x86,
+ 0x3a,
+ 0xec,
+ 0x7b,
+ 0x40,
+ 0xd9,
+ 0x01,
+ 0x57,
+ 0x62,
+ 0x30,
+ 0xbd,
+ 0x69,
+ 0xef,
+ 0x8f,
+ 0x6a,
+ 0xea,
+ 0xfe,
+ 0xb2,
+ 0xb0,
+ 0x92,
+ 0x19,
+ 0xfa,
+ 0x8f,
+ 0xaf,
+ 0x83,
+ 0x37,
+ 0x68,
+ 0x42,
+ 0xb1,
+ 0xb2,
+ 0xaa,
+ 0x9e,
+ 0xf6,
+ 0x8d,
+ 0x79,
+ 0xda,
+ 0xab,
+ 0x89,
+ 0xaf,
+ 0x3f,
+ 0xab,
+ 0xe4,
+ 0x9a,
+ 0xcc,
+ 0x27,
+ 0x86,
+ 0x38,
+ 0x70,
+ 0x73,
+ 0x45,
+ 0xbb,
+ 0xf1,
+ 0x53,
+ 0x44,
+ 0xed,
+ 0x79,
+ 0xf7,
+ 0xf4,
+ 0x39,
+ 0x0e,
+ 0xf8,
+ 0xac,
+ 0x50,
+ 0x9b,
+ 0x56,
+ 0xf3,
+ 0x9a,
+ 0x98,
+ 0x56,
+ 0x65,
+ 0x27,
+ 0xa4,
+ 0x1d,
+ 0x3c,
+ 0xbd,
+ 0x5e,
+ 0x05,
+ 0x58,
+ 0xc1,
+ 0x59,
+ 0x92,
+ 0x7d,
+ 0xb0,
+ 0xe8,
+ 0x84,
+ 0x54,
+ 0xa5,
+ 0xd9,
+ 0x64,
+ 0x71,
+ 0xfd,
+ 0xdc,
+ 0xb5,
+ 0x6d,
+ 0x5b,
+ 0xb0,
+ 0x6b,
+ 0xfa,
+ 0x34,
+ 0x0e,
+ 0xa7,
+ 0xa1,
+ 0x51,
+ 0xef,
+ 0x1c,
+ 0xa6,
+ 0xfa,
+ 0x57,
+ 0x2b,
+ 0x76,
+ 0xf3,
+ 0xb1,
+ 0xb9,
+ 0x5d,
+ 0x8c,
+ 0x85,
+ 0x83,
+ 0xd3,
+ 0xe4,
+ 0x77,
+ 0x05,
+ 0x36,
+ 0xb8,
+ 0x4f,
+ 0x01,
+ 0x7e,
+ 0x70,
+ 0xe6,
+ 0xfb,
+ 0xf1,
+ 0x76,
+ 0x60,
+ 0x1a,
+ 0x02,
+ 0x66,
+ 0x94,
+ 0x1a,
+ 0x17,
+ 0xb0,
+ 0xc8,
+ 0xb9,
+ 0x7f,
+ 0x4e,
+ 0x74,
+ 0xc2,
+ 0xc1,
+ 0xff,
+ 0xc7,
+ 0x27,
+ 0x89,
+ 0x19,
+ 0x77,
+ 0x79,
+ 0x40,
+ 0xc1,
+ 0xe1,
+ 0xff,
+ 0x1d,
+ 0x8d,
+ 0xa6,
+ 0x37,
+ 0xd6,
+ 0xb9,
+ 0x9d,
+ 0xda,
+ 0xfe,
+ 0x5e,
+ 0x17,
+ 0x61,
+ 0x10,
+ 0x02,
+ 0xe2,
+ 0xc7,
+ 0x78,
+ 0xc1,
+ 0xbe,
+ 0x8b,
+ 0x41,
+ 0xd9,
+ 0x63,
+ 0x79,
+ 0xa5,
+ 0x13,
+ 0x60,
+ 0xd9,
+ 0x77,
+ 0xfd,
+ 0x44,
+ 0x35,
+ 0xa1,
+ 0x1c,
+ 0x30,
+ 0x8f,
+ 0xe7,
+ 0xee,
+ 0x6f,
+ 0x1a,
+ 0xad,
+ 0x9d,
+ 0xb2,
+ 0x8c,
+ 0x81,
+ 0xad,
+ 0xde,
+ 0x1a,
+ 0x7a,
+ 0x6f,
+ 0x7c,
+ 0xce,
+ 0x01,
+ 0x1c,
+ 0x30,
+ 0xda,
+ 0x37,
+ 0xe4,
+ 0xeb,
+ 0x73,
+ 0x64,
+ 0x83,
+ 0xbd,
+ 0x6c,
+ 0x8e,
+ 0x93,
+ 0x48,
+ 0xfb,
+ 0xfb,
+ 0xf7,
+ 0x2c,
+ 0xc6,
+ 0x58,
+ 0x7d,
+ 0x60,
+ 0xc3,
+ 0x6c,
+ 0x8e,
+ 0x57,
+ 0x7f,
+ 0x09,
+ 0x84,
+ 0xc2,
+ 0x89,
+ 0xc9,
+ 0x38,
+ 0x5a,
+ 0x09,
+ 0x86,
+ 0x49,
+ 0xde,
+ 0x21,
+ 0xbc,
+ 0xa2,
+ 0x7a,
+ 0x7e,
+ 0xa2,
+ 0x29,
+ 0x71,
+ 0x6b,
+ 0xa6,
+ 0xe9,
+ 0xb2,
+ 0x79,
+ 0x71,
+ 0x0f,
+ 0x38,
+ 0xfa,
+ 0xa5,
+ 0xff,
+ 0xae,
+ 0x57,
+ 0x41,
+ 0x55,
+ 0xce,
+ 0x4e,
+ 0xfb,
+ 0x4f,
+ 0x74,
+ 0x36,
+ 0x95,
+ 0xe2,
+ 0x91,
+ 0x1b,
+ 0x1d,
+ 0x06,
+ 0xd5,
+ 0xe2,
+ 0x90,
+ 0xcb,
+ 0xcd,
+ 0x86,
+ 0xf5,
+ 0x6d,
+ 0x0e,
+ 0xdf,
+ 0xcd,
+ 0x21,
+ 0x6a,
+ 0xe2,
+ 0x24,
+ 0x27,
+ 0x05,
+ 0x5e,
+ 0x68,
+ 0x35,
+ 0xfd,
+ 0x29,
+ 0xee,
+ 0xf7,
+ 0x9e,
+ 0x0d,
+ 0x90,
+ 0x77,
+ 0x1f,
+ 0xea,
+ 0xce,
+ 0xbe,
+ 0x12,
+ 0xf2,
+ 0x0e,
+ 0x95,
+ 0xb3,
+ 0x63,
+ 0x17,
+ 0x1b,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_ike_4096 */
+static const unsigned char subprime_ike_4096_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xe4,
+ 0x87,
+ 0xed,
+ 0x51,
+ 0x10,
+ 0xb4,
+ 0x61,
+ 0x1a,
+ 0x62,
+ 0x63,
+ 0x31,
+ 0x45,
+ 0xc0,
+ 0x6e,
+ 0x0e,
+ 0x68,
+ 0x94,
+ 0x81,
+ 0x27,
+ 0x04,
+ 0x45,
+ 0x33,
+ 0xe6,
+ 0x3a,
+ 0x01,
+ 0x05,
+ 0xdf,
+ 0x53,
+ 0x1d,
+ 0x89,
+ 0xcd,
+ 0x91,
+ 0x28,
+ 0xa5,
+ 0x04,
+ 0x3c,
+ 0xc7,
+ 0x1a,
+ 0x02,
+ 0x6e,
+ 0xf7,
+ 0xca,
+ 0x8c,
+ 0xd9,
+ 0xe6,
+ 0x9d,
+ 0x21,
+ 0x8d,
+ 0x98,
+ 0x15,
+ 0x85,
+ 0x36,
+ 0xf9,
+ 0x2f,
+ 0x8a,
+ 0x1b,
+ 0xa7,
+ 0xf0,
+ 0x9a,
+ 0xb6,
+ 0xb6,
+ 0xa8,
+ 0xe1,
+ 0x22,
+ 0xf2,
+ 0x42,
+ 0xda,
+ 0xbb,
+ 0x31,
+ 0x2f,
+ 0x3f,
+ 0x63,
+ 0x7a,
+ 0x26,
+ 0x21,
+ 0x74,
+ 0xd3,
+ 0x1b,
+ 0xf6,
+ 0xb5,
+ 0x85,
+ 0xff,
+ 0xae,
+ 0x5b,
+ 0x7a,
+ 0x03,
+ 0x5b,
+ 0xf6,
+ 0xf7,
+ 0x1c,
+ 0x35,
+ 0xfd,
+ 0xad,
+ 0x44,
+ 0xcf,
+ 0xd2,
+ 0xd7,
+ 0x4f,
+ 0x92,
+ 0x08,
+ 0xbe,
+ 0x25,
+ 0x8f,
+ 0xf3,
+ 0x24,
+ 0x94,
+ 0x33,
+ 0x28,
+ 0xf6,
+ 0x72,
+ 0x2d,
+ 0x9e,
+ 0xe1,
+ 0x00,
+ 0x3e,
+ 0x5c,
+ 0x50,
+ 0xb1,
+ 0xdf,
+ 0x82,
+ 0xcc,
+ 0x6d,
+ 0x24,
+ 0x1b,
+ 0x0e,
+ 0x2a,
+ 0xe9,
+ 0xcd,
+ 0x34,
+ 0x8b,
+ 0x1f,
+ 0xd4,
+ 0x7e,
+ 0x92,
+ 0x67,
+ 0xaf,
+ 0xc1,
+ 0xb2,
+ 0xae,
+ 0x91,
+ 0xee,
+ 0x51,
+ 0xd6,
+ 0xcb,
+ 0x0e,
+ 0x31,
+ 0x79,
+ 0xab,
+ 0x10,
+ 0x42,
+ 0xa9,
+ 0x5d,
+ 0xcf,
+ 0x6a,
+ 0x94,
+ 0x83,
+ 0xb8,
+ 0x4b,
+ 0x4b,
+ 0x36,
+ 0xb3,
+ 0x86,
+ 0x1a,
+ 0xa7,
+ 0x25,
+ 0x5e,
+ 0x4c,
+ 0x02,
+ 0x78,
+ 0xba,
+ 0x36,
+ 0x04,
+ 0x65,
+ 0x0c,
+ 0x10,
+ 0xbe,
+ 0x19,
+ 0x48,
+ 0x2f,
+ 0x23,
+ 0x17,
+ 0x1b,
+ 0x67,
+ 0x1d,
+ 0xf1,
+ 0xcf,
+ 0x3b,
+ 0x96,
+ 0x0c,
+ 0x07,
+ 0x43,
+ 0x01,
+ 0xcd,
+ 0x93,
+ 0xc1,
+ 0xd1,
+ 0x76,
+ 0x03,
+ 0xd1,
+ 0x47,
+ 0xda,
+ 0xe2,
+ 0xae,
+ 0xf8,
+ 0x37,
+ 0xa6,
+ 0x29,
+ 0x64,
+ 0xef,
+ 0x15,
+ 0xe5,
+ 0xfb,
+ 0x4a,
+ 0xac,
+ 0x0b,
+ 0x8c,
+ 0x1c,
+ 0xca,
+ 0xa4,
+ 0xbe,
+ 0x75,
+ 0x4a,
+ 0xb5,
+ 0x72,
+ 0x8a,
+ 0xe9,
+ 0x13,
+ 0x0c,
+ 0x4c,
+ 0x7d,
+ 0x02,
+ 0x88,
+ 0x0a,
+ 0xb9,
+ 0x47,
+ 0x2d,
+ 0x45,
+ 0x55,
+ 0x62,
+ 0x16,
+ 0xd6,
+ 0x99,
+ 0x8b,
+ 0x86,
+ 0x82,
+ 0x28,
+ 0x3d,
+ 0x19,
+ 0xd4,
+ 0x2a,
+ 0x90,
+ 0xd5,
+ 0xef,
+ 0x8e,
+ 0x5d,
+ 0x32,
+ 0x76,
+ 0x7d,
+ 0xc2,
+ 0x82,
+ 0x2c,
+ 0x6d,
+ 0xf7,
+ 0x85,
+ 0x45,
+ 0x75,
+ 0x38,
+ 0xab,
+ 0xae,
+ 0x83,
+ 0x06,
+ 0x3e,
+ 0xd9,
+ 0xcb,
+ 0x87,
+ 0xc2,
+ 0xd3,
+ 0x70,
+ 0xf2,
+ 0x63,
+ 0xd5,
+ 0xfa,
+ 0xd7,
+ 0x46,
+ 0x6d,
+ 0x84,
+ 0x99,
+ 0xeb,
+ 0x8f,
+ 0x46,
+ 0x4a,
+ 0x70,
+ 0x25,
+ 0x12,
+ 0xb0,
+ 0xce,
+ 0xe7,
+ 0x71,
+ 0xe9,
+ 0x13,
+ 0x0d,
+ 0x69,
+ 0x77,
+ 0x35,
+ 0xf8,
+ 0x97,
+ 0xfd,
+ 0x03,
+ 0x6c,
+ 0xc5,
+ 0x04,
+ 0x32,
+ 0x6c,
+ 0x3b,
+ 0x01,
+ 0x39,
+ 0x9f,
+ 0x64,
+ 0x35,
+ 0x32,
+ 0x29,
+ 0x0f,
+ 0x95,
+ 0x8c,
+ 0x0b,
+ 0xbd,
+ 0x90,
+ 0x06,
+ 0x5d,
+ 0xf0,
+ 0x8b,
+ 0xab,
+ 0xbd,
+ 0x30,
+ 0xae,
+ 0xb6,
+ 0x3b,
+ 0x84,
+ 0xc4,
+ 0x60,
+ 0x5d,
+ 0x6c,
+ 0xa3,
+ 0x71,
+ 0x04,
+ 0x71,
+ 0x27,
+ 0xd0,
+ 0x3a,
+ 0x72,
+ 0xd5,
+ 0x98,
+ 0xa1,
+ 0xed,
+ 0xad,
+ 0xfe,
+ 0x70,
+ 0x7e,
+ 0x88,
+ 0x47,
+ 0x25,
+ 0xc1,
+ 0x68,
+ 0x90,
+ 0x54,
+ 0x90,
+ 0x84,
+ 0x00,
+ 0x8d,
+ 0x39,
+ 0x1e,
+ 0x09,
+ 0x53,
+ 0xc3,
+ 0xf3,
+ 0x6b,
+ 0xc4,
+ 0x38,
+ 0xcd,
+ 0x08,
+ 0x5e,
+ 0xdd,
+ 0x2d,
+ 0x93,
+ 0x4c,
+ 0xe1,
+ 0x93,
+ 0x8c,
+ 0x35,
+ 0x7a,
+ 0x71,
+ 0x1e,
+ 0x0d,
+ 0x4a,
+ 0x34,
+ 0x1a,
+ 0x5b,
+ 0x0a,
+ 0x85,
+ 0xed,
+ 0x12,
+ 0xc1,
+ 0xf4,
+ 0xe5,
+ 0x15,
+ 0x6a,
+ 0x26,
+ 0x74,
+ 0x6d,
+ 0xdd,
+ 0xe1,
+ 0x6d,
+ 0x82,
+ 0x6f,
+ 0x47,
+ 0x7c,
+ 0x97,
+ 0x47,
+ 0x7e,
+ 0x0a,
+ 0x0f,
+ 0xdf,
+ 0x65,
+ 0x53,
+ 0x14,
+ 0x3e,
+ 0x2c,
+ 0xa3,
+ 0xa7,
+ 0x35,
+ 0xe0,
+ 0x2e,
+ 0xcc,
+ 0xd9,
+ 0x4b,
+ 0x27,
+ 0xd0,
+ 0x48,
+ 0x61,
+ 0xd1,
+ 0x11,
+ 0x9d,
+ 0xd0,
+ 0xc3,
+ 0x28,
+ 0xad,
+ 0xf3,
+ 0xf6,
+ 0x8f,
+ 0xb0,
+ 0x94,
+ 0xb8,
+ 0x67,
+ 0x71,
+ 0x6b,
+ 0xd7,
+ 0xdc,
+ 0x0d,
+ 0xee,
+ 0xbb,
+ 0x10,
+ 0xb8,
+ 0x24,
+ 0x0e,
+ 0x68,
+ 0x03,
+ 0x48,
+ 0x93,
+ 0xea,
+ 0xd8,
+ 0x2d,
+ 0x54,
+ 0xc9,
+ 0xda,
+ 0x75,
+ 0x4c,
+ 0x46,
+ 0xc7,
+ 0xee,
+ 0xe0,
+ 0xc3,
+ 0x7f,
+ 0xdb,
+ 0xee,
+ 0x48,
+ 0x53,
+ 0x60,
+ 0x47,
+ 0xa6,
+ 0xfa,
+ 0x1a,
+ 0xe4,
+ 0x9a,
+ 0x03,
+ 0x18,
+ 0xcc,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_tls_4096 */
+static const unsigned char subprime_tls_4096_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xd6,
+ 0xfc,
+ 0x2a,
+ 0x2c,
+ 0x51,
+ 0x5d,
+ 0xa5,
+ 0x4d,
+ 0x57,
+ 0xee,
+ 0x2b,
+ 0x10,
+ 0x13,
+ 0x9e,
+ 0x9e,
+ 0x78,
+ 0xec,
+ 0x5c,
+ 0xe2,
+ 0xc1,
+ 0xe7,
+ 0x16,
+ 0x9b,
+ 0x4a,
+ 0xd4,
+ 0xf0,
+ 0x9b,
+ 0x20,
+ 0x8a,
+ 0x32,
+ 0x19,
+ 0xfd,
+ 0xe6,
+ 0x49,
+ 0xce,
+ 0xe7,
+ 0x12,
+ 0x4d,
+ 0x9f,
+ 0x7c,
+ 0xbe,
+ 0x97,
+ 0xf1,
+ 0xb1,
+ 0xb1,
+ 0x86,
+ 0x3a,
+ 0xec,
+ 0x7b,
+ 0x40,
+ 0xd9,
+ 0x01,
+ 0x57,
+ 0x62,
+ 0x30,
+ 0xbd,
+ 0x69,
+ 0xef,
+ 0x8f,
+ 0x6a,
+ 0xea,
+ 0xfe,
+ 0xb2,
+ 0xb0,
+ 0x92,
+ 0x19,
+ 0xfa,
+ 0x8f,
+ 0xaf,
+ 0x83,
+ 0x37,
+ 0x68,
+ 0x42,
+ 0xb1,
+ 0xb2,
+ 0xaa,
+ 0x9e,
+ 0xf6,
+ 0x8d,
+ 0x79,
+ 0xda,
+ 0xab,
+ 0x89,
+ 0xaf,
+ 0x3f,
+ 0xab,
+ 0xe4,
+ 0x9a,
+ 0xcc,
+ 0x27,
+ 0x86,
+ 0x38,
+ 0x70,
+ 0x73,
+ 0x45,
+ 0xbb,
+ 0xf1,
+ 0x53,
+ 0x44,
+ 0xed,
+ 0x79,
+ 0xf7,
+ 0xf4,
+ 0x39,
+ 0x0e,
+ 0xf8,
+ 0xac,
+ 0x50,
+ 0x9b,
+ 0x56,
+ 0xf3,
+ 0x9a,
+ 0x98,
+ 0x56,
+ 0x65,
+ 0x27,
+ 0xa4,
+ 0x1d,
+ 0x3c,
+ 0xbd,
+ 0x5e,
+ 0x05,
+ 0x58,
+ 0xc1,
+ 0x59,
+ 0x92,
+ 0x7d,
+ 0xb0,
+ 0xe8,
+ 0x84,
+ 0x54,
+ 0xa5,
+ 0xd9,
+ 0x64,
+ 0x71,
+ 0xfd,
+ 0xdc,
+ 0xb5,
+ 0x6d,
+ 0x5b,
+ 0xb0,
+ 0x6b,
+ 0xfa,
+ 0x34,
+ 0x0e,
+ 0xa7,
+ 0xa1,
+ 0x51,
+ 0xef,
+ 0x1c,
+ 0xa6,
+ 0xfa,
+ 0x57,
+ 0x2b,
+ 0x76,
+ 0xf3,
+ 0xb1,
+ 0xb9,
+ 0x5d,
+ 0x8c,
+ 0x85,
+ 0x83,
+ 0xd3,
+ 0xe4,
+ 0x77,
+ 0x05,
+ 0x36,
+ 0xb8,
+ 0x4f,
+ 0x01,
+ 0x7e,
+ 0x70,
+ 0xe6,
+ 0xfb,
+ 0xf1,
+ 0x76,
+ 0x60,
+ 0x1a,
+ 0x02,
+ 0x66,
+ 0x94,
+ 0x1a,
+ 0x17,
+ 0xb0,
+ 0xc8,
+ 0xb9,
+ 0x7f,
+ 0x4e,
+ 0x74,
+ 0xc2,
+ 0xc1,
+ 0xff,
+ 0xc7,
+ 0x27,
+ 0x89,
+ 0x19,
+ 0x77,
+ 0x79,
+ 0x40,
+ 0xc1,
+ 0xe1,
+ 0xff,
+ 0x1d,
+ 0x8d,
+ 0xa6,
+ 0x37,
+ 0xd6,
+ 0xb9,
+ 0x9d,
+ 0xda,
+ 0xfe,
+ 0x5e,
+ 0x17,
+ 0x61,
+ 0x10,
+ 0x02,
+ 0xe2,
+ 0xc7,
+ 0x78,
+ 0xc1,
+ 0xbe,
+ 0x8b,
+ 0x41,
+ 0xd9,
+ 0x63,
+ 0x79,
+ 0xa5,
+ 0x13,
+ 0x60,
+ 0xd9,
+ 0x77,
+ 0xfd,
+ 0x44,
+ 0x35,
+ 0xa1,
+ 0x1c,
+ 0x30,
+ 0x8f,
+ 0xe7,
+ 0xee,
+ 0x6f,
+ 0x1a,
+ 0xad,
+ 0x9d,
+ 0xb2,
+ 0x8c,
+ 0x81,
+ 0xad,
+ 0xde,
+ 0x1a,
+ 0x7a,
+ 0x6f,
+ 0x7c,
+ 0xce,
+ 0x01,
+ 0x1c,
+ 0x30,
+ 0xda,
+ 0x37,
+ 0xe4,
+ 0xeb,
+ 0x73,
+ 0x64,
+ 0x83,
+ 0xbd,
+ 0x6c,
+ 0x8e,
+ 0x93,
+ 0x48,
+ 0xfb,
+ 0xfb,
+ 0xf7,
+ 0x2c,
+ 0xc6,
+ 0x58,
+ 0x7d,
+ 0x60,
+ 0xc3,
+ 0x6c,
+ 0x8e,
+ 0x57,
+ 0x7f,
+ 0x09,
+ 0x84,
+ 0xc2,
+ 0x89,
+ 0xc9,
+ 0x38,
+ 0x5a,
+ 0x09,
+ 0x86,
+ 0x49,
+ 0xde,
+ 0x21,
+ 0xbc,
+ 0xa2,
+ 0x7a,
+ 0x7e,
+ 0xa2,
+ 0x29,
+ 0x71,
+ 0x6b,
+ 0xa6,
+ 0xe9,
+ 0xb2,
+ 0x79,
+ 0x71,
+ 0x0f,
+ 0x38,
+ 0xfa,
+ 0xa5,
+ 0xff,
+ 0xae,
+ 0x57,
+ 0x41,
+ 0x55,
+ 0xce,
+ 0x4e,
+ 0xfb,
+ 0x4f,
+ 0x74,
+ 0x36,
+ 0x95,
+ 0xe2,
+ 0x91,
+ 0x1b,
+ 0x1d,
+ 0x06,
+ 0xd5,
+ 0xe2,
+ 0x90,
+ 0xcb,
+ 0xcd,
+ 0x86,
+ 0xf5,
+ 0x6d,
+ 0x0e,
+ 0xdf,
+ 0xcd,
+ 0x21,
+ 0x6a,
+ 0xe2,
+ 0x24,
+ 0x27,
+ 0x05,
+ 0x5e,
+ 0x68,
+ 0x35,
+ 0xfd,
+ 0x29,
+ 0xee,
+ 0xf7,
+ 0x9e,
+ 0x0d,
+ 0x90,
+ 0x77,
+ 0x1f,
+ 0xea,
+ 0xce,
+ 0xbe,
+ 0x12,
+ 0xf2,
+ 0x0e,
+ 0x95,
+ 0xb3,
+ 0x4f,
+ 0x0f,
+ 0x78,
+ 0xb7,
+ 0x37,
+ 0xa9,
+ 0x61,
+ 0x8b,
+ 0x26,
+ 0xfa,
+ 0x7d,
+ 0xbc,
+ 0x98,
+ 0x74,
+ 0xf2,
+ 0x72,
+ 0xc4,
+ 0x2b,
+ 0xdb,
+ 0x56,
+ 0x3e,
+ 0xaf,
+ 0xa1,
+ 0x6b,
+ 0x4f,
+ 0xb6,
+ 0x8c,
+ 0x3b,
+ 0xb1,
+ 0xe7,
+ 0x8e,
+ 0xaa,
+ 0x81,
+ 0xa0,
+ 0x02,
+ 0x43,
+ 0xfa,
+ 0xad,
+ 0xd2,
+ 0xbf,
+ 0x18,
+ 0xe6,
+ 0x3d,
+ 0x38,
+ 0x9a,
+ 0xe4,
+ 0x43,
+ 0x77,
+ 0xda,
+ 0x18,
+ 0xc5,
+ 0x76,
+ 0xb5,
+ 0x0f,
+ 0x00,
+ 0x96,
+ 0xcf,
+ 0x34,
+ 0x19,
+ 0x54,
+ 0x83,
+ 0xb0,
+ 0x05,
+ 0x48,
+ 0xc0,
+ 0x98,
+ 0x62,
+ 0x36,
+ 0xe3,
+ 0xbc,
+ 0x7c,
+ 0xb8,
+ 0xd6,
+ 0x80,
+ 0x1c,
+ 0x04,
+ 0x94,
+ 0xcc,
+ 0xd1,
+ 0x99,
+ 0xe5,
+ 0xc5,
+ 0xbd,
+ 0x0d,
+ 0x0e,
+ 0xdc,
+ 0x9e,
+ 0xb8,
+ 0xa0,
+ 0x00,
+ 0x1e,
+ 0x15,
+ 0x27,
+ 0x67,
+ 0x54,
+ 0xfc,
+ 0xc6,
+ 0x85,
+ 0x66,
+ 0x05,
+ 0x41,
+ 0x48,
+ 0xe6,
+ 0xe7,
+ 0x64,
+ 0xbe,
+ 0xe7,
+ 0xc7,
+ 0x64,
+ 0xda,
+ 0xad,
+ 0x3f,
+ 0xc4,
+ 0x52,
+ 0x35,
+ 0xa6,
+ 0xda,
+ 0xd4,
+ 0x28,
+ 0xfa,
+ 0x20,
+ 0xc1,
+ 0x70,
+ 0xe3,
+ 0x45,
+ 0x00,
+ 0x3f,
+ 0x2f,
+ 0x32,
+ 0xaf,
+ 0xb5,
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_ike_6144 */
+static const unsigned char subprime_ike_6144_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xe4,
+ 0x87,
+ 0xed,
+ 0x51,
+ 0x10,
+ 0xb4,
+ 0x61,
+ 0x1a,
+ 0x62,
+ 0x63,
+ 0x31,
+ 0x45,
+ 0xc0,
+ 0x6e,
+ 0x0e,
+ 0x68,
+ 0x94,
+ 0x81,
+ 0x27,
+ 0x04,
+ 0x45,
+ 0x33,
+ 0xe6,
+ 0x3a,
+ 0x01,
+ 0x05,
+ 0xdf,
+ 0x53,
+ 0x1d,
+ 0x89,
+ 0xcd,
+ 0x91,
+ 0x28,
+ 0xa5,
+ 0x04,
+ 0x3c,
+ 0xc7,
+ 0x1a,
+ 0x02,
+ 0x6e,
+ 0xf7,
+ 0xca,
+ 0x8c,
+ 0xd9,
+ 0xe6,
+ 0x9d,
+ 0x21,
+ 0x8d,
+ 0x98,
+ 0x15,
+ 0x85,
+ 0x36,
+ 0xf9,
+ 0x2f,
+ 0x8a,
+ 0x1b,
+ 0xa7,
+ 0xf0,
+ 0x9a,
+ 0xb6,
+ 0xb6,
+ 0xa8,
+ 0xe1,
+ 0x22,
+ 0xf2,
+ 0x42,
+ 0xda,
+ 0xbb,
+ 0x31,
+ 0x2f,
+ 0x3f,
+ 0x63,
+ 0x7a,
+ 0x26,
+ 0x21,
+ 0x74,
+ 0xd3,
+ 0x1b,
+ 0xf6,
+ 0xb5,
+ 0x85,
+ 0xff,
+ 0xae,
+ 0x5b,
+ 0x7a,
+ 0x03,
+ 0x5b,
+ 0xf6,
+ 0xf7,
+ 0x1c,
+ 0x35,
+ 0xfd,
+ 0xad,
+ 0x44,
+ 0xcf,
+ 0xd2,
+ 0xd7,
+ 0x4f,
+ 0x92,
+ 0x08,
+ 0xbe,
+ 0x25,
+ 0x8f,
+ 0xf3,
+ 0x24,
+ 0x94,
+ 0x33,
+ 0x28,
+ 0xf6,
+ 0x72,
+ 0x2d,
+ 0x9e,
+ 0xe1,
+ 0x00,
+ 0x3e,
+ 0x5c,
+ 0x50,
+ 0xb1,
+ 0xdf,
+ 0x82,
+ 0xcc,
+ 0x6d,
+ 0x24,
+ 0x1b,
+ 0x0e,
+ 0x2a,
+ 0xe9,
+ 0xcd,
+ 0x34,
+ 0x8b,
+ 0x1f,
+ 0xd4,
+ 0x7e,
+ 0x92,
+ 0x67,
+ 0xaf,
+ 0xc1,
+ 0xb2,
+ 0xae,
+ 0x91,
+ 0xee,
+ 0x51,
+ 0xd6,
+ 0xcb,
+ 0x0e,
+ 0x31,
+ 0x79,
+ 0xab,
+ 0x10,
+ 0x42,
+ 0xa9,
+ 0x5d,
+ 0xcf,
+ 0x6a,
+ 0x94,
+ 0x83,
+ 0xb8,
+ 0x4b,
+ 0x4b,
+ 0x36,
+ 0xb3,
+ 0x86,
+ 0x1a,
+ 0xa7,
+ 0x25,
+ 0x5e,
+ 0x4c,
+ 0x02,
+ 0x78,
+ 0xba,
+ 0x36,
+ 0x04,
+ 0x65,
+ 0x0c,
+ 0x10,
+ 0xbe,
+ 0x19,
+ 0x48,
+ 0x2f,
+ 0x23,
+ 0x17,
+ 0x1b,
+ 0x67,
+ 0x1d,
+ 0xf1,
+ 0xcf,
+ 0x3b,
+ 0x96,
+ 0x0c,
+ 0x07,
+ 0x43,
+ 0x01,
+ 0xcd,
+ 0x93,
+ 0xc1,
+ 0xd1,
+ 0x76,
+ 0x03,
+ 0xd1,
+ 0x47,
+ 0xda,
+ 0xe2,
+ 0xae,
+ 0xf8,
+ 0x37,
+ 0xa6,
+ 0x29,
+ 0x64,
+ 0xef,
+ 0x15,
+ 0xe5,
+ 0xfb,
+ 0x4a,
+ 0xac,
+ 0x0b,
+ 0x8c,
+ 0x1c,
+ 0xca,
+ 0xa4,
+ 0xbe,
+ 0x75,
+ 0x4a,
+ 0xb5,
+ 0x72,
+ 0x8a,
+ 0xe9,
+ 0x13,
+ 0x0c,
+ 0x4c,
+ 0x7d,
+ 0x02,
+ 0x88,
+ 0x0a,
+ 0xb9,
+ 0x47,
+ 0x2d,
+ 0x45,
+ 0x55,
+ 0x62,
+ 0x16,
+ 0xd6,
+ 0x99,
+ 0x8b,
+ 0x86,
+ 0x82,
+ 0x28,
+ 0x3d,
+ 0x19,
+ 0xd4,
+ 0x2a,
+ 0x90,
+ 0xd5,
+ 0xef,
+ 0x8e,
+ 0x5d,
+ 0x32,
+ 0x76,
+ 0x7d,
+ 0xc2,
+ 0x82,
+ 0x2c,
+ 0x6d,
+ 0xf7,
+ 0x85,
+ 0x45,
+ 0x75,
+ 0x38,
+ 0xab,
+ 0xae,
+ 0x83,
+ 0x06,
+ 0x3e,
+ 0xd9,
+ 0xcb,
+ 0x87,
+ 0xc2,
+ 0xd3,
+ 0x70,
+ 0xf2,
+ 0x63,
+ 0xd5,
+ 0xfa,
+ 0xd7,
+ 0x46,
+ 0x6d,
+ 0x84,
+ 0x99,
+ 0xeb,
+ 0x8f,
+ 0x46,
+ 0x4a,
+ 0x70,
+ 0x25,
+ 0x12,
+ 0xb0,
+ 0xce,
+ 0xe7,
+ 0x71,
+ 0xe9,
+ 0x13,
+ 0x0d,
+ 0x69,
+ 0x77,
+ 0x35,
+ 0xf8,
+ 0x97,
+ 0xfd,
+ 0x03,
+ 0x6c,
+ 0xc5,
+ 0x04,
+ 0x32,
+ 0x6c,
+ 0x3b,
+ 0x01,
+ 0x39,
+ 0x9f,
+ 0x64,
+ 0x35,
+ 0x32,
+ 0x29,
+ 0x0f,
+ 0x95,
+ 0x8c,
+ 0x0b,
+ 0xbd,
+ 0x90,
+ 0x06,
+ 0x5d,
+ 0xf0,
+ 0x8b,
+ 0xab,
+ 0xbd,
+ 0x30,
+ 0xae,
+ 0xb6,
+ 0x3b,
+ 0x84,
+ 0xc4,
+ 0x60,
+ 0x5d,
+ 0x6c,
+ 0xa3,
+ 0x71,
+ 0x04,
+ 0x71,
+ 0x27,
+ 0xd0,
+ 0x3a,
+ 0x72,
+ 0xd5,
+ 0x98,
+ 0xa1,
+ 0xed,
+ 0xad,
+ 0xfe,
+ 0x70,
+ 0x7e,
+ 0x88,
+ 0x47,
+ 0x25,
+ 0xc1,
+ 0x68,
+ 0x90,
+ 0x54,
+ 0x90,
+ 0x84,
+ 0x00,
+ 0x8d,
+ 0x39,
+ 0x1e,
+ 0x09,
+ 0x53,
+ 0xc3,
+ 0xf3,
+ 0x6b,
+ 0xc4,
+ 0x38,
+ 0xcd,
+ 0x08,
+ 0x5e,
+ 0xdd,
+ 0x2d,
+ 0x93,
+ 0x4c,
+ 0xe1,
+ 0x93,
+ 0x8c,
+ 0x35,
+ 0x7a,
+ 0x71,
+ 0x1e,
+ 0x0d,
+ 0x4a,
+ 0x34,
+ 0x1a,
+ 0x5b,
+ 0x0a,
+ 0x85,
+ 0xed,
+ 0x12,
+ 0xc1,
+ 0xf4,
+ 0xe5,
+ 0x15,
+ 0x6a,
+ 0x26,
+ 0x74,
+ 0x6d,
+ 0xdd,
+ 0xe1,
+ 0x6d,
+ 0x82,
+ 0x6f,
+ 0x47,
+ 0x7c,
+ 0x97,
+ 0x47,
+ 0x7e,
+ 0x0a,
+ 0x0f,
+ 0xdf,
+ 0x65,
+ 0x53,
+ 0x14,
+ 0x3e,
+ 0x2c,
+ 0xa3,
+ 0xa7,
+ 0x35,
+ 0xe0,
+ 0x2e,
+ 0xcc,
+ 0xd9,
+ 0x4b,
+ 0x27,
+ 0xd0,
+ 0x48,
+ 0x61,
+ 0xd1,
+ 0x11,
+ 0x9d,
+ 0xd0,
+ 0xc3,
+ 0x28,
+ 0xad,
+ 0xf3,
+ 0xf6,
+ 0x8f,
+ 0xb0,
+ 0x94,
+ 0xb8,
+ 0x67,
+ 0x71,
+ 0x6b,
+ 0xd7,
+ 0xdc,
+ 0x0d,
+ 0xee,
+ 0xbb,
+ 0x10,
+ 0xb8,
+ 0x24,
+ 0x0e,
+ 0x68,
+ 0x03,
+ 0x48,
+ 0x93,
+ 0xea,
+ 0xd8,
+ 0x2d,
+ 0x54,
+ 0xc9,
+ 0xda,
+ 0x75,
+ 0x4c,
+ 0x46,
+ 0xc7,
+ 0xee,
+ 0xe0,
+ 0xc3,
+ 0x7f,
+ 0xdb,
+ 0xee,
+ 0x48,
+ 0x53,
+ 0x60,
+ 0x47,
+ 0xa6,
+ 0xfa,
+ 0x1a,
+ 0xe4,
+ 0x9a,
+ 0x01,
+ 0x42,
+ 0x49,
+ 0x1b,
+ 0x61,
+ 0xfd,
+ 0x5a,
+ 0x69,
+ 0x3e,
+ 0x38,
+ 0x13,
+ 0x60,
+ 0xea,
+ 0x6e,
+ 0x59,
+ 0x30,
+ 0x13,
+ 0x23,
+ 0x6f,
+ 0x64,
+ 0xba,
+ 0x8f,
+ 0x3b,
+ 0x1e,
+ 0xdd,
+ 0x1b,
+ 0xde,
+ 0xfc,
+ 0x7f,
+ 0xca,
+ 0x03,
+ 0x56,
+ 0xcf,
+ 0x29,
+ 0x87,
+ 0x72,
+ 0xed,
+ 0x9c,
+ 0x17,
+ 0xa0,
+ 0x98,
+ 0x00,
+ 0xd7,
+ 0x58,
+ 0x35,
+ 0x29,
+ 0xf6,
+ 0xc8,
+ 0x13,
+ 0xec,
+ 0x18,
+ 0x8b,
+ 0xcb,
+ 0x93,
+ 0xd8,
+ 0x43,
+ 0x2d,
+ 0x44,
+ 0x8c,
+ 0x6d,
+ 0x1f,
+ 0x6d,
+ 0xf5,
+ 0xe7,
+ 0xcd,
+ 0x8a,
+ 0x76,
+ 0xa2,
+ 0x67,
+ 0x36,
+ 0x5d,
+ 0x67,
+ 0x6a,
+ 0x5d,
+ 0x8d,
+ 0xed,
+ 0xbf,
+ 0x8a,
+ 0x23,
+ 0xf3,
+ 0x66,
+ 0x12,
+ 0xa5,
+ 0x99,
+ 0x90,
+ 0x28,
+ 0xa8,
+ 0x95,
+ 0xeb,
+ 0xd7,
+ 0xa1,
+ 0x37,
+ 0xdc,
+ 0x7a,
+ 0x00,
+ 0x9b,
+ 0xc6,
+ 0x69,
+ 0x5f,
+ 0xac,
+ 0xc1,
+ 0xe5,
+ 0x00,
+ 0xe3,
+ 0x25,
+ 0xc9,
+ 0x76,
+ 0x78,
+ 0x19,
+ 0x75,
+ 0x0a,
+ 0xe8,
+ 0xb9,
+ 0x0e,
+ 0x81,
+ 0xfa,
+ 0x41,
+ 0x6b,
+ 0xe7,
+ 0x37,
+ 0x3a,
+ 0x7f,
+ 0x7b,
+ 0x6a,
+ 0xaf,
+ 0x38,
+ 0x17,
+ 0xa3,
+ 0x4c,
+ 0x06,
+ 0x41,
+ 0x5a,
+ 0xd4,
+ 0x20,
+ 0x18,
+ 0xc8,
+ 0x05,
+ 0x8e,
+ 0x4f,
+ 0x2c,
+ 0xf3,
+ 0xe4,
+ 0xbf,
+ 0xdf,
+ 0x63,
+ 0xf4,
+ 0x79,
+ 0x91,
+ 0xd4,
+ 0xbd,
+ 0x3f,
+ 0x1b,
+ 0x66,
+ 0x44,
+ 0x5f,
+ 0x07,
+ 0x8e,
+ 0xa2,
+ 0xdb,
+ 0xff,
+ 0xac,
+ 0x2d,
+ 0x62,
+ 0xa5,
+ 0xea,
+ 0x03,
+ 0xd9,
+ 0x15,
+ 0xa0,
+ 0xaa,
+ 0x55,
+ 0x66,
+ 0x47,
+ 0xb6,
+ 0xbf,
+ 0x5f,
+ 0xa4,
+ 0x70,
+ 0xec,
+ 0x0a,
+ 0x66,
+ 0x2f,
+ 0x69,
+ 0x07,
+ 0xc0,
+ 0x1b,
+ 0xf0,
+ 0x53,
+ 0xcb,
+ 0x8a,
+ 0xf7,
+ 0x79,
+ 0x4d,
+ 0xf1,
+ 0x94,
+ 0x03,
+ 0x50,
+ 0xea,
+ 0xc5,
+ 0xdb,
+ 0xe2,
+ 0xed,
+ 0x3b,
+ 0x7a,
+ 0xa8,
+ 0x55,
+ 0x1e,
+ 0xc5,
+ 0x0f,
+ 0xdf,
+ 0xf8,
+ 0x75,
+ 0x8c,
+ 0xe6,
+ 0x58,
+ 0xd1,
+ 0x89,
+ 0xea,
+ 0xae,
+ 0x6d,
+ 0x2b,
+ 0x64,
+ 0xf6,
+ 0x17,
+ 0x79,
+ 0x4b,
+ 0x19,
+ 0x1c,
+ 0x3f,
+ 0xf4,
+ 0x6b,
+ 0xb7,
+ 0x1e,
+ 0x02,
+ 0x34,
+ 0x02,
+ 0x1f,
+ 0x47,
+ 0xb3,
+ 0x1f,
+ 0xa4,
+ 0x30,
+ 0x77,
+ 0x09,
+ 0x5f,
+ 0x96,
+ 0xad,
+ 0x85,
+ 0xba,
+ 0x3a,
+ 0x6b,
+ 0x73,
+ 0x4a,
+ 0x7c,
+ 0x8f,
+ 0x36,
+ 0xe6,
+ 0x20,
+ 0x12,
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_tls_6144 */
+static const unsigned char subprime_tls_6144_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xd6,
+ 0xfc,
+ 0x2a,
+ 0x2c,
+ 0x51,
+ 0x5d,
+ 0xa5,
+ 0x4d,
+ 0x57,
+ 0xee,
+ 0x2b,
+ 0x10,
+ 0x13,
+ 0x9e,
+ 0x9e,
+ 0x78,
+ 0xec,
+ 0x5c,
+ 0xe2,
+ 0xc1,
+ 0xe7,
+ 0x16,
+ 0x9b,
+ 0x4a,
+ 0xd4,
+ 0xf0,
+ 0x9b,
+ 0x20,
+ 0x8a,
+ 0x32,
+ 0x19,
+ 0xfd,
+ 0xe6,
+ 0x49,
+ 0xce,
+ 0xe7,
+ 0x12,
+ 0x4d,
+ 0x9f,
+ 0x7c,
+ 0xbe,
+ 0x97,
+ 0xf1,
+ 0xb1,
+ 0xb1,
+ 0x86,
+ 0x3a,
+ 0xec,
+ 0x7b,
+ 0x40,
+ 0xd9,
+ 0x01,
+ 0x57,
+ 0x62,
+ 0x30,
+ 0xbd,
+ 0x69,
+ 0xef,
+ 0x8f,
+ 0x6a,
+ 0xea,
+ 0xfe,
+ 0xb2,
+ 0xb0,
+ 0x92,
+ 0x19,
+ 0xfa,
+ 0x8f,
+ 0xaf,
+ 0x83,
+ 0x37,
+ 0x68,
+ 0x42,
+ 0xb1,
+ 0xb2,
+ 0xaa,
+ 0x9e,
+ 0xf6,
+ 0x8d,
+ 0x79,
+ 0xda,
+ 0xab,
+ 0x89,
+ 0xaf,
+ 0x3f,
+ 0xab,
+ 0xe4,
+ 0x9a,
+ 0xcc,
+ 0x27,
+ 0x86,
+ 0x38,
+ 0x70,
+ 0x73,
+ 0x45,
+ 0xbb,
+ 0xf1,
+ 0x53,
+ 0x44,
+ 0xed,
+ 0x79,
+ 0xf7,
+ 0xf4,
+ 0x39,
+ 0x0e,
+ 0xf8,
+ 0xac,
+ 0x50,
+ 0x9b,
+ 0x56,
+ 0xf3,
+ 0x9a,
+ 0x98,
+ 0x56,
+ 0x65,
+ 0x27,
+ 0xa4,
+ 0x1d,
+ 0x3c,
+ 0xbd,
+ 0x5e,
+ 0x05,
+ 0x58,
+ 0xc1,
+ 0x59,
+ 0x92,
+ 0x7d,
+ 0xb0,
+ 0xe8,
+ 0x84,
+ 0x54,
+ 0xa5,
+ 0xd9,
+ 0x64,
+ 0x71,
+ 0xfd,
+ 0xdc,
+ 0xb5,
+ 0x6d,
+ 0x5b,
+ 0xb0,
+ 0x6b,
+ 0xfa,
+ 0x34,
+ 0x0e,
+ 0xa7,
+ 0xa1,
+ 0x51,
+ 0xef,
+ 0x1c,
+ 0xa6,
+ 0xfa,
+ 0x57,
+ 0x2b,
+ 0x76,
+ 0xf3,
+ 0xb1,
+ 0xb9,
+ 0x5d,
+ 0x8c,
+ 0x85,
+ 0x83,
+ 0xd3,
+ 0xe4,
+ 0x77,
+ 0x05,
+ 0x36,
+ 0xb8,
+ 0x4f,
+ 0x01,
+ 0x7e,
+ 0x70,
+ 0xe6,
+ 0xfb,
+ 0xf1,
+ 0x76,
+ 0x60,
+ 0x1a,
+ 0x02,
+ 0x66,
+ 0x94,
+ 0x1a,
+ 0x17,
+ 0xb0,
+ 0xc8,
+ 0xb9,
+ 0x7f,
+ 0x4e,
+ 0x74,
+ 0xc2,
+ 0xc1,
+ 0xff,
+ 0xc7,
+ 0x27,
+ 0x89,
+ 0x19,
+ 0x77,
+ 0x79,
+ 0x40,
+ 0xc1,
+ 0xe1,
+ 0xff,
+ 0x1d,
+ 0x8d,
+ 0xa6,
+ 0x37,
+ 0xd6,
+ 0xb9,
+ 0x9d,
+ 0xda,
+ 0xfe,
+ 0x5e,
+ 0x17,
+ 0x61,
+ 0x10,
+ 0x02,
+ 0xe2,
+ 0xc7,
+ 0x78,
+ 0xc1,
+ 0xbe,
+ 0x8b,
+ 0x41,
+ 0xd9,
+ 0x63,
+ 0x79,
+ 0xa5,
+ 0x13,
+ 0x60,
+ 0xd9,
+ 0x77,
+ 0xfd,
+ 0x44,
+ 0x35,
+ 0xa1,
+ 0x1c,
+ 0x30,
+ 0x8f,
+ 0xe7,
+ 0xee,
+ 0x6f,
+ 0x1a,
+ 0xad,
+ 0x9d,
+ 0xb2,
+ 0x8c,
+ 0x81,
+ 0xad,
+ 0xde,
+ 0x1a,
+ 0x7a,
+ 0x6f,
+ 0x7c,
+ 0xce,
+ 0x01,
+ 0x1c,
+ 0x30,
+ 0xda,
+ 0x37,
+ 0xe4,
+ 0xeb,
+ 0x73,
+ 0x64,
+ 0x83,
+ 0xbd,
+ 0x6c,
+ 0x8e,
+ 0x93,
+ 0x48,
+ 0xfb,
+ 0xfb,
+ 0xf7,
+ 0x2c,
+ 0xc6,
+ 0x58,
+ 0x7d,
+ 0x60,
+ 0xc3,
+ 0x6c,
+ 0x8e,
+ 0x57,
+ 0x7f,
+ 0x09,
+ 0x84,
+ 0xc2,
+ 0x89,
+ 0xc9,
+ 0x38,
+ 0x5a,
+ 0x09,
+ 0x86,
+ 0x49,
+ 0xde,
+ 0x21,
+ 0xbc,
+ 0xa2,
+ 0x7a,
+ 0x7e,
+ 0xa2,
+ 0x29,
+ 0x71,
+ 0x6b,
+ 0xa6,
+ 0xe9,
+ 0xb2,
+ 0x79,
+ 0x71,
+ 0x0f,
+ 0x38,
+ 0xfa,
+ 0xa5,
+ 0xff,
+ 0xae,
+ 0x57,
+ 0x41,
+ 0x55,
+ 0xce,
+ 0x4e,
+ 0xfb,
+ 0x4f,
+ 0x74,
+ 0x36,
+ 0x95,
+ 0xe2,
+ 0x91,
+ 0x1b,
+ 0x1d,
+ 0x06,
+ 0xd5,
+ 0xe2,
+ 0x90,
+ 0xcb,
+ 0xcd,
+ 0x86,
+ 0xf5,
+ 0x6d,
+ 0x0e,
+ 0xdf,
+ 0xcd,
+ 0x21,
+ 0x6a,
+ 0xe2,
+ 0x24,
+ 0x27,
+ 0x05,
+ 0x5e,
+ 0x68,
+ 0x35,
+ 0xfd,
+ 0x29,
+ 0xee,
+ 0xf7,
+ 0x9e,
+ 0x0d,
+ 0x90,
+ 0x77,
+ 0x1f,
+ 0xea,
+ 0xce,
+ 0xbe,
+ 0x12,
+ 0xf2,
+ 0x0e,
+ 0x95,
+ 0xb3,
+ 0x4f,
+ 0x0f,
+ 0x78,
+ 0xb7,
+ 0x37,
+ 0xa9,
+ 0x61,
+ 0x8b,
+ 0x26,
+ 0xfa,
+ 0x7d,
+ 0xbc,
+ 0x98,
+ 0x74,
+ 0xf2,
+ 0x72,
+ 0xc4,
+ 0x2b,
+ 0xdb,
+ 0x56,
+ 0x3e,
+ 0xaf,
+ 0xa1,
+ 0x6b,
+ 0x4f,
+ 0xb6,
+ 0x8c,
+ 0x3b,
+ 0xb1,
+ 0xe7,
+ 0x8e,
+ 0xaa,
+ 0x81,
+ 0xa0,
+ 0x02,
+ 0x43,
+ 0xfa,
+ 0xad,
+ 0xd2,
+ 0xbf,
+ 0x18,
+ 0xe6,
+ 0x3d,
+ 0x38,
+ 0x9a,
+ 0xe4,
+ 0x43,
+ 0x77,
+ 0xda,
+ 0x18,
+ 0xc5,
+ 0x76,
+ 0xb5,
+ 0x0f,
+ 0x00,
+ 0x96,
+ 0xcf,
+ 0x34,
+ 0x19,
+ 0x54,
+ 0x83,
+ 0xb0,
+ 0x05,
+ 0x48,
+ 0xc0,
+ 0x98,
+ 0x62,
+ 0x36,
+ 0xe3,
+ 0xbc,
+ 0x7c,
+ 0xb8,
+ 0xd6,
+ 0x80,
+ 0x1c,
+ 0x04,
+ 0x94,
+ 0xcc,
+ 0xd1,
+ 0x99,
+ 0xe5,
+ 0xc5,
+ 0xbd,
+ 0x0d,
+ 0x0e,
+ 0xdc,
+ 0x9e,
+ 0xb8,
+ 0xa0,
+ 0x00,
+ 0x1e,
+ 0x15,
+ 0x27,
+ 0x67,
+ 0x54,
+ 0xfc,
+ 0xc6,
+ 0x85,
+ 0x66,
+ 0x05,
+ 0x41,
+ 0x48,
+ 0xe6,
+ 0xe7,
+ 0x64,
+ 0xbe,
+ 0xe7,
+ 0xc7,
+ 0x64,
+ 0xda,
+ 0xad,
+ 0x3f,
+ 0xc4,
+ 0x52,
+ 0x35,
+ 0xa6,
+ 0xda,
+ 0xd4,
+ 0x28,
+ 0xfa,
+ 0x20,
+ 0xc1,
+ 0x70,
+ 0xe3,
+ 0x45,
+ 0x00,
+ 0x3f,
+ 0x2f,
+ 0x06,
+ 0xec,
+ 0x81,
+ 0x05,
+ 0xfe,
+ 0xb2,
+ 0x5b,
+ 0x22,
+ 0x81,
+ 0xb6,
+ 0x3d,
+ 0x27,
+ 0x33,
+ 0xbe,
+ 0x96,
+ 0x1c,
+ 0x29,
+ 0x95,
+ 0x1d,
+ 0x11,
+ 0xdd,
+ 0x22,
+ 0x21,
+ 0x65,
+ 0x7a,
+ 0x9f,
+ 0x53,
+ 0x1d,
+ 0xda,
+ 0x2a,
+ 0x19,
+ 0x4d,
+ 0xbb,
+ 0x12,
+ 0x64,
+ 0x48,
+ 0xbd,
+ 0xee,
+ 0xb2,
+ 0x58,
+ 0xe0,
+ 0x7e,
+ 0xa6,
+ 0x59,
+ 0xc7,
+ 0x46,
+ 0x19,
+ 0xa6,
+ 0x38,
+ 0x0e,
+ 0x1d,
+ 0x66,
+ 0xd6,
+ 0x83,
+ 0x2b,
+ 0xfe,
+ 0x67,
+ 0xf6,
+ 0x38,
+ 0xcd,
+ 0x8f,
+ 0xae,
+ 0x1f,
+ 0x27,
+ 0x23,
+ 0x02,
+ 0x0f,
+ 0x9c,
+ 0x40,
+ 0xa3,
+ 0xfd,
+ 0xa6,
+ 0x7e,
+ 0xda,
+ 0x3b,
+ 0xd2,
+ 0x92,
+ 0x38,
+ 0xfb,
+ 0xd4,
+ 0xd4,
+ 0xb4,
+ 0x88,
+ 0x5c,
+ 0x2a,
+ 0x99,
+ 0x17,
+ 0x6d,
+ 0xb1,
+ 0xa0,
+ 0x6c,
+ 0x50,
+ 0x07,
+ 0x78,
+ 0x49,
+ 0x1a,
+ 0x82,
+ 0x88,
+ 0xf1,
+ 0x85,
+ 0x5f,
+ 0x60,
+ 0xff,
+ 0xfc,
+ 0xf1,
+ 0xd1,
+ 0x37,
+ 0x3f,
+ 0xd9,
+ 0x4f,
+ 0xc6,
+ 0x0c,
+ 0x18,
+ 0x11,
+ 0xe1,
+ 0xac,
+ 0x3f,
+ 0x1c,
+ 0x6d,
+ 0x00,
+ 0x3b,
+ 0xec,
+ 0xda,
+ 0x3b,
+ 0x1f,
+ 0x27,
+ 0x25,
+ 0xca,
+ 0x59,
+ 0x5d,
+ 0xe0,
+ 0xca,
+ 0x63,
+ 0x32,
+ 0x8f,
+ 0x3b,
+ 0xe5,
+ 0x7c,
+ 0xc9,
+ 0x77,
+ 0x55,
+ 0x60,
+ 0x11,
+ 0x95,
+ 0x14,
+ 0x0d,
+ 0xfb,
+ 0x59,
+ 0xd3,
+ 0x9c,
+ 0xe0,
+ 0x91,
+ 0x30,
+ 0x8b,
+ 0x41,
+ 0x05,
+ 0x74,
+ 0x6d,
+ 0xac,
+ 0x23,
+ 0xd3,
+ 0x3e,
+ 0x5f,
+ 0x7c,
+ 0xe4,
+ 0x84,
+ 0x8d,
+ 0xa3,
+ 0x16,
+ 0xa9,
+ 0xc6,
+ 0x6b,
+ 0x95,
+ 0x81,
+ 0xba,
+ 0x35,
+ 0x73,
+ 0xbf,
+ 0xaf,
+ 0x31,
+ 0x14,
+ 0x96,
+ 0x18,
+ 0x8a,
+ 0xb1,
+ 0x54,
+ 0x23,
+ 0x28,
+ 0x2e,
+ 0xe4,
+ 0x16,
+ 0xdc,
+ 0x2a,
+ 0x19,
+ 0xc5,
+ 0x72,
+ 0x4f,
+ 0xa9,
+ 0x1a,
+ 0xe4,
+ 0xad,
+ 0xc8,
+ 0x8b,
+ 0xc6,
+ 0x67,
+ 0x96,
+ 0xea,
+ 0xe5,
+ 0x67,
+ 0x7a,
+ 0x01,
+ 0xf6,
+ 0x4e,
+ 0x8c,
+ 0x08,
+ 0x63,
+ 0x13,
+ 0x95,
+ 0x82,
+ 0x2d,
+ 0x9d,
+ 0xb8,
+ 0xfc,
+ 0xee,
+ 0x35,
+ 0xc0,
+ 0x6b,
+ 0x1f,
+ 0xee,
+ 0xa5,
+ 0x47,
+ 0x4d,
+ 0x6d,
+ 0x8f,
+ 0x34,
+ 0xb1,
+ 0x53,
+ 0x4a,
+ 0x93,
+ 0x6a,
+ 0x18,
+ 0xb0,
+ 0xe0,
+ 0xd2,
+ 0x0e,
+ 0xab,
+ 0x86,
+ 0xbc,
+ 0x9c,
+ 0x6d,
+ 0x6a,
+ 0x52,
+ 0x07,
+ 0x19,
+ 0x4e,
+ 0x68,
+ 0x72,
+ 0x07,
+ 0x32,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_ike_8192 */
+static const unsigned char subprime_ike_8192_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xe4,
+ 0x87,
+ 0xed,
+ 0x51,
+ 0x10,
+ 0xb4,
+ 0x61,
+ 0x1a,
+ 0x62,
+ 0x63,
+ 0x31,
+ 0x45,
+ 0xc0,
+ 0x6e,
+ 0x0e,
+ 0x68,
+ 0x94,
+ 0x81,
+ 0x27,
+ 0x04,
+ 0x45,
+ 0x33,
+ 0xe6,
+ 0x3a,
+ 0x01,
+ 0x05,
+ 0xdf,
+ 0x53,
+ 0x1d,
+ 0x89,
+ 0xcd,
+ 0x91,
+ 0x28,
+ 0xa5,
+ 0x04,
+ 0x3c,
+ 0xc7,
+ 0x1a,
+ 0x02,
+ 0x6e,
+ 0xf7,
+ 0xca,
+ 0x8c,
+ 0xd9,
+ 0xe6,
+ 0x9d,
+ 0x21,
+ 0x8d,
+ 0x98,
+ 0x15,
+ 0x85,
+ 0x36,
+ 0xf9,
+ 0x2f,
+ 0x8a,
+ 0x1b,
+ 0xa7,
+ 0xf0,
+ 0x9a,
+ 0xb6,
+ 0xb6,
+ 0xa8,
+ 0xe1,
+ 0x22,
+ 0xf2,
+ 0x42,
+ 0xda,
+ 0xbb,
+ 0x31,
+ 0x2f,
+ 0x3f,
+ 0x63,
+ 0x7a,
+ 0x26,
+ 0x21,
+ 0x74,
+ 0xd3,
+ 0x1b,
+ 0xf6,
+ 0xb5,
+ 0x85,
+ 0xff,
+ 0xae,
+ 0x5b,
+ 0x7a,
+ 0x03,
+ 0x5b,
+ 0xf6,
+ 0xf7,
+ 0x1c,
+ 0x35,
+ 0xfd,
+ 0xad,
+ 0x44,
+ 0xcf,
+ 0xd2,
+ 0xd7,
+ 0x4f,
+ 0x92,
+ 0x08,
+ 0xbe,
+ 0x25,
+ 0x8f,
+ 0xf3,
+ 0x24,
+ 0x94,
+ 0x33,
+ 0x28,
+ 0xf6,
+ 0x72,
+ 0x2d,
+ 0x9e,
+ 0xe1,
+ 0x00,
+ 0x3e,
+ 0x5c,
+ 0x50,
+ 0xb1,
+ 0xdf,
+ 0x82,
+ 0xcc,
+ 0x6d,
+ 0x24,
+ 0x1b,
+ 0x0e,
+ 0x2a,
+ 0xe9,
+ 0xcd,
+ 0x34,
+ 0x8b,
+ 0x1f,
+ 0xd4,
+ 0x7e,
+ 0x92,
+ 0x67,
+ 0xaf,
+ 0xc1,
+ 0xb2,
+ 0xae,
+ 0x91,
+ 0xee,
+ 0x51,
+ 0xd6,
+ 0xcb,
+ 0x0e,
+ 0x31,
+ 0x79,
+ 0xab,
+ 0x10,
+ 0x42,
+ 0xa9,
+ 0x5d,
+ 0xcf,
+ 0x6a,
+ 0x94,
+ 0x83,
+ 0xb8,
+ 0x4b,
+ 0x4b,
+ 0x36,
+ 0xb3,
+ 0x86,
+ 0x1a,
+ 0xa7,
+ 0x25,
+ 0x5e,
+ 0x4c,
+ 0x02,
+ 0x78,
+ 0xba,
+ 0x36,
+ 0x04,
+ 0x65,
+ 0x0c,
+ 0x10,
+ 0xbe,
+ 0x19,
+ 0x48,
+ 0x2f,
+ 0x23,
+ 0x17,
+ 0x1b,
+ 0x67,
+ 0x1d,
+ 0xf1,
+ 0xcf,
+ 0x3b,
+ 0x96,
+ 0x0c,
+ 0x07,
+ 0x43,
+ 0x01,
+ 0xcd,
+ 0x93,
+ 0xc1,
+ 0xd1,
+ 0x76,
+ 0x03,
+ 0xd1,
+ 0x47,
+ 0xda,
+ 0xe2,
+ 0xae,
+ 0xf8,
+ 0x37,
+ 0xa6,
+ 0x29,
+ 0x64,
+ 0xef,
+ 0x15,
+ 0xe5,
+ 0xfb,
+ 0x4a,
+ 0xac,
+ 0x0b,
+ 0x8c,
+ 0x1c,
+ 0xca,
+ 0xa4,
+ 0xbe,
+ 0x75,
+ 0x4a,
+ 0xb5,
+ 0x72,
+ 0x8a,
+ 0xe9,
+ 0x13,
+ 0x0c,
+ 0x4c,
+ 0x7d,
+ 0x02,
+ 0x88,
+ 0x0a,
+ 0xb9,
+ 0x47,
+ 0x2d,
+ 0x45,
+ 0x55,
+ 0x62,
+ 0x16,
+ 0xd6,
+ 0x99,
+ 0x8b,
+ 0x86,
+ 0x82,
+ 0x28,
+ 0x3d,
+ 0x19,
+ 0xd4,
+ 0x2a,
+ 0x90,
+ 0xd5,
+ 0xef,
+ 0x8e,
+ 0x5d,
+ 0x32,
+ 0x76,
+ 0x7d,
+ 0xc2,
+ 0x82,
+ 0x2c,
+ 0x6d,
+ 0xf7,
+ 0x85,
+ 0x45,
+ 0x75,
+ 0x38,
+ 0xab,
+ 0xae,
+ 0x83,
+ 0x06,
+ 0x3e,
+ 0xd9,
+ 0xcb,
+ 0x87,
+ 0xc2,
+ 0xd3,
+ 0x70,
+ 0xf2,
+ 0x63,
+ 0xd5,
+ 0xfa,
+ 0xd7,
+ 0x46,
+ 0x6d,
+ 0x84,
+ 0x99,
+ 0xeb,
+ 0x8f,
+ 0x46,
+ 0x4a,
+ 0x70,
+ 0x25,
+ 0x12,
+ 0xb0,
+ 0xce,
+ 0xe7,
+ 0x71,
+ 0xe9,
+ 0x13,
+ 0x0d,
+ 0x69,
+ 0x77,
+ 0x35,
+ 0xf8,
+ 0x97,
+ 0xfd,
+ 0x03,
+ 0x6c,
+ 0xc5,
+ 0x04,
+ 0x32,
+ 0x6c,
+ 0x3b,
+ 0x01,
+ 0x39,
+ 0x9f,
+ 0x64,
+ 0x35,
+ 0x32,
+ 0x29,
+ 0x0f,
+ 0x95,
+ 0x8c,
+ 0x0b,
+ 0xbd,
+ 0x90,
+ 0x06,
+ 0x5d,
+ 0xf0,
+ 0x8b,
+ 0xab,
+ 0xbd,
+ 0x30,
+ 0xae,
+ 0xb6,
+ 0x3b,
+ 0x84,
+ 0xc4,
+ 0x60,
+ 0x5d,
+ 0x6c,
+ 0xa3,
+ 0x71,
+ 0x04,
+ 0x71,
+ 0x27,
+ 0xd0,
+ 0x3a,
+ 0x72,
+ 0xd5,
+ 0x98,
+ 0xa1,
+ 0xed,
+ 0xad,
+ 0xfe,
+ 0x70,
+ 0x7e,
+ 0x88,
+ 0x47,
+ 0x25,
+ 0xc1,
+ 0x68,
+ 0x90,
+ 0x54,
+ 0x90,
+ 0x84,
+ 0x00,
+ 0x8d,
+ 0x39,
+ 0x1e,
+ 0x09,
+ 0x53,
+ 0xc3,
+ 0xf3,
+ 0x6b,
+ 0xc4,
+ 0x38,
+ 0xcd,
+ 0x08,
+ 0x5e,
+ 0xdd,
+ 0x2d,
+ 0x93,
+ 0x4c,
+ 0xe1,
+ 0x93,
+ 0x8c,
+ 0x35,
+ 0x7a,
+ 0x71,
+ 0x1e,
+ 0x0d,
+ 0x4a,
+ 0x34,
+ 0x1a,
+ 0x5b,
+ 0x0a,
+ 0x85,
+ 0xed,
+ 0x12,
+ 0xc1,
+ 0xf4,
+ 0xe5,
+ 0x15,
+ 0x6a,
+ 0x26,
+ 0x74,
+ 0x6d,
+ 0xdd,
+ 0xe1,
+ 0x6d,
+ 0x82,
+ 0x6f,
+ 0x47,
+ 0x7c,
+ 0x97,
+ 0x47,
+ 0x7e,
+ 0x0a,
+ 0x0f,
+ 0xdf,
+ 0x65,
+ 0x53,
+ 0x14,
+ 0x3e,
+ 0x2c,
+ 0xa3,
+ 0xa7,
+ 0x35,
+ 0xe0,
+ 0x2e,
+ 0xcc,
+ 0xd9,
+ 0x4b,
+ 0x27,
+ 0xd0,
+ 0x48,
+ 0x61,
+ 0xd1,
+ 0x11,
+ 0x9d,
+ 0xd0,
+ 0xc3,
+ 0x28,
+ 0xad,
+ 0xf3,
+ 0xf6,
+ 0x8f,
+ 0xb0,
+ 0x94,
+ 0xb8,
+ 0x67,
+ 0x71,
+ 0x6b,
+ 0xd7,
+ 0xdc,
+ 0x0d,
+ 0xee,
+ 0xbb,
+ 0x10,
+ 0xb8,
+ 0x24,
+ 0x0e,
+ 0x68,
+ 0x03,
+ 0x48,
+ 0x93,
+ 0xea,
+ 0xd8,
+ 0x2d,
+ 0x54,
+ 0xc9,
+ 0xda,
+ 0x75,
+ 0x4c,
+ 0x46,
+ 0xc7,
+ 0xee,
+ 0xe0,
+ 0xc3,
+ 0x7f,
+ 0xdb,
+ 0xee,
+ 0x48,
+ 0x53,
+ 0x60,
+ 0x47,
+ 0xa6,
+ 0xfa,
+ 0x1a,
+ 0xe4,
+ 0x9a,
+ 0x01,
+ 0x42,
+ 0x49,
+ 0x1b,
+ 0x61,
+ 0xfd,
+ 0x5a,
+ 0x69,
+ 0x3e,
+ 0x38,
+ 0x13,
+ 0x60,
+ 0xea,
+ 0x6e,
+ 0x59,
+ 0x30,
+ 0x13,
+ 0x23,
+ 0x6f,
+ 0x64,
+ 0xba,
+ 0x8f,
+ 0x3b,
+ 0x1e,
+ 0xdd,
+ 0x1b,
+ 0xde,
+ 0xfc,
+ 0x7f,
+ 0xca,
+ 0x03,
+ 0x56,
+ 0xcf,
+ 0x29,
+ 0x87,
+ 0x72,
+ 0xed,
+ 0x9c,
+ 0x17,
+ 0xa0,
+ 0x98,
+ 0x00,
+ 0xd7,
+ 0x58,
+ 0x35,
+ 0x29,
+ 0xf6,
+ 0xc8,
+ 0x13,
+ 0xec,
+ 0x18,
+ 0x8b,
+ 0xcb,
+ 0x93,
+ 0xd8,
+ 0x43,
+ 0x2d,
+ 0x44,
+ 0x8c,
+ 0x6d,
+ 0x1f,
+ 0x6d,
+ 0xf5,
+ 0xe7,
+ 0xcd,
+ 0x8a,
+ 0x76,
+ 0xa2,
+ 0x67,
+ 0x36,
+ 0x5d,
+ 0x67,
+ 0x6a,
+ 0x5d,
+ 0x8d,
+ 0xed,
+ 0xbf,
+ 0x8a,
+ 0x23,
+ 0xf3,
+ 0x66,
+ 0x12,
+ 0xa5,
+ 0x99,
+ 0x90,
+ 0x28,
+ 0xa8,
+ 0x95,
+ 0xeb,
+ 0xd7,
+ 0xa1,
+ 0x37,
+ 0xdc,
+ 0x7a,
+ 0x00,
+ 0x9b,
+ 0xc6,
+ 0x69,
+ 0x5f,
+ 0xac,
+ 0xc1,
+ 0xe5,
+ 0x00,
+ 0xe3,
+ 0x25,
+ 0xc9,
+ 0x76,
+ 0x78,
+ 0x19,
+ 0x75,
+ 0x0a,
+ 0xe8,
+ 0xb9,
+ 0x0e,
+ 0x81,
+ 0xfa,
+ 0x41,
+ 0x6b,
+ 0xe7,
+ 0x37,
+ 0x3a,
+ 0x7f,
+ 0x7b,
+ 0x6a,
+ 0xaf,
+ 0x38,
+ 0x17,
+ 0xa3,
+ 0x4c,
+ 0x06,
+ 0x41,
+ 0x5a,
+ 0xd4,
+ 0x20,
+ 0x18,
+ 0xc8,
+ 0x05,
+ 0x8e,
+ 0x4f,
+ 0x2c,
+ 0xf3,
+ 0xe4,
+ 0xbf,
+ 0xdf,
+ 0x63,
+ 0xf4,
+ 0x79,
+ 0x91,
+ 0xd4,
+ 0xbd,
+ 0x3f,
+ 0x1b,
+ 0x66,
+ 0x44,
+ 0x5f,
+ 0x07,
+ 0x8e,
+ 0xa2,
+ 0xdb,
+ 0xff,
+ 0xac,
+ 0x2d,
+ 0x62,
+ 0xa5,
+ 0xea,
+ 0x03,
+ 0xd9,
+ 0x15,
+ 0xa0,
+ 0xaa,
+ 0x55,
+ 0x66,
+ 0x47,
+ 0xb6,
+ 0xbf,
+ 0x5f,
+ 0xa4,
+ 0x70,
+ 0xec,
+ 0x0a,
+ 0x66,
+ 0x2f,
+ 0x69,
+ 0x07,
+ 0xc0,
+ 0x1b,
+ 0xf0,
+ 0x53,
+ 0xcb,
+ 0x8a,
+ 0xf7,
+ 0x79,
+ 0x4d,
+ 0xf1,
+ 0x94,
+ 0x03,
+ 0x50,
+ 0xea,
+ 0xc5,
+ 0xdb,
+ 0xe2,
+ 0xed,
+ 0x3b,
+ 0x7a,
+ 0xa8,
+ 0x55,
+ 0x1e,
+ 0xc5,
+ 0x0f,
+ 0xdf,
+ 0xf8,
+ 0x75,
+ 0x8c,
+ 0xe6,
+ 0x58,
+ 0xd1,
+ 0x89,
+ 0xea,
+ 0xae,
+ 0x6d,
+ 0x2b,
+ 0x64,
+ 0xf6,
+ 0x17,
+ 0x79,
+ 0x4b,
+ 0x19,
+ 0x1c,
+ 0x3f,
+ 0xf4,
+ 0x6b,
+ 0xb7,
+ 0x1e,
+ 0x02,
+ 0x34,
+ 0x02,
+ 0x1f,
+ 0x47,
+ 0xb3,
+ 0x1f,
+ 0xa4,
+ 0x30,
+ 0x77,
+ 0x09,
+ 0x5f,
+ 0x96,
+ 0xad,
+ 0x85,
+ 0xba,
+ 0x3a,
+ 0x6b,
+ 0x73,
+ 0x4a,
+ 0x7c,
+ 0x8f,
+ 0x36,
+ 0xdf,
+ 0x08,
+ 0xac,
+ 0xba,
+ 0x51,
+ 0xc9,
+ 0x37,
+ 0x89,
+ 0x7f,
+ 0x72,
+ 0xf2,
+ 0x1c,
+ 0x3b,
+ 0xbe,
+ 0x5b,
+ 0x54,
+ 0x99,
+ 0x6f,
+ 0xc6,
+ 0x6c,
+ 0x5f,
+ 0x62,
+ 0x68,
+ 0x39,
+ 0xdc,
+ 0x98,
+ 0xdd,
+ 0x1d,
+ 0xe4,
+ 0x19,
+ 0x5b,
+ 0x46,
+ 0xce,
+ 0xe9,
+ 0x80,
+ 0x3a,
+ 0x0f,
+ 0xd3,
+ 0xdf,
+ 0xc5,
+ 0x7e,
+ 0x23,
+ 0xf6,
+ 0x92,
+ 0xbb,
+ 0x7b,
+ 0x49,
+ 0xb5,
+ 0xd2,
+ 0x12,
+ 0x33,
+ 0x1d,
+ 0x55,
+ 0xb1,
+ 0xce,
+ 0x2d,
+ 0x72,
+ 0x7a,
+ 0xb4,
+ 0x1a,
+ 0x11,
+ 0xda,
+ 0x3a,
+ 0x15,
+ 0xf8,
+ 0xe4,
+ 0xbc,
+ 0x11,
+ 0xc7,
+ 0x8b,
+ 0x65,
+ 0xf1,
+ 0xce,
+ 0xb2,
+ 0x96,
+ 0xf1,
+ 0xfe,
+ 0xdc,
+ 0x5f,
+ 0x7e,
+ 0x42,
+ 0x45,
+ 0x6c,
+ 0x91,
+ 0x11,
+ 0x17,
+ 0x02,
+ 0x52,
+ 0x01,
+ 0xbe,
+ 0x03,
+ 0x89,
+ 0xf5,
+ 0xab,
+ 0xd4,
+ 0x0d,
+ 0x11,
+ 0xf8,
+ 0x63,
+ 0x9a,
+ 0x39,
+ 0xfe,
+ 0x32,
+ 0x36,
+ 0x75,
+ 0x18,
+ 0x35,
+ 0xa5,
+ 0xe5,
+ 0xe4,
+ 0x43,
+ 0x17,
+ 0xc1,
+ 0xc2,
+ 0xee,
+ 0xfd,
+ 0x4e,
+ 0xa5,
+ 0xbf,
+ 0xd1,
+ 0x60,
+ 0x43,
+ 0xf4,
+ 0x3c,
+ 0xb4,
+ 0x19,
+ 0x81,
+ 0xf6,
+ 0xad,
+ 0xee,
+ 0x9d,
+ 0x03,
+ 0x15,
+ 0x9e,
+ 0x7a,
+ 0xd9,
+ 0xd1,
+ 0x3c,
+ 0x53,
+ 0x36,
+ 0x95,
+ 0x09,
+ 0xfc,
+ 0x1f,
+ 0xa2,
+ 0x7c,
+ 0x16,
+ 0xef,
+ 0x98,
+ 0x87,
+ 0x70,
+ 0x3a,
+ 0x55,
+ 0xb5,
+ 0x1b,
+ 0x22,
+ 0xcb,
+ 0xf4,
+ 0x4c,
+ 0xd0,
+ 0x12,
+ 0xae,
+ 0xe0,
+ 0xb2,
+ 0x79,
+ 0x8e,
+ 0x62,
+ 0x84,
+ 0x23,
+ 0x42,
+ 0x8e,
+ 0xfc,
+ 0xd5,
+ 0xa4,
+ 0x0c,
+ 0xae,
+ 0xf6,
+ 0xbf,
+ 0x50,
+ 0xd8,
+ 0xea,
+ 0x88,
+ 0x5e,
+ 0xbf,
+ 0x73,
+ 0xa6,
+ 0xb9,
+ 0xfd,
+ 0x79,
+ 0xb5,
+ 0xe1,
+ 0x8f,
+ 0x67,
+ 0xd1,
+ 0x34,
+ 0x1a,
+ 0xc8,
+ 0x23,
+ 0x7a,
+ 0x75,
+ 0xc3,
+ 0xcf,
+ 0xc9,
+ 0x20,
+ 0x04,
+ 0xa1,
+ 0xc5,
+ 0xa4,
+ 0x0e,
+ 0x36,
+ 0x6b,
+ 0xc4,
+ 0x4d,
+ 0x00,
+ 0x17,
+ 0x6a,
+ 0xf7,
+ 0x1c,
+ 0x15,
+ 0xe4,
+ 0x8c,
+ 0x86,
+ 0xd3,
+ 0x7e,
+ 0x01,
+ 0x37,
+ 0x23,
+ 0xca,
+ 0xac,
+ 0x72,
+ 0x23,
+ 0xab,
+ 0x3b,
+ 0xf4,
+ 0xd5,
+ 0x4f,
+ 0x18,
+ 0x28,
+ 0x71,
+ 0x3b,
+ 0x2b,
+ 0x4a,
+ 0x6f,
+ 0xe4,
+ 0x0f,
+ 0xab,
+ 0x74,
+ 0x40,
+ 0x5c,
+ 0xb7,
+ 0x38,
+ 0xb0,
+ 0x64,
+ 0xc0,
+ 0x6e,
+ 0xcc,
+ 0x76,
+ 0xe9,
+ 0xef,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+/* q=(p-1)/2 for prime prime_tls_8192 */
+static const unsigned char subprime_tls_8192_data[] = {
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xd6,
+ 0xfc,
+ 0x2a,
+ 0x2c,
+ 0x51,
+ 0x5d,
+ 0xa5,
+ 0x4d,
+ 0x57,
+ 0xee,
+ 0x2b,
+ 0x10,
+ 0x13,
+ 0x9e,
+ 0x9e,
+ 0x78,
+ 0xec,
+ 0x5c,
+ 0xe2,
+ 0xc1,
+ 0xe7,
+ 0x16,
+ 0x9b,
+ 0x4a,
+ 0xd4,
+ 0xf0,
+ 0x9b,
+ 0x20,
+ 0x8a,
+ 0x32,
+ 0x19,
+ 0xfd,
+ 0xe6,
+ 0x49,
+ 0xce,
+ 0xe7,
+ 0x12,
+ 0x4d,
+ 0x9f,
+ 0x7c,
+ 0xbe,
+ 0x97,
+ 0xf1,
+ 0xb1,
+ 0xb1,
+ 0x86,
+ 0x3a,
+ 0xec,
+ 0x7b,
+ 0x40,
+ 0xd9,
+ 0x01,
+ 0x57,
+ 0x62,
+ 0x30,
+ 0xbd,
+ 0x69,
+ 0xef,
+ 0x8f,
+ 0x6a,
+ 0xea,
+ 0xfe,
+ 0xb2,
+ 0xb0,
+ 0x92,
+ 0x19,
+ 0xfa,
+ 0x8f,
+ 0xaf,
+ 0x83,
+ 0x37,
+ 0x68,
+ 0x42,
+ 0xb1,
+ 0xb2,
+ 0xaa,
+ 0x9e,
+ 0xf6,
+ 0x8d,
+ 0x79,
+ 0xda,
+ 0xab,
+ 0x89,
+ 0xaf,
+ 0x3f,
+ 0xab,
+ 0xe4,
+ 0x9a,
+ 0xcc,
+ 0x27,
+ 0x86,
+ 0x38,
+ 0x70,
+ 0x73,
+ 0x45,
+ 0xbb,
+ 0xf1,
+ 0x53,
+ 0x44,
+ 0xed,
+ 0x79,
+ 0xf7,
+ 0xf4,
+ 0x39,
+ 0x0e,
+ 0xf8,
+ 0xac,
+ 0x50,
+ 0x9b,
+ 0x56,
+ 0xf3,
+ 0x9a,
+ 0x98,
+ 0x56,
+ 0x65,
+ 0x27,
+ 0xa4,
+ 0x1d,
+ 0x3c,
+ 0xbd,
+ 0x5e,
+ 0x05,
+ 0x58,
+ 0xc1,
+ 0x59,
+ 0x92,
+ 0x7d,
+ 0xb0,
+ 0xe8,
+ 0x84,
+ 0x54,
+ 0xa5,
+ 0xd9,
+ 0x64,
+ 0x71,
+ 0xfd,
+ 0xdc,
+ 0xb5,
+ 0x6d,
+ 0x5b,
+ 0xb0,
+ 0x6b,
+ 0xfa,
+ 0x34,
+ 0x0e,
+ 0xa7,
+ 0xa1,
+ 0x51,
+ 0xef,
+ 0x1c,
+ 0xa6,
+ 0xfa,
+ 0x57,
+ 0x2b,
+ 0x76,
+ 0xf3,
+ 0xb1,
+ 0xb9,
+ 0x5d,
+ 0x8c,
+ 0x85,
+ 0x83,
+ 0xd3,
+ 0xe4,
+ 0x77,
+ 0x05,
+ 0x36,
+ 0xb8,
+ 0x4f,
+ 0x01,
+ 0x7e,
+ 0x70,
+ 0xe6,
+ 0xfb,
+ 0xf1,
+ 0x76,
+ 0x60,
+ 0x1a,
+ 0x02,
+ 0x66,
+ 0x94,
+ 0x1a,
+ 0x17,
+ 0xb0,
+ 0xc8,
+ 0xb9,
+ 0x7f,
+ 0x4e,
+ 0x74,
+ 0xc2,
+ 0xc1,
+ 0xff,
+ 0xc7,
+ 0x27,
+ 0x89,
+ 0x19,
+ 0x77,
+ 0x79,
+ 0x40,
+ 0xc1,
+ 0xe1,
+ 0xff,
+ 0x1d,
+ 0x8d,
+ 0xa6,
+ 0x37,
+ 0xd6,
+ 0xb9,
+ 0x9d,
+ 0xda,
+ 0xfe,
+ 0x5e,
+ 0x17,
+ 0x61,
+ 0x10,
+ 0x02,
+ 0xe2,
+ 0xc7,
+ 0x78,
+ 0xc1,
+ 0xbe,
+ 0x8b,
+ 0x41,
+ 0xd9,
+ 0x63,
+ 0x79,
+ 0xa5,
+ 0x13,
+ 0x60,
+ 0xd9,
+ 0x77,
+ 0xfd,
+ 0x44,
+ 0x35,
+ 0xa1,
+ 0x1c,
+ 0x30,
+ 0x8f,
+ 0xe7,
+ 0xee,
+ 0x6f,
+ 0x1a,
+ 0xad,
+ 0x9d,
+ 0xb2,
+ 0x8c,
+ 0x81,
+ 0xad,
+ 0xde,
+ 0x1a,
+ 0x7a,
+ 0x6f,
+ 0x7c,
+ 0xce,
+ 0x01,
+ 0x1c,
+ 0x30,
+ 0xda,
+ 0x37,
+ 0xe4,
+ 0xeb,
+ 0x73,
+ 0x64,
+ 0x83,
+ 0xbd,
+ 0x6c,
+ 0x8e,
+ 0x93,
+ 0x48,
+ 0xfb,
+ 0xfb,
+ 0xf7,
+ 0x2c,
+ 0xc6,
+ 0x58,
+ 0x7d,
+ 0x60,
+ 0xc3,
+ 0x6c,
+ 0x8e,
+ 0x57,
+ 0x7f,
+ 0x09,
+ 0x84,
+ 0xc2,
+ 0x89,
+ 0xc9,
+ 0x38,
+ 0x5a,
+ 0x09,
+ 0x86,
+ 0x49,
+ 0xde,
+ 0x21,
+ 0xbc,
+ 0xa2,
+ 0x7a,
+ 0x7e,
+ 0xa2,
+ 0x29,
+ 0x71,
+ 0x6b,
+ 0xa6,
+ 0xe9,
+ 0xb2,
+ 0x79,
+ 0x71,
+ 0x0f,
+ 0x38,
+ 0xfa,
+ 0xa5,
+ 0xff,
+ 0xae,
+ 0x57,
+ 0x41,
+ 0x55,
+ 0xce,
+ 0x4e,
+ 0xfb,
+ 0x4f,
+ 0x74,
+ 0x36,
+ 0x95,
+ 0xe2,
+ 0x91,
+ 0x1b,
+ 0x1d,
+ 0x06,
+ 0xd5,
+ 0xe2,
+ 0x90,
+ 0xcb,
+ 0xcd,
+ 0x86,
+ 0xf5,
+ 0x6d,
+ 0x0e,
+ 0xdf,
+ 0xcd,
+ 0x21,
+ 0x6a,
+ 0xe2,
+ 0x24,
+ 0x27,
+ 0x05,
+ 0x5e,
+ 0x68,
+ 0x35,
+ 0xfd,
+ 0x29,
+ 0xee,
+ 0xf7,
+ 0x9e,
+ 0x0d,
+ 0x90,
+ 0x77,
+ 0x1f,
+ 0xea,
+ 0xce,
+ 0xbe,
+ 0x12,
+ 0xf2,
+ 0x0e,
+ 0x95,
+ 0xb3,
+ 0x4f,
+ 0x0f,
+ 0x78,
+ 0xb7,
+ 0x37,
+ 0xa9,
+ 0x61,
+ 0x8b,
+ 0x26,
+ 0xfa,
+ 0x7d,
+ 0xbc,
+ 0x98,
+ 0x74,
+ 0xf2,
+ 0x72,
+ 0xc4,
+ 0x2b,
+ 0xdb,
+ 0x56,
+ 0x3e,
+ 0xaf,
+ 0xa1,
+ 0x6b,
+ 0x4f,
+ 0xb6,
+ 0x8c,
+ 0x3b,
+ 0xb1,
+ 0xe7,
+ 0x8e,
+ 0xaa,
+ 0x81,
+ 0xa0,
+ 0x02,
+ 0x43,
+ 0xfa,
+ 0xad,
+ 0xd2,
+ 0xbf,
+ 0x18,
+ 0xe6,
+ 0x3d,
+ 0x38,
+ 0x9a,
+ 0xe4,
+ 0x43,
+ 0x77,
+ 0xda,
+ 0x18,
+ 0xc5,
+ 0x76,
+ 0xb5,
+ 0x0f,
+ 0x00,
+ 0x96,
+ 0xcf,
+ 0x34,
+ 0x19,
+ 0x54,
+ 0x83,
+ 0xb0,
+ 0x05,
+ 0x48,
+ 0xc0,
+ 0x98,
+ 0x62,
+ 0x36,
+ 0xe3,
+ 0xbc,
+ 0x7c,
+ 0xb8,
+ 0xd6,
+ 0x80,
+ 0x1c,
+ 0x04,
+ 0x94,
+ 0xcc,
+ 0xd1,
+ 0x99,
+ 0xe5,
+ 0xc5,
+ 0xbd,
+ 0x0d,
+ 0x0e,
+ 0xdc,
+ 0x9e,
+ 0xb8,
+ 0xa0,
+ 0x00,
+ 0x1e,
+ 0x15,
+ 0x27,
+ 0x67,
+ 0x54,
+ 0xfc,
+ 0xc6,
+ 0x85,
+ 0x66,
+ 0x05,
+ 0x41,
+ 0x48,
+ 0xe6,
+ 0xe7,
+ 0x64,
+ 0xbe,
+ 0xe7,
+ 0xc7,
+ 0x64,
+ 0xda,
+ 0xad,
+ 0x3f,
+ 0xc4,
+ 0x52,
+ 0x35,
+ 0xa6,
+ 0xda,
+ 0xd4,
+ 0x28,
+ 0xfa,
+ 0x20,
+ 0xc1,
+ 0x70,
+ 0xe3,
+ 0x45,
+ 0x00,
+ 0x3f,
+ 0x2f,
+ 0x06,
+ 0xec,
+ 0x81,
+ 0x05,
+ 0xfe,
+ 0xb2,
+ 0x5b,
+ 0x22,
+ 0x81,
+ 0xb6,
+ 0x3d,
+ 0x27,
+ 0x33,
+ 0xbe,
+ 0x96,
+ 0x1c,
+ 0x29,
+ 0x95,
+ 0x1d,
+ 0x11,
+ 0xdd,
+ 0x22,
+ 0x21,
+ 0x65,
+ 0x7a,
+ 0x9f,
+ 0x53,
+ 0x1d,
+ 0xda,
+ 0x2a,
+ 0x19,
+ 0x4d,
+ 0xbb,
+ 0x12,
+ 0x64,
+ 0x48,
+ 0xbd,
+ 0xee,
+ 0xb2,
+ 0x58,
+ 0xe0,
+ 0x7e,
+ 0xa6,
+ 0x59,
+ 0xc7,
+ 0x46,
+ 0x19,
+ 0xa6,
+ 0x38,
+ 0x0e,
+ 0x1d,
+ 0x66,
+ 0xd6,
+ 0x83,
+ 0x2b,
+ 0xfe,
+ 0x67,
+ 0xf6,
+ 0x38,
+ 0xcd,
+ 0x8f,
+ 0xae,
+ 0x1f,
+ 0x27,
+ 0x23,
+ 0x02,
+ 0x0f,
+ 0x9c,
+ 0x40,
+ 0xa3,
+ 0xfd,
+ 0xa6,
+ 0x7e,
+ 0xda,
+ 0x3b,
+ 0xd2,
+ 0x92,
+ 0x38,
+ 0xfb,
+ 0xd4,
+ 0xd4,
+ 0xb4,
+ 0x88,
+ 0x5c,
+ 0x2a,
+ 0x99,
+ 0x17,
+ 0x6d,
+ 0xb1,
+ 0xa0,
+ 0x6c,
+ 0x50,
+ 0x07,
+ 0x78,
+ 0x49,
+ 0x1a,
+ 0x82,
+ 0x88,
+ 0xf1,
+ 0x85,
+ 0x5f,
+ 0x60,
+ 0xff,
+ 0xfc,
+ 0xf1,
+ 0xd1,
+ 0x37,
+ 0x3f,
+ 0xd9,
+ 0x4f,
+ 0xc6,
+ 0x0c,
+ 0x18,
+ 0x11,
+ 0xe1,
+ 0xac,
+ 0x3f,
+ 0x1c,
+ 0x6d,
+ 0x00,
+ 0x3b,
+ 0xec,
+ 0xda,
+ 0x3b,
+ 0x1f,
+ 0x27,
+ 0x25,
+ 0xca,
+ 0x59,
+ 0x5d,
+ 0xe0,
+ 0xca,
+ 0x63,
+ 0x32,
+ 0x8f,
+ 0x3b,
+ 0xe5,
+ 0x7c,
+ 0xc9,
+ 0x77,
+ 0x55,
+ 0x60,
+ 0x11,
+ 0x95,
+ 0x14,
+ 0x0d,
+ 0xfb,
+ 0x59,
+ 0xd3,
+ 0x9c,
+ 0xe0,
+ 0x91,
+ 0x30,
+ 0x8b,
+ 0x41,
+ 0x05,
+ 0x74,
+ 0x6d,
+ 0xac,
+ 0x23,
+ 0xd3,
+ 0x3e,
+ 0x5f,
+ 0x7c,
+ 0xe4,
+ 0x84,
+ 0x8d,
+ 0xa3,
+ 0x16,
+ 0xa9,
+ 0xc6,
+ 0x6b,
+ 0x95,
+ 0x81,
+ 0xba,
+ 0x35,
+ 0x73,
+ 0xbf,
+ 0xaf,
+ 0x31,
+ 0x14,
+ 0x96,
+ 0x18,
+ 0x8a,
+ 0xb1,
+ 0x54,
+ 0x23,
+ 0x28,
+ 0x2e,
+ 0xe4,
+ 0x16,
+ 0xdc,
+ 0x2a,
+ 0x19,
+ 0xc5,
+ 0x72,
+ 0x4f,
+ 0xa9,
+ 0x1a,
+ 0xe4,
+ 0xad,
+ 0xc8,
+ 0x8b,
+ 0xc6,
+ 0x67,
+ 0x96,
+ 0xea,
+ 0xe5,
+ 0x67,
+ 0x7a,
+ 0x01,
+ 0xf6,
+ 0x4e,
+ 0x8c,
+ 0x08,
+ 0x63,
+ 0x13,
+ 0x95,
+ 0x82,
+ 0x2d,
+ 0x9d,
+ 0xb8,
+ 0xfc,
+ 0xee,
+ 0x35,
+ 0xc0,
+ 0x6b,
+ 0x1f,
+ 0xee,
+ 0xa5,
+ 0x47,
+ 0x4d,
+ 0x6d,
+ 0x8f,
+ 0x34,
+ 0xb1,
+ 0x53,
+ 0x4a,
+ 0x93,
+ 0x6a,
+ 0x18,
+ 0xb0,
+ 0xe0,
+ 0xd2,
+ 0x0e,
+ 0xab,
+ 0x86,
+ 0xbc,
+ 0x9c,
+ 0x6d,
+ 0x6a,
+ 0x52,
+ 0x07,
+ 0x19,
+ 0x4e,
+ 0x67,
+ 0xfa,
+ 0x35,
+ 0x55,
+ 0x1b,
+ 0x56,
+ 0x80,
+ 0x26,
+ 0x7b,
+ 0x00,
+ 0x64,
+ 0x1c,
+ 0x0f,
+ 0x21,
+ 0x2d,
+ 0x18,
+ 0xec,
+ 0xa8,
+ 0xd7,
+ 0x32,
+ 0x7e,
+ 0xd9,
+ 0x1f,
+ 0xe7,
+ 0x64,
+ 0xa8,
+ 0x4e,
+ 0xa1,
+ 0xb4,
+ 0x3f,
+ 0xf5,
+ 0xb4,
+ 0xf6,
+ 0xe8,
+ 0xe6,
+ 0x2f,
+ 0x05,
+ 0xc6,
+ 0x61,
+ 0xde,
+ 0xfb,
+ 0x25,
+ 0x88,
+ 0x77,
+ 0xc3,
+ 0x5b,
+ 0x18,
+ 0xa1,
+ 0x51,
+ 0xd5,
+ 0xc4,
+ 0x14,
+ 0xaa,
+ 0xad,
+ 0x97,
+ 0xba,
+ 0x3e,
+ 0x49,
+ 0x93,
+ 0x32,
+ 0xe5,
+ 0x96,
+ 0x07,
+ 0x8e,
+ 0x60,
+ 0x0d,
+ 0xeb,
+ 0x81,
+ 0x14,
+ 0x9c,
+ 0x44,
+ 0x1c,
+ 0xe9,
+ 0x57,
+ 0x82,
+ 0xf2,
+ 0x2a,
+ 0x28,
+ 0x25,
+ 0x63,
+ 0xc5,
+ 0xba,
+ 0xc1,
+ 0x41,
+ 0x14,
+ 0x23,
+ 0x60,
+ 0x5d,
+ 0x1a,
+ 0xe1,
+ 0xaf,
+ 0xae,
+ 0x2c,
+ 0x8b,
+ 0x06,
+ 0x60,
+ 0x23,
+ 0x7e,
+ 0xc1,
+ 0x28,
+ 0xaa,
+ 0x0f,
+ 0xe3,
+ 0x46,
+ 0x4e,
+ 0x43,
+ 0x58,
+ 0x11,
+ 0x5d,
+ 0xb8,
+ 0x4c,
+ 0xc3,
+ 0xb5,
+ 0x23,
+ 0x07,
+ 0x3a,
+ 0x28,
+ 0xd4,
+ 0x54,
+ 0x98,
+ 0x84,
+ 0xb8,
+ 0x1f,
+ 0xf7,
+ 0x0e,
+ 0x10,
+ 0xbf,
+ 0x36,
+ 0x1c,
+ 0x13,
+ 0x72,
+ 0x96,
+ 0x28,
+ 0xd5,
+ 0x34,
+ 0x8f,
+ 0x07,
+ 0x21,
+ 0x1e,
+ 0x7e,
+ 0x4c,
+ 0xf4,
+ 0xf1,
+ 0x8b,
+ 0x28,
+ 0x60,
+ 0x90,
+ 0xbd,
+ 0xb1,
+ 0x24,
+ 0x0b,
+ 0x66,
+ 0xd6,
+ 0xcd,
+ 0x4a,
+ 0xfc,
+ 0xea,
+ 0xdc,
+ 0x00,
+ 0xca,
+ 0x44,
+ 0x6c,
+ 0xe0,
+ 0x50,
+ 0x50,
+ 0xff,
+ 0x18,
+ 0x3a,
+ 0xd2,
+ 0xbb,
+ 0xf1,
+ 0x18,
+ 0xc1,
+ 0xfc,
+ 0x0e,
+ 0xa5,
+ 0x1f,
+ 0x97,
+ 0xd2,
+ 0x2b,
+ 0x8f,
+ 0x7e,
+ 0x46,
+ 0x70,
+ 0x5d,
+ 0x45,
+ 0x27,
+ 0xf4,
+ 0x5b,
+ 0x42,
+ 0xae,
+ 0xff,
+ 0x39,
+ 0x58,
+ 0x53,
+ 0x37,
+ 0x6f,
+ 0x69,
+ 0x7d,
+ 0xd5,
+ 0xfd,
+ 0xf2,
+ 0xc5,
+ 0x18,
+ 0x7d,
+ 0x7d,
+ 0x5f,
+ 0x0e,
+ 0x2e,
+ 0xb8,
+ 0xd4,
+ 0x3f,
+ 0x17,
+ 0xba,
+ 0x0f,
+ 0x7c,
+ 0x60,
+ 0xff,
+ 0x43,
+ 0x7f,
+ 0x53,
+ 0x5d,
+ 0xfe,
+ 0xf2,
+ 0x98,
+ 0x33,
+ 0xbf,
+ 0x86,
+ 0xcb,
+ 0xe8,
+ 0x8e,
+ 0xa4,
+ 0xfb,
+ 0xd4,
+ 0x22,
+ 0x1e,
+ 0x84,
+ 0x11,
+ 0x72,
+ 0x83,
+ 0x54,
+ 0xfa,
+ 0x30,
+ 0xa7,
+ 0x00,
+ 0x8f,
+ 0x15,
+ 0x4a,
+ 0x41,
+ 0xc7,
+ 0xfc,
+ 0x46,
+ 0x6b,
+ 0x46,
+ 0x45,
+ 0xdb,
+ 0xe2,
+ 0xe3,
+ 0x21,
+ 0x26,
+ 0x7f,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+ 0xff,
+};
+
+static const SECItem subprime_ike_1536 = { siBuffer,
+ (unsigned char *)subprime_ike_1536_data,
+ sizeof(subprime_ike_1536_data) };
+static const SECItem subprime_ike_2048 = { siBuffer,
+ (unsigned char *)subprime_ike_2048_data,
+ sizeof(subprime_ike_2048_data) };
+static const SECItem subprime_ike_3072 = { siBuffer,
+ (unsigned char *)subprime_ike_3072_data,
+ sizeof(subprime_ike_3072_data) };
+static const SECItem subprime_ike_4096 = { siBuffer,
+ (unsigned char *)subprime_ike_4096_data,
+ sizeof(subprime_ike_4096_data) };
+static const SECItem subprime_ike_6144 = { siBuffer,
+ (unsigned char *)subprime_ike_6144_data,
+ sizeof(subprime_ike_6144_data) };
+static const SECItem subprime_ike_8192 = { siBuffer,
+ (unsigned char *)subprime_ike_8192_data,
+ sizeof(subprime_ike_8192_data) };
+static const SECItem subprime_tls_2048 = { siBuffer,
+ (unsigned char *)subprime_tls_2048_data,
+ sizeof(subprime_tls_2048_data) };
+static const SECItem subprime_tls_3072 = { siBuffer,
+ (unsigned char *)subprime_tls_3072_data,
+ sizeof(subprime_tls_3072_data) };
+static const SECItem subprime_tls_4096 = { siBuffer,
+ (unsigned char *)subprime_tls_4096_data,
+ sizeof(subprime_tls_4096_data) };
+static const SECItem subprime_tls_6144 = { siBuffer,
+ (unsigned char *)subprime_tls_6144_data,
+ sizeof(subprime_tls_6144_data) };
+static const SECItem subprime_tls_8192 = { siBuffer,
+ (unsigned char *)subprime_tls_8192_data,
+ sizeof(subprime_tls_8192_data) };
+
+/*
+ * verify that dhPrime matches one of our known primes
+ */
+const SECItem *
+sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
+{
+ /* use the length to decide which primes to check */
+ switch (dhPrime->len) {
+ case 1536 / PR_BITS_PER_BYTE:
+ /* don't accept 1536 bit primes in FIPS mode */
+ if (isFIPS) {
+ break;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
+ sizeof(prime_ike_1536)) == 0) {
+ return &subprime_ike_1536;
+ }
+ break;
+ case 2048 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_2048,
+ sizeof(prime_tls_2048)) == 0) {
+ return &subprime_tls_2048;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_2048,
+ sizeof(prime_ike_2048)) == 0) {
+ return &subprime_ike_2048;
+ }
+ break;
+ case 3072 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_3072,
+ sizeof(prime_tls_3072)) == 0) {
+ return &subprime_tls_3072;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_3072,
+ sizeof(prime_ike_3072)) == 0) {
+ return &subprime_ike_3072;
+ }
+ break;
+ case 4096 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_4096,
+ sizeof(prime_tls_4096)) == 0) {
+ return &subprime_tls_4096;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_4096,
+ sizeof(prime_ike_4096)) == 0) {
+ return &subprime_ike_4096;
+ }
+ break;
+ case 6144 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_6144,
+ sizeof(prime_tls_6144)) == 0) {
+ return &subprime_tls_6144;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_6144,
+ sizeof(prime_ike_6144)) == 0) {
+ return &subprime_ike_6144;
+ }
+ break;
+ case 8192 / PR_BITS_PER_BYTE:
+ if (PORT_Memcmp(dhPrime->data, prime_tls_8192,
+ sizeof(prime_tls_8192)) == 0) {
+ return &subprime_tls_8192;
+ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_8192,
+ sizeof(prime_ike_8192)) == 0) {
+ return &subprime_ike_8192;
+ }
+ break;
+ }
+ /* no match found, return an error */
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+}
+
+/* Use the provided subPrime to see if dhPrime is a safe prime. We'll check
+ * primality of those values later. */
+SECStatus
+sftk_IsSafePrime(const SECItem *dhPrime, const SECItem *dhSubPrime, PRBool *isSafe)
+{
+ int i;
+ unsigned char carry = 0;
+ int offset = 0, subPrimeLen = dhPrime->len;
+ *isSafe = PR_FALSE;
+
+ /* Both dhPrime and dhSubPrime should be odd */
+ if (((dhPrime->data[dhPrime->len - 1] & 0x1) != 1) && ((dhSubPrime->data[dhSubPrime->len - 1] & 0x1) != 1)) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ /* subPrime is p-1/2, which means subPrime is 1 bit shorter than p.
+ * It's length in bytes is the same unless the high byte of p == 1 or 0.
+ */
+ if (dhPrime->data[0] <= 1) {
+ subPrimeLen--;
+ offset++;
+ carry = (dhPrime->data[0]) << 7;
+ }
+
+ /* if subprime len is not long enough it is not a strong prime */
+ if (dhSubPrime->len != subPrimeLen) {
+ return SECSuccess;
+ }
+
+ /* does the subprime match q == (p-1)/2 */
+ for (i = 0; i < subPrimeLen; i++) {
+ if (dhSubPrime->data[i] !=
+ (carry | ((dhPrime->data[i + offset] >> 1) & 0x7f))) {
+ return SECSuccess;
+ }
+ carry = ((dhPrime->data[i + offset] & 1) << 7) & 0x80;
+ }
+ /* subPrime for p claims to be q=(p-1)/2. So the caller thinks p
+ * is a strong prime, just need to check primality of p and q to verify */
+ *isSafe = PR_TRUE;
+ return SECSuccess;
+}
diff --git a/security/nss/lib/softoken/sftkhmac.c b/security/nss/lib/softoken/sftkhmac.c
new file mode 100644
index 0000000000..bec2df79f1
--- /dev/null
+++ b/security/nss/lib/softoken/sftkhmac.c
@@ -0,0 +1,477 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "seccomon.h"
+#include "secerr.h"
+#include "blapi.h"
+#include "pkcs11i.h"
+#include "softoken.h"
+#include "hmacct.h"
+
+/* sftk_HMACMechanismToHash converts a PKCS#11 MAC mechanism into a freebl hash
+ * type. */
+HASH_HashType
+sftk_HMACMechanismToHash(CK_MECHANISM_TYPE mech)
+{
+ switch (mech) {
+ case CKM_MD2_HMAC:
+ return HASH_AlgMD2;
+ case CKM_MD5_HMAC:
+ case CKM_SSL3_MD5_MAC:
+ return HASH_AlgMD5;
+ case CKM_SHA_1_HMAC:
+ case CKM_SSL3_SHA1_MAC:
+ return HASH_AlgSHA1;
+ case CKM_SHA224_HMAC:
+ return HASH_AlgSHA224;
+ case CKM_SHA256_HMAC:
+ return HASH_AlgSHA256;
+ case CKM_SHA384_HMAC:
+ return HASH_AlgSHA384;
+ case CKM_SHA512_HMAC:
+ return HASH_AlgSHA512;
+ }
+ return HASH_AlgNULL;
+}
+
+static sftk_MACConstantTimeCtx *
+SetupMAC(CK_MECHANISM_PTR mech, SFTKObject *key)
+{
+ CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
+ (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
+ sftk_MACConstantTimeCtx *ctx;
+ HASH_HashType alg;
+ SFTKAttribute *keyval;
+ unsigned char secret[sizeof(ctx->secret)];
+ unsigned int secretLength;
+
+ if (mech->ulParameterLen != sizeof(CK_NSS_MAC_CONSTANT_TIME_PARAMS)) {
+ return NULL;
+ }
+
+ alg = sftk_HMACMechanismToHash(params->macAlg);
+ if (alg == HASH_AlgNULL) {
+ return NULL;
+ }
+
+ keyval = sftk_FindAttribute(key, CKA_VALUE);
+ if (keyval == NULL) {
+ return NULL;
+ }
+ secretLength = keyval->attrib.ulValueLen;
+ if (secretLength > sizeof(secret)) {
+ sftk_FreeAttribute(keyval);
+ return NULL;
+ }
+ memcpy(secret, keyval->attrib.pValue, secretLength);
+ sftk_FreeAttribute(keyval);
+
+ ctx = PORT_Alloc(sizeof(sftk_MACConstantTimeCtx));
+ if (!ctx) {
+ PORT_Memset(secret, 0, secretLength);
+ return NULL;
+ }
+
+ memcpy(ctx->secret, secret, secretLength);
+ ctx->secretLength = secretLength;
+ ctx->hash = HASH_GetRawHashObject(alg);
+ ctx->totalLength = params->ulBodyTotalLen;
+ PORT_Memset(secret, 0, secretLength);
+
+ return ctx;
+}
+
+sftk_MACConstantTimeCtx *
+sftk_HMACConstantTime_New(CK_MECHANISM_PTR mech, SFTKObject *key)
+{
+ CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
+ (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
+ sftk_MACConstantTimeCtx *ctx;
+
+ if (params->ulHeaderLen > sizeof(ctx->header)) {
+ return NULL;
+ }
+ ctx = SetupMAC(mech, key);
+ if (!ctx) {
+ return NULL;
+ }
+
+ ctx->headerLength = params->ulHeaderLen;
+ memcpy(ctx->header, params->pHeader, params->ulHeaderLen);
+ return ctx;
+}
+
+sftk_MACConstantTimeCtx *
+sftk_SSLv3MACConstantTime_New(CK_MECHANISM_PTR mech, SFTKObject *key)
+{
+ CK_NSS_MAC_CONSTANT_TIME_PARAMS *params =
+ (CK_NSS_MAC_CONSTANT_TIME_PARAMS *)mech->pParameter;
+ unsigned int padLength = 40, j;
+ sftk_MACConstantTimeCtx *ctx;
+
+ if (params->macAlg != CKM_SSL3_MD5_MAC &&
+ params->macAlg != CKM_SSL3_SHA1_MAC) {
+ return NULL;
+ }
+ ctx = SetupMAC(mech, key);
+ if (!ctx) {
+ return NULL;
+ }
+
+ if (params->macAlg == CKM_SSL3_MD5_MAC) {
+ padLength = 48;
+ }
+
+ ctx->headerLength =
+ ctx->secretLength +
+ padLength +
+ params->ulHeaderLen;
+
+ if (ctx->headerLength > sizeof(ctx->header)) {
+ goto loser;
+ }
+
+ j = 0;
+ memcpy(&ctx->header[j], ctx->secret, ctx->secretLength);
+ j += ctx->secretLength;
+ memset(&ctx->header[j], 0x36, padLength);
+ j += padLength;
+ memcpy(&ctx->header[j], params->pHeader, params->ulHeaderLen);
+
+ return ctx;
+
+loser:
+ PORT_Free(ctx);
+ return NULL;
+}
+
+void
+sftk_HMACConstantTime_Update(void *pctx, const void *data, unsigned int len)
+{
+ sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
+ PORT_CheckSuccess(HMAC_ConstantTime(
+ ctx->mac, NULL, sizeof(ctx->mac),
+ ctx->hash,
+ ctx->secret, ctx->secretLength,
+ ctx->header, ctx->headerLength,
+ data, len,
+ ctx->totalLength));
+}
+
+void
+sftk_SSLv3MACConstantTime_Update(void *pctx, const void *data, unsigned int len)
+{
+ sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
+ PORT_CheckSuccess(SSLv3_MAC_ConstantTime(
+ ctx->mac, NULL, sizeof(ctx->mac),
+ ctx->hash,
+ ctx->secret, ctx->secretLength,
+ ctx->header, ctx->headerLength,
+ data, len,
+ ctx->totalLength));
+}
+
+void
+sftk_MACConstantTime_EndHash(void *pctx, void *out, unsigned int *outLength,
+ unsigned int maxLength)
+{
+ const sftk_MACConstantTimeCtx *ctx = (sftk_MACConstantTimeCtx *)pctx;
+ unsigned int toCopy = ctx->hash->length;
+ if (toCopy > maxLength) {
+ toCopy = maxLength;
+ }
+ memcpy(out, ctx->mac, toCopy);
+ if (outLength) {
+ *outLength = toCopy;
+ }
+}
+
+void
+sftk_MACConstantTime_DestroyContext(void *pctx, PRBool free)
+{
+ PORT_ZFree(pctx, sizeof(sftk_MACConstantTimeCtx));
+}
+
+CK_RV
+sftk_MAC_Create(CK_MECHANISM_TYPE mech, SFTKObject *key, sftk_MACCtx **ret_ctx)
+{
+ CK_RV ret;
+
+ if (ret_ctx == NULL || key == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ *ret_ctx = PORT_New(sftk_MACCtx);
+ if (*ret_ctx == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ ret = sftk_MAC_Init(*ret_ctx, mech, key);
+ if (ret != CKR_OK) {
+ sftk_MAC_Destroy(*ret_ctx, PR_TRUE);
+ }
+
+ return ret;
+}
+
+CK_RV
+sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, SFTKObject *key)
+{
+ SFTKAttribute *keyval = NULL;
+ PRBool isFIPS = sftk_isFIPS(key->slot->slotID);
+ CK_RV ret = CKR_OK;
+
+ /* Find the actual value of the key. */
+ keyval = sftk_FindAttribute(key, CKA_VALUE);
+ if (keyval == NULL) {
+ ret = CKR_KEY_SIZE_RANGE;
+ goto done;
+ }
+
+ ret = sftk_MAC_InitRaw(ctx, mech,
+ (const unsigned char *)keyval->attrib.pValue,
+ keyval->attrib.ulValueLen, isFIPS);
+
+done:
+ if (keyval) {
+ sftk_FreeAttribute(keyval);
+ }
+ return ret;
+}
+
+CK_RV
+sftk_MAC_InitRaw(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, const unsigned char *key, unsigned int key_len, PRBool isFIPS)
+{
+ const SECHashObject *hashObj = NULL;
+ CK_RV ret = CKR_OK;
+
+ if (ctx == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /* Clear the context before use. */
+ PORT_Memset(ctx, 0, sizeof(*ctx));
+
+ /* Save the mech. */
+ ctx->mech = mech;
+
+ /* Initialize the correct MAC context. */
+ switch (mech) {
+ case CKM_MD2_HMAC:
+ case CKM_MD5_HMAC:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA256_HMAC:
+ case CKM_SHA384_HMAC:
+ case CKM_SHA512_HMAC:
+ hashObj = HASH_GetRawHashObject(sftk_HMACMechanismToHash(mech));
+
+ /* Because we condition above only on hashes we know to be valid,
+ * hashObj should never be NULL. This assert is only useful when
+ * adding a new hash function (for which only partial support has
+ * been added); thus there is no need to turn it into an if and
+ * avoid the NULL dereference on the following line. */
+ PR_ASSERT(hashObj != NULL);
+ ctx->mac_size = hashObj->length;
+
+ goto hmac;
+ case CKM_AES_CMAC:
+ ctx->mac.cmac = CMAC_Create(CMAC_AES, key, key_len);
+ ctx->destroy_func = (void (*)(void *, PRBool))(&CMAC_Destroy);
+
+ /* Copy the behavior of sftk_doCMACInit here. */
+ if (ctx->mac.cmac == NULL) {
+ if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
+ ret = CKR_KEY_SIZE_RANGE;
+ goto done;
+ }
+
+ ret = CKR_HOST_MEMORY;
+ goto done;
+ }
+
+ ctx->mac_size = AES_BLOCK_SIZE;
+
+ goto done;
+ default:
+ ret = CKR_MECHANISM_PARAM_INVALID;
+ goto done;
+ }
+
+hmac:
+ ctx->mac.hmac = HMAC_Create(hashObj, key, key_len, isFIPS);
+ ctx->destroy_func = (void (*)(void *, PRBool))(&HMAC_Destroy);
+
+ /* Copy the behavior of sftk_doHMACInit here. */
+ if (ctx->mac.hmac == NULL) {
+ if (PORT_GetError() == SEC_ERROR_INVALID_ARGS) {
+ ret = CKR_KEY_SIZE_RANGE;
+ goto done;
+ }
+ ret = CKR_HOST_MEMORY;
+ goto done;
+ }
+
+ /* Semantics: HMAC and CMAC should behave the same. Begin HMAC now. */
+ HMAC_Begin(ctx->mac.hmac);
+
+done:
+ /* Handle a failure: ctx->mac.raw should be NULL, but make sure
+ * destroy_func isn't set. */
+ if (ret != CKR_OK) {
+ ctx->destroy_func = NULL;
+ }
+
+ return ret;
+}
+
+CK_RV
+sftk_MAC_Reset(sftk_MACCtx *ctx)
+{
+ /* Useful for resetting the state of MAC prior to calling update again
+ *
+ * This lets the caller keep a single MAC instance and re-use it as long
+ * as the key stays the same. */
+ switch (ctx->mech) {
+ case CKM_MD2_HMAC:
+ case CKM_MD5_HMAC:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA256_HMAC:
+ case CKM_SHA384_HMAC:
+ case CKM_SHA512_HMAC:
+ HMAC_Begin(ctx->mac.hmac);
+ break;
+ case CKM_AES_CMAC:
+ if (CMAC_Begin(ctx->mac.cmac) != SECSuccess) {
+ return CKR_FUNCTION_FAILED;
+ }
+ break;
+ default:
+ /* This shouldn't happen -- asserting indicates partial support
+ * for a new MAC type. */
+ PR_ASSERT(PR_FALSE);
+ return CKR_FUNCTION_FAILED;
+ }
+
+ return CKR_OK;
+}
+
+CK_RV
+sftk_MAC_Update(sftk_MACCtx *ctx, const CK_BYTE *data, unsigned int data_len)
+{
+ switch (ctx->mech) {
+ case CKM_MD2_HMAC:
+ case CKM_MD5_HMAC:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA256_HMAC:
+ case CKM_SHA384_HMAC:
+ case CKM_SHA512_HMAC:
+ /* HMAC doesn't indicate failure in the return code. */
+ HMAC_Update(ctx->mac.hmac, data, data_len);
+ break;
+ case CKM_AES_CMAC:
+ /* CMAC indicates failure in the return code, however this is
+ * unlikely to occur. */
+ if (CMAC_Update(ctx->mac.cmac, data, data_len) != SECSuccess) {
+ return CKR_FUNCTION_FAILED;
+ }
+ break;
+ default:
+ /* This shouldn't happen -- asserting indicates partial support
+ * for a new MAC type. */
+ PR_ASSERT(PR_FALSE);
+ return CKR_FUNCTION_FAILED;
+ }
+ return CKR_OK;
+}
+
+CK_RV
+sftk_MAC_Finish(sftk_MACCtx *ctx, CK_BYTE_PTR result, unsigned int *result_len, unsigned int max_result_len)
+{
+ unsigned int actual_result_len;
+
+ switch (ctx->mech) {
+ case CKM_MD2_HMAC:
+ case CKM_MD5_HMAC:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA256_HMAC:
+ case CKM_SHA384_HMAC:
+ case CKM_SHA512_HMAC:
+ /* HMAC doesn't indicate failure in the return code. Additionally,
+ * unlike CMAC, it doesn't support partial results. This means that we
+ * need to allocate a buffer if max_result_len < ctx->mac_size. */
+ if (max_result_len >= ctx->mac_size) {
+ /* Split this into two calls to avoid an unnecessary stack
+ * allocation and memcpy when possible. */
+ HMAC_Finish(ctx->mac.hmac, result, &actual_result_len, max_result_len);
+ } else {
+ uint8_t tmp_buffer[SFTK_MAX_MAC_LENGTH];
+
+ /* Assumption: buffer is large enough to hold this HMAC's
+ * output. */
+ PR_ASSERT(SFTK_MAX_MAC_LENGTH >= ctx->mac_size);
+
+ HMAC_Finish(ctx->mac.hmac, tmp_buffer, &actual_result_len, SFTK_MAX_MAC_LENGTH);
+
+ if (actual_result_len > max_result_len) {
+ /* This should always be true since:
+ *
+ * (SFTK_MAX_MAC_LENGTH >= ctx->mac_size =
+ * actual_result_len) > max_result_len,
+ *
+ * but guard this truncation just in case. */
+ actual_result_len = max_result_len;
+ }
+
+ PORT_Memcpy(result, tmp_buffer, actual_result_len);
+ }
+ break;
+ case CKM_AES_CMAC:
+ /* CMAC indicates failure in the return code, however this is
+ * unlikely to occur. */
+ if (CMAC_Finish(ctx->mac.cmac, result, &actual_result_len, max_result_len) != SECSuccess) {
+ return CKR_FUNCTION_FAILED;
+ }
+ break;
+ default:
+ /* This shouldn't happen -- asserting indicates partial support
+ * for a new MAC type. */
+ PR_ASSERT(PR_FALSE);
+ return CKR_FUNCTION_FAILED;
+ }
+
+ if (result_len) {
+ /* When result length is passed, inform the caller of its value. */
+ *result_len = actual_result_len;
+ } else if (max_result_len == ctx->mac_size) {
+ /* Validate that the amount requested was what was actually given; the
+ * caller assumes that what they passed was the output size of the
+ * underlying MAC and that they got all the bytes the asked for. */
+ PR_ASSERT(actual_result_len == max_result_len);
+ }
+
+ return CKR_OK;
+}
+
+void
+sftk_MAC_Destroy(sftk_MACCtx *ctx, PRBool free_it)
+{
+ if (ctx == NULL) {
+ return;
+ }
+
+ if (ctx->mac.raw != NULL && ctx->destroy_func != NULL) {
+ ctx->destroy_func(ctx->mac.raw, PR_TRUE);
+ }
+
+ /* Clean up the struct so we don't double free accidentally. */
+ PORT_Memset(ctx, 0, sizeof(sftk_MACCtx));
+
+ if (free_it == PR_TRUE) {
+ PORT_Free(ctx);
+ }
+}
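Review bot: The `loser` path in sftk_SSLv3MACConstantTime_New releases a context that already holds the key bytes (SetupMAC copied them into `ctx->secret`) with a plain `PORT_Free(ctx)`, whereas the normal teardown in sftk_MACConstantTime_DestroyContext zeroizes with `PORT_ZFree(pctx, sizeof(sftk_MACConstantTimeCtx))`; the error path should match, `PORT_ZFree(ctx, sizeof(*ctx));`. Separately, both sftk_HMACConstantTime_New (`params->ulHeaderLen`) and sftk_SSLv3MACConstantTime_New (`params->macAlg`) read through `params` before SetupMAC performs the `mech->ulParameterLen != sizeof(CK_NSS_MAC_CONSTANT_TIME_PARAMS)` check, so a mechanism with a short or NULL pParameter is dereferenced before it is validated; moving that length check ahead of the first `params->` read in each constructor would close the window, unless the callers (not visible here) already enforce it. A smaller point in sftk_MAC_Finish: the stack `tmp_buffer` still holds the full MAC after the truncated copy and is never cleared, so a `PORT_Memset(tmp_buffer, 0, sizeof(tmp_buffer));` after the PORT_Memcpy would keep it consistent with the zeroization done elsewhere in this file.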
diff --git a/security/nss/lib/softoken/sftkike.c b/security/nss/lib/softoken/sftkike.c
new file mode 100644
index 0000000000..6756040b64
--- /dev/null
+++ b/security/nss/lib/softoken/sftkike.c
@@ -0,0 +1,1419 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard.
+ * This implementation has two slots:
+ * slot 1 is our generic crypto support. It does not require login.
+ * It supports Public Key ops, and all they bulk ciphers and hashes.
+ * It can also support Private Key ops for imported Private keys. It does
+ * not have any token storage.
+ * slot 2 is our private key support. It requires a login before use. It
+ * can store Private Keys and Certs as token objects. Currently only private
+ * keys and their associated Certificates are saved on the token.
+ *
+ * In this implementation, session objects are only visible to the session
+ * that created or generated them.
+ */
+#include "seccomon.h"
+#include "secitem.h"
+#include "secport.h"
+#include "blapi.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "pkcs1sig.h"
+#include "lowkeyi.h"
+#include "secder.h"
+#include "secdig.h"
+#include "lowpbe.h" /* We do PBE below */
+#include "pkcs11t.h"
+#include "secoid.h"
+#include "alghmac.h"
+#include "softoken.h"
+#include "secasn1.h"
+#include "secerr.h"
+
+#include "prprf.h"
+#include "prenv.h"
+
+/*
+ * A common prfContext to handle both hmac and aes xcbc
+ * hash contexts have non-null hashObj and hmac, aes
+ * contexts have non-null aes */
+typedef struct prfContextStr {
+ HASH_HashType hashType;
+ const SECHashObject *hashObj;
+ HMACContext *hmac;
+ AESContext *aes;
+ unsigned int nextChar;
+ unsigned char padBuf[AES_BLOCK_SIZE];
+ unsigned char macBuf[AES_BLOCK_SIZE];
+ unsigned char k1[AES_BLOCK_SIZE];
+ unsigned char k2[AES_BLOCK_SIZE];
+ unsigned char k3[AES_BLOCK_SIZE];
+} prfContext;
+
+/* iv full of zeros used in several places in aes xcbc */
+static const unsigned char iv_zero[] = {
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+/*
+ * Generate AES XCBC keys from the AES MAC key.
+ * k1 is used in the actual mac.
+ * k2 and k3 are used in the final pad step.
+ */
+static CK_RV
+sftk_aes_xcbc_get_keys(const unsigned char *keyValue, unsigned int keyLen,
+ unsigned char *k1, unsigned char *k2, unsigned char *k3)
+{
+ SECStatus rv;
+ CK_RV crv;
+ unsigned int tmpLen;
+ AESContext *aes_context = NULL;
+ unsigned char newKey[AES_BLOCK_SIZE];
+
+ /* AES XCBC keys. k1, k2, and k3 are derived by encrypting
+ * k1data, k2data, and k3data with the mac key.
+ */
+ static const unsigned char k1data[] = {
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01
+ };
+ static const unsigned char k2data[] = {
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02
+ };
+ static const unsigned char k3data[] = {
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03
+ };
+
+ /* k1_0 = aes_ecb(0, k1data) */
+ static const unsigned char k1_0[] = {
+ 0xe1, 0x4d, 0x5d, 0x0e, 0xe2, 0x77, 0x15, 0xdf,
+ 0x08, 0xb4, 0x15, 0x2b, 0xa2, 0x3d, 0xa8, 0xe0
+
+ };
+ /* k2_0 = aes_ecb(0, k2data) */
+ static const unsigned char k2_0[] = {
+ 0x5e, 0xba, 0x73, 0xf8, 0x91, 0x42, 0xc5, 0x48,
+ 0x80, 0xf6, 0x85, 0x94, 0x37, 0x3c, 0x5c, 0x37
+ };
+ /* k3_0 = aes_ecb(0, k3data) */
+ static const unsigned char k3_0[] = {
+ 0x8d, 0x34, 0xef, 0xcb, 0x3b, 0xd5, 0x45, 0xca,
+ 0x06, 0x2a, 0xec, 0xdf, 0xef, 0x7c, 0x0b, 0xfa
+ };
+
+ /* first make sure out input key is the correct length
+ * rfc 4434. If key is shorter, pad with zeros to the
+ * the right. If key is longer newKey = aes_xcbc(0, key, keyLen).
+ */
+ if (keyLen < AES_BLOCK_SIZE) {
+ PORT_Memcpy(newKey, keyValue, keyLen);
+ PORT_Memset(&newKey[keyLen], 0, AES_BLOCK_SIZE - keyLen);
+ keyValue = newKey;
+ } else if (keyLen > AES_BLOCK_SIZE) {
+ /* calculate our new key = aes_xcbc(0, key, keyLen). Because the
+ * key above is fixed (0), we can precalculate k1, k2, and k3.
+ * if this code ever needs to be more generic (support any xcbc
+ * function rather than just aes, we would probably want to just
+ * recurse here using our prf functions. This would be safe because
+ * the recurse case would have keyLen == blocksize and thus skip
+ * this conditional.
+ */
+ aes_context = AES_CreateContext(k1_0, iv_zero, NSS_AES_CBC,
+ PR_TRUE, AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+ /* we know the following loop will execute at least once */
+ while (keyLen > AES_BLOCK_SIZE) {
+ rv = AES_Encrypt(aes_context, newKey, &tmpLen, AES_BLOCK_SIZE,
+ keyValue, AES_BLOCK_SIZE);
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ keyValue += AES_BLOCK_SIZE;
+ keyLen -= AES_BLOCK_SIZE;
+ }
+ PORT_Memcpy(newKey, keyValue, keyLen);
+ sftk_xcbc_mac_pad(newKey, keyLen, AES_BLOCK_SIZE, k2_0, k3_0);
+ rv = AES_Encrypt(aes_context, newKey, &tmpLen, AES_BLOCK_SIZE,
+ newKey, AES_BLOCK_SIZE);
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ keyValue = newKey;
+ AES_DestroyContext(aes_context, PR_TRUE);
+ }
+ /* the length of the key in keyValue is known to be AES_BLOCK_SIZE,
+ * either because it was on input, or it was shorter and extended, or
+ * because it was mac'd down using aes_xcbc_prf.
+ */
+ aes_context = AES_CreateContext(keyValue, iv_zero,
+ NSS_AES, PR_TRUE, AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+ if (aes_context == NULL) {
+ goto fail;
+ }
+ rv = AES_Encrypt(aes_context, k1, &tmpLen, AES_BLOCK_SIZE,
+ k1data, sizeof(k1data));
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ rv = AES_Encrypt(aes_context, k2, &tmpLen, AES_BLOCK_SIZE,
+ k2data, sizeof(k2data));
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ rv = AES_Encrypt(aes_context, k3, &tmpLen, AES_BLOCK_SIZE,
+ k3data, sizeof(k3data));
+ if (rv != SECSuccess) {
+ goto fail;
+ }
+ AES_DestroyContext(aes_context, PR_TRUE);
+ PORT_Memset(newKey, 0, AES_BLOCK_SIZE);
+ return CKR_OK;
+fail:
+ crv = sftk_MapCryptError(PORT_GetError());
+ if (aes_context) {
+ AES_DestroyContext(aes_context, PR_TRUE);
+ }
+ PORT_Memset(k1, 0, AES_BLOCK_SIZE);
+ PORT_Memset(k2, 0, AES_BLOCK_SIZE);
+ PORT_Memset(k3, 0, AES_BLOCK_SIZE);
+ PORT_Memset(newKey, 0, AES_BLOCK_SIZE);
+ return crv;
+}
+
+/* encode the final pad block of aes xcbc, padBuf is modified */
+CK_RV
+sftk_xcbc_mac_pad(unsigned char *padBuf, unsigned int bufLen,
+ unsigned int blockSize, const unsigned char *k2,
+ const unsigned char *k3)
+{
+ unsigned int i;
+ if (bufLen == blockSize) {
+ for (i = 0; i < blockSize; i++) {
+ padBuf[i] ^= k2[i];
+ }
+ } else {
+ padBuf[bufLen++] = 0x80;
+ for (i = bufLen; i < blockSize; i++) {
+ padBuf[i] = 0x00;
+ }
+ for (i = 0; i < blockSize; i++) {
+ padBuf[i] ^= k3[i];
+ }
+ }
+ return CKR_OK;
+}
+
+/* Map the mechanism to the underlying hash. If the type is not a hash
+ * or HMAC, return HASH_AlgNULL. This can happen legitimately if
+ * we are doing AES XCBC */
+static HASH_HashType
+sftk_map_hmac_to_hash(CK_MECHANISM_TYPE type)
+{
+ switch (type) {
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA_1:
+ return HASH_AlgSHA1;
+ case CKM_MD5_HMAC:
+ case CKM_MD5:
+ return HASH_AlgMD5;
+ case CKM_MD2_HMAC:
+ case CKM_MD2:
+ return HASH_AlgMD2;
+ case CKM_SHA224_HMAC:
+ case CKM_SHA224:
+ return HASH_AlgSHA224;
+ case CKM_SHA256_HMAC:
+ case CKM_SHA256:
+ return HASH_AlgSHA256;
+ case CKM_SHA384_HMAC:
+ case CKM_SHA384:
+ return HASH_AlgSHA384;
+ case CKM_SHA512_HMAC:
+ case CKM_SHA512:
+ return HASH_AlgSHA512;
+ }
+ return HASH_AlgNULL;
+}
+
+/*
+ * Generally setup the context based on the mechanism.
+ * If the mech is HMAC, context->hashObj should be set
+ * Otherwise it is assumed to be AES XCBC. prf_setup
+ * checks these assumptions and will return an error
+ * if they are not met. NOTE: this function does not allocate
+ * anything, so there is no requirement to free context after
+ * prf_setup like there is if you call prf_init.
+ */
+static CK_RV
+prf_setup(prfContext *context, CK_MECHANISM_TYPE mech)
+{
+ context->hashType = sftk_map_hmac_to_hash(mech);
+ context->hashObj = NULL;
+ context->hmac = NULL;
+ context->aes = NULL;
+ if (context->hashType != HASH_AlgNULL) {
+ context->hashObj = HASH_GetRawHashObject(context->hashType);
+ if (context->hashObj == NULL) {
+ return CKR_GENERAL_ERROR;
+ }
+ return CKR_OK;
+ } else if (mech == CKM_AES_XCBC_MAC) {
+ return CKR_OK;
+ }
+ return CKR_MECHANISM_PARAM_INVALID;
+}
+
+/* return the underlying prf length for this context. This will
+ * function once the context is setup */
+static CK_RV
+prf_length(prfContext *context)
+{
+ if (context->hashObj) {
+ return context->hashObj->length;
+ }
+ return AES_BLOCK_SIZE; /* AES */
+}
+
+/* set up the key for the prf. prf_update or prf_final should not be called if
+ * prf_init has not been called first. Once prf_init returns hmac and
+ * aes contexts should set and valid.
+ */
+static CK_RV
+prf_init(prfContext *context, const unsigned char *keyValue,
+ unsigned int keyLen)
+{
+ CK_RV crv;
+
+ context->hmac = NULL;
+ if (context->hashObj) {
+ context->hmac = HMAC_Create(context->hashObj,
+ keyValue, keyLen, PR_FALSE);
+ if (context->hmac == NULL) {
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ HMAC_Begin(context->hmac);
+ } else {
+ crv = sftk_aes_xcbc_get_keys(keyValue, keyLen, context->k1,
+ context->k2, context->k3);
+ if (crv != CKR_OK)
+ return crv;
+ context->nextChar = 0;
+ context->aes = AES_CreateContext(context->k1, iv_zero, NSS_AES_CBC,
+ PR_TRUE, sizeof(context->k1), AES_BLOCK_SIZE);
+ if (context->aes == NULL) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ PORT_Memset(context->k1, 0, sizeof(context->k1));
+ PORT_Memset(context->k2, 0, sizeof(context->k2));
+ PORT_Memset(context->k3, 0, sizeof(context->k2));
+ return crv;
+ }
+ }
+ return CKR_OK;
+}
+
+/*
+ * process input to the prf
+ */
+static CK_RV
+prf_update(prfContext *context, const unsigned char *buf, unsigned int len)
+{
+ unsigned int tmpLen;
+ SECStatus rv;
+
+ if (context->hmac) {
+ HMAC_Update(context->hmac, buf, len);
+ } else {
+ /* AES MAC XCBC*/
+ /* We must keep the last block back so that it can be processed in
+ * final. This is why we only check that nextChar + len > blocksize,
+ * rather than checking that nextChar + len >= blocksize */
+ while (context->nextChar + len > AES_BLOCK_SIZE) {
+ if (context->nextChar != 0) {
+ /* first handle fill in any partial blocks in the buffer */
+ unsigned int left = AES_BLOCK_SIZE - context->nextChar;
+ /* note: left can be zero */
+ PORT_Memcpy(context->padBuf + context->nextChar, buf, left);
+ /* NOTE: AES MAC XCBC xors the data with the previous block
+ * We don't do that step here because our AES_Encrypt mode
+ * is CBC, which does the xor automatically */
+ rv = AES_Encrypt(context->aes, context->macBuf, &tmpLen,
+ sizeof(context->macBuf), context->padBuf,
+ sizeof(context->padBuf));
+ if (rv != SECSuccess) {
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ context->nextChar = 0;
+ len -= left;
+ buf += left;
+ } else {
+ /* optimization. if we have complete blocks to write out
+ * (and will still have leftover blocks for padbuf in the end).
+ * we can mac directly out of our buffer without first copying
+ * them to padBuf */
+ rv = AES_Encrypt(context->aes, context->macBuf, &tmpLen,
+ sizeof(context->macBuf), buf, AES_BLOCK_SIZE);
+ if (rv != SECSuccess) {
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ len -= AES_BLOCK_SIZE;
+ buf += AES_BLOCK_SIZE;
+ }
+ }
+ PORT_Memcpy(context->padBuf + context->nextChar, buf, len);
+ context->nextChar += len;
+ }
+ return CKR_OK;
+}
+
+/*
+ * free the data associated with the prf. Clear any possible CSPs
+ * This can safely be called on any context after prf_setup. It can
+ * also be called an an already freed context.
+ * A free context can be reused by calling prf_init again without
+ * the need to call prf_setup.
+ */
+static void
+prf_free(prfContext *context)
+{
+ if (context->hmac) {
+ HMAC_Destroy(context->hmac, PR_TRUE);
+ context->hmac = NULL;
+ }
+ if (context->aes) {
+ PORT_Memset(context->k1, 0, sizeof(context->k1));
+ PORT_Memset(context->k2, 0, sizeof(context->k2));
+ PORT_Memset(context->k3, 0, sizeof(context->k2));
+ PORT_Memset(context->padBuf, 0, sizeof(context->padBuf));
+ PORT_Memset(context->macBuf, 0, sizeof(context->macBuf));
+ AES_DestroyContext(context->aes, PR_TRUE);
+ context->aes = NULL;
+ }
+}
+
+/*
+ * extract the final prf value. On success, this has the side effect of
+ * also freeing the context data and clearing the keys
+ */
+static CK_RV
+prf_final(prfContext *context, unsigned char *buf, unsigned int len)
+{
+ unsigned int tmpLen;
+ SECStatus rv;
+
+ if (context->hmac) {
+ unsigned int outLen;
+ HMAC_Finish(context->hmac, buf, &outLen, len);
+ if (outLen != len) {
+ return CKR_GENERAL_ERROR;
+ }
+ } else {
+ /* prf_update had guarrenteed that the last full block is still in
+ * the padBuf if the input data is a multiple of the blocksize. This
+ * allows sftk_xcbc_mac_pad to process that pad buf accordingly */
+ CK_RV crv = sftk_xcbc_mac_pad(context->padBuf, context->nextChar,
+ AES_BLOCK_SIZE, context->k2, context->k3);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ rv = AES_Encrypt(context->aes, context->macBuf, &tmpLen,
+ sizeof(context->macBuf), context->padBuf, AES_BLOCK_SIZE);
+ if (rv != SECSuccess) {
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ PORT_Memcpy(buf, context->macBuf, len);
+ }
+ prf_free(context);
+ return CKR_OK;
+}
+
+/*
+ * There are four flavors of ike prf functions here.
+ * ike_prf is used in both ikeV1 and ikeV2 to generate
+ * an initial key that all the other keys are generated with.
+ *
+ * These functions are called from NSC_DeriveKey with the inKey value
+ * already looked up, and it expects the CKA_VALUE for outKey to be set.
+ *
+ * Depending on usage it returns either:
+ * 1. prf(Ni|Nr, inKey); (bDataAsKey=TRUE, bRekey=FALSE)
+ * 2. prf(inKey, Ni|Nr); (bDataAsKkey=FALSE, bRekey=FALSE)
+ * 3. prf(inKey, newKey | Ni | Nr); (bDataAsKey=FALSE, bRekey=TRUE)
+ * The resulting output key is always the length of the underlying prf
+ * (as returned by prf_length()).
+ * The combination of bDataAsKey=TRUE and bRekey=TRUE is not allowed
+ *
+ * Case 1 is used in
+ * a. ikev2 (rfc5996) inKey is called g^ir, the output is called SKEYSEED
+ * b. ikev1 (rfc2409) inKey is called g^ir, the output is called SKEYID
+ * Case 2 is used in ikev1 (rfc2409) inkey is called pre-shared-key, output
+ * is called SKEYID
+ * Case 3 is used in ikev2 (rfc5996) rekey case, inKey is SK_d, newKey is
+ * g^ir (new), the output is called SKEYSEED
+ */
+CK_RV
+sftk_ike_prf(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey,
+ const CK_NSS_IKE_PRF_DERIVE_PARAMS *params, SFTKObject *outKey)
+{
+ SFTKAttribute *newKeyValue = NULL;
+ SFTKObject *newKeyObj = NULL;
+ unsigned char outKeyData[HASH_LENGTH_MAX];
+ unsigned char *newInKey = NULL;
+ unsigned int newInKeySize = 0;
+ unsigned int macSize;
+ CK_RV crv = CKR_OK;
+ prfContext context;
+
+ crv = prf_setup(&context, params->prfMechanism);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ macSize = prf_length(&context);
+ if ((params->bDataAsKey) && (params->bRekey)) {
+ return CKR_ARGUMENTS_BAD;
+ }
+ if (params->bRekey) {
+ /* lookup the value of new key from the session and key handle */
+ SFTKSession *session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ newKeyObj = sftk_ObjectFromHandle(params->hNewKey, session);
+ sftk_FreeSession(session);
+ if (newKeyObj == NULL) {
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ newKeyValue = sftk_FindAttribute(newKeyObj, CKA_VALUE);
+ if (newKeyValue == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ goto fail;
+ }
+ }
+ if (params->bDataAsKey) {
+ /* The key is Ni || Np, so we need to concatenate them together first */
+ newInKeySize = params->ulNiLen + params->ulNrLen;
+ newInKey = PORT_Alloc(newInKeySize);
+ if (newInKey == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto fail;
+ }
+ PORT_Memcpy(newInKey, params->pNi, params->ulNiLen);
+ PORT_Memcpy(newInKey + params->ulNiLen, params->pNr, params->ulNrLen);
+ crv = prf_init(&context, newInKey, newInKeySize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ /* key as the data */
+ crv = prf_update(&context, inKey->attrib.pValue,
+ inKey->attrib.ulValueLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ } else {
+ crv = prf_init(&context, inKey->attrib.pValue,
+ inKey->attrib.ulValueLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ if (newKeyValue) {
+ crv = prf_update(&context, newKeyValue->attrib.pValue,
+ newKeyValue->attrib.ulValueLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ }
+ crv = prf_update(&context, params->pNi, params->ulNiLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_update(&context, params->pNr, params->ulNrLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ }
+ crv = prf_final(&context, outKeyData, macSize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+
+ crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, macSize);
+fail:
+ if (newInKey) {
+ PORT_ZFree(newInKey, newInKeySize);
+ }
+ if (newKeyValue) {
+ sftk_FreeAttribute(newKeyValue);
+ }
+ if (newKeyObj) {
+ sftk_FreeObject(newKeyObj);
+ }
+ PORT_Memset(outKeyData, 0, macSize);
+ prf_free(&context);
+ return crv;
+}
+
+/*
+ * The second flavor of ike prf is ike1_prf.
+ *
+ * It is used by ikeV1 to generate the various session keys used in the
+ * connection. It uses the initial key, an optional previous key, and a one byte
+ * key number to generate a unique key for each of the various session
+ * functions (encryption, decryption, mac). These keys expect a key size
+ * (as they may vary in length based on usage). If no length is provided,
+ * it will default to the length of the prf.
+ *
+ * This function returns either:
+ * prf(inKey, gxyKey || CKYi || CKYr || key_number)
+ * or
+ * prf(inKey, prevkey || gxyKey || CKYi || CKYr || key_number)
+ * depending on the stats of bHasPrevKey
+ *
+ * This is defined in rfc2409. For each of the following keys.
+ * inKey is SKEYID, gxyKey is g^xy
+ * for outKey = SKEYID_d, bHasPrevKey = false, key_number = 0
+ * for outKey = SKEYID_a, prevKey= SKEYID_d, key_number = 1
+ * for outKey = SKEYID_e, prevKey= SKEYID_a, key_number = 2
+ */
+CK_RV
+sftk_ike1_prf(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey,
+ const CK_NSS_IKE1_PRF_DERIVE_PARAMS *params, SFTKObject *outKey,
+ unsigned int keySize)
+{
+ SFTKAttribute *gxyKeyValue = NULL;
+ SFTKObject *gxyKeyObj = NULL;
+ SFTKAttribute *prevKeyValue = NULL;
+ SFTKObject *prevKeyObj = NULL;
+ SFTKSession *session;
+ unsigned char outKeyData[HASH_LENGTH_MAX];
+ unsigned int macSize;
+ CK_RV crv;
+ prfContext context;
+
+ crv = prf_setup(&context, params->prfMechanism);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ macSize = prf_length(&context);
+ if (keySize > macSize) {
+ return CKR_KEY_SIZE_RANGE;
+ }
+ if (keySize == 0) {
+ keySize = macSize;
+ }
+
+ /* lookup the two keys from their passed in handles */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ gxyKeyObj = sftk_ObjectFromHandle(params->hKeygxy, session);
+ if (params->bHasPrevKey) {
+ prevKeyObj = sftk_ObjectFromHandle(params->hPrevKey, session);
+ }
+ sftk_FreeSession(session);
+ if ((gxyKeyObj == NULL) || ((params->bHasPrevKey) &&
+ (prevKeyObj == NULL))) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ goto fail;
+ }
+ gxyKeyValue = sftk_FindAttribute(gxyKeyObj, CKA_VALUE);
+ if (gxyKeyValue == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ goto fail;
+ }
+ if (prevKeyObj) {
+ prevKeyValue = sftk_FindAttribute(prevKeyObj, CKA_VALUE);
+ if (prevKeyValue == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ goto fail;
+ }
+ }
+
+ /* outKey = prf(inKey, [prevKey|] gxyKey | CKYi | CKYr | keyNumber) */
+ crv = prf_init(&context, inKey->attrib.pValue, inKey->attrib.ulValueLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ if (prevKeyValue) {
+ crv = prf_update(&context, prevKeyValue->attrib.pValue,
+ prevKeyValue->attrib.ulValueLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ }
+ crv = prf_update(&context, gxyKeyValue->attrib.pValue,
+ gxyKeyValue->attrib.ulValueLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_update(&context, params->pCKYi, params->ulCKYiLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_update(&context, params->pCKYr, params->ulCKYrLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_update(&context, &params->keyNumber, 1);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_final(&context, outKeyData, macSize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+
+ crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, keySize);
+fail:
+ if (gxyKeyValue) {
+ sftk_FreeAttribute(gxyKeyValue);
+ }
+ if (prevKeyValue) {
+ sftk_FreeAttribute(prevKeyValue);
+ }
+ if (gxyKeyObj) {
+ sftk_FreeObject(gxyKeyObj);
+ }
+ if (prevKeyObj) {
+ sftk_FreeObject(prevKeyObj);
+ }
+ PORT_Memset(outKeyData, 0, macSize);
+ prf_free(&context);
+ return crv;
+}
+
+/*
+ * The third flavor of ike prf is ike1_appendix_b.
+ *
+ * It is used by ikeV1 to generate longer key material from skeyid_e.
+ * Unlike ike1_prf, if no length is provided, this function
+ * will generate a KEY_RANGE_ERROR.
+ *
+ * This function returns (from rfc2409 appendix b):
+ * Ka = K1 | K2 | K3 | K4 |... Kn
+ * where:
+ * K1 = prf(K, [gxyKey]|[extraData]) or prf(K, 0) if gxyKey and extraData
+ * ar not present.
+ * K2 = prf(K, K1|[gxyKey]|[extraData])
+ * K3 = prf(K, K2|[gxyKey]|[extraData])
+ * K4 = prf(K, K3|[gxyKey]|[extraData])
+ * .
+ * Kn = prf(K, K(n-1)|[gxyKey]|[extraData])
+ * K = inKey
+ */
+CK_RV
+sftk_ike1_appendix_b_prf(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey,
+ const CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS *params,
+ SFTKObject *outKey, unsigned int keySize)
+{
+ SFTKAttribute *gxyKeyValue = NULL;
+ SFTKObject *gxyKeyObj = NULL;
+ unsigned char *outKeyData = NULL;
+ unsigned char *thisKey = NULL;
+ unsigned char *lastKey = NULL;
+ unsigned int macSize;
+ unsigned int outKeySize;
+ unsigned int genKeySize;
+ PRBool quickMode = PR_FALSE;
+ CK_RV crv;
+ prfContext context;
+
+ if ((params->ulExtraDataLen != 0) && (params->pExtraData == NULL)) {
+ return CKR_ARGUMENTS_BAD;
+ }
+ crv = prf_setup(&context, params->prfMechanism);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ if (params->bHasKeygxy) {
+ SFTKSession *session;
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ gxyKeyObj = sftk_ObjectFromHandle(params->hKeygxy, session);
+ sftk_FreeSession(session);
+ if (gxyKeyObj == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ goto fail;
+ }
+ gxyKeyValue = sftk_FindAttribute(gxyKeyObj, CKA_VALUE);
+ if (gxyKeyValue == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ goto fail;
+ }
+ quickMode = PR_TRUE;
+ }
+
+ if (params->ulExtraDataLen != 0) {
+ quickMode = PR_TRUE;
+ }
+
+ macSize = prf_length(&context);
+
+ if (keySize == 0) {
+ keySize = macSize;
+ }
+
+ /* In appendix B, we are just expanding or contracting a single key.
+ * If the input key is less than or equal to the the key size we want,
+ * just subset the original key. In quick mode we are actually getting
+ * new keys (salted with our seed data and our gxy key), so we want to
+ * run through our algorithm */
+ if ((!quickMode) && (keySize <= inKey->attrib.ulValueLen)) {
+ return sftk_forceAttribute(outKey, CKA_VALUE,
+ inKey->attrib.pValue, keySize);
+ }
+
+ outKeySize = PR_ROUNDUP(keySize, macSize);
+ outKeyData = PORT_Alloc(outKeySize);
+ if (outKeyData == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto fail;
+ }
+
+ /*
+ * this loop generates on block of the prf, basically
+ * kn = prf(key, Kn-1 | [Keygxy] | [ExtraData])
+ * Kn is thisKey, Kn-1 is lastKey
+ * key is inKey
+ */
+ thisKey = outKeyData;
+ for (genKeySize = 0; genKeySize < keySize; genKeySize += macSize) {
+ PRBool hashedData = PR_FALSE;
+ crv = prf_init(&context, inKey->attrib.pValue, inKey->attrib.ulValueLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ if (lastKey != NULL) {
+ crv = prf_update(&context, lastKey, macSize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ hashedData = PR_TRUE;
+ }
+ if (gxyKeyValue != NULL) {
+ crv = prf_update(&context, gxyKeyValue->attrib.pValue,
+ gxyKeyValue->attrib.ulValueLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ hashedData = PR_TRUE;
+ }
+ if (params->ulExtraDataLen != 0) {
+ crv = prf_update(&context, params->pExtraData, params->ulExtraDataLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ hashedData = PR_TRUE;
+ }
+ /* if we haven't hashed anything yet, hash a zero */
+ if (hashedData == PR_FALSE) {
+ const unsigned char zero = 0;
+ crv = prf_update(&context, &zero, 1);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ }
+ crv = prf_final(&context, thisKey, macSize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ lastKey = thisKey;
+ thisKey += macSize;
+ }
+ crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, keySize);
+fail:
+ if (gxyKeyValue) {
+ sftk_FreeAttribute(gxyKeyValue);
+ }
+ if (gxyKeyObj) {
+ sftk_FreeObject(gxyKeyObj);
+ }
+ if (outKeyData) {
+ PORT_ZFree(outKeyData, outKeySize);
+ }
+ prf_free(&context);
+ return crv;
+}
+
+/*
+ * The final flavor of ike prf is ike_prf_plus
+ *
+ * It is used by ikeV2 to generate the various session keys used in the
+ * connection. It uses the initial key and a feedback version of the prf
+ * to generate sufficient bytes to cover all the session keys. The application
+ * will then use CK_EXTRACT_KEY_FROM_KEY to pull out the various subkeys.
+ * This function expects a key size to be set by the application to cover
+ * all the keys. Unlike ike1_prf, if no length is provided, this function
+ * will generate a KEY_RANGE_ERROR
+ *
+ * This function returns (from rfc5996):
+ * prfplus = T1 | T2 | T3 | T4 |... Tn
+ * where:
+ * T1 = prf(K, S | 0x01)
+ * T2 = prf(K, T1 | S | 0x02)
+ * T3 = prf(K, T3 | S | 0x03)
+ * T4 = prf(K, T4 | S | 0x04)
+ * .
+ * Tn = prf(K, T(n-1) | n)
+ * K = inKey, S = seedKey | seedData
+ */
+
+static CK_RV
+sftk_ike_prf_plus_raw(CK_SESSION_HANDLE hSession,
+ const unsigned char *inKeyData, CK_ULONG inKeyLen,
+ const CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *params,
+ unsigned char **outKeyDataPtr, unsigned int *outKeySizePtr,
+ unsigned int keySize)
+{
+ SFTKAttribute *seedValue = NULL;
+ SFTKObject *seedKeyObj = NULL;
+ unsigned char *outKeyData = NULL;
+ unsigned int outKeySize;
+ unsigned char *thisKey;
+ unsigned char *lastKey = NULL;
+ unsigned char currentByte = 0;
+ unsigned int getKeySize;
+ unsigned int macSize;
+ CK_RV crv;
+ prfContext context;
+
+ if (keySize == 0) {
+ return CKR_KEY_SIZE_RANGE;
+ }
+
+ crv = prf_setup(&context, params->prfMechanism);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ /* pull in optional seedKey */
+ if (params->bHasSeedKey) {
+ SFTKSession *session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+ seedKeyObj = sftk_ObjectFromHandle(params->hSeedKey, session);
+ sftk_FreeSession(session);
+ if (seedKeyObj == NULL) {
+ return CKR_KEY_HANDLE_INVALID;
+ }
+ seedValue = sftk_FindAttribute(seedKeyObj, CKA_VALUE);
+ if (seedValue == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ goto fail;
+ }
+ } else if (params->ulSeedDataLen == 0) {
+ crv = CKR_ARGUMENTS_BAD;
+ goto fail;
+ }
+ macSize = prf_length(&context);
+ outKeySize = PR_ROUNDUP(keySize, macSize);
+ outKeyData = PORT_Alloc(outKeySize);
+ if (outKeyData == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto fail;
+ }
+
+ /*
+ * this loop generates on block of the prf, basically
+ * Tn = prf(key, Tn-1 | S | n)
+ * Tn is thisKey, Tn-2 is lastKey, S is seedKey || seedData,
+ * key is inKey. currentByte = n-1 on entry.
+ */
+ thisKey = outKeyData;
+ for (getKeySize = 0; getKeySize < keySize; getKeySize += macSize) {
+ /* if currentByte is 255, we'll overflow when we increment it below.
+ * This can only happen if keysize > 255*macSize. In that case
+ * the application has asked for too much key material, so return
+ * an error */
+ if (currentByte == 255) {
+ crv = CKR_KEY_SIZE_RANGE;
+ goto fail;
+ }
+ crv = prf_init(&context, inKeyData, inKeyLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+
+ if (lastKey) {
+ crv = prf_update(&context, lastKey, macSize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ }
+ /* prf the key first */
+ if (seedValue) {
+ crv = prf_update(&context, seedValue->attrib.pValue,
+ seedValue->attrib.ulValueLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ }
+ /* then prf the data */
+ if (params->ulSeedDataLen != 0) {
+ crv = prf_update(&context, params->pSeedData,
+ params->ulSeedDataLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ }
+ currentByte++;
+ crv = prf_update(&context, &currentByte, 1);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_final(&context, thisKey, macSize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ lastKey = thisKey;
+ thisKey += macSize;
+ }
+ *outKeyDataPtr = outKeyData;
+ *outKeySizePtr = outKeySize;
+ outKeyData = NULL; /* don't free it here, our caller will free it */
+fail:
+ if (outKeyData) {
+ PORT_ZFree(outKeyData, outKeySize);
+ }
+ if (seedValue) {
+ sftk_FreeAttribute(seedValue);
+ }
+ if (seedKeyObj) {
+ sftk_FreeObject(seedKeyObj);
+ }
+ prf_free(&context);
+ return crv;
+}
+
+/*
+ * ike prf + with code to deliever results tosoftoken objects.
+ */
+CK_RV
+sftk_ike_prf_plus(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey,
+ const CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *params, SFTKObject *outKey,
+ unsigned int keySize)
+{
+ unsigned char *outKeyData = NULL;
+ unsigned int outKeySize;
+ CK_RV crv;
+
+ crv = sftk_ike_prf_plus_raw(hSession, inKey->attrib.pValue,
+ inKey->attrib.ulValueLen, params,
+ &outKeyData, &outKeySize, keySize);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+
+ crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, keySize);
+ PORT_ZFree(outKeyData, outKeySize);
+ return crv;
+}
+
+/* sftk_aes_xcbc_new_keys:
+ *
+ * aes xcbc creates 3 new keys from the input key. The first key will be the
+ * base key of the underlying cbc. The sign code hooks directly into encrypt
+ * so we'll have to create a full PKCS #11 key with handle for that key. The
+ * caller needs to delete the key when it's through setting up the context.
+ *
+ * The other two keys will be stored in the sign context until we need them
+ * at the end.
+ */
+CK_RV
+sftk_aes_xcbc_new_keys(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hKey, CK_OBJECT_HANDLE_PTR phKey,
+ unsigned char *k2, unsigned char *k3)
+{
+ SFTKObject *key = NULL;
+ SFTKSession *session = NULL;
+ SFTKObject *inKeyObj = NULL;
+ SFTKAttribute *inKeyValue = NULL;
+ CK_KEY_TYPE key_type = CKK_AES;
+ CK_OBJECT_CLASS objclass = CKO_SECRET_KEY;
+ CK_BBOOL ck_true = CK_TRUE;
+ CK_RV crv = CKR_OK;
+ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
+ unsigned char buf[AES_BLOCK_SIZE];
+
+ if (!slot) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
+ /* get the session */
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL) {
+ crv = CKR_SESSION_HANDLE_INVALID;
+ goto fail;
+ }
+
+ inKeyObj = sftk_ObjectFromHandle(hKey, session);
+ if (inKeyObj == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ goto fail;
+ }
+
+ inKeyValue = sftk_FindAttribute(inKeyObj, CKA_VALUE);
+ if (inKeyValue == NULL) {
+ crv = CKR_KEY_HANDLE_INVALID;
+ goto fail;
+ }
+
+ crv = sftk_aes_xcbc_get_keys(inKeyValue->attrib.pValue,
+ inKeyValue->attrib.ulValueLen, buf, k2, k3);
+
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+
+ /*
+ * now lets create an object to hang the attributes off of
+ */
+ key = sftk_NewObject(slot); /* fill in the handle later */
+ if (key == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto fail;
+ }
+
+ /* make sure we don't have any class, key_type, or value fields */
+ sftk_DeleteAttributeType(key, CKA_CLASS);
+ sftk_DeleteAttributeType(key, CKA_KEY_TYPE);
+ sftk_DeleteAttributeType(key, CKA_VALUE);
+ sftk_DeleteAttributeType(key, CKA_SIGN);
+
+ /* Add the class, key_type, and value */
+ crv = sftk_AddAttributeType(key, CKA_CLASS, &objclass, sizeof(CK_OBJECT_CLASS));
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &key_type, sizeof(CK_KEY_TYPE));
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = sftk_AddAttributeType(key, CKA_SIGN, &ck_true, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = sftk_AddAttributeType(key, CKA_VALUE, buf, AES_BLOCK_SIZE);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+
+ /*
+ * finish filling in the key and link it with our global system.
+ */
+ crv = sftk_handleObject(key, session);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ *phKey = key->handle;
+fail:
+ if (session) {
+ sftk_FreeSession(session);
+ }
+
+ if (inKeyValue) {
+ sftk_FreeAttribute(inKeyValue);
+ }
+ if (inKeyObj) {
+ sftk_FreeObject(inKeyObj);
+ }
+ if (key) {
+ sftk_FreeObject(key);
+ }
+ /* clear our CSPs */
+ PORT_Memset(buf, 0, sizeof(buf));
+ if (crv != CKR_OK) {
+ PORT_Memset(k2, 0, AES_BLOCK_SIZE);
+ PORT_Memset(k3, 0, AES_BLOCK_SIZE);
+ }
+ return crv;
+}
+
+/*
+ * Helper function that tests a single prf test vector
+ */
+static SECStatus
+prf_test(CK_MECHANISM_TYPE mech,
+ const unsigned char *inKey, unsigned int inKeyLen,
+ const unsigned char *plainText, unsigned int plainTextLen,
+ const unsigned char *expectedResult, unsigned int expectedResultLen)
+{
+ PRUint8 ike_computed_mac[HASH_LENGTH_MAX];
+ prfContext context;
+ unsigned int macSize;
+ CK_RV crv;
+
+ crv = prf_setup(&context, mech);
+ if (crv != CKR_OK) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ macSize = prf_length(&context);
+ crv = prf_init(&context, inKey, inKeyLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_update(&context, plainText, plainTextLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_final(&context, ike_computed_mac, macSize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+
+ if (macSize != expectedResultLen) {
+ goto fail;
+ }
+ if (PORT_Memcmp(expectedResult, ike_computed_mac, macSize) != 0) {
+ goto fail;
+ }
+
+ /* only do the alignment if the plaintext is long enough */
+ if (plainTextLen <= macSize) {
+ return SECSuccess;
+ }
+ prf_free(&context);
+ /* do it again, but this time tweak with the alignment */
+ crv = prf_init(&context, inKey, inKeyLen);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_update(&context, plainText, 1);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_update(&context, &plainText[1], macSize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_update(&context, &plainText[1 + macSize], plainTextLen - (macSize + 1));
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ crv = prf_final(&context, ike_computed_mac, macSize);
+ if (crv != CKR_OK) {
+ goto fail;
+ }
+ if (PORT_Memcmp(expectedResult, ike_computed_mac, macSize) != 0) {
+ goto fail;
+ }
+ prf_free(&context);
+ return SECSuccess;
+fail:
+ prf_free(&context);
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+}
+
+/*
+ * FIPS Power up Self Tests for IKE. This is in this function so it
+ * can access the private prf_ functions here. It's called out of fipstest.c
+ */
+SECStatus
+sftk_fips_IKE_PowerUpSelfTests(void)
+{
+ /* PRF known test vectors */
+ static const PRUint8 ike_xcbc_known_key[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+ };
+ static const PRUint8 ike_xcbc_known_plain_text[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+ };
+ static const PRUint8 ike_xcbc_known_mac[] = {
+ 0xd2, 0xa2, 0x46, 0xfa, 0x34, 0x9b, 0x68, 0xa7,
+ 0x99, 0x98, 0xa4, 0x39, 0x4f, 0xf7, 0xa2, 0x63
+ };
+ /* test 2 uses the same key as test 1 */
+ static const PRUint8 ike_xcbc_known_plain_text_2[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13
+ };
+ static const PRUint8 ike_xcbc_known_mac_2[] = {
+ 0x47, 0xf5, 0x1b, 0x45, 0x64, 0x96, 0x62, 0x15,
+ 0xb8, 0x98, 0x5c, 0x63, 0x05, 0x5e, 0xd3, 0x08
+ };
+ static const PRUint8 ike_xcbc_known_key_3[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09
+ };
+ /* test 3 uses the same plaintest as test 2 */
+ static const PRUint8 ike_xcbc_known_mac_3[] = {
+ 0x0f, 0xa0, 0x87, 0xaf, 0x7d, 0x86, 0x6e, 0x76,
+ 0x53, 0x43, 0x4e, 0x60, 0x2f, 0xdd, 0xe8, 0x35
+ };
+ static const PRUint8 ike_xcbc_known_key_4[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0xed, 0xcb
+ };
+ /* test 4 uses the same plaintest as test 2 */
+ static const PRUint8 ike_xcbc_known_mac_4[] = {
+ 0x8c, 0xd3, 0xc9, 0x3a, 0xe5, 0x98, 0xa9, 0x80,
+ 0x30, 0x06, 0xff, 0xb6, 0x7c, 0x40, 0xe9, 0xe4
+ };
+ static const PRUint8 ike_sha1_known_key[] = {
+ 0x59, 0x98, 0x2b, 0x5b, 0xa5, 0x7e, 0x62, 0xc0,
+ 0x46, 0x0d, 0xef, 0xc7, 0x1e, 0x18, 0x64, 0x63
+ };
+ static const PRUint8 ike_sha1_known_plain_text[] = {
+ 0x1c, 0x07, 0x32, 0x1a, 0x9a, 0x7e, 0x41, 0xcd,
+ 0x88, 0x0c, 0xa3, 0x7a, 0xdb, 0x10, 0xc7, 0x3b,
+ 0xf0, 0x0e, 0x7a, 0xe3, 0xcf, 0xc6, 0xfd, 0x8b,
+ 0x51, 0xbc, 0xe2, 0xb9, 0x90, 0xe6, 0xf2, 0x01
+ };
+ static const PRUint8 ike_sha1_known_mac[] = {
+ 0x0c, 0x2a, 0xf3, 0x42, 0x97, 0x15, 0x62, 0x1d,
+ 0x2a, 0xad, 0xc9, 0x94, 0x5a, 0x90, 0x26, 0xfa,
+ 0xc7, 0x91, 0xe2, 0x4b
+ };
+ static const PRUint8 ike_sha256_known_key[] = {
+ 0x9d, 0xa2, 0xd5, 0x8f, 0x57, 0xf0, 0x39, 0xf9,
+ 0x20, 0x4e, 0x0d, 0xd0, 0xef, 0x04, 0xf3, 0x72
+ };
+ static const PRUint8 ike_sha256_known_plain_text[] = {
+ 0x33, 0xf1, 0x7a, 0xfc, 0xb6, 0x13, 0x4c, 0xbf,
+ 0x1c, 0xab, 0x59, 0x87, 0x7d, 0x42, 0xdb, 0x35,
+ 0x82, 0x22, 0x6e, 0xff, 0x74, 0xdd, 0x37, 0xeb,
+ 0x8b, 0x75, 0xe6, 0x75, 0x64, 0x5f, 0xc1, 0x69
+ };
+ static const PRUint8 ike_sha256_known_mac[] = {
+ 0x80, 0x4b, 0x4a, 0x1e, 0x0e, 0xc5, 0x93, 0xcf,
+ 0xb6, 0xe4, 0x54, 0x52, 0x41, 0x49, 0x39, 0x6d,
+ 0xe2, 0x34, 0xd0, 0xda, 0xe2, 0x9f, 0x34, 0xa8,
+ 0xfd, 0xb5, 0xf9, 0xaf, 0xe7, 0x6e, 0xa6, 0x52
+ };
+ static const PRUint8 ike_sha384_known_key[] = {
+ 0xce, 0xc8, 0x9d, 0x84, 0x5a, 0xdd, 0x83, 0xef,
+ 0xce, 0xbd, 0x43, 0xab, 0x71, 0xd1, 0x7d, 0xb9
+ };
+ static const PRUint8 ike_sha384_known_plain_text[] = {
+ 0x17, 0x24, 0xdb, 0xd8, 0x93, 0x52, 0x37, 0x64,
+ 0xbf, 0xef, 0x8c, 0x6f, 0xa9, 0x27, 0x85, 0x6f,
+ 0xcc, 0xfb, 0x77, 0xae, 0x25, 0x43, 0x58, 0xcc,
+ 0xe2, 0x9c, 0x27, 0x69, 0xa3, 0x29, 0x15, 0xc1
+ };
+ static const PRUint8 ike_sha384_known_mac[] = {
+ 0x6e, 0x45, 0x14, 0x61, 0x0b, 0xf8, 0x2d, 0x0a,
+ 0xb7, 0xbf, 0x02, 0x60, 0x09, 0x6f, 0x61, 0x46,
+ 0xa1, 0x53, 0xc7, 0x12, 0x07, 0x1a, 0xbb, 0x63,
+ 0x3c, 0xed, 0x81, 0x3c, 0x57, 0x21, 0x56, 0xc7,
+ 0x83, 0xe3, 0x68, 0x74, 0xa6, 0x5a, 0x64, 0x69,
+ 0x0c, 0xa7, 0x01, 0xd4, 0x0d, 0x56, 0xea, 0x18
+ };
+ static const PRUint8 ike_sha512_known_key[] = {
+ 0xac, 0xad, 0xc6, 0x31, 0x4a, 0x69, 0xcf, 0xcd,
+ 0x4e, 0x4a, 0xd1, 0x77, 0x18, 0xfe, 0xa7, 0xce
+ };
+ static const PRUint8 ike_sha512_known_plain_text[] = {
+ 0xb1, 0x5a, 0x9c, 0xfc, 0xe8, 0xc8, 0xd7, 0xea,
+ 0xb8, 0x79, 0xd6, 0x24, 0x30, 0x29, 0xd4, 0x01,
+ 0x88, 0xd3, 0xb7, 0x40, 0x87, 0x5a, 0x6a, 0xc6,
+ 0x2f, 0x56, 0xca, 0xc4, 0x37, 0x7e, 0x2e, 0xdd
+ };
+ static const PRUint8 ike_sha512_known_mac[] = {
+ 0xf0, 0x5a, 0xa0, 0x36, 0xdf, 0xce, 0x45, 0xa5,
+ 0x58, 0xd4, 0x04, 0x18, 0xde, 0xa9, 0x80, 0x96,
+ 0xe5, 0x19, 0xbc, 0x78, 0x41, 0xe3, 0xdb, 0x3d,
+ 0xd9, 0x36, 0x58, 0xd1, 0x18, 0xc3, 0xe8, 0x3b,
+ 0x50, 0x2f, 0x39, 0x8e, 0xcb, 0x13, 0x61, 0xec,
+ 0x77, 0xd3, 0x8a, 0x88, 0x55, 0xef, 0xff, 0x40,
+ 0x7f, 0x6f, 0x77, 0x2e, 0x5d, 0x65, 0xb5, 0x8e,
+ 0xb1, 0x13, 0x40, 0x96, 0xe8, 0x47, 0x8d, 0x2b
+ };
+ static const PRUint8 ike_known_sha256_prf_plus[] = {
+ 0xe6, 0xf1, 0x9b, 0x4a, 0x02, 0xe9, 0x73, 0x72,
+ 0x93, 0x9f, 0xdb, 0x46, 0x1d, 0xb1, 0x49, 0xcb,
+ 0x53, 0x08, 0x98, 0x3d, 0x41, 0x36, 0xfa, 0x8b,
+ 0x47, 0x04, 0x49, 0x11, 0x0d, 0x6e, 0x96, 0x1d,
+ 0xab, 0xbe, 0x94, 0x28, 0xa0, 0xb7, 0x9c, 0xa3,
+ 0x29, 0xe1, 0x40, 0xf8, 0xf8, 0x88, 0xb9, 0xb5,
+ 0x40, 0xd4, 0x54, 0x4d, 0x25, 0xab, 0x94, 0xd4,
+ 0x98, 0xd8, 0x00, 0xbf, 0x6f, 0xef, 0xe8, 0x39
+ };
+ SECStatus rv;
+ CK_RV crv;
+ unsigned char *outKeyData = NULL;
+ unsigned int outKeySize;
+ CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS ike_params;
+
+ rv = prf_test(CKM_AES_XCBC_MAC,
+ ike_xcbc_known_key, sizeof(ike_xcbc_known_key),
+ ike_xcbc_known_plain_text, sizeof(ike_xcbc_known_plain_text),
+ ike_xcbc_known_mac, sizeof(ike_xcbc_known_mac));
+ if (rv != SECSuccess)
+ return rv;
+ rv = prf_test(CKM_AES_XCBC_MAC,
+ ike_xcbc_known_key, sizeof(ike_xcbc_known_key),
+ ike_xcbc_known_plain_text_2, sizeof(ike_xcbc_known_plain_text_2),
+ ike_xcbc_known_mac_2, sizeof(ike_xcbc_known_mac_2));
+ if (rv != SECSuccess)
+ return rv;
+ rv = prf_test(CKM_AES_XCBC_MAC,
+ ike_xcbc_known_key_3, sizeof(ike_xcbc_known_key_3),
+ ike_xcbc_known_plain_text_2, sizeof(ike_xcbc_known_plain_text_2),
+ ike_xcbc_known_mac_3, sizeof(ike_xcbc_known_mac_3));
+ if (rv != SECSuccess)
+ return rv;
+ rv = prf_test(CKM_AES_XCBC_MAC,
+ ike_xcbc_known_key_4, sizeof(ike_xcbc_known_key_4),
+ ike_xcbc_known_plain_text_2, sizeof(ike_xcbc_known_plain_text_2),
+ ike_xcbc_known_mac_4, sizeof(ike_xcbc_known_mac_4));
+ if (rv != SECSuccess)
+ return rv;
+ rv = prf_test(CKM_SHA_1_HMAC,
+ ike_sha1_known_key, sizeof(ike_sha1_known_key),
+ ike_sha1_known_plain_text, sizeof(ike_sha1_known_plain_text),
+ ike_sha1_known_mac, sizeof(ike_sha1_known_mac));
+ if (rv != SECSuccess)
+ return rv;
+ rv = prf_test(CKM_SHA256_HMAC,
+ ike_sha256_known_key, sizeof(ike_sha256_known_key),
+ ike_sha256_known_plain_text,
+ sizeof(ike_sha256_known_plain_text),
+ ike_sha256_known_mac, sizeof(ike_sha256_known_mac));
+ if (rv != SECSuccess)
+ return rv;
+ rv = prf_test(CKM_SHA384_HMAC,
+ ike_sha384_known_key, sizeof(ike_sha384_known_key),
+ ike_sha384_known_plain_text,
+ sizeof(ike_sha384_known_plain_text),
+ ike_sha384_known_mac, sizeof(ike_sha384_known_mac));
+ if (rv != SECSuccess)
+ return rv;
+ rv = prf_test(CKM_SHA512_HMAC,
+ ike_sha512_known_key, sizeof(ike_sha512_known_key),
+ ike_sha512_known_plain_text,
+ sizeof(ike_sha512_known_plain_text),
+ ike_sha512_known_mac, sizeof(ike_sha512_known_mac));
+
+ ike_params.prfMechanism = CKM_SHA256_HMAC;
+ ike_params.bHasSeedKey = PR_FALSE;
+ ike_params.hSeedKey = CK_INVALID_HANDLE;
+ ike_params.pSeedData = (CK_BYTE_PTR)ike_sha256_known_plain_text;
+ ike_params.ulSeedDataLen = sizeof(ike_sha256_known_plain_text);
+ crv = sftk_ike_prf_plus_raw(CK_INVALID_HANDLE, ike_sha256_known_key,
+ sizeof(ike_sha256_known_key), &ike_params,
+ &outKeyData, &outKeySize, 64);
+ if ((crv != CKR_OK) ||
+ (outKeySize != sizeof(ike_known_sha256_prf_plus)) ||
+ (PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus,
+ sizeof(ike_known_sha256_prf_plus)) != 0)) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+ PORT_ZFree(outKeyData, outKeySize);
+ return rv;
+}
diff --git a/security/nss/lib/softoken/sftkmessage.c b/security/nss/lib/softoken/sftkmessage.c
new file mode 100644
index 0000000000..3e45445e8e
--- /dev/null
+++ b/security/nss/lib/softoken/sftkmessage.c
@@ -0,0 +1,377 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * This file implements PKCS 11 on top of our existing security modules
+ *
+ * Implement the PKCS #11 v3.0 Message interfaces
+ */
+#include "seccomon.h"
+#include "pkcs11.h"
+#include "pkcs11i.h"
+#include "blapi.h"
+#include "prenv.h"
+#include "softoken.h"
+
+static SECStatus
+sftk_ChaCha20_Poly1305_Message_Encrypt(ChaCha20Poly1305Context *ctx,
+ unsigned char *cipherText, unsigned int *cipherTextLen,
+ unsigned int maxOutLen, const unsigned char *plainText,
+ unsigned int plainTextLen,
+ CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS *params,
+ unsigned int paramsLen, const unsigned char *aad,
+ unsigned int aadLen)
+{
+ return ChaCha20Poly1305_Encrypt(ctx, cipherText, cipherTextLen, maxOutLen,
+ plainText, plainTextLen, params->pNonce, params->ulNonceLen,
+ aad, aadLen, params->pTag);
+}
+static SECStatus
+sftk_ChaCha20_Poly1305_Message_Decrypt(ChaCha20Poly1305Context *ctx,
+ unsigned char *plainText, unsigned int *plainTextLen,
+ unsigned int maxOutLen, const unsigned char *cipherText,
+ unsigned int cipherTextLen,
+ CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS *params,
+ unsigned int paramsLen, const unsigned char *aad,
+ unsigned int aadLen)
+{
+ return ChaCha20Poly1305_Decrypt(ctx, plainText, plainTextLen, maxOutLen,
+ cipherText, cipherTextLen, params->pNonce, params->ulNonceLen,
+ aad, aadLen, params->pTag);
+}
+
+/*
+ * Handle AEAD Encryption operation
+ *
+ * The setup is similiar to sftk_CryptInit except we set the aeadUpdate
+ * function instead of the normal update function. This function handles
+ * both the Encrypt case and the Decrypt case.
+ */
+static CK_RV
+sftk_MessageCryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey, SFTKContextType contextType,
+ CK_ATTRIBUTE_TYPE operation, PRBool encrypt)
+{
+ SFTKSession *session;
+ SFTKObject *key;
+ SFTKSessionContext *context;
+ SFTKAttribute *att;
+ CK_KEY_TYPE key_type;
+ CK_RV crv = CKR_OK;
+
+ if (!pMechanism) {
+ return CKR_MECHANISM_PARAM_INVALID;
+ }
+
+ crv = sftk_MechAllowsOperation(pMechanism->mechanism,
+ CKA_NSS_MESSAGE | operation);
+ if (crv != CKR_OK)
+ return crv;
+
+ session = sftk_SessionFromHandle(hSession);
+ if (session == NULL)
+ return CKR_SESSION_HANDLE_INVALID;
+
+ crv = sftk_InitGeneric(session, pMechanism, &context, contextType, &key,
+ hKey, &key_type, CKO_SECRET_KEY, operation);
+ if (crv != CKR_OK) {
+ sftk_FreeSession(session);
+ return crv;
+ }
+
+ att = sftk_FindAttribute(key, CKA_VALUE);
+ if (att == NULL) {
+ sftk_FreeSession(session);
+ sftk_FreeContext(context);
+ return CKR_KEY_HANDLE_INVALID;
+ }
+
+ context->doPad = PR_FALSE;
+ context->multi = PR_TRUE; /* All message are 'multi' operations */
+
+ switch (pMechanism->mechanism) {
+ case CKM_AES_GCM:
+ context->cipherInfo = AES_CreateContext(
+ (unsigned char *)att->attrib.pValue,
+ NULL, NSS_AES_GCM, encrypt, att->attrib.ulValueLen,
+ AES_BLOCK_SIZE);
+ context->aeadUpdate = (SFTKAEADCipher)AES_AEAD;
+ context->destroy = (SFTKDestroy)AES_DestroyContext;
+ break;
+ case CKM_CHACHA20_POLY1305:
+ context->cipherInfo = ChaCha20Poly1305_CreateContext(
+ (unsigned char *)att->attrib.pValue, att->attrib.ulValueLen,
+ 16);
+ context->aeadUpdate = (SFTKAEADCipher)(encrypt ? sftk_ChaCha20_Poly1305_Message_Encrypt : sftk_ChaCha20_Poly1305_Message_Decrypt);
+ context->destroy = (SFTKDestroy)ChaCha20Poly1305_DestroyContext;
+ break;
+ default:
+ crv = CKR_MECHANISM_INVALID;
+ break;
+ }
+ if (context->cipherInfo == NULL) {
+ crv = sftk_MapCryptError(PORT_GetError());
+ if (crv == CKR_OK) {
+ crv = CKR_GENERAL_ERROR;
+ }
+ }
+ if (crv != CKR_OK) {
+ sftk_FreeContext(context);
+ sftk_FreeSession(session);
+ return crv;
+ }
+ sftk_SetContextByType(session, contextType, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/*
+ * Generic handler for the actual encryption/decryption. Each call handles
+ * The authentication data for the entire block. Multiple calls using
+ * BeginMessage and NextMessage are not supported and CKF_MESSSAGE_MULTI is
+ * not set on the supported algorithms
+ */
+static CK_RV
+sftk_CryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData,
+ CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pIntext,
+ CK_ULONG ulIntextLen, CK_BYTE_PTR pOuttext,
+ CK_ULONG_PTR pulOuttextLen, SFTKContextType contextType)
+{
+ SFTKSessionContext *context;
+ unsigned int outlen;
+ unsigned int maxout = *pulOuttextLen;
+ CK_RV crv;
+ SECStatus rv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL);
+ if (crv != CKR_OK)
+ return crv;
+
+ if (!pOuttext) {
+ *pulOuttextLen = ulIntextLen;
+ return CKR_OK;
+ }
+ rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen,
+ maxout, pIntext, ulIntextLen,
+ pParameter, ulParameterLen,
+ pAssociatedData, ulAssociatedDataLen);
+
+ if (rv != SECSuccess) {
+ if (contextType == SFTK_MESSAGE_ENCRYPT) {
+ return sftk_MapCryptError(PORT_GetError());
+ } else {
+ return sftk_MapDecryptError(PORT_GetError());
+ }
+ }
+ *pulOuttextLen = (CK_ULONG)(outlen);
+ return CKR_OK;
+}
+
+/*
+ * Common message cleanup rountine
+ */
+static CK_RV
+sftk_MessageCryptFinal(CK_SESSION_HANDLE hSession,
+ SFTKContextType contextType)
+{
+ SFTKSession *session;
+ SFTKSessionContext *context;
+ CK_RV crv;
+
+ CHECK_FORK();
+
+ /* make sure we're legal */
+ crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, &session);
+ if (crv != CKR_OK)
+ return crv;
+ sftk_TerminateOp(session, contextType, context);
+ sftk_FreeSession(session);
+ return CKR_OK;
+}
+
+/* MessageEncrypt and EncryptMessage functions just use the helper functions
+ * above */
+CK_RV
+NSC_MessageEncryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ return sftk_MessageCryptInit(hSession, pMechanism, hKey,
+ SFTK_MESSAGE_ENCRYPT, CKA_ENCRYPT, PR_TRUE);
+}
+
+CK_RV
+NSC_EncryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData,
+ CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pPlaintext,
+ CK_ULONG ulPlaintextLen, CK_BYTE_PTR pCiphertext,
+ CK_ULONG_PTR pulCiphertextLen)
+{
+ return sftk_CryptMessage(hSession, pParameter, ulParameterLen,
+ pAssociatedData, ulAssociatedDataLen, pPlaintext,
+ ulPlaintextLen, pCiphertext, pulCiphertextLen,
+ SFTK_MESSAGE_ENCRYPT);
+}
+
+/*
+ * We only support the single shot function. The Begin/Next version can be
+ * dealt with if we need to support S/MIME or something. It would probably
+ * just buffer rather then returning intermediate results.
+ */
+CK_RV
+NSC_EncryptMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData,
+ CK_ULONG ulAssociatedDataLen)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_EncryptMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pPlaintextPart,
+ CK_ULONG ulPlaintextPartLen, CK_BYTE_PTR pCiphertextPart,
+ CK_ULONG_PTR pulCiphertextPartLen, CK_FLAGS flags)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_MessageEncryptFinal(CK_SESSION_HANDLE hSession)
+{
+ return sftk_MessageCryptFinal(hSession, SFTK_MESSAGE_ENCRYPT);
+}
+
+/* MessageDecrypt and DecryptMessage functions just use the helper functions
+ * above */
+CK_RV
+NSC_MessageDecryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ return sftk_MessageCryptInit(hSession, pMechanism, hKey,
+ SFTK_MESSAGE_DECRYPT, CKA_DECRYPT, PR_FALSE);
+}
+
+CK_RV
+NSC_DecryptMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData,
+ CK_ULONG ulAssociatedDataLen, CK_BYTE_PTR pCiphertext,
+ CK_ULONG ulCiphertextLen, CK_BYTE_PTR pPlaintext,
+ CK_ULONG_PTR pulPlaintextLen)
+{
+ return sftk_CryptMessage(hSession, pParameter, ulParameterLen,
+ pAssociatedData, ulAssociatedDataLen, pCiphertext,
+ ulCiphertextLen, pPlaintext, pulPlaintextLen,
+ SFTK_MESSAGE_DECRYPT);
+}
+
+/*
+ * We only support the single shot function. The Begin/Next version can be
+ * dealt with if we need to support S/MIME or something. It would probably
+ * just buffer rather then returning intermediate results. This is expecially
+ * true for decrypt, which isn't supposed to return any data unless it's been
+ * authenticated (which can't happen until the last block is processed).
+ */
+CK_RV
+NSC_DecryptMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pAssociatedData,
+ CK_ULONG ulAssociatedDataLen)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_DecryptMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pCiphertextPart,
+ CK_ULONG ulCiphertextPartLen, CK_BYTE_PTR pPlaintextPart,
+ CK_ULONG_PTR pulPlaintextPartLen, CK_FLAGS flags)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_MessageDecryptFinal(CK_SESSION_HANDLE hSession)
+{
+ return sftk_MessageCryptFinal(hSession, SFTK_MESSAGE_DECRYPT);
+}
+
+/*
+ * There are no mechanisms defined to use the MessageSign and MessageVerify
+ * interfaces yet, so we don't need to implement anything.
+ */
+CK_RV
+NSC_MessageSignInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_SignMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pData, CK_ULONG ulDataLen,
+ CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_SignMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_SignMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG_PTR pulSignatureLen)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_MessageSignFinal(CK_SESSION_HANDLE hSession)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_MessageVerifyInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_VerifyMessage(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_VerifyMessageBegin(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_VerifyMessageNext(CK_SESSION_HANDLE hSession, CK_VOID_PTR pParameter,
+ CK_ULONG ulParameterLen, CK_BYTE_PTR pData,
+ CK_ULONG ulDataLen, CK_BYTE_PTR pSignature,
+ CK_ULONG ulSignatureLen)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
+
+CK_RV
+NSC_MessageVerifyFinal(CK_SESSION_HANDLE hSession)
+{
+ return CKR_FUNCTION_NOT_SUPPORTED;
+}
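Review bot: The `if (context->cipherInfo == NULL)` test after the switch in sftk_MessageCryptInit clobbers the `CKR_MECHANISM_INVALID` set by the `default:` arm, because an unsupported mechanism never creates a cipherInfo (assuming sftk_InitGeneric hands back a zeroed context), so the caller receives whatever sftk_MapCryptError makes of a stale PORT error, or CKR_GENERAL_ERROR, instead; guard it with `if (crv == CKR_OK && context->cipherInfo == NULL) {`. The attribute obtained from sftk_FindAttribute is never released on any path; if it is a counted reference as in sftk_CryptInit, a `sftk_FreeAttribute(att);` belongs directly after the switch, before the error return. Separately, sftk_ChaCha20_Poly1305_Message_Encrypt and _Decrypt dereference `params->pNonce` and `params->pTag` while ignoring `paramsLen`, and sftk_CryptMessage forwards the application's pParameter/ulParameterLen unchecked, so a parameter block shorter than the structure is read past its end; reject `params == NULL || paramsLen < sizeof(*params)` in the wrappers, or validate ulParameterLen per mechanism before calling aeadUpdate.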
diff --git a/security/nss/lib/softoken/sftkpars.c b/security/nss/lib/softoken/sftkpars.c
new file mode 100644
index 0000000000..fdd08648fc
--- /dev/null
+++ b/security/nss/lib/softoken/sftkpars.c
@@ -0,0 +1,268 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * The following code handles the storage of PKCS 11 modules used by the
+ * NSS. This file is written to abstract away how the modules are
+ * stored so we can deside that later.
+ */
+#include "pkcs11i.h"
+#include "sdb.h"
+#include "prprf.h"
+#include "prenv.h"
+#include "utilpars.h"
+
+#define FREE_CLEAR(p) \
+ if (p) { \
+ PORT_Free(p); \
+ p = NULL; \
+ }
+
+static void
+sftk_parseTokenFlags(char *tmp, sftk_token_parameters *parsed)
+{
+ parsed->readOnly = NSSUTIL_ArgHasFlag("flags", "readOnly", tmp);
+ parsed->noCertDB = NSSUTIL_ArgHasFlag("flags", "noCertDB", tmp);
+ parsed->noKeyDB = NSSUTIL_ArgHasFlag("flags", "noKeyDB", tmp);
+ parsed->forceOpen = NSSUTIL_ArgHasFlag("flags", "forceOpen", tmp);
+ parsed->pwRequired = NSSUTIL_ArgHasFlag("flags", "passwordRequired", tmp);
+ parsed->optimizeSpace = NSSUTIL_ArgHasFlag("flags", "optimizeSpace", tmp);
+ return;
+}
+
+static void
+sftk_parseFlags(char *tmp, sftk_parameters *parsed)
+{
+ parsed->noModDB = NSSUTIL_ArgHasFlag("flags", "noModDB", tmp);
+ parsed->readOnly = NSSUTIL_ArgHasFlag("flags", "readOnly", tmp);
+ /* keep legacy interface working */
+ parsed->noCertDB = NSSUTIL_ArgHasFlag("flags", "noCertDB", tmp);
+ parsed->forceOpen = NSSUTIL_ArgHasFlag("flags", "forceOpen", tmp);
+ parsed->pwRequired = NSSUTIL_ArgHasFlag("flags", "passwordRequired", tmp);
+ parsed->optimizeSpace = NSSUTIL_ArgHasFlag("flags", "optimizeSpace", tmp);
+ return;
+}
+
+static CK_RV
+sftk_parseTokenParameters(char *param, sftk_token_parameters *parsed)
+{
+ int next;
+ char *tmp = NULL;
+ const char *index;
+ index = NSSUTIL_ArgStrip(param);
+
+ while (*index) {
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->configdir, "configDir=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->updatedir, "updateDir=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->updCertPrefix, "updateCertPrefix=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->updKeyPrefix, "updateKeyPrefix=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->updateID, "updateID=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->certPrefix, "certPrefix=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->keyPrefix, "keyPrefix=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->tokdes, "tokenDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->updtokdes, "updateTokenDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->slotdes, "slotDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(
+ index, tmp, "minPWLen=",
+ if (tmp) { parsed->minPW=atoi(tmp); PORT_Free(tmp); tmp = NULL; })
+ NSSUTIL_HANDLE_STRING_ARG(
+ index, tmp, "flags=",
+ if (tmp) { sftk_parseTokenFlags(param,parsed); PORT_Free(tmp); tmp = NULL; })
+ NSSUTIL_HANDLE_FINAL_ARG(index)
+ }
+ return CKR_OK;
+}
+
+static void
+sftk_parseTokens(char *tokenParams, sftk_parameters *parsed)
+{
+ const char *tokenIndex;
+ sftk_token_parameters *tokens = NULL;
+ int i = 0, count = 0, next;
+
+ if ((tokenParams == NULL) || (*tokenParams == 0))
+ return;
+
+ /* first count the number of slots */
+ for (tokenIndex = NSSUTIL_ArgStrip(tokenParams); *tokenIndex;
+ tokenIndex = NSSUTIL_ArgStrip(NSSUTIL_ArgSkipParameter(tokenIndex))) {
+ count++;
+ }
+
+ /* get the data structures */
+ tokens = (sftk_token_parameters *)
+ PORT_ZAlloc(count * sizeof(sftk_token_parameters));
+ if (tokens == NULL)
+ return;
+
+ for (tokenIndex = NSSUTIL_ArgStrip(tokenParams), i = 0;
+ *tokenIndex && i < count; i++) {
+ char *name;
+ name = NSSUTIL_ArgGetLabel(tokenIndex, &next);
+ tokenIndex += next;
+
+ tokens[i].slotID = NSSUTIL_ArgDecodeNumber(name);
+ tokens[i].readOnly = PR_FALSE;
+ tokens[i].noCertDB = PR_FALSE;
+ tokens[i].noKeyDB = PR_FALSE;
+ if (!NSSUTIL_ArgIsBlank(*tokenIndex)) {
+ char *args = NSSUTIL_ArgFetchValue(tokenIndex, &next);
+ tokenIndex += next;
+ if (args) {
+ sftk_parseTokenParameters(args, &tokens[i]);
+ PORT_Free(args);
+ }
+ }
+ if (name)
+ PORT_Free(name);
+ tokenIndex = NSSUTIL_ArgStrip(tokenIndex);
+ }
+ parsed->token_count = i;
+ parsed->tokens = tokens;
+ return;
+}
+
+CK_RV
+sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS)
+{
+ int next;
+ char *tmp = NULL;
+ const char *index;
+ char *certPrefix = NULL, *keyPrefix = NULL;
+ char *tokdes = NULL, *ptokdes = NULL, *pupdtokdes = NULL;
+ char *slotdes = NULL, *pslotdes = NULL;
+ char *fslotdes = NULL, *ftokdes = NULL;
+ char *minPW = NULL;
+ index = NSSUTIL_ArgStrip(param);
+
+ PORT_Memset(parsed, 0, sizeof(sftk_parameters));
+
+ while (*index) {
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->configdir, "configDir=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->updatedir, "updateDir=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->updateID, "updateID=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->secmodName, "secmod=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->man, "manufacturerID=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, parsed->libdes, "libraryDescription=", ;)
+ /* constructed values, used so legacy interfaces still work */
+ NSSUTIL_HANDLE_STRING_ARG(index, certPrefix, "certPrefix=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, keyPrefix, "keyPrefix=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, tokdes, "cryptoTokenDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, ptokdes, "dbTokenDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, slotdes, "cryptoSlotDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, pslotdes, "dbSlotDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, fslotdes, "FIPSSlotDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, ftokdes, "FIPSTokenDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, pupdtokdes, "updateTokenDescription=", ;)
+ NSSUTIL_HANDLE_STRING_ARG(index, minPW, "minPWLen=", ;)
+
+ NSSUTIL_HANDLE_STRING_ARG(
+ index, tmp, "flags=",
+ if (tmp) { sftk_parseFlags(param,parsed); PORT_Free(tmp); tmp = NULL; })
+ NSSUTIL_HANDLE_STRING_ARG(
+ index, tmp, "tokens=",
+ if (tmp) { sftk_parseTokens(tmp,parsed); PORT_Free(tmp); tmp = NULL; })
+ NSSUTIL_HANDLE_FINAL_ARG(index)
+ }
+ if (parsed->tokens == NULL) {
+ int count = isFIPS ? 1 : 2;
+ int i = count - 1;
+ sftk_token_parameters *tokens = NULL;
+
+ tokens = (sftk_token_parameters *)
+ PORT_ZAlloc(count * sizeof(sftk_token_parameters));
+ if (tokens == NULL) {
+ goto loser;
+ }
+ parsed->tokens = tokens;
+ parsed->token_count = count;
+ tokens[i].slotID = isFIPS ? FIPS_SLOT_ID : PRIVATE_KEY_SLOT_ID;
+ tokens[i].certPrefix = certPrefix;
+ tokens[i].keyPrefix = keyPrefix;
+ tokens[i].minPW = minPW ? atoi(minPW) : 0;
+ tokens[i].readOnly = parsed->readOnly;
+ tokens[i].noCertDB = parsed->noCertDB;
+ tokens[i].noKeyDB = parsed->noCertDB;
+ tokens[i].forceOpen = parsed->forceOpen;
+ tokens[i].pwRequired = parsed->pwRequired;
+ tokens[i].optimizeSpace = parsed->optimizeSpace;
+ tokens[0].optimizeSpace = parsed->optimizeSpace;
+ certPrefix = NULL;
+ keyPrefix = NULL;
+ if (isFIPS) {
+ tokens[i].tokdes = ftokdes;
+ tokens[i].updtokdes = pupdtokdes;
+ tokens[i].slotdes = fslotdes;
+ fslotdes = NULL;
+ ftokdes = NULL;
+ pupdtokdes = NULL;
+ } else {
+ tokens[i].tokdes = ptokdes;
+ tokens[i].updtokdes = pupdtokdes;
+ tokens[i].slotdes = pslotdes;
+ tokens[0].slotID = NETSCAPE_SLOT_ID;
+ tokens[0].tokdes = tokdes;
+ tokens[0].slotdes = slotdes;
+ tokens[0].noCertDB = PR_TRUE;
+ tokens[0].noKeyDB = PR_TRUE;
+ pupdtokdes = NULL;
+ ptokdes = NULL;
+ pslotdes = NULL;
+ tokdes = NULL;
+ slotdes = NULL;
+ }
+ }
+
+loser:
+ FREE_CLEAR(certPrefix);
+ FREE_CLEAR(keyPrefix);
+ FREE_CLEAR(tokdes);
+ FREE_CLEAR(ptokdes);
+ FREE_CLEAR(pupdtokdes);
+ FREE_CLEAR(slotdes);
+ FREE_CLEAR(pslotdes);
+ FREE_CLEAR(fslotdes);
+ FREE_CLEAR(ftokdes);
+ FREE_CLEAR(minPW);
+ return CKR_OK;
+}
+
+void
+sftk_freeParams(sftk_parameters *params)
+{
+ int i;
+
+ for (i = 0; i < params->token_count; i++) {
+ FREE_CLEAR(params->tokens[i].configdir);
+ FREE_CLEAR(params->tokens[i].certPrefix);
+ FREE_CLEAR(params->tokens[i].keyPrefix);
+ FREE_CLEAR(params->tokens[i].tokdes);
+ FREE_CLEAR(params->tokens[i].slotdes);
+ FREE_CLEAR(params->tokens[i].updatedir);
+ FREE_CLEAR(params->tokens[i].updCertPrefix);
+ FREE_CLEAR(params->tokens[i].updKeyPrefix);
+ FREE_CLEAR(params->tokens[i].updateID);
+ FREE_CLEAR(params->tokens[i].updtokdes);
+ }
+
+ FREE_CLEAR(params->configdir);
+ FREE_CLEAR(params->secmodName);
+ FREE_CLEAR(params->man);
+ FREE_CLEAR(params->libdes);
+ FREE_CLEAR(params->tokens);
+ FREE_CLEAR(params->updatedir);
+ FREE_CLEAR(params->updateID);
+}
+
+PRBool
+sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved)
+{
+ CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
+
+ /* if we don't have any params, the flag isn't set */
+ if ((!init_args || !init_args->LibraryParameters)) {
+ return PR_FALSE;
+ }
+
+ return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters);
+}
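Review bot: `minPWLen=` is converted with plain atoi in sftk_parseTokenParameters (`parsed->minPW=atoi(tmp)`) and again in sftk_parseParameters (`tokens[i].minPW = minPW ? atoi(minPW) : 0;`), so a non-numeric or negative value silently becomes 0 or a negative minimum password length and an out-of-range value is undefined behaviour; convert with strtol, reject `end == s || *end != '\0' || errno == ERANGE`, and clamp anything below 0 to 0 so the setting can only tighten the policy. `tokens[i].noKeyDB = parsed->noCertDB;` reads like a copy-paste slip; it is consistent with sftk_parseFlags, which parses only noCertDB for the legacy top-level `flags=`, so a comment such as `/* legacy flags= has no noKeyDB; noCertDB disables both DBs */` would stop the next reader from "fixing" it. The FREE_CLEAR macro is an unbraced `if` statement and mis-parses under a dangling `else`; wrapping its body in `do { ... } while (0)` is the usual fix.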
diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c
new file mode 100644
index 0000000000..d885954085
--- /dev/null
+++ b/security/nss/lib/softoken/sftkpwd.c
@@ -0,0 +1,1485 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+ * The following code handles the storage of PKCS 11 modules used by the
+ * NSS. For the rest of NSS, only one kind of database handle exists:
+ *
+ * SFTKDBHandle
+ *
+ * There is one SFTKDBHandle for the each key database and one for each cert
+ * database. These databases are opened as associated pairs, one pair per
+ * slot. SFTKDBHandles are reference counted objects.
+ *
+ * Each SFTKDBHandle points to a low level database handle (SDB). This handle
+ * represents the underlying physical database. These objects are not
+ * reference counted, an are 'owned' by their respective SFTKDBHandles.
+ *
+ *
+ */
+#include "sftkdb.h"
+#include "sftkdbti.h"
+#include "pkcs11t.h"
+#include "pkcs11i.h"
+#include "sdb.h"
+#include "prprf.h"
+#include "secasn1.h"
+#include "pratom.h"
+#include "blapi.h"
+#include "secoid.h"
+#include "lowpbe.h"
+#include "secdert.h"
+#include "prsystem.h"
+#include "lgglue.h"
+#include "secerr.h"
+#include "softoken.h"
+
+static const int NSS_MP_PBE_ITERATION_COUNT = 10000;
+
+static int
+getPBEIterationCount(void)
+{
+ int c = NSS_MP_PBE_ITERATION_COUNT;
+
+ char *val = getenv("NSS_MIN_MP_PBE_ITERATION_COUNT");
+ if (val) {
+ int minimum = atoi(val);
+ if (c < minimum) {
+ c = minimum;
+ }
+ }
+
+ val = getenv("NSS_MAX_MP_PBE_ITERATION_COUNT");
+ if (val) {
+ int maximum = atoi(val);
+ if (c > maximum) {
+ c = maximum;
+ }
+ }
+
+ return c;
+}
+
+PRBool
+sftk_isLegacyIterationCountAllowed(void)
+{
+ static const char *legacyCountEnvVar =
+ "NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT";
+ char *iterEnv = getenv(legacyCountEnvVar);
+ return (iterEnv && strcmp("0", iterEnv) != 0);
+}
+
+/******************************************************************
+ *
+ * Key DB password handling functions
+ *
+ * These functions manage the key db password (set, reset, initialize, use).
+ *
+ * The key is managed on 'this side' of the database. All private data is
+ * encrypted before it is sent to the database itself. Besides PBE's, the
+ * database management code can also mix in various fixed keys so the data
+ * in the database is no longer considered 'plain text'.
+ */
+
+/* take string password and turn it into a key. The key is dependent
+ * on a global salt entry acquired from the database. This salted
+ * value will be based to a pkcs5 pbe function before it is used
+ * in an actual encryption */
+static SECStatus
+sftkdb_passwordToKey(SFTKDBHandle *keydb, SECItem *salt,
+ const char *pw, SECItem *key)
+{
+ SHA1Context *cx = NULL;
+ SECStatus rv = SECFailure;
+
+ if (!pw) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ key->data = PORT_Alloc(SHA1_LENGTH);
+ if (key->data == NULL) {
+ goto loser;
+ }
+ key->len = SHA1_LENGTH;
+
+ cx = SHA1_NewContext();
+ if (cx == NULL) {
+ goto loser;
+ }
+ SHA1_Begin(cx);
+ if (salt && salt->data) {
+ SHA1_Update(cx, salt->data, salt->len);
+ }
+ SHA1_Update(cx, (unsigned char *)pw, PORT_Strlen(pw));
+ SHA1_End(cx, key->data, &key->len, key->len);
+ rv = SECSuccess;
+
+loser:
+ if (cx) {
+ SHA1_DestroyContext(cx, PR_TRUE);
+ }
+ if (rv != SECSuccess) {
+ if (key->data != NULL) {
+ PORT_ZFree(key->data, key->len);
+ }
+ key->data = NULL;
+ }
+ return rv;
+}
+
+/*
+ * Cipher text stored in the database contains 3 elements:
+ * 1) an identifier describing the encryption algorithm.
+ * 2) an entry specific salt value.
+ * 3) the encrypted value.
+ *
+ * The following data structure represents the encrypted data in a decoded
+ * (but still encrypted) form.
+ */
+typedef struct sftkCipherValueStr sftkCipherValue;
+struct sftkCipherValueStr {
+ PLArenaPool *arena;
+ SECOidTag alg;
+ NSSPKCS5PBEParameter *param;
+ SECItem salt;
+ SECItem value;
+};
+
+#define SFTK_CIPHERTEXT_VERSION 3
+
+struct SFTKDBEncryptedDataInfoStr {
+ SECAlgorithmID algorithm;
+ SECItem encryptedData;
+};
+typedef struct SFTKDBEncryptedDataInfoStr SFTKDBEncryptedDataInfo;
+
+SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+
+const SEC_ASN1Template sftkdb_EncryptedDataInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE,
+ 0, NULL, sizeof(SFTKDBEncryptedDataInfo) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(SFTKDBEncryptedDataInfo, algorithm),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+ { SEC_ASN1_OCTET_STRING,
+ offsetof(SFTKDBEncryptedDataInfo, encryptedData) },
+ { 0 }
+};
+
+/*
+ * This parses the cipherText into cipher value. NOTE: cipherValue will point
+ * to data in cipherText, if cipherText is freed, cipherValue will be invalid.
+ */
+static SECStatus
+sftkdb_decodeCipherText(const SECItem *cipherText, sftkCipherValue *cipherValue)
+{
+ PLArenaPool *arena = NULL;
+ SFTKDBEncryptedDataInfo edi;
+ SECStatus rv;
+
+ PORT_Assert(cipherValue);
+ cipherValue->arena = NULL;
+ cipherValue->param = NULL;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ return SECFailure;
+ }
+
+ rv = SEC_QuickDERDecodeItem(arena, &edi, sftkdb_EncryptedDataInfoTemplate,
+ cipherText);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ cipherValue->alg = SECOID_GetAlgorithmTag(&edi.algorithm);
+ cipherValue->param = nsspkcs5_AlgidToParam(&edi.algorithm);
+ if (cipherValue->param == NULL) {
+ goto loser;
+ }
+ cipherValue->value = edi.encryptedData;
+ cipherValue->arena = arena;
+
+ return SECSuccess;
+loser:
+ if (cipherValue->param) {
+ nsspkcs5_DestroyPBEParameter(cipherValue->param);
+ cipherValue->param = NULL;
+ }
+ if (arena) {
+ PORT_FreeArena(arena, PR_FALSE);
+ }
+ return SECFailure;
+}
+
+/*
+ * unlike decode, Encode actually allocates a SECItem the caller must free
+ * The caller can pass an optional arena to to indicate where to place
+ * the resultant cipherText.
+ */
+static SECStatus
+sftkdb_encodeCipherText(PLArenaPool *arena, sftkCipherValue *cipherValue,
+ SECItem **cipherText)
+{
+ SFTKDBEncryptedDataInfo edi;
+ SECAlgorithmID *algid;
+ SECStatus rv;
+ PLArenaPool *localArena = NULL;
+
+ localArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (localArena == NULL) {
+ return SECFailure;
+ }
+
+ algid = nsspkcs5_CreateAlgorithmID(localArena, cipherValue->alg,
+ cipherValue->param);
+ if (algid == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+ rv = SECOID_CopyAlgorithmID(localArena, &edi.algorithm, algid);
+ SECOID_DestroyAlgorithmID(algid, PR_TRUE);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ edi.encryptedData = cipherValue->value;
+
+ *cipherText = SEC_ASN1EncodeItem(arena, NULL, &edi,
+ sftkdb_EncryptedDataInfoTemplate);
+ if (*cipherText == NULL) {
+ rv = SECFailure;
+ }
+
+loser:
+ if (localArena) {
+ PORT_FreeArena(localArena, PR_TRUE);
+ }
+
+ return rv;
+}
+
+/*
+ * Use our key to decode a cipherText block from the database.
+ *
+ * plain text is allocated by nsspkcs5_CipherData and must be freed
+ * with SECITEM_FreeItem by the caller.
+ */
+SECStatus
+sftkdb_DecryptAttribute(SFTKDBHandle *handle, SECItem *passKey,
+ CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type,
+ SECItem *cipherText, SECItem **plain)
+{
+ SECStatus rv;
+ sftkCipherValue cipherValue;
+
+ /* First get the cipher type */
+ *plain = NULL;
+ rv = sftkdb_decodeCipherText(cipherText, &cipherValue);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value,
+ PR_FALSE, NULL);
+ if (*plain == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ /* If we are using aes 256, we need to check authentication as well.*/
+ if ((type != CKT_INVALID_TYPE) &&
+ (cipherValue.alg == SEC_OID_PKCS5_PBES2) &&
+ (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
+ SECItem signature;
+ unsigned char signData[SDB_MAX_META_DATA_LEN];
+ CK_RV crv;
+
+ /* if we get here from the old legacy db, there is clearly an
+ * error, don't return the plaintext */
+ if (handle == NULL) {
+ rv = SECFailure;
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ goto loser;
+ }
+
+ signature.data = signData;
+ signature.len = sizeof(signData);
+ rv = SECFailure;
+ /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */
+ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+ &signature);
+ if (crv == CKR_OK) {
+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
+ type, *plain, &signature);
+ }
+ if (rv != SECSuccess) {
+ /* handle bug 1720226 where old versions of NSS misfiled the signature
+ * attribute on password update */
+ id |= SFTK_KEYDB_TYPE | SFTK_TOKEN_TYPE;
+ signature.len = sizeof(signData);
+ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+ &signature);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ goto loser;
+ }
+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
+ type, *plain, &signature);
+ }
+ }
+
+loser:
+ if (cipherValue.param) {
+ nsspkcs5_DestroyPBEParameter(cipherValue.param);
+ }
+ if (cipherValue.arena) {
+ PORT_FreeArena(cipherValue.arena, PR_FALSE);
+ }
+ /* Item decrypted, but failed integrity, clear it out */
+ if (*plain && rv != SECSuccess) {
+ SECITEM_ZfreeItem(*plain, PR_TRUE);
+ *plain = NULL;
+ }
+ return rv;
+}
+
+/* If the database can't store the integrity check, it's a non-FIPS database
+ * and we use the old encryption scheme for it */
+static PRBool
+sftkdb_useLegacyEncryption(SFTKDBHandle *handle, SDB *db)
+{
+ if ((handle == NULL) || (db == NULL)) {
+ /* this is the case where the legacy db is calling back to us to
+ * encrypt or decrypt attributes inside the lower level db code.
+ * This is because the legacy db stored keys as pkcs #8 encrypted
+ * blobs rather than individual encrypted attributes */
+ return PR_TRUE;
+ }
+ /* currently, only the legacy db can't store meta data, but if we
+ * add a new db that also can't store meta data, then it to wouldn't
+ * be able to do the integrity checks. In both cases use the old encryption
+ * algorithms. */
+ if ((db->sdb_flags & SDB_HAS_META) == 0) {
+ return PR_TRUE;
+ }
+ return PR_FALSE;
+}
+
+/*
+ * encrypt a block. This function returned the encrypted ciphertext which
+ * the caller must free. If the caller provides an arena, cipherText will
+ * be allocated out of that arena. This also generated the per entry
+ * salt automatically.
+ */
+SECStatus
+sftkdb_EncryptAttribute(PLArenaPool *arena, SFTKDBHandle *handle, SDB *db,
+ SECItem *passKey, int iterationCount,
+ CK_OBJECT_HANDLE id, CK_ATTRIBUTE_TYPE type,
+ SECItem *plainText, SECItem **cipherText)
+{
+ SECStatus rv;
+ sftkCipherValue cipherValue;
+ SECItem *cipher = NULL;
+ NSSPKCS5PBEParameter *param = NULL;
+ unsigned char saltData[HASH_LENGTH_MAX];
+ SECItem *signature = NULL;
+ HASH_HashType hashType = HASH_AlgNULL;
+
+ if (sftkdb_useLegacyEncryption(handle, db)) {
+ cipherValue.alg = SEC_OID_PKCS12_PBE_WITH_SHA1_AND_TRIPLE_DES_CBC;
+ cipherValue.salt.len = SHA1_LENGTH;
+ hashType = HASH_AlgSHA1;
+ } else {
+ cipherValue.alg = SEC_OID_AES_256_CBC;
+ cipherValue.salt.len = SHA256_LENGTH;
+ hashType = HASH_AlgSHA256;
+ }
+ cipherValue.salt.data = saltData;
+ RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len);
+
+ param = nsspkcs5_NewParam(cipherValue.alg, hashType, &cipherValue.salt,
+ iterationCount);
+ if (param == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+ cipher = nsspkcs5_CipherData(param, passKey, plainText, PR_TRUE, NULL);
+ if (cipher == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+ cipherValue.value = *cipher;
+ cipherValue.param = param;
+
+ rv = sftkdb_encodeCipherText(arena, &cipherValue, cipherText);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* If we are using aes 256, we need to add authentication as well */
+ if ((type != CKT_INVALID_TYPE) &&
+ (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
+ rv = sftkdb_SignAttribute(arena, handle, db, passKey, iterationCount,
+ CK_INVALID_HANDLE, type, plainText,
+ &signature);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ rv = sftkdb_PutAttributeSignature(handle, db, id, type,
+ signature);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ }
+
+loser:
+ if ((arena == NULL) && signature) {
+ SECITEM_ZfreeItem(signature, PR_TRUE);
+ }
+ if (cipher) {
+ SECITEM_FreeItem(cipher, PR_TRUE);
+ }
+ if (param) {
+ nsspkcs5_DestroyPBEParameter(param);
+ }
+ return rv;
+}
+
+/*
+ * use the password and the pbe parameters to generate an HMAC for the
+ * given plain text data. This is used by sftkdb_VerifyAttribute and
+ * sftkdb_SignAttribute. Signature is returned in signData. The caller
+ * must preallocate the space in the secitem.
+ */
+static SECStatus
+sftkdb_pbehash(SECOidTag sigOid, SECItem *passKey,
+ NSSPKCS5PBEParameter *param,
+ CK_OBJECT_HANDLE objectID, CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem *signData)
+{
+ SECStatus rv = SECFailure;
+ SECItem *key = NULL;
+ HMACContext *hashCx = NULL;
+ HASH_HashType hashType = HASH_AlgNULL;
+ const SECHashObject *hashObj;
+ unsigned char addressData[SDB_ULONG_SIZE];
+
+ hashType = HASH_FromHMACOid(param->encAlg);
+ if (hashType == HASH_AlgNULL) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
+ }
+
+ hashObj = HASH_GetRawHashObject(hashType);
+ if (hashObj == NULL) {
+ goto loser;
+ }
+
+ key = nsspkcs5_ComputeKeyAndIV(param, passKey, NULL, PR_FALSE);
+ if (!key) {
+ goto loser;
+ }
+
+ hashCx = HMAC_Create(hashObj, key->data, key->len, PR_TRUE);
+ if (!hashCx) {
+ goto loser;
+ }
+ HMAC_Begin(hashCx);
+ /* Tie this value to a particular object. This is most important for
+ * the trust attributes, where and attacker could copy a value for
+ * 'validCA' from another cert in the database */
+ sftk_ULong2SDBULong(addressData, objectID);
+ HMAC_Update(hashCx, addressData, SDB_ULONG_SIZE);
+ sftk_ULong2SDBULong(addressData, attrType);
+ HMAC_Update(hashCx, addressData, SDB_ULONG_SIZE);
+
+ HMAC_Update(hashCx, plainText->data, plainText->len);
+ rv = HMAC_Finish(hashCx, signData->data, &signData->len, signData->len);
+
+loser:
+ if (hashCx) {
+ HMAC_Destroy(hashCx, PR_TRUE);
+ }
+ if (key) {
+ SECITEM_ZfreeItem(key, PR_TRUE);
+ }
+ return rv;
+}
+
+/*
+ * Use our key to verify a signText block from the database matches
+ * the plainText from the database. The signText is a PKCS 5 v2 pbe.
+ * plainText is the plainText of the attribute.
+ */
+SECStatus
+sftkdb_VerifyAttribute(SFTKDBHandle *handle,
+ SECItem *passKey, CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem *signText)
+{
+ SECStatus rv;
+ sftkCipherValue signValue;
+ SECItem signature;
+ unsigned char signData[HASH_LENGTH_MAX];
+
+ /* First get the cipher type */
+ rv = sftkdb_decodeCipherText(signText, &signValue);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ signature.data = signData;
+ signature.len = sizeof(signData);
+
+ rv = sftkdb_pbehash(signValue.alg, passKey, signValue.param,
+ objectID, attrType, plainText, &signature);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ if (SECITEM_CompareItem(&signValue.value, &signature) != 0) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ }
+
+loser:
+ PORT_Memset(signData, 0, sizeof signData);
+ if (signValue.param) {
+ nsspkcs5_DestroyPBEParameter(signValue.param);
+ }
+ if (signValue.arena) {
+ PORT_FreeArena(signValue.arena, PR_TRUE);
+ }
+ return rv;
+}
+
+/*
+ * Use our key to create a signText block the plain text of an
+ * attribute. The signText is a PKCS 5 v2 pbe.
+ */
+SECStatus
+sftkdb_SignAttribute(PLArenaPool *arena, SFTKDBHandle *keyDB, SDB *db,
+ SECItem *passKey, int iterationCount,
+ CK_OBJECT_HANDLE objectID,
+ CK_ATTRIBUTE_TYPE attrType,
+ SECItem *plainText, SECItem **signature)
+{
+ SECStatus rv;
+ sftkCipherValue signValue;
+ NSSPKCS5PBEParameter *param = NULL;
+ unsigned char saltData[HASH_LENGTH_MAX];
+ unsigned char signData[HASH_LENGTH_MAX];
+ SECOidTag hmacAlg = SEC_OID_HMAC_SHA256; /* hash for authentication */
+ SECOidTag prfAlg = SEC_OID_HMAC_SHA256; /* hash for pb key generation */
+ HASH_HashType prfType;
+ unsigned int hmacLength;
+ unsigned int prfLength;
+
+ /* this code allows us to fetch the lengths and hashes on the fly
+ * by simply changing the OID above */
+ prfType = HASH_FromHMACOid(prfAlg);
+ PORT_Assert(prfType != HASH_AlgNULL);
+ prfLength = HASH_GetRawHashObject(prfType)->length;
+ PORT_Assert(prfLength <= HASH_LENGTH_MAX);
+
+ hmacLength = HASH_GetRawHashObject(HASH_FromHMACOid(hmacAlg))->length;
+ PORT_Assert(hmacLength <= HASH_LENGTH_MAX);
+
+ /* initialize our CipherValue structure */
+ signValue.alg = SEC_OID_PKCS5_PBMAC1;
+ signValue.salt.len = prfLength;
+ signValue.salt.data = saltData;
+ signValue.value.data = signData;
+ signValue.value.len = hmacLength;
+ RNG_GenerateGlobalRandomBytes(saltData, prfLength);
+
+ /* initialize our pkcs5 parameter */
+ param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt,
+ iterationCount);
+ if (param == NULL) {
+ rv = SECFailure;
+ goto loser;
+ }
+ param->keyID = pbeBitGenIntegrityKey;
+ /* set the PKCS 5 v2 parameters, not extractable from the
+ * data passed into nsspkcs5_NewParam */
+ param->encAlg = hmacAlg;
+ param->hashType = prfType;
+ param->keyLen = hmacLength;
+ rv = SECOID_SetAlgorithmID(param->poolp, &param->prfAlg, prfAlg, NULL);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /* calculate the mac */
+ rv = sftkdb_pbehash(signValue.alg, passKey, param, objectID, attrType,
+ plainText, &signValue.value);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ signValue.param = param;
+
+ /* write it out */
+ rv = sftkdb_encodeCipherText(arena, &signValue, signature);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+loser:
+ PORT_Memset(signData, 0, sizeof signData);
+ if (param) {
+ nsspkcs5_DestroyPBEParameter(param);
+ }
+ return rv;
+}
+
+/*
+ * safely swith the passed in key for the one caches in the keydb handle
+ *
+ * A key attached to the handle tells us the the token is logged in.
+ * We can used the key attached to the handle in sftkdb_EncryptAttribute
+ * and sftkdb_DecryptAttribute calls.
+ */
+static void
+sftkdb_switchKeys(SFTKDBHandle *keydb, SECItem *passKey, int iterationCount)
+{
+ unsigned char *data;
+ int len;
+
+ if (keydb->passwordLock == NULL) {
+ PORT_Assert(keydb->type != SFTK_KEYDB_TYPE);
+ return;
+ }
+
+ /* an atomic pointer set would be nice */
+ SKIP_AFTER_FORK(PZ_Lock(keydb->passwordLock));
+ data = keydb->passwordKey.data;
+ len = keydb->passwordKey.len;
+ keydb->passwordKey.data = passKey->data;
+ keydb->passwordKey.len = passKey->len;
+ keydb->defaultIterationCount = iterationCount;
+ passKey->data = data;
+ passKey->len = len;
+ SKIP_AFTER_FORK(PZ_Unlock(keydb->passwordLock));
+}
+
+/*
+ * returns true if we are in a middle of a merge style update.
+ */
+PRBool
+sftkdb_InUpdateMerge(SFTKDBHandle *keydb)
+{
+ return keydb->updateID ? PR_TRUE : PR_FALSE;
+}
+
+/*
+ * returns true if we are looking for the password for the user's old source
+ * database as part of a merge style update.
+ */
+PRBool
+sftkdb_NeedUpdateDBPassword(SFTKDBHandle *keydb)
+{
+ if (!sftkdb_InUpdateMerge(keydb)) {
+ return PR_FALSE;
+ }
+ if (keydb->updateDBIsInit && !keydb->updatePasswordKey) {
+ return PR_TRUE;
+ }
+ return PR_FALSE;
+}
+
+/*
+ * fetch an update password key from a handle.
+ */
+SECItem *
+sftkdb_GetUpdatePasswordKey(SFTKDBHandle *handle)
+{
+ SECItem *key = NULL;
+
+ /* if we're a cert db, fetch it from our peer key db */
+ if (handle->type == SFTK_CERTDB_TYPE) {
+ handle = handle->peerDB;
+ }
+
+ /* don't have one */
+ if (!handle) {
+ return NULL;
+ }
+
+ PZ_Lock(handle->passwordLock);
+ if (handle->updatePasswordKey) {
+ key = SECITEM_DupItem(handle->updatePasswordKey);
+ }
+ PZ_Unlock(handle->passwordLock);
+
+ return key;
+}
+
+/*
+ * free the update password key from a handle.
+ */
+void
+sftkdb_FreeUpdatePasswordKey(SFTKDBHandle *handle)
+{
+ SECItem *key = NULL;
+
+ /* don't have one */
+ if (!handle) {
+ return;
+ }
+
+ /* if we're a cert db, we don't have one */
+ if (handle->type == SFTK_CERTDB_TYPE) {
+ return;
+ }
+
+ PZ_Lock(handle->passwordLock);
+ if (handle->updatePasswordKey) {
+ key = handle->updatePasswordKey;
+ handle->updatePasswordKey = NULL;
+ }
+ PZ_Unlock(handle->passwordLock);
+
+ if (key) {
+ SECITEM_ZfreeItem(key, PR_TRUE);
+ }
+
+ return;
+}
+
+/*
+ * what password db we use depends heavily on the update state machine
+ *
+ * 1) no update db, return the normal database.
+ * 2) update db and no merge return the update db.
+ * 3) update db and in merge:
+ * return the update db if we need the update db's password,
+ * otherwise return our normal datbase.
+ */
+static SDB *
+sftk_getPWSDB(SFTKDBHandle *keydb)
+{
+ if (!keydb->update) {
+ return keydb->db;
+ }
+ if (!sftkdb_InUpdateMerge(keydb)) {
+ return keydb->update;
+ }
+ if (sftkdb_NeedUpdateDBPassword(keydb)) {
+ return keydb->update;
+ }
+ return keydb->db;
+}
+
+/*
+ * return success if we have a valid password entry.
+ * This is will show up outside of PKCS #11 as CKF_USER_PIN_INIT
+ * in the token flags.
+ */
+SECStatus
+sftkdb_HasPasswordSet(SFTKDBHandle *keydb)
+{
+ SECItem salt, value;
+ unsigned char saltData[SDB_MAX_META_DATA_LEN];
+ unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ CK_RV crv;
+ SDB *db;
+
+ if (keydb == NULL) {
+ return SECFailure;
+ }
+
+ db = sftk_getPWSDB(keydb);
+ if (db == NULL) {
+ return SECFailure;
+ }
+
+ salt.data = saltData;
+ salt.len = sizeof(saltData);
+ value.data = valueData;
+ value.len = sizeof(valueData);
+ crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+
+ /* If no password is set, we can update right away */
+ if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update && crv != CKR_OK) {
+ /* update the peer certdb if it exists */
+ if (keydb->peerDB) {
+ sftkdb_Update(keydb->peerDB, NULL);
+ }
+ sftkdb_Update(keydb, NULL);
+ }
+ return (crv == CKR_OK) ? SECSuccess : SECFailure;
+}
+
+/* pull out the common final part of checking a password */
+SECStatus
+sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key,
+ const char *pw, SECItem *value,
+ PRBool *tokenRemoved);
+
+/*
+ * check to see if we have the NULL password set.
+ * We special case the NULL password so that if you have no password set, you
+ * don't do thousands of hash rounds. This allows us to startup and get
+ * webpages without slowdown in normal mode.
+ */
+SECStatus
+sftkdb_CheckPasswordNull(SFTKDBHandle *keydb, PRBool *tokenRemoved)
+{
+ /* just like sftkdb_CheckPassowd, we get the salt and value, and
+ * create a dbkey */
+ SECStatus rv;
+ SECItem salt, value;
+ unsigned char saltData[SDB_MAX_META_DATA_LEN];
+ unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ SECItem key;
+ SDB *db;
+ CK_RV crv;
+ sftkCipherValue cipherValue;
+
+ cipherValue.param = NULL;
+ cipherValue.arena = NULL;
+
+ if (keydb == NULL) {
+ return SECFailure;
+ }
+
+ db = sftk_getPWSDB(keydb);
+ if (db == NULL) {
+ return SECFailure;
+ }
+
+ key.data = NULL;
+ key.len = 0;
+
+ /* get the entry from the database */
+ salt.data = saltData;
+ salt.len = sizeof(saltData);
+ value.data = valueData;
+ value.len = sizeof(valueData);
+ crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ /* get our intermediate key based on the entry salt value */
+ rv = sftkdb_passwordToKey(keydb, &salt, "", &key);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ /* First get the cipher type */
+ rv = sftkdb_decodeCipherText(&value, &cipherValue);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ if (cipherValue.param->iter != 1) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ rv = sftkdb_finishPasswordCheck(keydb, &key, "", &value, tokenRemoved);
+
+done:
+ if (key.data) {
+ PORT_ZFree(key.data, key.len);
+ }
+ if (cipherValue.param) {
+ nsspkcs5_DestroyPBEParameter(cipherValue.param);
+ }
+ if (cipherValue.arena) {
+ PORT_FreeArena(cipherValue.arena, PR_FALSE);
+ }
+ return rv;
+}
+
+#define SFTK_PW_CHECK_STRING "password-check"
+#define SFTK_PW_CHECK_LEN 14
+
+/*
+ * check if the supplied password is valid
+ */
+SECStatus
+sftkdb_CheckPassword(SFTKDBHandle *keydb, const char *pw, PRBool *tokenRemoved)
+{
+ SECStatus rv;
+ SECItem salt, value;
+ unsigned char saltData[SDB_MAX_META_DATA_LEN];
+ unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ SECItem key;
+ SDB *db;
+ CK_RV crv;
+
+ if (keydb == NULL) {
+ return SECFailure;
+ }
+
+ db = sftk_getPWSDB(keydb);
+ if (db == NULL) {
+ return SECFailure;
+ }
+
+ key.data = NULL;
+ key.len = 0;
+
+ if (pw == NULL)
+ pw = "";
+
+ /* get the entry from the database */
+ salt.data = saltData;
+ salt.len = sizeof(saltData);
+ value.data = valueData;
+ value.len = sizeof(valueData);
+ crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto done;
+ }
+
+ /* get our intermediate key based on the entry salt value */
+ rv = sftkdb_passwordToKey(keydb, &salt, pw, &key);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ rv = sftkdb_finishPasswordCheck(keydb, &key, pw, &value, tokenRemoved);
+
+done:
+ if (key.data) {
+ PORT_ZFree(key.data, key.len);
+ }
+ return rv;
+}
+
+/* we need to pass iterationCount in case we are updating a new database
+ * and from an old one. */
+SECStatus
+sftkdb_finishPasswordCheck(SFTKDBHandle *keydb, SECItem *key, const char *pw,
+ SECItem *value, PRBool *tokenRemoved)
+{
+ SECItem *result = NULL;
+ SECStatus rv;
+ int iterationCount = getPBEIterationCount();
+
+ if (*pw == 0) {
+ iterationCount = 1;
+ } else if (keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed()) {
+ iterationCount = 1;
+ }
+
+ /* decrypt the entry value */
+ rv = sftkdb_DecryptAttribute(keydb, key, CK_INVALID_HANDLE,
+ CKT_INVALID_TYPE, value, &result);
+ if (rv != SECSuccess) {
+ goto done;
+ }
+
+ /* if it's what we expect, update our key in the database handle and
+ * return Success */
+ if ((result->len == SFTK_PW_CHECK_LEN) &&
+ PORT_Memcmp(result->data, SFTK_PW_CHECK_STRING, SFTK_PW_CHECK_LEN) == 0) {
+ /*
+ * We have a password, now lets handle any potential update cases..
+ *
+ * First, the normal case: no update. In this case we only need the
+ * the password for our only DB, which we now have, we switch
+ * the keys and fall through.
+ * Second regular (non-merge) update: The target DB does not yet have
+ * a password initialized, we now have the password for the source DB,
+ * so we can switch the keys and simply update the target database.
+ * Merge update case: This one is trickier.
+ * 1) If we need the source DB password, then we just got it here.
+ * We need to save that password,
+ * then we need to check to see if we need or have the target
+ * database password.
+ * If we have it (it's the same as the source), or don't need
+ * it (it's not set or is ""), we can start the update now.
+ * If we don't have it, we need the application to get it from
+ * the user. Clear our sessions out to simulate a token
+ * removal. C_GetTokenInfo will change the token description
+ * and the token will still appear to be logged out.
+ * 2) If we already have the source DB password, this password is
+ * for the target database. We can now move forward with the
+ * update, as we now have both required passwords.
+ *
+ */
+ PZ_Lock(keydb->passwordLock);
+ if (sftkdb_NeedUpdateDBPassword(keydb)) {
+ /* Squirrel this special key away.
+ * This has the side effect of turning sftkdb_NeedLegacyPW off,
+ * as well as changing which database is returned from
+ * SFTK_GET_PW_DB (thus effecting both sftkdb_CheckPassword()
+ * and sftkdb_HasPasswordSet()) */
+ keydb->updatePasswordKey = SECITEM_DupItem(key);
+ PZ_Unlock(keydb->passwordLock);
+ if (keydb->updatePasswordKey == NULL) {
+ /* PORT_Error set by SECITEM_DupItem */
+ rv = SECFailure;
+ goto done;
+ }
+
+ /* Simulate a token removal -- we need to do this any
+ * any case at this point so the token name is correct. */
+ *tokenRemoved = PR_TRUE;
+
+ /*
+ * OK, we got the update DB password, see if we need a password
+ * for the target...
+ */
+ if (sftkdb_HasPasswordSet(keydb) == SECSuccess) {
+ /* We have a password, do we know what the password is?
+ * check 1) for the password the user supplied for the
+ * update DB,
+ * and 2) for the null password.
+ *
+ * RECURSION NOTE: we are calling ourselves here. This means
+ * any updates, switchKeys, etc will have been completed
+ * if these functions return successfully, in those cases
+ * just exit returning Success. We don't recurse infinitely
+ * because we are making this call from a NeedUpdateDBPassword
+ * block and we've already set that update password at this
+ * point. */
+ rv = sftkdb_CheckPassword(keydb, pw, tokenRemoved);
+ if (rv == SECSuccess) {
+ /* source and target databases have the same password, we
+ * are good to go */
+ goto done;
+ }
+ sftkdb_CheckPasswordNull(keydb, tokenRemoved);
+
+ /*
+ * Important 'NULL' code here. At this point either we
+ * succeeded in logging in with "" or we didn't.
+ *
+ * If we did succeed at login, our machine state will be set
+ * to logged in appropriately. The application will find that
+ * it's logged in as soon as it opens a new session. We have
+ * also completed the update. Life is good.
+ *
+ * If we did not succeed, well the user still successfully
+ * logged into the update database, since we faked the token
+ * removal it's just like the user logged into his smart card
+ * then removed it. the actual login work, so we report that
+ * success back to the user, but we won't actually be
+ * logged in. The application will find this out when it
+ * checks it's login state, thus triggering another password
+ * prompt so we can get the real target DB password.
+ *
+ * summary, we exit from here with SECSuccess no matter what.
+ */
+ rv = SECSuccess;
+ goto done;
+ } else {
+ /* there is no password, just fall through to update.
+ * update will write the source DB's password record
+ * into the target DB just like it would in a non-merge
+ * update case. */
+ }
+ } else {
+ PZ_Unlock(keydb->passwordLock);
+ }
+ /* load the keys, so the keydb can parse it's key set */
+ sftkdb_switchKeys(keydb, key, iterationCount);
+
+ /* we need to update, do it now */
+ if (((keydb->db->sdb_flags & SDB_RDONLY) == 0) && keydb->update) {
+ /* update the peer certdb if it exists */
+ if (keydb->peerDB) {
+ sftkdb_Update(keydb->peerDB, key);
+ }
+ sftkdb_Update(keydb, key);
+ }
+ } else {
+ rv = SECFailure;
+ /*PORT_SetError( bad password); */
+ }
+
+done:
+ if (result) {
+ SECITEM_ZfreeItem(result, PR_TRUE);
+ }
+ return rv;
+}
+
+/*
+ * return Success if the there is a cached password key.
+ */
+SECStatus
+sftkdb_PWCached(SFTKDBHandle *keydb)
+{
+ SECStatus rv;
+ PZ_Lock(keydb->passwordLock);
+ rv = keydb->passwordKey.data ? SECSuccess : SECFailure;
+ PZ_Unlock(keydb->passwordLock);
+ return rv;
+}
+
+static CK_RV
+sftk_updateMacs(PLArenaPool *arena, SFTKDBHandle *handle,
+ CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount)
+{
+ SFTKDBHandle *keyHandle = handle;
+ SDB *keyTarget = NULL;
+ if (handle->type != SFTK_KEYDB_TYPE) {
+ keyHandle = handle->peerDB;
+ }
+ if (keyHandle == NULL) {
+ return CKR_OK;
+ }
+ // Old DBs don't have metadata, so we can return early here.
+ keyTarget = SFTK_GET_SDB(keyHandle);
+ if ((keyTarget->sdb_flags & SDB_HAS_META) == 0) {
+ return CKR_OK;
+ }
+
+ id &= SFTK_OBJ_ID_MASK;
+
+ CK_ATTRIBUTE_TYPE authAttrTypes[] = {
+ CKA_MODULUS,
+ CKA_PUBLIC_EXPONENT,
+ CKA_CERT_SHA1_HASH,
+ CKA_CERT_MD5_HASH,
+ CKA_TRUST_SERVER_AUTH,
+ CKA_TRUST_CLIENT_AUTH,
+ CKA_TRUST_EMAIL_PROTECTION,
+ CKA_TRUST_CODE_SIGNING,
+ CKA_TRUST_STEP_UP_APPROVED,
+ CKA_NSS_OVERRIDE_EXTENSIONS,
+ };
+ const CK_ULONG authAttrTypeCount = sizeof(authAttrTypes) / sizeof(authAttrTypes[0]);
+
+ // We don't know what attributes this object has, so we update them one at a
+ // time.
+ unsigned int i;
+ for (i = 0; i < authAttrTypeCount; i++) {
+ CK_ATTRIBUTE authAttr = { authAttrTypes[i], NULL, 0 };
+ CK_RV rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+ if (rv != CKR_OK) {
+ continue;
+ }
+ if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
+ continue;
+ }
+ authAttr.pValue = PORT_ArenaAlloc(arena, authAttr.ulValueLen);
+ if (authAttr.pValue == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ rv = sftkdb_GetAttributeValue(handle, id, &authAttr, 1);
+ if (rv != CKR_OK) {
+ return rv;
+ }
+ if ((authAttr.ulValueLen == -1) || (authAttr.ulValueLen == 0)) {
+ return CKR_GENERAL_ERROR;
+ }
+ // GetAttributeValue just verified the old macs, so it is safe to write
+ // them out now.
+ if (authAttr.ulValueLen == sizeof(CK_ULONG) &&
+ sftkdb_isULONGAttribute(authAttr.type)) {
+ CK_ULONG value = *(CK_ULONG *)authAttr.pValue;
+ sftk_ULong2SDBULong(authAttr.pValue, value);
+ authAttr.ulValueLen = SDB_ULONG_SIZE;
+ }
+ SECItem *signText;
+ SECItem plainText;
+ plainText.data = authAttr.pValue;
+ plainText.len = authAttr.ulValueLen;
+ if (sftkdb_SignAttribute(arena, handle, keyTarget, newKey,
+ iterationCount, id, authAttr.type,
+ &plainText, &signText) != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ if (sftkdb_PutAttributeSignature(handle, keyTarget, id, authAttr.type,
+ signText) != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+sftk_updateEncrypted(PLArenaPool *arena, SFTKDBHandle *keydb,
+ CK_OBJECT_HANDLE id, SECItem *newKey, int iterationCount)
+{
+ CK_ATTRIBUTE_TYPE privAttrTypes[] = {
+ CKA_VALUE,
+ CKA_PRIVATE_EXPONENT,
+ CKA_PRIME_1,
+ CKA_PRIME_2,
+ CKA_EXPONENT_1,
+ CKA_EXPONENT_2,
+ CKA_COEFFICIENT,
+ };
+ const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
+
+ // We don't know what attributes this object has, so we update them one at a
+ // time.
+ unsigned int i;
+ for (i = 0; i < privAttrCount; i++) {
+ // Read the old attribute in the clear.
+ CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
+ CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
+ CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+ if (crv != CKR_OK) {
+ continue;
+ }
+ if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
+ continue;
+ }
+ privAttr.pValue = PORT_ArenaAlloc(arena, privAttr.ulValueLen);
+ if (privAttr.pValue == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
+ return CKR_GENERAL_ERROR;
+ }
+ SECItem plainText;
+ SECItem *result;
+ plainText.data = privAttr.pValue;
+ plainText.len = privAttr.ulValueLen;
+ if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
+ iterationCount, sdbId, privAttr.type,
+ &plainText, &result) != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ privAttr.pValue = result->data;
+ privAttr.ulValueLen = result->len;
+ // Clear sensitive data.
+ PORT_Memset(plainText.data, 0, plainText.len);
+
+ // Write the newly encrypted attributes out directly.
+ keydb->newKey = newKey;
+ keydb->newDefaultIterationCount = iterationCount;
+ crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
+ keydb->newKey = NULL;
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+
+ return CKR_OK;
+}
+
+static CK_RV
+sftk_convertAttributes(SFTKDBHandle *handle, CK_OBJECT_HANDLE id,
+ SECItem *newKey, int iterationCount)
+{
+ CK_RV crv = CKR_OK;
+ PLArenaPool *arena = NULL;
+
+ /* get a new arena to simplify cleanup */
+ arena = PORT_NewArena(1024);
+ if (!arena) {
+ return CKR_HOST_MEMORY;
+ }
+
+ /*
+ * first handle the MACS
+ */
+ crv = sftk_updateMacs(arena, handle, id, newKey, iterationCount);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ if (handle->type == SFTK_KEYDB_TYPE) {
+ crv = sftk_updateEncrypted(arena, handle, id, newKey,
+ iterationCount);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
+
+ /* free up our mess */
+ PORT_FreeArena(arena, PR_TRUE);
+ return CKR_OK;
+
+loser:
+ /* there may be unencrypted data, clear it out down */
+ PORT_FreeArena(arena, PR_TRUE);
+ return crv;
+}
+
+/*
+ * must be called with the old key active.
+ */
+CK_RV
+sftkdb_convertObjects(SFTKDBHandle *handle, CK_ATTRIBUTE *template,
+ CK_ULONG count, SECItem *newKey, int iterationCount)
+{
+ SDBFind *find = NULL;
+ CK_ULONG idCount = SFTK_MAX_IDS;
+ CK_OBJECT_HANDLE ids[SFTK_MAX_IDS];
+ CK_RV crv, crv2;
+ unsigned int i;
+
+ crv = sftkdb_FindObjectsInit(handle, template, count, &find);
+
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ while ((crv == CKR_OK) && (idCount == SFTK_MAX_IDS)) {
+ crv = sftkdb_FindObjects(handle, find, ids, SFTK_MAX_IDS, &idCount);
+ for (i = 0; (crv == CKR_OK) && (i < idCount); i++) {
+ crv = sftk_convertAttributes(handle, ids[i], newKey,
+ iterationCount);
+ }
+ }
+ crv2 = sftkdb_FindObjectsFinal(handle, find);
+ if (crv == CKR_OK)
+ crv = crv2;
+
+ return crv;
+}
+
+/*
+ * change the database password.
+ */
+SECStatus
+sftkdb_ChangePassword(SFTKDBHandle *keydb,
+ char *oldPin, char *newPin, PRBool *tokenRemoved)
+{
+ SECStatus rv = SECSuccess;
+ SECItem plainText;
+ SECItem newKey;
+ SECItem *result = NULL;
+ SECItem salt, value;
+ SFTKDBHandle *certdb;
+ unsigned char saltData[SDB_MAX_META_DATA_LEN];
+ unsigned char valueData[SDB_MAX_META_DATA_LEN];
+ int iterationCount = getPBEIterationCount();
+ CK_RV crv;
+ SDB *db;
+
+ if (keydb == NULL) {
+ return SECFailure;
+ }
+
+ db = SFTK_GET_SDB(keydb);
+ if (db == NULL) {
+ return SECFailure;
+ }
+
+ newKey.data = NULL;
+
+ /* make sure we have a valid old pin */
+ crv = (*keydb->db->sdb_Begin)(keydb->db);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ salt.data = saltData;
+ salt.len = sizeof(saltData);
+ value.data = valueData;
+ value.len = sizeof(valueData);
+ crv = (*db->sdb_GetMetaData)(db, "password", &salt, &value);
+ if (crv == CKR_OK) {
+ rv = sftkdb_CheckPassword(keydb, oldPin, tokenRemoved);
+ if (rv == SECFailure) {
+ goto loser;
+ }
+ } else {
+ salt.len = SHA1_LENGTH;
+ RNG_GenerateGlobalRandomBytes(salt.data, salt.len);
+ }
+
+ if (newPin && *newPin == 0) {
+ iterationCount = 1;
+ } else if (keydb->usesLegacyStorage && !sftk_isLegacyIterationCountAllowed()) {
+ iterationCount = 1;
+ }
+
+ rv = sftkdb_passwordToKey(keydb, &salt, newPin, &newKey);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+
+ /*
+ * convert encrypted entries here.
+ */
+ crv = sftkdb_convertObjects(keydb, NULL, 0, &newKey, iterationCount);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ /* fix up certdb macs */
+ certdb = keydb->peerDB;
+ if (certdb) {
+ CK_ATTRIBUTE objectType = { CKA_CLASS, 0, sizeof(CK_OBJECT_CLASS) };
+ CK_OBJECT_CLASS myClass = CKO_NSS_TRUST;
+
+ objectType.pValue = &myClass;
+ crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
+ iterationCount);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ myClass = CKO_PUBLIC_KEY;
+ crv = sftkdb_convertObjects(certdb, &objectType, 1, &newKey,
+ iterationCount);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ }
+
+ plainText.data = (unsigned char *)SFTK_PW_CHECK_STRING;
+ plainText.len = SFTK_PW_CHECK_LEN;
+
+ rv = sftkdb_EncryptAttribute(NULL, keydb, keydb->db, &newKey,
+ iterationCount, CK_INVALID_HANDLE,
+ CKT_INVALID_TYPE, &plainText, &result);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ value.data = result->data;
+ value.len = result->len;
+ crv = (*keydb->db->sdb_PutMetaData)(keydb->db, "password", &salt, &value);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+ crv = (*keydb->db->sdb_Commit)(keydb->db);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ goto loser;
+ }
+
+ keydb->newKey = NULL;
+
+ sftkdb_switchKeys(keydb, &newKey, iterationCount);
+
+loser:
+ if (newKey.data) {
+ PORT_ZFree(newKey.data, newKey.len);
+ }
+ if (result) {
+ SECITEM_FreeItem(result, PR_TRUE);
+ }
+ if (rv != SECSuccess) {
+ (*keydb->db->sdb_Abort)(keydb->db);
+ }
+
+ return rv;
+}
+
+/*
+ * lose our cached password
+ */
+SECStatus
+sftkdb_ClearPassword(SFTKDBHandle *keydb)
+{
+ SECItem oldKey;
+ oldKey.data = NULL;
+ oldKey.len = 0;
+ sftkdb_switchKeys(keydb, &oldKey, 1);
+ if (oldKey.data) {
+ PORT_ZFree(oldKey.data, oldKey.len);
+ }
+ return SECSuccess;
+}
diff --git a/security/nss/lib/softoken/softkver.c b/security/nss/lib/softoken/softkver.c
new file mode 100644
index 0000000000..3f20fad274
--- /dev/null
+++ b/security/nss/lib/softoken/softkver.c
@@ -0,0 +1,18 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* Library identity and versioning */
+
+#include "softkver.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information
+ */
+const char __nss_softokn_version[] = "Version: NSS " SOFTOKEN_VERSION _DEBUG_STRING;
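Review bot: `_DEBUG_STRING` at the `#define` block is a reserved identifier (a leading underscore followed by an uppercase letter is reserved for the implementation), so a toolchain header could legitimately define it and silently change the version string. A project-prefixed name avoids that: `#define SOFTOKEN_DEBUG_STRING " (debug)"`, `#define SOFTOKEN_DEBUG_STRING ""`, and `const char __nss_softokn_version[] = "Version: NSS " SOFTOKEN_VERSION SOFTOKEN_DEBUG_STRING;`. The same reserved-name pattern appears in the include guards `_SOFTKVER_H_` in softkver.h and `_SOFTOKEN_H_` in softoken.h. `__nss_softokn_version` is also in the reserved space, but it appears to be the library's exported identity symbol that external tooling may look up by name, so I would leave it as is and only rename the macros.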
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
new file mode 100644
index 0000000000..b90bf9d251
--- /dev/null
+++ b/security/nss/lib/softoken/softkver.h
@@ -0,0 +1,27 @@
+/*
+ * Softoken version numbers
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SOFTKVER_H_
+#define _SOFTKVER_H_
+
+#define SOFTOKEN_ECC_STRING " Basic ECC"
+
+/*
+ * Softoken's major version, minor version, patch level, build number,
+ * and whether this is a beta release.
+ *
+ * The format of the version string should be
+ * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
+ */
+#define SOFTOKEN_VERSION "3.90.1" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VMAJOR 3
+#define SOFTOKEN_VMINOR 90
+#define SOFTOKEN_VPATCH 1
+#define SOFTOKEN_VBUILD 0
+#define SOFTOKEN_BETA PR_FALSE
+
+#endif /* _SOFTKVER_H_ */
diff --git a/security/nss/lib/softoken/softoken.gyp b/security/nss/lib/softoken/softoken.gyp
new file mode 100644
index 0000000000..1ff5286d79
--- /dev/null
+++ b/security/nss/lib/softoken/softoken.gyp
@@ -0,0 +1,111 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../coreconf/config.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'softokn_static',
+ 'type': 'static_library',
+ 'defines': [
+ 'NSS_STATIC_SOFTOKEN',
+ ],
+ 'dependencies': [
+ 'softokn_base',
+ '<(DEPTH)/exports.gyp:nss_exports',
+ '<(DEPTH)/lib/freebl/freebl.gyp:freebl_static',
+ ],
+ 'conditions': [
+ [ 'use_system_sqlite==1', {
+ 'dependencies': [
+ '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3',
+ ],
+ }, {
+ 'dependencies': [
+ '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite',
+ ],
+ }],
+ ],
+ },
+ {
+ 'target_name': 'softokn',
+ 'type': 'static_library',
+ 'dependencies': [
+ 'softokn_base',
+ '<(DEPTH)/exports.gyp:nss_exports',
+ '<(DEPTH)/lib/sqlite/sqlite.gyp:sqlite3',
+ '<(DEPTH)/lib/freebl/freebl.gyp:freebl',
+ ]
+ },
+ {
+ 'target_name': 'softokn_base',
+ 'type': 'none',
+ 'direct_dependent_settings': {
+ 'sources': [
+ 'fipsaudt.c',
+ 'fipstest.c',
+ 'fipstokn.c',
+ 'jpakesftk.c',
+ 'kbkdf.c',
+ 'lowkey.c',
+ 'lowpbe.c',
+ 'padbuf.c',
+ 'pkcs11.c',
+ 'pkcs11c.c',
+ 'pkcs11u.c',
+ 'sdb.c',
+ 'sftkdhverify.c',
+ 'sftkdb.c',
+ 'sftkhmac.c',
+ 'sftkike.c',
+ 'sftkmessage.c',
+ 'sftkpars.c',
+ 'sftkpwd.c',
+ 'softkver.c',
+ 'tlsprf.c'
+ ],
+ 'conditions': [
+ [ 'disable_dbm==0', {
+ 'sources': [
+ 'lgglue.c',
+ ]
+ }]
+ ]
+ },
+ },
+ {
+ 'target_name': 'softokn3',
+ 'type': 'shared_library',
+ 'dependencies': [
+ 'softokn',
+ ],
+ 'conditions': [
+ [ 'moz_fold_libs==0', {
+ 'dependencies': [
+ '<(DEPTH)/lib/util/util.gyp:nssutil3',
+ ],
+ }, {
+ 'libraries': [
+ '<(moz_folded_library_name)',
+ ],
+ }],
+ ],
+ 'variables': {
+ 'mapfile': 'softokn.def'
+ }
+ }
+ ],
+ 'target_defaults': {
+ 'defines': [
+ 'SHLIB_SUFFIX=\"<(dll_suffix)\"',
+ 'SHLIB_PREFIX=\"<(dll_prefix)\"',
+ 'SOFTOKEN_LIB_NAME=\"<(dll_prefix)softokn3.<(dll_suffix)\"',
+ 'SHLIB_VERSION=\"3\"'
+ ]
+ },
+ 'variables': {
+ 'module': 'nss'
+ }
+}
diff --git a/security/nss/lib/softoken/softoken.h b/security/nss/lib/softoken/softoken.h
new file mode 100644
index 0000000000..dfb42b4e03
--- /dev/null
+++ b/security/nss/lib/softoken/softoken.h
@@ -0,0 +1,280 @@
+/*
+ * softoken.h - private data structures and prototypes for the softoken lib
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SOFTOKEN_H_
+#define _SOFTOKEN_H_
+
+#include "blapi.h"
+#include "lowkeyti.h"
+#include "softoknt.h"
+#include "secoidt.h"
+
+#include "pkcs11t.h"
+
+SEC_BEGIN_PROTOS
+
+/*
+ * Convenience wrapper for doing a single PKCS#1 v1.5 RSA operations where the
+ * encoded digest info is computed internally, rather than by the caller.
+ *
+ * The HashSign variants expect as input the value of H, the computed hash
+ * from RFC 3447, Section 9.2, Step 1, and will compute the DER-encoded
+ * DigestInfo structure internally prior to signing/verifying.
+ */
+extern SECStatus
+RSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
+ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
+ const unsigned char *hash, unsigned int hashLen);
+
+extern SECStatus
+RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
+ const unsigned char *sig, unsigned int sigLen,
+ const unsigned char *hash, unsigned int hashLen);
+
+/*
+** Prepare a buffer for padded CBC encryption, growing to the appropriate
+** boundary, filling with the appropriate padding.
+**
+** blockSize must be a power of 2.
+**
+** We add from 1 to blockSize bytes -- we *always* grow.
+** The extra bytes contain the value of the length of the padding:
+** if we have 2 bytes of padding, then the padding is "0x02, 0x02".
+**
+** NOTE: If arena is non-NULL, we re-allocate from there, otherwise
+** we assume (and use) PR memory (re)allocation.
+*/
+extern unsigned char *CBC_PadBuffer(PLArenaPool *arena, unsigned char *inbuf,
+ unsigned int inlen, unsigned int *outlen,
+ int blockSize);
+
+/****************************************/
+/*
+** Power-Up selftests are required for FIPS.
+*/
+/* make sure Power-up selftests have been run. */
+extern CK_RV sftk_FIPSEntryOK(PRBool rerun);
+
+/*
+** make known fixed PKCS #11 key types to their sizes in bytes
+*/
+unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
+
+/*
+** FIPS 140-2 auditing
+*/
+extern PRBool sftk_audit_enabled;
+
+extern void sftk_LogAuditMessage(NSSAuditSeverity severity,
+ NSSAuditType, const char *msg);
+
+extern void sftk_AuditCreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phObject, CK_RV rv);
+
+extern void sftk_AuditCopyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phNewObject, CK_RV rv);
+
+extern void sftk_AuditDestroyObject(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_RV rv);
+
+extern void sftk_AuditGetObjectSize(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize,
+ CK_RV rv);
+
+extern void sftk_AuditGetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditSetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG ulCount, CK_RV rv);
+
+extern void sftk_AuditCryptInit(const char *opName,
+ CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditGenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG ulPublicKeyAttributeCount,
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG ulPrivateKeyAttributeCount,
+ CK_OBJECT_HANDLE_PTR phPublicKey,
+ CK_OBJECT_HANDLE_PTR phPrivateKey, CK_RV rv);
+
+extern void sftk_AuditWrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hWrappingKey, CK_OBJECT_HANDLE hKey,
+ CK_BYTE_PTR pWrappedKey,
+ CK_ULONG_PTR pulWrappedKeyLen, CK_RV rv);
+
+extern void sftk_AuditUnwrapKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hUnwrappingKey,
+ CK_BYTE_PTR pWrappedKey, CK_ULONG ulWrappedKeyLen,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDeriveKey(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_OBJECT_HANDLE hBaseKey,
+ CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount,
+ CK_OBJECT_HANDLE_PTR phKey, CK_RV rv);
+
+extern void sftk_AuditDigestKey(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hKey, CK_RV rv);
+
+/*
+** FIPS 140-2 Error state
+*/
+extern PRBool sftk_fatalError;
+
+/*
+** macros to check for forked child process after C_Initialize
+*/
+/* for PKCS #11 3.0, default is NO_FORK_CHECK, if you want it, now you
+ * need to define DO_FORK_CHECK */
+#if defined(XP_UNIX) && defined(DO_FORK_CHECK)
+
+#ifdef DEBUG
+
+#define FORK_ASSERT() \
+ { \
+ char *forkAssert = PR_GetEnvSecure("NSS_STRICT_NOFORK"); \
+ if ((!forkAssert) || (0 == strcmp(forkAssert, "1"))) { \
+ PORT_Assert(0); \
+ } \
+ }
+
+#else
+
+#define FORK_ASSERT()
+
+#endif
+
+/* we have 3 methods of implementing the fork checks :
+ * - Solaris "mixed" method
+ * - pthread_atfork method
+ * - getpid method
+ */
+
+#if !defined(CHECK_FORK_MIXED) && !defined(CHECK_FORK_PTHREAD) && \
+ !defined(CHECK_FORK_GETPID)
+
+/* Choose fork check method automatically unless specified
+ * This section should be updated as more platforms get pthread fixes
+ * to unregister fork handlers in dlclose.
+ */
+
+#ifdef SOLARIS
+
+/* Solaris 8, s9 use PID checks, s10 uses pthread_atfork */
+
+#define CHECK_FORK_MIXED
+
+#elif defined(LINUX) || defined(__GLIBC__) || defined(FREEBSD) || defined(OPENBSD)
+
+#define CHECK_FORK_PTHREAD
+
+#else
+
+/* Other Unix platforms use only PID checks. Even if pthread_atfork is
+ * available, the behavior of dlclose isn't guaranteed by POSIX to
+ * unregister the fork handler. */
+
+#define CHECK_FORK_GETPID
+
+#endif
+
+#endif
+
+#if defined(CHECK_FORK_MIXED)
+
+extern PRBool usePthread_atfork;
+#include <unistd.h>
+extern pid_t myPid;
+extern PRBool forked;
+
+#define PARENT_FORKED() (usePthread_atfork ? forked : (myPid && myPid != getpid()))
+
+#elif defined(CHECK_FORK_PTHREAD)
+
+extern PRBool forked;
+
+#define PARENT_FORKED() forked
+
+#elif defined(CHECK_FORK_GETPID)
+
+#include <unistd.h>
+extern pid_t myPid;
+
+#define PARENT_FORKED() (myPid && myPid != getpid())
+
+#endif
+
+extern PRBool parentForkedAfterC_Initialize;
+extern PRBool sftkForkCheckDisabled;
+
+#define CHECK_FORK() \
+ do { \
+ if (!sftkForkCheckDisabled && PARENT_FORKED()) { \
+ FORK_ASSERT(); \
+ return CKR_DEVICE_ERROR; \
+ } \
+ } while (0)
+
+#define SKIP_AFTER_FORK(x) \
+ if (!parentForkedAfterC_Initialize) \
+ x
+
+#define ENABLE_FORK_CHECK() \
+ { \
+ char *doForkCheck = PR_GetEnvSecure("NSS_STRICT_NOFORK"); \
+ if (doForkCheck && !strcmp(doForkCheck, "DISABLED")) { \
+ sftkForkCheckDisabled = PR_TRUE; \
+ } \
+ }
+
+#else
+
+/* non-Unix platforms, or fork check disabled */
+
+#define CHECK_FORK()
+#define SKIP_AFTER_FORK(x) x
+#define ENABLE_FORK_CHECK()
+
+#ifndef NO_FORK_CHECK
+#define NO_FORK_CHECK
+#endif
+
+#endif
+
+/*
+ * If we were trying to be complete, we would have both FORK_SAFE
+ * and non-Fork safe interfaces here. That would require doubling
+ * the functions in our function list for both this and the FIPS
+ * interface. Since NSS now always asks for a FORK_SAFE interface,
+ * and can fall back to a non-FORK_SAFE interface, we set only
+ * export one set of interfaces here */
+#ifdef NO_FORK_CHECK
+#define NSS_INTERFACE_FLAGS CKF_INTERFACE_FORK_SAFE
+#else
+#define NSS_INTERFACE_FLAGS 0
+#endif
+
+SEC_END_PROTOS
+
+#endif /* _SOFTOKEN_H_ */
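Review bot: `SKIP_AFTER_FORK(x)` expands to an unbraced `if (!parentForkedAfterC_Initialize) x`, so a caller that places it before an `else`, or passes a multi-statement argument, silently changes control flow; the other macros in this block (`CHECK_FORK`) already use the `do { ... } while (0)` form, and this one should match it: `#define SKIP_AFTER_FORK(x) do { if (!parentForkedAfterC_Initialize) { x; } } while (0)` (assuming existing call sites end with a semicolon — worth checking before changing). The `NSS_STRICT_NOFORK` environment variable is also read with two different meanings that are nowhere documented: in `FORK_ASSERT` an unset value or `"1"` triggers the assertion, while in `ENABLE_FORK_CHECK` the value `"DISABLED"` turns the fork check off entirely, which in a FIPS build is a security-relevant knob. A comment above the `#ifdef DEBUG` on line 60714 along the lines of `/* NSS_STRICT_NOFORK: unset or "1" -> assert on fork in DEBUG builds; "DISABLED" -> skip the fork check (CHECK_FORK becomes a no-op) */` would make the contract visible to whoever next edits it.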
diff --git a/security/nss/lib/softoken/softokn.def b/security/nss/lib/softoken/softokn.def
new file mode 100644
index 0000000000..135755be6c
--- /dev/null
+++ b/security/nss/lib/softoken/softokn.def
@@ -0,0 +1,39 @@
+;+#
+;+# This Source Code Form is subject to the terms of the Mozilla Public
+;+# License, v. 2.0. If a copy of the MPL was not distributed with this
+;+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;+#
+;+# OK, this file is meant to support SUN, LINUX, AIX and WINDOWS
+;+# 1. For all unix platforms, the string ";-" means "remove this line"
+;+# 2. For all unix platforms, the string " DATA " will be removed from any
+;+# line on which it occurs.
+;+# 3. Lines containing ";+" will have ";+" removed on SUN and LINUX.
+;+# On AIX, lines containing ";+" will be removed.
+;+# 4. For all unix platforms, the string ";;" will thave the ";;" removed.
+;+# 5. For all unix platforms, after the above processing has taken place,
+;+# all characters after the first ";" on the line will be removed.
+;+# And for AIX, the first ";" will also be removed.
+;+# This file is passed directly to windows. Since ';' is a comment, all UNIX
+;+# directives are hidden behind ";", ";+", and ";-"
+;+NSS_3.4 { # NSS 3.4 release
+;+ global:
+LIBRARY softokn3 ;-
+EXPORTS ;-
+C_GetFunctionList; Make this function like a real PKCS #11 module as well
+FC_GetFunctionList;
+NSC_GetFunctionList;
+NSC_ModuleDBFunc;
+;+ local:
+;+ *;
+;+};
+;+NSS_3.52 { # NSS 3.52 release adds pkcs #11 v3.0
+;+ global:
+C_GetInterfaceList;
+FC_GetInterfaceList;
+NSC_GetInterfaceList;
+C_GetInterface;
+FC_GetInterface;
+NSC_GetInterface;
+;+ local:
+;+ *;
+;+};
diff --git a/security/nss/lib/softoken/softokn.rc b/security/nss/lib/softoken/softokn.rc
new file mode 100644
index 0000000000..f3dbb5c42e
--- /dev/null
+++ b/security/nss/lib/softoken/softokn.rc
@@ -0,0 +1,68 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "softkver.h"
+#include <winver.h>
+
+#define MY_LIBNAME "softokn"
+#define MY_FILEDESCRIPTION "NSS PKCS #11 Library"
+
+#define STRINGIZE(x) #x
+#define STRINGIZE2(x) STRINGIZE(x)
+#define SOFTOKEN_VMAJOR_STR STRINGIZE2(SOFTOKEN_VMAJOR)
+
+#ifdef _DEBUG
+#define MY_DEBUG_STR " (debug)"
+#define MY_FILEFLAGS_1 VS_FF_DEBUG
+#else
+#define MY_DEBUG_STR ""
+#define MY_FILEFLAGS_1 0x0L
+#endif
+#if SOFTOKEN_BETA
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1|VS_FF_PRERELEASE
+#else
+#define MY_FILEFLAGS_2 MY_FILEFLAGS_1
+#endif
+
+#ifdef WINNT
+#define MY_FILEOS VOS_NT_WINDOWS32
+#else
+#define MY_FILEOS VOS__WINDOWS32
+#endif
+
+#define MY_INTERNAL_NAME MY_LIBNAME SOFTOKEN_VMAJOR_STR
+
+/////////////////////////////////////////////////////////////////////////////
+//
+// Version-information resource
+//
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,SOFTOKEN_VBUILD
+ PRODUCTVERSION SOFTOKEN_VMAJOR,SOFTOKEN_VMINOR,SOFTOKEN_VPATCH,SOFTOKEN_VBUILD
+ FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
+ FILEFLAGS MY_FILEFLAGS_2
+ FILEOS MY_FILEOS
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L // not used
+
+BEGIN
+ BLOCK "StringFileInfo"
+ BEGIN
+ BLOCK "040904B0" // Lang=US English, CharSet=Unicode
+ BEGIN
+ VALUE "CompanyName", "Mozilla Foundation\0"
+ VALUE "FileDescription", MY_FILEDESCRIPTION MY_DEBUG_STR "\0"
+ VALUE "FileVersion", SOFTOKEN_VERSION "\0"
+ VALUE "InternalName", MY_INTERNAL_NAME "\0"
+ VALUE "OriginalFilename", MY_INTERNAL_NAME ".dll\0"
+ VALUE "ProductName", "Network Security Services\0"
+ VALUE "ProductVersion", SOFTOKEN_VERSION "\0"
+ END
+ END
+ BLOCK "VarFileInfo"
+ BEGIN
+ VALUE "Translation", 0x409, 1200
+ END
+END
diff --git a/security/nss/lib/softoken/softoknt.h b/security/nss/lib/softoken/softoknt.h
new file mode 100644
index 0000000000..03c92361c0
--- /dev/null
+++ b/security/nss/lib/softoken/softoknt.h
@@ -0,0 +1,46 @@
+/*
+ * softoknt.h - public data structures for the software token library
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef _SOFTOKNT_H_
+#define _SOFTOKNT_H_
+
+#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE 2048
+#define DES_BLOCK_SIZE 8 /* bytes */
+#define MAX_DES3_KEY_SIZE 24 /* DES_BLOCK_SIZE * 3 */
+#define SFTK_MAX_DERIVE_KEY_SIZE 64
+
+/*
+ * FIPS 140-2 auditing
+ */
+typedef enum {
+ NSS_AUDIT_ERROR = 3, /* errors */
+ NSS_AUDIT_WARNING = 2, /* warning messages */
+ NSS_AUDIT_INFO = 1 /* informational messages */
+} NSSAuditSeverity;
+
+typedef enum {
+ NSS_AUDIT_ACCESS_KEY = 0,
+ NSS_AUDIT_CHANGE_KEY,
+ NSS_AUDIT_COPY_KEY,
+ NSS_AUDIT_CRYPT,
+ NSS_AUDIT_DERIVE_KEY,
+ NSS_AUDIT_DESTROY_KEY,
+ NSS_AUDIT_DIGEST_KEY,
+ NSS_AUDIT_FIPS_STATE,
+ NSS_AUDIT_GENERATE_KEY,
+ NSS_AUDIT_INIT_PIN,
+ NSS_AUDIT_INIT_TOKEN,
+ NSS_AUDIT_LOAD_KEY,
+ NSS_AUDIT_LOGIN,
+ NSS_AUDIT_LOGOUT,
+ NSS_AUDIT_SELF_TEST,
+ NSS_AUDIT_SET_PIN,
+ NSS_AUDIT_UNWRAP_KEY,
+ NSS_AUDIT_WRAP_KEY
+} NSSAuditType;
+
+#endif /* _SOFTOKNT_H_ */
diff --git a/security/nss/lib/softoken/tlsprf.c b/security/nss/lib/softoken/tlsprf.c
new file mode 100644
index 0000000000..042cf194f7
--- /dev/null
+++ b/security/nss/lib/softoken/tlsprf.c
@@ -0,0 +1,198 @@
+/* tlsprf.c - TLS Pseudo Random Function (PRF) implementation
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "pkcs11i.h"
+#include "blapi.h"
+#include "secerr.h"
+
+static void
+sftk_TLSPRFNull(void *data, PRBool freeit)
+{
+ return;
+}
+
+typedef struct {
+ PRUint32 cxSize; /* size of allocated block, in bytes. */
+ PRUint32 cxBufSize; /* sizeof buffer at cxBufPtr. */
+ unsigned char *cxBufPtr; /* points to real buffer, may be cxBuf. */
+ PRUint32 cxKeyLen; /* bytes of cxBufPtr containing key. */
+ PRUint32 cxDataLen; /* bytes of cxBufPtr containing data. */
+ SECStatus cxRv; /* records failure of void functions. */
+ PRBool cxIsFIPS; /* true if conforming to FIPS 198. */
+ HASH_HashType cxHashAlg; /* hash algorithm to use for TLS 1.2+ */
+ unsigned int cxOutLen; /* bytes of output if nonzero */
+ unsigned char cxBuf[512]; /* actual size may be larger than 512. */
+} TLSPRFContext;
+
+static void
+sftk_TLSPRFHashUpdate(TLSPRFContext *cx, const unsigned char *data,
+ unsigned int data_len)
+{
+ PRUint32 bytesUsed = cx->cxKeyLen + cx->cxDataLen;
+
+ if (cx->cxRv != SECSuccess) /* function has previously failed. */
+ return;
+ if (bytesUsed + data_len > cx->cxBufSize) {
+ /* We don't use realloc here because
+ ** (a) realloc doesn't zero out the old block, and
+ ** (b) if realloc fails, we lose the old block.
+ */
+ PRUint32 newBufSize = bytesUsed + data_len + 512;
+ unsigned char *newBuf = (unsigned char *)PORT_Alloc(newBufSize);
+ if (!newBuf) {
+ cx->cxRv = SECFailure;
+ return;
+ }
+ PORT_Memcpy(newBuf, cx->cxBufPtr, bytesUsed);
+ if (cx->cxBufPtr != cx->cxBuf) {
+ PORT_ZFree(cx->cxBufPtr, bytesUsed);
+ }
+ cx->cxBufPtr = newBuf;
+ cx->cxBufSize = newBufSize;
+ }
+ PORT_Memcpy(cx->cxBufPtr + bytesUsed, data, data_len);
+ cx->cxDataLen += data_len;
+}
+
+static void
+sftk_TLSPRFEnd(TLSPRFContext *ctx, unsigned char *hashout,
+ unsigned int *pDigestLen, unsigned int maxDigestLen)
+{
+ *pDigestLen = 0; /* tells Verify that no data has been input yet. */
+}
+
+/* Compute the PRF values from the data previously input. */
+static SECStatus
+sftk_TLSPRFUpdate(TLSPRFContext *cx,
+ unsigned char *sig, /* output goes here. */
+ unsigned int *sigLen, /* how much output. */
+ unsigned int maxLen, /* output buffer size */
+ unsigned char *hash, /* unused. */
+ unsigned int hashLen) /* unused. */
+{
+ SECStatus rv;
+ SECItem sigItem;
+ SECItem seedItem;
+ SECItem secretItem;
+
+ if (cx->cxRv != SECSuccess)
+ return cx->cxRv;
+
+ secretItem.data = cx->cxBufPtr;
+ secretItem.len = cx->cxKeyLen;
+
+ seedItem.data = cx->cxBufPtr + cx->cxKeyLen;
+ seedItem.len = cx->cxDataLen;
+
+ sigItem.data = sig;
+ if (cx->cxOutLen == 0) {
+ sigItem.len = maxLen;
+ } else if (cx->cxOutLen <= maxLen) {
+ sigItem.len = cx->cxOutLen;
+ } else {
+ PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+ return SECFailure;
+ }
+
+ if (cx->cxHashAlg != HASH_AlgNULL) {
+ rv = TLS_P_hash(cx->cxHashAlg, &secretItem, NULL, &seedItem, &sigItem,
+ cx->cxIsFIPS);
+ } else {
+ rv = TLS_PRF(&secretItem, NULL, &seedItem, &sigItem, cx->cxIsFIPS);
+ }
+ if (rv == SECSuccess && sigLen != NULL)
+ *sigLen = sigItem.len;
+ return rv;
+}
+
+static SECStatus
+sftk_TLSPRFVerify(TLSPRFContext *cx,
+ unsigned char *sig, /* input, for comparison. */
+ unsigned int sigLen, /* length of sig. */
+ unsigned char *hash, /* data to be verified. */
+ unsigned int hashLen) /* size of hash data. */
+{
+ unsigned char *tmp = (unsigned char *)PORT_Alloc(sigLen);
+ unsigned int tmpLen = sigLen;
+ SECStatus rv;
+
+ if (!tmp)
+ return SECFailure;
+ if (hashLen) {
+ /* hashLen is non-zero when the user does a one-step verify.
+ ** In this case, none of the data has been input yet.
+ */
+ sftk_TLSPRFHashUpdate(cx, hash, hashLen);
+ }
+ rv = sftk_TLSPRFUpdate(cx, tmp, &tmpLen, sigLen, NULL, 0);
+ if (rv == SECSuccess) {
+ rv = (SECStatus)(1 - !NSS_SecureMemcmp(tmp, sig, sigLen));
+ }
+ PORT_ZFree(tmp, sigLen);
+ return rv;
+}
+
+static void
+sftk_TLSPRFHashDestroy(TLSPRFContext *cx, PRBool freeit)
+{
+ if (freeit) {
+ if (cx->cxBufPtr != cx->cxBuf)
+ PORT_ZFree(cx->cxBufPtr, cx->cxBufSize);
+ PORT_ZFree(cx, cx->cxSize);
+ }
+}
+
+CK_RV
+sftk_TLSPRFInit(SFTKSessionContext *context,
+ SFTKObject *key,
+ CK_KEY_TYPE key_type,
+ HASH_HashType hash_alg,
+ unsigned int out_len)
+{
+ SFTKAttribute *keyVal;
+ TLSPRFContext *prf_cx;
+ CK_RV crv = CKR_HOST_MEMORY;
+ PRUint32 keySize;
+ PRUint32 blockSize;
+
+ if (key_type != CKK_GENERIC_SECRET)
+ return CKR_KEY_TYPE_INCONSISTENT; /* CKR_KEY_FUNCTION_NOT_PERMITTED */
+
+ context->multi = PR_TRUE;
+
+ keyVal = sftk_FindAttribute(key, CKA_VALUE);
+ keySize = (!keyVal) ? 0 : keyVal->attrib.ulValueLen;
+ blockSize = keySize + sizeof(TLSPRFContext);
+ prf_cx = (TLSPRFContext *)PORT_Alloc(blockSize);
+ if (!prf_cx)
+ goto done;
+ prf_cx->cxSize = blockSize;
+ prf_cx->cxKeyLen = keySize;
+ prf_cx->cxDataLen = 0;
+ prf_cx->cxBufSize = blockSize - offsetof(TLSPRFContext, cxBuf);
+ prf_cx->cxRv = SECSuccess;
+ prf_cx->cxIsFIPS = sftk_isFIPS(key->slot->slotID);
+ prf_cx->cxBufPtr = prf_cx->cxBuf;
+ prf_cx->cxHashAlg = hash_alg;
+ prf_cx->cxOutLen = out_len;
+ if (keySize)
+ PORT_Memcpy(prf_cx->cxBufPtr, keyVal->attrib.pValue, keySize);
+
+ context->hashInfo = (void *)prf_cx;
+ context->cipherInfo = (void *)prf_cx;
+ context->hashUpdate = (SFTKHash)sftk_TLSPRFHashUpdate;
+ context->end = (SFTKEnd)sftk_TLSPRFEnd;
+ context->update = (SFTKCipher)sftk_TLSPRFUpdate;
+ context->verify = (SFTKVerify)sftk_TLSPRFVerify;
+ context->destroy = (SFTKDestroy)sftk_TLSPRFNull;
+ context->hashdestroy = (SFTKDestroy)sftk_TLSPRFHashDestroy;
+ crv = CKR_OK;
+
+done:
+ if (keyVal)
+ sftk_FreeAttribute(keyVal);
+ return crv;
+}
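Review bot: In `sftk_TLSPRFVerify` the comparison covers `sigLen` bytes of `tmp`, but `sftk_TLSPRFUpdate` only writes `tmpLen` bytes when `cx->cxOutLen` is non-zero and smaller than `sigLen`, so the tail of the `PORT_Alloc`'d (uninitialized) buffer is fed to `NSS_SecureMemcmp`; the length should be checked before comparing, and the `1 - !...` expression yields `1` on mismatch, which is not a `SECStatus` enumerator. I would replace the comparison with `rv = (tmpLen == sigLen && NSS_SecureMemcmp(tmp, sig, sigLen) == 0) ? SECSuccess : SECFailure;` and, since `secerr.h` is already included, set `PORT_SetError(SEC_ERROR_BAD_SIGNATURE)` on the failure path so callers get a diagnosable error code. Separately, the growth arithmetic in `sftk_TLSPRFHashUpdate` (`bytesUsed + data_len + 512`) is done in 32-bit unsigned and can wrap if a caller supplies a very large `data_len`; that is presumably bounded by the PKCS#11 layer, but a comment or an explicit `data_len > PR_UINT32_MAX - bytesUsed - 512` guard would make the assumption explicit.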